From 3a855523efe6d271327692d48ee606dd7becb563 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 2 Jun 2016 05:03:04 +0000 Subject: [PATCH] DB: 2016-06-02 2 new exploits GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability ImageMagick < 6.9.3-9 - Multiple Vulnerabilities ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick) ImageMagick Delegate Arbitrary Command Execution ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities Wireshark - erf_meta_read_tag SIGSEGV --- files.csv | 12 ++- platforms/multiple/dos/39877.txt | 24 +++++ platforms/php/webapps/39876.txt | 177 +++++++++++++++++++++++++++++++ 3 files changed, 208 insertions(+), 5 deletions(-) create mode 100755 platforms/multiple/dos/39877.txt create mode 100755 platforms/php/webapps/39876.txt diff --git a/files.csv b/files.csv index eea08af11..65f400602 100755 --- a/files.csv +++ b/files.csv 
@@ -3599,7 +3599,7 @@ id,file,description,date,author,platform,type,port
 3943,platforms/php/webapps/3943.pl,"FAQEngine <= 4.16.03 (question.php questionref) SQL Injection Exploit",2007-05-16,Silentz,php,webapps,0
 3944,platforms/php/webapps/3944.txt,"Mambo com_yanc 1.4 beta (id) Remote SQL Injection Vulnerability",2007-05-17,"Mehmet Ince",php,webapps,0
 3945,platforms/linux/dos/3945.rb,"MagicISO <= 5.4 (build239) - (.cue) Heap Overflow PoC",2007-05-17,n00b,linux,dos,0
-3946,platforms/php/webapps/3946.txt,"GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
+3946,platforms/php/webapps/3946.txt,"GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
 3947,platforms/php/webapps/3947.txt,"Build it Fast (bif3) 0.4.1 - Multiple Remote File Inclusion Vulnerabilities",2007-05-17,"Alkomandoz Hacker",php,webapps,0
 3948,platforms/php/webapps/3948.txt,"Libstats <= 1.0.3 (template_csv.php) Remote File Inclusion Vulnerability",2007-05-18,"Mehmet Ince",php,webapps,0
 3949,platforms/php/webapps/3949.txt,"MolyX BOARD 2.5.0 (index.php lang) Local File Inclusion Vulnerability",2007-05-18,MurderSkillz,php,webapps,0
@@ -22657,7 +22657,7 @@ id,file,description,date,author,platform,type,port
 25524,platforms/php/webapps/25524.txt,"PHPBB 2.0.x Viewtopic.php Cross-Site Scripting Vulnerability",2005-04-23,HaCkZaTaN,php,webapps,0
 25525,platforms/linux/dos/25525.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (1)",2005-04-25,kf,linux,dos,0
 25526,platforms/linux/remote/25526.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (2)",2005-04-25,kf,linux,remote,0
-25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
+25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
 25528,platforms/php/webapps/25528.txt,"WoltLab Burning Board 2.3.1 PMS.php Cross-Site Scripting Vulnerability",2005-04-25,deluxe89,php,webapps,0
 25529,platforms/asp/webapps/25529.txt,"StorePortal 2.63 Default.ASP Multiple SQL Injection Vulnerabilities",2005-04-25,Dcrab,asp,webapps,0
 25530,platforms/asp/webapps/25530.txt,"OneWorldStore IDOrder Information Disclosure Vulnerability",2005-04-25,Lostmon,asp,webapps,0
@@ -25433,7 +25433,7 @@ id,file,description,date,author,platform,type,port
 28380,platforms/linux/dos/28380.txt,"Mozilla Firefox 1.0.x JavaScript Handler Race Condition Memory Corruption Vulnerability",2006-08-12,"Michal Zalewski",linux,dos,0
 28381,platforms/windows/dos/28381.txt,"Microsoft Windows XP/2000/2003 help - Multiple Vulnerabilities",2006-08-12,"Benjamin Tobias Franz",windows,dos,0
 28382,platforms/php/webapps/28382.txt,"WP-DB Backup For WordPress 1.6/1.7 Edit.php - Directory Traversal Vulnerability",2006-08-14,"marc & shb",php,webapps,0
-28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
+28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
 28384,platforms/linux/dos/28384.txt,"Libmusicbrainz 2.0.2/2.1.x - Multiple Buffer Overflow Vulnerabilities",2006-08-14,"Luigi Auriemma",linux,dos,0
 28385,platforms/asp/webapps/28385.txt,"BlaBla 4U Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,asp,webapps,0
 28386,platforms/linux/dos/28386.txt,"Linux-HA Heartbeat <= 2.0.6 - Remote Denial of Service Vulnerability",2006-08-13,"Yan Rong Ge",linux,dos,0
@@ -35960,7 +35960,7 @@ id,file,description,date,author,platform,type,port
 39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack-Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
 39765,platforms/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",cgi,webapps,0
 39766,platforms/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,php,webapps,0
-39767,platforms/multiple/dos/39767.txt,"ImageMagick < 6.9.3-9 - Multiple Vulnerabilities",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
+39767,platforms/multiple/dos/39767.txt,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
 39768,platforms/multiple/dos/39768.txt,"OpenSSL Padding Oracle in AES-NI CBC MAC Check",2016-05-04,"Juraj Somorovsky",multiple,dos,0
 39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
 39770,platforms/windows/dos/39770.txt,"McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption",2016-05-04,"Google Security Research",windows,dos,0
@@ -35982,7 +35982,7 @@ id,file,description,date,author,platform,type,port
 39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
 39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
 39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
-39791,platforms/multiple/local/39791.rb,"ImageMagick Delegate Arbitrary Command Execution",2016-05-09,metasploit,multiple,local,0
+39791,platforms/multiple/local/39791.rb,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)",2016-05-09,metasploit,multiple,local,0
 39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
 39794,platforms/windows/shellcode/39794.c,"All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes",2016-05-10,Fugu,windows,shellcode,0
 39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash PoC",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
@@ -36057,3 +36057,5 @@ id,file,description,date,author,platform,type,port
 39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
+39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
+39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
diff --git a/platforms/multiple/dos/39877.txt b/platforms/multiple/dos/39877.txt
new file mode 100755
index 000000000..49b1afd9e
--- /dev/null
+++ b/platforms/multiple/dos/39877.txt
@@ -0,0 +1,24 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=803
+
+The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==28415==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000022d84 (pc 0x7f0e1b0002a2 bp 0x7ffde25a76f0 sp 0x7ffde25a7630 T0)
+ #0 0x7f0e1b0002a1 in erf_meta_read_tag wireshark/wiretap/erf.c:1242:13
+ #1 0x7f0e1afff0f0 in populate_summary_info wireshark/wiretap/erf.c:1851:27
+ #2 0x7f0e1aff34d6 in erf_read wireshark/wiretap/erf.c:447:7
+ #3 0x7f0e1b1a746b in wtap_read wireshark/wiretap/wtap.c:1245:7
+ #4 0x528196 in load_cap_file wireshark/tshark.c:3478:12
+ #5 0x51e67c in main wireshark/tshark.c:2192:13
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV wireshark/wiretap/erf.c:1242:13 in erf_meta_read_tag
+==28415==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39877.zip
+
diff --git a/platforms/php/webapps/39876.txt b/platforms/php/webapps/39876.txt
new file mode 100755
index 000000000..14de9b694
--- /dev/null
+++ b/platforms/php/webapps/39876.txt
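Review bot: The report pins the affected code only as "current git master" (the line beginning `The following SIGSEGV crash`), and the files.csv entry added for it carries no version either, so a reader cannot tell which Wireshark revisions are vulnerable or whether the fix tracked in bugzilla 12352 has shipped. The trace itself is precise (`wiretap/erf.c:1242:13` in `erf_meta_read_tag`, reached from `populate_summary_info` via `erf_read`), so the missing piece is just the revision. I would add a line such as `Tested against Wireshark git master at commit <hash>; fixed in <release>` with the values taken from the bug report rather than guessed, and mirror the version into the CSV description. The PoC is only an external zip link, so it is worth noting that reproducibility depends on that archive staying available.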
@@ -0,0 +1,177 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
+
+[+] ISR: apparitionsec
+
+
+Vendor:
+==========
+sourceforge.net
+smsid
+
+download linx:
+sourceforge.net/projects/ajax-explorer/files/
+
+
+Product:
+=======================
+AjaxExplorer v1.10.3.2
+
+Manage server files through simple windows like interface.
+
+
+Vulnerability Type:
+=======================
+Remote Command Execution
+CSRF
+Persistent XSS
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+AjaxExplorer has command terminal feature where you can move, copy, delete
+files etc... also lets a user save commands in a
+flat file named "terminal" under their user profile
+"/ae.user/owner/myprofile".
+
+e.g.
+
+copy [FILEPATH + FILENAME] [FILEPATH]
+create [FILEPATH + FILENAME]
+
+Since AjaxExplorer also suffers from CSRF vulnerability we can exploit the
+application by first creating an .htaccess file with an
+"allow from all" directive to bypass access restrictions, next create
+arbitrary PHP files for remote command execution purposes.
+This exploit will require two consecutive HTTP requests, so we need to
+target an iframe to stay on same page until exploit is completed.
+
+
+Exploit code(s):
+===============
+
+1) first POST request creates .htaccess file so we can bypass directory
+browsing restrictions.
+2) second POST writes our remote command execution file we will then access
+to execute commands on the victim system.
+
+The below P:/ for "strPath" form value is for "Profile"
+
+
+
+
+ + + + + +
+ +
+ + + + + +
+
+Now we can access and run arbitrary cmds.
+
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
+:\\Windows\\system32\\calc.exe
+
+
+/////////////////////////////////////////////////////
+
+
+Here is another way to RCE this application... first create PHP file then
+edit.
+
+
+
+ + + + +
+ +
+ + + + +
+
+
+////////////////////////
+
+Persistent XSS:
+================
+
+We can also write persistent XSS payload to the user profile "terminal"
+file.
+
+ + + + + +
+
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification: NA
+June 1, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+8.0 (High)
+CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx
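Review bot: The first step of the chain writes an .htaccess containing `allow from all` to lift the directory restriction (the paragraph beginning `Since AjaxExplorer also suffers from CSRF`), but the write-up never states the server-side preconditions this depends on: the web server must honour .htaccess under the profile directory (an `AllowOverride` that permits access directives), and, as far as I know, the 2.2-style `allow from` syntax is refused on Apache 2.4 unless mod_access_compat is loaded, so the PoC may error out rather than bypass on a default 2.4 install. The chain also needs an already-authenticated AjaxExplorer user to load the attacker's page, which the `Exploitation Technique: Remote` label alone does not convey even though the CVSS vector's `UI:R` implies it. I would add a prerequisites line above `Exploit code(s):`, e.g. `Prerequisites: victim logged in to AjaxExplorer; Apache honours .htaccess in ae.user/ (AllowOverride) and accepts allow/deny syntax`. The POST form bodies themselves do not survive in this copy of the hunk, so the parameter names used by the two requests could not be checked here.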