970f7b1104
18 changes to exploits/shellcodes macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free NetAware 1.20 - 'Add Block' Denial of Service (PoC) NetAware 1.20 - 'Share Name' Denial of Service (PoC) Terminal Services Manager 3.2.1 - Denial of Service Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free Microsoft Windows 10 (17763.379) - Install DLL Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation Apple Mac OS X - Feedback Assistant Race Condition (Metasploit) Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation Microsoft Internet Explorer 11 - Sandbox Escape Microsoft Windows - 'Win32k' Local Privilege Escalation Axis Network Camera - .srv to parhand RCE (Metasploit) Axis Network Camera - .srv to parhand Remote Code Execution (Metasploit) HP Intelligent Management - Java Deserialization RCE (Metasploit) HP Intelligent Management - Java Deserialization Remote Code Execution (Metasploit) Erlang - Port Mapper Daemon Cookie RCE (Metasploit) Erlang - Port Mapper Daemon Cookie Remote Code Execution (Metasploit) CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit) CMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit) Pimcore < 5.71 - Unserialize RCE (Metasploit) AIS logistics ESEL-Server - Unauthenticated SQL Injection Remote Code Execution (Metasploit) Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit) Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit) Nagios XI 5.6.1 - SQL injection BSD/x86 - setuid(0) + Bind (31337/TCP) Shell Shellcode (94 bytes) BSD/x86 - setuid(0) + Bind (31337/TCP) Shell (/bin/sh) Shellcode (94 bytes) Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes) Linux/x86 - Flush IPTables Rules (execve(/sbin/iptables -F)) Shellcode (70 bytes) Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables --flush) Shellcode (69 bytes) Linux/x86 - iptables --flush Shellcode (43 bytes) Linux/x86 - Flush IPTables Rules (iptables --flush) Shellcode (43 bytes) Linux/x86 - iptables -F Shellcode (43 bytes) Linux/x86 - Flush IPTables Rules (iptables -F) Shellcode (43 bytes) Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) Linux/x86 - Reverse (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes) Linux/x86 - Reverse TCP (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes) Linux/x86 - Reverse (fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509:1337/TCP) Shell (/bin/sh) + IPv6 Shellcode (Generator) (94 bytes) Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes) Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes) Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes) Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes) macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes) macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes) macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes) Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes) Apple macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) Apple macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes) Apple macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes) Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (63 bytes) Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes) Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes) Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes) Linux/ARM - Password-Protected Reverse TCP Shellcode (100 bytes) Linux/x86 - Rabbit Shellcode Crypter (200 bytes) Linux/x86 - Reverse Shell Shellcode (91 Bytes) + Python Wrapper Linux/x86 - Openssl Encrypt Files With aes256cbc Shellcode (185 bytes) Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes) Linux/ARM - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (S59!) + Null-Free Shellcode (100 bytes) Linux/x86 - Rabbit Encoder Shellcode (200 bytes) Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes) Linux/x86 - OpenSSL Encrypt (aes256cbc) Files (test.txt) Shellcode (185 bytes) Linux/x86 - shred file Shellcode (72 bytes) Linux/x86 - execve /bin/sh Shellcode (20 bytes) Linux/x86 - /sbin/iptables -F Shellcode (43 bytes) Linux x86_64 - Delete File Shellcode (28 bytes) Linux/x86 - Shred file (test.txt) Shellcode (72 bytes) Linux/x86 - execve(/bin/sh) Shellcode (20 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes) Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes) Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)
51 lines
No EOL
3.4 KiB
Text
51 lines
No EOL
3.4 KiB
Text
EDIT: Apparently this was patched earlier this month.. so whatever.
|
|
|
|
Windows Error Reporting Arbitrary DACL write
|
|
|
|
It can take upwards of 15 minutes for the bug to trigger. If it takes too long, closing the program, cleaning out the reportarchive folder in programdata (it may mess up the timing if there's too many reports in there as result of running our poc for too long), deleting the c:\blah folder.. etc.. might help.
|
|
|
|
I guess a more determined attacker might be able to make it more reliable. It is just an insanely small window in which we can win our race, I wasn't even sure if I could ever exploit it at all.
|
|
|
|
I don't see a way to use OPLOCKS to reliably win the race.. and while I can make it work fairly reliable in my VM, I need to use a "rand()" function to bruteforce a delay needed to hit the correct timing.. because this timing will vary wildly from hardware setup to setup.
|
|
|
|
Overview:
|
|
|
|
1. We turn c:\programdata\microsoft\windows\wer\reportqueue into a junction point to c:\blah
|
|
|
|
2. In c:\blah we create a folder named 1_1_1_1_1, and inside we dump a .wer file and another file called test
|
|
|
|
3. We trigger the WER reporting queue task
|
|
|
|
4. When the service tries to write a DACL we delete the file "test" after it calls GetSecurityFile on it and replace it with a hardlink, on which the service will call SetSecurityFile.
|
|
|
|
Bug description:
|
|
|
|
The WER service will try to delete both files while not impersonating when we trigger the reporting queue task. It does extensive testing against junctions.. so we cannot abuse that.
|
|
|
|
However it will write a DACL to both files, to ensure that SYSTEM has the "delete" right over them. The way this works is in two steps:
|
|
|
|
1. It calls GetFileSecurity and gets a security descriptor (or whatever the technical name is)
|
|
|
|
2. It adds some stuff to the security descriptor so SYSTEM has delete rights, and then writes it back to the file using SetFileSecurity
|
|
|
|
It also closes file handles between both function calls which is convenient.
|
|
|
|
This means that if between both function calls we plant a hardlink.. it will first get the security descriptor from a normal file which authenticated users can write to. It will then copy these permissions, and applies this security descriptor to a hardlink pointing to an entirely different file.
|
|
|
|
The race condition is incredibly hard to win. I havn't tested on another setup.. but you definitely need multiple processor cores and you may have to wait minutes for it to work (It can take a really long time.. ). Anyway... in an LPE scenario time is not that much of an issue.
|
|
|
|
A succesful run will look like this. You can see the hardlink being created after the QuerySecurityFile and before SetSecurityFile.
|
|
|
|
You can also ofcourse look in IDA (wer.dll) and confirm there. The vulnerable function is: UtilAddAccessToPath
|
|
|
|
Steps to reproduce:
|
|
|
|
1. Copy AngryPolarBearBug.exe and report.wer into the same folder
|
|
|
|
2. Run AngryPolarBearBug.exe
|
|
|
|
After many long minutes it should stop and c:\windows\system32\drivers\pci.sys should now by writeable from non-admin.
|
|
|
|
Again.. I have only tested this on both my VM and host, I don't even know if the random delay range will work on other hardware setups (it basically tries to bruteforce the correct timing).. so I hope you can repo it.
|
|
|
|
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46917.zip |