bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/17022.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

209 lines
No EOL
6.4 KiB
Text
Raw Blame History

Sources:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
http://aluigi.org/adv/factorylink_6-adv.txt
Advisory Archive: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-1.tar.gz (siemens_factory_link_adv.tar.gz)
PoC Archive: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-2.tar.gz (siemens_factory_link_poc.tar.gz)
#######################################################################
Luigi Auriemma
Application: Siemens Tecnomatix FactoryLink
http://www.usdata.com/sea/FactoryLink/en/p_nav1.html
http://www.plm.automation.siemens.com/en_us/products/tecnomatix/production_management/factorylink/index.shtml
Versions: <= 8.0.1.1473
Date: 21 Mar 2011 (found 02 Jan 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
===============
Introduction
===============
From vendor's website:
"Siemens FactoryLink monitors, supervises, and controls industrial
processes by enabling customers to perfect their processes and
products. Built on an advanced open architecture, FactoryLink delivers
the highest performance and flexibility to customers building vertical
applications in a wide range of industries.
Highly scaleable, FactoryLink can be used to build virtually any size
application, from the simplest Human-Machine Interface (HMI) systems to
the most complex and demanding Supervisory Control and Data Acquisition
(SCADA) systems."
Remote Stack Overflow:
======
Bug
======
CSService is a Windows service listening on port 7580.
The logging function is vulnerable to a buffer-overflow caused by the
usage of vsprintf with a stack buffer of 1024 bytes.
The vulnerability can be exploited from remote in various ways like the
passing of a big path or filter string in the file related operations
(opcodes 6, 8 and 10).
===========
The Code
===========
http://aluigi.org/poc/factorylink_x.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-x.zip (factorylink_x.zip)
factorylink_x 3 SERVER
#######################################################################
Arbitrary Files Reading and Listing:
======
Bug
======
CSService is a Windows service listening on port 7580.
All the file operations used by the service (opcodes 6, 8 and 10) allow
to specify arbitrary files and directories (absolute paths) and it's
possible for an attacker to download any remote file on the server.
Obviously it's possible also to specify directory traversal paths.
#######################################################################
===========
The Code
===========
http://aluigi.org/poc/factorylink_x.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-x.zip (factorylink_x.zip)
for downloading c:\boot.ini
factorylink_x 4 SERVER
for viewing the list of files in c:\
factorylink_x 5 SERVER
#######################################################################
Remote Memory Corruption:
======
Bug
======
vrn.exe is a server listening on port 7579 when a project is started.
There is a particular function used to parse the text fields located in
the strings of the opcode 10.
It copies the string delimited by a ';' or a space in the stack buffer
provided by the callee function causing a stack overflow that allows a
certain control on the code flow (for example the changing of the lower
8bit of the return address or another exception).
#######################################################################
===========
The Code
===========
http://aluigi.org/poc/factorylink_3.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-3.zip (factorylink_3.zip)
nc SERVER 7579 < factorylink_3.dat
#######################################################################
Remote Stack Overflow:
======
Bug
======
vrn.exe is a server listening on port 7579 when a project is started.
There is a particular function used to parse the text fields located in
the strings of the opcode 9.
It copies the string delimited by a ';' or a space in the stack buffer
provided by the callee function causing a classical stack overflow.
#######################################################################
===========
The Code
===========
http://aluigi.org/poc/factorylink_4.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-4.zip (factorylink_4.zip)
nc SERVER 7579 < factorylink_4.dat
#######################################################################
Arbitrary File Download:
======
Bug
======
vrn.exe is a server listening on port 7579 when a project is started.
The opcode 8 can be used to download any arbitrary file on the system
by specifiying the full path (UNC too) or directory traversal.
#######################################################################
===========
The Code
===========
http://aluigi.org/poc/factorylink_5.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-5.zip (factorylink_5.zip)
download c:\boot.ini
nc SERVER 7579 < factorylink_5.dat
#######################################################################
======
Bug
======
CSService, connsrv and datasrv are various Windows services.
All these services are vulneable to some Denial of Service
vulnerabilities that allow to crash them due to NULL pointer
dereferences, stack exaustions and raised exceptions.
#######################################################################
===========
The Code
===========
http://aluigi.org/poc/factorylink_x.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17022-x.zip (factorylink_x.zip)
factorylink_x 1 SERVER
factorylink_x 2 SERVER
factorylink_x 6 SERVER
factorylink_x 7 SERVER
#######################################################################
======
Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink